Merge pull request #243 from zhom/dependabot/cargo/src-tauri/rust-dependencies-c95d545b97

deps(rust)(deps): bump the rust-dependencies group in /src-tauri with 17 updates

.github/workflows/issue-validation.yml

@@ -42,7 +42,7 @@ jobs:
           fi
 
       - name: Analyze issue
-        uses: anomalyco/opencode/github@d954026dd855e018302a6c0733a1dd74140931df #v1.2.26
+        uses: anomalyco/opencode/github@4ee426ba549131c4903a71dfb6259200467aca81 #v1.2.27
         env:
           ZHIPU_API_KEY: ${{ secrets.ZHIPU_API_KEY }}
           TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -92,7 +92,7 @@ jobs:
           fi
 
       - name: Analyze PR
-        uses: anomalyco/opencode/github@d954026dd855e018302a6c0733a1dd74140931df #v1.2.26
+        uses: anomalyco/opencode/github@4ee426ba549131c4903a71dfb6259200467aca81 #v1.2.27
         env:
           ZHIPU_API_KEY: ${{ secrets.ZHIPU_API_KEY }}
           TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -129,7 +129,7 @@ jobs:
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
 
       - name: Run opencode
-        uses: anomalyco/opencode/github@d954026dd855e018302a6c0733a1dd74140931df #v1.2.26
+        uses: anomalyco/opencode/github@4ee426ba549131c4903a71dfb6259200467aca81 #v1.2.27
         env:
           ZHIPU_API_KEY: ${{ secrets.ZHIPU_API_KEY }}
           TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release.yml

@@ -202,7 +202,7 @@ jobs:
           rm -f $CERT_PATH $KEY_PATH $PEM_PATH $P12_PATH
 
       - name: Build Tauri app
-        uses: tauri-apps/tauri-action@73fb865345c54760d875b94642314f8c0c894afa #v0.6.1
+        uses: tauri-apps/tauri-action@84b9d35b5fc46c1e45415bdb6144030364f7ebc5 #v0.6.2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GITHUB_REF_NAME: ${{ github.ref_name }}

.github/workflows/rolling-release.yml

@@ -210,7 +210,7 @@ jobs:
           echo "Generated timestamp: ${TIMESTAMP}-${COMMIT_HASH}"
 
       - name: Build Tauri app
-        uses: tauri-apps/tauri-action@73fb865345c54760d875b94642314f8c0c894afa #v0.6.1
+        uses: tauri-apps/tauri-action@84b9d35b5fc46c1e45415bdb6144030364f7ebc5 #v0.6.2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           BUILD_TAG: "nightly-${{ steps.timestamp.outputs.timestamp }}"

donut-sync/package.json

@@ -18,12 +18,12 @@
     "test:e2e": "jest --config ./test/jest-e2e.json"
   },
   "dependencies": {
-    "@aws-sdk/client-s3": "^3.1009.0",
-    "@aws-sdk/s3-request-presigner": "^3.1009.0",
-    "@nestjs/common": "^11.1.16",
+    "@aws-sdk/client-s3": "^3.1014.0",
+    "@aws-sdk/s3-request-presigner": "^3.1014.0",
+    "@nestjs/common": "^11.1.17",
     "@nestjs/config": "^4.0.3",
-    "@nestjs/core": "^11.1.16",
-    "@nestjs/platform-express": "^11.1.16",
+    "@nestjs/core": "^11.1.17",
+    "@nestjs/platform-express": "^11.1.17",
     "jsonwebtoken": "^9.0.3",
     "reflect-metadata": "^0.2.2",
     "rxjs": "^7.8.2"
@@ -31,7 +31,7 @@
   "devDependencies": {
     "@nestjs/cli": "^11.0.16",
     "@nestjs/schematics": "^11.0.9",
-    "@nestjs/testing": "^11.1.16",
+    "@nestjs/testing": "^11.1.17",
     "@types/express": "^5.0.6",
     "@types/jest": "^30.0.0",
     "@types/jsonwebtoken": "^9.0.10",

package.json

@@ -2,7 +2,7 @@
   "name": "donutbrowser",
   "private": true,
   "license": "AGPL-3.0",
-  "version": "0.17.1",
+  "version": "0.17.6",
   "type": "module",
   "scripts": {
     "dev": "next dev --turbopack -p 12341",
@@ -57,10 +57,10 @@
     "cmdk": "^1.1.1",
     "color": "^5.0.3",
     "flag-icons": "^7.5.0",
-    "i18next": "^25.8.18",
+    "i18next": "^25.9.0",
     "lucide-react": "^0.577.0",
-    "motion": "^12.36.0",
-    "next": "^16.1.6",
+    "motion": "^12.38.0",
+    "next": "^16.2.1",
     "next-themes": "^0.4.6",
     "radix-ui": "^1.4.3",
     "react": "^19.2.4",
@@ -73,17 +73,17 @@
     "tauri-plugin-macos-permissions-api": "^2.3.0"
   },
   "devDependencies": {
-    "@biomejs/biome": "2.4.7",
-    "@tailwindcss/postcss": "^4.2.1",
+    "@biomejs/biome": "2.4.8",
+    "@tailwindcss/postcss": "^4.2.2",
     "@tauri-apps/cli": "~2.10.1",
-    "@types/color": "^4.2.0",
+    "@types/color": "^4.2.1",
     "@types/node": "^25.5.0",
     "@types/react": "^19.2.14",
     "@types/react-dom": "^19.2.3",
     "@vitejs/plugin-react": "^6.0.1",
     "husky": "^9.1.7",
-    "lint-staged": "^16.3.4",
-    "tailwindcss": "^4.2.1",
+    "lint-staged": "^16.4.0",
+    "tailwindcss": "^4.2.2",
     "ts-unused-exports": "^11.0.1",
     "tw-animate-css": "^1.4.0",
     "typescript": "~5.9.3"

src-tauri/Cargo.lock

@@ -513,7 +513,7 @@ dependencies = [
  "sha1",
  "sync_wrapper",
  "tokio",
- "tokio-tungstenite",
+ "tokio-tungstenite 0.28.0",
  "tower",
  "tower-layer",
  "tower-service",
@@ -709,19 +709,20 @@ dependencies = [
 
 [[package]]
 name = "borsh"
-version = "1.6.0"
+version = "1.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d1da5ab77c1437701eeff7c88d968729e7766172279eab0676857b3d63af7a6f"
+checksum = "cfd1e3f8955a5d7de9fab72fc8373fade9fb8a703968cb200ae3dc6cf08e185a"
 dependencies = [
  "borsh-derive",
+ "bytes",
  "cfg_aliases",
 ]
 
 [[package]]
 name = "borsh-derive"
-version = "1.6.0"
+version = "1.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0686c856aa6aac0c4498f936d7d6a02df690f614c03e4d906d1018062b5c5e2c"
+checksum = "bfcfdc083699101d5a7965e49925975f2f55060f94f9a05e7187be95d530ca59"
 dependencies = [
  "once_cell",
  "proc-macro-crate 3.5.0",
@@ -843,6 +844,15 @@ dependencies = [
  "bzip2-sys",
 ]
 
+[[package]]
+name = "bzip2"
+version = "0.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f3a53fac24f34a81bc9954b5d6cfce0c21e18ec6959f44f56e8e90e4bb7c346c"
+dependencies = [
+ "libbz2-rs-sys",
+]
+
 [[package]]
 name = "bzip2-sys"
 version = "0.1.13+1.0.8"
@@ -1702,22 +1712,22 @@ dependencies = [
 
 [[package]]
 name = "dom_query"
-version = "0.25.1"
+version = "0.27.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4d9c2e7f1d22d0f2ce07626d259b8a55f4a47cb0938d4006dd8ae037f17d585e"
+checksum = "521e380c0c8afb8d9a1e83a1822ee03556fc3e3e7dbc1fd30be14e37f9cb3f89"
 dependencies = [
  "bit-set",
  "cssparser 0.36.0",
  "foldhash 0.2.0",
- "html5ever 0.36.1",
+ "html5ever 0.38.0",
  "precomputed-hash",
- "selectors 0.35.0",
- "tendril",
+ "selectors 0.36.1",
+ "tendril 0.5.0",
 ]
 
 [[package]]
 name = "donutbrowser"
-version = "0.17.1"
+version = "0.17.6"
 dependencies = [
  "aes",
  "aes-gcm",
@@ -1728,7 +1738,7 @@ dependencies = [
  "base64 0.22.1",
  "blake3",
  "boringtun",
- "bzip2",
+ "bzip2 0.6.1",
  "cbc",
  "chrono",
  "chrono-tz",
@@ -1788,7 +1798,7 @@ dependencies = [
  "tempfile",
  "thiserror 2.0.18",
  "tokio",
- "tokio-tungstenite",
+ "tokio-tungstenite 0.29.0",
  "tokio-util",
  "tower",
  "tower-http",
@@ -1801,7 +1811,7 @@ dependencies = [
  "windows 0.62.2",
  "winreg 0.56.0",
  "wiremock",
- "zip 8.2.0",
+ "zip 8.3.0",
 ]
 
 [[package]]
@@ -1848,9 +1858,9 @@ checksum = "48c757948c5ede0e46177b7add2e67155f70e33c07fea8284df6576da70b3719"
 
 [[package]]
 name = "embed-resource"
-version = "3.0.6"
+version = "3.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "55a075fc573c64510038d7ee9abc7990635863992f83ebc52c8b433b8411a02e"
+checksum = "47ec73ddcf6b7f23173d5c3c5a32b5507dc0a734de7730aa14abc5d5e296bb5f"
 dependencies = [
  "cc",
  "memchr",
@@ -1984,9 +1994,9 @@ dependencies = [
 
 [[package]]
 name = "euclid"
-version = "0.22.13"
+version = "0.22.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "df61bf483e837f88d5c2291dcf55c67be7e676b3a51acc48db3a7b163b91ed63"
+checksum = "f1a05365e3b1c6d1650318537c7460c6923f1abdd272ad6842baa2b509957a06"
 dependencies = [
  "num-traits",
 ]
@@ -2773,9 +2783,9 @@ dependencies = [
 
 [[package]]
 name = "heapless"
-version = "0.8.0"
+version = "0.9.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0bfb9eb618601c89945a70e254898da93b13be0388091d42117462b265bb3fad"
+checksum = "2af2455f757db2b292a9b1768c4b70186d443bcb3b316252d6b540aec1cd89ed"
 dependencies = [
  "hash32",
  "stable_deref_trait",
@@ -2828,12 +2838,12 @@ dependencies = [
 
 [[package]]
 name = "html5ever"
-version = "0.36.1"
+version = "0.38.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6452c4751a24e1b99c3260d505eaeee76a050573e61f30ac2c924ddc7236f01e"
+checksum = "1054432bae2f14e0061e33d23402fbaa67a921d319d56adc6bcf887ddad1cbc2"
 dependencies = [
  "log",
- "markup5ever 0.36.1",
+ "markup5ever 0.38.0",
 ]
 
 [[package]]
@@ -3295,9 +3305,9 @@ dependencies = [
 
 [[package]]
 name = "itoa"
-version = "1.0.17"
+version = "1.0.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "92ecc6618181def0457392ccd0ee51198e065e016d1d527a7ac1b6dc7c1f09d2"
+checksum = "8f42a60cbdf9a97f5d2305f08a87dc4e09308d1276d28c869c684d7777685682"
 
 [[package]]
 name = "javascriptcore-rs"
@@ -3486,6 +3496,12 @@ dependencies = [
  "once_cell",
 ]
 
+[[package]]
+name = "libbz2-rs-sys"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2c4a545a15244c7d945065b5d392b2d2d7f21526fba56ce51467b06ed445e8f7"
+
 [[package]]
 name = "libc"
 version = "0.2.183"
@@ -3659,17 +3675,17 @@ dependencies = [
  "phf_codegen 0.11.3",
  "string_cache 0.8.9",
  "string_cache_codegen 0.5.4",
- "tendril",
+ "tendril 0.4.3",
 ]
 
 [[package]]
 name = "markup5ever"
-version = "0.36.1"
+version = "0.38.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6c3294c4d74d0742910f8c7b466f44dda9eb2d5742c1e430138df290a1e8451c"
+checksum = "8983d30f2915feeaaab2d6babdd6bc7e9ed1a00b66b5e6d74df19aa9c0e91862"
 dependencies = [
  "log",
- "tendril",
+ "tendril 0.5.0",
  "web_atoms",
 ]
 
@@ -4011,9 +4027,9 @@ dependencies = [
 
 [[package]]
 name = "num_enum"
-version = "0.7.5"
+version = "0.7.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b1207a7e20ad57b847bbddc6776b968420d38292bbfe2089accff5e19e82454c"
+checksum = "5d0bca838442ec211fa11de3a8b0e0e8f3a4522575b5c4c06ed722e005036f26"
 dependencies = [
  "num_enum_derive",
  "rustversion",
@@ -4021,9 +4037,9 @@ dependencies = [
 
 [[package]]
 name = "num_enum_derive"
-version = "0.7.5"
+version = "0.7.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ff32365de1b6743cb203b710788263c44a03de03802daf96092f2da4fe6ba4d7"
+checksum = "680998035259dcfcafe653688bf2aa6d3e2dc05e98be6ab46afb089dc84f1df8"
 dependencies = [
  "proc-macro-crate 3.5.0",
  "proc-macro2",
@@ -4346,7 +4362,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7d8fae84b431384b68627d0f9b3b1245fcf9f46f6c0e3dc902e9dce64edd1967"
 dependencies = [
  "libc",
- "windows-sys 0.45.0",
+ "windows-sys 0.52.0",
 ]
 
 [[package]]
@@ -5635,9 +5651,9 @@ dependencies = [
 
 [[package]]
 name = "rustls-webpki"
-version = "0.103.9"
+version = "0.103.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d7df23109aa6c1567d1c575b9952556388da57401e4ace1d15f79eedad0d8f53"
+checksum = "df33b2b81ac578cabaf06b89b0631153a3f416b0a886e8a7a1707fb51abbd1ef"
 dependencies = [
  "ring",
  "rustls-pki-types",
@@ -5813,9 +5829,9 @@ dependencies = [
 
 [[package]]
 name = "selectors"
-version = "0.35.0"
+version = "0.36.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "93fdfed56cd634f04fe8b9ddf947ae3dc493483e819593d2ba17df9ad05db8b2"
+checksum = "c5d9c0c92a92d33f08817311cf3f2c29a3538a8240e94a6a3c622ce652d7e00c"
 dependencies = [
  "bitflags 2.11.0",
  "cssparser 0.36.0",
@@ -6204,9 +6220,9 @@ checksum = "67b1b7a3b5fe4f1376887184045fcf45c69e92af734b7aaddc05fb777b6fbd03"
 
 [[package]]
 name = "smoltcp"
-version = "0.12.0"
+version = "0.13.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dad095989c1533c1c266d9b1e8d70a1329dd3723c3edac6d03bbd67e7bf6f4bb"
+checksum = "ac729b0a77bd092a3f06ddaddc59fe0d67f48ba0de45a9abe707c2842c7f8767"
 dependencies = [
  "bitflags 1.3.2",
  "byteorder",
@@ -6548,9 +6564,9 @@ checksum = "55937e1799185b12863d447f42597ed69d9928686b8d88a1df17376a097d8369"
 
 [[package]]
 name = "tar"
-version = "0.4.44"
+version = "0.4.45"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1d863878d212c87a19c1a610eb53bb01fe12951c0501cf5a0d65f724914a667a"
+checksum = "22692a6476a21fa75fdfc11d452fda482af402c008cdbaf3476414e122040973"
 dependencies = [
  "filetime",
  "libc",
@@ -6957,7 +6973,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "32497e9a4c7b38532efcdebeef879707aa9f794296a4f0244f6f69e9bc8574bd"
 dependencies = [
  "fastrand",
- "getrandom 0.3.4",
+ "getrandom 0.4.2",
  "once_cell",
  "rustix",
  "windows-sys 0.52.0",
@@ -6974,6 +6990,16 @@ dependencies = [
  "utf-8",
 ]
 
+[[package]]
+name = "tendril"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c4790fc369d5a530f4b544b094e31388b9b3a37c0f4652ade4505945f5660d24"
+dependencies = [
+ "new_debug_unreachable",
+ "utf-8",
+]
+
 [[package]]
 name = "thiserror"
 version = "1.0.69"
@@ -7186,13 +7212,25 @@ name = "tokio-tungstenite"
 version = "0.28.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d25a406cddcc431a75d3d9afc6a7c0f7428d4891dd973e4d54c56b46127bf857"
+dependencies = [
+ "futures-util",
+ "log",
+ "tokio",
+ "tungstenite 0.28.0",
+]
+
+[[package]]
+name = "tokio-tungstenite"
+version = "0.29.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8f72a05e828585856dacd553fba484c242c46e391fb0e58917c942ee9202915c"
 dependencies = [
  "futures-util",
  "log",
  "native-tls",
  "tokio",
  "tokio-native-tls",
- "tungstenite",
+ "tungstenite 0.29.0",
 ]
 
 [[package]]
@@ -7300,18 +7338,18 @@ dependencies = [
 
 [[package]]
 name = "toml_parser"
-version = "1.0.9+spec-1.1.0"
+version = "1.0.10+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "702d4415e08923e7e1ef96cd5727c0dfed80b4d2fa25db9647fe5eb6f7c5a4c4"
+checksum = "7df25b4befd31c4816df190124375d5a20c6b6921e2cad937316de3fccd63420"
 dependencies = [
- "winnow 0.7.15",
+ "winnow 1.0.0",
 ]
 
 [[package]]
 name = "toml_writer"
-version = "1.0.6+spec-1.1.0"
+version = "1.0.7+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ab16f14aed21ee8bfd8ec22513f7287cd4a91aa92e44edfe2c17ddd004e92607"
+checksum = "f17aaa1c6e3dc22b1da4b6bba97d066e354c7945cac2f7852d4e4e7ca7a6b56d"
 
 [[package]]
 name = "tower"
@@ -7449,13 +7487,29 @@ dependencies = [
  "http",
  "httparse",
  "log",
- "native-tls",
  "rand 0.9.2",
  "sha1",
  "thiserror 2.0.18",
  "utf-8",
 ]
 
+[[package]]
+name = "tungstenite"
+version = "0.29.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6c01152af293afb9c7c2a57e4b559c5620b421f6d133261c60dd2d0cdb38e6b8"
+dependencies = [
+ "bytes",
+ "data-encoding",
+ "http",
+ "httparse",
+ "log",
+ "native-tls",
+ "rand 0.9.2",
+ "sha1",
+ "thiserror 2.0.18",
+]
+
 [[package]]
 name = "typed-path"
 version = "0.12.3"
@@ -8583,6 +8637,12 @@ dependencies = [
  "memchr",
 ]
 
+[[package]]
+name = "winnow"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a90e88e4667264a994d34e6d1ab2d26d398dcdca8b7f52bec8668957517fc7d8"
+
 [[package]]
 name = "winreg"
 version = "0.55.0"
@@ -8722,9 +8782,9 @@ checksum = "9edde0db4769d2dc68579893f2306b26c6ecfbe0ef499b013d731b7b9247e0b9"
 
 [[package]]
 name = "wry"
-version = "0.54.3"
+version = "0.54.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a24eda84b5d488f99344e54b807138896cee8df0b2d16c793f1f6b80e6d8df1f"
+checksum = "e5a8135d8676225e5744de000d4dff5a082501bf7db6a1c1495034f8c314edbc"
 dependencies = [
  "base64 0.22.1",
  "block2",
@@ -8923,18 +8983,18 @@ dependencies = [
 
 [[package]]
 name = "zerocopy"
-version = "0.8.42"
+version = "0.8.47"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f2578b716f8a7a858b7f02d5bd870c14bf4ddbbcf3a4c05414ba6503640505e3"
+checksum = "efbb2a062be311f2ba113ce66f697a4dc589f85e78a4aea276200804cea0ed87"
 dependencies = [
  "zerocopy-derive",
 ]
 
 [[package]]
 name = "zerocopy-derive"
-version = "0.8.42"
+version = "0.8.47"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7e6cc098ea4d3bd6246687de65af3f920c430e236bee1e3bf2e441463f08a02f"
+checksum = "0e8bc7269b54418e7aeeef514aa68f8690b8c0489a06b0136e5f57c4c5ccab89"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -9023,7 +9083,7 @@ checksum = "fabe6324e908f85a1c52063ce7aa26b68dcb7eb6dbc83a2d148403c9bc3eba50"
 dependencies = [
  "aes",
  "arbitrary",
- "bzip2",
+ "bzip2 0.5.2",
  "constant_time_eq 0.3.1",
  "crc32fast",
  "crossbeam-utils",
@@ -9047,9 +9107,9 @@ dependencies = [
 
 [[package]]
 name = "zip"
-version = "8.2.0"
+version = "8.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b680f2a0cd479b4cff6e1233c483fdead418106eae419dc60200ae9850f6d004"
+checksum = "4a243cfad17427fc077f529da5a95abe4e94fd2bfdb601611870a6557cc67657"
 dependencies = [
  "crc32fast",
  "flate2",

src-tauri/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "donutbrowser"
-version = "0.17.1"
+version = "0.17.6"
 description = "Simple Yet Powerful Anti-Detect Browser"
 authors = ["zhom@github"]
 edition = "2021"
@@ -95,7 +95,7 @@ async-socks5 = "0.6"
 playwright = { git = "https://github.com/sctg-development/playwright-rust", branch = "master" }
 
 # Wayfern CDP integration
-tokio-tungstenite = { version = "0.28", features = ["native-tls"] }
+tokio-tungstenite = { version = "0.29", features = ["native-tls"] }
 rusqlite = { version = "0.39", features = ["bundled"] }
 serde_yaml = "0.9"
 thiserror = "2.0"
@@ -106,7 +106,7 @@ quick-xml = { version = "0.39", features = ["serialize"] }
 
 # VPN support
 boringtun = "0.7"
-smoltcp = { version = "0.12", default-features = false, features = ["std", "medium-ip", "proto-ipv4", "proto-ipv6", "socket-tcp", "socket-udp"] }
+smoltcp = { version = "0.13", default-features = false, features = ["std", "medium-ip", "proto-ipv4", "proto-ipv6", "socket-tcp", "socket-udp"] }
 
 # Daemon dependencies (tray icon)
 tray-icon = "0.21"

src-tauri/src/app_auto_updater.rs

@@ -704,7 +704,8 @@ impl AppAutoUpdater {
 
     let total_size = response.content_length().unwrap_or(0);
     log::info!("Silent download size: {} bytes", total_size);
-    let mut file = fs::File::create(&file_path)?;
+    let raw_file = fs::File::create(&file_path)?;
+    let mut file = std::io::BufWriter::with_capacity(8 * 1024 * 1024, raw_file);
     let mut stream = response.bytes_stream();
 
     use futures_util::StreamExt;
@@ -712,6 +713,7 @@ impl AppAutoUpdater {
       let chunk = chunk?;
       file.write_all(&chunk)?;
     }
+    std::io::Write::flush(&mut file)?;
 
     log::info!("Silent download completed: {}", file_path.display());
     Ok(file_path)

src-tauri/src/auto_updater.rs

@@ -145,6 +145,14 @@ impl AutoUpdater {
               let registry =
                 crate::downloaded_browsers_registry::DownloadedBrowsersRegistry::instance();
 
+              // Skip if this browser-version pair is already being downloaded
+              if crate::downloader::is_downloading(&browser, &new_version) {
+                log::info!(
+                  "Browser {browser} {new_version} is already being downloaded, skipping duplicate"
+                );
+                return;
+              }
+
               if registry.is_browser_downloaded(&browser, &new_version) {
                 log::info!("Browser {browser} {new_version} already downloaded, proceeding to auto-update profiles");
 

src-tauri/src/browser_runner.rs

@@ -2157,14 +2157,11 @@ impl BrowserRunner {
       .find(|p| p.id.to_string() == profile_id)
       .ok_or_else(|| format!("Profile '{profile_id}' not found"))?;
 
-    if profile.is_cross_os()
-      && !crate::cloud_auth::CLOUD_AUTH
-        .is_fingerprint_os_allowed(profile.host_os.as_deref())
-        .await
-    {
+    if profile.is_cross_os() {
       return Err(format!(
-        "Cannot open URL with profile '{}': cross-OS fingerprints require a paid subscription",
+        "Cannot open URL with profile '{}': this profile was created on {} and cannot be used on a different operating system",
         profile.name,
+        profile.host_os.as_deref().unwrap_or("another OS"),
       ));
     }
 
@@ -2196,14 +2193,11 @@ pub async fn launch_browser_profile(
     profile.id
   );
 
-  if profile.is_cross_os()
-    && !crate::cloud_auth::CLOUD_AUTH
-      .is_fingerprint_os_allowed(profile.host_os.as_deref())
-      .await
-  {
+  if profile.is_cross_os() {
     return Err(format!(
-      "Cannot launch profile '{}': cross-OS fingerprints require a paid subscription",
+      "Cannot launch profile '{}': this profile was created on {} and cannot be launched on a different operating system",
       profile.name,
+      profile.host_os.as_deref().unwrap_or("another OS"),
     ));
   }
 
@@ -2516,14 +2510,11 @@ pub async fn launch_browser_profile_with_debugging(
   remote_debugging_port: Option<u16>,
   headless: bool,
 ) -> Result<BrowserProfile, String> {
-  if profile.is_cross_os()
-    && !crate::cloud_auth::CLOUD_AUTH
-      .is_fingerprint_os_allowed(profile.host_os.as_deref())
-      .await
-  {
+  if profile.is_cross_os() {
     return Err(format!(
-      "Cannot launch profile '{}': cross-OS fingerprints require a paid subscription",
+      "Cannot launch profile '{}': this profile was created on {} and cannot be launched on a different operating system",
       profile.name,
+      profile.host_os.as_deref().unwrap_or("another OS"),
     ));
   }
 

src-tauri/src/cloud_auth.rs

@@ -591,8 +591,8 @@ impl CloudAuthManager {
     // Clear wayfern token
     self.clear_wayfern_token().await;
 
-    // Disconnect team lock manager
-    crate::team_lock::TEAM_LOCK.disconnect().await;
+    // Disconnect profile lock manager
+    crate::team_lock::PROFILE_LOCK.disconnect().await;
 
     // Try to call the logout API (best-effort)
     if let Ok(Some(access_token)) = Self::load_access_token() {
@@ -1070,10 +1070,10 @@ impl CloudAuthManager {
         log::debug!("Failed to refresh cloud profile: {e}");
       }
 
-      // Reconnect team lock manager if needed
+      // Reconnect profile lock manager if needed
       if let Some(auth_state) = CLOUD_AUTH.get_user().await {
-        if let Some(tid) = &auth_state.user.team_id {
-          crate::team_lock::TEAM_LOCK.connect(tid).await;
+        if auth_state.user.plan != "free" && !crate::team_lock::PROFILE_LOCK.is_connected().await {
+          crate::team_lock::PROFILE_LOCK.connect().await;
         }
       }
 
@@ -1137,11 +1137,9 @@ pub async fn cloud_verify_otp(
   // Sync cloud proxy after login
   CLOUD_AUTH.sync_cloud_proxy().await;
 
-  // Connect team lock manager if on a team plan
-  if state.user.team_id.is_some() {
-    if let Some(tid) = &state.user.team_id {
-      crate::team_lock::TEAM_LOCK.connect(tid).await;
-    }
+  // Connect profile lock manager for paid users
+  if state.user.plan != "free" {
+    crate::team_lock::PROFILE_LOCK.connect().await;
   }
 
   let _ = crate::events::emit_empty("cloud-auth-changed");

src-tauri/src/downloaded_browsers_registry.rs

@@ -513,6 +513,11 @@ impl DownloadedBrowsersRegistry {
     browser: &str,
     version: &str,
   ) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
+    // Never remove a directory if a download is in progress for this browser/version
+    if crate::downloader::is_downloading(browser, version) {
+      return Ok(());
+    }
+
     let binaries_dir = crate::app_dirs::binaries_dir();
 
     let version_dir = binaries_dir.join(browser).join(version);
@@ -593,6 +598,12 @@ impl DownloadedBrowsersRegistry {
           continue;
         }
 
+        // Skip if a download is in progress for this browser/version
+        if crate::downloader::is_downloading(browser_name, version_name) {
+          has_non_empty_versions = true;
+          continue;
+        }
+
         // Check if version directory is empty
         match fs::read_dir(&version_path) {
           Ok(mut entries) => {
@@ -1237,12 +1248,13 @@ pub async fn ensure_active_browsers_downloaded(
     // Check if any version is already downloaded
     let existing = registry.get_downloaded_versions(browser);
     if !existing.is_empty() {
-      log::debug!(
-        "Skipping {browser}: already have {} version(s) downloaded",
+      log::info!(
+        "ensure_active: Skipping {browser}: already have {} version(s) downloaded",
         existing.len()
       );
       continue;
     }
+    log::info!("ensure_active: No {browser} versions found, will download");
 
     // Get the latest release type for this browser
     let release_types = match version_manager.get_browser_release_types(browser).await {

src-tauri/src/downloader.rs

@@ -42,7 +42,10 @@ pub struct Downloader {
 impl Downloader {
   fn new() -> Self {
     Self {
-      client: Client::new(),
+      client: Client::builder()
+        .connect_timeout(std::time::Duration::from_secs(30))
+        .build()
+        .unwrap_or_else(|_| Client::new()),
       api_client: ApiClient::instance(),
       registry: crate::downloaded_browsers_registry::DownloadedBrowsersRegistry::instance(),
       version_service: crate::browser_version_manager::BrowserVersionManager::instance(),
@@ -304,44 +307,22 @@ impl Downloader {
     let file_path = dest_path.join(&download_info.filename);
 
     // Resolve the actual download URL
+    log::info!(
+      "Resolving download URL for {} {}",
+      browser_type.as_str(),
+      version
+    );
     let download_url = self
       .resolve_download_url(browser_type.clone(), version, download_info)
       .await?;
+    log::info!("Download URL resolved: {}", download_url);
 
-    // Check existing file size — if it matches the expected size, skip download
+    // Determine if we have a partial file to resume
     let mut existing_size: u64 = 0;
     if let Ok(meta) = std::fs::metadata(&file_path) {
       existing_size = meta.len();
     }
 
-    // Do a HEAD request to get the expected file size for skip/resume decisions
-    let head_response = self
-      .client
-      .head(&download_url)
-      .header(
-        "User-Agent",
-        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36",
-      )
-      .send()
-      .await
-      .ok();
-
-    let expected_size = head_response.as_ref().and_then(|r| r.content_length());
-
-    // If existing file matches expected size, skip download entirely
-    if existing_size > 0 {
-      if let Some(expected) = expected_size {
-        if existing_size == expected {
-          log::info!(
-            "Archive {} already exists with correct size ({} bytes), skipping download",
-            file_path.display(),
-            existing_size
-          );
-          return Ok(file_path);
-        }
-      }
-    }
-
     // Build request, add Range only if we have bytes. If the server responds with 416 (Range Not
     // Satisfiable), delete the partial file and retry once without the Range header.
     let response = {
@@ -357,7 +338,13 @@ impl Downloader {
         request = request.header("Range", format!("bytes={existing_size}-"));
       }
 
+      log::info!("Sending download request...");
       let first = request.send().await?;
+      log::info!(
+        "Download response received: status={}, content-length={:?}",
+        first.status(),
+        first.content_length()
+      );
 
       if first.status().as_u16() == 416 && existing_size > 0 {
         // Partial file on disk is not acceptable to the server — remove it and retry from scratch
@@ -415,6 +402,20 @@ impl Downloader {
       existing_size = 0;
     }
 
+    // If the existing file already matches the total size, skip the download
+    if existing_size > 0 {
+      if let Some(total) = total_size {
+        if existing_size >= total {
+          log::info!(
+            "Archive {} already complete ({} bytes), skipping download",
+            file_path.display(),
+            existing_size
+          );
+          return Ok(file_path);
+        }
+      }
+    }
+
     let mut downloaded = existing_size;
     let start_time = std::time::Instant::now();
     let mut last_update = start_time;
@@ -445,12 +446,16 @@ impl Downloader {
 
     let _ = events::emit("download-progress", &progress);
 
-    // Open file in append mode (resuming) or create new
+    // Open file in append mode (resuming) or create new.
+    // Wrap in BufWriter with a large buffer to reduce the number of disk writes,
+    // which dramatically improves download speed on Windows (NTFS + Defender overhead).
     use std::fs::OpenOptions;
-    let mut file = OpenOptions::new()
+    use std::io::Write;
+    let raw_file = OpenOptions::new()
       .create(true)
       .append(true)
       .open(&file_path)?;
+    let mut file = io::BufWriter::with_capacity(8 * 1024 * 1024, raw_file);
     let mut stream = response.bytes_stream();
 
     use futures_util::StreamExt;
@@ -463,7 +468,7 @@ impl Downloader {
         }
       }
       let chunk = chunk?;
-      io::copy(&mut chunk.as_ref(), &mut file)?;
+      file.write_all(&chunk)?;
       downloaded += chunk.len() as u64;
 
       let now = std::time::Instant::now();
@@ -510,6 +515,9 @@ impl Downloader {
       }
     }
 
+    // Flush remaining buffered data to disk
+    file.flush()?;
+
     Ok(file_path)
   }
 
@@ -953,6 +961,13 @@ impl Downloader {
   }
 }
 
+/// Check if a specific browser-version pair is currently being downloaded
+pub fn is_downloading(browser: &str, version: &str) -> bool {
+  let download_key = format!("{browser}-{version}");
+  let downloading = DOWNLOADING_BROWSERS.lock().unwrap();
+  downloading.contains(&download_key)
+}
+
 #[tauri::command]
 pub async fn download_browser(
   app_handle: tauri::AppHandle,

src-tauri/src/extraction.rs

@@ -232,13 +232,21 @@ impl Extractor {
     &self,
     file_path: &Path,
   ) -> Result<String, Box<dyn std::error::Error + Send + Sync>> {
-    // Always check magic bytes first — the file extension may be wrong
-    // (e.g. CDN serving a ZIP with .dmg extension)
+    // Check file extension first for container formats (DMG, MSI) whose internal
+    // compression makes magic bytes unreliable
+    if let Some(ext) = file_path.extension().and_then(|ext| ext.to_str()) {
+      match ext.to_lowercase().as_str() {
+        "dmg" => return Ok("dmg".to_string()),
+        "msi" => return Ok("msi".to_string()),
+        _ => {}
+      }
+    }
+
     let mut file = File::open(file_path)?;
-    let mut buffer = [0u8; 12]; // Read first 12 bytes for magic number detection
+    let mut buffer = [0u8; 12];
     file.read_exact(&mut buffer)?;
 
-    // Check magic numbers for different file types
+    // Check magic numbers for other file types
     match &buffer[0..4] {
       [0x50, 0x4B, 0x03, 0x04] | [0x50, 0x4B, 0x05, 0x06] | [0x50, 0x4B, 0x07, 0x08] => {
         return Ok("zip".to_string())

src-tauri/src/lib.rs

@@ -297,7 +297,7 @@ async fn fetch_dynamic_proxy(
     .fetch_dynamic_proxy(&url, &format)
     .await?;
 
-  // Validate the proxy actually works by routing through a temporary local proxy
+  // Validate the proxy actually works by connecting through it
   crate::proxy_manager::PROXY_MANAGER
     .check_proxy_validity("_dynamic_test", &settings)
     .await

src-tauri/src/mcp_server.rs

@@ -4,16 +4,18 @@ use axum::{
   http::{header, Request, StatusCode},
   middleware::{self, Next},
   response::{IntoResponse, Response},
-  routing::post,
+  routing::{get, post},
   Json, Router,
 };
 use serde::{Deserialize, Serialize};
+use std::collections::HashMap;
 use std::net::SocketAddr;
 use std::sync::atomic::{AtomicBool, AtomicU16, Ordering};
 use std::sync::Arc;
 use tauri::AppHandle;
 use tokio::net::TcpListener;
 use tokio::sync::Mutex as AsyncMutex;
+use uuid::Uuid;
 
 use crate::browser::ProxySettings;
 use crate::cloud_auth::CLOUD_AUTH;
@@ -34,15 +36,20 @@ pub struct McpTool {
 #[allow(dead_code)]
 pub struct McpRequest {
   jsonrpc: String,
-  id: serde_json::Value,
+  id: Option<serde_json::Value>,
   method: String,
   params: Option<serde_json::Value>,
 }
 
+const PROTOCOL_VERSION: &str = "2025-03-26";
+const SERVER_NAME: &str = "donut-browser";
+const SERVER_VERSION: &str = env!("CARGO_PKG_VERSION");
+
 #[derive(Debug, Serialize)]
 pub struct McpResponse {
   jsonrpc: String,
-  id: serde_json::Value,
+  #[serde(skip_serializing_if = "Option::is_none")]
+  id: Option<serde_json::Value>,
   #[serde(skip_serializing_if = "Option::is_none")]
   result: Option<serde_json::Value>,
   #[serde(skip_serializing_if = "Option::is_none")]
@@ -57,10 +64,15 @@ pub struct McpError {
 
 const DEFAULT_MCP_PORT: u16 = 51080;
 
+struct McpSession {
+  initialized: bool,
+}
+
 struct McpServerInner {
   app_handle: Option<AppHandle>,
   token: Option<String>,
   shutdown_tx: Option<tokio::sync::oneshot::Sender<()>>,
+  sessions: HashMap<String, McpSession>,
 }
 
 #[derive(Clone)]
@@ -82,6 +94,7 @@ impl McpServer {
         app_handle: None,
         token: None,
         shutdown_tx: None,
+        sessions: HashMap::new(),
       })),
       is_running: AtomicBool::new(false),
       port: AtomicU16::new(0),
@@ -207,7 +220,13 @@ impl McpServer {
     shutdown_rx: tokio::sync::oneshot::Receiver<()>,
   ) {
     let app = Router::new()
-      .route("/mcp", post(Self::handle_mcp_post))
+      .route(
+        "/mcp",
+        post(Self::handle_mcp_post)
+          .get(Self::handle_mcp_get)
+          .delete(Self::handle_mcp_delete),
+      )
+      .route("/health", get(Self::handle_health))
       .layer(middleware::from_fn_with_state(
         state.clone(),
         Self::auth_middleware,
@@ -243,6 +262,11 @@ impl McpServer {
     req: Request<Body>,
     next: Next,
   ) -> Result<Response, StatusCode> {
+    // Health endpoint is public
+    if req.uri().path() == "/health" {
+      return Ok(next.run(req).await);
+    }
+
     let auth_header = req
       .headers()
       .get(header::AUTHORIZATION)
@@ -257,12 +281,114 @@ impl McpServer {
     Ok(next.run(req).await)
   }
 
-  async fn handle_mcp_post(
+  async fn handle_health() -> impl IntoResponse {
+    Json(serde_json::json!({
+      "status": "ok",
+      "server": SERVER_NAME,
+      "version": SERVER_VERSION,
+      "protocolVersion": PROTOCOL_VERSION,
+    }))
+  }
+
+  async fn handle_mcp_get() -> impl IntoResponse {
+    // We don't support server-initiated SSE streams
+    StatusCode::METHOD_NOT_ALLOWED
+  }
+
+  async fn handle_mcp_delete(
     State(state): State<McpHttpState>,
-    Json(request): Json<McpRequest>,
+    req: Request<Body>,
   ) -> impl IntoResponse {
-    let response = state.server.handle_request(request).await;
-    Json(response)
+    let session_id = req
+      .headers()
+      .get("mcp-session-id")
+      .and_then(|h| h.to_str().ok())
+      .map(|s| s.to_string());
+
+    if let Some(sid) = session_id {
+      let mut inner = state.server.inner.lock().await;
+      inner.sessions.remove(&sid);
+      log::info!("[mcp] Session terminated: {}", sid);
+    }
+
+    StatusCode::OK
+  }
+
+  async fn handle_mcp_post(State(state): State<McpHttpState>, req: Request<Body>) -> Response {
+    let session_id = req
+      .headers()
+      .get("mcp-session-id")
+      .and_then(|h| h.to_str().ok())
+      .map(|s| s.to_string());
+
+    let body_bytes = match axum::body::to_bytes(req.into_body(), 1024 * 1024).await {
+      Ok(b) => b,
+      Err(_) => {
+        return (StatusCode::BAD_REQUEST, "Invalid request body").into_response();
+      }
+    };
+
+    let request: McpRequest = match serde_json::from_slice(&body_bytes) {
+      Ok(r) => r,
+      Err(_) => {
+        return (StatusCode::BAD_REQUEST, "Invalid JSON").into_response();
+      }
+    };
+
+    let is_notification = request.id.is_none();
+    let method = request.method.clone();
+
+    // Handle initialize (no session required)
+    if method == "initialize" {
+      let response = state.server.handle_initialize(request).await;
+      match response {
+        Ok((session_id, result)) => {
+          let body = McpResponse {
+            jsonrpc: "2.0".to_string(),
+            id: Some(result.0),
+            result: Some(result.1),
+            error: None,
+          };
+          Response::builder()
+            .status(StatusCode::OK)
+            .header(header::CONTENT_TYPE, "application/json")
+            .header("mcp-session-id", &session_id)
+            .body(Body::from(serde_json::to_vec(&body).unwrap()))
+            .unwrap()
+        }
+        Err((id, error)) => {
+          let body = McpResponse {
+            jsonrpc: "2.0".to_string(),
+            id: Some(id),
+            result: None,
+            error: Some(error),
+          };
+          Json(body).into_response()
+        }
+      }
+    } else if is_notification {
+      // Notifications (like notifications/initialized) -> 202 Accepted
+      if method == "notifications/initialized" {
+        if let Some(sid) = &session_id {
+          let mut inner = state.server.inner.lock().await;
+          if let Some(session) = inner.sessions.get_mut(sid) {
+            session.initialized = true;
+          }
+        }
+      }
+      StatusCode::ACCEPTED.into_response()
+    } else {
+      // Validate session exists
+      if let Some(sid) = &session_id {
+        let inner = state.server.inner.lock().await;
+        if !inner.sessions.contains_key(sid) {
+          return StatusCode::NOT_FOUND.into_response();
+        }
+      }
+
+      let response = state.server.handle_request(request).await;
+      Json(response).into_response()
+    }
   }
 
   pub async fn stop(&self) -> Result<(), String> {
@@ -273,6 +399,7 @@ impl McpServer {
     let mut inner = self.inner.lock().await;
     inner.app_handle = None;
     inner.token = None;
+    inner.sessions.clear();
 
     // Send shutdown signal
     if let Some(tx) = inner.shutdown_tx.take() {
@@ -1184,11 +1311,56 @@ impl McpServer {
     ]
   }
 
+  async fn handle_initialize(
+    &self,
+    request: McpRequest,
+  ) -> Result<(String, (serde_json::Value, serde_json::Value)), (serde_json::Value, McpError)> {
+    let id = request.id.clone().unwrap_or(serde_json::Value::Null);
+
+    if !self.is_running() {
+      return Err((
+        id,
+        McpError {
+          code: -32001,
+          message: "MCP server is not running".to_string(),
+        },
+      ));
+    }
+
+    // Create session
+    let session_id = Uuid::new_v4().to_string();
+    {
+      let mut inner = self.inner.lock().await;
+      inner
+        .sessions
+        .insert(session_id.clone(), McpSession { initialized: false });
+    }
+
+    let result = serde_json::json!({
+      "protocolVersion": PROTOCOL_VERSION,
+      "capabilities": {
+        "tools": {
+          "listChanged": false
+        }
+      },
+      "serverInfo": {
+        "name": SERVER_NAME,
+        "version": SERVER_VERSION,
+      },
+      "instructions": "Donut Browser MCP server. Use tools/list to discover available browser automation tools."
+    });
+
+    log::info!("[mcp] New session initialized: {}", session_id);
+    Ok((session_id, (id, result)))
+  }
+
   pub async fn handle_request(&self, request: McpRequest) -> McpResponse {
+    let id = request.id.clone().unwrap_or(serde_json::Value::Null);
+
     if !self.is_running() {
       return McpResponse {
         jsonrpc: "2.0".to_string(),
-        id: request.id,
+        id: Some(id),
         result: None,
         error: Some(McpError {
           code: -32001,
@@ -1198,6 +1370,7 @@ impl McpServer {
     }
 
     let result = match request.method.as_str() {
+      "ping" => Ok(serde_json::json!({})),
       "tools/list" => self.handle_tools_list().await,
       "tools/call" => self.handle_tool_call(request.params).await,
       _ => Err(McpError {
@@ -1209,13 +1382,13 @@ impl McpServer {
     match result {
       Ok(value) => McpResponse {
         jsonrpc: "2.0".to_string(),
-        id: request.id,
+        id: Some(id),
         result: Some(value),
         error: None,
       },
       Err(error) => McpResponse {
         jsonrpc: "2.0".to_string(),
-        id: request.id,
+        id: Some(id),
         result: None,
         error: Some(error),
       },

src-tauri/src/profile/manager.rs

@@ -425,8 +425,21 @@ impl ProfileManager {
       if path.is_dir() {
         let metadata_file = path.join("metadata.json");
         if metadata_file.exists() {
-          let content = fs::read_to_string(metadata_file)?;
-          let profile: BrowserProfile = serde_json::from_str(&content)?;
+          let content = fs::read_to_string(&metadata_file)?;
+          let mut profile: BrowserProfile = serde_json::from_str(&content)?;
+
+          // Backfill host_os from browser config for profiles created before
+          // the field existed (or synced without it).
+          if profile.host_os.is_none() {
+            let inferred_os = profile.resolved_os().map(str::to_string);
+            if let Some(os) = inferred_os {
+              profile.host_os = Some(os);
+              if let Ok(json) = serde_json::to_string_pretty(&profile) {
+                let _ = fs::write(&metadata_file, json);
+              }
+            }
+          }
+
           profiles.push(profile);
         }
       }
@@ -566,6 +579,29 @@ impl ProfileManager {
     Ok(())
   }
 
+  /// Delete a profile from the local filesystem only, without triggering remote sync deletion.
+  /// Used when a profile was deleted on another device and the local copy should be cleaned up.
+  pub fn delete_profile_local_only(
+    &self,
+    profile_id: &str,
+  ) -> Result<(), Box<dyn std::error::Error>> {
+    let profiles_dir = self.get_profiles_dir();
+    let profile_dir = profiles_dir.join(profile_id);
+    if profile_dir.exists() {
+      fs::remove_dir_all(&profile_dir)?;
+      log::info!("Deleted local profile {} (tombstoned remotely)", profile_id);
+    }
+
+    if let Err(e) = crate::downloaded_browsers_registry::DownloadedBrowsersRegistry::instance()
+      .cleanup_unused_binaries()
+    {
+      log::warn!("Failed to cleanup binaries after tombstone deletion: {e}");
+    }
+
+    let _ = crate::events::emit_empty("profiles-changed");
+    Ok(())
+  }
+
   pub fn update_profile_version(
     &self,
     _app_handle: &tauri::AppHandle,

src-tauri/src/profile/types.rs

@@ -87,11 +87,22 @@ impl BrowserProfile {
     profiles_dir.join(self.id.to_string()).join("profile")
   }
 
+  /// Resolve the OS this profile was created on. Checks `host_os` first,
+  /// then falls back to the fingerprint config's `os` field (for profiles
+  /// created before `host_os` was introduced or synced without it).
+  pub fn resolved_os(&self) -> Option<&str> {
+    self
+      .host_os
+      .as_deref()
+      .or_else(|| self.camoufox_config.as_ref().and_then(|c| c.os.as_deref()))
+      .or_else(|| self.wayfern_config.as_ref().and_then(|c| c.os.as_deref()))
+  }
+
   /// Returns true when the profile was created on a different OS than the current host.
-  /// Profiles without an `os` field (backward compat) are treated as native.
+  /// Checks `host_os` first, then falls back to the browser config's `os` field.
   pub fn is_cross_os(&self) -> bool {
-    match &self.host_os {
-      Some(host_os) => host_os != &get_host_os(),
+    match self.resolved_os() {
+      Some(os) => os != get_host_os(),
       None => false,
     }
   }

src-tauri/src/profile_importer.rs

@@ -1035,7 +1035,9 @@ Path=test.profile
   fn test_get_default_version_for_browser_no_versions() {
     let (importer, _temp_dir) = create_test_profile_importer();
 
-    let result = importer.get_default_version_for_browser("camoufox");
+    // Use a browser name that is guaranteed to have no downloaded versions,
+    // since the global registry singleton may contain real data from the system.
+    let result = importer.get_default_version_for_browser("nonexistent_browser_xyz");
     assert!(
       result.is_err(),
       "Should fail when no versions are available"

src-tauri/src/proxy_manager.rs

@@ -907,6 +907,63 @@ impl ProxyManager {
       .map(|p| p.proxy_settings.clone())
   }
 
+  fn classify_proxy_error(raw_error: &str, settings: &ProxySettings) -> String {
+    let err = raw_error.to_lowercase();
+    let proxy_addr = format!("{}:{}", settings.host, settings.port);
+
+    if err.contains("connection refused") {
+      return format!(
+        "Connection refused by {proxy_addr}. The proxy server is not accepting connections."
+      );
+    }
+    if err.contains("connection reset") {
+      return format!(
+        "Connection reset by {proxy_addr}. The proxy server closed the connection unexpectedly."
+      );
+    }
+    if err.contains("timed out") || err.contains("deadline has elapsed") {
+      return format!("Connection to {proxy_addr} timed out. The proxy server is not responding.");
+    }
+    if err.contains("no such host") || err.contains("dns") || err.contains("resolve") {
+      return format!(
+        "Could not resolve proxy host '{}'. Check that the hostname is correct.",
+        settings.host
+      );
+    }
+    if err.contains("authentication") || err.contains("407") || err.contains("proxy auth") {
+      return format!(
+        "Proxy authentication failed for {proxy_addr}. Check your username and password."
+      );
+    }
+    if err.contains("403") || err.contains("forbidden") {
+      return format!("Access denied by {proxy_addr} (403 Forbidden).");
+    }
+    if err.contains("402") {
+      return format!(
+        "Payment required by {proxy_addr} (402). Your proxy subscription may have expired."
+      );
+    }
+    if err.contains("502") || err.contains("bad gateway") {
+      return format!(
+        "Bad gateway from {proxy_addr} (502). The upstream proxy server may be down."
+      );
+    }
+    if err.contains("503") || err.contains("service unavailable") {
+      return format!("Proxy {proxy_addr} is temporarily unavailable (503).");
+    }
+    if err.contains("socks") && err.contains("unreachable") {
+      return format!("SOCKS proxy {proxy_addr} could not reach the target. The proxy server may not have internet access.");
+    }
+    if err.contains("invalid proxy") || err.contains("unsupported proxy") {
+      return format!(
+        "Invalid proxy configuration for {proxy_addr}. Check the proxy type and address."
+      );
+    }
+
+    // Generic fallback — still show the proxy address for context
+    format!("Proxy check failed for {proxy_addr}. Could not connect through the proxy.")
+  }
+
   // Build proxy URL string from ProxySettings
   fn build_proxy_url(proxy_settings: &ProxySettings) -> String {
     let mut url = format!("{}://", proxy_settings.proxy_type);
@@ -928,9 +985,9 @@ impl ProxyManager {
     url
   }
 
-  // Check if a proxy is valid by routing through a temporary local donut-proxy.
-  // This tests the exact same code path the browser uses, ensuring that if the
-  // check passes, the browser connection will work too.
+  // Check if a proxy is valid by routing through a temporary donut-proxy process.
+  // This tests the exact same code path the browser uses.
+  // Falls back to direct reqwest check if the proxy worker fails to start.
   pub async fn check_proxy_validity(
     &self,
     proxy_id: &str,
@@ -938,19 +995,31 @@ impl ProxyManager {
   ) -> Result<ProxyCheckResult, String> {
     let upstream_url = Self::build_proxy_url(proxy_settings);
 
-    // Start a temporary local proxy that tunnels through the upstream
-    let proxy_config = crate::proxy_runner::start_proxy_process(Some(upstream_url), None)
-      .await
-      .map_err(|e| format!("Failed to start test proxy: {e}"))?;
+    // Try process-based check first (identical to browser launch path)
+    // Try process-based check first (identical to browser launch path).
+    // If the proxy worker fails to start (e.g. Gatekeeper, antivirus, signing
+    // restrictions), fall back to a direct reqwest check.
+    let proxy_start_result =
+      crate::proxy_runner::start_proxy_process(Some(upstream_url.clone()), None)
+        .await
+        .map_err(|e| e.to_string());
 
-    let local_url = format!("http://127.0.0.1:{}", proxy_config.local_port.unwrap_or(0));
-    let proxy_id_clone = proxy_config.id.clone();
-
-    // Fetch public IP through the local proxy (same path the browser uses)
-    let ip_result = ip_utils::fetch_public_ip(Some(&local_url)).await;
-
-    // Stop the temporary proxy regardless of result
-    let _ = crate::proxy_runner::stop_proxy_process(&proxy_id_clone).await;
+    let ip_result = match proxy_start_result {
+      Ok(proxy_config) => {
+        let local_url = format!("http://127.0.0.1:{}", proxy_config.local_port.unwrap_or(0));
+        let config_id = proxy_config.id.clone();
+        let result = ip_utils::fetch_public_ip(Some(&local_url)).await;
+        let _ = crate::proxy_runner::stop_proxy_process(&config_id).await;
+        result
+      }
+      Err(err_msg) => {
+        log::warn!(
+          "Proxy worker failed to start ({}), falling back to direct check",
+          err_msg
+        );
+        ip_utils::fetch_public_ip(Some(&upstream_url)).await
+      }
+    };
 
     let ip = match ip_result {
       Ok(ip) => ip,
@@ -964,7 +1033,10 @@ impl ProxyManager {
           is_valid: false,
         };
         let _ = self.save_proxy_check_cache(proxy_id, &failed_result);
-        return Err(format!("Failed to fetch public IP: {e}"));
+
+        let err_str = e.to_string();
+        let user_message = Self::classify_proxy_error(&err_str, proxy_settings);
+        return Err(user_message);
       }
     };
 
@@ -1049,12 +1121,21 @@ impl ProxyManager {
       .as_object()
       .ok_or_else(|| "JSON response is not an object".to_string())?;
 
-    let host = obj
+    let raw_host = obj
       .get("ip")
       .or_else(|| obj.get("host"))
       .and_then(|v| v.as_str())
-      .ok_or_else(|| "Missing 'ip' or 'host' field in JSON response".to_string())?
-      .to_string();
+      .ok_or_else(|| "Missing 'ip' or 'host' field in JSON response".to_string())?;
+
+    // Strip protocol prefix from host if present (e.g. "socks5://1.2.3.4" -> "1.2.3.4")
+    // and extract the proxy type from it if no explicit type field is provided
+    let (host, protocol_from_host) = if let Some(rest) = raw_host.strip_prefix("://") {
+      (rest.to_string(), None)
+    } else if let Some((proto, rest)) = raw_host.split_once("://") {
+      (rest.to_string(), Some(proto.to_lowercase()))
+    } else {
+      (raw_host.to_string(), None)
+    };
 
     let port = obj
       .get("port")
@@ -1070,8 +1151,9 @@ impl ProxyManager {
       .or_else(|| obj.get("proxy_type"))
       .or_else(|| obj.get("protocol"))
       .and_then(|v| v.as_str())
-      .unwrap_or("http")
-      .to_lowercase();
+      .map(|s| s.to_lowercase())
+      .or(protocol_from_host)
+      .unwrap_or_else(|| "http".to_string());
 
     let username = obj
       .get("username")
@@ -2731,17 +2813,19 @@ mod tests {
   fn test_process_running_detection_with_child_lifecycle() {
     use crate::proxy_storage::is_process_running;
 
-    // Spawn a long-lived child so we can check while it runs
-    let mut child = std::process::Command::new(if cfg!(windows) { "timeout" } else { "sleep" })
+    // Spawn a long-lived child so we can check while it runs.
+    // On Windows, `timeout` requires console input and exits immediately in
+    // non-interactive contexts, so use `ping` with a high count instead.
+    let mut child = std::process::Command::new(if cfg!(windows) { "ping" } else { "sleep" })
       .args(if cfg!(windows) {
-        vec!["/T", "10"]
+        vec!["-n", "100", "127.0.0.1"]
       } else {
         vec!["10"]
       })
       .stdout(std::process::Stdio::null())
       .stderr(std::process::Stdio::null())
       .spawn()
-      .expect("spawn sleep");
+      .expect("spawn long-lived child");
 
     let pid = child.id();
 
@@ -3470,6 +3554,28 @@ mod tests {
     assert_eq!(result2.proxy_type, "http");
   }
 
+  #[test]
+  fn test_parse_dynamic_proxy_json_strips_protocol_from_host() {
+    // User's API returns "ip": "socks5://1.2.3.4" with protocol embedded in host
+    let body = r#"{"ip": "socks5://1.2.3.4", "port": 1080, "username": "u", "password": "p"}"#;
+    let result = ProxyManager::parse_dynamic_proxy_json(body).unwrap();
+    assert_eq!(result.host, "1.2.3.4");
+    assert_eq!(result.proxy_type, "socks5");
+    assert_eq!(result.port, 1080);
+
+    // Protocol in host should be used as proxy_type when no explicit type field
+    let body2 = r#"{"ip": "http://10.0.0.1", "port": 8080}"#;
+    let result2 = ProxyManager::parse_dynamic_proxy_json(body2).unwrap();
+    assert_eq!(result2.host, "10.0.0.1");
+    assert_eq!(result2.proxy_type, "http");
+
+    // Explicit type field takes precedence over protocol in host
+    let body3 = r#"{"ip": "http://10.0.0.1", "port": 1080, "type": "socks5"}"#;
+    let result3 = ProxyManager::parse_dynamic_proxy_json(body3).unwrap();
+    assert_eq!(result3.host, "10.0.0.1");
+    assert_eq!(result3.proxy_type, "socks5");
+  }
+
   #[test]
   fn test_parse_dynamic_proxy_json_empty_credentials_treated_as_none() {
     let body = r#"{"ip": "1.2.3.4", "port": 8080, "username": "", "password": ""}"#;

src-tauri/src/proxy_server.rs

@@ -883,6 +883,87 @@ fn build_reqwest_client_with_proxy(
   Ok(client_builder.proxy(proxy).build()?)
 }
 
+/// Handle a single proxy connection (used by both the proxy worker and in-process proxy checks).
+pub async fn handle_proxy_connection(
+  mut stream: tokio::net::TcpStream,
+  upstream_url: Option<String>,
+  bypass_matcher: BypassMatcher,
+) {
+  let _ = stream.set_nodelay(true);
+
+  if stream.readable().await.is_err() {
+    return;
+  }
+
+  let mut peek_buffer = [0u8; 16];
+  match stream.read(&mut peek_buffer).await {
+    Ok(0) => {}
+    Ok(n) => {
+      let request_start_upper = String::from_utf8_lossy(&peek_buffer[..n.min(7)]).to_uppercase();
+      let is_connect = request_start_upper.starts_with("CONNECT");
+
+      if is_connect {
+        let mut full_request = Vec::with_capacity(4096);
+        full_request.extend_from_slice(&peek_buffer[..n]);
+
+        let mut remaining = [0u8; 4096];
+        let mut total_read = n;
+        let max_reads = 100;
+        let mut reads = 0;
+
+        loop {
+          if reads >= max_reads {
+            break;
+          }
+          match stream.read(&mut remaining).await {
+            Ok(0) => {
+              if full_request.ends_with(b"\r\n\r\n")
+                || full_request.ends_with(b"\n\n")
+                || total_read > 0
+              {
+                break;
+              }
+              return;
+            }
+            Ok(m) => {
+              reads += 1;
+              total_read += m;
+              full_request.extend_from_slice(&remaining[..m]);
+              if full_request.ends_with(b"\r\n\r\n") || full_request.ends_with(b"\n\n") {
+                break;
+              }
+            }
+            Err(_) => {
+              if total_read > 0 {
+                break;
+              }
+              return;
+            }
+          }
+        }
+
+        let _ =
+          handle_connect_from_buffer(stream, full_request, upstream_url, bypass_matcher).await;
+        return;
+      }
+
+      // Non-CONNECT: prepend consumed bytes and pass to hyper
+      let prepended_bytes = peek_buffer[..n].to_vec();
+      let prepended_reader = PrependReader {
+        prepended: prepended_bytes,
+        prepended_pos: 0,
+        inner: stream,
+      };
+      let io = TokioIo::new(prepended_reader);
+      let service =
+        service_fn(move |req| handle_request(req, upstream_url.clone(), bypass_matcher.clone()));
+
+      let _ = http1::Builder::new().serve_connection(io, service).await;
+    }
+    Err(_) => {}
+  }
+}
+
 pub async fn run_proxy_server(config: ProxyConfig) -> Result<(), Box<dyn std::error::Error>> {
   log::error!(
     "Proxy worker starting, looking for config id: {}",
@@ -1052,145 +1133,11 @@ pub async fn run_proxy_server(config: ProxyConfig) -> Result<(), Box<dyn std::er
   // This ensures the process doesn't exit even if there are no active connections
   loop {
     match listener.accept().await {
-      Ok((mut stream, peer_addr)) => {
-        // Enable TCP_NODELAY to ensure small packets are sent immediately
-        // This is critical for CONNECT responses to be sent before tunneling begins
-        let _ = stream.set_nodelay(true);
-        log::error!("DEBUG: Accepted connection from {:?}", peer_addr);
-
+      Ok((stream, _peer_addr)) => {
         let upstream = upstream_url.clone();
         let matcher = bypass_matcher.clone();
-
         tokio::task::spawn(async move {
-          // Wait for the stream to have readable data before attempting to read.
-          // This prevents read() from returning 0 on a fresh connection before
-          // the client's data arrives.
-          if stream.readable().await.is_err() {
-            return;
-          }
-
-          let mut peek_buffer = [0u8; 16];
-          match stream.read(&mut peek_buffer).await {
-            Ok(0) => {}
-            Ok(n) => {
-              // Check if this looks like a CONNECT request
-              // Be more lenient - check if the first bytes match "CONNECT" (case-insensitive)
-              let request_start_upper =
-                String::from_utf8_lossy(&peek_buffer[..n.min(7)]).to_uppercase();
-              let is_connect = request_start_upper.starts_with("CONNECT");
-
-              log::error!(
-                "DEBUG: Read {} bytes, starts with: {:?}, is_connect: {}",
-                n,
-                String::from_utf8_lossy(&peek_buffer[..n.min(20)]),
-                is_connect
-              );
-
-              if is_connect {
-                // Handle CONNECT request manually for tunneling
-                let mut full_request = Vec::with_capacity(4096);
-                full_request.extend_from_slice(&peek_buffer[..n]);
-
-                // Read the rest of the CONNECT request until we have the full headers
-                // CONNECT requests end with \r\n\r\n (or \n\n)
-                let mut remaining = [0u8; 4096];
-                let mut total_read = n;
-                let max_reads = 100; // Prevent infinite loop
-                let mut reads = 0;
-
-                loop {
-                  if reads >= max_reads {
-                    log::error!("DEBUG: Max reads reached, breaking");
-                    break;
-                  }
-
-                  match stream.read(&mut remaining).await {
-                    Ok(0) => {
-                      // Connection closed, but we might have a complete request
-                      if full_request.ends_with(b"\r\n\r\n") || full_request.ends_with(b"\n\n") {
-                        break;
-                      }
-                      // If we have some data, try to process it anyway
-                      if total_read > 0 {
-                        break;
-                      }
-                      return; // No data at all
-                    }
-                    Ok(m) => {
-                      reads += 1;
-                      total_read += m;
-                      full_request.extend_from_slice(&remaining[..m]);
-
-                      // Check if we have complete headers
-                      if full_request.ends_with(b"\r\n\r\n") || full_request.ends_with(b"\n\n") {
-                        break;
-                      }
-
-                      // Also check if we have enough to parse (at least "CONNECT host:port HTTP/1.x")
-                      if total_read >= 20 {
-                        // Check if we have a newline that might indicate end of request line
-                        if let Some(pos) = full_request.iter().position(|&b| b == b'\n') {
-                          if pos < full_request.len() - 1 {
-                            // We have at least the request line, check if we have headers
-                            let request_str = String::from_utf8_lossy(&full_request);
-                            if request_str.contains("\r\n\r\n") || request_str.contains("\n\n") {
-                              break;
-                            }
-                          }
-                        }
-                      }
-                    }
-                    Err(e) => {
-                      log::error!("DEBUG: Error reading CONNECT request: {:?}", e);
-                      // If we have some data, try to process it
-                      if total_read > 0 {
-                        break;
-                      }
-                      return;
-                    }
-                  }
-                }
-
-                // Handle CONNECT manually
-                log::error!(
-                  "DEBUG: Handling CONNECT manually for: {}",
-                  String::from_utf8_lossy(&full_request[..full_request.len().min(200)])
-                );
-                if let Err(e) =
-                  handle_connect_from_buffer(stream, full_request, upstream, matcher).await
-                {
-                  log::error!("Error handling CONNECT request: {:?}", e);
-                } else {
-                  log::error!("DEBUG: CONNECT handled successfully");
-                }
-                return;
-              }
-
-              // Not CONNECT (or partial read) - reconstruct stream with consumed bytes prepended
-              // This is critical: we MUST prepend any bytes we consumed, even if < 7 bytes
-              log::error!(
-                "DEBUG: Non-CONNECT request, first {} bytes: {:?}",
-                n,
-                String::from_utf8_lossy(&peek_buffer[..n.min(50)])
-              );
-              let prepended_bytes = peek_buffer[..n].to_vec();
-              let prepended_reader = PrependReader {
-                prepended: prepended_bytes,
-                prepended_pos: 0,
-                inner: stream,
-              };
-              let io = TokioIo::new(prepended_reader);
-              let service =
-                service_fn(move |req| handle_request(req, upstream.clone(), matcher.clone()));
-
-              if let Err(err) = http1::Builder::new().serve_connection(io, service).await {
-                log::error!("Error serving connection: {:?}", err);
-              }
-            }
-            Err(e) => {
-              log::error!("Error reading from connection: {:?}", e);
-            }
-          }
+          handle_proxy_connection(stream, upstream, matcher).await;
         });
       }
       Err(e) => {

src-tauri/src/sync/engine.rs

@@ -597,15 +597,35 @@ impl SyncEngine {
       let _ = self.sync_vpn(vpn_id, Some(app_handle)).await;
     }
 
-    // Update profile last_sync
-    let mut updated_profile = profile.clone();
-    updated_profile.last_sync = Some(
-      std::time::SystemTime::now()
-        .duration_since(std::time::UNIX_EPOCH)
-        .unwrap()
-        .as_secs(),
-    );
-    let _ = profile_manager.save_profile(&updated_profile);
+    // Download remote metadata and merge changes (name, tags, notes, etc.)
+    let remote_metadata_key = format!("{}profiles/{}/metadata.json", key_prefix, profile_id);
+    if let Ok(remote_meta) = self.download_profile_metadata(&remote_metadata_key).await {
+      let mut updated_profile = profile.clone();
+      // Merge fields that can be changed on other devices
+      updated_profile.name = remote_meta.name;
+      updated_profile.tags = remote_meta.tags;
+      updated_profile.note = remote_meta.note;
+      updated_profile.proxy_id = remote_meta.proxy_id;
+      updated_profile.vpn_id = remote_meta.vpn_id;
+      updated_profile.group_id = remote_meta.group_id;
+      updated_profile.last_sync = Some(
+        std::time::SystemTime::now()
+          .duration_since(std::time::UNIX_EPOCH)
+          .unwrap()
+          .as_secs(),
+      );
+      let _ = profile_manager.save_profile(&updated_profile);
+    } else {
+      // Fallback: just update last_sync
+      let mut updated_profile = profile.clone();
+      updated_profile.last_sync = Some(
+        std::time::SystemTime::now()
+          .duration_since(std::time::UNIX_EPOCH)
+          .unwrap()
+          .as_secs(),
+      );
+      let _ = profile_manager.save_profile(&updated_profile);
+    }
     let _ = events::emit("profiles-changed", ());
 
     let _ = events::emit(
@@ -691,6 +711,22 @@ impl SyncEngine {
     Ok(())
   }
 
+  async fn download_profile_metadata(&self, key: &str) -> SyncResult<BrowserProfile> {
+    let stat = self.client.stat(key).await?;
+    if !stat.exists {
+      return Err(SyncError::InvalidData(
+        "Remote metadata not found".to_string(),
+      ));
+    }
+
+    let presign = self.client.presign_download(key).await?;
+    let data = self.client.download_bytes(&presign.url).await?;
+    let profile: BrowserProfile = serde_json::from_slice(&data)
+      .map_err(|e| SyncError::SerializationError(format!("Failed to parse metadata: {e}")))?;
+
+    Ok(profile)
+  }
+
   async fn upload_profile_metadata(
     &self,
     profile_id: &str,
@@ -2361,6 +2397,54 @@ impl SyncEngine {
       log::info!("No missing profiles found");
     }
 
+    // Delete local synced profiles that have a remote tombstone (deleted on another device)
+    {
+      let profile_manager = ProfileManager::instance();
+      let local_synced: Vec<(String, Option<String>)> = profile_manager
+        .list_profiles()
+        .unwrap_or_default()
+        .iter()
+        .filter(|p| p.is_sync_enabled())
+        .map(|p| (p.id.to_string(), p.created_by_id.clone()))
+        .collect();
+
+      let team_prefix = if let Some(auth) = crate::cloud_auth::CLOUD_AUTH.get_user().await {
+        auth.user.team_id.map(|tid| format!("teams/{}/", tid))
+      } else {
+        None
+      };
+
+      for (pid, created_by_id) in &local_synced {
+        // Check personal tombstone
+        let personal_tombstone = format!("tombstones/profiles/{}.json", pid);
+        let has_personal_tombstone = matches!(
+          self.client.stat(&personal_tombstone).await,
+          Ok(stat) if stat.exists
+        );
+
+        // Check team tombstone
+        let has_team_tombstone = if let (Some(tp), Some(_)) = (&team_prefix, created_by_id) {
+          let team_tombstone = format!("{}tombstones/profiles/{}.json", tp, pid);
+          matches!(
+            self.client.stat(&team_tombstone).await,
+            Ok(stat) if stat.exists
+          )
+        } else {
+          false
+        };
+
+        if has_personal_tombstone || has_team_tombstone {
+          log::info!(
+            "Profile {} has remote tombstone, deleting locally (deleted on another device)",
+            pid
+          );
+          if let Err(e) = profile_manager.delete_profile_local_only(pid) {
+            log::warn!("Failed to delete tombstoned profile {}: {}", pid, e);
+          }
+        }
+      }
+    }
+
     // Refresh metadata for local cross-OS profiles (propagate renames, tags, notes from originating device)
     let profile_manager = ProfileManager::instance();
     // Collect cross-OS profiles before async operations to avoid holding non-Send Result across await

src-tauri/src/sync/scheduler.rs

@@ -153,30 +153,20 @@ impl SyncScheduler {
   }
 
   pub async fn is_profile_running(&self, profile_id: &str) -> bool {
-    // First check our internal tracking
+    // Check our internal tracking (authoritative — immediately updated by mark_profile_stopped)
     let running = self.running_profiles.lock().await;
     if running.contains(profile_id) {
       return true;
     }
     drop(running);
 
-    // Also check the actual profile state from ProfileManager
-    let profile_manager = ProfileManager::instance();
-    if let Ok(profiles) = profile_manager.list_profiles() {
-      if let Some(profile) = profiles.iter().find(|p| p.id.to_string() == profile_id) {
-        if profile.process_id.is_some() {
-          return true;
-        }
-      }
-    }
-
-    // Check if locked by another team member (profile in use remotely)
-    if crate::team_lock::TEAM_LOCK
+    // Check if locked by another device (profile in use remotely)
+    if crate::team_lock::PROFILE_LOCK
       .is_locked_by_another(profile_id)
       .await
     {
       log::debug!(
-        "Profile {} is locked by another team member, treating as running",
+        "Profile {} is locked on another device, treating as running",
         profile_id
       );
       return true;
@@ -477,31 +467,12 @@ impl SyncScheduler {
       });
     }
 
-    // Wait for all parallel syncs to finish
-    while let Some(result) = sync_set.join_next().await {
-      if let Err(e) = result {
-        log::error!("Profile sync task panicked: {e}");
-      }
-    }
-
-    // Trigger cleanup if everything is done
-    let all_done = {
-      let in_flight = self.in_flight_profiles.lock().await;
-      in_flight.is_empty()
-        && self.pending_profiles.lock().await.is_empty()
-        && self.pending_proxies.lock().await.is_empty()
-        && self.pending_groups.lock().await.is_empty()
-        && self.pending_vpns.lock().await.is_empty()
-        && self.pending_extensions.lock().await.is_empty()
-        && self.pending_extension_groups.lock().await.is_empty()
-    };
-    if all_done {
-      log::debug!("All profile syncs completed, triggering cleanup");
-      let registry = crate::downloaded_browsers_registry::DownloadedBrowsersRegistry::instance();
-      if let Err(e) = registry.cleanup_unused_binaries() {
-        log::warn!("Cleanup after sync failed: {e}");
-      } else {
-        log::debug!("Cleanup after sync completed successfully");
+    // Wait for all parallel syncs to finish (only if we actually spawned any)
+    if !sync_set.is_empty() {
+      while let Some(result) = sync_set.join_next().await {
+        if let Err(e) = result {
+          log::error!("Profile sync task panicked: {e}");
+        }
       }
     }
   }
@@ -556,16 +527,6 @@ impl SyncScheduler {
         }
 
         // Check if all sync work is complete after proxies finish
-        if !self.is_sync_in_progress().await {
-          log::debug!("All syncs completed after proxy sync, triggering cleanup");
-          let registry =
-            crate::downloaded_browsers_registry::DownloadedBrowsersRegistry::instance();
-          if let Err(e) = registry.cleanup_unused_binaries() {
-            log::warn!("Cleanup after sync failed: {e}");
-          } else {
-            log::debug!("Cleanup after sync completed successfully");
-          }
-        }
       }
       Err(e) => {
         log::error!("Failed to create sync engine: {}", e);
@@ -623,16 +584,6 @@ impl SyncScheduler {
         }
 
         // Check if all sync work is complete after groups finish
-        if !self.is_sync_in_progress().await {
-          log::debug!("All syncs completed after group sync, triggering cleanup");
-          let registry =
-            crate::downloaded_browsers_registry::DownloadedBrowsersRegistry::instance();
-          if let Err(e) = registry.cleanup_unused_binaries() {
-            log::warn!("Cleanup after sync failed: {e}");
-          } else {
-            log::debug!("Cleanup after sync completed successfully");
-          }
-        }
       }
       Err(e) => {
         log::error!("Failed to create sync engine: {}", e);
@@ -685,17 +636,6 @@ impl SyncScheduler {
             }
           }
         }
-
-        if !self.is_sync_in_progress().await {
-          log::debug!("All syncs completed after VPN sync, triggering cleanup");
-          let registry =
-            crate::downloaded_browsers_registry::DownloadedBrowsersRegistry::instance();
-          if let Err(e) = registry.cleanup_unused_binaries() {
-            log::warn!("Cleanup after sync failed: {e}");
-          } else {
-            log::debug!("Cleanup after sync completed successfully");
-          }
-        }
       }
       Err(e) => {
         log::error!("Failed to create sync engine: {}", e);
@@ -725,15 +665,6 @@ impl SyncScheduler {
             log::error!("Failed to sync extension {}: {}", ext_id, e);
           }
         }
-
-        if !self.is_sync_in_progress().await {
-          log::debug!("All syncs completed after extension sync, triggering cleanup");
-          let registry =
-            crate::downloaded_browsers_registry::DownloadedBrowsersRegistry::instance();
-          if let Err(e) = registry.cleanup_unused_binaries() {
-            log::warn!("Cleanup after sync failed: {e}");
-          }
-        }
       }
       Err(e) => {
         log::error!("Failed to create sync engine: {}", e);
@@ -763,15 +694,6 @@ impl SyncScheduler {
             log::error!("Failed to sync extension group {}: {}", group_id, e);
           }
         }
-
-        if !self.is_sync_in_progress().await {
-          log::debug!("All syncs completed after extension group sync, triggering cleanup");
-          let registry =
-            crate::downloaded_browsers_registry::DownloadedBrowsersRegistry::instance();
-          if let Err(e) = registry.cleanup_unused_binaries() {
-            log::warn!("Cleanup after sync failed: {e}");
-          }
-        }
       }
       Err(e) => {
         log::error!("Failed to create sync engine: {}", e);

src-tauri/src/sync/subscription.rs

@@ -233,10 +233,16 @@ impl SyncSubscription {
     let key = Self::strip_team_prefix(raw_key);
 
     let work_item = if key.starts_with("profiles/") {
-      key
-        .strip_prefix("profiles/")
-        .and_then(|s| s.strip_suffix(".tar.gz"))
-        .map(|s| SyncWorkItem::Profile(s.to_string()))
+      // Match both bundle uploads (profiles/{id}.tar.gz) and delta sync updates
+      // (profiles/{id}/manifest.json, profiles/{id}/files/*, profiles/{id}/metadata.json)
+      let profile_id = key.strip_prefix("profiles/").and_then(|rest| {
+        // profiles/{id}.tar.gz → id
+        rest
+          .strip_suffix(".tar.gz")
+          // profiles/{id}/manifest.json → id
+          .or_else(|| rest.split('/').next().filter(|s| !s.is_empty()))
+      });
+      profile_id.map(|s| SyncWorkItem::Profile(s.to_string()))
     } else if key.starts_with("proxies/") {
       key
         .strip_prefix("proxies/")

src-tauri/src/team_lock.rs

@@ -31,42 +31,45 @@ struct AcquireLockResponse {
   locked_by_email: Option<String>,
 }
 
-pub struct TeamLockManager {
+pub struct ProfileLockManager {
   locks: RwLock<HashMap<String, ProfileLockInfo>>,
   heartbeat_handle: Mutex<Option<JoinHandle<()>>>,
-  connected_team_id: Mutex<Option<String>>,
+  connected: Mutex<bool>,
 }
 
 lazy_static! {
-  pub static ref TEAM_LOCK: TeamLockManager = TeamLockManager::new();
+  pub static ref PROFILE_LOCK: ProfileLockManager = ProfileLockManager::new();
 }
 
-impl TeamLockManager {
+// Keep backward compatibility alias
+pub use PROFILE_LOCK as TEAM_LOCK;
+
+impl ProfileLockManager {
   fn new() -> Self {
     Self {
       locks: RwLock::new(HashMap::new()),
       heartbeat_handle: Mutex::new(None),
-      connected_team_id: Mutex::new(None),
+      connected: Mutex::new(false),
     }
   }
 
-  pub async fn connect(&self, team_id: &str) {
-    log::info!("Connecting team lock manager for team: {team_id}");
+  pub async fn connect(&self) {
+    log::info!("Connecting profile lock manager");
 
     {
-      let mut tid = self.connected_team_id.lock().await;
-      *tid = Some(team_id.to_string());
+      let mut c = self.connected.lock().await;
+      *c = true;
     }
 
-    if let Err(e) = self.fetch_initial_locks(team_id).await {
-      log::warn!("Failed to fetch initial locks: {e}");
+    if let Err(e) = self.fetch_locks().await {
+      log::warn!("Failed to fetch initial profile locks: {e}");
     }
 
     self.start_heartbeat_loop().await;
   }
 
   pub async fn disconnect(&self) {
-    log::info!("Disconnecting team lock manager");
+    log::info!("Disconnecting profile lock manager");
 
     {
       let mut handle = self.heartbeat_handle.lock().await;
@@ -81,23 +84,24 @@ impl TeamLockManager {
     }
 
     {
-      let mut tid = self.connected_team_id.lock().await;
-      *tid = None;
+      let mut c = self.connected.lock().await;
+      *c = false;
     }
   }
 
-  pub async fn acquire_lock(&self, profile_id: &str) -> Result<(), String> {
-    let team_id = self.get_team_id().await?;
-    let client = Client::new();
+  pub async fn is_connected(&self) -> bool {
+    *self.connected.lock().await
+  }
 
+  pub async fn acquire_lock(&self, profile_id: &str) -> Result<(), String> {
+    let client = Client::new();
     let access_token =
       CloudAuthManager::load_access_token()?.ok_or_else(|| "Not logged in".to_string())?;
 
-    let url = format!("{CLOUD_API_URL}/api/teams/{team_id}/locks");
+    let url = format!("{CLOUD_API_URL}/api/profile-locks/{profile_id}");
     let response = client
       .post(&url)
       .header("Authorization", format!("Bearer {access_token}"))
-      .json(&serde_json::json!({ "profileId": profile_id }))
       .send()
       .await
       .map_err(|e| format!("Failed to acquire lock: {e}"))?;
@@ -116,7 +120,7 @@ impl TeamLockManager {
     if !result.success {
       let email = result
         .locked_by_email
-        .unwrap_or_else(|| "another user".to_string());
+        .unwrap_or_else(|| "another device".to_string());
       return Err(format!("Profile is in use by {email}"));
     }
 
@@ -136,21 +140,19 @@ impl TeamLockManager {
     }
 
     let _ = crate::events::emit(
-      "team-lock-acquired",
-      serde_json::json!({ "profileId": profile_id }),
+      "profile-lock-changed",
+      serde_json::json!({ "profileId": profile_id, "action": "acquired" }),
     );
 
     Ok(())
   }
 
   pub async fn release_lock(&self, profile_id: &str) -> Result<(), String> {
-    let team_id = self.get_team_id().await?;
     let client = Client::new();
-
     let access_token =
       CloudAuthManager::load_access_token()?.ok_or_else(|| "Not logged in".to_string())?;
 
-    let url = format!("{CLOUD_API_URL}/api/teams/{team_id}/locks/{profile_id}");
+    let url = format!("{CLOUD_API_URL}/api/profile-locks/{profile_id}");
     let _ = client
       .delete(&url)
       .header("Authorization", format!("Bearer {access_token}"))
@@ -163,8 +165,8 @@ impl TeamLockManager {
     }
 
     let _ = crate::events::emit(
-      "team-lock-released",
-      serde_json::json!({ "profileId": profile_id }),
+      "profile-lock-changed",
+      serde_json::json!({ "profileId": profile_id, "action": "released" }),
     );
 
     Ok(())
@@ -190,12 +192,12 @@ impl TeamLockManager {
     false
   }
 
-  async fn fetch_initial_locks(&self, team_id: &str) -> Result<(), String> {
+  async fn fetch_locks(&self) -> Result<(), String> {
     let client = Client::new();
     let access_token =
       CloudAuthManager::load_access_token()?.ok_or_else(|| "Not logged in".to_string())?;
 
-    let url = format!("{CLOUD_API_URL}/api/teams/{team_id}/locks");
+    let url = format!("{CLOUD_API_URL}/api/profile-locks");
     let response = client
       .get(&url)
       .header("Authorization", format!("Bearer {access_token}"))
@@ -231,13 +233,13 @@ impl TeamLockManager {
       loop {
         tokio::time::sleep(std::time::Duration::from_secs(30)).await;
 
-        let team_id = match TEAM_LOCK.get_team_id().await {
-          Ok(id) => id,
-          Err(_) => break,
-        };
+        if !PROFILE_LOCK.is_connected().await {
+          break;
+        }
 
+        // Send heartbeat for each held lock
         let held_locks: Vec<String> = {
-          let locks = TEAM_LOCK.locks.read().await;
+          let locks = PROFILE_LOCK.locks.read().await;
           if let Some(user) = CLOUD_AUTH.get_user().await {
             locks
               .values()
@@ -252,7 +254,7 @@ impl TeamLockManager {
         for profile_id in held_locks {
           let client = Client::new();
           if let Ok(Some(token)) = CloudAuthManager::load_access_token() {
-            let url = format!("{CLOUD_API_URL}/api/teams/{team_id}/locks/{profile_id}/heartbeat");
+            let url = format!("{CLOUD_API_URL}/api/profile-locks/{profile_id}/heartbeat");
             let _ = client
               .post(&url)
               .header("Authorization", format!("Bearer {token}"))
@@ -262,63 +264,56 @@ impl TeamLockManager {
         }
 
         // Refresh lock state from server
-        if let Err(e) = TEAM_LOCK.fetch_initial_locks(&team_id).await {
-          log::debug!("Failed to refresh locks: {e}");
+        if let Err(e) = PROFILE_LOCK.fetch_locks().await {
+          log::debug!("Failed to refresh profile locks: {e}");
         }
       }
     });
 
     *handle = Some(h);
   }
-
-  async fn get_team_id(&self) -> Result<String, String> {
-    let tid = self.connected_team_id.lock().await;
-    tid
-      .clone()
-      .ok_or_else(|| "Not connected to a team".to_string())
-  }
 }
 
-/// Acquire team lock if profile is sync-enabled and user is on a team.
-/// Returns Ok(()) if lock acquired or not applicable, Err with message if locked by another.
+/// Acquire profile lock if profile is sync-enabled and user has a paid subscription.
 pub async fn acquire_team_lock_if_needed(
   profile: &crate::profile::BrowserProfile,
 ) -> Result<(), String> {
   if !profile.is_sync_enabled() {
     return Ok(());
   }
-  if !CLOUD_AUTH.is_on_team_plan().await {
+  if !CLOUD_AUTH.has_active_paid_subscription().await {
     return Ok(());
   }
 
-  if TEAM_LOCK
+  // Ensure lock manager is connected
+  if !PROFILE_LOCK.is_connected().await {
+    PROFILE_LOCK.connect().await;
+  }
+
+  if PROFILE_LOCK
     .is_locked_by_another(&profile.id.to_string())
     .await
   {
-    if let Some(lock) = TEAM_LOCK.get_lock_status(&profile.id.to_string()).await {
+    if let Some(lock) = PROFILE_LOCK.get_lock_status(&profile.id.to_string()).await {
       return Err(format!("Profile is in use by {}", lock.locked_by_email));
     }
-    return Err("Profile is in use by another team member".to_string());
+    return Err("Profile is in use on another device".to_string());
   }
 
-  TEAM_LOCK.acquire_lock(&profile.id.to_string()).await
+  PROFILE_LOCK.acquire_lock(&profile.id.to_string()).await
 }
 
-/// Release team lock if profile is sync-enabled and user is on a team.
-/// Logs warnings on failure but does not return errors.
+/// Release profile lock if profile is sync-enabled and user has a paid subscription.
 pub async fn release_team_lock_if_needed(profile: &crate::profile::BrowserProfile) {
   if !profile.is_sync_enabled() {
     return;
   }
-  if !CLOUD_AUTH.is_on_team_plan().await {
+  if !CLOUD_AUTH.has_active_paid_subscription().await {
     return;
   }
 
-  if let Err(e) = TEAM_LOCK.release_lock(&profile.id.to_string()).await {
-    log::warn!(
-      "Failed to release team lock for profile {}: {e}",
-      profile.id
-    );
+  if let Err(e) = PROFILE_LOCK.release_lock(&profile.id.to_string()).await {
+    log::warn!("Failed to release profile lock for {}: {e}", profile.id);
   }
 }
 
@@ -326,10 +321,10 @@ pub async fn release_team_lock_if_needed(profile: &crate::profile::BrowserProfil
 
 #[tauri::command]
 pub async fn get_team_locks() -> Result<Vec<ProfileLockInfo>, String> {
-  Ok(TEAM_LOCK.get_locks().await)
+  Ok(PROFILE_LOCK.get_locks().await)
 }
 
 #[tauri::command]
 pub async fn get_team_lock_status(profile_id: String) -> Result<Option<ProfileLockInfo>, String> {
-  Ok(TEAM_LOCK.get_lock_status(&profile_id).await)
+  Ok(PROFILE_LOCK.get_lock_status(&profile_id).await)
 }

src-tauri/tauri.conf.json

@@ -1,7 +1,7 @@
 {
   "$schema": "https://schema.tauri.app/config/2",
   "productName": "Donut",
-  "version": "0.17.1",
+  "version": "0.17.6",
   "identifier": "com.donutbrowser",
   "build": {
     "beforeDevCommand": "pnpm copy-proxy-binary && pnpm dev",

src/components/integrations-dialog.tsx

@@ -361,6 +361,9 @@ export function IntegrationsDialog({
                   <p className="text-xs text-muted-foreground">
                     {t("integrations.mcpCopyHint")}
                   </p>
+                  <p className="text-xs text-muted-foreground">
+                    {t("integrations.mcpConfigPath")}
+                  </p>
                 </div>
               )}
             </TabsContent>

src/components/profile-data-table.tsx

@@ -1648,14 +1648,18 @@ export function ProfilesDataTable({
 
           // Cross-OS profiles: show OS icon when checkboxes aren't visible, show checkbox when they are
           if (isCrossOs && !meta.showCheckboxes && !isSelected) {
-            const osName = profile.host_os
-              ? getOSDisplayName(profile.host_os)
+            const resolvedOs =
+              profile.host_os ||
+              profile.camoufox_config?.os ||
+              profile.wayfern_config?.os;
+            const osName = resolvedOs
+              ? getOSDisplayName(resolvedOs)
               : "another OS";
             const crossOsTooltip = t("crossOs.viewOnly", { os: osName });
             const OsIcon =
-              profile.host_os === "macos"
+              resolvedOs === "macos"
                 ? FaApple
-                : profile.host_os === "windows"
+                : resolvedOs === "windows"
                   ? FaWindows
                   : FaLinux;
             return (
@@ -1684,8 +1688,12 @@ export function ProfilesDataTable({
 
           // Cross-OS profiles with checkboxes visible: show checkbox (selectable for bulk delete)
           if (isCrossOs && (meta.showCheckboxes || isSelected)) {
-            const osName = profile.host_os
-              ? getOSDisplayName(profile.host_os)
+            const resolvedOs =
+              profile.host_os ||
+              profile.camoufox_config?.os ||
+              profile.wayfern_config?.os;
+            const osName = resolvedOs
+              ? getOSDisplayName(resolvedOs)
               : "another OS";
             const crossOsTooltip = t("crossOs.viewOnly", { os: osName });
             return (
@@ -2017,7 +2025,7 @@ export function ProfilesDataTable({
             );
 
           const isCrossOs = isCrossOsProfile(profile);
-          const isCrossOsBlocked = isCrossOs && !meta.crossOsUnlocked;
+          const isCrossOsBlocked = isCrossOs;
           const isRunning =
             meta.isClient && meta.runningProfiles.has(profile.id);
           const isLaunching = meta.launchingProfiles.has(profile.id);
@@ -2078,7 +2086,7 @@ export function ProfilesDataTable({
           const meta = table.options.meta as TableMeta;
           const profile = row.original;
           const isCrossOs = isCrossOsProfile(profile);
-          const isCrossOsBlocked = isCrossOs && !meta.crossOsUnlocked;
+          const isCrossOsBlocked = isCrossOs;
           const isRunning =
             meta.isClient && meta.runningProfiles.has(profile.id);
           const isLaunching = meta.launchingProfiles.has(profile.id);
@@ -2107,7 +2115,7 @@ export function ProfilesDataTable({
           const meta = table.options.meta as TableMeta;
           const profile = row.original;
           const isCrossOs = isCrossOsProfile(profile);
-          const isCrossOsBlocked = isCrossOs && !meta.crossOsUnlocked;
+          const isCrossOsBlocked = isCrossOs;
           const isRunning =
             meta.isClient && meta.runningProfiles.has(profile.id);
           const isLaunching = meta.launchingProfiles.has(profile.id);
@@ -2134,7 +2142,7 @@ export function ProfilesDataTable({
           const meta = table.options.meta as TableMeta;
           const profile = row.original;
           const isCrossOs = isCrossOsProfile(profile);
-          const isCrossOsBlocked = isCrossOs && !meta.crossOsUnlocked;
+          const isCrossOsBlocked = isCrossOs;
           const isRunning =
             meta.isClient && meta.runningProfiles.has(profile.id);
           const isLaunching = meta.launchingProfiles.has(profile.id);
@@ -2534,7 +2542,12 @@ export function ProfilesDataTable({
                 const rowIsCrossOs = isCrossOsProfile(row.original);
                 const crossOsTitle = rowIsCrossOs
                   ? t("crossOs.viewOnly", {
-                      os: getOSDisplayName(row.original.host_os ?? ""),
+                      os: getOSDisplayName(
+                        row.original.host_os ||
+                          row.original.camoufox_config?.os ||
+                          row.original.wayfern_config?.os ||
+                          "",
+                      ),
                     })
                   : undefined;
                 return (

src/components/profile-info-dialog.tsx

@@ -211,7 +211,7 @@ export function ProfileInfoDialog({
     profile.release_type.slice(1);
   const hasTags = profile.tags && profile.tags.length > 0;
   const hasNote = !!profile.note;
-  const showCrossOs = !!(profile.host_os && isCrossOsProfile(profile));
+  const showCrossOs = isCrossOsProfile(profile);
 
   type ActionItem = {
     icon: React.ReactNode;
@@ -364,10 +364,22 @@ export function ProfileInfoDialog({
                           {t("profiles.ephemeralBadge")}
                         </Badge>
                       )}
-                      {showCrossOs && profile.host_os && (
+                      {showCrossOs && (
                         <Badge variant="outline" className="text-xs gap-1">
-                          <OSIcon os={profile.host_os} />
-                          {getOSDisplayName(profile.host_os)}
+                          <OSIcon
+                            os={
+                              profile.host_os ||
+                              profile.camoufox_config?.os ||
+                              profile.wayfern_config?.os ||
+                              ""
+                            }
+                          />
+                          {getOSDisplayName(
+                            profile.host_os ||
+                              profile.camoufox_config?.os ||
+                              profile.wayfern_config?.os ||
+                              "",
+                          )}
                         </Badge>
                       )}
                     </div>

src/hooks/use-browser-state.ts

@@ -15,7 +15,7 @@ export function useBrowserState(
   _isUpdating: (browser: string) => boolean,
   launchingProfiles: Set<string>,
   stoppingProfiles: Set<string>,
-  crossOsUnlocked = false,
+  _crossOsUnlocked = false,
 ) {
   const [isClient, setIsClient] = useState(false);
 
@@ -53,7 +53,7 @@ export function useBrowserState(
     (profile: BrowserProfile): boolean => {
       if (!isClient) return false;
 
-      if (isCrossOsProfile(profile) && !crossOsUnlocked) return false;
+      if (isCrossOsProfile(profile)) return false;
 
       const isRunning = runningProfiles.has(profile.id);
       const isLaunching = launchingProfiles.has(profile.id);
@@ -81,7 +81,6 @@ export function useBrowserState(
       isAnyInstanceRunning,
       launchingProfiles,
       stoppingProfiles,
-      crossOsUnlocked,
     ],
   );
 
@@ -158,11 +157,16 @@ export function useBrowserState(
     (profile: BrowserProfile): string => {
       if (!isClient) return "Loading...";
 
-      if (isCrossOsProfile(profile) && profile.host_os) {
-        if (!crossOsUnlocked) {
-          const osName = getOSDisplayName(profile.host_os);
-          return `This profile was created on ${osName}. A paid subscription is required to launch cross-OS profiles.`;
+      if (isCrossOsProfile(profile)) {
+        const profileOs =
+          profile.host_os ||
+          profile.camoufox_config?.os ||
+          profile.wayfern_config?.os;
+        if (profileOs) {
+          const osName = getOSDisplayName(profileOs);
+          return `This profile was created on ${osName} and cannot be launched on a different operating system.`;
         }
+        return "This profile was created on a different operating system and cannot be launched here.";
       }
 
       const isRunning = runningProfiles.has(profile.id);
@@ -197,7 +201,6 @@ export function useBrowserState(
       canLaunchProfile,
       launchingProfiles,
       stoppingProfiles,
-      crossOsUnlocked,
     ],
   );
 

src/i18n/locales/en.json

@@ -421,7 +421,8 @@
       "config": "MCP Configuration",
       "copyConfig": "Copy Configuration"
     },
-    "mcpCopyHint": "Add this to your MCP client config to connect."
+    "mcpCopyHint": "Copy and paste this into your MCP client configuration.",
+    "mcpConfigPath": "Claude Desktop: ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\\Claude\\claude_desktop_config.json (Windows)"
   },
   "import": {
     "title": "Import Profile",

src/i18n/locales/es.json

@@ -421,7 +421,8 @@
       "config": "Configuración MCP",
       "copyConfig": "Copiar Configuración"
     },
-    "mcpCopyHint": "Agrega esto a la configuración de tu cliente MCP para conectarte."
+    "mcpCopyHint": "Copia y pega esto en la configuración de tu cliente MCP.",
+    "mcpConfigPath": "Claude Desktop: ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) o %APPDATA%\\Claude\\claude_desktop_config.json (Windows)"
   },
   "import": {
     "title": "Importar Perfil",

src/i18n/locales/fr.json

@@ -421,7 +421,8 @@
       "config": "Configuration MCP",
       "copyConfig": "Copier la configuration"
     },
-    "mcpCopyHint": "Ajoutez ceci à la configuration de votre client MCP pour vous connecter."
+    "mcpCopyHint": "Copiez et collez ceci dans la configuration de votre client MCP.",
+    "mcpConfigPath": "Claude Desktop : ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) ou %APPDATA%\\Claude\\claude_desktop_config.json (Windows)"
   },
   "import": {
     "title": "Importer un profil",

src/i18n/locales/ja.json

@@ -421,7 +421,8 @@
       "config": "MCP設定",
       "copyConfig": "設定をコピー"
     },
-    "mcpCopyHint": "MCPクライアントの設定にこれを追加して接続してください。"
+    "mcpCopyHint": "MCPクライアントの設定にコピーして貼り付けてください。",
+    "mcpConfigPath": "Claude Desktop: ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) または %APPDATA%\\Claude\\claude_desktop_config.json (Windows)"
   },
   "import": {
     "title": "プロファイルをインポート",

src/i18n/locales/pt.json

@@ -421,7 +421,8 @@
       "config": "Configuração MCP",
       "copyConfig": "Copiar Configuração"
     },
-    "mcpCopyHint": "Adicione isso à configuração do seu cliente MCP para conectar."
+    "mcpCopyHint": "Copie e cole isso na configuração do seu cliente MCP.",
+    "mcpConfigPath": "Claude Desktop: ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) ou %APPDATA%\\Claude\\claude_desktop_config.json (Windows)"
   },
   "import": {
     "title": "Importar Perfil",

src/i18n/locales/ru.json

@@ -421,7 +421,8 @@
       "config": "Конфигурация MCP",
       "copyConfig": "Копировать конфигурацию"
     },
-    "mcpCopyHint": "Добавьте это в конфигурацию вашего MCP-клиента для подключения."
+    "mcpCopyHint": "Скопируйте и вставьте это в конфигурацию вашего MCP-клиента.",
+    "mcpConfigPath": "Claude Desktop: ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) или %APPDATA%\\Claude\\claude_desktop_config.json (Windows)"
   },
   "import": {
     "title": "Импорт профиля",

src/i18n/locales/zh.json

@@ -421,7 +421,8 @@
       "config": "MCP 配置",
       "copyConfig": "复制配置"
     },
-    "mcpCopyHint": "将此添加到您的MCP客户端配置中以进行连接。"
+    "mcpCopyHint": "将此内容复制并粘贴到您的 MCP 客户端配置中。",
+    "mcpConfigPath": "Claude Desktop: ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) 或 %APPDATA%\\Claude\\claude_desktop_config.json (Windows)"
   },
   "import": {
     "title": "导入配置文件",

src/lib/browser-utils.ts

@@ -57,9 +57,17 @@ export const getCurrentOS = () => {
   return "unknown";
 };
 
-export function isCrossOsProfile(profile: { host_os?: string }): boolean {
-  if (!profile.host_os) return false;
-  return profile.host_os !== getCurrentOS();
+export function isCrossOsProfile(profile: {
+  host_os?: string;
+  camoufox_config?: { os?: string };
+  wayfern_config?: { os?: string };
+}): boolean {
+  const profileOs =
+    profile.host_os ||
+    profile.camoufox_config?.os ||
+    profile.wayfern_config?.os;
+  if (!profileOs) return false;
+  return profileOs !== getCurrentOS();
 }
 
 export function getOSDisplayName(os: string): string {