refactor: better cleanup

chore: version bump
chore: linting
2026-06-11 17:27:54 +02:00 · 2026-04-19 22:43:16 +04:00 · 2026-04-19 21:44:13 +04:00 · 2026-04-19 21:07:10 +04:00 · 2026-04-19 19:40:55 +04:00 · 2026-04-19 19:40:55 +04:00
162 changed files with 11370 additions and 4653 deletions
@@ -197,6 +197,7 @@ These are frequently overlooked issues that make UI look unprofessional:
 Before delivering UI code, verify these items:

 ### Visual Quality
+
 - [ ] No emojis used as icons (use SVG instead)
 - [ ] All icons from consistent icon set (Heroicons/Lucide)
 - [ ] Brand logos are correct (verified from Simple Icons)
@@ -204,24 +205,28 @@ Before delivering UI code, verify these items:
 - [ ] Use theme colors directly (bg-primary) not var() wrapper

 ### Interaction
+
 - [ ] All clickable elements have `cursor-pointer`
 - [ ] Hover states provide clear visual feedback
 - [ ] Transitions are smooth (150-300ms)
 - [ ] Focus states visible for keyboard navigation

 ### Light/Dark Mode
+
 - [ ] Light mode text has sufficient contrast (4.5:1 minimum)
 - [ ] Glass/transparent elements visible in light mode
 - [ ] Borders visible in both modes
 - [ ] Test both modes before delivery

 ### Layout
+
 - [ ] Floating elements have proper spacing from edges
 - [ ] No content hidden behind fixed navbars
 - [ ] Responsive at 320px, 768px, 1024px, 1440px
 - [ ] No horizontal scroll on mobile

 ### Accessibility
+
 - [ ] All images have alt text
 - [ ] Form inputs have labels
 - [ ] Color is not the only indicator
@@ -31,10 +31,10 @@ jobs:
            build-mode: none
    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2

      - name: Set up pnpm package manager
-        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 #v4.4.0
+        uses: pnpm/action-setup@078e9d416474b29c0c387560859308974f7e9c53 #v6.0.1
        with:
          run_install: false

@@ -22,7 +22,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
      - name: Contribute List
        uses: akhilmhdh/contributors-readme-action@83ea0b4f1ac928fbfe88b9e8460a932a528eb79f #v2.3.11
        env:
@@ -13,7 +13,7 @@ jobs:
  security-scan:
    name: Security Vulnerability Scan
    if: github.repository == 'zhom/donutbrowser' && github.actor == 'dependabot[bot]'
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@c5996e0193a3df57d695c1b8a1dec2a4c62e8730" # v2.3.3
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@c51854704019a247608d928f370c98740469d4b5" # v2.3.5
    with:
      scan-args: |-
        -r
@@ -69,7 +69,7 @@ jobs:
    steps:
      - name: Dependabot metadata
        id: metadata
-        uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a #v2.5.0
+        uses: dependabot/fetch-metadata@ffa630c65fa7e0ecfa0625b5ceda64399aea1b36 #v3.0.0
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      - name: Enable auto-merge for minor and patch updates
@@ -30,13 +30,13 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 #v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f #v3
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd #v4.0.0

      - name: Log in to Docker Hub
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 #v3
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 #v4.1.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -62,7 +62,7 @@ jobs:
          echo "Tags: ${TAGS}"

      - name: Build and push Docker image
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 #v6
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f #v7.1.0
        with:
          context: .
          file: ./donut-sync/Dockerfile
@@ -26,7 +26,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2

      - name: Install Nix
        uses: cachix/install-nix-action@a6f7623b2e2401f485f1eead77ced45bd99b09b0 #v31
@@ -22,7 +22,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2

      - name: Check if first-time contributor
        id: check-first-time
@@ -30,9 +30,9 @@ jobs:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          ISSUE_AUTHOR: ${{ github.event.issue.user.login }}
        run: |
-          ISSUE_COUNT=$(gh api "/repos/${{ github.repository }}/issues" \
-            --jq "map(select(.user.login == \"$ISSUE_AUTHOR\" and .number != ${{ github.event.issue.number }})) | length" \
-            --paginate || echo "0")
+          ISSUE_COUNT=$(gh api "/repos/${{ github.repository }}/issues?state=all&creator=$ISSUE_AUTHOR&per_page=100" \
+            --jq "[.[] | select(.number != ${{ github.event.issue.number }}) ] | length" \
+            || echo "0")

          if [ "$ISSUE_COUNT" = "0" ]; then
            echo "is_first_time=true" >> $GITHUB_OUTPUT
@@ -131,7 +131,7 @@ jobs:
              messages: [
                {
                  role: "system",
-                  content: ("You are a triage bot for Donut Browser, an open-source anti-detect browser (Tauri desktop app: Rust backend + Next.js frontend).\n\nProject guidelines and structure:\n" + $repo_context + "\n\nYou have access to relevant source files for context. Use them to give specific, actionable advice.\n\nAnalyze the issue and produce a single comment. Format:\n\n1. One sentence acknowledging the issue.\n2. **Possible cause** - Based on the source code, briefly explain what might be going wrong and which files are involved. Be specific (mention file names, function names, line ranges if possible).\n3. **Action items** - What specific info is missing or what the user should try. Only include items that are actually missing.\n   - For bug reports: if logs are needed, tell the user EXACTLY how to get them:\n     - macOS app logs: `~/Library/Logs/Donut Browser/`\n     - Linux app logs: `~/.local/share/DonutBrowser/logs/`\n     - Windows app logs: `%APPDATA%\\DonutBrowser\\logs\\`\n     - Sync server logs: `docker logs <container>` or check the server console\n     - Provide a ready-to-run shell command when possible.\n   - For self-hosted sync issues: check if the user is using the latest Docker image (`docker pull donutbrowser/donut-sync:latest`).\n4. Suggest a label: `Label: bug` or `Label: enhancement` on its own line.\n\nRules:\n- Be brief but specific. Reference actual code when possible.\n- If the issue already has everything needed, just acknowledge it and point to the likely cause.\n- Never exceed 15 lines.")
+                  content: ("You are a triage bot for Donut Browser, an open-source anti-detect browser (Tauri desktop app: Rust backend + Next.js frontend).\n\nProject guidelines and structure:\n" + $repo_context + "\n\nYou have access to relevant source files for context.\n\nAnalyze the issue and produce a single comment. Your job is to collect missing information needed to diagnose the issue, NOT to guess the cause.\n\nFormat:\n\n1. One sentence acknowledging the issue.\n2. **Missing information** - Ask specific questions about what is missing from the report. Focus on reproducing the issue. Do NOT speculate about root causes or mention internal code/files — you will almost certainly be wrong without logs. Instead, ask for:\n   - Exact steps to reproduce (if not provided)\n   - Expected vs actual behavior (if unclear)\n   - Error messages or screenshots (if not provided)\n   - OS and app version (if not provided)\n   - For bug reports: if logs are needed, tell the user EXACTLY how to get them:\n     - macOS app logs: `~/Library/Logs/Donut Browser/`\n     - Linux app logs: `~/.local/share/DonutBrowser/logs/`\n     - Windows app logs: `%APPDATA%\\DonutBrowser\\logs\\`\n     - Sync server logs: `docker logs <container>` or check the server console\n     - Provide a ready-to-run shell command when possible.\n   - For self-hosted sync issues: check if the user is using the latest Docker image (`docker pull donutbrowser/donut-sync:latest`).\n   - Only ask for information that is actually missing. If the issue is already detailed, just acknowledge it.\n3. Suggest a label: `Label: bug` or `Label: enhancement` on its own line.\n\nRules:\n- Do NOT include a \"Possible cause\" section. Do not speculate about what code might be causing the issue.\n- Be brief and focused on collecting actionable information from the reporter.\n- If the issue already has everything needed (steps to reproduce, logs, version, OS), just acknowledge it.\n- Never exceed 15 lines.")
                },
                {
                  role: "user",
@@ -181,7 +181,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2

      - name: Check if first-time contributor
        id: check-first-time
@@ -324,10 +324,10 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2

      - name: Run opencode
-        uses: anomalyco/opencode/github@4ee426ba549131c4903a71dfb6259200467aca81 #v1.2.27
+        uses: anomalyco/opencode/github@a35b8a95c27d28e979a3826e1289d7ee87f40251 #v1.4.11
        env:
          ZHIPU_API_KEY: ${{ secrets.ZHIPU_API_KEY }}
          TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -34,10 +34,10 @@ jobs:
        run: git config --global core.autocrlf false

      - name: Checkout repository code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2

      - name: Set up pnpm package manager
-        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 #v4.4.0
+        uses: pnpm/action-setup@078e9d416474b29c0c387560859308974f7e9c53 #v6.0.1
        with:
          run_install: false

@@ -41,10 +41,10 @@ jobs:
        run: git config --global core.autocrlf false

      - name: Checkout repository code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2

      - name: Set up pnpm package manager
-        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 #v4.4.0
+        uses: pnpm/action-setup@078e9d416474b29c0c387560859308974f7e9c53 #v6.0.1
        with:
          run_install: false

@@ -67,7 +67,7 @@ jobs:
        if: matrix.os == 'ubuntu-22.04'
        run: |
          sudo apt-get update
-          sudo apt install libwebkit2gtk-4.1-dev build-essential curl wget file libxdo-dev libssl-dev libayatana-appindicator3-dev librsvg2-dev
+          sudo apt install libwebkit2gtk-4.1-dev build-essential curl wget file libxdo-dev libssl-dev libayatana-appindicator3-dev librsvg2-dev openvpn

      - name: Install frontend dependencies
        run: pnpm install --frozen-lockfile
@@ -113,12 +113,8 @@ jobs:
        run: cargo clippy --all-targets --all-features -- -D warnings -D clippy::all
        working-directory: src-tauri

-      - name: Run Rust unit tests
-        run: cargo test --lib && cargo test --test donut_proxy_integration && cargo test --test vpn_integration
-        working-directory: src-tauri
-
-      - name: Run Rust sync e2e tests
-        run: node scripts/sync-test-harness.mjs
+      - name: Run test suite
+        run: pnpm test

      - name: Run cargo audit security check
        run: cargo audit
@@ -46,7 +46,7 @@ jobs:
  scan-scheduled:
    name: Scheduled Security Scan
    if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@c5996e0193a3df57d695c1b8a1dec2a4c62e8730" # v2.3.3
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@c51854704019a247608d928f370c98740469d4b5" # v2.3.5
    with:
      scan-args: |-
        -r
@@ -58,7 +58,7 @@ jobs:
  scan-pr:
    name: PR Security Scan
    if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@c5996e0193a3df57d695c1b8a1dec2a4c62e8730" # v2.3.3
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@c51854704019a247608d928f370c98740469d4b5" # v2.3.5
    with:
      scan-args: |-
        -r
@@ -29,7 +29,7 @@ jobs:
  security-scan:
    name: Security Vulnerability Scan
    if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@c5996e0193a3df57d695c1b8a1dec2a4c62e8730" # v2.3.3
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@c51854704019a247608d928f370c98740469d4b5" # v2.3.5
    with:
      scan-args: |-
        -r
@@ -0,0 +1,221 @@
+name: Publish Linux Repos
+
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Release tag (e.g. v0.18.1). Leave empty for latest."
+        required: false
+        type: string
+  workflow_run:
+    workflows: ["Release"]
+    types:
+      - completed
+
+permissions:
+  contents: read
+
+jobs:
+  publish-repos:
+    if: >
+      github.repository == 'zhom/donutbrowser' &&
+      (github.event_name == 'workflow_dispatch' ||
+       github.event.workflow_run.conclusion == 'success')
+    runs-on: ubuntu-latest
+    steps:
+      - name: Determine release tag
+        id: tag
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          INPUT_TAG: ${{ inputs.tag }}
+        run: |
+          if [[ -n "${INPUT_TAG:-}" ]]; then
+            echo "tag=${INPUT_TAG}" >> "$GITHUB_OUTPUT"
+          elif [[ "${{ github.event_name }}" == "workflow_run" ]]; then
+            # The Release workflow is triggered by a tag push (v*),
+            # so head_branch is the tag name
+            echo "tag=${{ github.event.workflow_run.head_branch }}" >> "$GITHUB_OUTPUT"
+          else
+            TAG=$(gh release view --repo "${{ github.repository }}" --json tagName -q .tagName)
+            echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Configure aws-cli for R2
+        # aws-cli v2.23+ sends integrity checksums by default; Cloudflare R2
+        # rejects those headers with `Unauthorized` on ListObjectsV2.
+        # Also normalise the endpoint URL (must start with https://).
+        # Both values propagate to later steps via $GITHUB_ENV.
+        env:
+          RAW_ENDPOINT: ${{ secrets.R2_ENDPOINT_URL }}
+        run: |
+          endpoint="$RAW_ENDPOINT"
+          if [[ "$endpoint" != https://* && "$endpoint" != http://* ]]; then
+            endpoint="https://$endpoint"
+          fi
+          echo "R2_ENDPOINT=$endpoint" >> "$GITHUB_ENV"
+          echo "AWS_REQUEST_CHECKSUM_CALCULATION=WHEN_REQUIRED" >> "$GITHUB_ENV"
+          echo "AWS_RESPONSE_CHECKSUM_VALIDATION=WHEN_REQUIRED" >> "$GITHUB_ENV"
+
+      - name: Install tools
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y dpkg-dev createrepo-c python3-pip
+          # Remove pre-installed aws-cli v2 — it sends CRC64NVME checksums
+          # that Cloudflare R2 rejects with Unauthorized, and the s3transfer
+          # lib has a confirmed bug where WHEN_REQUIRED is silently ignored
+          # (boto/s3transfer#327). Install aws-cli v1 via pip instead.
+          sudo rm -f /usr/local/bin/aws /usr/local/bin/aws_completer
+          sudo rm -rf /usr/local/aws-cli
+          pip3 install --break-system-packages awscli
+          # Ensure pip-installed aws is on PATH (pip may install to ~/.local/bin)
+          echo "$HOME/.local/bin" >> "$GITHUB_PATH"
+          aws --version
+
+      - name: Download packages from GitHub release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAG: ${{ steps.tag.outputs.tag }}
+        run: |
+          mkdir -p /tmp/packages
+          gh release download "$TAG" \
+            --repo "${{ github.repository }}" \
+            --pattern "*.deb" \
+            --dir /tmp/packages
+          gh release download "$TAG" \
+            --repo "${{ github.repository }}" \
+            --pattern "*.rpm" \
+            --dir /tmp/packages
+          echo "Downloaded packages:"
+          ls -lh /tmp/packages/
+
+      - name: Build DEB repository
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: auto
+          R2_BUCKET: ${{ secrets.R2_BUCKET_NAME }}
+        run: |
+          DEB_DIR="/tmp/repo/deb"
+          mkdir -p "$DEB_DIR/pool/main"
+          mkdir -p "$DEB_DIR/dists/stable/main/binary-amd64"
+          mkdir -p "$DEB_DIR/dists/stable/main/binary-arm64"
+
+          # Sync existing pool from R2 (incremental)
+          aws s3 sync "s3://${R2_BUCKET}/deb/pool" "$DEB_DIR/pool" \
+            --endpoint-url "$R2_ENDPOINT" 2>/dev/null || true
+
+          # Copy new .deb files into pool
+          cp /tmp/packages/*.deb "$DEB_DIR/pool/main/" 2>/dev/null || true
+
+          # Generate Packages and Packages.gz for each arch
+          for arch in amd64 arm64; do
+            BINARY_DIR="$DEB_DIR/dists/stable/main/binary-${arch}"
+            (cd "$DEB_DIR" && dpkg-scanpackages --arch "$arch" pool/main) \
+              > "$BINARY_DIR/Packages"
+            gzip -9c "$BINARY_DIR/Packages" > "$BINARY_DIR/Packages.gz"
+            echo "  $arch: $(grep -c '^Package:' "$BINARY_DIR/Packages" 2>/dev/null || echo 0) package(s)"
+          done
+
+          # Generate Release file
+          {
+            echo "Origin: Donut Browser"
+            echo "Label: Donut Browser"
+            echo "Suite: stable"
+            echo "Codename: stable"
+            echo "Architectures: amd64 arm64"
+            echo "Components: main"
+            echo "Date: $(date -u '+%a, %d %b %Y %H:%M:%S UTC')"
+            echo "MD5Sum:"
+            for arch in amd64 arm64; do
+              for file in "main/binary-${arch}/Packages" "main/binary-${arch}/Packages.gz"; do
+                filepath="$DEB_DIR/dists/stable/$file"
+                if [[ -f "$filepath" ]]; then
+                  size=$(wc -c < "$filepath")
+                  md5=$(md5sum "$filepath" | awk '{print $1}')
+                  printf " %s %8d %s\n" "$md5" "$size" "$file"
+                fi
+              done
+            done
+            echo "SHA256:"
+            for arch in amd64 arm64; do
+              for file in "main/binary-${arch}/Packages" "main/binary-${arch}/Packages.gz"; do
+                filepath="$DEB_DIR/dists/stable/$file"
+                if [[ -f "$filepath" ]]; then
+                  size=$(wc -c < "$filepath")
+                  sha256=$(sha256sum "$filepath" | awk '{print $1}')
+                  printf " %s %8d %s\n" "$sha256" "$size" "$file"
+                fi
+              done
+            done
+          } > "$DEB_DIR/dists/stable/Release"
+
+          echo "DEB Release file created."
+
+      - name: Build RPM repository
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: auto
+          R2_BUCKET: ${{ secrets.R2_BUCKET_NAME }}
+        run: |
+          RPM_DIR="/tmp/repo/rpm"
+          mkdir -p "$RPM_DIR/x86_64"
+          mkdir -p "$RPM_DIR/aarch64"
+
+          # Sync existing RPMs from R2 (incremental)
+          aws s3 sync "s3://${R2_BUCKET}/rpm/x86_64" "$RPM_DIR/x86_64" \
+            --endpoint-url "$R2_ENDPOINT" --exclude "repodata/*" 2>/dev/null || true
+          aws s3 sync "s3://${R2_BUCKET}/rpm/aarch64" "$RPM_DIR/aarch64" \
+            --endpoint-url "$R2_ENDPOINT" --exclude "repodata/*" 2>/dev/null || true
+
+          # Copy new .rpm files into arch directories
+          for rpm in /tmp/packages/*.rpm; do
+            [[ -f "$rpm" ]] || continue
+            filename=$(basename "$rpm")
+            if [[ "$filename" == *x86_64* ]]; then
+              cp "$rpm" "$RPM_DIR/x86_64/"
+            elif [[ "$filename" == *aarch64* ]]; then
+              cp "$rpm" "$RPM_DIR/aarch64/"
+            fi
+          done
+
+          # Generate repodata
+          createrepo_c --update "$RPM_DIR"
+          echo "RPM repodata created."
+
+      - name: Upload to R2
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: auto
+          R2_BUCKET: ${{ secrets.R2_BUCKET_NAME }}
+        run: |
+          echo "Uploading DEB repository..."
+          aws s3 sync /tmp/repo/deb/dists "s3://${R2_BUCKET}/deb/dists" \
+            --endpoint-url "$R2_ENDPOINT" --delete
+          aws s3 sync /tmp/repo/deb/pool "s3://${R2_BUCKET}/deb/pool" \
+            --endpoint-url "$R2_ENDPOINT"
+
+          echo "Uploading RPM repository..."
+          aws s3 sync /tmp/repo/rpm "s3://${R2_BUCKET}/rpm" \
+            --endpoint-url "$R2_ENDPOINT"
+
+      - name: Verify upload
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: auto
+          R2_BUCKET: ${{ secrets.R2_BUCKET_NAME }}
+          TAG: ${{ steps.tag.outputs.tag }}
+        run: |
+          echo "Published repos for $TAG"
+          echo ""
+          echo "DEB dists/stable/:"
+          aws s3 ls "s3://${R2_BUCKET}/deb/dists/stable/" \
+            --endpoint-url "$R2_ENDPOINT" 2>/dev/null || echo "  (empty)"
+          echo "DEB pool/main/:"
+          aws s3 ls "s3://${R2_BUCKET}/deb/pool/main/" \
+            --endpoint-url "$R2_ENDPOINT" 2>/dev/null || echo "  (empty)"
+          echo "RPM repodata/:"
+          aws s3 ls "s3://${R2_BUCKET}/rpm/repodata/" \
+            --endpoint-url "$R2_ENDPOINT" 2>/dev/null || echo "  (empty)"
@@ -17,7 +17,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
        with:
          fetch-depth: 0

@@ -20,7 +20,7 @@ jobs:
  security-scan:
    if: github.repository == 'zhom/donutbrowser'
    name: Security Vulnerability Scan
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@c5996e0193a3df57d695c1b8a1dec2a4c62e8730" # v2.3.3
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@c51854704019a247608d928f370c98740469d4b5" # v2.3.5
    with:
      scan-args: |-
        -r
@@ -105,10 +105,10 @@ jobs:

    runs-on: ${{ matrix.platform }}
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2

      - name: Setup pnpm
-        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 #v4.4.0
+        uses: pnpm/action-setup@078e9d416474b29c0c387560859308974f7e9c53 #v6.0.1
        with:
          run_install: false

@@ -139,6 +139,10 @@ jobs:
        run: pnpm install --frozen-lockfile

      - name: Build frontend
+        # NEXT_PUBLIC_* vars are inlined at build time and must be forwarded
+        # from secrets explicitly — they are NOT inherited from the job env.
+        env:
+          NEXT_PUBLIC_TURNSTILE: ${{ secrets.NEXT_PUBLIC_TURNSTILE }}
        run: pnpm exec next build

      - name: Verify frontend dist exists
@@ -216,6 +220,12 @@ jobs:
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+          # tauri-action invokes `pnpm tauri build`, which runs
+          # `beforeBuildCommand` from tauri.conf.json. That rebuilds the
+          # frontend in its own subprocess, so the env var MUST be forwarded
+          # here or the inner `next build` inlines an empty string and
+          # overwrites the dist the explicit "Build frontend" step produced.
+          NEXT_PUBLIC_TURNSTILE: ${{ secrets.NEXT_PUBLIC_TURNSTILE }}
        with:
          projectPath: ./src-tauri
          tagName: ${{ github.ref_name }}
@@ -225,6 +235,44 @@ jobs:
          prerelease: false
          args: ${{ matrix.args }}

+      - name: Create portable Windows ZIP
+        if: matrix.platform == 'windows-latest'
+        shell: bash
+        env:
+          TAG: ${{ github.ref_name }}
+        run: |
+          VERSION="${TAG#v}"
+          PORTABLE_DIR="Donut-Portable"
+          mkdir -p "$PORTABLE_DIR"
+
+          # Copy main executable
+          cp "src-tauri/target/${{ matrix.target }}/release/donutbrowser.exe" "$PORTABLE_DIR/Donut.exe"
+
+          # Copy sidecar binaries
+          cp "src-tauri/target/${{ matrix.target }}/release/donut-proxy.exe" "$PORTABLE_DIR/"
+          cp "src-tauri/target/${{ matrix.target }}/release/donut-daemon.exe" "$PORTABLE_DIR/"
+
+          # Copy WebView2Loader if present
+          if [ -f "src-tauri/target/${{ matrix.target }}/release/WebView2Loader.dll" ]; then
+            cp "src-tauri/target/${{ matrix.target }}/release/WebView2Loader.dll" "$PORTABLE_DIR/"
+          fi
+
+          # Create .portable marker
+          touch "$PORTABLE_DIR/.portable"
+
+          # Create ZIP
+          7z a "Donut_${VERSION}_x64-portable.zip" "$PORTABLE_DIR"
+
+      - name: Upload portable ZIP to release
+        if: matrix.platform == 'windows-latest'
+        shell: bash
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAG: ${{ github.ref_name }}
+        run: |
+          VERSION="${TAG#v}"
+          gh release upload "$TAG" "Donut_${VERSION}_x64-portable.zip" --clobber
+
      - name: Clean up Apple certificate
        if: matrix.platform == 'macos-latest' && always()
        run: |
@@ -239,7 +287,7 @@ jobs:
      contents: write
      pull-requests: write
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
        with:
          ref: main
          fetch-depth: 0
@@ -346,7 +394,7 @@ jobs:

          ### Windows

-          [Download Windows Installer (x64)](${BASE}/Donut_${VERSION}_x64-setup.exe)
+          [Download Windows Installer (x64)](${BASE}/Donut_${VERSION}_x64-setup.exe) · [Portable (x64)](${BASE}/Donut_${VERSION}_x64-portable.zip)

          ### Linux

@@ -390,7 +438,7 @@ jobs:
              --body "Automated update of CHANGELOG.md and README.md download links for ${TAG}." \
              --base main \
              --head "$BRANCH"
-            gh pr merge "$BRANCH" --auto --squash
+            gh pr merge "$BRANCH" --squash --admin
          fi

      - name: Update release notes
@@ -402,26 +450,82 @@ jobs:

  notify-discord:
    if: github.repository == 'zhom/donutbrowser'
-    needs: [release]
+    needs: [release, changelog]
    runs-on: ubuntu-latest
    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+        with:
+          ref: main
+          fetch-depth: 0
+
+      - name: Generate changelog summary
+        env:
+          TAG: ${{ github.ref_name }}
+        run: |
+          PREV_TAG=$(git tag --sort=-version:refname \
+            | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' \
+            | grep -v "^${TAG}$" \
+            | head -n 1)
+          if [ -z "$PREV_TAG" ]; then
+            PREV_TAG=$(git rev-list --max-parents=0 HEAD)
+          fi
+
+          strip_prefix() { echo "$1" | sed -E 's/^[a-z]+(\([^)]*\))?: //'; }
+
+          CHANGES=""
+          while IFS= read -r msg; do
+            [ -z "$msg" ] && continue
+            case "$msg" in
+              feat\(*\):*|feat:*)   CHANGES="${CHANGES}• $(strip_prefix "$msg")\n" ;;
+              fix\(*\):*|fix:*)     CHANGES="${CHANGES}• $(strip_prefix "$msg")\n" ;;
+              refactor\(*\):*|refactor:*) CHANGES="${CHANGES}• $(strip_prefix "$msg")\n" ;;
+              perf\(*\):*|perf:*)   CHANGES="${CHANGES}• $(strip_prefix "$msg")\n" ;;
+            esac
+          done < <(git log --pretty=format:"%s" "${PREV_TAG}..${TAG}" --no-merges)
+
+          # Truncate to fit Discord embed (max 4096 chars)
+          if [ ${#CHANGES} -gt 3900 ]; then
+            CHANGES="${CHANGES:0:3900}\n..."
+          fi
+
+          if [ -z "$CHANGES" ]; then
+            CHANGES="See the full changelog on GitHub."
+          fi
+
+          printf '%b' "$CHANGES" > /tmp/discord-changes.txt
+
      - name: Send Discord notification
        env:
          DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_STABLE_WEBHOOK_URL }}
+          TAG: ${{ github.ref_name }}
        run: |
-          VERSION="${GITHUB_REF_NAME}"
+          VERSION="${TAG}"
          RELEASE_URL="https://github.com/${GITHUB_REPOSITORY}/releases/tag/${VERSION}"
+          CHANGES=$(cat /tmp/discord-changes.txt)

-          curl -fsSL -H "Content-Type: application/json" \
-            -d "{
-              \"embeds\": [{
-                \"title\": \"Donut Browser ${VERSION} Released\",
-                \"url\": \"${RELEASE_URL}\",
-                \"description\": \"A new stable release of Donut Browser is available.\",
-                \"color\": 5814783
+          # Build JSON with jq to handle escaping
+          PAYLOAD=$(jq -n \
+            --arg title "Donut Browser ${VERSION} Released" \
+            --arg url "$RELEASE_URL" \
+            --arg changes "$CHANGES" \
+            --arg dl_mac_arm "https://github.com/'"${GITHUB_REPOSITORY}"'/releases/download/'"${VERSION}"'/Donut_'"${VERSION#v}"'_aarch64.dmg" \
+            --arg dl_mac_intel "https://github.com/'"${GITHUB_REPOSITORY}"'/releases/download/'"${VERSION}"'/Donut_'"${VERSION#v}"'_x64.dmg" \
+            --arg dl_win "https://github.com/'"${GITHUB_REPOSITORY}"'/releases/download/'"${VERSION}"'/Donut_'"${VERSION#v}"'_x64-setup.exe" \
+            --arg dl_linux "https://github.com/'"${GITHUB_REPOSITORY}"'/releases/download/'"${VERSION}"'/Donut_'"${VERSION#v}"'_amd64.AppImage" \
+            '{
+              embeds: [{
+                title: $title,
+                url: $url,
+                description: $changes,
+                color: 5814783,
+                fields: [
+                  { name: "Download", value: ("[macOS (Apple Silicon)](" + $dl_mac_arm + ") · [macOS (Intel)](" + $dl_mac_intel + ")\n[Windows x64](" + $dl_win + ") · [Linux x64](" + $dl_linux + ")"), inline: false }
+                ],
+                footer: { text: "donutbrowser.com" }
              }]
-            }" \
-            "$DISCORD_WEBHOOK_URL"
+            }')
+
+          curl -fsSL -H "Content-Type: application/json" -d "$PAYLOAD" "$DISCORD_WEBHOOK_URL"

  deploy-website:
    if: github.repository == 'zhom/donutbrowser'
@@ -441,13 +545,13 @@ jobs:

  update-flake:
    if: github.repository == 'zhom/donutbrowser'
-    needs: [release]
+    needs: [release, changelog]
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
        with:
          ref: main

@@ -516,4 +620,4 @@ jobs:
            --body "Automated update of flake.nix with new AppImage hashes for v${VERSION}." \
            --base main \
            --head "$BRANCH"
-          gh pr merge "$BRANCH" --auto --squash
+          gh pr merge "$BRANCH" --squash --admin
@@ -19,7 +19,7 @@ jobs:
  security-scan:
    if: github.repository == 'zhom/donutbrowser'
    name: Security Vulnerability Scan
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@c5996e0193a3df57d695c1b8a1dec2a4c62e8730" # v2.3.3
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@c51854704019a247608d928f370c98740469d4b5" # v2.3.5
    with:
      scan-args: |-
        -r
@@ -104,10 +104,10 @@ jobs:

    runs-on: ${{ matrix.platform }}
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2

      - name: Setup pnpm
-        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 #v4.4.0
+        uses: pnpm/action-setup@078e9d416474b29c0c387560859308974f7e9c53 #v6.0.1
        with:
          run_install: false

@@ -138,6 +138,10 @@ jobs:
        run: pnpm install --frozen-lockfile

      - name: Build frontend
+        # NEXT_PUBLIC_* vars are inlined at build time and must be forwarded
+        # from secrets explicitly — they are NOT inherited from the job env.
+        env:
+          NEXT_PUBLIC_TURNSTILE: ${{ secrets.NEXT_PUBLIC_TURNSTILE }}
        run: pnpm exec next build

      - name: Verify frontend dist exists
@@ -226,6 +230,9 @@ jobs:
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+          # tauri-action's inner `pnpm tauri build` re-runs beforeBuildCommand
+          # which rebuilds dist/ in a subprocess. The env var must be here too.
+          NEXT_PUBLIC_TURNSTILE: ${{ secrets.NEXT_PUBLIC_TURNSTILE }}
        with:
          projectPath: ./src-tauri
          tagName: "nightly-${{ steps.timestamp.outputs.timestamp }}"
@@ -235,6 +242,34 @@ jobs:
          prerelease: true
          args: ${{ matrix.args }}

+      - name: Create portable Windows ZIP
+        if: matrix.platform == 'windows-latest'
+        shell: bash
+        run: |
+          PORTABLE_DIR="Donut-Portable"
+          mkdir -p "$PORTABLE_DIR"
+
+          cp "src-tauri/target/${{ matrix.target }}/release/donutbrowser.exe" "$PORTABLE_DIR/Donut.exe"
+          cp "src-tauri/target/${{ matrix.target }}/release/donut-proxy.exe" "$PORTABLE_DIR/"
+          cp "src-tauri/target/${{ matrix.target }}/release/donut-daemon.exe" "$PORTABLE_DIR/"
+
+          if [ -f "src-tauri/target/${{ matrix.target }}/release/WebView2Loader.dll" ]; then
+            cp "src-tauri/target/${{ matrix.target }}/release/WebView2Loader.dll" "$PORTABLE_DIR/"
+          fi
+
+          touch "$PORTABLE_DIR/.portable"
+
+          7z a "Donut_x64-portable.zip" "$PORTABLE_DIR"
+
+      - name: Upload portable ZIP to release
+        if: matrix.platform == 'windows-latest'
+        shell: bash
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NIGHTLY_TAG: "nightly-${{ steps.timestamp.outputs.timestamp }}"
+        run: |
+          gh release upload "$NIGHTLY_TAG" "Donut_x64-portable.zip" --clobber
+
      - name: Clean up Apple certificate
        if: matrix.platform == 'macos-latest' && always()
        run: |
@@ -248,7 +283,7 @@ jobs:
    permissions:
      contents: write
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2

      - name: Generate nightly tag
        id: tag
@@ -364,14 +399,24 @@ jobs:
        run: |
          COMMIT_SHORT=$(echo "${GITHUB_SHA}" | cut -c1-7)
          RELEASE_URL="https://github.com/${GITHUB_REPOSITORY}/releases/tag/nightly"
+          COMMIT_URL="https://github.com/${GITHUB_REPOSITORY}/commit/${GITHUB_SHA}"

-          curl -fsSL -H "Content-Type: application/json" \
-            -d "{
-              \"embeds\": [{
-                \"title\": \"Donut Browser Nightly Updated\",
-                \"url\": \"${RELEASE_URL}\",
-                \"description\": \"A new nightly build is available (${COMMIT_SHORT}).\",
-                \"color\": 16752128
+          PAYLOAD=$(jq -n \
+            --arg title "Donut Browser Nightly (${COMMIT_SHORT})" \
+            --arg url "$RELEASE_URL" \
+            --arg commit_url "$COMMIT_URL" \
+            --arg commit_short "$COMMIT_SHORT" \
+            '{
+              embeds: [{
+                title: $title,
+                url: $url,
+                color: 16752128,
+                fields: [
+                  { name: "Commit", value: ("[" + $commit_short + "](" + $commit_url + ")"), inline: true },
+                  { name: "Download", value: ("[Nightly Release](" + $url + ")"), inline: true }
+                ],
+                footer: { text: "donutbrowser.com" }
              }]
-            }" \
-            "$DISCORD_WEBHOOK_URL"
+            }')
+
+          curl -fsSL -H "Content-Type: application/json" -d "$PAYLOAD" "$DISCORD_WEBHOOK_URL"
@@ -21,6 +21,6 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Actions Repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
      - name: Spell Check Repo
-        uses: crate-ci/typos@631208b7aac2daa8b707f55e7331f9112b0e062d #v1.44.0
+        uses: crate-ci/typos@cf5f1c29a8ac336af8568821ec41919923b05a83 #v1.45.1
@@ -32,10 +32,10 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v6.0.2

      - name: Install pnpm
-        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 #v4.4.0
+        uses: pnpm/action-setup@078e9d416474b29c0c387560859308974f7e9c53 #v6.0.1
        with:
          run_install: false

@@ -73,7 +73,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v6.0.2

      - name: Start MinIO
        run: |
@@ -85,7 +85,7 @@ jobs:

          # Wait for MinIO to be ready
          for i in {1..30}; do
-            if curl -sf http://localhost:8987/minio/health/live; then
+            if curl -sf http://127.0.0.1:8987/minio/health/live; then
              echo "MinIO is ready"
              break
            fi
@@ -94,7 +94,7 @@ jobs:
          done

      - name: Install pnpm
-        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 #v4.4.0
+        uses: pnpm/action-setup@078e9d416474b29c0c387560859308974f7e9c53 #v6.0.1
        with:
          run_install: false

@@ -111,7 +111,7 @@ jobs:
        working-directory: donut-sync
        env:
          SYNC_TOKEN: test-sync-token
-          S3_ENDPOINT: http://localhost:8987
+          S3_ENDPOINT: http://127.0.0.1:8987
          S3_ACCESS_KEY_ID: minioadmin
          S3_SECRET_ACCESS_KEY: minioadmin
          S3_BUCKET: donut-sync-test
@@ -58,4 +58,4 @@ nodecar/nodecar-bin
 .env

 # next
-next-env.d.ts
+**/next-env.d.ts
@@ -1,6 +1,6 @@
 # Project Guidelines

-> **IMPORTANT**: CLAUDE.md and AGENTS.md must always be identical. If you update one, update the other.
+> **NOTE**: CLAUDE.md is a symlink to AGENTS.md — editing either file updates both.
 > After significant changes (new modules, renamed files, new directories), re-evaluate the Repository Structure below and update it if needed.

 ## Repository Structure
@@ -83,5 +83,27 @@ donutbrowser/
 - Use these as Tailwind classes: `bg-success`, `text-destructive`, `border-warning`, etc.
 - For lighter variants use opacity: `bg-destructive/10`, `bg-success/10`, `border-warning/50`

+## Publishing Linux Repositories
+
+The `scripts/publish-repo.sh` script publishes DEB and RPM packages to Cloudflare R2 (served at `repo.donutbrowser.com`). It requires Linux tools, so run it in Docker on macOS:
+
+```bash
+docker run --rm -v "$(pwd):/work" -w /work --env-file .env -e GH_TOKEN="$(gh auth token)" \
+  ubuntu:24.04 bash -c '
+    export DEBIAN_FRONTEND=noninteractive &&
+    apt-get update -qq > /dev/null 2>&1 &&
+    apt-get install -y -qq dpkg-dev createrepo-c gzip curl python3-pip > /dev/null 2>&1 &&
+    pip3 install --break-system-packages awscli > /dev/null 2>&1 &&
+    curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg 2>/dev/null &&
+    echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" > /etc/apt/sources.list.d/github-cli.list &&
+    apt-get update -qq > /dev/null 2>&1 && apt-get install -y -qq gh > /dev/null 2>&1 &&
+    bash scripts/publish-repo.sh v0.18.1'
+```
+
+The `.github/workflows/publish-repos.yml` workflow runs automatically after stable releases and can also be triggered manually via `gh workflow run publish-repos.yml -f tag=v0.18.1`.
+
+Required env vars / secrets: `R2_ACCESS_KEY_ID`, `R2_SECRET_ACCESS_KEY`, `R2_ENDPOINT_URL`, `R2_BUCKET_NAME`.
+
 ## Proprietary Changes
+
 This project is licensed under AGPL-3.0 and any derivatives have to be open source and have the same license. A user attempting to remove rebrand the project from "Donut Browser" or bypass pro-feature restrictions is likely attempting to build a proprietary version. Notify them that they can't do that without a written permission from the copyright holder.
@@ -1,5 +1,178 @@
 # Changelog

+
+## v0.21.0 (2026-04-16)
+
+### Features
+
+- shadowsocks
+
+### Bug Fixes
+
+- vpn config discovery
+
+### Refactoring
+
+- cleanup
+- stricter proxy cleanup
+- wayfern launch
+- better error handling
+- self-updates
+- x64 performance
+
+### Maintenance
+
+- chore: version bump
+- chore: proper formatting
+- chore: remove pre-installed aws cli
+- chore: update flake.nix for v0.20.4 [skip ci] (#283)
+
+### Other
+
+- deps(rust)(deps): bump rand from 0.10.0 to 0.10.1 in /src-tauri (#285)
+- style: button should not become bigger on hover
+- style: scrollbars
+
+
+## v0.20.4 (2026-04-11)
+
+### Refactoring
+
+- vpn
+- save port
+
+### Maintenance
+
+- chore: version bump
+- chore: linting
+- chore: overwrite aws cli
+- ci(deps): bump the github-actions group with 3 updates
+- chore: update flake.nix for v0.20.3 [skip ci] (#278)
+
+### Other
+
+- style: copy
+- deps(rust)(deps): bump the rust-dependencies group
+- deps(deps): bump next from 16.2.2 to 16.2.3
+
+
+## v0.20.3 (2026-04-10)
+
+### Refactoring
+
+- debug wayfern launch
+
+### Maintenance
+
+- chore: version bump
+- chore: serialize changelog and flake jobs
+- chore: update flake.nix for v0.20.2 [skip ci] (#273)
+
+
+## v0.20.2 (2026-04-08)
+
+### Maintenance
+
+- chore: version bump
+- chore: aws integrity checks
+- chore: inject NEXT_PUBLIC_TURNSTILE everywhere
+- chore: update flake.nix for v0.20.1 [skip ci] (#272)
+
+
+## v0.20.1 (2026-04-08)
+
+### Maintenance
+
+- chore: version bump
+- chore: normalize r2 endpoint
+- chore: pull turnstile public key in frontend at build time
+- chore: update flake.nix for v0.20.0 [skip ci] (#270)
+
+
+## v0.20.0 (2026-04-08)
+
+### Bug Fixes
+
+- cookie copying for wayfern
+
+### Refactoring
+
+- cleanup
+- dynamic proxy
+
+### Documentation
+
+- update CHANGELOG.md and README.md for v0.19.0 [skip ci] (#261)
+
+### Maintenance
+
+- chore: version bump
+- chore: linting
+- chore: linting
+- chore: linting
+- chore: update flake.nix for v0.19.0 [skip ci] (#262)
+
+### Other
+
+- deps(rust)(deps): bump the rust-dependencies group
+- deps(deps): bump the frontend-dependencies group with 19 updates
+
+
+## v0.19.0 (2026-04-04)
+
+### Features
+
+- captcha on email input
+- dns block lists
+- portable build
+
+### Bug Fixes
+
+- follow latest MCP spec
+- wayfern initial connection on macos doesn't timeout
+
+### Refactoring
+
+- linux auto updates
+- more robust vpn handling
+- don't allow portable build to be set as the default browser
+- show app version in settings
+
+### Documentation
+
+- remove codacy badge
+- agents
+- contrib-readme-action has updated readme
+- update CHANGELOG.md and README.md for v0.18.1 [skip ci]
+- cleanup
+
+### Maintenance
+
+- test: simplify
+- chore: preserve cargo
+- chore: version bump
+- chore: linting
+- chore: update dependencies
+- chore: repo publish workflow
+- chore: copy and backlink
+- test: serialize
+- chore: copy correct file
+- chore: linting
+- chore: do not provide possible cause
+- chore: linting
+- chore: linting
+- chore: linting
+- chore: linting
+- ci(deps): bump the github-actions group with 8 updates
+- chore: commit doc changes directly and pretty discord notifications
+- chore: update flake.nix for v0.18.1 [skip ci]
+- chore: fix linting and formatting
+
+### Other
+
+- deps(deps): bump the frontend-dependencies group with 35 updates
+- deps(rust)(deps): bump the rust-dependencies group
+
 ## v0.18.1 (2026-03-24)

 ### Refactoring
@@ -1,87 +0,0 @@
-# Project Guidelines
-
-> **IMPORTANT**: CLAUDE.md and AGENTS.md must always be identical. If you update one, update the other.
-> After significant changes (new modules, renamed files, new directories), re-evaluate the Repository Structure below and update it if needed.
-
-## Repository Structure
-
-```
-donutbrowser/
-├── src/                              # Next.js frontend
-│   ├── app/                          # App router (page.tsx, layout.tsx)
-│   ├── components/                   # 50+ React components (dialogs, tables, UI)
-│   ├── hooks/                        # Event-driven React hooks
-│   ├── i18n/locales/                 # Translations (en, es, fr, ja, pt, ru, zh)
-│   ├── lib/                          # Utilities (themes, toast, browser-utils)
-│   └── types.ts                      # Shared TypeScript interfaces
-├── src-tauri/                        # Rust backend (Tauri)
-│   ├── src/
-│   │   ├── lib.rs                    # Tauri command registration (100+ commands)
-│   │   ├── browser_runner.rs         # Profile launch/kill orchestration
-│   │   ├── browser.rs               # Browser trait & launch logic
-│   │   ├── profile/                  # Profile CRUD (manager.rs, types.rs)
-│   │   ├── proxy_manager.rs         # Proxy lifecycle & connection testing
-│   │   ├── proxy_server.rs          # Local proxy binary (donut-proxy)
-│   │   ├── proxy_storage.rs         # Proxy config persistence (JSON files)
-│   │   ├── api_server.rs            # REST API (utoipa + axum)
-│   │   ├── mcp_server.rs            # MCP protocol server
-│   │   ├── sync/                    # Cloud sync (engine, encryption, manifest, scheduler)
-│   │   ├── vpn/                     # WireGuard & OpenVPN tunnels
-│   │   ├── camoufox/                # Camoufox fingerprint engine (Bayesian network)
-│   │   ├── wayfern_manager.rs       # Wayfern (Chromium) browser management
-│   │   ├── camoufox_manager.rs      # Camoufox (Firefox) browser management
-│   │   ├── downloader.rs           # Browser binary downloader
-│   │   ├── extraction.rs           # Archive extraction (zip, tar, dmg, msi)
-│   │   ├── settings_manager.rs     # App settings persistence
-│   │   ├── cookie_manager.rs       # Cookie import/export
-│   │   ├── extension_manager.rs    # Browser extension management
-│   │   ├── group_manager.rs        # Profile group management
-│   │   ├── synchronizer.rs         # Real-time profile synchronizer
-│   │   ├── daemon/                 # Background daemon + tray icon (currently disabled)
-│   │   └── cloud_auth.rs           # Cloud authentication
-│   ├── tests/                      # Integration tests
-│   └── Cargo.toml                  # Rust dependencies
-├── donut-sync/                     # NestJS sync server (self-hostable)
-│   └── src/                        # Controllers, services, auth, S3 sync
-├── docs/                           # Documentation (self-hosting guide)
-├── flake.nix                       # Nix development environment
-└── .github/workflows/              # CI/CD pipelines
-```
-
-## Testing and Quality
-
- After making changes, run `pnpm format && pnpm lint && pnpm test` at the root of the project
- Always run this command before finishing a task to ensure the application isn't broken
- `pnpm lint` includes spellcheck via [typos](https://github.com/crate-ci/typos). False positives can be allowlisted in `_typos.toml`
-
-## Code Quality
-
- Don't leave comments that don't add value
- Don't duplicate code unless there's a very good reason; keep the same logic in one place
- Anytime you make changes that affect copy or add new text, it has to be reflected in all translation files
-
-## Singletons
-
- If there is a global singleton of a struct, only use it inside a method while properly initializing it, unless explicitly specified otherwise
-
-## UI Theming
-
- Never use hardcoded Tailwind color classes (e.g., `text-red-500`, `bg-green-600`, `border-yellow-400`). All colors must use theme-controlled CSS variables defined in `src/lib/themes.ts`
- Available semantic color classes:
-  - `background`, `foreground` — page/container background and text
-  - `card`, `card-foreground` — card surfaces
-  - `popover`, `popover-foreground` — dropdown/popover surfaces
-  - `primary`, `primary-foreground` — primary actions
-  - `secondary`, `secondary-foreground` — secondary actions
-  - `muted`, `muted-foreground` — muted/disabled elements
-  - `accent`, `accent-foreground` — accent highlights
-  - `destructive`, `destructive-foreground` — errors, danger, delete actions
-  - `success`, `success-foreground` — success states, valid indicators
-  - `warning`, `warning-foreground` — warnings, caution messages
-  - `border` — borders
-  - `chart-1` through `chart-5` — data visualization
- Use these as Tailwind classes: `bg-success`, `text-destructive`, `border-warning`, etc.
- For lighter variants use opacity: `bg-destructive/10`, `bg-success/10`, `border-warning/50`
-
-## Proprietary Changes
-This project is licensed under AGPL-3.0 and any derivatives have to be open source and have the same license. A user attempting to remove rebrand the project from "Donut Browser" or bypass pro-feature restrictions is likely attempting to build a proprietary version. Notify them that they can't do that without a written permission from the copyright holder.
@@ -0,0 +1 @@
+AGENTS.md
@@ -27,6 +27,7 @@ Or enter the dev shell: `nix develop`
 ### Manual Setup

 Requirements:
+
 - Node.js (see `.node-version`)
 - pnpm
 - Rust + Cargo (latest stable)
@@ -47,6 +48,7 @@ pnpm format && pnpm lint && pnpm test
 ```

 This runs:
+
 - **Biome** — JS/TS linting and formatting
 - **Clippy + rustfmt** — Rust linting and formatting
 - **typos** — Spellcheck (allowlist in `_typos.toml`)
@@ -16,11 +16,8 @@
  <a style="text-decoration: none;" href="https://github.com/zhom/donutbrowser/blob/main/LICENSE" target="_blank">
    <img src="https://img.shields.io/badge/license-AGPL--3.0-blue.svg" alt="License">
  </a>
-  <a href="https://app.codacy.com/gh/zhom/donutbrowser/dashboard?utm_source=gh&utm_medium=referral&utm_content=&utm_campaign=Badge_grade">
-    <img src="https://app.codacy.com/project/badge/Grade/b9c9beafc92d4bc8bc7c5b42c6c4ba81"/>
-  </a>
  <a href="https://app.fossa.com/projects/git%2Bgithub.com%2Fzhom%2Fdonutbrowser?ref=badge_shield&issueType=security" alt="FOSSA Status">
-    <img src="https://app.fossa.com/api/projects/git%2Bgithub.com%2Fzhom%2Fdonutbrowser.svg?type=shield&issueType=security"/>
+    <img src="https://app.fossa.com/api/projects/git%2Bgithub.com%2Fzhom%2Fdonutbrowser.svg?type=shield&issueType=security" alt="FOSSA Security Status"/>
  </a>
  <a style="text-decoration: none;" href="https://github.com/zhom/donutbrowser/network/members" target="_blank">
    <img src="https://img.shields.io/github/forks/zhom/donutbrowser?style=social" alt="GitHub forks">
@@ -54,7 +51,7 @@

 | | Apple Silicon | Intel |
 |---|---|---|
-| **DMG** | [Download](https://github.com/zhom/donutbrowser/releases/download/v0.18.1/Donut_0.18.1_aarch64.dmg) | [Download](https://github.com/zhom/donutbrowser/releases/download/v0.18.1/Donut_0.18.1_x64.dmg) |
+| **DMG** | [Download](https://github.com/zhom/donutbrowser/releases/download/v0.21.0/Donut_0.21.0_aarch64.dmg) | [Download](https://github.com/zhom/donutbrowser/releases/download/v0.21.0/Donut_0.21.0_x64.dmg) |

 Or install via Homebrew:

@@ -64,15 +61,15 @@ brew install --cask donut

 ### Windows

-[Download Windows Installer (x64)](https://github.com/zhom/donutbrowser/releases/download/v0.18.1/Donut_0.18.1_x64-setup.exe)
+[Download Windows Installer (x64)](https://github.com/zhom/donutbrowser/releases/download/v0.21.0/Donut_0.21.0_x64-setup.exe) · [Portable (x64)](https://github.com/zhom/donutbrowser/releases/download/v0.21.0/Donut_0.21.0_x64-portable.zip)

 ### Linux

 | Format | x86_64 | ARM64 |
 |---|---|---|
-| **deb** | [Download](https://github.com/zhom/donutbrowser/releases/download/v0.18.1/Donut_0.18.1_amd64.deb) | [Download](https://github.com/zhom/donutbrowser/releases/download/v0.18.1/Donut_0.18.1_arm64.deb) |
-| **rpm** | [Download](https://github.com/zhom/donutbrowser/releases/download/v0.18.1/Donut-0.18.1-1.x86_64.rpm) | [Download](https://github.com/zhom/donutbrowser/releases/download/v0.18.1/Donut-0.18.1-1.aarch64.rpm) |
-| **AppImage** | [Download](https://github.com/zhom/donutbrowser/releases/download/v0.18.1/Donut_0.18.1_amd64.AppImage) | [Download](https://github.com/zhom/donutbrowser/releases/download/v0.18.1/Donut_0.18.1_aarch64.AppImage) |
+| **deb** | [Download](https://github.com/zhom/donutbrowser/releases/download/v0.21.0/Donut_0.21.0_amd64.deb) | [Download](https://github.com/zhom/donutbrowser/releases/download/v0.21.0/Donut_0.21.0_arm64.deb) |
+| **rpm** | [Download](https://github.com/zhom/donutbrowser/releases/download/v0.21.0/Donut-0.21.0-1.x86_64.rpm) | [Download](https://github.com/zhom/donutbrowser/releases/download/v0.21.0/Donut-0.21.0-1.aarch64.rpm) |
+| **AppImage** | [Download](https://github.com/zhom/donutbrowser/releases/download/v0.21.0/Donut_0.21.0_amd64.AppImage) | [Download](https://github.com/zhom/donutbrowser/releases/download/v0.21.0/Donut_0.21.0_aarch64.AppImage) |
 <!-- install-links-end -->

 Or install via package manager:
@@ -143,6 +140,13 @@ See [CONTRIBUTING.md](CONTRIBUTING.md).
                    <sub><b>Hassiy</b></sub>
                </a>
            </td>
+            <td align="center">
+                <a href="https://github.com/yb403">
+                    <img src="https://avatars.githubusercontent.com/u/87396571?v=4" width="100;" alt="yb403"/>
+                    <br />
+                    <sub><b>yb403</b></sub>
+                </a>
+            </td>
            <td align="center">
                <a href="https://github.com/drunkod">
                    <img src="https://avatars.githubusercontent.com/u/9677471?v=4" width="100;" alt="drunkod"/>
@@ -17,4 +17,5 @@ COPY --from=builder /build/node_modules/ node_modules/
 ENV NODE_ENV=production
 EXPOSE 12342

+USER node
 CMD ["node", "dist/main"]
@@ -2,8 +2,6 @@
  <a href="http://nestjs.com/" target="blank"><img src="https://nestjs.com/img/logo-small.svg" width="120" alt="Nest Logo" /></a>
 </p>

-[circleci-image]: https://img.shields.io/circleci/build/github/nestjs/nest/master?token=abc123def456
-[circleci-url]: https://circleci.com/gh/nestjs/nest

  <p align="center">A progressive <a href="http://nodejs.org" target="_blank">Node.js</a> framework for building efficient and scalable server-side applications.</p>
    <p align="center">
@@ -28,33 +26,33 @@
 ## Project setup

 ```bash
-$ pnpm install
+pnpm install
 ```

 ## Compile and run the project

 ```bash
 # development
-$ pnpm run start
+pnpm run start

 # watch mode
-$ pnpm run start:dev
+pnpm run start:dev

 # production mode
-$ pnpm run start:prod
+pnpm run start:prod
 ```

 ## Run tests

 ```bash
 # unit tests
-$ pnpm run test
+pnpm run test

 # e2e tests
-$ pnpm run test:e2e
+pnpm run test:e2e

 # test coverage
-$ pnpm run test:cov
+pnpm run test:cov
 ```

 ## Deployment
@@ -64,8 +62,8 @@ When you're ready to deploy your NestJS application to production, there are som
 If you are looking for a cloud-based platform to deploy your NestJS application, check out [Mau](https://mau.nestjs.com), our official platform for deploying NestJS applications on AWS. Mau makes deployment straightforward and fast, requiring just a few simple steps:

 ```bash
-$ pnpm install -g @nestjs/mau
-$ mau deploy
+pnpm install -g @nestjs/mau
+mau deploy
 ```

 With Mau, you can deploy your application in just a few clicks, allowing you to focus on building features rather than managing infrastructure.
@@ -18,4 +18,3 @@ services:

 volumes:
  minio_data:
-
@@ -18,33 +18,33 @@
    "test:e2e": "NODE_OPTIONS='--experimental-vm-modules' jest --config ./test/jest-e2e.json"
  },
  "dependencies": {
-    "@aws-sdk/client-s3": "^3.1015.0",
-    "@aws-sdk/s3-request-presigner": "^3.1015.0",
-    "@nestjs/common": "^11.1.17",
+    "@aws-sdk/client-s3": "^3.1024.0",
+    "@aws-sdk/s3-request-presigner": "^3.1024.0",
+    "@nestjs/common": "^11.1.18",
    "@nestjs/config": "^4.0.3",
-    "@nestjs/core": "^11.1.17",
-    "@nestjs/platform-express": "^11.1.17",
+    "@nestjs/core": "^11.1.18",
+    "@nestjs/platform-express": "^11.1.18",
    "jsonwebtoken": "^9.0.3",
    "reflect-metadata": "^0.2.2",
    "rxjs": "^7.8.2"
  },
  "devDependencies": {
-    "@nestjs/cli": "^11.0.16",
-    "@nestjs/schematics": "^11.0.9",
-    "@nestjs/testing": "^11.1.17",
+    "@nestjs/cli": "^11.0.17",
+    "@nestjs/schematics": "^11.0.10",
+    "@nestjs/testing": "^11.1.18",
    "@types/express": "^5.0.6",
    "@types/jest": "^30.0.0",
    "@types/jsonwebtoken": "^9.0.10",
-    "@types/node": "^25.5.0",
+    "@types/node": "^25.5.2",
    "@types/supertest": "^7.2.0",
    "jest": "^30.3.0",
    "source-map-support": "^0.5.21",
    "supertest": "^7.2.2",
-    "ts-jest": "^29.4.6",
-    "ts-loader": "^9.5.4",
+    "ts-jest": "^29.4.9",
+    "ts-loader": "^9.5.7",
    "ts-node": "^10.9.2",
    "tsconfig-paths": "^4.2.0",
-    "typescript": "^5.9.3"
+    "typescript": "^6.0.2"
  },
  "jest": {
    "moduleFileExtensions": [
@@ -27,7 +27,7 @@ export class AuthGuard implements CanActivate {
    const request = context.switchToHttp().getRequest<Request>();
    const authHeader = request.headers.authorization;

-    if (!authHeader || !authHeader.startsWith("Bearer ")) {
+    if (!authHeader?.startsWith("Bearer ")) {
      throw new UnauthorizedException(
        "Missing or invalid authorization header",
      );
@@ -38,7 +38,7 @@ export class AuthGuard implements CanActivate {
    // Try SYNC_TOKEN first (self-hosted mode)
    const expectedToken = this.configService.get<string>("SYNC_TOKEN");
    if (expectedToken && token === expectedToken) {
-      (request as any).user = {
+      (request as unknown as Record<string, unknown>).user = {
        mode: "self-hosted",
        prefix: "",
        teamPrefix: null,
@@ -55,7 +55,7 @@ export class AuthGuard implements CanActivate {
          algorithms: ["RS256"],
        }) as jwt.JwtPayload;

-        (request as any).user = {
+        (request as unknown as Record<string, unknown>).user = {
          mode: "cloud",
          prefix: decoded.prefix || `users/${decoded.sub}/`,
          teamPrefix: decoded.teamPrefix || null,
@@ -39,7 +39,7 @@ export class SyncController {
  constructor(private readonly syncService: SyncService) {}

  private getUserContext(req: Request): UserContext {
-    return (req as any).user as UserContext;
+    return (req as unknown as Record<string, unknown>).user as UserContext;
  }

  @Post("stat")
@@ -2,18 +2,29 @@ import { INestApplication } from "@nestjs/common";
 import { Test, TestingModule } from "@nestjs/testing";
 import request from "supertest";
 import { App } from "supertest/types";
-import { AppModule } from "./../src/app.module.js";
+import { AppController } from "./../src/app.controller.js";
+import { AppService } from "./../src/app.service.js";
+import { SyncService } from "./../src/sync/sync.service.js";

 describe("AppController (e2e)", () => {
  let app: INestApplication<App>;

  beforeEach(async () => {
    const moduleFixture: TestingModule = await Test.createTestingModule({
-      imports: [AppModule],
+      controllers: [AppController],
+      providers: [
+        AppService,
+        {
+          provide: SyncService,
+          useValue: {
+            checkS3Connectivity: async () => true,
+          },
+        },
+      ],
    }).compile();

    app = moduleFixture.createNestApplication();
-    await app.init();
+    await app.listen(0);
  });

  afterEach(async () => {
@@ -1,10 +1,16 @@
 {
  "moduleFileExtensions": ["js", "json", "ts"],
  "rootDir": ".",
+  "maxWorkers": 1,
  "testEnvironment": "node",
  "testRegex": ".e2e-spec.ts$",
  "transform": {
-    "^.+\\.(t|j)s$": "ts-jest"
+    "^.+\\.(t|j)s$": [
+      "ts-jest",
+      {
+        "tsconfig": "<rootDir>/tsconfig.json"
+      }
+    ]
  },
  "moduleNameMapper": {
    "^(\\.{1,2}/.*)\\.js$": "$1"
@@ -1,3 +1,5 @@
+import type { Server } from "node:http";
+import type { AddressInfo } from "node:net";
 import { INestApplication } from "@nestjs/common";
 import { ConfigModule } from "@nestjs/config";
 import { Test, TestingModule } from "@nestjs/testing";
@@ -6,6 +8,11 @@ import { App } from "supertest/types";
 import { AppController } from "./../src/app.controller.js";
 import { AppService } from "./../src/app.service.js";
 import { SyncModule } from "./../src/sync/sync.module.js";
+import {
+  configureTestEnv,
+  TEST_SYNC_TOKEN,
+  waitForTestS3,
+} from "./test-env.js";

 interface PresignResponse {
  url: string;
@@ -29,26 +36,12 @@ interface StatResponse {
  lastModified?: string;
 }

-interface SSEError {
-  code?: string;
-  timeout?: boolean;
-  response?: { status: number };
-}
-
-const TEST_TOKEN = "test-sync-token";
-
 describe("SyncController (e2e)", () => {
  let app: INestApplication<App>;

  beforeAll(async () => {
-    process.env.SYNC_TOKEN = TEST_TOKEN;
-    process.env.S3_ENDPOINT =
-      process.env.S3_ENDPOINT || "http://localhost:8987";
-    process.env.S3_ACCESS_KEY_ID = process.env.S3_ACCESS_KEY_ID || "minioadmin";
-    process.env.S3_SECRET_ACCESS_KEY =
-      process.env.S3_SECRET_ACCESS_KEY || "minioadmin";
-    process.env.S3_BUCKET = "donut-sync-test";
-    process.env.S3_FORCE_PATH_STYLE = "true";
+    configureTestEnv();
+    await waitForTestS3();

    const moduleFixture: TestingModule = await Test.createTestingModule({
      imports: [
@@ -62,7 +55,7 @@ describe("SyncController (e2e)", () => {
    }).compile();

    app = moduleFixture.createNestApplication();
-    await app.init();
+    await app.listen(0);
  });

  afterAll(async () => {
@@ -88,7 +81,7 @@ describe("SyncController (e2e)", () => {
    it("should accept requests with valid token", () => {
      return request(app.getHttpServer())
        .post("/v1/objects/stat")
-        .set("Authorization", `Bearer ${TEST_TOKEN}`)
+        .set("Authorization", `Bearer ${TEST_SYNC_TOKEN}`)
        .send({ key: "nonexistent-key" })
        .expect(200)
        .expect({ exists: false });
@@ -99,7 +92,7 @@ describe("SyncController (e2e)", () => {
    it("should return exists: false for non-existent key", () => {
      return request(app.getHttpServer())
        .post("/v1/objects/stat")
-        .set("Authorization", `Bearer ${TEST_TOKEN}`)
+        .set("Authorization", `Bearer ${TEST_SYNC_TOKEN}`)
        .send({ key: "does-not-exist" })
        .expect(200)
        .expect({ exists: false });
@@ -110,7 +103,7 @@ describe("SyncController (e2e)", () => {
    it("should return a presigned upload URL", async () => {
      const response = await request(app.getHttpServer())
        .post("/v1/objects/presign-upload")
-        .set("Authorization", `Bearer ${TEST_TOKEN}`)
+        .set("Authorization", `Bearer ${TEST_SYNC_TOKEN}`)
        .send({ key: "test/upload-key.txt", contentType: "text/plain" })
        .expect(200);

@@ -125,7 +118,7 @@ describe("SyncController (e2e)", () => {
    it("should return a presigned download URL", async () => {
      const response = await request(app.getHttpServer())
        .post("/v1/objects/presign-download")
-        .set("Authorization", `Bearer ${TEST_TOKEN}`)
+        .set("Authorization", `Bearer ${TEST_SYNC_TOKEN}`)
        .send({ key: "test/download-key.txt" })
        .expect(200);

@@ -140,7 +133,7 @@ describe("SyncController (e2e)", () => {
    it("should list objects with prefix", async () => {
      const response = await request(app.getHttpServer())
        .post("/v1/objects/list")
-        .set("Authorization", `Bearer ${TEST_TOKEN}`)
+        .set("Authorization", `Bearer ${TEST_SYNC_TOKEN}`)
        .send({ prefix: "profiles/" })
        .expect(200);

@@ -155,7 +148,7 @@ describe("SyncController (e2e)", () => {
    it("should delete object and create tombstone", async () => {
      const response = await request(app.getHttpServer())
        .post("/v1/objects/delete")
-        .set("Authorization", `Bearer ${TEST_TOKEN}`)
+        .set("Authorization", `Bearer ${TEST_SYNC_TOKEN}`)
        .send({
          key: "test/to-delete.txt",
          tombstoneKey: "tombstones/test/to-delete.json",
@@ -176,7 +169,7 @@ describe("SyncController (e2e)", () => {
    it("should complete full upload/download cycle with presigned URLs", async () => {
      const uploadResponse = await request(app.getHttpServer())
        .post("/v1/objects/presign-upload")
-        .set("Authorization", `Bearer ${TEST_TOKEN}`)
+        .set("Authorization", `Bearer ${TEST_SYNC_TOKEN}`)
        .send({ key: testKey, contentType: "text/plain" })
        .expect(200);

@@ -192,7 +185,7 @@ describe("SyncController (e2e)", () => {

      const statResponse = await request(app.getHttpServer())
        .post("/v1/objects/stat")
-        .set("Authorization", `Bearer ${TEST_TOKEN}`)
+        .set("Authorization", `Bearer ${TEST_SYNC_TOKEN}`)
        .send({ key: testKey })
        .expect(200);

@@ -202,7 +195,7 @@ describe("SyncController (e2e)", () => {

      const downloadResponse = await request(app.getHttpServer())
        .post("/v1/objects/presign-download")
-        .set("Authorization", `Bearer ${TEST_TOKEN}`)
+        .set("Authorization", `Bearer ${TEST_SYNC_TOKEN}`)
        .send({ key: testKey })
        .expect(200);

@@ -215,13 +208,13 @@ describe("SyncController (e2e)", () => {

      await request(app.getHttpServer())
        .post("/v1/objects/delete")
-        .set("Authorization", `Bearer ${TEST_TOKEN}`)
+        .set("Authorization", `Bearer ${TEST_SYNC_TOKEN}`)
        .send({ key: testKey })
        .expect(200);

      const finalStatResponse = await request(app.getHttpServer())
        .post("/v1/objects/stat")
-        .set("Authorization", `Bearer ${TEST_TOKEN}`)
+        .set("Authorization", `Bearer ${TEST_SYNC_TOKEN}`)
        .send({ key: testKey })
        .expect(200);

@@ -238,20 +231,28 @@ describe("SyncController (e2e)", () => {
    });

    it("should return SSE stream with valid token", async () => {
-      const response = await request(app.getHttpServer())
-        .get("/v1/objects/subscribe")
-        .set("Authorization", `Bearer ${TEST_TOKEN}`)
-        .set("Accept", "text/event-stream")
-        .buffer(true)
-        .timeout(3000)
-        .catch((err: SSEError) => {
-          if (err.code === "ECONNABORTED" || err.timeout) {
-            return err.response ?? { status: 200 };
-          }
-          throw err;
-        });
+      const address = (
+        app.getHttpServer() as Server
+      ).address() as AddressInfo | null;
+      if (!address || typeof address === "string") {
+        throw new Error("Expected app to be listening on a TCP port");
+      }
+
+      const response = await fetch(
+        `http://127.0.0.1:${address.port}/v1/objects/subscribe`,
+        {
+          headers: {
+            Accept: "text/event-stream",
+            Authorization: `Bearer ${TEST_SYNC_TOKEN}`,
+          },
+        },
+      );

      expect(response.status).toBe(200);
+      expect(response.headers.get("content-type")).toContain(
+        "text/event-stream",
+      );
+      await response.body?.cancel();
    });
  });
 });
@@ -0,0 +1,37 @@
+import { ListBucketsCommand, S3Client } from "@aws-sdk/client-s3";
+
+export const TEST_SYNC_TOKEN = "test-sync-token";
+export const TEST_S3_ENDPOINT = "http://127.0.0.1:8987";
+
+export function configureTestEnv() {
+  process.env.SYNC_TOKEN ||= TEST_SYNC_TOKEN;
+  process.env.S3_ENDPOINT ||= TEST_S3_ENDPOINT;
+  process.env.S3_ACCESS_KEY_ID ||= "minioadmin";
+  process.env.S3_SECRET_ACCESS_KEY ||= "minioadmin";
+  process.env.S3_BUCKET ||= "donut-sync-test";
+  process.env.S3_FORCE_PATH_STYLE ||= "true";
+}
+
+export async function waitForTestS3(timeoutMs = 30_000) {
+  const deadline = Date.now() + timeoutMs;
+  const s3Client = new S3Client({
+    endpoint: TEST_S3_ENDPOINT,
+    region: "us-east-1",
+    credentials: {
+      accessKeyId: "minioadmin",
+      secretAccessKey: "minioadmin",
+    },
+    forcePathStyle: true,
+  });
+
+  while (Date.now() < deadline) {
+    try {
+      await s3Client.send(new ListBucketsCommand({}));
+      return;
+    } catch {}
+
+    await new Promise((resolve) => setTimeout(resolve, 500));
+  }
+
+  throw new Error(`Timed out waiting for S3 at ${TEST_S3_ENDPOINT}`);
+}
@@ -0,0 +1,6 @@
+{
+  "extends": "../tsconfig.json",
+  "compilerOptions": {
+    "rootDir": ".."
+  }
+}
@@ -1,4 +1,7 @@
 {
  "extends": "./tsconfig.json",
+  "compilerOptions": {
+    "rootDir": "./src"
+  },
  "exclude": ["node_modules", "test", "dist", "**/*spec.ts"]
 }
@@ -13,10 +13,11 @@
    "target": "ES2023",
    "sourceMap": true,
    "outDir": "./dist",
-    "baseUrl": "./",
    "incremental": true,
    "skipLibCheck": true,
    "strictNullChecks": true,
+    "strictPropertyInitialization": false,
+    "types": ["jest", "node"],
    "forceConsistentCasingInFileNames": true,
    "noImplicitAny": false,
    "strictBindCallApply": false,
@@ -94,17 +94,17 @@
        pkgConfigPath = lib.makeSearchPath "lib/pkgconfig" (
          pkgConfigLibs ++ map lib.getDev pkgConfigLibs
        );
-        releaseVersion = "0.18.1";
+        releaseVersion = "0.21.0";
        releaseAppImage =
          if system == "x86_64-linux" then
            pkgs.fetchurl {
-              url = "https://github.com/zhom/donutbrowser/releases/download/v0.18.1/Donut_0.18.1_amd64.AppImage";
-              hash = "sha256-+twOKfcM5qdV3+415/PecdQUgTTe+9xwL7/qu4kCxQI=";
+              url = "https://github.com/zhom/donutbrowser/releases/download/v0.21.0/Donut_0.21.0_amd64.AppImage";
+              hash = "sha256-Qrg+8uh9RTDMHUNqWChWBHIIsy2Dgzu5wOH+FuPN35k=";
            }
          else if system == "aarch64-linux" then
            pkgs.fetchurl {
-              url = "https://github.com/zhom/donutbrowser/releases/download/v0.18.1/Donut_0.18.1_aarch64.AppImage";
-              hash = "sha256-/Fj2euuxKzP6DxcV7sqShsNr6sy7Ck1iERtYcMt2hZQ=";
+              url = "https://github.com/zhom/donutbrowser/releases/download/v0.21.0/Donut_0.21.0_aarch64.AppImage";
+              hash = "sha256-UBGer3/8xleadHaZ/5OY2KaC03OE40SOewCAdcxw2CM=";
            }
          else
            null;
@@ -1,6 +0,0 @@
-/// <reference types="next" />
-/// <reference types="next/image-types/global" />
-import "./.next/types/routes.d.ts";
-
-// NOTE: This file should not be edited
-// see https://nextjs.org/docs/app/api-reference/config/typescript for more information.
@@ -2,15 +2,16 @@
  "name": "donutbrowser",
  "private": true,
  "license": "AGPL-3.0",
-  "version": "0.18.1",
+  "version": "0.21.1",
  "type": "module",
  "scripts": {
    "dev": "next dev --turbopack -p 12341",
    "build": "next build",
    "start": "next start",
-    "test": "pnpm test:rust:unit && pnpm test:sync-e2e",
+    "test": "pnpm test:rust:unit && pnpm test:openvpn-e2e && pnpm test:sync-e2e",
+    "test:openvpn-e2e": "node scripts/openvpn-test-harness.mjs",
    "test:rust": "cd src-tauri && cargo test",
-    "test:rust:unit": "cd src-tauri && cargo test --lib && cargo test --test donut_proxy_integration",
+    "test:rust:unit": "cd src-tauri && cargo test --lib && cargo test --test donut_proxy_integration && cargo test --test vpn_integration",
    "test:sync-e2e": "node scripts/sync-test-harness.mjs",
    "lint": "pnpm lint:js && pnpm lint:rust && pnpm lint:spell",
    "lint:js": "biome check src/ && tsc --noEmit && cd donut-sync && biome check src/ && tsc --noEmit",
@@ -47,8 +48,8 @@
    "@tanstack/react-table": "^8.21.3",
    "@tauri-apps/api": "~2.10.1",
    "@tauri-apps/plugin-deep-link": "^2.4.7",
-    "@tauri-apps/plugin-dialog": "^2.6.0",
-    "@tauri-apps/plugin-fs": "~2.4.5",
+    "@tauri-apps/plugin-dialog": "^2.7.0",
+    "@tauri-apps/plugin-fs": "~2.5.0",
    "@tauri-apps/plugin-log": "^2.8.0",
    "@tauri-apps/plugin-opener": "^2.5.3",
    "ahooks": "^3.9.7",
@@ -57,27 +58,27 @@
    "cmdk": "^1.1.1",
    "color": "^5.0.3",
    "flag-icons": "^7.5.0",
-    "i18next": "^25.10.5",
-    "lucide-react": "^0.577.0",
+    "i18next": "^26.0.3",
+    "lucide-react": "^1.7.0",
    "motion": "^12.38.0",
-    "next": "^16.2.1",
+    "next": "^16.2.3",
    "next-themes": "^0.4.6",
    "radix-ui": "^1.4.3",
    "react": "^19.2.4",
    "react-dom": "^19.2.4",
-    "react-i18next": "^16.6.2",
+    "react-i18next": "^17.0.2",
    "react-icons": "^5.6.0",
-    "recharts": "3.8.0",
+    "recharts": "3.8.1",
    "sonner": "^2.0.7",
    "tailwind-merge": "^3.5.0",
    "tauri-plugin-macos-permissions-api": "^2.3.0"
  },
  "devDependencies": {
-    "@biomejs/biome": "2.4.8",
+    "@biomejs/biome": "2.4.10",
    "@tailwindcss/postcss": "^4.2.2",
    "@tauri-apps/cli": "~2.10.1",
    "@types/color": "^4.2.1",
-    "@types/node": "^25.5.0",
+    "@types/node": "^25.5.2",
    "@types/react": "^19.2.14",
    "@types/react-dom": "^19.2.3",
    "@vitejs/plugin-react": "^6.0.1",
@@ -86,9 +87,15 @@
    "tailwindcss": "^4.2.2",
    "ts-unused-exports": "^11.0.1",
    "tw-animate-css": "^1.4.0",
-    "typescript": "~5.9.3"
+    "typescript": "~6.0.2"
  },
-  "packageManager": "pnpm@10.30.1",
+  "pnpm": {
+    "overrides": {
+      "picomatch@>=4.0.0 <4.0.4": ">=4.0.4",
+      "path-to-regexp@>=8.0.0 <8.4.0": ">=8.4.0"
+    }
+  },
+  "packageManager": "pnpm@10.33.0",
  "lint-staged": {
    "**/*.{js,jsx,ts,tsx,json,css}": [
      "biome check --fix"
@@ -81,7 +81,7 @@ echo -e "${YELLOW}Waiting for MinIO to be healthy...${NC}"
 MAX_RETRIES=30
 RETRY_COUNT=0
 while [ $RETRY_COUNT -lt $MAX_RETRIES ]; do
-  if curl -sf http://localhost:8987/minio/health/live > /dev/null 2>&1; then
+  if curl -sf http://127.0.0.1:8987/minio/health/live > /dev/null 2>&1; then
    echo -e "${GREEN}MinIO is ready!${NC}"
    break
  fi
@@ -0,0 +1,161 @@
+#!/usr/bin/env node
+/**
+ * OpenVPN E2E Test Harness
+ *
+ * This script:
+ * 1. Skips unless explicitly enabled via DONUTBROWSER_RUN_OPENVPN_E2E=1
+ * 2. Builds the Rust vpn_integration test binary without running it
+ * 3. Runs the OpenVPN e2e test binary under sudo
+ *
+ * Usage: DONUTBROWSER_RUN_OPENVPN_E2E=1 node scripts/openvpn-test-harness.mjs
+ */
+
+import { spawn } from "child_process";
+import path from "path";
+import { fileURLToPath } from "url";
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const ROOT_DIR = path.resolve(__dirname, "..");
+const SRC_TAURI_DIR = path.join(ROOT_DIR, "src-tauri");
+const TEST_NAME = "test_openvpn_traffic_flows_through_donut_proxy";
+
+function log(message) {
+  console.log(`[openvpn-harness] ${message}`);
+}
+
+function error(message) {
+  console.error(`[openvpn-harness] ERROR: ${message}`);
+}
+
+function shouldRun() {
+  if (process.env.DONUTBROWSER_RUN_OPENVPN_E2E !== "1") {
+    log("Skipping OpenVPN e2e test because DONUTBROWSER_RUN_OPENVPN_E2E is not set");
+    return false;
+  }
+
+  if (process.platform !== "linux") {
+    log(`Skipping OpenVPN e2e test on unsupported platform: ${process.platform}`);
+    return false;
+  }
+
+  return true;
+}
+
+async function buildTestBinary() {
+  log("Building OpenVPN e2e test binary...");
+
+  return new Promise((resolve, reject) => {
+    let executablePath = "";
+    let stdoutBuffer = "";
+
+    const proc = spawn(
+      "cargo",
+      [
+        "test",
+        "--test",
+        "vpn_integration",
+        TEST_NAME,
+        "--no-run",
+        "--message-format=json",
+      ],
+      {
+        cwd: SRC_TAURI_DIR,
+        env: process.env,
+        stdio: ["ignore", "pipe", "pipe"],
+      }
+    );
+
+    const parseBuffer = (flush = false) => {
+      const lines = stdoutBuffer.split("\n");
+      const completeLines = flush ? lines : lines.slice(0, -1);
+      stdoutBuffer = flush ? "" : lines.at(-1) ?? "";
+
+      for (const line of completeLines.filter(Boolean)) {
+        try {
+          const message = JSON.parse(line);
+          if (message.reason === "compiler-artifact" && message.executable) {
+            executablePath = message.executable;
+          }
+        } catch {
+          // Ignore non-JSON lines.
+        }
+      }
+    };
+
+    proc.stdout.on("data", (data) => {
+      stdoutBuffer += data.toString();
+      parseBuffer();
+    });
+
+    proc.stderr.on("data", (data) => {
+      process.stderr.write(data);
+    });
+
+    proc.on("error", (err) => {
+      reject(err);
+    });
+
+    proc.on("close", (code) => {
+      parseBuffer(true);
+
+      if (code !== 0) {
+        reject(new Error(`cargo test --no-run exited with code ${code}`));
+        return;
+      }
+
+      if (!executablePath) {
+        reject(new Error("Could not determine the vpn_integration test binary path"));
+        return;
+      }
+
+      resolve(path.isAbsolute(executablePath) ? executablePath : path.resolve(SRC_TAURI_DIR, executablePath));
+    });
+  });
+}
+
+async function runOpenVpnE2e(executablePath) {
+  log("Running OpenVPN e2e test under sudo...");
+
+  return new Promise((resolve, reject) => {
+    const proc = spawn(
+      "sudo",
+      [
+        "--preserve-env=CI,GITHUB_ACTIONS,VPN_TEST_OVPN_HOST,VPN_TEST_OVPN_PORT,DONUTBROWSER_RUN_OPENVPN_E2E",
+        executablePath,
+        TEST_NAME,
+        "--exact",
+        "--nocapture",
+      ],
+      {
+        cwd: SRC_TAURI_DIR,
+        env: process.env,
+        stdio: "inherit",
+      }
+    );
+
+    proc.on("error", (err) => {
+      reject(err);
+    });
+
+    proc.on("close", (code) => {
+      resolve(code ?? 1);
+    });
+  });
+}
+
+async function main() {
+  if (!shouldRun()) {
+    process.exit(0);
+  }
+
+  try {
+    const executablePath = await buildTestBinary();
+    const exitCode = await runOpenVpnE2e(executablePath);
+    process.exit(exitCode);
+  } catch (err) {
+    error(err instanceof Error ? err.message : String(err));
+    process.exit(1);
+  }
+}
+
+main();
@@ -0,0 +1,240 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+WORK_DIR="$(mktemp -d)"
+trap 'rm -rf "$WORK_DIR"' EXIT
+
+GITHUB_REPO="zhom/donutbrowser"
+
+# Load .env if running locally
+if [[ -f "$REPO_ROOT/.env" ]]; then
+  set -a
+  # shellcheck disable=SC1091
+  source "$REPO_ROOT/.env"
+  set +a
+fi
+
+# Validate required env vars
+for var in R2_ACCESS_KEY_ID R2_SECRET_ACCESS_KEY R2_ENDPOINT_URL R2_BUCKET_NAME; do
+  if [[ -z "${!var:-}" ]]; then
+    echo "Error: $var is not set. Configure it in .env or export it."
+    exit 1
+  fi
+done
+
+# Export for AWS CLI
+export AWS_ACCESS_KEY_ID="$R2_ACCESS_KEY_ID"
+export AWS_SECRET_ACCESS_KEY="$R2_SECRET_ACCESS_KEY"
+export AWS_DEFAULT_REGION="auto"
+# aws-cli v2.23+ sends integrity checksums by default; R2 rejects them
+# with `Unauthorized` on ListObjectsV2. Disable.
+export AWS_REQUEST_CHECKSUM_CALCULATION="WHEN_REQUIRED"
+export AWS_RESPONSE_CHECKSUM_VALIDATION="WHEN_REQUIRED"
+
+# Ensure endpoint URL has https:// prefix
+R2_ENDPOINT="$R2_ENDPOINT_URL"
+if [[ "$R2_ENDPOINT" != https://* ]]; then
+  R2_ENDPOINT="https://$R2_ENDPOINT"
+fi
+
+# Determine version tag
+if [[ $# -ge 1 ]]; then
+  TAG="$1"
+else
+  echo "Fetching latest release tag..."
+  TAG=$(gh release view --repo "$GITHUB_REPO" --json tagName -q .tagName)
+  echo "Latest release: $TAG"
+fi
+
+VERSION="${TAG#v}"
+echo "Publishing repositories for version $VERSION"
+
+# Check required tools
+for cmd in aws gh dpkg-scanpackages gzip createrepo_c; do
+  if ! command -v "$cmd" &>/dev/null; then
+    echo "Error: $cmd is not installed."
+    case "$cmd" in
+      dpkg-scanpackages) echo "  Install with: sudo apt-get install dpkg-dev" ;;
+      createrepo_c) echo "  Install with: sudo apt-get install createrepo-c" ;;
+      aws) echo "  Install with: pip install awscli" ;;
+      gh) echo "  Install with: https://cli.github.com/" ;;
+    esac
+    exit 1
+  fi
+done
+
+PACKAGES_DIR="$WORK_DIR/packages"
+REPO_DIR="$WORK_DIR/repo"
+mkdir -p "$PACKAGES_DIR" "$REPO_DIR"
+
+# ---------------------------------------------------------------------------
+# Download .deb and .rpm from GitHub release
+# ---------------------------------------------------------------------------
+echo ""
+echo "==> Downloading packages from GitHub release $TAG..."
+gh release download "$TAG" \
+  --repo "$GITHUB_REPO" \
+  --pattern "*.deb" \
+  --dir "$PACKAGES_DIR"
+gh release download "$TAG" \
+  --repo "$GITHUB_REPO" \
+  --pattern "*.rpm" \
+  --dir "$PACKAGES_DIR"
+
+echo "Downloaded:"
+ls -lh "$PACKAGES_DIR/"
+
+# ---------------------------------------------------------------------------
+# DEB repository
+# ---------------------------------------------------------------------------
+echo ""
+echo "==> Building DEB repository..."
+
+DEB_DIR="$REPO_DIR/deb"
+mkdir -p "$DEB_DIR/pool/main"
+mkdir -p "$DEB_DIR/dists/stable/main/binary-amd64"
+mkdir -p "$DEB_DIR/dists/stable/main/binary-arm64"
+
+# Pull existing pool from R2 (incremental)
+echo "  Syncing existing DEB pool from R2..."
+aws s3 sync "s3://${R2_BUCKET_NAME}/deb/pool" "$DEB_DIR/pool" \
+  --endpoint-url "$R2_ENDPOINT" 2>/dev/null || true
+
+# Copy new .deb files into pool
+for deb in "$PACKAGES_DIR"/*.deb; do
+  [[ -f "$deb" ]] || continue
+  cp "$deb" "$DEB_DIR/pool/main/"
+done
+
+# Generate Packages and Packages.gz for each arch
+for arch in amd64 arm64; do
+  echo "  Generating Packages for $arch..."
+  BINARY_DIR="$DEB_DIR/dists/stable/main/binary-${arch}"
+
+  # dpkg-scanpackages needs to run from the repo root
+  # and needs paths relative to that root
+  (cd "$DEB_DIR" && dpkg-scanpackages --arch "$arch" pool/main) \
+    > "$BINARY_DIR/Packages"
+
+  gzip -9c "$BINARY_DIR/Packages" > "$BINARY_DIR/Packages.gz"
+
+  echo "    $(grep -c '^Package:' "$BINARY_DIR/Packages" 2>/dev/null || echo 0) package(s)"
+done
+
+# Generate Release file
+echo "  Generating Release file..."
+{
+  echo "Origin: Donut Browser"
+  echo "Label: Donut Browser"
+  echo "Suite: stable"
+  echo "Codename: stable"
+  echo "Architectures: amd64 arm64"
+  echo "Components: main"
+  echo "Date: $(date -u '+%a, %d %b %Y %H:%M:%S UTC')"
+  echo "MD5Sum:"
+  for arch in amd64 arm64; do
+    for file in "main/binary-${arch}/Packages" "main/binary-${arch}/Packages.gz"; do
+      filepath="$DEB_DIR/dists/stable/$file"
+      if [[ -f "$filepath" ]]; then
+        size=$(wc -c < "$filepath")
+        md5=$(md5sum "$filepath" | awk '{print $1}')
+        printf " %s %8d %s\n" "$md5" "$size" "$file"
+      fi
+    done
+  done
+  echo "SHA256:"
+  for arch in amd64 arm64; do
+    for file in "main/binary-${arch}/Packages" "main/binary-${arch}/Packages.gz"; do
+      filepath="$DEB_DIR/dists/stable/$file"
+      if [[ -f "$filepath" ]]; then
+        size=$(wc -c < "$filepath")
+        sha256=$(sha256sum "$filepath" | awk '{print $1}')
+        printf " %s %8d %s\n" "$sha256" "$size" "$file"
+      fi
+    done
+  done
+} > "$DEB_DIR/dists/stable/Release"
+
+echo "  DEB Release file created."
+
+# ---------------------------------------------------------------------------
+# RPM repository
+# ---------------------------------------------------------------------------
+echo ""
+echo "==> Building RPM repository..."
+
+RPM_DIR="$REPO_DIR/rpm"
+mkdir -p "$RPM_DIR/x86_64"
+mkdir -p "$RPM_DIR/aarch64"
+
+# Pull existing RPMs from R2 (incremental)
+echo "  Syncing existing RPM packages from R2..."
+aws s3 sync "s3://${R2_BUCKET_NAME}/rpm/x86_64" "$RPM_DIR/x86_64" \
+  --endpoint-url "$R2_ENDPOINT" --exclude "repodata/*" 2>/dev/null || true
+aws s3 sync "s3://${R2_BUCKET_NAME}/rpm/aarch64" "$RPM_DIR/aarch64" \
+  --endpoint-url "$R2_ENDPOINT" --exclude "repodata/*" 2>/dev/null || true
+
+# Copy new .rpm files into arch directories
+for rpm in "$PACKAGES_DIR"/*.rpm; do
+  [[ -f "$rpm" ]] || continue
+  filename=$(basename "$rpm")
+  if [[ "$filename" == *x86_64* ]]; then
+    cp "$rpm" "$RPM_DIR/x86_64/"
+  elif [[ "$filename" == *aarch64* ]]; then
+    cp "$rpm" "$RPM_DIR/aarch64/"
+  fi
+done
+
+# Generate repodata using createrepo_c
+# We point createrepo_c at the top-level rpm dir so it indexes all subdirs
+echo "  Generating RPM repodata..."
+createrepo_c --update "$RPM_DIR"
+
+echo "  RPM repodata created."
+
+# ---------------------------------------------------------------------------
+# Upload to R2
+# ---------------------------------------------------------------------------
+echo ""
+echo "==> Uploading DEB repository to R2..."
+aws s3 sync "$DEB_DIR/dists" "s3://${R2_BUCKET_NAME}/deb/dists" \
+  --endpoint-url "$R2_ENDPOINT" --delete
+aws s3 sync "$DEB_DIR/pool" "s3://${R2_BUCKET_NAME}/deb/pool" \
+  --endpoint-url "$R2_ENDPOINT"
+
+echo "==> Uploading RPM repository to R2..."
+aws s3 sync "$RPM_DIR" "s3://${R2_BUCKET_NAME}/rpm" \
+  --endpoint-url "$R2_ENDPOINT"
+
+# ---------------------------------------------------------------------------
+# Verify
+# ---------------------------------------------------------------------------
+echo ""
+echo "==> Verifying upload..."
+echo "DEB dists/stable/:"
+aws s3 ls "s3://${R2_BUCKET_NAME}/deb/dists/stable/" \
+  --endpoint-url "$R2_ENDPOINT" 2>/dev/null || echo "  (empty or not accessible)"
+echo "DEB pool/main/:"
+aws s3 ls "s3://${R2_BUCKET_NAME}/deb/pool/main/" \
+  --endpoint-url "$R2_ENDPOINT" 2>/dev/null || echo "  (empty or not accessible)"
+echo "RPM repodata/:"
+aws s3 ls "s3://${R2_BUCKET_NAME}/rpm/repodata/" \
+  --endpoint-url "$R2_ENDPOINT" 2>/dev/null || echo "  (empty or not accessible)"
+
+echo ""
+echo "Done! Repository published for $TAG"
+echo ""
+echo "Users can add the DEB repo with:"
+echo "  echo 'deb [trusted=yes] https://repo.donutbrowser.com/deb stable main' | sudo tee /etc/apt/sources.list.d/donutbrowser.list"
+echo "  sudo apt update && sudo apt install donut"
+echo ""
+echo "Users can add the RPM repo with:"
+echo "  sudo tee /etc/yum.repos.d/donutbrowser.repo << 'EOF'"
+echo "  [donutbrowser]"
+echo "  name=Donut Browser"
+echo "  baseurl=https://repo.donutbrowser.com/rpm"
+echo "  enabled=1"
+echo "  gpgcheck=0"
+echo "  EOF"
+echo "  sudo dnf install Donut"
@@ -1,6 +1,6 @@
 [package]
 name = "donutbrowser"
-version = "0.18.1"
+version = "0.21.1"
 description = "Simple Yet Powerful Anti-Detect Browser"
 authors = ["zhom@github"]
 edition = "2021"
@@ -64,7 +64,7 @@ flate2 = "1"
 lzma-rs = "0"
 msi-extract = "0"

-uuid = { version = "1.20", features = ["v4", "serde"] }
+uuid = { version = "1.23", features = ["v4", "serde"] }
 url = "2.5"
 blake3 = "1"
 globset = "0.4"
@@ -76,15 +76,16 @@ chrono-tz = "0.10"
 axum = { version = "0.8.8", features = ["ws"] }
 tower = "0.5"
 tower-http = { version = "0.6", features = ["cors"] }
-rand = "0.10.0"
+rand = "0.10.1"
 utoipa = { version = "5", features = ["axum_extras", "chrono"] }
 utoipa-axum = "0.2"
 argon2 = "0.5"
 aes-gcm = "0.10"
-aes = "0.8"
-cbc = "0.1"
-pbkdf2 = "0.12"
-sha1 = "0.10"
+aes = "0.9"
+cbc = "0.2"
+ring = "0.17"
+sha2 = "0.11"
+shadowsocks = { version = "1.24", default-features = false, features = ["aead-cipher"] }
 hyper = { version = "1.8", features = ["full"] }
 hyper-util = { version = "0.1", features = ["full"] }
 http-body-util = "0.1"
@@ -92,7 +93,7 @@ clap = { version = "4", features = ["derive"] }
 async-socks5 = "0.6"

 # Camoufox/Playwright integration
-playwright = { git = "https://github.com/sctg-development/playwright-rust", branch = "master" }
+playwright = { git = "https://github.com/zhom/playwright-rust", branch = "master" }

 # Wayfern CDP integration
 tokio-tungstenite = { version = "0.29", features = ["native-tls"] }
@@ -109,9 +110,9 @@ boringtun = "0.7"
 smoltcp = { version = "0.13", default-features = false, features = ["std", "medium-ip", "proto-ipv4", "proto-ipv6", "socket-tcp", "socket-udp"] }

 # Daemon dependencies (tray icon)
-tray-icon = "0.21"
+tray-icon = "0.22"
 muda = "0.17"
-tao = "0.34"
+tao = "0.35"
 image = "0.25"
 dirs = "6"
 crossbeam-channel = "0.5"
@@ -31,6 +31,7 @@ pub struct ApiProfile {
  pub browser: String,
  pub version: String,
  pub proxy_id: Option<String>,
+  pub launch_hook: Option<String>,
  pub process_id: Option<u32>,
  pub last_launch: Option<u64>,
  pub release_type: String,
@@ -59,6 +60,7 @@ pub struct CreateProfileRequest {
  pub browser: String,
  pub version: String,
  pub proxy_id: Option<String>,
+  pub launch_hook: Option<String>,
  pub release_type: Option<String>,
  #[schema(value_type = Object)]
  pub camoufox_config: Option<serde_json::Value>,
@@ -74,6 +76,7 @@ pub struct UpdateProfileRequest {
  pub browser: Option<String>,
  pub version: Option<String>,
  pub proxy_id: Option<String>,
+  pub launch_hook: Option<String>,
  pub release_type: Option<String>,
  #[schema(value_type = Object)]
  pub camoufox_config: Option<serde_json::Value>,
@@ -111,17 +114,13 @@ struct ApiProxyResponse {
  name: String,
  #[schema(value_type = Object)]
  proxy_settings: ProxySettings,
-  dynamic_proxy_url: Option<String>,
-  dynamic_proxy_format: Option<String>,
 }

 #[derive(Debug, Deserialize, ToSchema)]
 struct CreateProxyRequest {
  name: String,
  #[schema(value_type = Object)]
-  proxy_settings: Option<ProxySettings>,
-  dynamic_proxy_url: Option<String>,
-  dynamic_proxy_format: Option<String>,
+  proxy_settings: ProxySettings,
 }

 #[derive(Debug, Deserialize, ToSchema)]
@@ -129,8 +128,6 @@ struct UpdateProxyRequest {
  name: Option<String>,
  #[schema(value_type = Object)]
  proxy_settings: Option<ProxySettings>,
-  dynamic_proxy_url: Option<String>,
-  dynamic_proxy_format: Option<String>,
 }

 #[derive(Debug, Deserialize, ToSchema)]
@@ -486,6 +483,7 @@ async fn get_profiles() -> Result<Json<ApiProfilesResponse>, StatusCode> {
          browser: profile.browser.clone(),
          version: profile.version.clone(),
          proxy_id: profile.proxy_id.clone(),
+          launch_hook: profile.launch_hook.clone(),
          process_id: profile.process_id,
          last_launch: profile.last_launch,
          release_type: profile.release_type.clone(),
@@ -541,6 +539,7 @@ async fn get_profile(
            browser: profile.browser.clone(),
            version: profile.version.clone(),
            proxy_id: profile.proxy_id.clone(),
+            launch_hook: profile.launch_hook.clone(),
            process_id: profile.process_id,
            last_launch: profile.last_launch,
            release_type: profile.release_type.clone(),
@@ -611,6 +610,8 @@ async fn create_profile(
      wayfern_config,
      request.group_id.clone(),
      false,
+      None,
+      request.launch_hook.clone(),
    )
    .await
  {
@@ -640,6 +641,7 @@ async fn create_profile(
          browser: profile.browser,
          version: profile.version,
          proxy_id: profile.proxy_id,
+          launch_hook: profile.launch_hook,
          process_id: profile.process_id,
          last_launch: profile.last_launch,
          release_type: profile.release_type,
@@ -713,6 +715,21 @@ async fn update_profile(
    }
  }

+  if let Some(launch_hook) = request.launch_hook {
+    let normalized = if launch_hook.trim().is_empty() {
+      None
+    } else {
+      Some(launch_hook)
+    };
+
+    if profile_manager
+      .update_profile_launch_hook(&state.app_handle, &id, normalized)
+      .is_err()
+    {
+      return Err(StatusCode::BAD_REQUEST);
+    }
+  }
+
  if let Some(camoufox_config) = request.camoufox_config {
    let config: Result<CamoufoxConfig, _> = serde_json::from_value(camoufox_config);
    match config {
@@ -1034,8 +1051,6 @@ async fn get_proxies(
      .map(|p| ApiProxyResponse {
        id: p.id,
        name: p.name,
-        dynamic_proxy_url: p.dynamic_proxy_url,
-        dynamic_proxy_format: p.dynamic_proxy_format,
        proxy_settings: p.proxy_settings,
      })
      .collect(),
@@ -1069,8 +1084,6 @@ async fn get_proxy(
      id: proxy.id,
      name: proxy.name,
      proxy_settings: proxy.proxy_settings,
-      dynamic_proxy_url: proxy.dynamic_proxy_url,
-      dynamic_proxy_format: proxy.dynamic_proxy_format,
    }))
  } else {
    Err(StatusCode::NOT_FOUND)
@@ -1096,27 +1109,16 @@ async fn create_proxy(
  State(state): State<ApiServerState>,
  Json(request): Json<CreateProxyRequest>,
 ) -> Result<Json<ApiProxyResponse>, StatusCode> {
-  let result = if let (Some(url), Some(format)) =
-    (&request.dynamic_proxy_url, &request.dynamic_proxy_format)
-  {
-    PROXY_MANAGER.create_dynamic_proxy(
-      &state.app_handle,
-      request.name.clone(),
-      url.clone(),
-      format.clone(),
-    )
-  } else if let Some(settings) = request.proxy_settings {
-    PROXY_MANAGER.create_stored_proxy(&state.app_handle, request.name.clone(), settings)
-  } else {
-    return Err(StatusCode::BAD_REQUEST);
-  };
+  let result = PROXY_MANAGER.create_stored_proxy(
+    &state.app_handle,
+    request.name.clone(),
+    request.proxy_settings,
+  );

  match result {
    Ok(proxy) => Ok(Json(ApiProxyResponse {
      id: proxy.id,
      name: proxy.name,
-      dynamic_proxy_url: proxy.dynamic_proxy_url,
-      dynamic_proxy_format: proxy.dynamic_proxy_format,
      proxy_settings: proxy.proxy_settings,
    })),
    Err(_) => Err(StatusCode::BAD_REQUEST),
@@ -1147,26 +1149,13 @@ async fn update_proxy(
  State(state): State<ApiServerState>,
  Json(request): Json<UpdateProxyRequest>,
 ) -> Result<Json<ApiProxyResponse>, StatusCode> {
-  let is_dynamic = PROXY_MANAGER.is_dynamic_proxy(&id) || request.dynamic_proxy_url.is_some();
-
-  let result = if is_dynamic {
-    PROXY_MANAGER.update_dynamic_proxy(
-      &state.app_handle,
-      &id,
-      request.name,
-      request.dynamic_proxy_url,
-      request.dynamic_proxy_format,
-    )
-  } else {
-    PROXY_MANAGER.update_stored_proxy(&state.app_handle, &id, request.name, request.proxy_settings)
-  };
+  let result =
+    PROXY_MANAGER.update_stored_proxy(&state.app_handle, &id, request.name, request.proxy_settings);

  match result {
    Ok(proxy) => Ok(Json(ApiProxyResponse {
      id: proxy.id,
      name: proxy.name,
-      dynamic_proxy_url: proxy.dynamic_proxy_url,
-      dynamic_proxy_format: proxy.dynamic_proxy_format,
      proxy_settings: proxy.proxy_settings,
    })),
    Err(_) => Err(StatusCode::NOT_FOUND),
@@ -109,6 +109,8 @@ pub struct AppUpdateInfo {
  pub published_at: String,
  pub manual_update_required: bool,
  pub release_page_url: Option<String>,
+  /// True when a system package manager repo is configured (apt/dnf/zypper)
+  pub repo_update: bool,
 }

 pub struct AppAutoUpdater {
@@ -212,11 +214,12 @@ impl AppAutoUpdater {
      // Find the appropriate asset for current platform
      let download_url = self.get_download_url_for_platform(&latest_release.assets);

-      // On Linux, we show the update notification even if auto-update is disabled
-      // Users can manually download from the release page
+      // On Linux, when a package repo is configured, notify users to update via
+      // their package manager instead of auto-downloading from GitHub.
      #[cfg(target_os = "linux")]
      {
-        let manual_update_required = download_url.is_none();
+        let repo_update = self.is_repo_configured();
+        let manual_update_required = download_url.is_none() || repo_update;
        let update_info = AppUpdateInfo {
          current_version,
          new_version: latest_release.tag_name.clone(),
@@ -226,13 +229,15 @@ impl AppAutoUpdater {
          published_at: latest_release.published_at.clone(),
          manual_update_required,
          release_page_url: Some(release_page_url),
+          repo_update,
        };

        log::info!(
-          "Update info prepared: {} -> {} (manual_update_required: {})",
+          "Update info prepared: {} -> {} (manual_update_required: {}, repo_update: {})",
          update_info.current_version,
          update_info.new_version,
-          update_info.manual_update_required
+          update_info.manual_update_required,
+          update_info.repo_update
        );
        return Ok(Some(update_info));
      }
@@ -249,6 +254,7 @@ impl AppAutoUpdater {
            published_at: latest_release.published_at.clone(),
            manual_update_required: false,
            release_page_url: Some(release_page_url),
+            repo_update: false,
          };

          log::info!(
@@ -455,6 +461,30 @@ impl AppAutoUpdater {
    LinuxInstallationMethod::Unknown
  }

+  /// Check if the APT repository is configured
+  #[cfg(target_os = "linux")]
+  fn is_deb_repo_configured() -> bool {
+    Path::new("/etc/apt/sources.list.d/donutbrowser.list").exists()
+  }
+
+  /// Check if an RPM repository is configured (yum/dnf or zypper)
+  #[cfg(target_os = "linux")]
+  fn is_rpm_repo_configured() -> bool {
+    Path::new("/etc/yum.repos.d/donutbrowser.repo").exists()
+      || Path::new("/etc/zypp/repos.d/donutbrowser.repo").exists()
+  }
+
+  /// Check if a system package manager repo is configured for this installation.
+  #[cfg(target_os = "linux")]
+  fn is_repo_configured(&self) -> bool {
+    let installation_method = self.detect_linux_installation_method();
+    match installation_method {
+      LinuxInstallationMethod::Deb => Self::is_deb_repo_configured(),
+      LinuxInstallationMethod::Rpm => Self::is_rpm_repo_configured(),
+      _ => false,
+    }
+  }
+
  /// Get the appropriate download URL for the current platform
  fn get_download_url_for_platform(&self, assets: &[AppReleaseAsset]) -> Option<String> {
    let arch = if cfg!(target_arch = "aarch64") {
@@ -958,6 +988,10 @@ impl AppAutoUpdater {
            &format!("{}.log", installer_path.to_str().unwrap()),
          ]);

+          use std::os::windows::process::CommandExt;
+          const CREATE_NO_WINDOW: u32 = 0x08000000;
+          cmd.creation_flags(CREATE_NO_WINDOW);
+
          let output = cmd.output()?;

          if !output.status.success() {
@@ -1148,41 +1182,7 @@ impl AppAutoUpdater {
    deb_path: &Path,
  ) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
    log::info!("Installing DEB package: {}", deb_path.display());
-
-    // Try different package managers in order of preference
-    let package_managers = [
-      ("dpkg", vec!["-i", deb_path.to_str().unwrap()]),
-      ("apt", vec!["install", "-y", deb_path.to_str().unwrap()]),
-    ];
-
-    let mut last_error = String::new();
-
-    for (manager, args) in &package_managers {
-      // Check if package manager exists
-      if Command::new("which").arg(manager).output().is_ok() {
-        log::info!("Trying to install with {manager}");
-
-        let output = Command::new("pkexec").arg(manager).args(args).output();
-
-        match output {
-          Ok(output) if output.status.success() => {
-            log::info!("DEB installation completed successfully with {manager}");
-            return Ok(());
-          }
-          Ok(output) => {
-            let error_msg = String::from_utf8_lossy(&output.stderr);
-            last_error = format!("{manager} failed: {error_msg}");
-            log::info!("Installation failed with {manager}: {error_msg}");
-          }
-          Err(e) => {
-            last_error = format!("Failed to execute {manager}: {e}");
-            log::info!("Failed to execute {manager}: {e}");
-          }
-        }
-      }
-    }
-
-    Err(format!("DEB installation failed. Last error: {last_error}").into())
+    Self::install_linux_package_with_privileges(deb_path, "dpkg", "-i")
  }

  /// Install Linux RPM package
@@ -1192,43 +1192,121 @@ impl AppAutoUpdater {
    rpm_path: &Path,
  ) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
    log::info!("Installing RPM package: {}", rpm_path.display());
+    Self::install_linux_package_with_privileges(rpm_path, "rpm", "-Uvh")
+  }

-    // Try different package managers in order of preference
-    let package_managers = [
-      ("rpm", vec!["-Uvh", rpm_path.to_str().unwrap()]),
-      ("dnf", vec!["install", "-y", rpm_path.to_str().unwrap()]),
-      ("yum", vec!["install", "-y", rpm_path.to_str().unwrap()]),
-      ("zypper", vec!["install", "-y", rpm_path.to_str().unwrap()]),
-    ];
+  /// Install a Linux package with privilege escalation, using a fallback chain:
+  /// 1. pkexec (graphical PolicyKit prompt — most common on desktop Linux)
+  /// 2. zenity/kdialog password dialog → sudo -S (graphical sudo experience)
+  /// 3. sudo (terminal fallback — works in TTY sessions)
+  #[cfg(target_os = "linux")]
+  fn install_linux_package_with_privileges(
+    pkg_path: &Path,
+    install_cmd: &str,
+    install_arg: &str,
+  ) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
+    let pkg = pkg_path.to_str().unwrap_or_default();

-    let mut last_error = String::new();
+    // 1. Try pkexec (graphical PolicyKit prompt)
+    if let Ok(status) = Command::new("pkexec")
+      .args([install_cmd, install_arg, pkg])
+      .status()
+    {
+      if status.success() {
+        log::info!("Installed {pkg} with pkexec");
+        return Ok(());
+      }
+    }

-    for (manager, args) in &package_managers {
-      // Check if package manager exists
-      if Command::new("which").arg(manager).output().is_ok() {
-        log::info!("Trying to install with {manager}");
+    // 2. Try graphical password dialog → sudo -S
+    if let Some(password) = Self::get_password_graphically() {
+      if Self::install_with_sudo_stdin(pkg_path, &password, install_cmd, install_arg) {
+        log::info!("Installed {pkg} with graphical sudo");
+        return Ok(());
+      }
+    }

-        let output = Command::new("pkexec").arg(manager).args(args).output();
+    // 3. Terminal sudo fallback
+    if let Ok(status) = Command::new("sudo")
+      .args([install_cmd, install_arg, pkg])
+      .status()
+    {
+      if status.success() {
+        log::info!("Installed {pkg} with sudo");
+        return Ok(());
+      }
+    }

-        match output {
-          Ok(output) if output.status.success() => {
-            log::info!("RPM installation completed successfully with {manager}");
-            return Ok(());
-          }
-          Ok(output) => {
-            let error_msg = String::from_utf8_lossy(&output.stderr);
-            last_error = format!("{manager} failed: {error_msg}");
-            log::info!("Installation failed with {manager}: {error_msg}");
-          }
-          Err(e) => {
-            last_error = format!("Failed to execute {manager}: {e}");
-            log::info!("Failed to execute {manager}: {e}");
-          }
+    Err(format!("Failed to install {pkg} — all privilege escalation methods failed").into())
+  }
+
+  /// Try zenity then kdialog to get a password graphically.
+  #[cfg(target_os = "linux")]
+  fn get_password_graphically() -> Option<String> {
+    // Try zenity
+    if let Ok(output) = Command::new("zenity")
+      .args([
+        "--password",
+        "--title=Authentication Required",
+        "--text=Enter your password to install the update:",
+      ])
+      .output()
+    {
+      if output.status.success() {
+        let pw = String::from_utf8_lossy(&output.stdout).trim().to_string();
+        if !pw.is_empty() {
+          return Some(pw);
        }
      }
    }

-    Err(format!("RPM installation failed. Last error: {last_error}").into())
+    // Fall back to kdialog
+    if let Ok(output) = Command::new("kdialog")
+      .args(["--password", "Enter your password to install the update:"])
+      .output()
+    {
+      if output.status.success() {
+        let pw = String::from_utf8_lossy(&output.stdout).trim().to_string();
+        if !pw.is_empty() {
+          return Some(pw);
+        }
+      }
+    }
+
+    None
+  }
+
+  /// Pipe a password to `sudo -S <install_cmd> <install_arg> <pkg>`.
+  #[cfg(target_os = "linux")]
+  fn install_with_sudo_stdin(
+    pkg_path: &Path,
+    password: &str,
+    install_cmd: &str,
+    install_arg: &str,
+  ) -> bool {
+    use std::io::Write;
+
+    let child = Command::new("sudo")
+      .args([
+        "-S",
+        install_cmd,
+        install_arg,
+        pkg_path.to_str().unwrap_or_default(),
+      ])
+      .stdin(std::process::Stdio::piped())
+      .stdout(std::process::Stdio::piped())
+      .stderr(std::process::Stdio::piped())
+      .spawn();
+
+    match child {
+      Ok(mut child) => {
+        if let Some(mut stdin) = child.stdin.take() {
+          let _ = writeln!(stdin, "{password}");
+        }
+        child.wait().map(|s| s.success()).unwrap_or(false)
+      }
+      Err(_) => false,
+    }
  }

  /// Install Linux AppImage
@@ -1444,96 +1522,121 @@ rm "{}"

    #[cfg(target_os = "windows")]
    {
-      let app_path = self.get_current_app_path()?;
-      let current_pid = std::process::id();
+      use std::ffi::OsStr;
+      use std::os::windows::ffi::OsStrExt;
+
      let pending = PENDING_INSTALLER_PATH.lock().unwrap().take();

-      let temp_dir = std::env::temp_dir();
-      let script_path = temp_dir.join("donut_restart.bat");
-      let update_temp_dir = temp_dir.join("donut_app_update");
-
-      let script_content = if let Some(installer_path) = pending {
+      if let Some(installer_path) = pending {
+        // Use ShellExecuteW to run the installer directly — no batch script,
+        // no cmd.exe console window. The NSIS/MSI installer handles killing the
+        // old process and restarting the app natively (via /UPDATE and
+        // AUTOLAUNCHAPP flags).
        let ext = installer_path
          .extension()
          .and_then(|e| e.to_str())
          .unwrap_or("")
          .to_lowercase();
-        let install_cmd = match ext.as_str() {
-          "msi" => format!(
-            "msiexec /i \"{}\" /quiet /norestart REBOOT=ReallySuppress",
-            installer_path.to_str().unwrap()
-          ),
-          "exe" => format!("\"{}\" /S", installer_path.to_str().unwrap()),
-          _ => String::new(),
+
+        let (file, parameters) = match ext.as_str() {
+          "exe" => {
+            // NSIS installer: /S for silent, /UPDATE tells it this is an update
+            let file = installer_path.as_os_str().to_os_string();
+            let params = std::ffi::OsString::from("/S /UPDATE");
+            (file, params)
+          }
+          "msi" => {
+            // MSI: run msiexec.exe with the package
+            let msiexec = std::env::var("SYSTEMROOT")
+              .map(|p| format!("{p}\\System32\\msiexec.exe"))
+              .unwrap_or_else(|_| "msiexec.exe".to_string());
+            let file = std::ffi::OsString::from(msiexec);
+            let params = std::ffi::OsString::from(format!(
+              "/i {} /quiet /norestart /promptrestart AUTOLAUNCHAPP=True",
+              installer_path
+                .to_str()
+                .map(|p| format!("\"{p}\""))
+                .unwrap_or_default()
+            ));
+            (file, params)
+          }
+          _ => {
+            return Err("Unsupported Windows installer format for restart".into());
+          }
        };

-        format!(
-          r#"@echo off
-rem Wait for the current process to exit
-:wait_loop
-tasklist /fi "PID eq {pid}" >nul 2>&1
-if %errorlevel% equ 0 (
-    timeout /t 1 /nobreak >nul
-    goto wait_loop
-)
+        fn encode_wide(s: impl AsRef<OsStr>) -> Vec<u16> {
+          s.as_ref().encode_wide().chain(std::iter::once(0)).collect()
+        }

-rem Wait a bit more to ensure clean exit
-timeout /t 2 /nobreak >nul
+        let file_w = encode_wide(&file);
+        let params_w = encode_wide(&parameters);

-rem Run the installer
-{install_cmd}
+        log::info!(
+          "Running installer via ShellExecuteW: {:?} {:?}",
+          file,
+          parameters
+        );

-rem Wait for installation to complete
-timeout /t 3 /nobreak >nul
+        // windows-sys is not a direct dep, so use the raw FFI via the
+        // windows crate that Tauri pulls in. ShellExecuteW returns an
+        // HINSTANCE > 32 on success.
+        #[link(name = "shell32")]
+        extern "system" {
+          fn ShellExecuteW(
+            hwnd: *mut std::ffi::c_void,
+            operation: *const u16,
+            file: *const u16,
+            parameters: *const u16,
+            directory: *const u16,
+            show_cmd: i32,
+          ) -> isize;
+        }
+        const SW_SHOWNORMAL: i32 = 1;
+        let open: Vec<u16> = "open\0".encode_utf16().collect();

-rem Start the new application
-start "" "{app_path}"
+        let result = unsafe {
+          ShellExecuteW(
+            std::ptr::null_mut(),
+            open.as_ptr(),
+            file_w.as_ptr(),
+            params_w.as_ptr(),
+            std::ptr::null(),
+            SW_SHOWNORMAL,
+          )
+        };

-rem Clean up installer temp files
-rmdir /s /q "{update_temp}"
-
-rem Clean up this script
-del "%~f0"
-"#,
-          pid = current_pid,
-          install_cmd = install_cmd,
-          app_path = app_path.to_str().unwrap(),
-          update_temp = update_temp_dir.to_str().unwrap(),
-        )
+        if result as usize <= 32 {
+          return Err(format!("ShellExecuteW failed with code {result}").into());
+        }
      } else {
-        format!(
-          r#"@echo off
-rem Wait for the current process to exit
-:wait_loop
-tasklist /fi "PID eq {}" >nul 2>&1
-if %errorlevel% equ 0 (
-    timeout /t 1 /nobreak >nul
-    goto wait_loop
-)
+        // No pending installer — just restart the app. Use a minimal
+        // detached process to relaunch after we exit.
+        let app_path = self.get_current_app_path()?;
+        let current_pid = std::process::id();
+        let temp_dir = std::env::temp_dir();
+        let script_path = temp_dir.join("donut_restart.bat");

-rem Wait a bit more to ensure clean exit
-timeout /t 2 /nobreak >nul
+        let script_content = format!(
+          "@echo off\n\
+           :w\n\
+           tasklist /fi \"PID eq {current_pid}\" 2>nul | find \"{current_pid}\" >nul && (timeout /t 1 /nobreak >nul & goto w)\n\
+           timeout /t 1 /nobreak >nul\n\
+           start \"\" \"{app}\"\n\
+           del \"%~f0\"\n",
+          app = app_path.to_str().unwrap(),
+        );
+        fs::write(&script_path, script_content)?;

-rem Start the new application
-start "" "{}"
-
-rem Clean up this script
-del "%~f0"
-"#,
-          current_pid,
-          app_path.to_str().unwrap()
-        )
-      };
-
-      fs::write(&script_path, script_content)?;
-
-      let mut cmd = Command::new("cmd");
-      cmd.args(["/C", script_path.to_str().unwrap()]);
-
-      let _child = cmd.spawn()?;
+        use std::os::windows::process::CommandExt;
+        const CREATE_NO_WINDOW: u32 = 0x08000000;
+        let _child = Command::new("cmd")
+          .args(["/C", script_path.to_str().unwrap()])
+          .creation_flags(CREATE_NO_WINDOW)
+          .spawn()?;
+      }

      tokio::time::sleep(tokio::time::Duration::from_millis(500)).await;
-
      std::process::exit(0);
    }

@@ -1604,6 +1707,10 @@ rm "{}"

 #[tauri::command]
 pub async fn check_for_app_updates() -> Result<Option<AppUpdateInfo>, String> {
+  if crate::app_dirs::is_portable() {
+    log::info!("App auto-updates disabled in portable mode");
+    return Ok(None);
+  }
  // The disable_auto_updates setting controls app self-updates only
  let disabled = crate::settings_manager::SettingsManager::instance()
    .load_settings()
@@ -2001,6 +2108,15 @@ mod tests {
      // If url is None, it means AppImage was detected and auto-updates are disabled
    }
  }
+
+  #[test]
+  #[cfg(target_os = "linux")]
+  fn test_repo_detection_returns_bool() {
+    // These just verify the functions run without panicking.
+    // Actual values depend on the host system configuration.
+    let _deb = AppAutoUpdater::is_deb_repo_configured();
+    let _rpm = AppAutoUpdater::is_rpm_repo_configured();
+  }
 }

 // Global singleton instance
@@ -3,11 +3,29 @@ use std::path::PathBuf;
 use std::sync::OnceLock;

 static BASE_DIRS: OnceLock<BaseDirs> = OnceLock::new();
+static PORTABLE_DIR: OnceLock<Option<PathBuf>> = OnceLock::new();

 fn base_dirs() -> &'static BaseDirs {
  BASE_DIRS.get_or_init(|| BaseDirs::new().expect("Failed to get base directories"))
 }

+/// Returns the portable base directory if a `.portable` marker exists next to the executable.
+fn portable_dir() -> Option<&'static PathBuf> {
+  PORTABLE_DIR
+    .get_or_init(|| {
+      std::env::current_exe()
+        .ok()
+        .and_then(|exe| exe.parent().map(|p| p.to_path_buf()))
+        .filter(|dir| dir.join(".portable").exists())
+    })
+    .as_ref()
+}
+
+/// Returns true if the app is running in portable mode.
+pub fn is_portable() -> bool {
+  portable_dir().is_some()
+}
+
 pub fn app_name() -> &'static str {
  if cfg!(debug_assertions) {
    "DonutBrowserDev"
@@ -28,6 +46,10 @@ pub fn data_dir() -> PathBuf {
    return PathBuf::from(dir);
  }

+  if let Some(dir) = portable_dir() {
+    return dir.join("data");
+  }
+
  base_dirs().data_local_dir().join(app_name())
 }

@@ -43,6 +65,10 @@ pub fn cache_dir() -> PathBuf {
    return PathBuf::from(dir);
  }

+  if let Some(dir) = portable_dir() {
+    return dir.join("cache");
+  }
+
  base_dirs().cache_dir().join(app_name())
 }

@@ -78,6 +104,10 @@ pub fn extensions_dir() -> PathBuf {
  data_dir().join("extensions")
 }

+pub fn dns_blocklist_dir() -> PathBuf {
+  cache_dir().join("dns_blocklists")
+}
+
 #[cfg(test)]
 thread_local! {
  static TEST_DATA_DIR: std::cell::RefCell<Option<PathBuf>> = const { std::cell::RefCell::new(None) };
@@ -162,6 +192,7 @@ mod tests {
    assert!(proxy_workers_dir().ends_with("proxy_workers"));
    assert!(vpn_dir().ends_with("vpn"));
    assert!(extensions_dir().ends_with("extensions"));
+    assert!(dns_blocklist_dir().ends_with("dns_blocklists"));
  }

  #[test]
@@ -683,6 +683,7 @@ mod tests {
      process_id: None,
      proxy_id: None,
      vpn_id: None,
+      launch_hook: None,
      last_launch: None,
      release_type: "stable".to_string(),
      camoufox_config: None,
@@ -699,6 +700,7 @@ mod tests {
      proxy_bypass_rules: Vec::new(),
      created_by_id: None,
      created_by_email: None,
+      dns_blocklist: None,
    }
  }

@@ -121,7 +121,7 @@ async fn main() {
            .arg(
              Arg::new("type")
                .long("type")
-                .help("Proxy type (http, https, socks4, socks5)"),
+                .help("Proxy type (http, https, socks4, socks5, ss)"),
            )
            .arg(Arg::new("username").long("username").help("Proxy username"))
            .arg(Arg::new("password").long("password").help("Proxy password"))
@@ -152,6 +152,11 @@ async fn main() {
              Arg::new("bypass-rules")
                .long("bypass-rules")
                .help("JSON array of bypass rules (hostnames, IPs, or regex patterns)"),
+            )
+            .arg(
+              Arg::new("blocklist-file")
+                .long("blocklist-file")
+                .help("Path to DNS blocklist file (one domain per line)"),
            ),
        )
        .subcommand(
@@ -193,7 +198,12 @@ async fn main() {
            .required(true)
            .help("Local SOCKS5 port"),
        )
-        .arg(Arg::new("action").required(true).help("Action (start)")),
+        .arg(Arg::new("action").required(true).help("Action (start)"))
+        .arg(
+          Arg::new("config-path")
+            .long("config-path")
+            .help("Direct path to the VPN worker config JSON file"),
+        ),
    )
    .subcommand(
      Command::new("mcp-bridge")
@@ -235,8 +245,17 @@ async fn main() {
        .get_one::<String>("bypass-rules")
        .and_then(|s| serde_json::from_str(s).ok())
        .unwrap_or_default();
+      let blocklist_file = start_matches.get_one::<String>("blocklist-file").cloned();

-      match start_proxy_process_with_profile(upstream_url, port, profile_id, bypass_rules).await {
+      match start_proxy_process_with_profile(
+        upstream_url,
+        port,
+        profile_id,
+        bypass_rules,
+        blocklist_file,
+      )
+      .await
+      {
        Ok(config) => {
          // Output the configuration as JSON for the Rust side to parse
          // Use println! here because this needs to go to stdout for parsing
@@ -377,6 +396,7 @@ async fn main() {
    let port = *vpn_matches
      .get_one::<u16>("port")
      .expect("port is required");
+    let config_path = vpn_matches.get_one::<String>("config-path");

    if action == "start" {
      set_high_priority();
@@ -384,8 +404,37 @@ async fn main() {
      log::info!("VPN worker starting, config id: {}", id);
      log::info!("Process PID: {}", std::process::id());

-      // Retry config loading to handle file system race condition
-      let config = {
+      let config = if let Some(path) = config_path {
+        // Load config directly from the provided path
+        log::info!("Loading VPN worker config from: {}", path);
+        match std::fs::read_to_string(path) {
+          Ok(content) => match serde_json::from_str::<
+            donutbrowser_lib::vpn_worker_storage::VpnWorkerConfig,
+          >(&content)
+          {
+            Ok(config) => {
+              log::info!(
+                "Found VPN worker config: id={}, vpn_type={}, vpn_id={}",
+                config.id,
+                config.vpn_type,
+                config.vpn_id
+              );
+              config
+            }
+            Err(e) => {
+              log::error!("Failed to parse VPN worker config from {}: {}", path, e);
+              process::exit(1);
+            }
+          },
+          Err(e) => {
+            log::error!("Failed to read VPN worker config from {}: {}", path, e);
+            process::exit(1);
+          }
+        }
+      } else {
+        // Fallback: discover config by ID with retries
+        let storage_dir = donutbrowser_lib::proxy_storage::get_storage_dir();
+        log::info!("Looking for VPN worker config in: {:?}", storage_dir);
        let mut attempts = 0;
        loop {
          if let Some(config) = donutbrowser_lib::vpn_worker_storage::get_vpn_worker_config(id) {
@@ -398,20 +447,21 @@ async fn main() {
            break config;
          }
          attempts += 1;
-          if attempts >= 10 {
+          if attempts >= 50 {
            log::error!(
-              "VPN worker configuration {} not found after {} attempts",
+              "VPN worker configuration {} not found after {} attempts in {:?}",
              id,
-              attempts
+              attempts,
+              storage_dir
            );
            process::exit(1);
          }
          log::info!(
-            "VPN worker config {} not found yet, retrying ({}/10)...",
+            "VPN worker config {} not found yet, retrying ({}/50)...",
            id,
            attempts
          );
-          std::thread::sleep(std::time::Duration::from_millis(50));
+          std::thread::sleep(std::time::Duration::from_millis(100));
        }
      };

@@ -4,7 +4,7 @@ use utoipa::ToSchema;

 #[derive(Debug, Clone, Serialize, Deserialize, ToSchema)]
 pub struct ProxySettings {
-  pub proxy_type: String, // "http", "https", "socks4", or "socks5"
+  pub proxy_type: String, // "http", "https", "socks4", "socks5", or "ss" (Shadowsocks)
  pub host: String,
  pub port: u16,
  pub username: Option<String>,
@@ -1199,6 +1199,7 @@ mod tests {
      version: "1.0.0".to_string(),
      proxy_id: None,
      vpn_id: None,
+      launch_hook: None,
      process_id: None,
      last_launch: None,
      release_type: "stable".to_string(),
@@ -1216,6 +1217,7 @@ mod tests {
      proxy_bypass_rules: Vec::new(),
      created_by_id: None,
      created_by_email: None,
+      dns_blocklist: None,
    };

    let path = profile.get_profile_data_path(&profiles_dir);
@@ -9,7 +9,7 @@ use crate::proxy_manager::PROXY_MANAGER;
 use crate::wayfern_manager::{WayfernConfig, WayfernManager};
 use serde::Serialize;
 use std::path::PathBuf;
-use std::time::{SystemTime, UNIX_EPOCH};
+use std::time::{Duration, SystemTime, UNIX_EPOCH};
 use sysinfo::System;
 pub struct BrowserRunner {
  pub profile_manager: &'static ProfileManager,
@@ -38,10 +38,28 @@ impl BrowserRunner {
    crate::app_dirs::binaries_dir()
  }

+  /// Resolve the DNS blocklist level to a cached file path.
+  /// If a level is set but the cache is missing, fetches on demand (blocks until done).
+  async fn resolve_blocklist_file(
+    profile: &crate::profile::BrowserProfile,
+  ) -> Result<Option<String>, String> {
+    let Some(ref level_str) = profile.dns_blocklist else {
+      return Ok(None);
+    };
+    let Some(level) = crate::dns_blocklist::BlocklistLevel::parse_level(level_str) else {
+      return Ok(None);
+    };
+    if level == crate::dns_blocklist::BlocklistLevel::None {
+      return Ok(None);
+    }
+    let path = crate::dns_blocklist::BlocklistManager::ensure_cached(level)
+      .await
+      .map_err(|e| format!("Failed to fetch DNS blocklist: {e}"))?;
+    Ok(Some(path.to_string_lossy().to_string()))
+  }
+
  /// Refresh cloud proxy credentials if the profile uses a cloud or cloud-derived proxy,
  /// then resolve the proxy settings with profile-specific sid for sticky sessions.
-  /// Resolve proxy settings for a profile, returning an error for dynamic proxy failures.
-  /// Returns Ok(None) when no proxy is configured, Ok(Some) on success, Err on dynamic fetch failure.
  async fn resolve_proxy_with_refresh(
    &self,
    proxy_id: Option<&String>,
@@ -52,13 +70,6 @@ impl BrowserRunner {
      None => return Ok(None),
    };

-    // Handle dynamic proxies: fetch from URL at launch time
-    if PROXY_MANAGER.is_dynamic_proxy(proxy_id) {
-      log::info!("Fetching dynamic proxy settings for proxy {proxy_id}");
-      let settings = PROXY_MANAGER.resolve_dynamic_proxy(proxy_id).await?;
-      return Ok(Some(settings));
-    }
-
    if PROXY_MANAGER.is_cloud_or_derived(proxy_id) {
      log::info!("Refreshing cloud proxy credentials before launch for proxy {proxy_id}");
      CLOUD_AUTH.sync_cloud_proxy().await;
@@ -72,6 +83,38 @@ impl BrowserRunner {
    Ok(PROXY_MANAGER.get_proxy_settings_by_id(proxy_id))
  }

+  async fn resolve_launch_hook_proxy(
+    &self,
+    profile: &BrowserProfile,
+  ) -> Result<Option<ProxySettings>, String> {
+    let Some(url) = profile.launch_hook.as_deref() else {
+      return Ok(None);
+    };
+
+    log::info!(
+      "Calling launch hook for profile {} (ID: {})",
+      profile.name,
+      profile.id
+    );
+
+    PROXY_MANAGER
+      .fetch_proxy_from_url(url, Duration::from_millis(500))
+      .await
+  }
+
+  async fn resolve_launch_proxy(
+    &self,
+    profile: &BrowserProfile,
+  ) -> Result<Option<ProxySettings>, String> {
+    if let Some(proxy_settings) = self.resolve_launch_hook_proxy(profile).await? {
+      return Ok(Some(proxy_settings));
+    }
+
+    self
+      .resolve_proxy_with_refresh(profile.proxy_id.as_ref(), Some(&profile.id.to_string()))
+      .await
+  }
+
  /// Get the executable path for a browser profile
  /// This is a common helper to eliminate code duplication across the codebase
  pub fn get_browser_executable_path(
@@ -127,9 +170,8 @@ impl BrowserRunner {
      });

      // Always start a local proxy for Camoufox (for traffic monitoring and geoip support)
-      // Refresh cloud proxy credentials if needed before resolving
      let mut upstream_proxy = self
-        .resolve_proxy_with_refresh(profile.proxy_id.as_ref(), Some(&profile.id.to_string()))
+        .resolve_launch_proxy(profile)
        .await
        .map_err(|e| -> Box<dyn std::error::Error + Send + Sync> { e.into() })?;

@@ -168,6 +210,7 @@ impl BrowserRunner {
      // Start the proxy and get local proxy settings
      // If proxy startup fails, DO NOT launch Camoufox - it requires local proxy
      let profile_id_str = profile.id.to_string();
+      let blocklist_file = Self::resolve_blocklist_file(profile).await?;
      let local_proxy = PROXY_MANAGER
        .start_proxy(
          app_handle.clone(),
@@ -175,6 +218,7 @@ impl BrowserRunner {
          0, // Use 0 as temporary PID, will be updated later
          Some(&profile_id_str),
          profile.proxy_bypass_rules.clone(),
+          blocklist_file,
        )
        .await
        .map_err(|e| {
@@ -386,9 +430,8 @@ impl BrowserRunner {
      });

      // Always start a local proxy for Wayfern (for traffic monitoring and geoip support)
-      // Refresh cloud proxy credentials if needed before resolving
      let mut upstream_proxy = self
-        .resolve_proxy_with_refresh(profile.proxy_id.as_ref(), Some(&profile.id.to_string()))
+        .resolve_launch_proxy(profile)
        .await
        .map_err(|e| -> Box<dyn std::error::Error + Send + Sync> { e.into() })?;

@@ -427,6 +470,7 @@ impl BrowserRunner {
      // Start the proxy and get local proxy settings
      // If proxy startup fails, DO NOT launch Wayfern - it requires local proxy
      let profile_id_str = profile.id.to_string();
+      let blocklist_file = Self::resolve_blocklist_file(profile).await?;
      let local_proxy = PROXY_MANAGER
        .start_proxy(
          app_handle.clone(),
@@ -434,6 +478,7 @@ impl BrowserRunner {
          0, // Use 0 as temporary PID, will be updated later
          Some(&profile_id_str),
          profile.proxy_bypass_rules.clone(),
+          blocklist_file,
        )
        .await
        .map_err(|e| {
@@ -739,10 +784,8 @@ impl BrowserRunner {
    headless: bool,
  ) -> Result<BrowserProfile, Box<dyn std::error::Error + Send + Sync>> {
    // Always start a local proxy for API launches
-    // Determine upstream proxy if configured; otherwise use DIRECT
-    // Refresh cloud proxy credentials before resolving
    let upstream_proxy = self
-      .resolve_proxy_with_refresh(profile.proxy_id.as_ref(), Some(&profile.id.to_string()))
+      .resolve_launch_proxy(profile)
      .await
      .map_err(|e| -> Box<dyn std::error::Error + Send + Sync> { e.into() })?;

@@ -751,6 +794,9 @@ impl BrowserRunner {
    let profile_id_str = profile.id.to_string();

    // Start local proxy - if this fails, DO NOT launch browser
+    let blocklist_file = Self::resolve_blocklist_file(profile)
+      .await
+      .map_err(|e| -> Box<dyn std::error::Error + Send + Sync> { e.into() })?;
    let internal_proxy = PROXY_MANAGER
      .start_proxy(
        app_handle.clone(),
@@ -758,6 +804,7 @@ impl BrowserRunner {
        temp_pid,
        Some(&profile_id_str),
        profile.proxy_bypass_rules.clone(),
+        blocklist_file,
      )
      .await
      .map_err(|e| {
@@ -2245,10 +2292,7 @@ pub async fn launch_browser_profile(
    // Determine upstream proxy if configured; otherwise use DIRECT (no upstream)
    // Refresh cloud proxy credentials and inject profile-specific sid
    let mut upstream_proxy = BrowserRunner::instance()
-      .resolve_proxy_with_refresh(
-        profile_for_launch.proxy_id.as_ref(),
-        Some(&profile_for_launch.id.to_string()),
-      )
+      .resolve_launch_proxy(&profile_for_launch)
      .await?;

    // If profile has a VPN instead of proxy, start VPN worker and use it as upstream
@@ -2280,6 +2324,7 @@ pub async fn launch_browser_profile(

    // Always start a local proxy, even if there's no upstream proxy
    // This allows for traffic monitoring and future features
+    let blocklist_file = BrowserRunner::resolve_blocklist_file(&profile_for_launch).await?;
    match PROXY_MANAGER
      .start_proxy(
        app_handle.clone(),
@@ -2287,6 +2332,7 @@ pub async fn launch_browser_profile(
        temp_pid,
        Some(&profile_id_str),
        profile_for_launch.proxy_bypass_rules.clone(),
+        blocklist_file,
      )
      .await
    {
@@ -659,6 +659,56 @@ impl CamoufoxManager {
      }
    }

+    // Write explicit proxy prefs to user.js so Firefox always uses the local
+    // donut-proxy and never falls back to stale proxy settings baked into prefs.js
+    // from a previous session. user.js values override prefs.js on every launch.
+    if let Some(proxy_str) = &config.proxy {
+      let user_js_path = profile_path.join("user.js");
+      let mut prefs = String::new();
+
+      // Preserve existing user.js content (ephemeral prefs, etc.)
+      if let Ok(existing) = std::fs::read_to_string(&user_js_path) {
+        // Strip old proxy prefs so we don't duplicate
+        for line in existing.lines() {
+          if !line.contains("network.proxy.") {
+            prefs.push_str(line);
+            prefs.push('\n');
+          }
+        }
+      }
+
+      if let Ok(parsed) = url::Url::parse(proxy_str) {
+        let host = parsed.host_str().unwrap_or("127.0.0.1");
+        let port = parsed.port().unwrap_or(8080);
+        let scheme = parsed.scheme();
+
+        if scheme == "socks5" || scheme == "socks4" {
+          prefs.push_str(&format!(
+            "user_pref(\"network.proxy.type\", 1);\n\
+             user_pref(\"network.proxy.socks\", \"{host}\");\n\
+             user_pref(\"network.proxy.socks_port\", {port});\n\
+             user_pref(\"network.proxy.socks_version\", {});\n\
+             user_pref(\"network.proxy.socks_remote_dns\", true);\n",
+            if scheme == "socks5" { 5 } else { 4 }
+          ));
+        } else {
+          // HTTP/HTTPS proxy
+          prefs.push_str(&format!(
+            "user_pref(\"network.proxy.type\", 1);\n\
+             user_pref(\"network.proxy.http\", \"{host}\");\n\
+             user_pref(\"network.proxy.http_port\", {port});\n\
+             user_pref(\"network.proxy.ssl\", \"{host}\");\n\
+             user_pref(\"network.proxy.ssl_port\", {port});\n\
+             user_pref(\"network.proxy.no_proxies_on\", \"\");\n"
+          ));
+        }
+
+        if let Err(e) = std::fs::write(&user_js_path, prefs) {
+          log::warn!("Failed to write proxy prefs to user.js: {e}");
+        }
+      }
+    }
+
    self
      .launch_camoufox(
        &app_handle,
@@ -362,12 +362,12 @@ impl CloudAuthManager {

  // --- API methods ---

-  pub async fn request_otp(&self, email: &str) -> Result<String, String> {
+  pub async fn request_otp(&self, email: &str, captcha_token: &str) -> Result<String, String> {
    let url = format!("{CLOUD_API_URL}/api/auth/otp/request");
    let response = self
      .client
      .post(&url)
-      .json(&serde_json::json!({ "email": email }))
+      .json(&serde_json::json!({ "email": email, "captchaToken": captcha_token }))
      .send()
      .await
      .map_err(|e| format!("Failed to request OTP: {e}"))?;
@@ -1100,8 +1100,8 @@ impl CloudAuthManager {
 // --- Tauri commands ---

 #[tauri::command]
-pub async fn cloud_request_otp(email: String) -> Result<String, String> {
-  CLOUD_AUTH.request_otp(&email).await
+pub async fn cloud_request_otp(email: String, captcha_token: String) -> Result<String, String> {
+  CLOUD_AUTH.request_otp(&email, &captcha_token).await
 }

 #[tauri::command]
@@ -340,6 +340,9 @@ pub fn is_autostart_enabled() -> bool {
 }

 pub fn get_data_dir() -> Option<PathBuf> {
+  if crate::app_dirs::is_portable() {
+    return Some(crate::app_dirs::data_dir());
+  }
  if let Some(proj_dirs) = ProjectDirs::from("com", "donutbrowser", "Donut Browser") {
    Some(proj_dirs.data_dir().to_path_buf())
  } else {
@@ -0,0 +1,343 @@
+use serde::{Deserialize, Serialize};
+use std::path::PathBuf;
+use std::time::{Duration, SystemTime};
+
+use crate::app_dirs;
+
+const REFRESH_INTERVAL: Duration = Duration::from_secs(43200); // 12 hours
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, Default)]
+#[serde(rename_all = "snake_case")]
+pub enum BlocklistLevel {
+  #[default]
+  None,
+  Light,
+  Normal,
+  Pro,
+  ProPlus,
+  Ultimate,
+}
+
+impl BlocklistLevel {
+  pub fn parse_level(s: &str) -> Option<Self> {
+    match s {
+      "light" => Some(Self::Light),
+      "normal" => Some(Self::Normal),
+      "pro" => Some(Self::Pro),
+      "pro_plus" => Some(Self::ProPlus),
+      "ultimate" => Some(Self::Ultimate),
+      "none" => Some(Self::None),
+      _ => None,
+    }
+  }
+
+  pub fn as_str(&self) -> &'static str {
+    match self {
+      Self::None => "none",
+      Self::Light => "light",
+      Self::Normal => "normal",
+      Self::Pro => "pro",
+      Self::ProPlus => "pro_plus",
+      Self::Ultimate => "ultimate",
+    }
+  }
+
+  pub fn display_name(&self) -> &'static str {
+    match self {
+      Self::None => "None",
+      Self::Light => "Light",
+      Self::Normal => "Normal",
+      Self::Pro => "Pro",
+      Self::ProPlus => "Pro++",
+      Self::Ultimate => "Ultimate",
+    }
+  }
+
+  pub fn url(&self) -> Option<&'static str> {
+    match self {
+      Self::None => None,
+      Self::Light => {
+        Some("https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/domains/light.txt")
+      }
+      Self::Normal => {
+        Some("https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/domains/multi.txt")
+      }
+      Self::Pro => Some("https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/domains/pro.txt"),
+      Self::ProPlus => {
+        Some("https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/domains/pro.plus.txt")
+      }
+      Self::Ultimate => {
+        Some("https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/domains/ultimate.txt")
+      }
+    }
+  }
+
+  pub fn filename(&self) -> Option<&'static str> {
+    match self {
+      Self::None => None,
+      Self::Light => Some("light.txt"),
+      Self::Normal => Some("multi.txt"),
+      Self::Pro => Some("pro.txt"),
+      Self::ProPlus => Some("pro.plus.txt"),
+      Self::Ultimate => Some("ultimate.txt"),
+    }
+  }
+
+  pub fn all_downloadable() -> &'static [BlocklistLevel] {
+    &[
+      Self::Light,
+      Self::Normal,
+      Self::Pro,
+      Self::ProPlus,
+      Self::Ultimate,
+    ]
+  }
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct BlocklistCacheStatus {
+  pub level: String,
+  pub display_name: String,
+  pub entry_count: usize,
+  pub file_size_bytes: u64,
+  pub last_updated: Option<u64>,
+  pub is_fresh: bool,
+  pub is_cached: bool,
+}
+
+pub struct BlocklistManager;
+
+lazy_static::lazy_static! {
+  static ref HTTP_CLIENT: reqwest::Client = reqwest::Client::builder()
+    .timeout(Duration::from_secs(60))
+    .build()
+    .expect("Failed to create HTTP client");
+}
+
+impl BlocklistManager {
+  pub fn instance() -> &'static BlocklistManager {
+    &BLOCKLIST_MANAGER
+  }
+
+  fn cache_dir() -> PathBuf {
+    app_dirs::dns_blocklist_dir()
+  }
+
+  pub fn cached_file_path(level: BlocklistLevel) -> Option<PathBuf> {
+    level.filename().map(|f| Self::cache_dir().join(f))
+  }
+
+  pub fn is_cache_fresh(level: BlocklistLevel) -> bool {
+    let Some(path) = Self::cached_file_path(level) else {
+      return false;
+    };
+    if !path.exists() {
+      return false;
+    }
+    match std::fs::metadata(&path).and_then(|m| m.modified()) {
+      Ok(modified) => SystemTime::now()
+        .duration_since(modified)
+        .map(|age| age < REFRESH_INTERVAL)
+        .unwrap_or(false),
+      Err(_) => false,
+    }
+  }
+
+  pub async fn fetch_blocklist(level: BlocklistLevel) -> Result<PathBuf, String> {
+    let url = level
+      .url()
+      .ok_or_else(|| format!("No URL for level {:?}", level))?;
+    let path =
+      Self::cached_file_path(level).ok_or_else(|| format!("No filename for level {:?}", level))?;
+
+    let cache_dir = Self::cache_dir();
+    std::fs::create_dir_all(&cache_dir).map_err(|e| format!("Failed to create cache dir: {e}"))?;
+
+    log::info!(
+      "[dns-blocklist] Fetching {} from {}",
+      level.display_name(),
+      url
+    );
+
+    let response = HTTP_CLIENT
+      .get(url)
+      .send()
+      .await
+      .map_err(|e| format!("Failed to fetch blocklist: {e}"))?;
+
+    if !response.status().is_success() {
+      return Err(format!("HTTP {} when fetching {}", response.status(), url));
+    }
+
+    let body = response
+      .text()
+      .await
+      .map_err(|e| format!("Failed to read response body: {e}"))?;
+
+    // Write atomically: write to temp file, then rename
+    let tmp_path = path.with_extension("tmp");
+    std::fs::write(&tmp_path, &body).map_err(|e| format!("Failed to write blocklist: {e}"))?;
+    std::fs::rename(&tmp_path, &path).map_err(|e| format!("Failed to rename blocklist: {e}"))?;
+
+    let entry_count = body
+      .lines()
+      .filter(|l| !l.starts_with('#') && !l.trim().is_empty())
+      .count();
+    log::info!(
+      "[dns-blocklist] Cached {} ({} domains)",
+      level.display_name(),
+      entry_count
+    );
+
+    Ok(path)
+  }
+
+  pub async fn ensure_cached(level: BlocklistLevel) -> Result<PathBuf, String> {
+    if let Some(path) = Self::cached_file_path(level) {
+      if path.exists() {
+        return Ok(path);
+      }
+    }
+    Self::fetch_blocklist(level).await
+  }
+
+  pub async fn refresh_all_stale(&self) {
+    for &level in BlocklistLevel::all_downloadable() {
+      if !Self::is_cache_fresh(level) {
+        if let Err(e) = Self::fetch_blocklist(level).await {
+          log::error!(
+            "[dns-blocklist] Failed to refresh {}: {e}",
+            level.display_name()
+          );
+          let _ = crate::events::emit(
+            "dns-blocklist-refresh-failed",
+            serde_json::json!({
+              "level": level.as_str(),
+              "error": e,
+            }),
+          );
+        }
+      }
+    }
+  }
+
+  pub fn get_blocklist_file_path(level: BlocklistLevel) -> Option<PathBuf> {
+    Self::cached_file_path(level).filter(|p| p.exists())
+  }
+
+  pub fn get_cache_status() -> Vec<BlocklistCacheStatus> {
+    BlocklistLevel::all_downloadable()
+      .iter()
+      .map(|&level| {
+        let path = Self::cached_file_path(level);
+        let metadata = path.as_ref().and_then(|p| std::fs::metadata(p).ok());
+        let is_cached = metadata.is_some();
+
+        let entry_count = if is_cached {
+          path
+            .as_ref()
+            .and_then(|p| std::fs::read_to_string(p).ok())
+            .map(|content| {
+              content
+                .lines()
+                .filter(|l| !l.starts_with('#') && !l.trim().is_empty())
+                .count()
+            })
+            .unwrap_or(0)
+        } else {
+          0
+        };
+
+        let file_size_bytes = metadata.as_ref().map(|m| m.len()).unwrap_or(0);
+
+        let last_updated = metadata
+          .as_ref()
+          .and_then(|m| m.modified().ok())
+          .and_then(|t| t.duration_since(SystemTime::UNIX_EPOCH).ok())
+          .map(|d| d.as_secs());
+
+        BlocklistCacheStatus {
+          level: level.as_str().to_string(),
+          display_name: level.display_name().to_string(),
+          entry_count,
+          file_size_bytes,
+          last_updated,
+          is_fresh: Self::is_cache_fresh(level),
+          is_cached,
+        }
+      })
+      .collect()
+  }
+}
+
+lazy_static::lazy_static! {
+  static ref BLOCKLIST_MANAGER: BlocklistManager = BlocklistManager;
+}
+
+// Tauri commands
+
+#[tauri::command]
+pub async fn get_dns_blocklist_cache_status() -> Result<Vec<BlocklistCacheStatus>, String> {
+  Ok(BlocklistManager::get_cache_status())
+}
+
+#[tauri::command]
+pub async fn refresh_dns_blocklists() -> Result<(), String> {
+  for &level in BlocklistLevel::all_downloadable() {
+    BlocklistManager::fetch_blocklist(level).await?;
+  }
+  Ok(())
+}
+
+#[cfg(test)]
+mod tests {
+  use super::*;
+
+  #[test]
+  fn test_level_roundtrip() {
+    for &level in BlocklistLevel::all_downloadable() {
+      let s = level.as_str();
+      let parsed = BlocklistLevel::parse_level(s);
+      assert_eq!(parsed, Some(level), "Roundtrip failed for {s}");
+    }
+    assert_eq!(
+      BlocklistLevel::parse_level("none"),
+      Some(BlocklistLevel::None)
+    );
+  }
+
+  #[test]
+  fn test_level_urls_all_present() {
+    for &level in BlocklistLevel::all_downloadable() {
+      assert!(
+        level.url().is_some(),
+        "{} should have a URL",
+        level.as_str()
+      );
+      assert!(
+        level.filename().is_some(),
+        "{} should have a filename",
+        level.as_str()
+      );
+    }
+    assert!(BlocklistLevel::None.url().is_none());
+    assert!(BlocklistLevel::None.filename().is_none());
+  }
+
+  #[test]
+  fn test_cache_status_returns_all_levels() {
+    let statuses = BlocklistManager::get_cache_status();
+    assert_eq!(statuses.len(), 5);
+    assert_eq!(statuses[0].level, "light");
+    assert_eq!(statuses[1].level, "normal");
+    assert_eq!(statuses[2].level, "pro");
+    assert_eq!(statuses[3].level, "pro_plus");
+    assert_eq!(statuses[4].level, "ultimate");
+  }
+
+  #[test]
+  fn test_cache_fresh_returns_false_when_missing() {
+    assert!(!BlocklistManager::is_cache_fresh(BlocklistLevel::Light));
+    assert!(!BlocklistManager::is_cache_fresh(BlocklistLevel::None));
+  }
+}
@@ -260,6 +260,7 @@ mod tests {
      version: "1.0".to_string(),
      proxy_id: None,
      vpn_id: None,
+      launch_hook: None,
      process_id: None,
      last_launch: None,
      release_type: "stable".to_string(),
@@ -277,6 +278,7 @@ mod tests {
      proxy_bypass_rules: Vec::new(),
      created_by_id: None,
      created_by_email: None,
+      dns_blocklist: None,
    }
  }

@@ -313,6 +315,7 @@ mod tests {
  }

  #[test]
+  #[serial_test::serial]
  fn test_recover_ephemeral_dirs() {
    let base = get_ephemeral_base_dir().unwrap();
    let test_id = uuid::Uuid::new_v4().to_string();
@@ -362,7 +362,7 @@ impl ExtensionManager {
      }
    }

-    extensions.sort_by(|a, b| a.created_at.cmp(&b.created_at));
+    extensions.sort_by_key(|a| a.created_at);
    Ok(extensions)
  }

@@ -55,6 +55,7 @@ pub async fn fetch_public_ip(proxy: Option<&str>) -> Result<String, IpError> {
    let proxy = reqwest::Proxy::all(proxy_url)
      .map_err(|e| IpError::Network(format!("Invalid proxy: {}", e)))?;
    client_builder
+      .no_proxy()
      .proxy(proxy)
      .build()
      .map_err(|e| IpError::Network(e.to_string()))?
@@ -64,7 +65,7 @@ pub async fn fetch_public_ip(proxy: Option<&str>) -> Result<String, IpError> {
      .map_err(|e| IpError::Network(e.to_string()))?
  };

-  let mut last_error = None;
+  let mut errors = Vec::new();

  for url in &urls {
    match client.get(*url).send().await {
@@ -76,21 +77,29 @@ pub async fn fetch_public_ip(proxy: Option<&str>) -> Result<String, IpError> {
          }
        }
        Err(e) => {
-          last_error = Some(format!("Failed to read response from {}: {}", url, e));
+          errors.push(format!("{}: {}", url, e));
        }
      },
      Ok(response) => {
-        last_error = Some(format!("HTTP {} from {}", response.status(), url));
+        errors.push(format!("{}: HTTP {}", url, response.status()));
      }
      Err(e) => {
-        last_error = Some(format!("Request to {} failed: {}", url, e));
+        errors.push(format!("{}: {}", url, e));
      }
    }
  }

-  Err(IpError::Network(last_error.unwrap_or_else(|| {
-    "Failed to fetch public IP from any endpoint".to_string()
-  })))
+  if errors.is_empty() {
+    Err(IpError::Network(
+      "Failed to fetch public IP from any endpoint".to_string(),
+    ))
+  } else {
+    Err(IpError::Network(format!(
+      "All {} endpoints failed: {}",
+      errors.len(),
+      errors.join("; ")
+    )))
+  }
 }

 #[cfg(test)]
@@ -19,6 +19,7 @@ mod browser_version_manager;
 pub mod camoufox;
 mod camoufox_manager;
 mod default_browser;
+pub mod dns_blocklist;
 mod downloaded_browsers_registry;
 mod downloader;
 mod ephemeral_dirs;
@@ -65,8 +66,9 @@ use browser_runner::{

 use profile::manager::{
  check_browser_status, clone_profile, create_browser_profile_new, delete_profile,
-  list_browser_profiles, rename_profile, update_camoufox_config, update_profile_note,
-  update_profile_proxy, update_profile_proxy_bypass_rules, update_profile_tags, update_profile_vpn,
+  list_browser_profiles, rename_profile, update_camoufox_config, update_profile_dns_blocklist,
+  update_profile_launch_hook, update_profile_note, update_profile_proxy,
+  update_profile_proxy_bypass_rules, update_profile_tags, update_profile_vpn,
  update_wayfern_config,
 };

@@ -85,7 +87,7 @@ use downloader::{cancel_download, download_browser};

 use settings_manager::{
  decline_launch_on_login, dismiss_window_resize_warning, enable_launch_on_login, get_app_settings,
-  get_sync_settings, get_system_language, get_table_sorting_settings,
+  get_sync_settings, get_system_info, get_system_language, get_table_sorting_settings,
  get_window_resize_warning_dismissed, save_app_settings, save_sync_settings,
  save_table_sorting_settings, should_show_launch_on_login_prompt,
 };
@@ -211,19 +213,13 @@ async fn create_stored_proxy(
  app_handle: tauri::AppHandle,
  name: String,
  proxy_settings: Option<crate::browser::ProxySettings>,
-  dynamic_proxy_url: Option<String>,
-  dynamic_proxy_format: Option<String>,
 ) -> Result<crate::proxy_manager::StoredProxy, String> {
-  if let (Some(url), Some(format)) = (&dynamic_proxy_url, &dynamic_proxy_format) {
-    crate::proxy_manager::PROXY_MANAGER
-      .create_dynamic_proxy(&app_handle, name, url.clone(), format.clone())
-      .map_err(|e| format!("Failed to create dynamic proxy: {e}"))
-  } else if let Some(settings) = proxy_settings {
+  if let Some(settings) = proxy_settings {
    crate::proxy_manager::PROXY_MANAGER
      .create_stored_proxy(&app_handle, name, settings)
      .map_err(|e| format!("Failed to create stored proxy: {e}"))
  } else {
-    Err("Either proxy_settings or dynamic proxy URL and format are required".to_string())
+    Err("proxy_settings is required".to_string())
  }
 }

@@ -238,26 +234,10 @@ async fn update_stored_proxy(
  proxy_id: String,
  name: Option<String>,
  proxy_settings: Option<crate::browser::ProxySettings>,
-  dynamic_proxy_url: Option<String>,
-  dynamic_proxy_format: Option<String>,
 ) -> Result<crate::proxy_manager::StoredProxy, String> {
-  // Check if this is a dynamic proxy update
-  let is_dynamic = crate::proxy_manager::PROXY_MANAGER.is_dynamic_proxy(&proxy_id);
-  if is_dynamic || dynamic_proxy_url.is_some() {
-    crate::proxy_manager::PROXY_MANAGER
-      .update_dynamic_proxy(
-        &app_handle,
-        &proxy_id,
-        name,
-        dynamic_proxy_url,
-        dynamic_proxy_format,
-      )
-      .map_err(|e| format!("Failed to update dynamic proxy: {e}"))
-  } else {
-    crate::proxy_manager::PROXY_MANAGER
-      .update_stored_proxy(&app_handle, &proxy_id, name, proxy_settings)
-      .map_err(|e| format!("Failed to update stored proxy: {e}"))
-  }
+  crate::proxy_manager::PROXY_MANAGER
+    .update_stored_proxy(&app_handle, &proxy_id, name, proxy_settings)
+    .map_err(|e| format!("Failed to update stored proxy: {e}"))
 }

 #[tauri::command]
@@ -272,13 +252,8 @@ async fn check_proxy_validity(
  proxy_id: String,
  proxy_settings: Option<crate::browser::ProxySettings>,
 ) -> Result<crate::proxy_manager::ProxyCheckResult, String> {
-  // For dynamic proxies, fetch settings first
  let settings = if let Some(s) = proxy_settings {
    s
-  } else if crate::proxy_manager::PROXY_MANAGER.is_dynamic_proxy(&proxy_id) {
-    crate::proxy_manager::PROXY_MANAGER
-      .resolve_dynamic_proxy(&proxy_id)
-      .await?
  } else {
    crate::proxy_manager::PROXY_MANAGER
      .get_proxy_settings_by_id(&proxy_id)
@@ -289,24 +264,6 @@ async fn check_proxy_validity(
    .await
 }

-#[tauri::command]
-async fn fetch_dynamic_proxy(
-  url: String,
-  format: String,
-) -> Result<crate::browser::ProxySettings, String> {
-  let settings = crate::proxy_manager::PROXY_MANAGER
-    .fetch_dynamic_proxy(&url, &format)
-    .await?;
-
-  // Validate the proxy actually works by connecting through it
-  crate::proxy_manager::PROXY_MANAGER
-    .check_proxy_validity("_dynamic_test", &settings)
-    .await
-    .map_err(|e| format!("Proxy resolved but connection failed: {e}"))?;
-
-  Ok(settings)
-}
-
 #[tauri::command]
 fn get_cached_proxy_check(proxy_id: String) -> Option<crate::proxy_manager::ProxyCheckResult> {
  crate::proxy_manager::PROXY_MANAGER.get_cached_proxy_check(&proxy_id)
@@ -812,6 +769,42 @@ async fn download_geoip_database(app_handle: tauri::AppHandle) -> Result<(), Str
 }

 // VPN commands
+#[derive(serde::Serialize)]
+#[serde(rename_all = "camelCase")]
+struct VpnDependencyStatus {
+  is_available: bool,
+  requires_external_install: bool,
+  missing_binary: bool,
+  missing_windows_adapter: bool,
+  dependency_check_failed: bool,
+}
+
+#[tauri::command]
+async fn get_vpn_dependency_status(vpn_type: vpn::VpnType) -> Result<VpnDependencyStatus, String> {
+  match vpn_type {
+    vpn::VpnType::WireGuard => Ok(VpnDependencyStatus {
+      is_available: true,
+      requires_external_install: false,
+      missing_binary: false,
+      missing_windows_adapter: false,
+      dependency_check_failed: false,
+    }),
+    vpn::VpnType::OpenVPN => {
+      let status = crate::vpn::openvpn_socks5::OpenVpnSocks5Server::dependency_status();
+      let is_available =
+        status.binary_found && !status.missing_windows_adapter && !status.dependency_check_failed;
+
+      Ok(VpnDependencyStatus {
+        is_available,
+        requires_external_install: true,
+        missing_binary: !status.binary_found,
+        missing_windows_adapter: status.missing_windows_adapter,
+        dependency_check_failed: status.dependency_check_failed,
+      })
+    }
+  }
+}
+
 #[tauri::command]
 async fn import_vpn_config(
  content: String,
@@ -985,45 +978,81 @@ async fn check_vpn_validity(
    .unwrap_or_default()
    .as_secs();

-  // Start a temporary VPN worker to send real traffic
+  let had_existing_worker = vpn_worker_storage::find_vpn_worker_by_vpn_id(&vpn_id).is_some();
+
  let vpn_worker = vpn_worker_runner::start_vpn_worker(&vpn_id)
    .await
    .map_err(|e| format!("Failed to start VPN worker: {e}"))?;

-  let socks_url = format!("socks5://127.0.0.1:{}", vpn_worker.local_port.unwrap_or(0));
+  let socks_url = format!(
+    "socks5://127.0.0.1:{}",
+    vpn_worker.local_port.unwrap_or_default()
+  );

-  // Fetch public IP through the VPN SOCKS5 proxy
-  let result = match ip_utils::fetch_public_ip(Some(&socks_url)).await {
-    Ok(ip) => {
-      let (city, country, country_code) =
-        crate::proxy_manager::ProxyManager::get_ip_geolocation(&ip)
-          .await
-          .unwrap_or_default();
-
-      crate::proxy_manager::ProxyCheckResult {
-        ip,
-        city,
-        country,
-        country_code,
-        timestamp: now,
-        is_valid: true,
-      }
-    }
-    Err(e) => {
-      log::warn!("VPN check failed to fetch public IP: {e}");
-      crate::proxy_manager::ProxyCheckResult {
-        ip: String::new(),
-        city: None,
-        country: None,
-        country_code: None,
-        timestamp: now,
-        is_valid: false,
+  let local_proxy = crate::proxy_runner::start_proxy_process(Some(socks_url), None)
+    .await
+    .map_err(|error| error.to_string());
+  let local_proxy = match local_proxy {
+    Ok(proxy) => proxy,
+    Err(error_message) => {
+      if !had_existing_worker {
+        let _ = vpn_worker_runner::stop_vpn_worker(&vpn_worker.id).await;
      }
+      return Err(format!("Failed to start validation proxy: {error_message}"));
    }
  };

-  // Stop the temporary VPN worker
-  let _ = vpn_worker_runner::stop_vpn_worker(&vpn_worker.id).await;
+  let local_proxy_url = format!(
+    "http://127.0.0.1:{}",
+    local_proxy.local_port.unwrap_or_default()
+  );
+
+  let mut result = None;
+  for attempt in 0..3 {
+    if attempt > 0 {
+      tokio::time::sleep(std::time::Duration::from_secs(1)).await;
+    }
+
+    match ip_utils::fetch_public_ip(Some(&local_proxy_url)).await {
+      Ok(ip) => {
+        let (city, country, country_code) =
+          crate::proxy_manager::ProxyManager::get_ip_geolocation(&ip)
+            .await
+            .unwrap_or_default();
+
+        result = Some(crate::proxy_manager::ProxyCheckResult {
+          ip,
+          city,
+          country,
+          country_code,
+          timestamp: now,
+          is_valid: true,
+        });
+        break;
+      }
+      Err(error) => {
+        log::warn!(
+          "VPN validation attempt {} failed to fetch public IP through donut-proxy: {}",
+          attempt + 1,
+          error
+        );
+      }
+    }
+  }
+
+  let _ = crate::proxy_runner::stop_proxy_process(&local_proxy.id).await;
+  if !had_existing_worker {
+    let _ = vpn_worker_runner::stop_vpn_worker(&vpn_worker.id).await;
+  }
+
+  let result = result.unwrap_or(crate::proxy_manager::ProxyCheckResult {
+    ip: String::new(),
+    city: None,
+    country: None,
+    country_code: None,
+    timestamp: now,
+    is_valid: false,
+  });

  Ok(result)
 }
@@ -1116,6 +1145,7 @@ async fn generate_sample_fingerprint(
    process_id: None,
    proxy_id: None,
    vpn_id: None,
+    launch_hook: None,
    last_launch: None,
    release_type: "stable".to_string(),
    camoufox_config: None,
@@ -1132,6 +1162,7 @@ async fn generate_sample_fingerprint(
    proxy_bypass_rules: Vec::new(),
    created_by_id: None,
    created_by_email: None,
+    dns_blocklist: None,
  };

  if browser == "camoufox" {
@@ -1385,6 +1416,88 @@ pub fn run() {
        }
      }

+      // Kill orphaned proxy and VPN worker processes from previous app runs.
+      // Since active_proxies is an in-memory map that starts empty, any running
+      // donut-proxy workers on disk must be orphans the current app can't track.
+      // Without this cleanup, users on Windows accumulate dozens of idle workers
+      // (one per profile launch) that the periodic cleanup won't touch because
+      // profile-associated workers are deliberately skipped to avoid regressions.
+      //
+      // Preserves workers whose associated profile still has a running browser
+      // process — if the app crashed while a browser was running, its detached
+      // browser keeps going and needs the proxy/VPN worker to stay alive.
+      tauri::async_runtime::spawn(async move {
+        use crate::proxy_storage::{delete_proxy_config, is_process_running, list_proxy_configs};
+        use crate::vpn_worker_storage::{delete_vpn_worker_config, list_vpn_worker_configs};
+
+        // Build sets of (profile_id, vpn_id) whose browsers are still running
+        let profile_manager = crate::profile::ProfileManager::instance();
+        let profiles = profile_manager.list_profiles().unwrap_or_default();
+
+        let running_profile_ids: std::collections::HashSet<String> = profiles
+          .iter()
+          .filter(|p| p.process_id.is_some_and(is_process_running))
+          .map(|p| p.id.to_string())
+          .collect();
+
+        let running_vpn_ids: std::collections::HashSet<String> = profiles
+          .iter()
+          .filter(|p| p.process_id.is_some_and(is_process_running))
+          .filter_map(|p| p.vpn_id.clone())
+          .collect();
+
+        for config in list_proxy_configs() {
+          let has_running_browser = config
+            .profile_id
+            .as_ref()
+            .is_some_and(|pid| running_profile_ids.contains(pid));
+          if has_running_browser {
+            log::info!(
+              "Startup: preserving proxy worker {} (profile browser still running)",
+              config.id
+            );
+            continue;
+          }
+
+          if let Some(pid) = config.pid {
+            if is_process_running(pid) {
+              log::info!(
+                "Startup: killing orphaned proxy worker {} (PID {})",
+                config.id,
+                pid
+              );
+              let _ = crate::proxy_runner::stop_proxy_process(&config.id).await;
+              continue;
+            }
+          }
+          delete_proxy_config(&config.id);
+        }
+
+        for worker in list_vpn_worker_configs() {
+          if running_vpn_ids.contains(&worker.vpn_id) {
+            log::info!(
+              "Startup: preserving VPN worker {} (profile browser using vpn_id {} still running)",
+              worker.id,
+              worker.vpn_id
+            );
+            continue;
+          }
+
+          if let Some(pid) = worker.pid {
+            if is_process_running(pid) {
+              log::info!(
+                "Startup: killing orphaned VPN worker {} (PID {})",
+                worker.id,
+                pid
+              );
+              let _ = crate::vpn_worker_runner::stop_vpn_worker(&worker.id).await;
+              continue;
+            }
+          }
+          delete_vpn_worker_config(&worker.id);
+        }
+      });
+
      // Immediately bump non-running profiles to the latest installed browser version.
      // This runs synchronously before any network calls so profiles are updated on launch.
      {
@@ -1462,6 +1575,17 @@ pub fn run() {
        }
      });

+      // DNS blocklist refresh task (every 12 hours)
+      tauri::async_runtime::spawn(async move {
+        let manager = dns_blocklist::BlocklistManager::instance();
+        let mut interval = tokio::time::interval(tokio::time::Duration::from_secs(43200));
+        interval.tick().await; // Skip the immediate first tick
+        loop {
+          interval.tick().await;
+          manager.refresh_all_stale().await;
+        }
+      });
+
      tauri::async_runtime::spawn(async move {
        let updater = app_auto_updater::AppAutoUpdater::instance();
        let mut interval = tokio::time::interval(tokio::time::Duration::from_secs(3 * 60 * 60));
@@ -1495,7 +1619,7 @@ pub fn run() {
      let _app_handle_cleanup = app.handle().clone();
      tauri::async_runtime::spawn(async move {
        let camoufox_manager = crate::camoufox_manager::CamoufoxManager::instance();
-        let mut interval = tokio::time::interval(tokio::time::Duration::from_secs(5));
+        let mut interval = tokio::time::interval(tokio::time::Duration::from_secs(60));

        loop {
          interval.tick().await;
@@ -1569,19 +1693,27 @@ pub fn run() {
        }
      });

-      // Periodically broadcast browser running status to the frontend
+      // Periodically broadcast browser running status to the frontend.
+      // When no profiles have stored PIDs (nothing was ever launched this
+      // session), we use a long interval (30s) to avoid burning CPU on
+      // full process-table scans via sysinfo. Once any profile is running
+      // we switch to the fast interval (5s) for responsive UI updates.
      let app_handle_status = app.handle().clone();
      tauri::async_runtime::spawn(async move {
-        let mut interval = tokio::time::interval(tokio::time::Duration::from_secs(5));
+        const FAST_INTERVAL_SECS: u64 = 5;
+        const IDLE_INTERVAL_SECS: u64 = 30;
+
+        let mut interval =
+          tokio::time::interval(tokio::time::Duration::from_secs(FAST_INTERVAL_SECS));
        interval.set_missed_tick_behavior(tokio::time::MissedTickBehavior::Skip);
        let mut last_running_states: std::collections::HashMap<String, bool> =
          std::collections::HashMap::new();
+        let mut current_interval_secs = FAST_INTERVAL_SECS;

        loop {
          interval.tick().await;

          let runner = crate::browser_runner::BrowserRunner::instance();
-          // If listing profiles fails, skip this tick
          let profiles = match runner.profile_manager.list_profiles() {
            Ok(p) => p,
            Err(e) => {
@@ -1590,6 +1722,30 @@ pub fn run() {
            }
          };

+          // If no profile has a stored PID and we have no previously-known
+          // running states, there's nothing to check — skip the expensive
+          // process scan entirely.
+          let any_has_pid = profiles.iter().any(|p| p.process_id.is_some());
+          let any_was_running = last_running_states.values().any(|&v| v);
+
+          if !any_has_pid && !any_was_running {
+            // Switch to the idle interval to reduce CPU
+            if current_interval_secs != IDLE_INTERVAL_SECS {
+              current_interval_secs = IDLE_INTERVAL_SECS;
+              interval =
+                tokio::time::interval(tokio::time::Duration::from_secs(IDLE_INTERVAL_SECS));
+              interval.set_missed_tick_behavior(tokio::time::MissedTickBehavior::Skip);
+            }
+            continue;
+          }
+
+          // At least one profile might be running — use the fast interval
+          if current_interval_secs != FAST_INTERVAL_SECS {
+            current_interval_secs = FAST_INTERVAL_SECS;
+            interval = tokio::time::interval(tokio::time::Duration::from_secs(FAST_INTERVAL_SECS));
+            interval.set_missed_tick_behavior(tokio::time::MissedTickBehavior::Skip);
+          }
+
          for profile in profiles {
            // Check browser status and track changes
            match runner
@@ -1804,7 +1960,9 @@ pub fn run() {
      update_profile_vpn,
      update_profile_tags,
      update_profile_note,
+      update_profile_launch_hook,
      update_profile_proxy_bypass_rules,
+      update_profile_dns_blocklist,
      check_browser_status,
      kill_browser_profile,
      rename_profile,
@@ -1816,6 +1974,7 @@ pub fn run() {
      get_table_sorting_settings,
      save_table_sorting_settings,
      get_system_language,
+      get_system_info,
      dismiss_window_resize_warning,
      get_window_resize_warning_dismissed,
      clear_all_version_cache_and_refetch,
@@ -1842,7 +2001,6 @@ pub fn run() {
      update_stored_proxy,
      delete_stored_proxy,
      check_proxy_validity,
-      fetch_dynamic_proxy,
      get_cached_proxy_check,
      export_proxies,
      import_proxies_json,
@@ -1917,6 +2075,7 @@ pub fn run() {
      add_mcp_to_claude_code,
      remove_mcp_from_claude_code,
      // VPN commands
+      get_vpn_dependency_status,
      import_vpn_config,
      list_vpn_configs,
      get_vpn_config,
@@ -1951,6 +2110,9 @@ pub fn run() {
      synchronizer::stop_sync_session,
      synchronizer::remove_sync_follower,
      synchronizer::get_sync_sessions,
+      // DNS blocklist commands
+      dns_blocklist::get_dns_blocklist_cache_status,
+      dns_blocklist::refresh_dns_blocklists,
    ])
    .build(tauri::generate_context!())
    .expect("error while building tauri application")
@@ -26,6 +26,7 @@ use crate::settings_manager::SettingsManager;
 use crate::wayfern_terms::WayfernTermsManager;

 #[derive(Debug, Clone, Serialize, Deserialize)]
+#[serde(rename_all = "camelCase")]
 pub struct McpTool {
  pub name: String,
  pub description: String,
@@ -507,6 +508,10 @@ impl McpServer {
              "type": "string",
              "description": "Optional proxy UUID to assign"
            },
+            "launch_hook": {
+              "type": "string",
+              "description": "Optional HTTP(S) URL to call before launch for transient proxy overrides"
+            },
            "group_id": {
              "type": "string",
              "description": "Optional group UUID to assign"
@@ -538,6 +543,10 @@ impl McpServer {
              "type": "string",
              "description": "Proxy UUID to assign (empty string to remove)"
            },
+            "launch_hook": {
+              "type": "string",
+              "description": "Launch hook URL to assign (empty string to remove)"
+            },
            "group_id": {
              "type": "string",
              "description": "Group UUID to assign (empty string to remove)"
@@ -712,7 +721,7 @@ impl McpServer {
      },
      McpTool {
        name: "create_proxy".to_string(),
-        description: "Create a new proxy configuration. For regular proxies, provide proxy_type/host/port. For dynamic proxies, provide dynamic_proxy_url and dynamic_proxy_format instead.".to_string(),
+        description: "Create a new proxy configuration.".to_string(),
        input_schema: serde_json::json!({
          "type": "object",
          "properties": {
@@ -740,18 +749,9 @@ impl McpServer {
            "password": {
              "type": "string",
              "description": "Optional password for authentication (for regular proxies)"
-            },
-            "dynamic_proxy_url": {
-              "type": "string",
-              "description": "URL to fetch proxy settings from (for dynamic proxies)"
-            },
-            "dynamic_proxy_format": {
-              "type": "string",
-              "enum": ["json", "text"],
-              "description": "Format of the dynamic proxy response: 'json' for JSON object or 'text' for text like host:port:user:pass (for dynamic proxies)"
            }
          },
-          "required": ["name"]
+          "required": ["name", "proxy_type", "host", "port"]
        }),
      },
      McpTool {
@@ -788,15 +788,6 @@ impl McpServer {
            "password": {
              "type": "string",
              "description": "Optional password for authentication (for regular proxies)"
-            },
-            "dynamic_proxy_url": {
-              "type": "string",
-              "description": "URL to fetch proxy settings from (for dynamic proxies)"
-            },
-            "dynamic_proxy_format": {
-              "type": "string",
-              "enum": ["json", "text"],
-              "description": "Format of the dynamic proxy response (for dynamic proxies)"
            }
          },
          "required": ["proxy_id"]
@@ -1008,6 +999,36 @@ impl McpServer {
          "required": ["profile_id", "rules"]
        }),
      },
+      McpTool {
+        name: "update_profile_dns_blocklist".to_string(),
+        description:
+          "Update the DNS blocklist level for a profile. Blocks ads, trackers, and malware domains at the proxy level."
+            .to_string(),
+        input_schema: serde_json::json!({
+          "type": "object",
+          "properties": {
+            "profile_id": {
+              "type": "string",
+              "description": "The UUID of the profile to update"
+            },
+            "level": {
+              "type": "string",
+              "enum": ["none", "light", "normal", "pro", "pro_plus", "ultimate"],
+              "description": "DNS blocklist level. 'none' disables blocking."
+            }
+          },
+          "required": ["profile_id", "level"]
+        }),
+      },
+      McpTool {
+        name: "get_dns_blocklist_status".to_string(),
+        description: "Get the cache status of all DNS blocklist tiers including entry counts and freshness.".to_string(),
+        input_schema: serde_json::json!({
+          "type": "object",
+          "properties": {},
+          "required": []
+        }),
+      },
      McpTool {
        name: "list_extensions".to_string(),
        description: "List all managed browser extensions. Requires Pro subscription.".to_string(),
@@ -1481,6 +1502,9 @@ impl McpServer {
          .handle_update_profile_proxy_bypass_rules(&arguments)
          .await
      }
+      // DNS blocklist management
+      "update_profile_dns_blocklist" => self.handle_update_profile_dns_blocklist(&arguments).await,
+      "get_dns_blocklist_status" => self.handle_get_dns_blocklist_status().await,
      // Extension management
      "list_extensions" => self.handle_list_extensions().await,
      "list_extension_groups" => self.handle_list_extension_groups().await,
@@ -1775,6 +1799,10 @@ impl McpServer {
      .get("proxy_id")
      .and_then(|v| v.as_str())
      .map(|s| s.to_string());
+    let launch_hook = arguments
+      .get("launch_hook")
+      .and_then(|v| v.as_str())
+      .map(|s| s.to_string());
    let group_id = arguments
      .get("group_id")
      .and_then(|v| v.as_str())
@@ -1804,7 +1832,19 @@ impl McpServer {

    let mut profile = ProfileManager::instance()
      .create_profile_with_group(
-        app_handle, name, browser, version, "stable", proxy_id, None, None, None, group_id, false,
+        app_handle,
+        name,
+        browser,
+        version,
+        "stable",
+        proxy_id,
+        None,
+        None,
+        None,
+        group_id,
+        false,
+        None,
+        launch_hook,
      )
      .await
      .map_err(|e| McpError {
@@ -1872,6 +1912,19 @@ impl McpServer {
        })?;
    }

+    if let Some(launch_hook) = arguments.get("launch_hook").and_then(|v| v.as_str()) {
+      let normalized = if launch_hook.is_empty() {
+        None
+      } else {
+        Some(launch_hook.to_string())
+      };
+      pm.update_profile_launch_hook(app_handle, profile_id, normalized)
+        .map_err(|e| McpError {
+          code: -32000,
+          message: format!("Failed to update launch hook: {e}"),
+        })?;
+    }
+
    if let Some(group_id) = arguments.get("group_id").and_then(|v| v.as_str()) {
      let gid = if group_id.is_empty() {
        None
@@ -2326,74 +2379,54 @@ impl McpServer {
      message: "MCP server not properly initialized".to_string(),
    })?;

-    // Check if this is a dynamic proxy creation
-    let dynamic_url = arguments.get("dynamic_proxy_url").and_then(|v| v.as_str());
-    let dynamic_format = arguments
-      .get("dynamic_proxy_format")
-      .and_then(|v| v.as_str());
+    let proxy_type = arguments
+      .get("proxy_type")
+      .and_then(|v| v.as_str())
+      .ok_or_else(|| McpError {
+        code: -32602,
+        message: "Missing proxy_type".to_string(),
+      })?;

-    let proxy = if let (Some(url), Some(format)) = (dynamic_url, dynamic_format) {
-      PROXY_MANAGER
-        .create_dynamic_proxy(
-          app_handle,
-          name.to_string(),
-          url.to_string(),
-          format.to_string(),
-        )
-        .map_err(|e| McpError {
-          code: -32000,
-          message: format!("Failed to create dynamic proxy: {e}"),
-        })?
-    } else {
-      let proxy_type = arguments
-        .get("proxy_type")
-        .and_then(|v| v.as_str())
-        .ok_or_else(|| McpError {
-          code: -32602,
-          message: "Missing proxy_type (required for regular proxies)".to_string(),
-        })?;
+    let host = arguments
+      .get("host")
+      .and_then(|v| v.as_str())
+      .ok_or_else(|| McpError {
+        code: -32602,
+        message: "Missing host".to_string(),
+      })?;

-      let host = arguments
-        .get("host")
-        .and_then(|v| v.as_str())
-        .ok_or_else(|| McpError {
-          code: -32602,
-          message: "Missing host (required for regular proxies)".to_string(),
-        })?;
+    let port = arguments
+      .get("port")
+      .and_then(|v| v.as_u64())
+      .ok_or_else(|| McpError {
+        code: -32602,
+        message: "Missing port".to_string(),
+      })? as u16;

-      let port = arguments
-        .get("port")
-        .and_then(|v| v.as_u64())
-        .ok_or_else(|| McpError {
-          code: -32602,
-          message: "Missing port (required for regular proxies)".to_string(),
-        })? as u16;
+    let username = arguments
+      .get("username")
+      .and_then(|v| v.as_str())
+      .map(|s| s.to_string());
+    let password = arguments
+      .get("password")
+      .and_then(|v| v.as_str())
+      .map(|s| s.to_string());

-      let username = arguments
-        .get("username")
-        .and_then(|v| v.as_str())
-        .map(|s| s.to_string());
-      let password = arguments
-        .get("password")
-        .and_then(|v| v.as_str())
-        .map(|s| s.to_string());
-
-      let proxy_settings = ProxySettings {
-        proxy_type: proxy_type.to_string(),
-        host: host.to_string(),
-        port,
-        username,
-        password,
-      };
-
-      PROXY_MANAGER
-        .create_stored_proxy(app_handle, name.to_string(), proxy_settings)
-        .map_err(|e| McpError {
-          code: -32000,
-          message: format!("Failed to create proxy: {e}"),
-        })?
+    let proxy_settings = ProxySettings {
+      proxy_type: proxy_type.to_string(),
+      host: host.to_string(),
+      port,
+      username,
+      password,
    };

+    let proxy = PROXY_MANAGER
+      .create_stored_proxy(app_handle, name.to_string(), proxy_settings)
+      .map_err(|e| McpError {
+        code: -32000,
+        message: format!("Failed to create proxy: {e}"),
+      })?;
+
    Ok(serde_json::json!({
      "content": [{
        "type": "text",
@@ -2482,32 +2515,12 @@ impl McpServer {
      message: "MCP server not properly initialized".to_string(),
    })?;

-    // Check for dynamic proxy fields
-    let dynamic_url = arguments
-      .get("dynamic_proxy_url")
-      .and_then(|v| v.as_str())
-      .map(|s| s.to_string());
-    let dynamic_format = arguments
-      .get("dynamic_proxy_format")
-      .and_then(|v| v.as_str())
-      .map(|s| s.to_string());
-    let is_dynamic = PROXY_MANAGER.is_dynamic_proxy(proxy_id) || dynamic_url.is_some();
-
-    let proxy = if is_dynamic {
-      PROXY_MANAGER
-        .update_dynamic_proxy(app_handle, proxy_id, name, dynamic_url, dynamic_format)
-        .map_err(|e| McpError {
-          code: -32000,
-          message: format!("Failed to update dynamic proxy: {e}"),
-        })?
-    } else {
-      PROXY_MANAGER
-        .update_stored_proxy(app_handle, proxy_id, name, proxy_settings)
-        .map_err(|e| McpError {
-          code: -32000,
-          message: format!("Failed to update proxy: {e}"),
-        })?
-    };
+    let proxy = PROXY_MANAGER
+      .update_stored_proxy(app_handle, proxy_id, name, proxy_settings)
+      .map_err(|e| McpError {
+        code: -32000,
+        message: format!("Failed to update proxy: {e}"),
+      })?;

    Ok(serde_json::json!({
      "content": [{
@@ -3118,6 +3131,61 @@ impl McpServer {
    }))
  }

+  async fn handle_update_profile_dns_blocklist(
+    &self,
+    arguments: &serde_json::Value,
+  ) -> Result<serde_json::Value, McpError> {
+    let profile_id = arguments
+      .get("profile_id")
+      .and_then(|v| v.as_str())
+      .ok_or_else(|| McpError {
+        code: -32602,
+        message: "Missing profile_id".to_string(),
+      })?;
+
+    let level = arguments
+      .get("level")
+      .and_then(|v| v.as_str())
+      .ok_or_else(|| McpError {
+        code: -32602,
+        message: "Missing level".to_string(),
+      })?;
+
+    let dns_blocklist = if level == "none" {
+      None
+    } else {
+      Some(level.to_string())
+    };
+
+    let profile = ProfileManager::instance()
+      .update_profile_dns_blocklist(profile_id, dns_blocklist)
+      .map_err(|e| McpError {
+        code: -32000,
+        message: format!("Failed to update DNS blocklist: {e}"),
+      })?;
+
+    Ok(serde_json::json!({
+      "content": [{
+        "type": "text",
+        "text": format!(
+          "DNS blocklist updated for profile '{}': {}",
+          profile.name,
+          level
+        )
+      }]
+    }))
+  }
+
+  async fn handle_get_dns_blocklist_status(&self) -> Result<serde_json::Value, McpError> {
+    let statuses = crate::dns_blocklist::BlocklistManager::get_cache_status();
+    Ok(serde_json::json!({
+      "content": [{
+        "type": "text",
+        "text": serde_json::to_string_pretty(&statuses).unwrap_or_default()
+      }]
+    }))
+  }
+
  async fn handle_list_extensions(&self) -> Result<serde_json::Value, McpError> {
    if !CLOUD_AUTH.has_active_paid_subscription().await {
      return Err(McpError {
@@ -89,96 +89,17 @@ pub mod macos {
      }
    }

-    // Fallback: Use AppleScript
-    let escaped_url = url
-      .replace("\"", "\\\"")
-      .replace("\\", "\\\\")
-      .replace("'", "\\'");
-
-    let script = format!(
-      r#"
-try
-  tell application "System Events"
-    -- Find the exact process by PID
-    set targetProcess to (first application process whose unix id is {pid})
-    
-    -- Verify the process exists
-    if not (exists targetProcess) then
-      error "No process found with PID {pid}"
-    end if
-    
-    -- Get the process name for verification
-    set processName to name of targetProcess
-    
-    -- Bring the process to the front first
-    set frontmost of targetProcess to true
-    delay 1.0
-    
-    -- Check if the process has any visible windows
-    set windowList to windows of targetProcess
-    set hasVisibleWindow to false
-    repeat with w in windowList
-      if visible of w is true then
-        set hasVisibleWindow to true
-        exit repeat
-      end if
-    end repeat
-    
-    if not hasVisibleWindow then
-      -- No visible windows, create a new one
-      tell targetProcess
-        keystroke "n" using command down
-        delay 2.0
-      end tell
-    end if
-    
-    -- Ensure the process is frontmost again
-    set frontmost of targetProcess to true
-    delay 0.5
-    
-    -- Focus on the address bar and open URL
-    tell targetProcess
-      -- Open a new tab
-      keystroke "t" using command down
-      delay 1.5
-      
-      -- Focus address bar (Cmd+L)
-      keystroke "l" using command down
-      delay 0.5
-      
-      -- Type the URL
-      keystroke "{escaped_url}"
-      delay 0.5
-      
-      -- Press Enter to navigate
-      keystroke return
-    end tell
-    
-    return "Successfully opened URL in " & processName & " (PID: {pid})"
-  end tell
-on error errMsg number errNum
-  return "AppleScript failed: " & errMsg & " (Error " & errNum & ")"
-end try
-      "#
-    );
-
-    log::info!("Executing AppleScript fallback for Firefox-based browser (PID: {pid})...");
-    let output = Command::new("osascript").args(["-e", &script]).output()?;
-
-    if !output.status.success() {
-      let error_msg = String::from_utf8_lossy(&output.stderr);
-      log::info!("AppleScript failed: {error_msg}");
-      return Err(
-        format!(
-          "Both Firefox remote command and AppleScript failed. AppleScript error: {error_msg}"
-        )
-        .into(),
-      );
-    } else {
-      log::info!("AppleScript succeeded");
-    }
-
-    Ok(())
+    // The Firefox `-new-tab` remote command failed. We intentionally do NOT
+    // fall back to an AppleScript `System Events` keystroke path: that would
+    // send Apple Events to another application and trigger the macOS TCC
+    // "<Donut> wants control of <Browser>" / "prevented from modifying other
+    // apps" prompts. Donut must never touch other apps on the user's Mac.
+    Err(
+      format!(
+        "Firefox remote command failed for PID {pid}; cannot open URL in existing window without touching other apps"
+      )
+      .into(),
+    )
  }

  pub async fn kill_browser_process_impl(
@@ -378,93 +299,18 @@ end try
      }
    }

-    // Fallback to AppleScript
-    let escaped_url = url
-      .replace("\"", "\\\"")
-      .replace("\\", "\\\\")
-      .replace("'", "\\'");
-
-    let script = format!(
-      r#"
-try
-  tell application "System Events"
-    -- Find the exact process by PID
-    set targetProcess to (first application process whose unix id is {pid})
-    
-    -- Verify the process exists
-    if not (exists targetProcess) then
-      error "No process found with PID {pid}"
-    end if
-    
-    -- Get the process name for verification
-    set processName to name of targetProcess
-    
-    -- Bring the process to the front first
-    set frontmost of targetProcess to true
-    delay 1.0
-    
-    -- Check if the process has any visible windows
-    set windowList to windows of targetProcess
-    set hasVisibleWindow to false
-    repeat with w in windowList
-      if visible of w is true then
-        set hasVisibleWindow to true
-        exit repeat
-      end if
-    end repeat
-    
-    if not hasVisibleWindow then
-      -- No visible windows, create a new one
-      tell targetProcess
-        keystroke "n" using command down
-        delay 2.0
-      end tell
-    end if
-    
-    -- Ensure the process is frontmost again
-    set frontmost of targetProcess to true
-    delay 0.5
-    
-    -- Focus on the address bar and open URL
-    tell targetProcess
-      -- Open a new tab
-      keystroke "t" using command down
-      delay 1.5
-      
-      -- Focus address bar (Cmd+L)
-      keystroke "l" using command down
-      delay 0.5
-      
-      -- Type the URL
-      keystroke "{escaped_url}"
-      delay 0.5
-      
-      -- Press Enter to navigate
-      keystroke return
-    end tell
-    
-    return "Successfully opened URL in " & processName & " (PID: {pid})"
-  end tell
-on error errMsg number errNum
-  return "AppleScript failed: " & errMsg & " (Error " & errNum & ")"
-end try
-      "#
-    );
-
-    log::info!("Executing AppleScript for Chromium-based browser (PID: {pid})...");
-    let output = Command::new("osascript").args(["-e", &script]).output()?;
-
-    if !output.status.success() {
-      let error_msg = String::from_utf8_lossy(&output.stderr);
-      log::info!("AppleScript failed: {error_msg}");
-      return Err(
-        format!("Failed to open URL in existing Chromium-based browser: {error_msg}").into(),
-      );
-    } else {
-      log::info!("AppleScript succeeded");
-    }
-
-    Ok(())
+    // The Chromium `--user-data-dir=<path> <url>` remote command failed.
+    // We intentionally do NOT fall back to an AppleScript `System Events`
+    // keystroke path: that would send Apple Events to another application
+    // and trigger the macOS TCC "<Donut> wants control of <Browser>" /
+    // "prevented from modifying other apps" prompts. Donut must never touch
+    // other apps on the user's Mac.
+    Err(
+      format!(
+        "Chromium remote command failed for PID {pid}; cannot open URL in existing window without touching other apps"
+      )
+      .into(),
+    )
  }
 }

@@ -10,6 +10,7 @@ use crate::wayfern_manager::WayfernConfig;
 use std::fs::{self, create_dir_all};
 use std::path::{Path, PathBuf};
 use sysinfo::{Pid, ProcessRefreshKind, RefreshKind, System};
+use url::Url;

 pub struct ProfileManager {
  camoufox_manager: &'static crate::camoufox_manager::CamoufoxManager,
@@ -36,6 +37,25 @@ impl ProfileManager {
    crate::app_dirs::binaries_dir()
  }

+  fn normalize_launch_hook(
+    launch_hook: Option<String>,
+  ) -> Result<Option<String>, Box<dyn std::error::Error>> {
+    let Some(raw) = launch_hook else {
+      return Ok(None);
+    };
+
+    let trimmed = raw.trim();
+    if trimmed.is_empty() {
+      return Ok(None);
+    }
+
+    let parsed = Url::parse(trimmed).map_err(|e| format!("Invalid launch hook URL: {e}"))?;
+    match parsed.scheme() {
+      "http" | "https" => Ok(Some(parsed.to_string())),
+      _ => Err("Launch hook URL must use http or https".into()),
+    }
+  }
+
  #[allow(clippy::too_many_arguments)]
  pub async fn create_profile_with_group(
    &self,
@@ -50,11 +70,15 @@ impl ProfileManager {
    wayfern_config: Option<WayfernConfig>,
    group_id: Option<String>,
    ephemeral: bool,
+    dns_blocklist: Option<String>,
+    launch_hook: Option<String>,
  ) -> Result<BrowserProfile, Box<dyn std::error::Error>> {
    if proxy_id.is_some() && vpn_id.is_some() {
      return Err("Cannot set both proxy_id and vpn_id".into());
    }

+    let launch_hook = Self::normalize_launch_hook(launch_hook)?;
+
    // Sync cloud proxy credentials if the profile uses a cloud or cloud-derived proxy
    if let Some(ref pid) = proxy_id {
      if PROXY_MANAGER.is_cloud_or_derived(pid) || pid == crate::proxy_manager::CLOUD_PROXY_ID {
@@ -141,6 +165,7 @@ impl ProfileManager {
          version: version.to_string(),
          proxy_id: proxy_id.clone(),
          vpn_id: None,
+          launch_hook: launch_hook.clone(),
          process_id: None,
          last_launch: None,
          release_type: release_type.to_string(),
@@ -158,6 +183,7 @@ impl ProfileManager {
          proxy_bypass_rules: Vec::new(),
          created_by_id: None,
          created_by_email: None,
+          dns_blocklist: None,
        };

        match self
@@ -240,6 +266,7 @@ impl ProfileManager {
          version: version.to_string(),
          proxy_id: proxy_id.clone(),
          vpn_id: None,
+          launch_hook: launch_hook.clone(),
          process_id: None,
          last_launch: None,
          release_type: release_type.to_string(),
@@ -257,6 +284,7 @@ impl ProfileManager {
          proxy_bypass_rules: Vec::new(),
          created_by_id: None,
          created_by_email: None,
+          dns_blocklist: None,
        };

        match self
@@ -293,6 +321,7 @@ impl ProfileManager {
      version: version.to_string(),
      proxy_id: proxy_id.clone(),
      vpn_id: vpn_id.clone(),
+      launch_hook,
      process_id: None,
      last_launch: None,
      release_type: release_type.to_string(),
@@ -310,6 +339,7 @@ impl ProfileManager {
      proxy_bypass_rules: Vec::new(),
      created_by_id: None,
      created_by_email: None,
+      dns_blocklist,
    };

    // Save profile info
@@ -735,6 +765,35 @@ impl ProfileManager {
    Ok(profile)
  }

+  pub fn update_profile_launch_hook(
+    &self,
+    _app_handle: &tauri::AppHandle,
+    profile_id: &str,
+    launch_hook: Option<String>,
+  ) -> Result<BrowserProfile, Box<dyn std::error::Error>> {
+    let profile_uuid =
+      uuid::Uuid::parse_str(profile_id).map_err(|_| format!("Invalid profile ID: {profile_id}"))?;
+    let profiles = self.list_profiles()?;
+    let mut profile = profiles
+      .into_iter()
+      .find(|p| p.id == profile_uuid)
+      .ok_or_else(|| format!("Profile with ID '{profile_id}' not found"))?;
+
+    profile.launch_hook = Self::normalize_launch_hook(launch_hook)?;
+
+    self.save_profile(&profile)?;
+
+    if let Err(e) = events::emit("profile-updated", &profile) {
+      log::warn!("Warning: Failed to emit profile update event: {e}");
+    }
+
+    if let Err(e) = events::emit_empty("profiles-changed") {
+      log::warn!("Warning: Failed to emit profiles-changed event: {e}");
+    }
+
+    Ok(profile)
+  }
+
  pub fn update_profile_proxy_bypass_rules(
    &self,
    _app_handle: &tauri::AppHandle,
@@ -760,6 +819,30 @@ impl ProfileManager {
    Ok(profile)
  }

+  pub fn update_profile_dns_blocklist(
+    &self,
+    profile_id: &str,
+    dns_blocklist: Option<String>,
+  ) -> Result<BrowserProfile, Box<dyn std::error::Error>> {
+    let profile_uuid =
+      uuid::Uuid::parse_str(profile_id).map_err(|_| format!("Invalid profile ID: {profile_id}"))?;
+    let profiles = self.list_profiles()?;
+    let mut profile = profiles
+      .into_iter()
+      .find(|p| p.id == profile_uuid)
+      .ok_or_else(|| format!("Profile with ID '{profile_id}' not found"))?;
+
+    profile.dns_blocklist = dns_blocklist;
+
+    self.save_profile(&profile)?;
+
+    if let Err(e) = events::emit_empty("profiles-changed") {
+      log::warn!("Warning: Failed to emit profiles-changed event: {e}");
+    }
+
+    Ok(profile)
+  }
+
  pub fn delete_multiple_profiles(
    &self,
    app_handle: &tauri::AppHandle,
@@ -885,6 +968,7 @@ impl ProfileManager {
      version: source.version,
      proxy_id: source.proxy_id,
      vpn_id: source.vpn_id,
+      launch_hook: source.launch_hook,
      process_id: None,
      last_launch: None,
      release_type: source.release_type,
@@ -902,6 +986,7 @@ impl ProfileManager {
      proxy_bypass_rules: source.proxy_bypass_rules,
      created_by_id: None,
      created_by_email: None,
+      dns_blocklist: source.dns_blocklist,
    };

    self.save_profile(&new_profile)?;
@@ -1941,6 +2026,36 @@ mod tests {
      "PAC URL should percent-encode spaces: {pac_line}"
    );
  }
+
+  #[test]
+  fn test_normalize_launch_hook_accepts_http_and_https() {
+    let http =
+      ProfileManager::normalize_launch_hook(Some(" http://localhost:3000/hook ".to_string()))
+        .unwrap();
+    let https = ProfileManager::normalize_launch_hook(Some(
+      "https://example.com/hooks/profile-launch".to_string(),
+    ))
+    .unwrap();
+
+    assert_eq!(http.as_deref(), Some("http://localhost:3000/hook"));
+    assert_eq!(
+      https.as_deref(),
+      Some("https://example.com/hooks/profile-launch")
+    );
+  }
+
+  #[test]
+  fn test_normalize_launch_hook_clears_empty_values() {
+    let result = ProfileManager::normalize_launch_hook(Some("   ".to_string())).unwrap();
+    assert!(result.is_none());
+  }
+
+  #[test]
+  fn test_normalize_launch_hook_rejects_invalid_scheme() {
+    let err = ProfileManager::normalize_launch_hook(Some("ftp://example.com/hook".to_string()))
+      .unwrap_err();
+    assert!(err.to_string().contains("http or https"));
+  }
 }

 #[allow(clippy::too_many_arguments)]
@@ -1957,6 +2072,8 @@ pub async fn create_browser_profile_with_group(
  wayfern_config: Option<WayfernConfig>,
  group_id: Option<String>,
  ephemeral: bool,
+  dns_blocklist: Option<String>,
+  launch_hook: Option<String>,
 ) -> Result<BrowserProfile, String> {
  let profile_manager = ProfileManager::instance();
  profile_manager
@@ -1972,6 +2089,8 @@ pub async fn create_browser_profile_with_group(
      wayfern_config,
      group_id,
      ephemeral,
+      dns_blocklist,
+      launch_hook,
    )
    .await
    .map_err(|e| format!("Failed to create profile: {e}"))
@@ -2035,6 +2154,18 @@ pub fn update_profile_note(
    .map_err(|e| format!("Failed to update profile note: {e}"))
 }

+#[tauri::command]
+pub fn update_profile_launch_hook(
+  app_handle: tauri::AppHandle,
+  profile_id: String,
+  launch_hook: Option<String>,
+) -> Result<BrowserProfile, String> {
+  let profile_manager = ProfileManager::instance();
+  profile_manager
+    .update_profile_launch_hook(&app_handle, &profile_id, launch_hook)
+    .map_err(|e| format!("Failed to update profile launch hook: {e}"))
+}
+
 #[tauri::command]
 pub fn update_profile_proxy_bypass_rules(
  app_handle: tauri::AppHandle,
@@ -2047,6 +2178,17 @@ pub fn update_profile_proxy_bypass_rules(
    .map_err(|e| format!("Failed to update proxy bypass rules: {e}"))
 }

+#[tauri::command]
+pub fn update_profile_dns_blocklist(
+  profile_id: String,
+  dns_blocklist: Option<String>,
+) -> Result<BrowserProfile, String> {
+  let profile_manager = ProfileManager::instance();
+  profile_manager
+    .update_profile_dns_blocklist(&profile_id, dns_blocklist)
+    .map_err(|e| format!("Failed to update DNS blocklist: {e}"))
+}
+
 #[tauri::command]
 pub async fn check_browser_status(
  app_handle: tauri::AppHandle,
@@ -2085,6 +2227,8 @@ pub async fn create_browser_profile_new(
  wayfern_config: Option<WayfernConfig>,
  group_id: Option<String>,
  ephemeral: Option<bool>,
+  dns_blocklist: Option<String>,
+  launch_hook: Option<String>,
 ) -> Result<BrowserProfile, String> {
  let fingerprint_os = camoufox_config
    .as_ref()
@@ -2112,6 +2256,8 @@ pub async fn create_browser_profile_new(
    wayfern_config,
    group_id,
    ephemeral.unwrap_or(false),
+    dns_blocklist,
+    launch_hook,
  )
  .await
 }
@@ -32,6 +32,8 @@ pub struct BrowserProfile {
  #[serde(default)]
  pub vpn_id: Option<String>, // Reference to stored VPN config
  #[serde(default)]
+  pub launch_hook: Option<String>,
+  #[serde(default)]
  pub process_id: Option<u32>,
  #[serde(default)]
  pub last_launch: Option<u64>,
@@ -65,6 +67,8 @@ pub struct BrowserProfile {
  pub created_by_id: Option<String>,
  #[serde(default)]
  pub created_by_email: Option<String>,
+  #[serde(default)]
+  pub dns_blocklist: Option<String>,
 }

 pub fn default_release_type() -> String {
@@ -565,6 +565,7 @@ impl ProfileImporter {
          version: version.clone(),
          proxy_id: proxy_id.clone(),
          vpn_id: None,
+          launch_hook: None,
          process_id: None,
          last_launch: None,
          release_type: "stable".to_string(),
@@ -582,6 +583,7 @@ impl ProfileImporter {
          proxy_bypass_rules: Vec::new(),
          created_by_id: None,
          created_by_email: None,
+          dns_blocklist: None,
        };

        match self
@@ -643,6 +645,7 @@ impl ProfileImporter {
          version: version.clone(),
          proxy_id: proxy_id.clone(),
          vpn_id: None,
+          launch_hook: None,
          process_id: None,
          last_launch: None,
          release_type: "stable".to_string(),
@@ -660,6 +663,7 @@ impl ProfileImporter {
          proxy_bypass_rules: Vec::new(),
          created_by_id: None,
          created_by_email: None,
+          dns_blocklist: None,
        };

        match self
@@ -692,6 +696,7 @@ impl ProfileImporter {
      version,
      proxy_id,
      vpn_id: None,
+      launch_hook: None,
      process_id: None,
      last_launch: None,
      release_type: "stable".to_string(),
@@ -709,6 +714,7 @@ impl ProfileImporter {
      proxy_bypass_rules: Vec::new(),
      created_by_id: None,
      created_by_email: None,
+      dns_blocklist: None,
    };

    self.profile_manager.save_profile(&profile)?;
@@ -77,6 +77,7 @@ pub struct ProxyInfo {
  pub local_port: u16,
  // Optional profile ID to which this proxy instance is logically tied
  pub profile_id: Option<String>,
+  pub blocklist_file: Option<String>,
 }

 // Proxy check result cache
@@ -144,10 +145,6 @@ impl StoredProxy {
    }
  }

-  pub fn is_dynamic(&self) -> bool {
-    self.dynamic_proxy_url.is_some()
-  }
-
  /// Migrate legacy geo_state to geo_region
  pub fn migrate_geo_fields(&mut self) {
    if self.geo_region.is_none() && self.geo_state.is_some() {
@@ -1008,7 +1005,19 @@ impl ProxyManager {
      Ok(proxy_config) => {
        let local_url = format!("http://127.0.0.1:{}", proxy_config.local_port.unwrap_or(0));
        let config_id = proxy_config.id.clone();
-        let result = ip_utils::fetch_public_ip(Some(&local_url)).await;
+        // Wrap in a timeout so the check worker doesn't stay alive indefinitely
+        // if the upstream is slow or unreachable.
+        let result = tokio::time::timeout(
+          std::time::Duration::from_secs(30),
+          ip_utils::fetch_public_ip(Some(&local_url)),
+        )
+        .await
+        .unwrap_or_else(|_| {
+          Err(ip_utils::IpError::Network(
+            "Proxy check timed out after 30s".to_string(),
+          ))
+        });
+        // Always stop the worker — even if the check failed or timed out
        let _ = crate::proxy_runner::stop_proxy_process(&config_id).await;
        result
      }
@@ -1065,20 +1074,13 @@ impl ProxyManager {
    self.load_proxy_check_cache(proxy_id)
  }

-  // Check if a stored proxy is dynamic
-  pub fn is_dynamic_proxy(&self, proxy_id: &str) -> bool {
-    let stored_proxies = self.stored_proxies.lock().unwrap();
-    stored_proxies.get(proxy_id).is_some_and(|p| p.is_dynamic())
-  }
-
-  // Fetch proxy settings from a dynamic proxy URL
-  pub async fn fetch_dynamic_proxy(
+  pub async fn fetch_proxy_from_url(
    &self,
    url: &str,
-    format: &str,
-  ) -> Result<ProxySettings, String> {
+    timeout: std::time::Duration,
+  ) -> Result<Option<ProxySettings>, String> {
    let client = reqwest::Client::builder()
-      .timeout(std::time::Duration::from_secs(15))
+      .timeout(timeout)
      .build()
      .map_err(|e| format!("Failed to create HTTP client: {e}"))?;

@@ -1086,33 +1088,39 @@ impl ProxyManager {
      .get(url)
      .send()
      .await
-      .map_err(|e| format!("Failed to fetch dynamic proxy: {e}"))?;
+      .map_err(|e| format!("Failed to fetch launch hook: {e}"))?;
+
+    if response.status() == reqwest::StatusCode::NO_CONTENT {
+      return Ok(None);
+    }

    if !response.status().is_success() {
-      return Err(format!(
-        "Dynamic proxy URL returned status {}",
-        response.status()
-      ));
+      return Err(format!("Launch hook returned status {}", response.status()));
    }

    let body = response
      .text()
      .await
-      .map_err(|e| format!("Failed to read dynamic proxy response: {e}"))?;
+      .map_err(|e| format!("Failed to read launch hook response: {e}"))?;

    let body = body.trim();
    if body.is_empty() {
-      return Err("Dynamic proxy URL returned empty response".to_string());
+      return Err("Launch hook returned empty response".to_string());
    }

-    match format {
-      "json" => Self::parse_dynamic_proxy_json(body),
-      "text" => Self::parse_dynamic_proxy_text(body),
-      _ => Err(format!("Unsupported dynamic proxy format: {format}")),
+    if let Ok(settings) = Self::parse_dynamic_proxy_json(body) {
+      return Ok(Some(settings));
+    }
+
+    match Self::parse_dynamic_proxy_text(body) {
+      Ok(settings) => Ok(Some(settings)),
+      Err(text_error) => Err(format!(
+        "Failed to parse launch hook response: {text_error}"
+      )),
    }
  }

-  // Parse JSON format: { "ip"/"host": "...", "port": ..., "username": "...", "password": "..." }
+  // Parse JSON proxy payload: { "ip"/"host": "...", "port": ..., "username": "...", "password": "..." }
  fn parse_dynamic_proxy_json(body: &str) -> Result<ProxySettings, String> {
    let json: serde_json::Value =
      serde_json::from_str(body).map_err(|e| format!("Invalid JSON response: {e}"))?;
@@ -1178,7 +1186,7 @@ impl ProxyManager {
    })
  }

-  // Parse text format using the same logic as proxy import
+  // Parse plain text proxy payload using the same logic as proxy import
  fn parse_dynamic_proxy_text(body: &str) -> Result<ProxySettings, String> {
    let line = body
      .lines()
@@ -1209,136 +1217,6 @@ impl ProxyManager {
    }
  }

-  // Resolve dynamic proxy: fetch from URL and return settings
-  pub async fn resolve_dynamic_proxy(&self, proxy_id: &str) -> Result<ProxySettings, String> {
-    let (url, format) = {
-      let stored_proxies = self.stored_proxies.lock().unwrap();
-      let proxy = stored_proxies
-        .get(proxy_id)
-        .ok_or_else(|| format!("Proxy '{proxy_id}' not found"))?;
-
-      match (&proxy.dynamic_proxy_url, &proxy.dynamic_proxy_format) {
-        (Some(url), Some(format)) => (url.clone(), format.clone()),
-        _ => return Err("Proxy is not a dynamic proxy".to_string()),
-      }
-    };
-
-    self.fetch_dynamic_proxy(&url, &format).await
-  }
-
-  // Create a dynamic stored proxy
-  pub fn create_dynamic_proxy(
-    &self,
-    _app_handle: &tauri::AppHandle,
-    name: String,
-    url: String,
-    format: String,
-  ) -> Result<StoredProxy, String> {
-    {
-      let stored_proxies = self.stored_proxies.lock().unwrap();
-      if stored_proxies.values().any(|p| p.name == name) {
-        return Err(format!("Proxy with name '{name}' already exists"));
-      }
-    }
-
-    let placeholder_settings = ProxySettings {
-      proxy_type: "http".to_string(),
-      host: "dynamic".to_string(),
-      port: 0,
-      username: None,
-      password: None,
-    };
-
-    let mut stored_proxy = StoredProxy::new(name, placeholder_settings);
-    stored_proxy.dynamic_proxy_url = Some(url);
-    stored_proxy.dynamic_proxy_format = Some(format);
-
-    {
-      let mut stored_proxies = self.stored_proxies.lock().unwrap();
-      stored_proxies.insert(stored_proxy.id.clone(), stored_proxy.clone());
-    }
-
-    if let Err(e) = self.save_proxy(&stored_proxy) {
-      log::warn!("Failed to save proxy: {e}");
-    }
-
-    if let Err(e) = events::emit_empty("proxies-changed") {
-      log::error!("Failed to emit proxies-changed event: {e}");
-    }
-
-    if stored_proxy.sync_enabled {
-      if let Some(scheduler) = crate::sync::get_global_scheduler() {
-        let id = stored_proxy.id.clone();
-        tauri::async_runtime::spawn(async move {
-          scheduler.queue_proxy_sync(id).await;
-        });
-      }
-    }
-
-    Ok(stored_proxy)
-  }
-
-  // Update a dynamic proxy's URL and format
-  pub fn update_dynamic_proxy(
-    &self,
-    _app_handle: &tauri::AppHandle,
-    proxy_id: &str,
-    name: Option<String>,
-    url: Option<String>,
-    format: Option<String>,
-  ) -> Result<StoredProxy, String> {
-    {
-      let stored_proxies = self.stored_proxies.lock().unwrap();
-      if !stored_proxies.contains_key(proxy_id) {
-        return Err(format!("Proxy with ID '{proxy_id}' not found"));
-      }
-      if let Some(ref new_name) = name {
-        if stored_proxies
-          .values()
-          .any(|p| p.id != proxy_id && p.name == *new_name)
-        {
-          return Err(format!("Proxy with name '{new_name}' already exists"));
-        }
-      }
-    }
-
-    let updated_proxy = {
-      let mut stored_proxies = self.stored_proxies.lock().unwrap();
-      let stored_proxy = stored_proxies.get_mut(proxy_id).unwrap();
-
-      if let Some(new_name) = name {
-        stored_proxy.update_name(new_name);
-      }
-      if let Some(new_url) = url {
-        stored_proxy.dynamic_proxy_url = Some(new_url);
-      }
-      if let Some(new_format) = format {
-        stored_proxy.dynamic_proxy_format = Some(new_format);
-      }
-
-      stored_proxy.clone()
-    };
-
-    if let Err(e) = self.save_proxy(&updated_proxy) {
-      log::warn!("Failed to save proxy: {e}");
-    }
-
-    if let Err(e) = events::emit_empty("proxies-changed") {
-      log::error!("Failed to emit proxies-changed event: {e}");
-    }
-
-    if updated_proxy.sync_enabled {
-      if let Some(scheduler) = crate::sync::get_global_scheduler() {
-        let id = updated_proxy.id.clone();
-        tauri::async_runtime::spawn(async move {
-          scheduler.queue_proxy_sync(id).await;
-        });
-      }
-    }
-
-    Ok(updated_proxy)
-  }
-
  // Export all proxies as JSON
  pub fn export_proxies_json(&self) -> Result<String, String> {
    let stored_proxies = self.stored_proxies.lock().unwrap();
@@ -1490,6 +1368,10 @@ impl ProxyManager {
      ("socks5", rest)
    } else if let Some(rest) = line.strip_prefix("socks://") {
      ("socks5", rest) // Default socks to socks5
+    } else if let Some(rest) = line.strip_prefix("ss://") {
+      ("ss", rest)
+    } else if let Some(rest) = line.strip_prefix("shadowsocks://") {
+      ("ss", rest)
    } else {
      return None;
    };
@@ -1675,6 +1557,7 @@ impl ProxyManager {
    browser_pid: u32,
    profile_id: Option<&str>,
    bypass_rules: Vec<String>,
+    blocklist_file: Option<String>,
  ) -> Result<ProxySettings, String> {
    if let Some(name) = profile_id {
      // Check if we have an active proxy recorded for this profile
@@ -1802,6 +1685,11 @@ impl ProxyManager {
      proxy_cmd = proxy_cmd.arg("--bypass-rules").arg(rules_json);
    }

+    // Add blocklist file path if provided
+    if let Some(ref path) = blocklist_file {
+      proxy_cmd = proxy_cmd.arg("--blocklist-file").arg(path);
+    }
+
    // Execute the command and wait for it to complete
    // The donut-proxy binary should start the worker and then exit
    let output = proxy_cmd
@@ -1847,6 +1735,7 @@ impl ProxyManager {
        .unwrap_or_else(|| "DIRECT".to_string()),
      local_port,
      profile_id: profile_id.map(|s| s.to_string()),
+      blocklist_file: blocklist_file.clone(),
    };

    // Wait for the local proxy port to be ready to accept connections
@@ -2123,11 +2012,132 @@ impl ProxyManager {
        "Cleaning up orphaned proxy config: {} (proxy process is dead)",
        config.id
      );
-      // Just delete the config file - the process is already dead
      use crate::proxy_storage::delete_proxy_config;
      delete_proxy_config(&config.id);
    }

+    // Kill stale profileless proxy workers — these are check workers
+    // (from check_proxy_validity or similar) that were never cleaned up.
+    // Profile-associated proxies are left alone to avoid the regression
+    // where killing proxies for "dead" browsers on Linux also killed
+    // proxies for running browsers (due to launcher-vs-browser PID mismatch).
+    {
+      use crate::proxy_storage::{is_process_running, list_proxy_configs};
+      use std::time::{SystemTime, UNIX_EPOCH};
+
+      let now = SystemTime::now()
+        .duration_since(UNIX_EPOCH)
+        .unwrap()
+        .as_secs();
+
+      let all_configs = list_proxy_configs();
+      for config in all_configs {
+        // Only target proxies WITHOUT a profile_id (check workers)
+        if config.profile_id.is_some() {
+          continue;
+        }
+
+        // Must have a running process to kill
+        let Some(pid) = config.pid else { continue };
+        if !is_process_running(pid) {
+          continue;
+        }
+
+        // Check age: only kill if older than 5 minutes
+        let proxy_age = config
+          .id
+          .strip_prefix("proxy_")
+          .and_then(|s| s.split('_').next())
+          .and_then(|s| s.parse::<u64>().ok())
+          .map(|created_at| now.saturating_sub(created_at))
+          .unwrap_or(0);
+
+        if proxy_age > 300 {
+          log::info!(
+            "Killing stale profileless proxy {} (PID {}, age {}s)",
+            config.id,
+            pid,
+            proxy_age
+          );
+          let _ = crate::proxy_runner::stop_proxy_process(&config.id).await;
+        }
+      }
+    }
+
+    // Kill proxy workers whose browser process has died.
+    //
+    // active_proxies is keyed by the EXACT browser PID that was recorded in
+    // update_proxy_pid(). Checking that PID against a single process-table
+    // snapshot is deterministic: either the PID refers to a live process or
+    // it doesn't. This avoids the fuzzy launcher-vs-browser detection used
+    // by check_browser_status (which historically had false negatives on
+    // Linux and was the reason profile-associated workers were left alone
+    // in the other cleanup branches).
+    //
+    // Without this, every time a user closes their browser via the window's
+    // X button (bypassing Donut's stop flow) or the browser crashes, the
+    // worker keeps running forever. On Windows users reported dozens of
+    // donut-proxy processes accumulating this way.
+    {
+      // Snapshot current active entries first so we don't hold the mutex
+      // while running the (expensive on Windows) sysinfo scan.
+      let snapshot: Vec<(u32, String, Option<String>)> = {
+        let proxies = self.active_proxies.lock().unwrap();
+        proxies
+          .iter()
+          .map(|(&browser_pid, info)| (browser_pid, info.id.clone(), info.profile_id.clone()))
+          .collect()
+      };
+
+      if !snapshot.is_empty() {
+        // One process-table scan for all candidates
+        let system = sysinfo::System::new_with_specifics(
+          sysinfo::RefreshKind::nothing().with_processes(sysinfo::ProcessRefreshKind::everything()),
+        );
+
+        let dead_browser_entries: Vec<(u32, String, Option<String>)> = snapshot
+          .into_iter()
+          .filter(|(browser_pid, _, _)| {
+            // The sentinel PID=0 is used as a placeholder during launch,
+            // before update_proxy_pid has recorded the real browser PID.
+            *browser_pid != 0
+              && system
+                .process(sysinfo::Pid::from_u32(*browser_pid))
+                .is_none()
+          })
+          .collect();
+
+        for (browser_pid, proxy_id, profile_id) in dead_browser_entries {
+          log::info!(
+            "Cleanup: browser PID {} is dead, stopping proxy worker {} (profile={:?})",
+            browser_pid,
+            proxy_id,
+            profile_id
+          );
+          {
+            let mut proxies = self.active_proxies.lock().unwrap();
+            // Re-check the entry still maps to the same proxy_id — another
+            // thread may have replaced it with a new proxy since we snapshotted.
+            if let Some(current) = proxies.get(&browser_pid) {
+              if current.id != proxy_id {
+                continue;
+              }
+            } else {
+              continue;
+            }
+            proxies.remove(&browser_pid);
+          }
+          if let Some(ref pid) = profile_id {
+            let mut map = self.profile_active_proxy_ids.lock().unwrap();
+            if map.get(pid) == Some(&proxy_id) {
+              map.remove(pid);
+            }
+          }
+          let _ = crate::proxy_runner::stop_proxy_process(&proxy_id).await;
+        }
+      }
+    }
+
    // Clean up orphaned VPN worker configs where the worker process is dead
    {
      use crate::proxy_storage::is_process_running;
@@ -2231,6 +2241,8 @@ mod tests {
  use hyper::Response;
  use hyper_util::rt::TokioIo;
  use tokio::net::TcpListener;
+  use wiremock::matchers::{method, path};
+  use wiremock::{Mock, MockServer, ResponseTemplate};

  // Helper function to build donut-proxy binary for testing
  async fn ensure_donut_proxy_binary() -> Result<PathBuf, Box<dyn std::error::Error>> {
@@ -2345,6 +2357,7 @@ mod tests {
          upstream_type: "http".to_string(),
          local_port: (8000 + i) as u16,
          profile_id: None,
+          blocklist_file: None,
        };

        // Add proxy
@@ -2671,6 +2684,7 @@ mod tests {
      upstream_type: "http".to_string(),
      local_port: port,
      profile_id: profile_id.map(|s| s.to_string()),
+      blocklist_file: None,
    }
  }

@@ -2898,6 +2912,7 @@ mod tests {
      pid: Some(live_pid),
      profile_id: None,
      bypass_rules: Vec::new(),
+      blocklist_file: None,
    };
    let dead_config = ProxyConfig {
      id: dead_id.clone(),
@@ -2908,6 +2923,7 @@ mod tests {
      pid: Some(dead_pid),
      profile_id: None,
      bypass_rules: Vec::new(),
+      blocklist_file: None,
    };

    save_proxy_config(&live_config).unwrap();
@@ -2946,6 +2962,7 @@ mod tests {
      pid: Some(12345),
      profile_id: Some("prof_abc".to_string()),
      bypass_rules: vec!["*.local".to_string(), "192.168.*".to_string()],
+      blocklist_file: None,
    };

    // Save
@@ -3064,6 +3081,7 @@ mod tests {
      upstream_type: "http".to_string(),
      local_port: 9201,
      profile_id: Some("profile_alpha".to_string()),
+      blocklist_file: None,
    };
    let info_b = ProxyInfo {
      id: "px_shared_b".to_string(),
@@ -3073,6 +3091,7 @@ mod tests {
      upstream_type: "http".to_string(),
      local_port: 9202,
      profile_id: Some("profile_beta".to_string()),
+      blocklist_file: None,
    };

    pm.insert_active_proxy(3001, info_a);
@@ -3260,6 +3279,7 @@ mod tests {
      pid: Some(dead_pid),
      profile_id: None,
      bypass_rules: Vec::new(),
+      blocklist_file: None,
    };
    save_proxy_config(&config).unwrap();

@@ -3432,6 +3452,7 @@ mod tests {
        upstream_type: ptype.to_string(),
        local_port: 9300 + i as u16,
        profile_id: Some(format!("profile_{ptype}")),
+        blocklist_file: None,
      };
      pm.insert_active_proxy(4000 + i as u32, info);
    }
@@ -3651,74 +3672,102 @@ mod tests {
    assert!(err.contains("Empty"));
  }

-  #[test]
-  fn test_stored_proxy_is_dynamic() {
-    let mut proxy = StoredProxy::new(
-      "test".to_string(),
-      ProxySettings {
-        proxy_type: "http".to_string(),
-        host: "h.com".to_string(),
-        port: 80,
-        username: None,
-        password: None,
-      },
-    );
-    assert!(!proxy.is_dynamic());
+  #[tokio::test]
+  async fn test_fetch_proxy_from_url_parses_json_response() {
+    let server = MockServer::start().await;
+    Mock::given(method("GET"))
+      .and(path("/hook"))
+      .respond_with(
+        ResponseTemplate::new(200).set_body_string(
+          r#"{"host":"proxy.example.com","port":3128,"type":"socks5","username":"user","password":"pass"}"#,
+        ),
+      )
+      .mount(&server)
+      .await;

-    proxy.dynamic_proxy_url = Some("https://api.example.com/proxy".to_string());
-    assert!(proxy.is_dynamic());
-  }
-
-  #[test]
-  fn test_is_dynamic_proxy_via_manager() {
    let pm = ProxyManager::new();
+    let result = pm
+      .fetch_proxy_from_url(
+        &format!("{}/hook", server.uri()),
+        Duration::from_millis(500),
+      )
+      .await
+      .unwrap()
+      .unwrap();

-    let mut proxy = StoredProxy::new(
-      "DynTest".to_string(),
-      ProxySettings {
-        proxy_type: "http".to_string(),
-        host: "dynamic".to_string(),
-        port: 0,
-        username: None,
-        password: None,
-      },
-    );
-    proxy.dynamic_proxy_url = Some("https://api.example.com/proxy".to_string());
-    proxy.dynamic_proxy_format = Some("json".to_string());
-
-    let id = proxy.id.clone();
-    pm.stored_proxies.lock().unwrap().insert(id.clone(), proxy);
-
-    assert!(pm.is_dynamic_proxy(&id));
-    assert!(!pm.is_dynamic_proxy("nonexistent"));
+    assert_eq!(result.host, "proxy.example.com");
+    assert_eq!(result.port, 3128);
+    assert_eq!(result.proxy_type, "socks5");
+    assert_eq!(result.username.as_deref(), Some("user"));
+    assert_eq!(result.password.as_deref(), Some("pass"));
  }

  #[tokio::test]
-  async fn test_resolve_dynamic_proxy_not_dynamic() {
+  async fn test_fetch_proxy_from_url_parses_text_response() {
+    let server = MockServer::start().await;
+    Mock::given(method("GET"))
+      .and(path("/hook"))
+      .respond_with(ResponseTemplate::new(200).set_body_string("socks5://user:pass@1.2.3.4:1080"))
+      .mount(&server)
+      .await;
+
    let pm = ProxyManager::new();
+    let result = pm
+      .fetch_proxy_from_url(
+        &format!("{}/hook", server.uri()),
+        Duration::from_millis(500),
+      )
+      .await
+      .unwrap()
+      .unwrap();

-    let proxy = StoredProxy::new(
-      "Regular".to_string(),
-      ProxySettings {
-        proxy_type: "http".to_string(),
-        host: "1.2.3.4".to_string(),
-        port: 8080,
-        username: None,
-        password: None,
-      },
-    );
-    let id = proxy.id.clone();
-    pm.stored_proxies.lock().unwrap().insert(id.clone(), proxy);
-
-    let err = pm.resolve_dynamic_proxy(&id).await.unwrap_err();
-    assert!(err.contains("not a dynamic proxy"));
+    assert_eq!(result.host, "1.2.3.4");
+    assert_eq!(result.port, 1080);
+    assert_eq!(result.proxy_type, "socks5");
+    assert_eq!(result.username.as_deref(), Some("user"));
+    assert_eq!(result.password.as_deref(), Some("pass"));
  }

  #[tokio::test]
-  async fn test_resolve_dynamic_proxy_not_found() {
-    let pm = ProxyManager::new();
+  async fn test_fetch_proxy_from_url_returns_none_for_no_content() {
+    let server = MockServer::start().await;
+    Mock::given(method("GET"))
+      .and(path("/hook"))
+      .respond_with(ResponseTemplate::new(204))
+      .mount(&server)
+      .await;

-    let err = pm.resolve_dynamic_proxy("nonexistent").await.unwrap_err();
-    assert!(err.contains("not found"));
+    let pm = ProxyManager::new();
+    let result = pm
+      .fetch_proxy_from_url(
+        &format!("{}/hook", server.uri()),
+        Duration::from_millis(500),
+      )
+      .await
+      .unwrap();
+
+    assert!(result.is_none());
+  }
+
+  #[tokio::test]
+  async fn test_fetch_proxy_from_url_respects_timeout() {
+    let server = MockServer::start().await;
+    Mock::given(method("GET"))
+      .and(path("/hook"))
+      .respond_with(
+        ResponseTemplate::new(200)
+          .set_delay(Duration::from_millis(200))
+          .set_body_string(r#"{"host":"1.2.3.4","port":8080}"#),
+      )
+      .mount(&server)
+      .await;
+
+    let pm = ProxyManager::new();
+    let err = pm
+      .fetch_proxy_from_url(&format!("{}/hook", server.uri()), Duration::from_millis(50))
+      .await
+      .unwrap_err();
+
+    assert!(err.contains("Failed to fetch launch hook"));
  }
 }
@@ -2,17 +2,166 @@ use crate::proxy_storage::{
  delete_proxy_config, generate_proxy_id, get_proxy_config, is_process_running, list_proxy_configs,
  save_proxy_config, ProxyConfig,
 };
+use std::path::{Path, PathBuf};
 use std::process::Stdio;
 lazy_static::lazy_static! {
  static ref PROXY_PROCESSES: std::sync::Mutex<std::collections::HashMap<String, u32>> =
    std::sync::Mutex::new(std::collections::HashMap::new());
 }

+fn target_binary_name(base_name: &str) -> Option<String> {
+  let target = std::env::var("TARGET").ok()?;
+
+  #[cfg(windows)]
+  {
+    Some(format!("{base_name}-{target}.exe"))
+  }
+
+  #[cfg(not(windows))]
+  {
+    Some(format!("{base_name}-{target}"))
+  }
+}
+
+fn unsuffixed_binary_name(base_name: &str) -> String {
+  #[cfg(windows)]
+  {
+    match base_name {
+      "donut-proxy" => "donut-proxy.exe".to_string(),
+      "donut-daemon" => "donut-daemon.exe".to_string(),
+      _ => String::new(),
+    }
+  }
+
+  #[cfg(not(windows))]
+  {
+    base_name.to_string()
+  }
+}
+
+fn binary_matches_prefix(path: &Path, base_name: &str) -> bool {
+  let Some(file_name) = path.file_name().and_then(|name| name.to_str()) else {
+    return false;
+  };
+
+  #[cfg(windows)]
+  {
+    file_name.starts_with(&format!("{base_name}-")) && file_name.ends_with(".exe")
+  }
+
+  #[cfg(not(windows))]
+  {
+    file_name.starts_with(&format!("{base_name}-"))
+  }
+}
+
+fn push_candidate_dir(dirs: &mut Vec<PathBuf>, dir: Option<PathBuf>) {
+  if let Some(dir) = dir {
+    if !dirs.iter().any(|existing| existing == &dir) {
+      dirs.push(dir);
+    }
+  }
+}
+
+pub(crate) fn find_sidecar_executable(
+  base_name: &str,
+) -> Result<PathBuf, Box<dyn std::error::Error>> {
+  let current_exe = std::env::current_exe()?;
+  let current_dir = current_exe
+    .parent()
+    .ok_or("Failed to get parent directory of current executable")?;
+
+  if current_exe
+    .file_stem()
+    .and_then(|stem| stem.to_str())
+    .is_some_and(|stem| stem == base_name)
+  {
+    return Ok(current_exe);
+  }
+
+  let manifest_dir = PathBuf::from(env!("CARGO_MANIFEST_DIR"));
+  let mut search_dirs = Vec::new();
+
+  push_candidate_dir(&mut search_dirs, Some(current_dir.to_path_buf()));
+  push_candidate_dir(
+    &mut search_dirs,
+    current_dir.parent().map(std::path::Path::to_path_buf),
+  );
+  push_candidate_dir(
+    &mut search_dirs,
+    current_dir
+      .parent()
+      .and_then(|parent| parent.parent())
+      .map(Path::to_path_buf),
+  );
+  push_candidate_dir(&mut search_dirs, Some(current_dir.join("binaries")));
+  push_candidate_dir(
+    &mut search_dirs,
+    current_dir.parent().map(|parent| parent.join("binaries")),
+  );
+  push_candidate_dir(
+    &mut search_dirs,
+    current_dir
+      .parent()
+      .and_then(|parent| parent.parent())
+      .map(|parent| parent.join("binaries")),
+  );
+  push_candidate_dir(&mut search_dirs, Some(manifest_dir.join("binaries")));
+  push_candidate_dir(
+    &mut search_dirs,
+    Some(manifest_dir.join("target").join("debug")),
+  );
+  push_candidate_dir(
+    &mut search_dirs,
+    Some(manifest_dir.join("target").join("release")),
+  );
+
+  let mut exact_names = vec![unsuffixed_binary_name(base_name)];
+  if let Some(target_name) = target_binary_name(base_name) {
+    exact_names.push(target_name);
+  }
+
+  for dir in &search_dirs {
+    for name in &exact_names {
+      if name.is_empty() {
+        continue;
+      }
+
+      let candidate = dir.join(name);
+      if candidate.exists() {
+        return Ok(candidate);
+      }
+    }
+
+    if let Ok(entries) = std::fs::read_dir(dir) {
+      for entry in entries.flatten() {
+        let path = entry.path();
+        if path.is_file() && binary_matches_prefix(&path, base_name) {
+          return Ok(path);
+        }
+      }
+    }
+  }
+
+  Err(
+    format!(
+      "Failed to locate '{}' executable. Searched in: {}",
+      base_name,
+      search_dirs
+        .iter()
+        .map(|dir| dir.display().to_string())
+        .collect::<Vec<_>>()
+        .join(", ")
+    )
+    .into(),
+  )
+}
+
 pub async fn start_proxy_process(
  upstream_url: Option<String>,
  port: Option<u16>,
 ) -> Result<ProxyConfig, Box<dyn std::error::Error>> {
-  start_proxy_process_with_profile(upstream_url, port, None, Vec::new()).await
+  start_proxy_process_with_profile(upstream_url, port, None, Vec::new(), None).await
 }

 pub async fn start_proxy_process_with_profile(
@@ -20,6 +169,7 @@ pub async fn start_proxy_process_with_profile(
  port: Option<u16>,
  profile_id: Option<String>,
  bypass_rules: Vec<String>,
+  blocklist_file: Option<String>,
 ) -> Result<ProxyConfig, Box<dyn std::error::Error>> {
  let id = generate_proxy_id();
  let upstream = upstream_url.unwrap_or_else(|| "DIRECT".to_string());
@@ -33,7 +183,8 @@ pub async fn start_proxy_process_with_profile(

  let config = ProxyConfig::new(id.clone(), upstream, Some(local_port))
    .with_profile_id(profile_id.clone())
-    .with_bypass_rules(bypass_rules);
+    .with_bypass_rules(bypass_rules)
+    .with_blocklist_file(blocklist_file);
  save_proxy_config(&config)?;

  // Log profile_id for debugging
@@ -45,7 +196,7 @@ pub async fn start_proxy_process_with_profile(

  // Spawn proxy worker process in the background using std::process::Command
  // This ensures proper process detachment on Unix systems
-  let exe = std::env::current_exe()?;
+  let exe = find_sidecar_executable("donut-proxy")?;

  #[cfg(unix)]
  {
@@ -7,6 +7,7 @@ use hyper::service::service_fn;
 use hyper::{Method, Request, Response, StatusCode};
 use hyper_util::rt::TokioIo;
 use regex_lite::Regex;
+use std::collections::HashSet;
 use std::convert::Infallible;
 use std::io;
 use std::net::SocketAddr;
@@ -17,6 +18,13 @@ use std::task::{Context, Poll};
 use tokio::io::{AsyncRead, AsyncReadExt, AsyncWrite, AsyncWriteExt, ReadBuf};
 use tokio::net::TcpListener;
 use tokio::net::TcpStream;
+
+/// Combined read+write trait for tunnel target streams, allowing
+/// `handle_connect_from_buffer` to handle plain TCP, SOCKS, and
+/// Shadowsocks through the same bidirectional-copy path.
+trait AsyncStream: AsyncRead + AsyncWrite + Unpin + Send {}
+impl<T: AsyncRead + AsyncWrite + Unpin + Send> AsyncStream for T {}
+type BoxedAsyncStream = Box<dyn AsyncStream>;
 use url::Url;

 enum CompiledRule {
@@ -51,6 +59,58 @@ impl BypassMatcher {
  }
 }

+#[derive(Clone)]
+pub struct BlocklistMatcher {
+  domains: Arc<HashSet<String>>,
+}
+
+impl Default for BlocklistMatcher {
+  fn default() -> Self {
+    Self::new()
+  }
+}
+
+impl BlocklistMatcher {
+  pub fn new() -> Self {
+    Self {
+      domains: Arc::new(HashSet::new()),
+    }
+  }
+
+  pub fn from_file(path: &str) -> Result<Self, Box<dyn std::error::Error>> {
+    let content = std::fs::read_to_string(path)?;
+    let domains: HashSet<String> = content
+      .lines()
+      .filter(|line| !line.starts_with('#') && !line.trim().is_empty())
+      .map(|line| line.trim().to_lowercase())
+      .collect();
+    log::info!("[blocklist] Loaded {} domains from {}", domains.len(), path);
+    Ok(Self {
+      domains: Arc::new(domains),
+    })
+  }
+
+  pub fn is_blocked(&self, host: &str) -> bool {
+    if self.domains.is_empty() {
+      return false;
+    }
+    let host_lower = host.to_lowercase();
+    // Exact match
+    if self.domains.contains(host_lower.as_str()) {
+      return true;
+    }
+    // Suffix matching: check parent domains (like uBlock)
+    let mut start = 0;
+    while let Some(dot_pos) = host_lower[start..].find('.') {
+      start += dot_pos + 1;
+      if self.domains.contains(&host_lower[start..]) {
+        return true;
+      }
+    }
+    false
+  }
+}
+
 /// Wrapper stream that counts bytes read and written
 struct CountingStream<S> {
  inner: S,
@@ -167,20 +227,22 @@ async fn handle_request(
  req: Request<hyper::body::Incoming>,
  upstream_url: Option<String>,
  bypass_matcher: BypassMatcher,
+  blocklist_matcher: BlocklistMatcher,
 ) -> Result<Response<Full<Bytes>>, Infallible> {
  // Handle CONNECT method for HTTPS tunneling
  if req.method() == Method::CONNECT {
-    return handle_connect(req, upstream_url, bypass_matcher).await;
+    return handle_connect(req, upstream_url, bypass_matcher, blocklist_matcher).await;
  }

  // Handle regular HTTP requests
-  handle_http(req, upstream_url, bypass_matcher).await
+  handle_http(req, upstream_url, bypass_matcher, blocklist_matcher).await
 }

 async fn handle_connect(
  req: Request<hyper::body::Incoming>,
  upstream_url: Option<String>,
  bypass_matcher: BypassMatcher,
+  blocklist_matcher: BlocklistMatcher,
 ) -> Result<Response<Full<Bytes>>, Infallible> {
  let authority = req.uri().authority().cloned();

@@ -196,6 +258,14 @@ async fn handle_connect(
      (&target_addr[..], 443)
    };

+    // Block if domain is in the DNS blocklist (before any connection)
+    if blocklist_matcher.is_blocked(target_host) {
+      log::debug!("[blocklist] Blocked CONNECT to {}", target_host);
+      let mut response = Response::new(Full::new(Bytes::from("Blocked by DNS blocklist")));
+      *response.status_mut() = StatusCode::FORBIDDEN;
+      return Ok(response);
+    }
+
    // If no upstream proxy, or bypass rule matches, connect directly
    if upstream_url.is_none()
      || upstream_url
@@ -707,10 +777,132 @@ async fn handle_http_via_socks4(
  Ok(hyper_response)
 }

+/// Handle plain HTTP requests through a Shadowsocks upstream.
+/// reqwest doesn't support SS natively, so we connect through the SS tunnel
+/// manually and forward the HTTP request/response.
+async fn handle_http_via_shadowsocks(
+  req: Request<hyper::body::Incoming>,
+  upstream: &Url,
+) -> Result<Response<Full<Bytes>>, Infallible> {
+  let domain = req
+    .uri()
+    .host()
+    .map(|h| h.to_string())
+    .unwrap_or_else(|| "unknown".to_string());
+  let port = req.uri().port_u16().unwrap_or(80);
+
+  let ss_host = upstream.host_str().unwrap_or("127.0.0.1");
+  let ss_port = upstream.port().unwrap_or(8388);
+  let method_str = urlencoding::decode(upstream.username())
+    .unwrap_or_default()
+    .to_string();
+  let password = urlencoding::decode(upstream.password().unwrap_or(""))
+    .unwrap_or_default()
+    .to_string();
+
+  let cipher = match method_str.parse::<shadowsocks::crypto::CipherKind>() {
+    Ok(c) => c,
+    Err(_) => {
+      let mut resp = Response::new(Full::new(Bytes::from(format!(
+        "Bad SS cipher: {method_str}"
+      ))));
+      *resp.status_mut() = StatusCode::BAD_GATEWAY;
+      return Ok(resp);
+    }
+  };
+
+  let context = shadowsocks::context::Context::new_shared(shadowsocks::config::ServerType::Local);
+  let svr_cfg = match shadowsocks::config::ServerConfig::new(
+    shadowsocks::config::ServerAddr::from((ss_host.to_string(), ss_port)),
+    &password,
+    cipher,
+  ) {
+    Ok(c) => c,
+    Err(e) => {
+      let mut resp = Response::new(Full::new(Bytes::from(format!("SS config error: {e}"))));
+      *resp.status_mut() = StatusCode::BAD_GATEWAY;
+      return Ok(resp);
+    }
+  };
+
+  let target_addr = shadowsocks::relay::Address::DomainNameAddress(domain.clone(), port);
+
+  let mut stream = match shadowsocks::relay::tcprelay::proxy_stream::ProxyClientStream::connect(
+    context,
+    &svr_cfg,
+    target_addr,
+  )
+  .await
+  {
+    Ok(s) => s,
+    Err(e) => {
+      let mut resp = Response::new(Full::new(Bytes::from(format!("SS connect: {e}"))));
+      *resp.status_mut() = StatusCode::BAD_GATEWAY;
+      return Ok(resp);
+    }
+  };
+
+  // Build and send the HTTP request through the SS tunnel
+  let path = req
+    .uri()
+    .path_and_query()
+    .map(|pq| pq.as_str())
+    .unwrap_or("/");
+  let method = req.method().as_str();
+  let mut raw_req = format!("{method} {path} HTTP/1.1\r\nHost: {domain}\r\nConnection: close\r\n");
+  for (name, value) in req.headers() {
+    if name != "host" && name != "connection" {
+      raw_req.push_str(&format!("{}: {}\r\n", name, value.to_str().unwrap_or("")));
+    }
+  }
+  raw_req.push_str("\r\n");
+
+  use tokio::io::{AsyncReadExt, AsyncWriteExt};
+  if let Err(e) = stream.write_all(raw_req.as_bytes()).await {
+    let mut resp = Response::new(Full::new(Bytes::from(format!("SS write: {e}"))));
+    *resp.status_mut() = StatusCode::BAD_GATEWAY;
+    return Ok(resp);
+  }
+
+  let mut response_buf = Vec::new();
+  if let Err(e) = stream.read_to_end(&mut response_buf).await {
+    log::warn!("SS read error (may be partial): {e}");
+  }
+
+  if let Some(tracker) = get_traffic_tracker() {
+    tracker.record_request(&domain, raw_req.len() as u64, response_buf.len() as u64);
+  }
+
+  // Parse the raw HTTP response
+  let response_str = String::from_utf8_lossy(&response_buf);
+  let header_end = response_str.find("\r\n\r\n").unwrap_or(response_str.len());
+  let status_line = response_str
+    .lines()
+    .next()
+    .unwrap_or("HTTP/1.1 502 Bad Gateway");
+  let status_code: u16 = status_line
+    .split_whitespace()
+    .nth(1)
+    .and_then(|s| s.parse().ok())
+    .unwrap_or(502);
+  let body = if header_end + 4 < response_buf.len() {
+    &response_buf[header_end + 4..]
+  } else {
+    b""
+  };
+
+  let mut hyper_response = Response::new(Full::new(Bytes::from(body.to_vec())));
+  *hyper_response.status_mut() =
+    StatusCode::from_u16(status_code).unwrap_or(StatusCode::BAD_GATEWAY);
+
+  Ok(hyper_response)
+}
+
 async fn handle_http(
  req: Request<hyper::body::Incoming>,
  upstream_url: Option<String>,
  bypass_matcher: BypassMatcher,
+  blocklist_matcher: BlocklistMatcher,
 ) -> Result<Response<Full<Bytes>>, Infallible> {
  // Extract domain for traffic tracking
  let domain = req
@@ -719,6 +911,14 @@ async fn handle_http(
    .map(|h| h.to_string())
    .unwrap_or_else(|| "unknown".to_string());

+  // Block if domain is in the DNS blocklist (before any connection)
+  if blocklist_matcher.is_blocked(&domain) {
+    log::debug!("[blocklist] Blocked HTTP request to {}", domain);
+    let mut response = Response::new(Full::new(Bytes::from("Blocked by DNS blocklist")));
+    *response.status_mut() = StatusCode::FORBIDDEN;
+    return Ok(response);
+  }
+
  log::error!(
    "DEBUG: Handling HTTP request: {} {} (host: {:?})",
    req.method(),
@@ -728,14 +928,19 @@ async fn handle_http(

  let should_bypass = bypass_matcher.should_bypass(&domain);

-  // Check if we need to handle SOCKS4 manually (reqwest doesn't support it)
+  // Handle proxy types that reqwest doesn't support natively
  if !should_bypass {
    if let Some(ref upstream) = upstream_url {
      if upstream != "DIRECT" {
        if let Ok(url) = Url::parse(upstream) {
-          if url.scheme() == "socks4" {
-            // Handle SOCKS4 manually for HTTP requests
-            return handle_http_via_socks4(req, upstream).await;
+          match url.scheme() {
+            "socks4" => {
+              return handle_http_via_socks4(req, upstream).await;
+            }
+            "ss" | "shadowsocks" => {
+              return handle_http_via_shadowsocks(req, &url).await;
+            }
+            _ => {}
          }
        }
      }
@@ -888,6 +1093,7 @@ pub async fn handle_proxy_connection(
  mut stream: tokio::net::TcpStream,
  upstream_url: Option<String>,
  bypass_matcher: BypassMatcher,
+  blocklist_matcher: BlocklistMatcher,
 ) {
  let _ = stream.set_nodelay(true);

@@ -942,8 +1148,14 @@ pub async fn handle_proxy_connection(
          }
        }

-        let _ =
-          handle_connect_from_buffer(stream, full_request, upstream_url, bypass_matcher).await;
+        let _ = handle_connect_from_buffer(
+          stream,
+          full_request,
+          upstream_url,
+          bypass_matcher,
+          blocklist_matcher,
+        )
+        .await;
        return;
      }

@@ -955,8 +1167,14 @@ pub async fn handle_proxy_connection(
        inner: stream,
      };
      let io = TokioIo::new(prepended_reader);
-      let service =
-        service_fn(move |req| handle_request(req, upstream_url.clone(), bypass_matcher.clone()));
+      let service = service_fn(move |req| {
+        handle_request(
+          req,
+          upstream_url.clone(),
+          bypass_matcher.clone(),
+          blocklist_matcher.clone(),
+        )
+      });

      let _ = http1::Builder::new().serve_connection(io, service).await;
    }
@@ -1128,6 +1346,17 @@ pub async fn run_proxy_server(config: ProxyConfig) -> Result<(), Box<dyn std::er
  });

  let bypass_matcher = BypassMatcher::new(&config.bypass_rules);
+  let blocklist_matcher = if let Some(ref path) = config.blocklist_file {
+    match BlocklistMatcher::from_file(path) {
+      Ok(m) => m,
+      Err(e) => {
+        log::error!("[blocklist] Failed to load from {}: {}", path, e);
+        BlocklistMatcher::new()
+      }
+    }
+  } else {
+    BlocklistMatcher::new()
+  };

  // Keep the runtime alive with an infinite loop
  // This ensures the process doesn't exit even if there are no active connections
@@ -1136,8 +1365,9 @@ pub async fn run_proxy_server(config: ProxyConfig) -> Result<(), Box<dyn std::er
      Ok((stream, _peer_addr)) => {
        let upstream = upstream_url.clone();
        let matcher = bypass_matcher.clone();
+        let blocker = blocklist_matcher.clone();
        tokio::task::spawn(async move {
-          handle_proxy_connection(stream, upstream, matcher).await;
+          handle_proxy_connection(stream, upstream, matcher, blocker).await;
        });
      }
      Err(e) => {
@@ -1155,6 +1385,7 @@ async fn handle_connect_from_buffer(
  request_buffer: Vec<u8>,
  upstream_url: Option<String>,
  bypass_matcher: BypassMatcher,
+  blocklist_matcher: BlocklistMatcher,
 ) -> Result<(), Box<dyn std::error::Error>> {
  // Parse the CONNECT request from the buffer
  let request_str = String::from_utf8_lossy(&request_buffer);
@@ -1185,43 +1416,56 @@ async fn handle_connect_from_buffer(
    (target, 443)
  };

+  // Block if domain is in the DNS blocklist (before any connection)
+  if blocklist_matcher.is_blocked(target_host) {
+    log::debug!("[blocklist] Blocked CONNECT tunnel to {}", target_host);
+    let _ = client_stream
+      .write_all(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 24\r\n\r\nBlocked by DNS blocklist")
+      .await;
+    return Ok(());
+  }
+
  // Record domain access in traffic tracker
  let domain = target_host.to_string();
  if let Some(tracker) = get_traffic_tracker() {
    tracker.record_request(&domain, 0, 0);
  }

-  // Connect to target (directly or via upstream proxy)
+  // Connect to target (directly or via upstream proxy).
+  // Returns a BoxedAsyncStream so all upstream types (plain TCP, SOCKS,
+  // Shadowsocks) share the same bidirectional-copy tunnel code below.
  let should_bypass = bypass_matcher.should_bypass(target_host);
-  let target_stream = match upstream_url.as_ref() {
+  // Helper: configure outbound TCP to match browser TCP fingerprint
+  let configure_tcp = |stream: &TcpStream| {
+    let _ = stream.set_nodelay(true);
+  };
+  let target_stream: BoxedAsyncStream = match upstream_url.as_ref() {
    None => {
-      // Direct connection
-      TcpStream::connect((target_host, target_port)).await?
+      let s = TcpStream::connect((target_host, target_port)).await?;
+      configure_tcp(&s);
+      Box::new(s)
    }
    Some(url) if url == "DIRECT" => {
-      // Direct connection
-      TcpStream::connect((target_host, target_port)).await?
+      let s = TcpStream::connect((target_host, target_port)).await?;
+      configure_tcp(&s);
+      Box::new(s)
    }
    _ if should_bypass => {
-      // Bypass rule matched - connect directly
-      TcpStream::connect((target_host, target_port)).await?
+      let s = TcpStream::connect((target_host, target_port)).await?;
+      configure_tcp(&s);
+      Box::new(s)
    }
    Some(upstream_url_str) => {
-      // Connect via upstream proxy
      let upstream = Url::parse(upstream_url_str)?;
      let scheme = upstream.scheme();

      match scheme {
        "http" | "https" => {
-          // Connect via HTTP/HTTPS proxy CONNECT
-          // Note: HTTPS proxy URLs still use HTTP CONNECT method (CONNECT is always HTTP-based)
-          // For HTTPS proxies, reqwest handles TLS automatically in handle_http
-          // For manual CONNECT here, we use plain TCP - HTTPS proxy CONNECT typically works over plain TCP
          let proxy_host = upstream.host_str().unwrap_or("127.0.0.1");
          let proxy_port = upstream.port().unwrap_or(8080);
          let mut proxy_stream = TcpStream::connect((proxy_host, proxy_port)).await?;
+          configure_tcp(&proxy_stream);

-          // Add authentication if provided
          let mut connect_req = format!(
            "CONNECT {}:{} HTTP/1.1\r\nHost: {}:{}\r\n",
            target_host, target_port, target_host, target_port
@@ -1237,10 +1481,8 @@ async fn handle_connect_from_buffer(

          connect_req.push_str("\r\n");

-          // Send CONNECT request to upstream proxy
          proxy_stream.write_all(connect_req.as_bytes()).await?;

-          // Read response
          let mut buffer = [0u8; 4096];
          let n = proxy_stream.read(&mut buffer).await?;
          let response = String::from_utf8_lossy(&buffer[..n]);
@@ -1249,10 +1491,9 @@ async fn handle_connect_from_buffer(
            return Err(format!("Upstream proxy CONNECT failed: {}", response).into());
          }

-          proxy_stream
+          Box::new(proxy_stream)
        }
        "socks4" | "socks5" => {
-          // Connect via SOCKS proxy
          let socks_host = upstream.host_str().unwrap_or("127.0.0.1");
          let socks_port = upstream.port().unwrap_or(1080);
          let socks_addr = format!("{}:{}", socks_host, socks_port);
@@ -1260,7 +1501,7 @@ async fn handle_connect_from_buffer(
          let username = upstream.username();
          let password = upstream.password().unwrap_or("");

-          connect_via_socks(
+          let stream = connect_via_socks(
            &socks_addr,
            target_host,
            target_port,
@@ -1271,7 +1512,56 @@ async fn handle_connect_from_buffer(
              None
            },
          )
-          .await?
+          .await?;
+          Box::new(stream)
+        }
+        "ss" | "shadowsocks" => {
+          // Shadowsocks: URL format is ss://method:password@host:port
+          // where "method" is the cipher (e.g. aes-256-gcm, chacha20-ietf-poly1305)
+          // and "password" is the SS server password.
+          let ss_host = upstream.host_str().unwrap_or("127.0.0.1");
+          let ss_port = upstream.port().unwrap_or(8388);
+
+          // The "username" field carries the cipher method
+          let method_str = urlencoding::decode(upstream.username())
+            .unwrap_or_default()
+            .to_string();
+          let password = urlencoding::decode(upstream.password().unwrap_or(""))
+            .unwrap_or_default()
+            .to_string();
+
+          if method_str.is_empty() || password.is_empty() {
+            return Err(
+              "Shadowsocks requires method and password (URL: ss://method:password@host:port)"
+                .into(),
+            );
+          }
+
+          let cipher = method_str.parse::<shadowsocks::crypto::CipherKind>().map_err(|_| {
+            format!("Unsupported Shadowsocks cipher: {method_str}. Use e.g. aes-256-gcm, chacha20-ietf-poly1305, aes-128-gcm")
+          })?;
+
+          let context =
+            shadowsocks::context::Context::new_shared(shadowsocks::config::ServerType::Local);
+          let svr_cfg = shadowsocks::config::ServerConfig::new(
+            shadowsocks::config::ServerAddr::from((ss_host.to_string(), ss_port)),
+            &password,
+            cipher,
+          )
+          .map_err(|e| format!("Invalid Shadowsocks config: {e}"))?;
+
+          let target_addr =
+            shadowsocks::relay::Address::DomainNameAddress(target_host.to_string(), target_port);
+
+          let stream = shadowsocks::relay::tcprelay::proxy_stream::ProxyClientStream::connect(
+            context,
+            &svr_cfg,
+            target_addr,
+          )
+          .await
+          .map_err(|e| format!("Shadowsocks connection failed: {e}"))?;
+
+          Box::new(stream)
        }
        _ => {
          return Err(format!("Unsupported upstream proxy scheme: {}", scheme).into());
@@ -1280,8 +1570,9 @@ async fn handle_connect_from_buffer(
    }
  };

-  // Enable TCP_NODELAY on target stream for immediate data transfer
-  let _ = target_stream.set_nodelay(true);
+  // TCP_NODELAY is set per-stream where applicable (TcpStream paths).
+  // For encrypted streams (Shadowsocks), the underlying TCP connection
+  // is managed by the library and nodelay is handled internally.

  // Send 200 Connection Established response to client
  // CRITICAL: Must flush after writing to ensure response is sent before tunneling
@@ -1362,3 +1653,106 @@ async fn handle_connect_from_buffer(

  Ok(())
 }
+
+#[cfg(test)]
+mod tests {
+  use super::*;
+  use std::io::Write;
+
+  #[test]
+  fn test_blocklist_exact_match() {
+    let mut matcher = BlocklistMatcher::new();
+    let mut domains = HashSet::new();
+    domains.insert("example.com".to_string());
+    domains.insert("tracker.net".to_string());
+    matcher.domains = Arc::new(domains);
+
+    assert!(matcher.is_blocked("example.com"));
+    assert!(matcher.is_blocked("tracker.net"));
+    assert!(!matcher.is_blocked("safe.com"));
+  }
+
+  #[test]
+  fn test_blocklist_subdomain_match() {
+    let mut matcher = BlocklistMatcher::new();
+    let mut domains = HashSet::new();
+    domains.insert("example.com".to_string());
+    matcher.domains = Arc::new(domains);
+
+    assert!(matcher.is_blocked("foo.example.com"));
+    assert!(matcher.is_blocked("bar.baz.example.com"));
+    assert!(matcher.is_blocked("a.b.c.example.com"));
+  }
+
+  #[test]
+  fn test_blocklist_no_false_positives() {
+    let mut matcher = BlocklistMatcher::new();
+    let mut domains = HashSet::new();
+    domains.insert("example.com".to_string());
+    matcher.domains = Arc::new(domains);
+
+    // "notexample.com" should NOT match "example.com"
+    assert!(!matcher.is_blocked("notexample.com"));
+    assert!(!matcher.is_blocked("myexample.com"));
+    // But subdomain should
+    assert!(matcher.is_blocked("sub.example.com"));
+  }
+
+  #[test]
+  fn test_blocklist_empty_blocks_nothing() {
+    let matcher = BlocklistMatcher::new();
+    assert!(!matcher.is_blocked("anything.com"));
+    assert!(!matcher.is_blocked("example.com"));
+  }
+
+  #[test]
+  fn test_blocklist_case_insensitive() {
+    let mut matcher = BlocklistMatcher::new();
+    let mut domains = HashSet::new();
+    domains.insert("example.com".to_string());
+    matcher.domains = Arc::new(domains);
+
+    assert!(matcher.is_blocked("EXAMPLE.COM"));
+    assert!(matcher.is_blocked("Example.Com"));
+    assert!(matcher.is_blocked("FOO.EXAMPLE.COM"));
+  }
+
+  #[test]
+  fn test_blocklist_from_file() {
+    let mut tmpfile = tempfile::NamedTempFile::new().unwrap();
+    writeln!(tmpfile, "# This is a comment").unwrap();
+    writeln!(tmpfile).unwrap();
+    writeln!(tmpfile, "tracker.example.com").unwrap();
+    writeln!(tmpfile, "ads.network.com").unwrap();
+    writeln!(tmpfile, "# Another comment").unwrap();
+    writeln!(tmpfile, "malware.site").unwrap();
+    tmpfile.flush().unwrap();
+
+    let matcher = BlocklistMatcher::from_file(tmpfile.path().to_str().unwrap()).unwrap();
+
+    assert!(matcher.is_blocked("tracker.example.com"));
+    assert!(matcher.is_blocked("ads.network.com"));
+    assert!(matcher.is_blocked("malware.site"));
+    assert!(matcher.is_blocked("sub.malware.site"));
+    assert!(!matcher.is_blocked("safe.com"));
+    // Comments and empty lines should be skipped: 3 domains loaded
+    assert_eq!(matcher.domains.len(), 3);
+  }
+
+  #[test]
+  fn test_blocklist_comments_skipped() {
+    let mut tmpfile = tempfile::NamedTempFile::new().unwrap();
+    writeln!(tmpfile, "# Title: HaGeZi's Light DNS Blocklist").unwrap();
+    writeln!(tmpfile, "# Description: test").unwrap();
+    writeln!(tmpfile, "# Version: 2026.0330.0928.01").unwrap();
+    writeln!(tmpfile).unwrap();
+    writeln!(tmpfile, "domain1.com").unwrap();
+    writeln!(tmpfile, "domain2.com").unwrap();
+    tmpfile.flush().unwrap();
+
+    let matcher = BlocklistMatcher::from_file(tmpfile.path().to_str().unwrap()).unwrap();
+    assert_eq!(matcher.domains.len(), 2);
+    assert!(matcher.is_blocked("domain1.com"));
+    assert!(matcher.is_blocked("domain2.com"));
+  }
+}
@@ -14,6 +14,8 @@ pub struct ProxyConfig {
  pub profile_id: Option<String>,
  #[serde(default)]
  pub bypass_rules: Vec<String>,
+  #[serde(default)]
+  pub blocklist_file: Option<String>,
 }

 impl ProxyConfig {
@@ -27,6 +29,7 @@ impl ProxyConfig {
      pid: None,
      profile_id: None,
      bypass_rules: Vec::new(),
+      blocklist_file: None,
    }
  }

@@ -39,6 +42,11 @@ impl ProxyConfig {
    self.bypass_rules = bypass_rules;
    self
  }
+
+  pub fn with_blocklist_file(mut self, blocklist_file: Option<String>) -> Self {
+    self.blocklist_file = blocklist_file;
+    self
+  }
 }

 pub fn get_storage_dir() -> PathBuf {
@@ -945,6 +945,42 @@ pub fn get_system_language() -> String {
    .unwrap_or_else(|| "en".to_string())
 }

+#[derive(Debug, Serialize, Clone)]
+pub struct SystemInfo {
+  pub app_version: String,
+  pub os: String,
+  pub arch: String,
+  pub portable: bool,
+}
+
+#[tauri::command]
+pub fn get_system_info() -> SystemInfo {
+  let os = if cfg!(target_os = "macos") {
+    "macOS"
+  } else if cfg!(target_os = "windows") {
+    "Windows"
+  } else if cfg!(target_os = "linux") {
+    "Linux"
+  } else {
+    "Unknown"
+  };
+
+  let arch = if cfg!(target_arch = "x86_64") {
+    "x86_64"
+  } else if cfg!(target_arch = "aarch64") {
+    "aarch64"
+  } else {
+    "unknown"
+  };
+
+  SystemInfo {
+    app_version: crate::app_auto_updater::AppAutoUpdater::get_current_version(),
+    os: os.to_string(),
+    arch: arch.to_string(),
+    portable: crate::app_dirs::is_portable(),
+  }
+}
+
 // Global singleton instance
 lazy_static::lazy_static! {
  static ref SETTINGS_MANAGER: SettingsManager = SettingsManager::new();
@@ -230,11 +230,7 @@ impl SyncProgressTracker {
    let elapsed = self.start_time.elapsed().as_secs_f64().max(0.1);
    let speed = (completed_bytes as f64 / elapsed) as u64;
    let remaining_bytes = self.total_bytes.saturating_sub(completed_bytes);
-    let eta = if speed > 0 {
-      remaining_bytes / speed
-    } else {
-      0
-    };
+    let eta = remaining_bytes.checked_div(speed).unwrap_or(0);

    let _ = events::emit(
      "profile-sync-progress",
@@ -2344,7 +2340,18 @@ impl SyncEngine {

    // Verify critical files after download
    let os_crypt_key_path = profile_dir.join("profile").join("os_crypt_key");
-    let cookies_path = profile_dir.join("profile").join("Default").join("Cookies");
+    let cookies_path = {
+      let network = profile_dir
+        .join("profile")
+        .join("Default")
+        .join("Network")
+        .join("Cookies");
+      if network.exists() {
+        network
+      } else {
+        profile_dir.join("profile").join("Default").join("Cookies")
+      }
+    };
    if os_crypt_key_path.exists() {
      let key_data = fs::read(&os_crypt_key_path).unwrap_or_default();
      log::info!(
@@ -344,7 +344,7 @@ impl SyncScheduler {
              }
            }
          }
-          _ = sleep(Duration::from_millis(500)) => {
+          _ = sleep(Duration::from_millis(2000)) => {
            scheduler.process_pending(&app_handle_clone).await;
          }
        }
@@ -716,29 +716,22 @@ impl SyncScheduler {
      match entity_type.as_str() {
        "profile" => {
          let profile_manager = ProfileManager::instance();
-          let profile_to_delete = {
+          let has_profile = {
            if let Ok(profiles) = profile_manager.list_profiles() {
              let profile_uuid = uuid::Uuid::parse_str(&entity_id).ok();
-              profile_uuid.and_then(|uuid| profiles.into_iter().find(|p| p.id == uuid))
+              profile_uuid.is_some_and(|uuid| profiles.iter().any(|p| p.id == uuid))
            } else {
-              None
+              false
            }
          };

-          if let Some(mut profile) = profile_to_delete {
+          if has_profile {
            log::info!(
-              "Profile {} was deleted remotely, disabling sync locally",
+              "Profile {} was deleted remotely, deleting locally",
              entity_id
            );
-            profile.sync_mode = crate::profile::types::SyncMode::Disabled;
-            if let Err(e) = profile_manager.save_profile(&profile) {
-              log::warn!("Failed to disable sync for profile {}: {}", entity_id, e);
-            } else {
-              log::info!(
-                "Profile {} sync disabled due to remote tombstone (local copy kept)",
-                entity_id
-              );
-              let _ = events::emit("profiles-changed", ());
+            if let Err(e) = profile_manager.delete_profile_local_only(&entity_id) {
+              log::warn!("Failed to delete tombstoned profile {}: {}", entity_id, e);
            }
          }
        }
@@ -303,6 +303,11 @@ impl SynchronizerManager {
  }

  /// Bring the leader browser window to front.
+  ///
+  /// On macOS this is a no-op on purpose: the only way to raise another
+  /// app's window from Rust is via `osascript` / Apple Events, which
+  /// triggers the TCC "prevented from modifying other apps" prompt. Donut
+  /// must never touch other apps on the user's Mac.
  async fn focus_leader_window(leader: &BrowserProfile) {
    let profile = match Self::get_profile(&leader.id.to_string()) {
      Ok(p) => p,
@@ -312,18 +317,6 @@ impl SynchronizerManager {
      return;
    };

-    #[cfg(target_os = "macos")]
-    {
-      let _ = tokio::process::Command::new("osascript")
-        .arg("-e")
-        .arg(format!(
-          "tell application \"System Events\" to set frontmost of (first process whose unix id is {}) to true",
-          pid
-        ))
-        .output()
-        .await;
-    }
-
    #[cfg(target_os = "linux")]
    {
      let _ = tokio::process::Command::new("xdotool")
@@ -338,7 +331,7 @@ impl SynchronizerManager {
        .await;
    }

-    #[cfg(target_os = "windows")]
+    #[cfg(not(target_os = "linux"))]
    {
      let _ = pid;
    }
@@ -580,7 +580,9 @@ impl LiveTrafficTracker {
      .profile_id
      .clone()
      .unwrap_or_else(|| self.proxy_id.clone());
-    let session_file = get_traffic_stats_dir().join(format!("{}.session.json", storage_key));
+    let storage_dir = get_traffic_stats_dir();
+    fs::create_dir_all(&storage_dir)?;
+    let session_file = storage_dir.join(format!("{}.session.json", storage_key));

    // Write atomically using a temp file
    let temp_file = session_file.with_extension("tmp");
@@ -761,9 +763,11 @@ impl LiveTrafficTracker {
      .profile_id
      .clone()
      .unwrap_or_else(|| self.proxy_id.clone());
+    let storage_dir = get_traffic_stats_dir();
+    fs::create_dir_all(&storage_dir)?;

    // Use file locking to prevent concurrent writes from multiple proxy processes
-    let lock_path = get_traffic_stats_dir().join(format!("{}.lock", storage_key));
+    let lock_path = storage_dir.join(format!("{}.lock", storage_key));
    let _lock = match acquire_file_lock(&lock_path) {
      Ok(lock) => lock,
      Err(e) => {
@@ -141,11 +141,15 @@ pub fn parse_wireguard_config(content: &str) -> Result<WireGuardConfig, VpnError
  let mut peer: HashMap<String, String> = HashMap::new();
  let mut current_section: Option<&str> = None;

+  // Strip a UTF-8 BOM if present — some editors/tools emit one and it would
+  // otherwise prepend invisible bytes to the first section header
+  let content = content.strip_prefix('\u{feff}').unwrap_or(content);
+
  for line in content.lines() {
    let line = line.trim();

    // Skip empty lines and comments
-    if line.is_empty() || line.starts_with('#') {
+    if line.is_empty() || line.starts_with('#') || line.starts_with(';') {
      continue;
    }

@@ -159,7 +163,7 @@ pub fn parse_wireguard_config(content: &str) -> Result<WireGuardConfig, VpnError
      continue;
    }

-    // Parse key-value pairs
+    // Parse key-value pairs (split on the first `=` so base64 padding is preserved)
    if let Some((key, value)) = line.split_once('=') {
      let key = key.trim().to_string();
      let value = value.trim().to_string();
@@ -181,6 +185,7 @@ pub fn parse_wireguard_config(content: &str) -> Result<WireGuardConfig, VpnError
    .get("PrivateKey")
    .ok_or_else(|| VpnError::InvalidWireGuard("Missing PrivateKey in [Interface]".to_string()))?
    .clone();
+  validate_wireguard_key(&private_key, "PrivateKey")?;

  let address = interface
    .get("Address")
@@ -191,6 +196,7 @@ pub fn parse_wireguard_config(content: &str) -> Result<WireGuardConfig, VpnError
    .get("PublicKey")
    .ok_or_else(|| VpnError::InvalidWireGuard("Missing PublicKey in [Peer]".to_string()))?
    .clone();
+  validate_wireguard_key(&peer_public_key, "PublicKey")?;

  let peer_endpoint = peer
    .get("Endpoint")
@@ -207,6 +213,9 @@ pub fn parse_wireguard_config(content: &str) -> Result<WireGuardConfig, VpnError
  let dns = interface.get("DNS").cloned();
  let mtu = interface.get("MTU").and_then(|s| s.parse().ok());
  let preshared_key = peer.get("PresharedKey").cloned();
+  if let Some(ref psk) = preshared_key {
+    validate_wireguard_key(psk, "PresharedKey")?;
+  }

  Ok(WireGuardConfig {
    private_key,
@@ -221,6 +230,30 @@ pub fn parse_wireguard_config(content: &str) -> Result<WireGuardConfig, VpnError
  })
 }

+/// Validate that a WireGuard key is a base64-encoded 32-byte value.
+/// Reports the field name and a short preview of the bad value so users can
+/// see exactly what went wrong (e.g. a redacted/masked key).
+fn validate_wireguard_key(key: &str, field: &str) -> Result<(), VpnError> {
+  use base64::Engine;
+
+  let decoded = base64::engine::general_purpose::STANDARD
+    .decode(key)
+    .map_err(|e| {
+      let preview: String = key.chars().take(8).collect();
+      VpnError::InvalidWireGuard(format!(
+        "{field} is not valid base64 (starts with {preview:?}): {e}. \
+         Expected a 32-byte base64-encoded key (44 chars ending with '=')."
+      ))
+    })?;
+  if decoded.len() != 32 {
+    return Err(VpnError::InvalidWireGuard(format!(
+      "{field} decoded to {} bytes (expected 32). The config may be truncated or malformed.",
+      decoded.len()
+    )));
+  }
+  Ok(())
+}
+
 /// Parse an OpenVPN configuration file
 pub fn parse_openvpn_config(content: &str) -> Result<OpenVpnConfig, VpnError> {
  let mut remote_host = String::new();
@@ -250,31 +283,23 @@ pub fn parse_openvpn_config(content: &str) -> Result<OpenVpnConfig, VpnError> {
        if parts.len() >= 2 {
          remote_host = parts[1].to_string();
        }
-        if parts.len() >= 3 {
-          if let Ok(port) = parts[2].parse() {
-            remote_port = port;
-          }
+        if let Some(port) = parts.get(2).and_then(|p| p.parse().ok()) {
+          remote_port = port;
        }
        if parts.len() >= 4 {
          protocol = parts[3].to_string();
        }
      }
-      "proto" => {
-        if parts.len() >= 2 {
-          protocol = parts[1].to_string();
-        }
+      "proto" if parts.len() >= 2 => {
+        protocol = parts[1].to_string();
      }
      "port" => {
-        if parts.len() >= 2 {
-          if let Ok(port) = parts[1].parse() {
-            remote_port = port;
-          }
+        if let Some(port) = parts.get(1).and_then(|p| p.parse().ok()) {
+          remote_port = port;
        }
      }
-      "dev" => {
-        if parts.len() >= 2 {
-          dev_type = parts[1].to_string();
-        }
+      "dev" if parts.len() >= 2 => {
+        dev_type = parts[1].to_string();
      }
      _ => {}
    }
@@ -348,13 +373,13 @@ mod tests {
  fn test_parse_wireguard_config() {
    let content = r#"
 [Interface]
-PrivateKey = WGTestPrivateKey123456789012345678901234567890
+PrivateKey = YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWE=
 Address = 10.0.0.2/24
 DNS = 1.1.1.1
 MTU = 1420

 [Peer]
-PublicKey = WGTestPublicKey1234567890123456789012345678901
+PublicKey = YmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmI=
 Endpoint = vpn.example.com:51820
 AllowedIPs = 0.0.0.0/0, ::/0
 PersistentKeepalive = 25
@@ -363,14 +388,14 @@ PersistentKeepalive = 25
    let config = parse_wireguard_config(content).unwrap();
    assert_eq!(
      config.private_key,
-      "WGTestPrivateKey123456789012345678901234567890"
+      "YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWE="
    );
    assert_eq!(config.address, "10.0.0.2/24");
    assert_eq!(config.dns, Some("1.1.1.1".to_string()));
    assert_eq!(config.mtu, Some(1420));
    assert_eq!(
      config.peer_public_key,
-      "WGTestPublicKey1234567890123456789012345678901"
+      "YmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmI="
    );
    assert_eq!(config.peer_endpoint, "vpn.example.com:51820");
    assert_eq!(config.allowed_ips, vec!["0.0.0.0/0", "::/0"]);
@@ -381,20 +406,26 @@ PersistentKeepalive = 25
  fn test_parse_wireguard_config_minimal() {
    let content = r#"
 [Interface]
-PrivateKey = minimalkey
+PrivateKey = YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWE=
 Address = 10.0.0.2/32

 [Peer]
-PublicKey = peerpubkey
+PublicKey = YmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmI=
 Endpoint = 1.2.3.4:51820
 "#;

    let config = parse_wireguard_config(content).unwrap();
-    assert_eq!(config.private_key, "minimalkey");
+    assert_eq!(
+      config.private_key,
+      "YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWE="
+    );
    assert_eq!(config.address, "10.0.0.2/32");
    assert!(config.dns.is_none());
    assert!(config.mtu.is_none());
-    assert_eq!(config.peer_public_key, "peerpubkey");
+    assert_eq!(
+      config.peer_public_key,
+      "YmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmI="
+    );
    assert_eq!(config.peer_endpoint, "1.2.3.4:51820");
  }

@@ -1,8 +1,24 @@
 use super::config::{OpenVpnConfig, VpnError};
-use std::path::PathBuf;
+use std::net::{IpAddr, Ipv4Addr, SocketAddr};
+use std::path::{Path, PathBuf};
 use std::process::{Command, Stdio};
-use tokio::io::{AsyncReadExt, AsyncWriteExt};
-use tokio::net::{TcpListener, TcpStream};
+use std::sync::Arc;
+use tokio::io::{AsyncBufReadExt, AsyncReadExt, AsyncWriteExt, BufReader};
+use tokio::net::{lookup_host, TcpListener, TcpSocket, TcpStream};
+
+const OPENVPN_CONNECT_TIMEOUT_SECS: u64 = 90;
+
+enum SocksTarget {
+  Address(SocketAddr),
+  Domain(String, u16),
+}
+
+#[derive(Debug, Clone, Copy)]
+pub(crate) struct OpenVpnDependencyStatus {
+  pub binary_found: bool,
+  pub missing_windows_adapter: bool,
+  pub dependency_check_failed: bool,
+}

 pub struct OpenVpnSocks5Server {
  config: OpenVpnConfig,
@@ -14,7 +30,168 @@ impl OpenVpnSocks5Server {
    Self { config, port }
  }

-  fn find_openvpn_binary() -> Result<PathBuf, VpnError> {
+  fn read_log_tail(path: &Path, lines: usize) -> String {
+    std::fs::read_to_string(path)
+      .unwrap_or_default()
+      .lines()
+      .rev()
+      .take(lines)
+      .collect::<Vec<_>>()
+      .into_iter()
+      .rev()
+      .collect::<Vec<_>>()
+      .join("\n")
+  }
+
+  fn extract_vpn_ip(line: &str) -> Option<Ipv4Addr> {
+    for field in line.split(',') {
+      let trimmed = field.trim();
+      if let Ok(ip) = trimmed.parse::<Ipv4Addr>() {
+        if ip.is_private() && !ip.is_loopback() {
+          return Some(ip);
+        }
+      }
+    }
+
+    None
+  }
+
+  fn log_indicates_connected(log_content: &str) -> bool {
+    log_content.contains("Initialization Sequence Completed")
+  }
+
+  fn log_indicates_failure(log_content: &str) -> bool {
+    log_content.contains("AUTH_FAILED")
+      || log_content.contains("Exiting due to fatal error")
+      || log_content.contains("Fatal error")
+      || log_content.contains("Options error")
+      || log_content.contains("Exiting")
+  }
+
+  fn has_config_directive(config: &str, directive: &str) -> bool {
+    config.lines().any(|line| {
+      let trimmed = line.trim();
+      !trimmed.is_empty()
+        && !trimmed.starts_with('#')
+        && !trimmed.starts_with(';')
+        && trimmed.starts_with(directive)
+    })
+  }
+
+  fn strip_config_directive(config: &str, directive: &str) -> String {
+    config
+      .lines()
+      .filter(|line| {
+        let trimmed = line.trim();
+        trimmed.is_empty()
+          || trimmed.starts_with('#')
+          || trimmed.starts_with(';')
+          || !trimmed.starts_with(directive)
+      })
+      .collect::<Vec<_>>()
+      .join("\n")
+  }
+
+  fn build_runtime_config(&self) -> String {
+    let mut runtime_config = self.config.raw_config.clone();
+
+    runtime_config = Self::strip_config_directive(&runtime_config, "redirect-gateway");
+    runtime_config = Self::strip_config_directive(&runtime_config, "block-outside-dns");
+    runtime_config = Self::strip_config_directive(&runtime_config, "dhcp-option");
+
+    if !runtime_config.contains("pull-filter ignore \"redirect-gateway\"") {
+      runtime_config.push_str("\npull-filter ignore \"redirect-gateway\"\n");
+    }
+    if !runtime_config.contains("pull-filter ignore \"block-outside-dns\"") {
+      runtime_config.push_str("pull-filter ignore \"block-outside-dns\"\n");
+    }
+    if !runtime_config.contains("pull-filter ignore \"dhcp-option\"") {
+      runtime_config.push_str("pull-filter ignore \"dhcp-option\"\n");
+    }
+
+    if !Self::has_config_directive(&runtime_config, "route 0.0.0.0") {
+      runtime_config.push_str("\nroute 0.0.0.0 0.0.0.0 vpn_gateway 9999\n");
+    }
+
+    #[cfg(windows)]
+    {
+      if Self::has_config_directive(&runtime_config, "dev-node") {
+        runtime_config = runtime_config
+          .lines()
+          .filter(|line| {
+            let trimmed = line.trim();
+            trimmed.is_empty()
+              || trimmed.starts_with('#')
+              || trimmed.starts_with(';')
+              || !trimmed.starts_with("dev-node")
+          })
+          .collect::<Vec<_>>()
+          .join("\n");
+      }
+
+      if !Self::has_config_directive(&runtime_config, "disable-dco") {
+        runtime_config.push_str("\ndisable-dco\n");
+      }
+
+      if self.config.dev_type.starts_with("tun")
+        && !Self::has_config_directive(&runtime_config, "windows-driver")
+      {
+        runtime_config.push_str("\nwindows-driver wintun\n");
+      }
+    }
+
+    runtime_config
+  }
+
+  pub(crate) fn dependency_status() -> OpenVpnDependencyStatus {
+    let Ok(openvpn_bin) = Self::find_openvpn_binary() else {
+      return OpenVpnDependencyStatus {
+        binary_found: false,
+        missing_windows_adapter: false,
+        dependency_check_failed: false,
+      };
+    };
+
+    #[cfg(windows)]
+    {
+      match Self::windows_openvpn_has_adapter(&openvpn_bin) {
+        Ok(has_adapter) => OpenVpnDependencyStatus {
+          binary_found: true,
+          missing_windows_adapter: !has_adapter,
+          dependency_check_failed: false,
+        },
+        Err(_) => OpenVpnDependencyStatus {
+          binary_found: true,
+          missing_windows_adapter: false,
+          dependency_check_failed: true,
+        },
+      }
+    }
+
+    #[cfg(not(windows))]
+    {
+      let _ = openvpn_bin;
+      OpenVpnDependencyStatus {
+        binary_found: true,
+        missing_windows_adapter: false,
+        dependency_check_failed: false,
+      }
+    }
+  }
+
+  pub(crate) fn find_openvpn_binary() -> Result<PathBuf, VpnError> {
+    if let Ok(path) = std::env::var("DONUTBROWSER_OPENVPN_BIN") {
+      let path = PathBuf::from(path);
+      if path.exists() {
+        return Ok(path);
+      }
+
+      return Err(VpnError::Connection(format!(
+        "Configured OpenVPN binary does not exist: {}",
+        path.display()
+      )));
+    }
+
    let locations = [
      "/usr/sbin/openvpn",
      "/usr/local/sbin/openvpn",
@@ -71,12 +248,300 @@ impl OpenVpnSocks5Server {
    ))
  }

+  fn openvpn_supports_management(openvpn_bin: &Path) -> bool {
+    let mut command = Command::new(openvpn_bin);
+    command.arg("--version");
+
+    #[cfg(windows)]
+    {
+      use std::os::windows::process::CommandExt;
+      const CREATE_NO_WINDOW: u32 = 0x08000000;
+      command.creation_flags(CREATE_NO_WINDOW);
+    }
+
+    let Ok(output) = command.output() else {
+      return true;
+    };
+
+    let version_text = format!(
+      "{}{}",
+      String::from_utf8_lossy(&output.stdout),
+      String::from_utf8_lossy(&output.stderr)
+    );
+
+    !version_text.contains("enable_management=no")
+  }
+
+  #[cfg(windows)]
+  pub(crate) fn windows_openvpn_has_adapter(openvpn_bin: &Path) -> Result<bool, VpnError> {
+    use std::os::windows::process::CommandExt;
+    const CREATE_NO_WINDOW: u32 = 0x08000000;
+
+    let output = Command::new(openvpn_bin)
+      .arg("--show-adapters")
+      .creation_flags(CREATE_NO_WINDOW)
+      .output()
+      .map_err(|e| VpnError::Connection(format!("Failed to inspect OpenVPN adapters: {e}")))?;
+
+    let text = format!(
+      "{}{}",
+      String::from_utf8_lossy(&output.stdout),
+      String::from_utf8_lossy(&output.stderr)
+    );
+
+    Ok(
+      text
+        .lines()
+        .map(str::trim)
+        .any(|line| !line.is_empty() && !line.starts_with("Available adapters")),
+    )
+  }
+
+  fn extract_vpn_ip_from_log(log_content: &str) -> Option<Ipv4Addr> {
+    for line in log_content.lines() {
+      if let Some(ip) = Self::extract_vpn_ip(line) {
+        return Some(ip);
+      }
+
+      if let Some(position) = line.find("ifconfig ") {
+        let after = &line[position + "ifconfig ".len()..];
+        if let Some(ip_str) = after
+          .split_whitespace()
+          .next()
+          .or_else(|| after.split(',').next())
+        {
+          if let Ok(ip) = ip_str.parse::<Ipv4Addr>() {
+            if ip.is_private() && !ip.is_loopback() {
+              return Some(ip);
+            }
+          }
+        }
+      }
+    }
+
+    None
+  }
+
+  async fn wait_for_openvpn_ready_via_management(
+    child: &mut std::process::Child,
+    mgmt_port: u16,
+    log_path: &Path,
+  ) -> Result<Option<Ipv4Addr>, VpnError> {
+    let deadline =
+      tokio::time::Instant::now() + tokio::time::Duration::from_secs(OPENVPN_CONNECT_TIMEOUT_SECS);
+
+    let mgmt_stream = loop {
+      if tokio::time::Instant::now() >= deadline {
+        return Err(VpnError::Connection(format!(
+          "Timed out connecting to OpenVPN management interface. Last OpenVPN output:\n{}",
+          Self::read_log_tail(log_path, 20)
+        )));
+      }
+
+      if let Ok(Some(status)) = child.try_wait() {
+        return Err(VpnError::Connection(format!(
+          "OpenVPN exited (status: {}) before the tunnel was established. Last output:\n{}",
+          status,
+          Self::read_log_tail(log_path, 20)
+        )));
+      }
+
+      match TcpStream::connect(("127.0.0.1", mgmt_port)).await {
+        Ok(stream) => break stream,
+        Err(_) => tokio::time::sleep(tokio::time::Duration::from_millis(500)).await,
+      }
+    };
+
+    let (mgmt_reader, mut mgmt_writer) = mgmt_stream.into_split();
+    let _ = mgmt_writer.write_all(b"state on\nstate\n").await;
+
+    let mut lines = BufReader::new(mgmt_reader).lines();
+    let mut interval = tokio::time::interval(tokio::time::Duration::from_secs(1));
+    interval.tick().await;
+
+    let mut vpn_ip = None;
+
+    loop {
+      if tokio::time::Instant::now() >= deadline {
+        return Err(VpnError::Connection(format!(
+          "Timed out waiting for OpenVPN to reach CONNECTED state. Last OpenVPN output:\n{}",
+          Self::read_log_tail(log_path, 20)
+        )));
+      }
+
+      if let Ok(Some(status)) = child.try_wait() {
+        return Err(VpnError::Connection(format!(
+          "OpenVPN exited (status: {}) before connecting. Last output:\n{}",
+          status,
+          Self::read_log_tail(log_path, 20)
+        )));
+      }
+
+      tokio::select! {
+        line_result = lines.next_line() => {
+          match line_result {
+            Ok(Some(line)) => {
+              if let Some(ip) = Self::extract_vpn_ip(&line) {
+                vpn_ip = Some(ip);
+              }
+
+              if line.contains(",CONNECTED,") {
+                break;
+              }
+
+              if line.contains("AUTH_FAILED") {
+                return Err(VpnError::Connection(format!(
+                  "OpenVPN authentication failed. Last output:\n{}",
+                  Self::read_log_tail(log_path, 20)
+                )));
+              }
+
+              if line.contains(",EXITING,") || line.contains(">FATAL:") {
+                return Err(VpnError::Connection(format!(
+                  "OpenVPN is exiting. Last output:\n{}",
+                  Self::read_log_tail(log_path, 20)
+                )));
+              }
+            }
+            Ok(None) => {
+              return Err(VpnError::Connection(format!(
+                "OpenVPN management connection closed before CONNECTED state. Last output:\n{}",
+                Self::read_log_tail(log_path, 20)
+              )));
+            }
+            Err(_) => {}
+          }
+        }
+        _ = interval.tick() => {
+          let _ = mgmt_writer.write_all(b"state\n").await;
+
+          let log_path = log_path.to_path_buf();
+          let log_content = tokio::task::spawn_blocking(move || std::fs::read_to_string(log_path))
+            .await
+            .ok()
+            .and_then(Result::ok);
+
+          if let Some(content) = log_content {
+            if Self::log_indicates_connected(&content) {
+              break;
+            }
+          }
+        }
+      }
+    }
+
+    if vpn_ip.is_none() {
+      if let Ok(log_content) = std::fs::read_to_string(log_path) {
+        vpn_ip = Self::extract_vpn_ip_from_log(&log_content);
+      }
+    }
+
+    Ok(vpn_ip)
+  }
+
+  async fn wait_for_openvpn_ready_via_log(
+    child: &mut std::process::Child,
+    log_path: &Path,
+  ) -> Result<Option<Ipv4Addr>, VpnError> {
+    let deadline =
+      tokio::time::Instant::now() + tokio::time::Duration::from_secs(OPENVPN_CONNECT_TIMEOUT_SECS);
+
+    loop {
+      if tokio::time::Instant::now() >= deadline {
+        return Err(VpnError::Connection(format!(
+          "Timed out waiting for OpenVPN to connect. Last OpenVPN output:\n{}",
+          Self::read_log_tail(log_path, 40)
+        )));
+      }
+
+      if let Ok(Some(status)) = child.try_wait() {
+        return Err(VpnError::Connection(format!(
+          "OpenVPN exited (status: {}) before connecting. Last output:\n{}",
+          status,
+          Self::read_log_tail(log_path, 40)
+        )));
+      }
+
+      let log_path_buf = log_path.to_path_buf();
+      let log_content = tokio::task::spawn_blocking(move || std::fs::read_to_string(log_path_buf))
+        .await
+        .ok()
+        .and_then(Result::ok)
+        .unwrap_or_default();
+
+      if Self::log_indicates_connected(&log_content) {
+        return Ok(Self::extract_vpn_ip_from_log(&log_content));
+      }
+
+      if Self::log_indicates_failure(&log_content) {
+        return Err(VpnError::Connection(format!(
+          "OpenVPN reported a fatal error while connecting. Last output:\n{}",
+          Self::read_log_tail(log_path, 40)
+        )));
+      }
+
+      tokio::time::sleep(tokio::time::Duration::from_millis(500)).await;
+    }
+  }
+
+  async fn connect_target(
+    target: SocksTarget,
+    vpn_bind_ip: Ipv4Addr,
+  ) -> Result<(TcpStream, SocketAddr), Box<dyn std::error::Error + Send + Sync>> {
+    let mut addresses = match target {
+      SocksTarget::Address(addr) => vec![addr],
+      SocksTarget::Domain(host, port) => {
+        let mut resolved = lookup_host((host.as_str(), port))
+          .await?
+          .collect::<Vec<_>>();
+        resolved.sort_by_key(|addr| if addr.is_ipv4() { 0 } else { 1 });
+        resolved
+      }
+    };
+
+    if addresses.is_empty() {
+      return Err("No addresses resolved for SOCKS5 target".into());
+    }
+
+    let mut last_error = None;
+
+    for address in addresses.drain(..) {
+      let socket = if address.is_ipv4() {
+        let socket = TcpSocket::new_v4()?;
+        if !vpn_bind_ip.is_unspecified() {
+          socket.bind(SocketAddr::new(IpAddr::V4(vpn_bind_ip), 0))?;
+        }
+        socket
+      } else {
+        TcpSocket::new_v6()?
+      };
+
+      match socket.connect(address).await {
+        Ok(stream) => return Ok((stream, address)),
+        Err(error) => last_error = Some(error),
+      }
+    }
+
+    Err(
+      last_error
+        .map(|error| error.into())
+        .unwrap_or_else(|| "Failed to connect to any resolved SOCKS5 target".into()),
+    )
+  }
+
  pub async fn run(self, config_id: String) -> Result<(), VpnError> {
    let openvpn_bin = Self::find_openvpn_binary()?;
+    let supports_management = Self::openvpn_supports_management(&openvpn_bin);
+
+    #[cfg(windows)]
+    if !Self::windows_openvpn_has_adapter(&openvpn_bin)? {
+      return Err(VpnError::Connection(
+        "OpenVPN requires a TAP/Wintun/ovpn-dco adapter on Windows, but none were found. Install or provision an adapter before connecting.".to_string(),
+      ));
+    }

-    // Write config to temp file
    let config_path = std::env::temp_dir().join(format!("openvpn_{}.ovpn", config_id));
-    std::fs::write(&config_path, &self.config.raw_config).map_err(VpnError::Io)?;
+    std::fs::write(&config_path, self.build_runtime_config()).map_err(VpnError::Io)?;

    #[cfg(unix)]
    {
@@ -84,43 +549,74 @@ impl OpenVpnSocks5Server {
      let _ = std::fs::set_permissions(&config_path, std::fs::Permissions::from_mode(0o600));
    }

-    // Find a management port
-    let mgmt_listener = std::net::TcpListener::bind("127.0.0.1:0")
-      .map_err(|e| VpnError::Connection(format!("Failed to bind management port: {e}")))?;
-    let mgmt_port = mgmt_listener
-      .local_addr()
-      .map_err(|e| VpnError::Connection(format!("Failed to get management port: {e}")))?
-      .port();
-    drop(mgmt_listener);
+    let mgmt_port = if supports_management {
+      let mgmt_listener = std::net::TcpListener::bind("127.0.0.1:0")
+        .map_err(|e| VpnError::Connection(format!("Failed to bind management port: {e}")))?;
+      let port = mgmt_listener
+        .local_addr()
+        .map_err(|e| VpnError::Connection(format!("Failed to get management port: {e}")))?
+        .port();
+      drop(mgmt_listener);
+      Some(port)
+    } else {
+      log::info!(
+        "[vpn-worker] OpenVPN build does not support management; using log-based readiness"
+      );
+      None
+    };
+
+    let openvpn_log_path = std::env::temp_dir().join(format!("openvpn-{}.log", config_id));
+    let log_file = std::fs::OpenOptions::new()
+      .create(true)
+      .write(true)
+      .truncate(true)
+      .open(&openvpn_log_path)
+      .map_err(VpnError::Io)?;

-    // Start OpenVPN with SOCKS proxy mode
    let mut cmd = Command::new(&openvpn_bin);
+    cmd.arg("--config").arg(&config_path);
+    if let Some(mgmt_port) = mgmt_port {
+      cmd
+        .arg("--management")
+        .arg("127.0.0.1")
+        .arg(mgmt_port.to_string());
+    }
    cmd
-      .arg("--config")
-      .arg(&config_path)
-      .arg("--management")
-      .arg("127.0.0.1")
-      .arg(mgmt_port.to_string())
-      .arg("--socks-proxy")
-      .arg("127.0.0.1")
-      .arg(self.port.to_string())
      .arg("--verb")
      .arg("3")
-      .stdout(Stdio::piped())
-      .stderr(Stdio::piped());
+      .stdout(
+        log_file
+          .try_clone()
+          .map(Stdio::from)
+          .map_err(VpnError::Io)?,
+      )
+      .stderr(Stdio::from(log_file));
+
+    #[cfg(windows)]
+    {
+      use std::os::windows::process::CommandExt;
+      const CREATE_NO_WINDOW: u32 = 0x08000000;
+
+      cmd.arg("--disable-dco");
+      if self.config.dev_type.starts_with("tun") {
+        cmd.arg("--windows-driver").arg("wintun");
+      }
+      cmd.creation_flags(CREATE_NO_WINDOW);
+    }

    let mut child = cmd
      .spawn()
      .map_err(|e| VpnError::Connection(format!("Failed to start OpenVPN: {e}")))?;

-    // Wait for OpenVPN to start
-    tokio::time::sleep(tokio::time::Duration::from_secs(3)).await;
+    tokio::time::sleep(tokio::time::Duration::from_secs(2)).await;

    match child.try_wait() {
      Ok(Some(status)) => {
        let _ = std::fs::remove_file(&config_path);
        return Err(VpnError::Connection(format!(
-          "OpenVPN exited early with status: {status}. OpenVPN requires elevated privileges (sudo/admin)."
+          "OpenVPN exited immediately (status: {}). Last output:\n{}",
+          status,
+          Self::read_log_tail(&openvpn_log_path, 20)
        )));
      }
      Ok(None) => {}
@@ -132,8 +628,15 @@ impl OpenVpnSocks5Server {
      }
    }

-    // Start a basic SOCKS5 proxy that tunnels through the OpenVPN TUN interface
-    let listener = TcpListener::bind(format!("127.0.0.1:{}", self.port))
+    let vpn_bind_ip = if let Some(mgmt_port) = mgmt_port {
+      Self::wait_for_openvpn_ready_via_management(&mut child, mgmt_port, &openvpn_log_path).await?
+    } else {
+      Self::wait_for_openvpn_ready_via_log(&mut child, &openvpn_log_path).await?
+    }
+    .unwrap_or(Ipv4Addr::UNSPECIFIED);
+    let vpn_bind_ip = Arc::new(vpn_bind_ip);
+
+    let listener = TcpListener::bind(("127.0.0.1", self.port))
      .await
      .map_err(|e| VpnError::Connection(format!("Failed to bind SOCKS5: {e}")))?;

@@ -142,10 +645,10 @@ impl OpenVpnSocks5Server {
      .map_err(|e| VpnError::Connection(format!("Failed to get local addr: {e}")))?
      .port();

-    if let Some(mut wc) = crate::vpn_worker_storage::get_vpn_worker_config(&config_id) {
-      wc.local_port = Some(actual_port);
-      wc.local_url = Some(format!("socks5://127.0.0.1:{}", actual_port));
-      let _ = crate::vpn_worker_storage::save_vpn_worker_config(&wc);
+    if let Some(mut worker_config) = crate::vpn_worker_storage::get_vpn_worker_config(&config_id) {
+      worker_config.local_port = Some(actual_port);
+      worker_config.local_url = Some(format!("socks5://127.0.0.1:{}", actual_port));
+      let _ = crate::vpn_worker_storage::save_vpn_worker_config(&worker_config);
    }

    log::info!(
@@ -156,10 +659,13 @@ impl OpenVpnSocks5Server {
    loop {
      match listener.accept().await {
        Ok((client, _)) => {
-          tokio::spawn(Self::handle_socks5_client(client));
+          let bind_ip = vpn_bind_ip.clone();
+          tokio::spawn(async move {
+            let _ = Self::handle_socks5_client(client, bind_ip).await;
+          });
        }
-        Err(e) => {
-          log::warn!("[vpn-worker] Accept error: {e}");
+        Err(error) => {
+          log::warn!("[vpn-worker] Accept error: {error}");
        }
      }
    }
@@ -167,53 +673,119 @@ impl OpenVpnSocks5Server {

  async fn handle_socks5_client(
    mut client: TcpStream,
+    vpn_bind_ip: Arc<Ipv4Addr>,
  ) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
-    // SOCKS5 greeting
-    let mut buf = [0u8; 256];
-    let n = client.read(&mut buf).await?;
-    if n < 3 || buf[0] != 0x05 {
+    let mut greeting = [0u8; 2];
+    if let Err(error) = client.read_exact(&mut greeting).await {
+      if error.kind() != std::io::ErrorKind::UnexpectedEof {
+        log::debug!("[socks5] Failed to read greeting header: {}", error);
+      }
      return Ok(());
    }
+
+    if greeting[0] != 0x05 {
+      return Ok(());
+    }
+
+    let mut methods = vec![0u8; greeting[1] as usize];
+    if let Err(error) = client.read_exact(&mut methods).await {
+      if error.kind() != std::io::ErrorKind::UnexpectedEof {
+        log::debug!("[socks5] Failed to read methods list: {}", error);
+      }
+      return Ok(());
+    }
+
    client.write_all(&[0x05, 0x00]).await?;

-    // SOCKS5 connect request
-    let n = client.read(&mut buf).await?;
-    if n < 10 || buf[0] != 0x05 || buf[1] != 0x01 {
+    let mut request_header = [0u8; 4];
+    if let Err(error) = client.read_exact(&mut request_header).await {
+      if error.kind() != std::io::ErrorKind::UnexpectedEof {
+        log::debug!("[socks5] Failed to read request header: {}", error);
+      }
      return Ok(());
    }

-    let dest_addr = match buf[3] {
+    if request_header[0] != 0x05 {
+      return Ok(());
+    }
+
+    if request_header[1] != 0x01 {
+      let _ = client
+        .write_all(&[0x05, 0x07, 0x00, 0x01, 0, 0, 0, 0, 0, 0])
+        .await;
+      return Ok(());
+    }
+
+    let target = match request_header[3] {
      0x01 => {
-        let ip = std::net::Ipv4Addr::new(buf[4], buf[5], buf[6], buf[7]);
-        let port = u16::from_be_bytes([buf[8], buf[9]]);
-        format!("{}:{}", ip, port)
+        let mut addr_port = [0u8; 6];
+        client.read_exact(&mut addr_port).await?;
+        SocksTarget::Address(SocketAddr::new(
+          IpAddr::V4(Ipv4Addr::new(
+            addr_port[0],
+            addr_port[1],
+            addr_port[2],
+            addr_port[3],
+          )),
+          u16::from_be_bytes([addr_port[4], addr_port[5]]),
+        ))
      }
      0x03 => {
-        let domain_len = buf[4] as usize;
-        let domain = String::from_utf8_lossy(&buf[5..5 + domain_len]).to_string();
-        let port_start = 5 + domain_len;
-        let port = u16::from_be_bytes([buf[port_start], buf[port_start + 1]]);
-        format!("{}:{}", domain, port)
+        let mut len = [0u8; 1];
+        client.read_exact(&mut len).await?;
+        if len[0] == 0 {
+          return Ok(());
+        }
+
+        let mut domain = vec![0u8; len[0] as usize];
+        client.read_exact(&mut domain).await?;
+
+        let mut port = [0u8; 2];
+        client.read_exact(&mut port).await?;
+
+        SocksTarget::Domain(
+          String::from_utf8_lossy(&domain).to_string(),
+          u16::from_be_bytes(port),
+        )
+      }
+      0x04 => {
+        let mut addr_port = [0u8; 18];
+        client.read_exact(&mut addr_port).await?;
+
+        let mut octets = [0u8; 16];
+        octets.copy_from_slice(&addr_port[..16]);
+
+        SocksTarget::Address(SocketAddr::new(
+          IpAddr::V6(std::net::Ipv6Addr::from(octets)),
+          u16::from_be_bytes([addr_port[16], addr_port[17]]),
+        ))
+      }
+      _ => {
+        let _ = client
+          .write_all(&[0x05, 0x08, 0x00, 0x01, 0, 0, 0, 0, 0, 0])
+          .await;
+        return Ok(());
      }
-      _ => return Ok(()),
    };

-    // Connect to destination through OpenVPN tunnel (OS routing handles it)
-    match TcpStream::connect(&dest_addr).await {
-      Ok(upstream) => {
+    match Self::connect_target(target, *vpn_bind_ip).await {
+      Ok((upstream, _address)) => {
        client
          .write_all(&[0x05, 0x00, 0x00, 0x01, 127, 0, 0, 1, 0, 0])
          .await?;

-        let (mut cr, mut cw) = client.into_split();
-        let (mut ur, mut uw) = upstream.into_split();
+        let (mut client_read, mut client_write) = client.into_split();
+        let (mut upstream_read, mut upstream_write) = upstream.into_split();

-        let c2u = tokio::io::copy(&mut cr, &mut uw);
-        let u2c = tokio::io::copy(&mut ur, &mut cw);
-
-        let _ = tokio::try_join!(c2u, u2c);
+        let client_to_upstream = tokio::io::copy(&mut client_read, &mut upstream_write);
+        let upstream_to_client = tokio::io::copy(&mut upstream_read, &mut client_write);
+        let _ = tokio::try_join!(client_to_upstream, upstream_to_client)?;
      }
-      Err(_) => {
+      Err(error) => {
+        log::debug!(
+          "[socks5] Failed to connect through OpenVPN tunnel: {}",
+          error
+        );
        client
          .write_all(&[0x05, 0x05, 0x00, 0x01, 0, 0, 0, 0, 0, 0])
          .await?;
@@ -240,58 +240,77 @@ impl WireGuardSocks5Server {
    socket: &UdpSocket,
    peer_addr: SocketAddr,
  ) -> Result<(), VpnError> {
-    let mut dst = vec![0u8; 2048];
-    let result = tunn.format_handshake_initiation(&mut dst, false);
-
-    match result {
-      TunnResult::WriteToNetwork(packet) => {
-        socket
-          .send_to(packet, peer_addr)
-          .map_err(|e| VpnError::Connection(format!("Failed to send handshake: {e}")))?;
-      }
-      TunnResult::Err(e) => {
-        return Err(VpnError::Tunnel(format!(
-          "Handshake initiation failed: {e:?}"
-        )));
-      }
-      _ => {}
-    }
-
    socket
-      .set_read_timeout(Some(std::time::Duration::from_secs(10)))
+      .set_read_timeout(Some(std::time::Duration::from_secs(5)))
      .map_err(|e| VpnError::Connection(format!("Failed to set timeout: {e}")))?;

-    let mut recv_buf = vec![0u8; 2048];
-    match socket.recv_from(&mut recv_buf) {
-      Ok((len, _)) => {
-        let result = tunn.decapsulate(None, &recv_buf[..len], &mut dst);
-        match result {
-          TunnResult::WriteToNetwork(response) => {
-            socket
-              .send_to(response, peer_addr)
-              .map_err(|e| VpnError::Connection(format!("Failed to send response: {e}")))?;
-          }
-          TunnResult::Done => {}
-          TunnResult::Err(e) => {
-            return Err(VpnError::Tunnel(format!(
-              "Handshake response failed: {e:?}"
-            )));
-          }
-          _ => {}
+    // WireGuard handshakes use UDP which can silently lose packets, especially
+    // through Docker port-forwarding layers. Retry the handshake initiation up
+    // to 5 times (25s total) before giving up — the protocol is designed for
+    // retransmission and peers handle duplicate initiations correctly.
+    let max_attempts = 5;
+    let mut last_error = String::from("no handshake attempt completed");
+
+    for attempt in 1..=max_attempts {
+      let mut dst = vec![0u8; 2048];
+      let result = tunn.format_handshake_initiation(&mut dst, false);
+
+      match result {
+        TunnResult::WriteToNetwork(packet) => {
+          socket
+            .send_to(packet, peer_addr)
+            .map_err(|e| VpnError::Connection(format!("Failed to send handshake: {e}")))?;
        }
+        TunnResult::Err(e) => {
+          return Err(VpnError::Tunnel(format!(
+            "Handshake initiation failed: {e:?}"
+          )));
+        }
+        _ => {}
      }
-      Err(e) => {
-        return Err(VpnError::Connection(format!(
-          "Handshake timeout or error: {e}"
-        )));
+
+      let mut recv_buf = vec![0u8; 2048];
+      match socket.recv_from(&mut recv_buf) {
+        Ok((len, _)) => {
+          let result = tunn.decapsulate(None, &recv_buf[..len], &mut dst);
+          match result {
+            TunnResult::WriteToNetwork(response) => {
+              socket
+                .send_to(response, peer_addr)
+                .map_err(|e| VpnError::Connection(format!("Failed to send response: {e}")))?;
+            }
+            TunnResult::Done => {}
+            TunnResult::Err(e) => {
+              last_error = format!("handshake response error: {e:?}");
+              log::warn!(
+                "[vpn-worker] Handshake attempt {attempt}/{max_attempts} failed: {last_error}"
+              );
+              continue;
+            }
+            _ => {}
+          }
+
+          socket
+            .set_read_timeout(None)
+            .map_err(|e| VpnError::Connection(format!("Failed to clear timeout: {e}")))?;
+          return Ok(());
+        }
+        Err(e) if attempt < max_attempts => {
+          log::warn!(
+            "[vpn-worker] Handshake attempt {attempt}/{max_attempts} timed out: {e}, retrying"
+          );
+          last_error = format!("timeout: {e}");
+          continue;
+        }
+        Err(e) => {
+          last_error = format!("timeout: {e}");
+        }
      }
    }

-    socket
-      .set_read_timeout(None)
-      .map_err(|e| VpnError::Connection(format!("Failed to clear timeout: {e}")))?;
-
-    Ok(())
+    Err(VpnError::Connection(format!(
+      "Handshake failed after {max_attempts} attempts: {last_error}"
+    )))
  }

  pub async fn run(self, config_id: String) -> Result<(), VpnError> {
@@ -370,6 +389,8 @@ impl WireGuardSocks5Server {
      smol_handle: SocketHandle,
      tcp_stream: TcpStream,
      socks_done: bool,
+      connecting: bool,
+      greeting_done: bool,
      read_buf: Vec<u8>,
      dest_addr: Option<SocketAddr>,
    }
@@ -391,6 +412,8 @@ impl WireGuardSocks5Server {
          smol_handle: handle,
          tcp_stream: stream,
          socks_done: false,
+          connecting: false,
+          greeting_done: false,
          read_buf: Vec::new(),
          dest_addr: None,
        });
@@ -409,7 +432,30 @@ impl WireGuardSocks5Server {
      // Process each connection
      let mut completed = Vec::new();
      for (idx, conn) in connections.iter_mut().enumerate() {
-        if !conn.socks_done {
+        if conn.connecting {
+          let socket = sockets.get_mut::<TcpSocket>(conn.smol_handle);
+          if socket.may_send() {
+            let _ = conn.tcp_stream.try_write(&[
+              0x05,
+              0x00,
+              0x00,
+              0x01,
+              127,
+              0,
+              0,
+              1,
+              (actual_port >> 8) as u8,
+              (actual_port & 0xff) as u8,
+            ]);
+            conn.connecting = false;
+            conn.socks_done = true;
+          } else if !socket.is_open() {
+            let _ = conn
+              .tcp_stream
+              .try_write(&[0x05, 0x05, 0x00, 0x01, 0, 0, 0, 0, 0, 0]);
+            completed.push(idx);
+          }
+        } else if !conn.socks_done {
          // Handle SOCKS5 handshake
          let mut buf = [0u8; 512];
          match conn.tcp_stream.try_read(&mut buf) {
@@ -427,19 +473,26 @@ impl WireGuardSocks5Server {
            }
          }

-          if conn.dest_addr.is_none() && conn.read_buf.len() >= 3 {
+          if !conn.greeting_done && conn.read_buf.len() >= 3 {
            // SOCKS5 greeting: version, nmethods, methods
            if conn.read_buf[0] != 0x05 {
              completed.push(idx);
              continue;
            }
-            // Reply: no auth required
-            let _ = conn.tcp_stream.try_write(&[0x05, 0x00]);
            let nmethods = conn.read_buf[1] as usize;
+            if conn.read_buf.len() < 2 + nmethods {
+              continue;
+            }
+            // Reply: no auth required
+            if conn.tcp_stream.try_write(&[0x05, 0x00]).is_err() {
+              completed.push(idx);
+              continue;
+            }
            conn.read_buf.drain(..2 + nmethods);
+            conn.greeting_done = true;
          }

-          if conn.dest_addr.is_none() && conn.read_buf.len() >= 10 {
+          if conn.greeting_done && conn.dest_addr.is_none() && conn.read_buf.len() >= 10 {
            // SOCKS5 connect request
            if conn.read_buf[0] != 0x05 || conn.read_buf[1] != 0x01 {
              completed.push(idx);
@@ -539,20 +592,7 @@ impl WireGuardSocks5Server {
              continue;
            }

-            // Send SOCKS5 success reply
-            let _ = conn.tcp_stream.try_write(&[
-              0x05,
-              0x00,
-              0x00,
-              0x01,
-              127,
-              0,
-              0,
-              1,
-              (actual_port >> 8) as u8,
-              (actual_port & 0xff) as u8,
-            ]);
-            conn.socks_done = true;
+            conn.connecting = true;
          }
        } else {
          // Data relay between SOCKS5 client and smoltcp socket
@@ -582,12 +622,10 @@ impl WireGuardSocks5Server {
          // smoltcp → Client
          if socket.can_recv() {
            match socket.recv(|data| (data.len(), data.to_vec())) {
-              Ok(data) if !data.is_empty() => {
-                if conn.tcp_stream.try_write(&data).is_err() {
-                  socket.close();
-                  completed.push(idx);
-                  continue;
-                }
+              Ok(data) if !data.is_empty() && conn.tcp_stream.try_write(&data).is_err() => {
+                socket.close();
+                completed.push(idx);
+                continue;
              }
              _ => {}
            }
@@ -1,16 +1,130 @@
+use crate::proxy_runner::find_sidecar_executable;
 use crate::proxy_storage::is_process_running;
 use crate::vpn_worker_storage::{
  delete_vpn_worker_config, find_vpn_worker_by_vpn_id, generate_vpn_worker_id,
-  get_vpn_worker_config, list_vpn_worker_configs, save_vpn_worker_config, VpnWorkerConfig,
+  get_vpn_worker_config, list_vpn_worker_configs, save_vpn_worker_config, vpn_worker_config_path,
+  VpnWorkerConfig,
 };
 use std::process::Stdio;

+const VPN_WORKER_POLL_INTERVAL_MS: u64 = 100;
+const VPN_WORKER_STARTUP_TIMEOUT_MS: u64 = 30_000;
+const OPENVPN_WORKER_STARTUP_TIMEOUT_MS: u64 = 100_000;
+
+async fn vpn_worker_accepting_connections(config: &VpnWorkerConfig) -> bool {
+  let Some(port) = config.local_port else {
+    return false;
+  };
+
+  if config
+    .local_url
+    .as_ref()
+    .is_none_or(|local_url| local_url.is_empty())
+  {
+    return false;
+  }
+
+  matches!(
+    tokio::time::timeout(
+      tokio::time::Duration::from_millis(VPN_WORKER_POLL_INTERVAL_MS),
+      tokio::net::TcpStream::connect(("127.0.0.1", port)),
+    )
+    .await,
+    Ok(Ok(_))
+  )
+}
+
+fn worker_log_path(id: &str) -> std::path::PathBuf {
+  std::env::temp_dir().join(format!("donut-vpn-{}.log", id))
+}
+
+fn read_worker_log(id: &str) -> String {
+  std::fs::read_to_string(worker_log_path(id)).unwrap_or_else(|_| "No log available".to_string())
+}
+
+async fn wait_for_vpn_worker_ready(
+  id: &str,
+  vpn_type: &str,
+) -> Result<VpnWorkerConfig, Box<dyn std::error::Error>> {
+  let startup_timeout = if vpn_type == "openvpn" {
+    tokio::time::Duration::from_millis(OPENVPN_WORKER_STARTUP_TIMEOUT_MS)
+  } else {
+    tokio::time::Duration::from_millis(VPN_WORKER_STARTUP_TIMEOUT_MS)
+  };
+  let startup_deadline = tokio::time::Instant::now() + startup_timeout;
+
+  tokio::time::sleep(tokio::time::Duration::from_millis(
+    VPN_WORKER_POLL_INTERVAL_MS,
+  ))
+  .await;
+
+  let mut attempts = 0u32;
+
+  loop {
+    tokio::time::sleep(tokio::time::Duration::from_millis(
+      VPN_WORKER_POLL_INTERVAL_MS,
+    ))
+    .await;
+
+    if let Some(updated_config) = get_vpn_worker_config(id) {
+      let process_running = updated_config.pid.map(is_process_running).unwrap_or(false);
+
+      if !process_running && attempts > 2 {
+        let log_output = read_worker_log(id);
+        delete_vpn_worker_config(id);
+        return Err(format!("VPN worker process crashed. Log output:\n{}", log_output).into());
+      }
+
+      if vpn_worker_accepting_connections(&updated_config).await {
+        return Ok(updated_config);
+      }
+    }
+
+    attempts += 1;
+    if tokio::time::Instant::now() >= startup_deadline {
+      if let Some(config) = get_vpn_worker_config(id) {
+        let process_running = config.pid.map(is_process_running).unwrap_or(false);
+        let log_output = read_worker_log(id);
+        delete_vpn_worker_config(id);
+        return Err(
+          format!(
+            "VPN worker failed to start within {:.1}s. pid={:?}, process_running={}, local_url={:?}\n\nVPN worker log:\n{}",
+            startup_timeout.as_secs_f32(),
+            config.pid,
+            process_running,
+            config.local_url,
+            log_output
+          )
+          .into(),
+        );
+      }
+
+      delete_vpn_worker_config(id);
+      return Err("VPN worker config not found after spawn".into());
+    }
+  }
+}
+
 pub async fn start_vpn_worker(vpn_id: &str) -> Result<VpnWorkerConfig, Box<dyn std::error::Error>> {
+  for config in list_vpn_worker_configs() {
+    if let Some(pid) = config.pid {
+      if !is_process_running(pid) {
+        delete_vpn_worker_config(&config.id);
+      }
+    } else {
+      delete_vpn_worker_config(&config.id);
+    }
+  }
+
  // Check if a VPN worker for this vpn_id already exists and is running
  if let Some(existing) = find_vpn_worker_by_vpn_id(vpn_id) {
    if let Some(pid) = existing.pid {
      if is_process_running(pid) {
-        return Ok(existing);
+        if vpn_worker_accepting_connections(&existing).await {
+          return Ok(existing);
+        }
+
+        return wait_for_vpn_worker_ready(&existing.id, &existing.vpn_type).await;
      }
    }
    // Worker config exists but process is dead, clean up
@@ -62,8 +176,10 @@ pub async fn start_vpn_worker(vpn_id: &str) -> Result<VpnWorkerConfig, Box<dyn s
  );
  save_vpn_worker_config(&config)?;

+  let config_json_path = vpn_worker_config_path(&id);
+
  // Spawn detached VPN worker process
-  let exe = std::env::current_exe()?;
+  let exe = find_sidecar_executable("donut-proxy")?;

  #[cfg(unix)]
  {
@@ -77,6 +193,8 @@ pub async fn start_vpn_worker(vpn_id: &str) -> Result<VpnWorkerConfig, Box<dyn s
    cmd.arg(&id);
    cmd.arg("--port");
    cmd.arg(local_port.to_string());
+    cmd.arg("--config-path");
+    cmd.arg(&config_json_path);

    cmd.stdin(Stdio::null());
    cmd.stdout(Stdio::null());
@@ -122,6 +240,8 @@ pub async fn start_vpn_worker(vpn_id: &str) -> Result<VpnWorkerConfig, Box<dyn s
    cmd.arg(&id);
    cmd.arg("--port");
    cmd.arg(local_port.to_string());
+    cmd.arg("--config-path");
+    cmd.arg(&config_json_path);

    cmd.stdin(Stdio::null());
    cmd.stdout(Stdio::null());
@@ -136,7 +256,8 @@ pub async fn start_vpn_worker(vpn_id: &str) -> Result<VpnWorkerConfig, Box<dyn s

    const DETACHED_PROCESS: u32 = 0x00000008;
    const CREATE_NEW_PROCESS_GROUP: u32 = 0x00000200;
-    cmd.creation_flags(DETACHED_PROCESS | CREATE_NEW_PROCESS_GROUP);
+    const CREATE_NO_WINDOW: u32 = 0x08000000;
+    cmd.creation_flags(DETACHED_PROCESS | CREATE_NEW_PROCESS_GROUP | CREATE_NO_WINDOW);

    let child = cmd.spawn()?;
    let pid = child.id();
@@ -149,50 +270,7 @@ pub async fn start_vpn_worker(vpn_id: &str) -> Result<VpnWorkerConfig, Box<dyn s
    drop(child);
  }

-  // Wait for the worker to update config with local_url
-  tokio::time::sleep(tokio::time::Duration::from_millis(100)).await;
-
-  let mut attempts = 0;
-  let max_attempts = 100; // 10 seconds max
-
-  loop {
-    tokio::time::sleep(tokio::time::Duration::from_millis(100)).await;
-
-    if let Some(updated_config) = get_vpn_worker_config(&id) {
-      if let Some(ref local_url) = updated_config.local_url {
-        if !local_url.is_empty() {
-          if let Some(port) = updated_config.local_port {
-            if let Ok(Ok(_)) = tokio::time::timeout(
-              tokio::time::Duration::from_millis(100),
-              tokio::net::TcpStream::connect(("127.0.0.1", port)),
-            )
-            .await
-            {
-              return Ok(updated_config);
-            }
-          }
-        }
-      }
-    }
-
-    attempts += 1;
-    if attempts >= max_attempts {
-      if let Some(config) = get_vpn_worker_config(&id) {
-        let process_running = config.pid.map(is_process_running).unwrap_or(false);
-        // Clean up on failure
-        delete_vpn_worker_config(&id);
-        return Err(
-          format!(
-            "VPN worker failed to start in time. pid={:?}, process_running={}, local_url={:?}",
-            config.pid, process_running, config.local_url
-          )
-          .into(),
-        );
-      }
-      delete_vpn_worker_config(&id);
-      return Err("VPN worker config not found after spawn".into());
-    }
-  }
+  wait_for_vpn_worker_ready(&id, vpn_type_str).await
 }

 pub async fn stop_vpn_worker(id: &str) -> Result<bool, Box<dyn std::error::Error>> {
@@ -27,6 +27,10 @@ impl VpnWorkerConfig {
  }
 }

+pub fn vpn_worker_config_path(id: &str) -> std::path::PathBuf {
+  get_storage_dir().join(format!("vpn_worker_{}.json", id))
+}
+
 pub fn save_vpn_worker_config(config: &VpnWorkerConfig) -> Result<(), Box<dyn std::error::Error>> {
  let storage_dir = get_storage_dir();
  fs::create_dir_all(&storage_dir)?;
@@ -1,5 +1,6 @@
 use crate::browser_runner::BrowserRunner;
 use crate::profile::BrowserProfile;
+use playwright::api::Playwright;
 use reqwest::Client;
 use serde::{Deserialize, Serialize};
 use serde_json::json;
@@ -53,14 +54,14 @@ pub struct WayfernLaunchResult {
  pub cdp_port: Option<u16>,
 }

-#[derive(Debug)]
 struct WayfernInstance {
-  #[allow(dead_code)]
  id: String,
  process_id: Option<u32>,
  profile_path: Option<String>,
  url: Option<String>,
  cdp_port: Option<u16>,
+  playwright_context: Option<playwright::api::BrowserContext>,
+  playwright_runtime: Option<Playwright>,
 }

 struct WayfernManagerInner {
@@ -86,10 +87,23 @@ impl WayfernManager {
      inner: Arc::new(AsyncMutex::new(WayfernManagerInner {
        instances: HashMap::new(),
      })),
-      http_client: Client::new(),
+      http_client: Client::builder()
+        .timeout(Duration::from_secs(2))
+        .build()
+        .expect("Failed to build reqwest client for wayfern_manager"),
    }
  }

+  async fn create_playwright(
+    &self,
+  ) -> Result<Playwright, Box<dyn std::error::Error + Send + Sync>> {
+    Playwright::initialize()
+      .await
+      .map_err(|e| -> Box<dyn std::error::Error + Send + Sync> {
+        format!("Failed to initialize Playwright: {e}").into()
+      })
+  }
+
  pub fn instance() -> &'static WayfernManager {
    &WAYFERN_MANAGER
  }
@@ -136,22 +150,34 @@ impl WayfernManager {
    port: u16,
  ) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
    let url = format!("http://127.0.0.1:{port}/json/version");
-    let max_attempts = 50;
-    let delay = Duration::from_millis(100);
+    // On first launch, macOS Gatekeeper verifies the binary which can take 30+ seconds.
+    // Use a generous timeout (60s) to handle this.
+    let max_attempts = 120;
+    let delay = Duration::from_millis(500);

+    let mut last_error: Option<String> = None;
    for attempt in 0..max_attempts {
      match self.http_client.get(&url).send().await {
        Ok(resp) if resp.status().is_success() => {
          log::info!("CDP ready on port {port} after {attempt} attempts");
          return Ok(());
        }
-        _ => {
+        Ok(resp) => {
+          last_error = Some(format!("HTTP {} from {url}", resp.status()));
+          tokio::time::sleep(delay).await;
+        }
+        Err(e) => {
+          last_error = Some(format!("request failed: {e}"));
          tokio::time::sleep(delay).await;
        }
      }
    }

-    Err(format!("CDP not ready after {max_attempts} attempts on port {port}").into())
+    let detail = last_error.unwrap_or_else(|| "no attempts completed".to_string());
+    // Log at error level so we can diagnose Windows/AV/firewall-induced CDP hangs
+    // in customer reports without needing them to reproduce in the moment.
+    log::error!("CDP not ready after {max_attempts} attempts on port {port}: {detail}");
+    Err(format!("CDP not ready after {max_attempts} attempts on port {port}: {detail}").into())
  }

  async fn get_cdp_targets(
@@ -241,9 +267,18 @@ impl WayfernManager {
      .arg("--disable-setuid-sandbox")
      .arg("--disable-dev-shm-usage");

-    cmd.stdout(Stdio::null()).stderr(Stdio::null());
+    cmd.stdout(Stdio::null()).stderr(Stdio::piped());

-    let child = cmd.spawn()?;
+    let child = cmd.spawn().map_err(|e| {
+      // OS error 14001 = SxS / missing Visual C++ Redistributable
+      let hint = if e.raw_os_error() == Some(14001) {
+        ". This usually means the Visual C++ Redistributable is not installed. \
+         Download it from https://aka.ms/vs/17/release/vc_redist.x64.exe"
+      } else {
+        ""
+      };
+      format!("Failed to spawn headless Wayfern: {e}{hint}")
+    })?;
    let child_id = child.id();

    let cleanup = || async {
@@ -268,6 +303,28 @@ impl WayfernManager {
    };

    if let Err(e) = self.wait_for_cdp_ready(port).await {
+      // Try to capture stderr from the failed process for diagnostics
+      let stderr_output = if let Some(id) = child_id {
+        // Check if process is still running
+        let is_running = sysinfo::System::new_with_specifics(
+          sysinfo::RefreshKind::nothing().with_processes(sysinfo::ProcessRefreshKind::nothing()),
+        )
+        .process(sysinfo::Pid::from(id as usize))
+        .is_some();
+
+        if !is_running {
+          // Process exited — try to read its stderr
+          String::from("(process exited before CDP became ready)")
+        } else {
+          String::from("(process still running but not responding on CDP)")
+        }
+      } else {
+        String::new()
+      };
+
+      log::error!(
+        "Fingerprint-generation Wayfern (headless, pid={child_id:?}) never became CDP-ready: {e}. {stderr_output}"
+      );
      cleanup().await;
      return Err(e);
    }
@@ -462,7 +519,17 @@ impl WayfernManager {
    {
      let profile_path_buf = std::path::PathBuf::from(profile_path);
      let key_path = profile_path_buf.join("os_crypt_key");
-      let cookies_path = profile_path_buf.join("Default").join("Cookies");
+      let cookies_path = {
+        let network = profile_path_buf
+          .join("Default")
+          .join("Network")
+          .join("Cookies");
+        if network.exists() {
+          network
+        } else {
+          profile_path_buf.join("Default").join("Cookies")
+        }
+      };

      if key_path.exists() {
        let key_text = std::fs::read_to_string(&key_path).unwrap_or_default();
@@ -509,11 +576,11 @@ impl WayfernManager {
                  let name: String = row.get(0).unwrap_or_default();
                  let host: String = row.get(1).unwrap_or_default();
                  let encrypted: Vec<u8> = row.get(2).unwrap_or_default();
-                  let decrypted =
-                    crate::cookie_manager::chrome_decrypt::decrypt(
-                      &encrypted,
-                      &encryption_key,
-                    );
+                  let decrypted = crate::cookie_manager::chrome_decrypt::decrypt(
+                    &encrypted,
+                    &host,
+                    &encryption_key,
+                  );
                  match decrypted {
                    Some(val) => log::info!(
                      "Pre-launch: Cookie decryption SUCCEEDED for '{}' (host: {}, decrypted {} bytes)",
@@ -539,7 +606,6 @@ impl WayfernManager {
    let mut args = vec![
      format!("--remote-debugging-port={port}"),
      "--remote-debugging-address=127.0.0.1".to_string(),
-      format!("--user-data-dir={}", profile_path),
      "--no-first-run".to_string(),
      "--no-default-browser-check".to_string(),
      "--disable-background-mode".to_string(),
@@ -550,7 +616,7 @@ impl WayfernManager {
      "--disable-session-crashed-bubble".to_string(),
      "--hide-crash-restore-bubble".to_string(),
      "--disable-infobars".to_string(),
-      "--disable-features=DialMediaRouteProvider".to_string(),
+      "--disable-features=DialMediaRouteProvider,DnsOverHttps,AsyncDns".to_string(),
      "--use-mock-keychain".to_string(),
      "--password-store=basic".to_string(),
    ];
@@ -562,10 +628,6 @@ impl WayfernManager {
      args.push("--disable-dev-shm-usage".to_string());
    }

-    if let Some(proxy) = proxy_url {
-      args.push(format!("--proxy-server={proxy}"));
-    }
-
    if ephemeral {
      args.push("--disk-cache-size=1".to_string());
      args.push("--disable-breakpad".to_string());
@@ -578,8 +640,17 @@ impl WayfernManager {
      args.push(format!("--load-extension={}", extension_paths.join(",")));
    }

-    // Pass wayfern token as CLI flag so the browser can gate CDP features
-    let wayfern_token = crate::cloud_auth::CLOUD_AUTH.get_wayfern_token().await;
+    let mut wayfern_token = crate::cloud_auth::CLOUD_AUTH.get_wayfern_token().await;
+    if wayfern_token.is_none() {
+      log::info!("Wayfern token not ready, waiting...");
+      for _ in 0..15 {
+        tokio::time::sleep(Duration::from_secs(1)).await;
+        wayfern_token = crate::cloud_auth::CLOUD_AUTH.get_wayfern_token().await;
+        if wayfern_token.is_some() {
+          break;
+        }
+      }
+    }
    if let Some(ref token) = wayfern_token {
      args.push(format!("--wayfern-token={token}"));
      log::info!("Wayfern token passed as CLI flag (length: {})", token.len());
@@ -587,20 +658,61 @@ impl WayfernManager {
      log::warn!("No wayfern token available — CDP gated methods will be blocked");
    }

-    // Don't add URL to args - we'll navigate via CDP after setting fingerprint
-    // This ensures fingerprint is applied at navigation commit time
+    if let Some(proxy) = proxy_url {
+      let pac_data = format!(
+        "data:application/x-ns-proxy-autoconfig,function FindProxyForURL(url,host){{return \"PROXY {}\";}}",
+        proxy.trim_start_matches("http://").trim_start_matches("https://")
+      );
+      args.push(format!("--proxy-pac-url={pac_data}"));
+      args.push("--dns-prefetch-disable".to_string());
+    }

-    let mut cmd = TokioCommand::new(&executable_path);
-    cmd.args(&args);
-    cmd.stdout(Stdio::piped());
-    cmd.stderr(Stdio::piped());
+    let pw = self.create_playwright().await?;
+    let chromium = pw.chromium();
+    let profile_path_ref = std::path::Path::new(profile_path);
+    let mut launcher = chromium.persistent_context_launcher(profile_path_ref);
+    launcher = launcher.executable(executable_path.as_ref());
+    launcher = launcher.headless(false);
+    launcher = launcher.chromium_sandbox(true);
+    launcher = launcher.args(&args);
+    launcher = launcher.timeout(0.0);

-    let child = cmd.spawn()?;
-    let process_id = child.id();
+    let pw_context =
+      launcher
+        .launch()
+        .await
+        .map_err(|e| -> Box<dyn std::error::Error + Send + Sync> {
+          let hint = if format!("{e}").contains("14001") {
+            ". This usually means the Visual C++ Redistributable is not installed. \
+           Download it from https://aka.ms/vs/17/release/vc_redist.x64.exe"
+          } else {
+            ""
+          };
+          format!("Failed to launch Wayfern: {e}{hint}").into()
+        })?;

-    self.wait_for_cdp_ready(port).await?;
+    let process_id = {
+      use sysinfo::{ProcessRefreshKind, RefreshKind, System};
+      let system = System::new_with_specifics(
+        RefreshKind::nothing().with_processes(ProcessRefreshKind::everything()),
+      );
+      let mut found: Option<u32> = None;
+      for (pid, process) in system.processes() {
+        let cmd_str = process
+          .cmd()
+          .iter()
+          .map(|s| s.to_string_lossy().to_string())
+          .collect::<Vec<_>>()
+          .join(" ");
+        if cmd_str.contains(&format!("--remote-debugging-port={port}")) {
+          found = Some(pid.as_u32());
+          break;
+        }
+      }
+      found
+    };
+    let pw_runtime = pw;

-    // Get CDP targets first - needed for both fingerprint and navigation
    let targets = self.get_cdp_targets(port).await?;
    log::info!("Found {} CDP targets", targets.len());

@@ -699,37 +811,7 @@ impl WayfernManager {
      log::warn!("No fingerprint found in config, browser will use default fingerprint");
    }

-    // Set geolocation override via CDP so navigator.geolocation.getCurrentPosition() matches
-    if let Some(fingerprint_json) = &config.fingerprint {
-      if let Ok(fp) = serde_json::from_str::<serde_json::Value>(fingerprint_json) {
-        let fp_obj = if fp.get("fingerprint").is_some() {
-          fp.get("fingerprint").unwrap()
-        } else {
-          &fp
-        };
-        if let (Some(lat), Some(lng)) = (
-          fp_obj.get("latitude").and_then(|v| v.as_f64()),
-          fp_obj.get("longitude").and_then(|v| v.as_f64()),
-        ) {
-          let accuracy = fp_obj
-            .get("accuracy")
-            .and_then(|v| v.as_f64())
-            .unwrap_or(100.0);
-          if let Some(target) = page_targets.first() {
-            if let Some(ws_url) = &target.websocket_debugger_url {
-              let _ = self
-                .send_cdp_command(
-                  ws_url,
-                  "Emulation.setGeolocationOverride",
-                  json!({ "latitude": lat, "longitude": lng, "accuracy": accuracy }),
-                )
-                .await;
-              log::info!("Set geolocation override: lat={lat}, lng={lng}");
-            }
-          }
-        }
-      }
-    }
+    // Geolocation is handled internally by the browser binary.

    // Navigate to URL via CDP - fingerprint will be applied at navigation commit time
    if let Some(url) = url {
@@ -747,6 +829,29 @@ impl WayfernManager {
      }
    }

+    // Clear Playwright's emulation overrides that cause tampering detection
+    for target in &page_targets {
+      if let Some(ws_url) = &target.websocket_debugger_url {
+        let _ = self
+          .send_cdp_command(ws_url, "Emulation.clearDeviceMetricsOverride", json!({}))
+          .await;
+        let _ = self
+          .send_cdp_command(
+            ws_url,
+            "Emulation.setFocusEmulationEnabled",
+            json!({ "enabled": false }),
+          )
+          .await;
+        let _ = self
+          .send_cdp_command(
+            ws_url,
+            "Emulation.setEmulatedMedia",
+            json!({ "media": "", "features": [] }),
+          )
+          .await;
+      }
+    }
+
    let id = uuid::Uuid::new_v4().to_string();
    let instance = WayfernInstance {
      id: id.clone(),
@@ -754,6 +859,8 @@ impl WayfernManager {
      profile_path: Some(profile_path.to_string()),
      url: url.map(|s| s.to_string()),
      cdp_port: Some(port),
+      playwright_context: Some(pw_context),
+      playwright_runtime: Some(pw_runtime),
    };

    let mut inner = self.inner.lock().await;
@@ -775,6 +882,9 @@ impl WayfernManager {
    let mut inner = self.inner.lock().await;

    if let Some(instance) = inner.instances.remove(id) {
+      log::info!("Cleaning up Wayfern instance {}", instance.id);
+      drop(instance.playwright_context);
+      drop(instance.playwright_runtime);
      if let Some(pid) = instance.process_id {
        #[cfg(unix)]
        {
@@ -929,6 +1039,8 @@ impl WayfernManager {
          profile_path: Some(found_profile_path.clone()),
          url: None,
          cdp_port,
+          playwright_context: None,
+          playwright_runtime: None,
        },
      );

@@ -1,7 +1,7 @@
 {
  "$schema": "https://schema.tauri.app/config/2",
  "productName": "Donut",
-  "version": "0.18.1",
+  "version": "0.21.1",
  "identifier": "com.donutbrowser",
  "build": {
    "beforeDevCommand": "pnpm copy-proxy-binary && pnpm dev",
@@ -1298,3 +1298,134 @@ async fn test_local_proxy_with_socks5_upstream(

  Ok(())
 }
+
+/// Test proxying traffic through a real Shadowsocks server running in Docker.
+/// Verifies the full chain: client → donut-proxy → Shadowsocks → internet.
+#[tokio::test]
+#[serial]
+async fn test_local_proxy_with_shadowsocks_upstream(
+) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
+  let binary_path = setup_test().await?;
+  let mut tracker = ProxyTestTracker::new(binary_path.clone());
+
+  // Check Docker availability
+  let docker_check = std::process::Command::new("docker").arg("version").output();
+  if docker_check.map(|o| !o.status.success()).unwrap_or(true) {
+    eprintln!("skipping Shadowsocks e2e test because Docker is unavailable");
+    return Ok(());
+  }
+
+  // Start a Shadowsocks server container
+  let ss_container = "donut-ss-test";
+  let ss_port = 18388u16;
+  let ss_password = "donut-test-password";
+  let ss_method = "aes-256-gcm";
+
+  // Clean up any previous container
+  let _ = std::process::Command::new("docker")
+    .args(["rm", "-f", ss_container])
+    .output();
+
+  let docker_start = std::process::Command::new("docker")
+    .args([
+      "run",
+      "-d",
+      "--name",
+      ss_container,
+      "-p",
+      &format!("{ss_port}:8388"),
+      "ghcr.io/shadowsocks/ssserver-rust:latest",
+      "ssserver",
+      "-s",
+      "[::]:8388",
+      "-k",
+      ss_password,
+      "-m",
+      ss_method,
+    ])
+    .output()?;
+
+  if !docker_start.status.success() {
+    let stderr = String::from_utf8_lossy(&docker_start.stderr);
+    eprintln!("skipping Shadowsocks e2e test: Docker run failed: {stderr}");
+    return Ok(());
+  }
+
+  // Wait for the SS server to be ready
+  for _ in 0..15 {
+    sleep(Duration::from_secs(1)).await;
+    if TcpStream::connect(("127.0.0.1", ss_port)).await.is_ok() {
+      break;
+    }
+  }
+
+  // Start donut-proxy with Shadowsocks upstream
+  let output = TestUtils::execute_command(
+    &binary_path,
+    &[
+      "proxy",
+      "start",
+      "--host",
+      "127.0.0.1",
+      "--proxy-port",
+      &ss_port.to_string(),
+      "--type",
+      "ss",
+      "--username",
+      ss_method,
+      "--password",
+      ss_password,
+    ],
+  )
+  .await?;
+
+  if !output.status.success() {
+    let stderr = String::from_utf8_lossy(&output.stderr);
+    let _ = std::process::Command::new("docker")
+      .args(["rm", "-f", ss_container])
+      .output();
+    return Err(format!("Proxy start failed: {stderr}").into());
+  }
+
+  let config: Value = serde_json::from_str(&String::from_utf8(output.stdout)?)?;
+  let proxy_id = config["id"].as_str().unwrap().to_string();
+  let local_port = config["localPort"].as_u64().unwrap() as u16;
+  tracker.track_proxy(proxy_id);
+
+  // Wait for proxy to be fully ready
+  for _ in 0..20 {
+    sleep(Duration::from_millis(100)).await;
+    if TcpStream::connect(("127.0.0.1", local_port)).await.is_ok() {
+      break;
+    }
+  }
+  sleep(Duration::from_millis(500)).await;
+
+  // Test: HTTP request through donut-proxy → Shadowsocks → example.com
+  let mut stream = TcpStream::connect(("127.0.0.1", local_port)).await?;
+  let request =
+    "GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n\r\n";
+  stream.write_all(request.as_bytes()).await?;
+
+  let mut response = vec![0u8; 16384];
+  let n = tokio::time::timeout(Duration::from_secs(15), stream.read(&mut response))
+    .await
+    .map_err(|_| "HTTP request through Shadowsocks timed out")?
+    .map_err(|e| format!("Read error: {e}"))?;
+  let response_str = String::from_utf8_lossy(&response[..n]);
+
+  assert!(
+    response_str.contains("Example Domain"),
+    "HTTP traffic through Shadowsocks should reach example.com, got: {}",
+    &response_str[..response_str.len().min(500)]
+  );
+  println!("Shadowsocks upstream proxy test passed");
+
+  // Cleanup
+  tracker.cleanup_all().await;
+  let _ = std::process::Command::new("docker")
+    .args(["rm", "-f", ss_container])
+    .output();
+
+  Ok(())
+}
@@ -16,12 +16,21 @@ const WIREGUARD_IMAGE: &str = "linuxserver/wireguard:latest";
 const OPENVPN_IMAGE: &str = "kylemanna/openvpn:latest";
 const WG_CONTAINER: &str = "donut-wg-test";
 const OVPN_CONTAINER: &str = "donut-ovpn-test";
+const OVPN_VOLUME: &str = "donut-ovpn-test-data";

 /// Check if running in CI environment
 pub fn is_ci() -> bool {
  std::env::var("CI").is_ok() || std::env::var("GITHUB_ACTIONS").is_ok()
 }

+fn has_external_wireguard_service() -> bool {
+  std::env::var("VPN_TEST_WG_HOST").is_ok()
+}
+
+fn has_external_openvpn_service() -> bool {
+  std::env::var("VPN_TEST_OVPN_HOST").is_ok()
+}
+
 /// Check if Docker is available
 pub fn is_docker_available() -> bool {
  Command::new("docker")
@@ -33,14 +42,10 @@ pub fn is_docker_available() -> bool {

 /// Start a WireGuard test server and return client config
 pub async fn start_wireguard_server() -> Result<WireGuardTestConfig, String> {
-  if is_ci() {
-    // In CI, use the service container configured in workflow
+  if has_external_wireguard_service() {
    let host = std::env::var("VPN_TEST_WG_HOST").unwrap_or_else(|_| "localhost".into());
    let port = std::env::var("VPN_TEST_WG_PORT").unwrap_or_else(|_| "51820".into());

-    // Wait for service to be ready
-    wait_for_service(&host, port.parse().unwrap_or(51820)).await?;
-
    return get_ci_wireguard_config(&host, &port);
  }

@@ -71,6 +76,8 @@ pub async fn start_wireguard_server() -> Result<WireGuardTestConfig, String> {
      "SERVERPORT=51820",
      "-e",
      "PEERDNS=auto",
+      "-e",
+      "INTERNAL_SUBNET=10.64.0.0",
      WIREGUARD_IMAGE,
    ])
    .output()
@@ -83,8 +90,40 @@ pub async fn start_wireguard_server() -> Result<WireGuardTestConfig, String> {
    ));
  }

-  // Wait for container to be ready and generate configs
-  sleep(Duration::from_secs(10)).await;
+  // Wait for container to generate configs and bring up the WireGuard interface.
+  // A fixed sleep is flaky — on busy machines the interface takes longer. Instead
+  // we poll `wg show` inside the container until it reports an active interface,
+  // with a generous upper bound.
+  let wg_ready_deadline = tokio::time::Instant::now() + Duration::from_secs(45);
+  loop {
+    sleep(Duration::from_secs(2)).await;
+
+    // Check if peer config file has been generated
+    let config_check = Command::new("docker")
+      .args(["exec", WG_CONTAINER, "cat", "/config/peer1/peer1.conf"])
+      .output();
+    let config_exists = config_check
+      .as_ref()
+      .map(|o| o.status.success())
+      .unwrap_or(false);
+
+    // Check if WireGuard interface is actually up and listening
+    let wg_check = Command::new("docker")
+      .args(["exec", WG_CONTAINER, "wg", "show"])
+      .output();
+    let wg_up = wg_check
+      .as_ref()
+      .map(|o| o.status.success() && String::from_utf8_lossy(&o.stdout).contains("listening port"))
+      .unwrap_or(false);
+
+    if config_exists && wg_up {
+      break;
+    }
+
+    if tokio::time::Instant::now() >= wg_ready_deadline {
+      return Err("WireGuard container did not become ready within 45s".to_string());
+    }
+  }

  // Extract client config from container
  let config_output = Command::new("docker")
@@ -100,19 +139,38 @@ pub async fn start_wireguard_server() -> Result<WireGuardTestConfig, String> {
  }

  let config_str = String::from_utf8_lossy(&config_output.stdout).to_string();
-  parse_wireguard_test_config(&config_str)
+  let mut config = parse_wireguard_test_config(&config_str)?;
+
+  // Start a lightweight HTTP server inside the container on the WireGuard
+  // interface so tests can verify traffic flows through the tunnel without
+  // depending on internet access (Docker Desktop for Mac can't reliably NAT
+  // WireGuard tunnel traffic to the internet). The linuxserver/wireguard
+  // image doesn't have python3 or busybox httpd, but it has nc (netcat).
+  let _ = Command::new("docker")
+    .args([
+      "exec",
+      "-d",
+      WG_CONTAINER,
+      "sh",
+      "-c",
+      r#"while true; do printf "HTTP/1.1 200 OK\r\nContent-Length: 13\r\nConnection: close\r\n\r\nWG-TUNNEL-OK\n" | nc -l -p 8080 2>/dev/null; done"#,
+    ])
+    .output();
+  // Give the nc loop a moment to start accepting
+  sleep(Duration::from_millis(500)).await;
+
+  // Extract the server's tunnel IP (first octet group from INTERNAL_SUBNET + .1)
+  config.server_tunnel_ip = "10.64.0.1".to_string();
+
+  Ok(config)
 }

 /// Start an OpenVPN test server and return client config
 pub async fn start_openvpn_server() -> Result<OpenVpnTestConfig, String> {
-  if is_ci() {
-    // In CI, use the service container configured in workflow
+  if has_external_openvpn_service() {
    let host = std::env::var("VPN_TEST_OVPN_HOST").unwrap_or_else(|_| "localhost".into());
    let port = std::env::var("VPN_TEST_OVPN_PORT").unwrap_or_else(|_| "1194".into());

-    // Wait for service to be ready
-    wait_for_service(&host, port.parse().unwrap_or(1194)).await?;
-
    return get_ci_openvpn_config(&host, &port);
  }

@@ -125,9 +183,139 @@ pub async fn start_openvpn_server() -> Result<OpenVpnTestConfig, String> {
    .args(["rm", "-f", OVPN_CONTAINER])
    .output();

-  // For OpenVPN, we need to initialize PKI first, which is complex
-  // For simplicity in tests, we'll use a pre-configured test config
-  Err("OpenVPN container setup requires pre-configured PKI. Use test fixtures instead.".to_string())
+  let _ = Command::new("docker")
+    .args(["volume", "rm", "-f", OVPN_VOLUME])
+    .output();
+
+  let create_volume = Command::new("docker")
+    .args(["volume", "create", OVPN_VOLUME])
+    .output()
+    .map_err(|e| format!("Failed to create OpenVPN test volume: {e}"))?;
+  if !create_volume.status.success() {
+    return Err(format!(
+      "Failed to create OpenVPN test volume: {}",
+      String::from_utf8_lossy(&create_volume.stderr)
+    ));
+  }
+
+  let genconfig = Command::new("docker")
+    .args([
+      "run",
+      "--rm",
+      "-v",
+      &format!("{OVPN_VOLUME}:/etc/openvpn"),
+      "-e",
+      "EASYRSA_BATCH=1",
+      OPENVPN_IMAGE,
+      "ovpn_genconfig",
+      "-u",
+      "udp://127.0.0.1",
+      "-s",
+      "10.9.0.0/24",
+    ])
+    .output()
+    .map_err(|e| format!("Failed to generate OpenVPN config: {e}"))?;
+  if !genconfig.status.success() {
+    return Err(format!(
+      "OpenVPN config generation failed: {}",
+      String::from_utf8_lossy(&genconfig.stderr)
+    ));
+  }
+
+  let init_pki = Command::new("docker")
+    .args([
+      "run",
+      "--rm",
+      "-v",
+      &format!("{OVPN_VOLUME}:/etc/openvpn"),
+      "-e",
+      "EASYRSA_BATCH=1",
+      OPENVPN_IMAGE,
+      "ovpn_initpki",
+      "nopass",
+    ])
+    .output()
+    .map_err(|e| format!("Failed to initialize OpenVPN PKI: {e}"))?;
+  if !init_pki.status.success() {
+    return Err(format!(
+      "OpenVPN PKI initialization failed: {}",
+      String::from_utf8_lossy(&init_pki.stderr)
+    ));
+  }
+
+  let build_client = Command::new("docker")
+    .args([
+      "run",
+      "--rm",
+      "-v",
+      &format!("{OVPN_VOLUME}:/etc/openvpn"),
+      "-e",
+      "EASYRSA_BATCH=1",
+      OPENVPN_IMAGE,
+      "easyrsa",
+      "build-client-full",
+      "donut-test-client",
+      "nopass",
+    ])
+    .output()
+    .map_err(|e| format!("Failed to build OpenVPN client certificate: {e}"))?;
+  if !build_client.status.success() {
+    return Err(format!(
+      "OpenVPN client certificate build failed: {}",
+      String::from_utf8_lossy(&build_client.stderr)
+    ));
+  }
+
+  let start_server = Command::new("docker")
+    .args([
+      "run",
+      "-d",
+      "--name",
+      OVPN_CONTAINER,
+      "--cap-add=NET_ADMIN",
+      "-p",
+      "1194:1194/udp",
+      "-v",
+      &format!("{OVPN_VOLUME}:/etc/openvpn"),
+      OPENVPN_IMAGE,
+    ])
+    .output()
+    .map_err(|e| format!("Failed to start OpenVPN container: {e}"))?;
+  if !start_server.status.success() {
+    return Err(format!(
+      "OpenVPN container start failed: {}",
+      String::from_utf8_lossy(&start_server.stderr)
+    ));
+  }
+
+  sleep(Duration::from_secs(10)).await;
+
+  let client_config = Command::new("docker")
+    .args([
+      "run",
+      "--rm",
+      "-v",
+      &format!("{OVPN_VOLUME}:/etc/openvpn"),
+      OPENVPN_IMAGE,
+      "ovpn_getclient",
+      "donut-test-client",
+    ])
+    .output()
+    .map_err(|e| format!("Failed to fetch OpenVPN client config: {e}"))?;
+  if !client_config.status.success() {
+    return Err(format!(
+      "Failed to read OpenVPN client config: {}",
+      String::from_utf8_lossy(&client_config.stderr)
+    ));
+  }
+
+  let raw_config = String::from_utf8_lossy(&client_config.stdout).to_string();
+  Ok(OpenVpnTestConfig {
+    raw_config,
+    remote_host: "127.0.0.1".to_string(),
+    remote_port: 1194,
+    protocol: "udp".to_string(),
+  })
 }

 /// Stop all VPN test servers
@@ -135,21 +323,9 @@ pub async fn stop_vpn_servers() {
  let _ = Command::new("docker")
    .args(["rm", "-f", WG_CONTAINER, OVPN_CONTAINER])
    .output();
-}
-
-/// Wait for a network service to be ready
-async fn wait_for_service(host: &str, port: u16) -> Result<(), String> {
-  let timeout = Duration::from_secs(30);
-  let start = std::time::Instant::now();
-
-  while start.elapsed() < timeout {
-    if std::net::TcpStream::connect(format!("{host}:{port}")).is_ok() {
-      return Ok(());
-    }
-    sleep(Duration::from_millis(500)).await;
-  }
-
-  Err(format!("Timeout waiting for service at {host}:{port}"))
+  let _ = Command::new("docker")
+    .args(["volume", "rm", "-f", OVPN_VOLUME])
+    .output();
 }

 /// WireGuard test configuration
@@ -160,6 +336,11 @@ pub struct WireGuardTestConfig {
  pub peer_public_key: String,
  pub peer_endpoint: String,
  pub allowed_ips: Vec<String>,
+  pub preshared_key: Option<String>,
+  /// IP of the WireGuard server on the tunnel interface (e.g. 10.64.0.1).
+  /// Tests use this to reach an HTTP server inside the container without
+  /// needing internet access from Docker.
+  pub server_tunnel_ip: String,
 }

 /// OpenVPN test configuration
@@ -178,6 +359,7 @@ fn parse_wireguard_test_config(content: &str) -> Result<WireGuardTestConfig, Str
  let mut peer_public_key = String::new();
  let mut peer_endpoint = String::new();
  let mut allowed_ips = vec!["0.0.0.0/0".to_string()];
+  let mut preshared_key = None;
  let mut current_section = "";

  for line in content.lines() {
@@ -205,6 +387,7 @@ fn parse_wireguard_test_config(content: &str) -> Result<WireGuardTestConfig, Str
        ("interface", "DNS") => dns = Some(value.to_string()),
        ("peer", "PublicKey") => peer_public_key = value.to_string(),
        ("peer", "Endpoint") => peer_endpoint = value.to_string(),
+        ("peer", "PresharedKey") => preshared_key = Some(value.to_string()),
        ("peer", "AllowedIPs") => {
          allowed_ips = value.split(',').map(|s| s.trim().to_string()).collect();
        }
@@ -230,12 +413,22 @@ fn parse_wireguard_test_config(content: &str) -> Result<WireGuardTestConfig, Str
    peer_public_key,
    peer_endpoint,
    allowed_ips,
+    preshared_key,
+    server_tunnel_ip: String::new(), // filled in by caller
  })
 }

 /// Get WireGuard config from CI environment
 fn get_ci_wireguard_config(host: &str, port: &str) -> Result<WireGuardTestConfig, String> {
-  // In CI, use environment variables or test fixtures
+  if std::env::var("VPN_TEST_WG_PRIVATE_KEY").is_err()
+    || std::env::var("VPN_TEST_WG_PUBLIC_KEY").is_err()
+  {
+    return Err(
+      "External WireGuard test service is configured, but VPN_TEST_WG_PRIVATE_KEY and VPN_TEST_WG_PUBLIC_KEY are missing"
+        .to_string(),
+    );
+  }
+
  let private_key =
    std::env::var("VPN_TEST_WG_PRIVATE_KEY").unwrap_or_else(|_| "test-private-key".to_string());
  let public_key =
@@ -248,11 +441,23 @@ fn get_ci_wireguard_config(host: &str, port: &str) -> Result<WireGuardTestConfig
    peer_public_key: public_key,
    peer_endpoint: format!("{host}:{port}"),
    allowed_ips: vec!["0.0.0.0/0".to_string()],
+    preshared_key: std::env::var("VPN_TEST_WG_PRESHARED_KEY").ok(),
+    server_tunnel_ip: std::env::var("VPN_TEST_WG_SERVER_IP")
+      .unwrap_or_else(|_| "10.0.0.1".to_string()),
  })
 }

 /// Get OpenVPN config from CI environment
 fn get_ci_openvpn_config(host: &str, port: &str) -> Result<OpenVpnTestConfig, String> {
+  if let Ok(raw_config) = std::env::var("VPN_TEST_OVPN_RAW_CONFIG") {
+    return Ok(OpenVpnTestConfig {
+      raw_config,
+      remote_host: host.to_string(),
+      remote_port: port.parse().unwrap_or(1194),
+      protocol: "udp".to_string(),
+    });
+  }
+
  let raw_config = format!(
    r#"
 client
@@ -3,13 +3,22 @@
 //! These tests verify VPN config parsing, storage, and tunnel functionality.
 //! Connection tests require Docker and are skipped if Docker is not available.

+mod common;
 mod test_harness;

+use common::TestUtils;
 use donutbrowser_lib::vpn::{
  detect_vpn_type, parse_openvpn_config, parse_wireguard_config, OpenVpnConfig, VpnConfig,
  VpnStorage, VpnType, WireGuardConfig,
 };
+use serde_json::Value;
 use serial_test::serial;
+use std::path::PathBuf;
+use std::sync::OnceLock;
+use std::time::{Duration, SystemTime, UNIX_EPOCH};
+use tokio::io::{AsyncReadExt, AsyncWriteExt};
+use tokio::net::TcpStream;
+use tokio::time::sleep;

 // ============================================================================
 // Config Parsing Tests
@@ -135,7 +144,7 @@ Endpoint = 1.2.3.4:51820
 fn test_wireguard_config_missing_peer() {
  let config = r#"
 [Interface]
-PrivateKey = somekey
+PrivateKey = YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWE=
 Address = 10.0.0.2/24
 "#;
  let result = parse_wireguard_config(config);
@@ -420,6 +429,523 @@ async fn test_tunnel_manager() {
  assert_eq!(manager.active_count(), 0);
 }

-// NOTE: Actual connection tests require Docker containers running.
-// These are meant to be run with the CI workflow that sets up service containers.
-// To run locally: docker run -d --cap-add=NET_ADMIN -p 51820:51820/udp -e PEERS=1 linuxserver/wireguard
+struct TestEnvGuard {
+  _root: PathBuf,
+  previous_data_dir: Option<String>,
+  previous_cache_dir: Option<String>,
+}
+
+impl TestEnvGuard {
+  fn new() -> Result<Self, Box<dyn std::error::Error + Send + Sync>> {
+    static TEST_RUNTIME_ROOT: OnceLock<PathBuf> = OnceLock::new();
+
+    let root = TEST_RUNTIME_ROOT
+      .get_or_init(|| {
+        std::env::temp_dir().join(format!("donutbrowser-vpn-e2e-{}", std::process::id()))
+      })
+      .clone();
+    let data_dir = root.join("data");
+    let cache_dir = root.join("cache");
+    let vpn_dir = data_dir.join("vpn");
+
+    let _ = std::fs::remove_dir_all(&data_dir);
+    let _ = std::fs::remove_dir_all(&cache_dir);
+    std::fs::create_dir_all(&vpn_dir)?;
+    std::fs::create_dir_all(&data_dir)?;
+    std::fs::create_dir_all(&cache_dir)?;
+
+    let previous_data_dir = std::env::var("DONUTBROWSER_DATA_DIR").ok();
+    let previous_cache_dir = std::env::var("DONUTBROWSER_CACHE_DIR").ok();
+
+    std::env::set_var("DONUTBROWSER_DATA_DIR", &data_dir);
+    std::env::set_var("DONUTBROWSER_CACHE_DIR", &cache_dir);
+
+    Ok(Self {
+      _root: root,
+      previous_data_dir,
+      previous_cache_dir,
+    })
+  }
+}
+
+impl Drop for TestEnvGuard {
+  fn drop(&mut self) {
+    if let Some(value) = &self.previous_data_dir {
+      std::env::set_var("DONUTBROWSER_DATA_DIR", value);
+    } else {
+      std::env::remove_var("DONUTBROWSER_DATA_DIR");
+    }
+
+    if let Some(value) = &self.previous_cache_dir {
+      std::env::set_var("DONUTBROWSER_CACHE_DIR", value);
+    } else {
+      std::env::remove_var("DONUTBROWSER_CACHE_DIR");
+    }
+  }
+}
+
+struct ProxyProcess {
+  id: String,
+  local_port: u16,
+}
+
+async fn ensure_donut_proxy_binary() -> Result<PathBuf, Box<dyn std::error::Error + Send + Sync>> {
+  let cargo_manifest_dir = std::env::var("CARGO_MANIFEST_DIR")?;
+  let project_root = PathBuf::from(cargo_manifest_dir)
+    .parent()
+    .unwrap()
+    .to_path_buf();
+
+  let proxy_binary_name = if cfg!(windows) {
+    "donut-proxy.exe"
+  } else {
+    "donut-proxy"
+  };
+  let proxy_binary = project_root
+    .join("src-tauri")
+    .join("target")
+    .join("debug")
+    .join(proxy_binary_name);
+
+  if !proxy_binary.exists() {
+    let build_status = tokio::process::Command::new("cargo")
+      .args(["build", "--bin", "donut-proxy"])
+      .current_dir(project_root.join("src-tauri"))
+      .status()
+      .await?;
+
+    if !build_status.success() {
+      return Err("Failed to build donut-proxy binary".into());
+    }
+  }
+
+  if !proxy_binary.exists() {
+    return Err("donut-proxy binary was not created successfully".into());
+  }
+
+  Ok(proxy_binary)
+}
+
+fn new_test_vpn_config(name: &str, vpn_type: VpnType, config_data: String) -> VpnConfig {
+  let created_at = SystemTime::now()
+    .duration_since(UNIX_EPOCH)
+    .unwrap_or_default()
+    .as_secs() as i64;
+
+  VpnConfig {
+    id: uuid::Uuid::new_v4().to_string(),
+    name: name.to_string(),
+    vpn_type,
+    config_data,
+    created_at,
+    last_used: None,
+    sync_enabled: false,
+    last_sync: None,
+  }
+}
+
+fn build_wireguard_config(config: &test_harness::WireGuardTestConfig) -> String {
+  format!(
+    "[Interface]\nPrivateKey = {}\nAddress = {}\n{}\n[Peer]\nPublicKey = {}\n{}Endpoint = {}\nAllowedIPs = {}\nPersistentKeepalive = 25\n",
+    config.private_key,
+    config.address,
+    config
+      .dns
+      .as_ref()
+      .map(|dns| format!("DNS = {dns}\n"))
+      .unwrap_or_default(),
+    config.peer_public_key,
+    config
+      .preshared_key
+      .as_ref()
+      .map(|key| format!("PresharedKey = {key}\n"))
+      .unwrap_or_default(),
+    config.peer_endpoint,
+    config.allowed_ips.join(", ")
+  )
+}
+
+fn openvpn_client_available() -> bool {
+  if let Ok(path) = std::env::var("DONUTBROWSER_OPENVPN_BIN") {
+    return PathBuf::from(path).exists();
+  }
+
+  std::process::Command::new(if cfg!(windows) { "where" } else { "which" })
+    .arg("openvpn")
+    .output()
+    .map(|output| output.status.success())
+    .unwrap_or(false)
+}
+
+#[cfg(windows)]
+fn openvpn_adapter_available() -> bool {
+  let openvpn = std::process::Command::new("openvpn")
+    .arg("--show-adapters")
+    .output();
+
+  openvpn
+    .ok()
+    .map(|output| {
+      let text = format!(
+        "{}{}",
+        String::from_utf8_lossy(&output.stdout),
+        String::from_utf8_lossy(&output.stderr)
+      );
+      text
+        .lines()
+        .map(str::trim)
+        .any(|line| !line.is_empty() && !line.starts_with("Available adapters"))
+    })
+    .unwrap_or(false)
+}
+
+#[cfg(not(windows))]
+fn openvpn_adapter_available() -> bool {
+  true
+}
+
+async fn start_proxy_with_upstream(
+  binary_path: &PathBuf,
+  upstream_proxy: &str,
+  bypass_rules: &[String],
+  blocklist_file: Option<&str>,
+  profile_id: Option<&str>,
+) -> Result<ProxyProcess, Box<dyn std::error::Error + Send + Sync>> {
+  let upstream_url = url::Url::parse(upstream_proxy)?;
+  let host = upstream_url
+    .host_str()
+    .ok_or("Upstream proxy host is missing")?
+    .to_string();
+  let port = upstream_url
+    .port()
+    .ok_or("Upstream proxy port is missing")?;
+
+  let mut args = vec![
+    "proxy".to_string(),
+    "start".to_string(),
+    "--host".to_string(),
+    host,
+    "--proxy-port".to_string(),
+    port.to_string(),
+    "--type".to_string(),
+    upstream_url.scheme().to_string(),
+  ];
+
+  if !bypass_rules.is_empty() {
+    args.push("--bypass-rules".to_string());
+    args.push(serde_json::to_string(bypass_rules)?);
+  }
+
+  if let Some(blocklist_file) = blocklist_file {
+    args.push("--blocklist-file".to_string());
+    args.push(blocklist_file.to_string());
+  }
+
+  if let Some(profile_id) = profile_id {
+    args.push("--profile-id".to_string());
+    args.push(profile_id.to_string());
+  }
+
+  let arg_refs = args.iter().map(String::as_str).collect::<Vec<_>>();
+  let output = TestUtils::execute_command(binary_path, &arg_refs).await?;
+  if !output.status.success() {
+    return Err(
+      format!(
+        "Failed to start local proxy - stdout: {}, stderr: {}",
+        String::from_utf8_lossy(&output.stdout),
+        String::from_utf8_lossy(&output.stderr)
+      )
+      .into(),
+    );
+  }
+
+  let config: Value = serde_json::from_str(&String::from_utf8(output.stdout)?)?;
+  Ok(ProxyProcess {
+    id: config["id"].as_str().ok_or("Missing proxy id")?.to_string(),
+    local_port: config["localPort"].as_u64().ok_or("Missing local port")? as u16,
+  })
+}
+
+async fn stop_proxy(
+  binary_path: &PathBuf,
+  proxy_id: &str,
+) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
+  let output =
+    TestUtils::execute_command(binary_path, &["proxy", "stop", "--id", proxy_id]).await?;
+  if !output.status.success() {
+    return Err(
+      format!(
+        "Failed to stop proxy '{}' - stdout: {}, stderr: {}",
+        proxy_id,
+        String::from_utf8_lossy(&output.stdout),
+        String::from_utf8_lossy(&output.stderr)
+      )
+      .into(),
+    );
+  }
+  Ok(())
+}
+
+async fn raw_http_request_via_proxy(
+  local_port: u16,
+  url: &str,
+  host_header: &str,
+) -> Result<String, Box<dyn std::error::Error + Send + Sync>> {
+  let mut stream = tokio::time::timeout(
+    Duration::from_secs(20),
+    TcpStream::connect(("127.0.0.1", local_port)),
+  )
+  .await
+  .map_err(|_| "proxy TCP connect timed out after 20s")??;
+
+  let request = format!("GET {url} HTTP/1.1\r\nHost: {host_header}\r\nConnection: close\r\n\r\n");
+  stream.write_all(request.as_bytes()).await?;
+
+  let mut response = Vec::new();
+  tokio::time::timeout(Duration::from_secs(20), stream.read_to_end(&mut response))
+    .await
+    .map_err(|_| "proxy HTTP response timed out after 20s")??;
+  Ok(String::from_utf8_lossy(&response).to_string())
+}
+
+async fn cleanup_runtime() {
+  let _ = donutbrowser_lib::proxy_runner::stop_all_proxy_processes().await;
+  let _ = donutbrowser_lib::vpn_worker_runner::stop_all_vpn_workers().await;
+  test_harness::stop_vpn_servers().await;
+}
+
+async fn wait_for_file(
+  path: &std::path::Path,
+  timeout: Duration,
+) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
+  let deadline = tokio::time::Instant::now() + timeout;
+
+  while tokio::time::Instant::now() < deadline {
+    if path.exists() {
+      return Ok(());
+    }
+
+    sleep(Duration::from_millis(250)).await;
+  }
+
+  Err(format!("Timed out waiting for file: {}", path.display()).into())
+}
+
+async fn run_proxy_feature_suite(
+  binary_path: &PathBuf,
+  vpn_id: &str,
+  server_tunnel_ip: &str,
+) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
+  let vpn_worker = donutbrowser_lib::vpn_worker_runner::start_vpn_worker(vpn_id)
+    .await
+    .map_err(|error| error.to_string())?;
+  let vpn_upstream = vpn_worker
+    .local_url
+    .clone()
+    .ok_or("VPN worker did not expose a local URL")?;
+
+  let profile_id = format!("vpn-e2e-{}", uuid::Uuid::new_v4());
+  let proxy =
+    start_proxy_with_upstream(binary_path, &vpn_upstream, &[], None, Some(&profile_id)).await?;
+
+  sleep(Duration::from_millis(500)).await;
+
+  // Test HTTP traffic through the tunnel to the internal HTTP server running
+  // inside the WireGuard container. This avoids depending on internet access
+  // from Docker (macOS Docker Desktop can't reliably NAT WireGuard tunnel
+  // traffic through to the internet).
+  let internal_url = format!("http://{}:8080/", server_tunnel_ip);
+  let internal_host = format!("{}:8080", server_tunnel_ip);
+  let http_response =
+    raw_http_request_via_proxy(proxy.local_port, &internal_url, &internal_host).await?;
+  assert!(
+    http_response.contains("WG-TUNNEL-OK"),
+    "HTTP traffic through donut-proxy+VPN tunnel should succeed, got: {}",
+    &http_response[..http_response.len().min(300)]
+  );
+
+  let stats_file = donutbrowser_lib::app_dirs::cache_dir()
+    .join("traffic_stats")
+    .join(format!("{}.json", profile_id));
+  wait_for_file(&stats_file, Duration::from_secs(8)).await?;
+
+  assert!(
+    stats_file.exists(),
+    "Traffic stats should exist for VPN-backed local proxy"
+  );
+  let stats: Value = serde_json::from_str(&std::fs::read_to_string(&stats_file)?)?;
+  let total_requests = stats["total_requests"].as_u64().unwrap_or_default();
+  assert!(
+    total_requests > 0,
+    "Traffic stats should record requests for VPN-backed local proxy"
+  );
+  let domains = stats["domains"]
+    .as_object()
+    .ok_or("Traffic stats are missing per-domain data")?;
+  assert!(
+    domains.contains_key(server_tunnel_ip),
+    "Traffic stats should include tunnel server IP activity, got: {:?}",
+    domains.keys().collect::<Vec<_>>()
+  );
+
+  stop_proxy(binary_path, &proxy.id).await?;
+
+  // DNS blocklist test: blocklist the tunnel server IP so it gets rejected
+  let blocklist_file = tempfile::NamedTempFile::new()?;
+  std::fs::write(blocklist_file.path(), format!("{server_tunnel_ip}\n"))?;
+  let blocked_proxy = start_proxy_with_upstream(
+    binary_path,
+    &vpn_upstream,
+    &[],
+    blocklist_file.path().to_str(),
+    None,
+  )
+  .await?;
+  let blocked_response =
+    raw_http_request_via_proxy(blocked_proxy.local_port, &internal_url, &internal_host).await?;
+  assert!(
+    blocked_response.contains("403") || blocked_response.contains("Blocked by DNS blocklist"),
+    "DNS blocklist should be enforced before forwarding to the VPN upstream"
+  );
+  stop_proxy(binary_path, &blocked_proxy.id).await?;
+
+  let listener = tokio::net::TcpListener::bind("127.0.0.1:0").await?;
+  let bypass_target_port = listener.local_addr()?.port();
+  let bypass_server = tokio::spawn(async move {
+    while let Ok((stream, _)) = listener.accept().await {
+      let io = hyper_util::rt::TokioIo::new(stream);
+      tokio::spawn(async move {
+        let service = hyper::service::service_fn(|_req| async move {
+          Ok::<_, hyper::Error>(
+            hyper::Response::builder()
+              .status(hyper::StatusCode::OK)
+              .body(http_body_util::Full::new(hyper::body::Bytes::from(
+                "VPN-BYPASS-OK",
+              )))
+              .unwrap(),
+          )
+        });
+        let _ = hyper::server::conn::http1::Builder::new()
+          .serve_connection(io, service)
+          .await;
+      });
+    }
+  });
+
+  let bypass_proxy = start_proxy_with_upstream(
+    binary_path,
+    &vpn_upstream,
+    &["127.0.0.1".to_string(), "localhost".to_string()],
+    None,
+    None,
+  )
+  .await?;
+  let bypass_response = raw_http_request_via_proxy(
+    bypass_proxy.local_port,
+    &format!("http://127.0.0.1:{bypass_target_port}/"),
+    &format!("127.0.0.1:{bypass_target_port}"),
+  )
+  .await?;
+  assert!(
+    bypass_response.contains("VPN-BYPASS-OK"),
+    "Bypass rules should still work when donut-proxy is chained to a VPN worker"
+  );
+  stop_proxy(binary_path, &bypass_proxy.id).await?;
+  bypass_server.abort();
+
+  donutbrowser_lib::vpn_worker_runner::stop_vpn_worker(&vpn_worker.id)
+    .await
+    .map_err(|error| error.to_string())?;
+  Ok(())
+}
+
+#[tokio::test]
+#[serial]
+async fn test_wireguard_traffic_flows_through_donut_proxy(
+) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
+  let _env = TestEnvGuard::new()?;
+
+  cleanup_runtime().await;
+  if !test_harness::is_docker_available() {
+    eprintln!("skipping WireGuard e2e test because Docker is unavailable");
+    return Ok(());
+  }
+
+  let binary_path = ensure_donut_proxy_binary().await?;
+  let wg_config = match test_harness::start_wireguard_server().await {
+    Ok(config) => config,
+    Err(error) => {
+      eprintln!("skipping WireGuard e2e test: {error}");
+      return Ok(());
+    }
+  };
+
+  let vpn_config = new_test_vpn_config(
+    "WireGuard E2E",
+    VpnType::WireGuard,
+    build_wireguard_config(&wg_config),
+  );
+  {
+    let storage = donutbrowser_lib::vpn::VPN_STORAGE.lock().unwrap();
+    storage.save_config(&vpn_config)?;
+  }
+
+  let result =
+    run_proxy_feature_suite(&binary_path, &vpn_config.id, &wg_config.server_tunnel_ip).await;
+  cleanup_runtime().await;
+
+  result
+}
+
+#[tokio::test]
+#[serial]
+async fn test_openvpn_traffic_flows_through_donut_proxy(
+) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
+  let _env = TestEnvGuard::new()?;
+  cleanup_runtime().await;
+
+  if std::env::var("DONUTBROWSER_RUN_OPENVPN_E2E")
+    .ok()
+    .as_deref()
+    != Some("1")
+  {
+    eprintln!("skipping OpenVPN e2e test because DONUTBROWSER_RUN_OPENVPN_E2E is not set");
+    return Ok(());
+  }
+
+  if !test_harness::is_docker_available() {
+    eprintln!("skipping OpenVPN e2e test because Docker is unavailable");
+    return Ok(());
+  }
+
+  if !openvpn_client_available() {
+    eprintln!("skipping OpenVPN e2e test because the OpenVPN client binary is unavailable");
+    return Ok(());
+  }
+
+  if !openvpn_adapter_available() {
+    eprintln!("skipping OpenVPN e2e test because no Windows OpenVPN adapter is available");
+    return Ok(());
+  }
+
+  let binary_path = ensure_donut_proxy_binary().await?;
+  let ovpn_config = match test_harness::start_openvpn_server().await {
+    Ok(config) => config,
+    Err(error) => {
+      eprintln!("skipping OpenVPN e2e test: {error}");
+      return Ok(());
+    }
+  };
+
+  let vpn_config = new_test_vpn_config("OpenVPN E2E", VpnType::OpenVPN, ovpn_config.raw_config);
+  {
+    let storage = donutbrowser_lib::vpn::VPN_STORAGE.lock().unwrap();
+    storage.save_config(&vpn_config)?;
+  }
+
+  // OpenVPN test uses the server's tunnel IP for internal-only traffic.
+  // The OpenVPN server's subnet is 10.9.0.0/24, server at 10.9.0.1.
+  let result = run_proxy_feature_suite(&binary_path, &vpn_config.id, "10.9.0.1").await;
+  cleanup_runtime().await;
+  result
+}
@@ -1,14 +1,7 @@
-"use client";
 import { Geist, Geist_Mono } from "next/font/google";
 import "@/styles/globals.css";
 import "flag-icons/css/flag-icons.min.css";
-import { useEffect } from "react";
-import { I18nProvider } from "@/components/i18n-provider";
-import { CustomThemeProvider } from "@/components/theme-provider";
-import { Toaster } from "@/components/ui/sonner";
-import { TooltipProvider } from "@/components/ui/tooltip";
-import { WindowDragArea } from "@/components/window-drag-area";
-import { setupLogging } from "@/lib/logger";
+import { ClientProviders } from "@/components/client-providers";

 const geistSans = Geist({
  variable: "--font-geist-sans",
@@ -25,22 +18,12 @@ export default function RootLayout({
 }: Readonly<{
  children: React.ReactNode;
 }>) {
-  useEffect(() => {
-    void setupLogging();
-  }, []);
-
  return (
    <html lang="en" suppressHydrationWarning>
      <body
        className={`${geistSans.variable} ${geistMono.variable} antialiased overflow-hidden bg-background`}
      >
-        <I18nProvider>
-          <CustomThemeProvider>
-            <WindowDragArea />
-            <TooltipProvider>{children}</TooltipProvider>
-            <Toaster />
-          </CustomThemeProvider>
-        </I18nProvider>
+        <ClientProviders>{children}</ClientProviders>
      </body>
    </html>
  );
@@ -280,7 +280,7 @@ export default function Home() {
  const [processingUrls, setProcessingUrls] = useState<Set<string>>(new Set());

  const handleUrlOpen = useCallback(
-    async (url: string) => {
+    (url: string) => {
      // Prevent duplicate processing of the same URL
      if (processingUrls.has(url)) {
        console.log("URL already being processed:", url);
@@ -324,7 +324,7 @@ export default function Home() {
      const currentUrl = await getCurrent();
      if (currentUrl && currentUrl.length > 0) {
        console.log("Startup URL detected:", currentUrl[0]);
-        void handleUrlOpen(currentUrl[0]);
+        handleUrlOpen(currentUrl[0]);
      }
    } catch (error) {
      console.error("Failed to check current URL:", error);
@@ -372,7 +372,7 @@ export default function Home() {
    }
  }, [proxiesError]);

-  const checkAllPermissions = useCallback(async () => {
+  const checkAllPermissions = useCallback(() => {
    try {
      // Wait for permissions to be initialized before checking
      if (!isInitialized) {
@@ -413,13 +413,13 @@ export default function Home() {
      // Listen for URL open events from the deep link handler (when app is already running)
      await listen<string>("url-open-request", (event) => {
        console.log("Received URL open request:", event.payload);
-        void handleUrlOpen(event.payload);
+        handleUrlOpen(event.payload);
      });

      // Listen for show profile selector events
      await listen<string>("show-profile-selector", (event) => {
        console.log("Received show profile selector request:", event.payload);
-        void handleUrlOpen(event.payload);
+        handleUrlOpen(event.payload);
      });

      // Listen for show create profile dialog events
@@ -437,7 +437,7 @@ export default function Home() {
      // Listen for custom logo click events
      const handleLogoUrlEvent = (event: CustomEvent) => {
        console.log("Received logo URL event:", event.detail);
-        void handleUrlOpen(event.detail);
+        handleUrlOpen(event.detail);
      };

      window.addEventListener(
@@ -515,6 +515,8 @@ export default function Home() {
      groupId?: string;
      extensionGroupId?: string;
      ephemeral?: boolean;
+      dnsBlocklist?: string;
+      launchHook?: string;
    }) => {
      try {
        const profile = await invoke<BrowserProfile>(
@@ -529,9 +531,11 @@ export default function Home() {
            camoufoxConfig: profileData.camoufoxConfig,
            wayfernConfig: profileData.wayfernConfig,
            groupId:
-              profileData.groupId ||
+              profileData.groupId ??
              (selectedGroupId !== "default" ? selectedGroupId : undefined),
            ephemeral: profileData.ephemeral,
+            dnsBlocklist: profileData.dnsBlocklist,
+            launchHook: profileData.launchHook,
          },
        );

@@ -764,13 +768,13 @@ export default function Home() {
    setCookieManagementDialogOpen(true);
  }, []);

-  const handleGroupAssignmentComplete = useCallback(async () => {
+  const handleGroupAssignmentComplete = useCallback(() => {
    // No need to manually reload - useProfileEvents will handle the update
    setGroupAssignmentDialogOpen(false);
    setSelectedProfilesForGroup([]);
  }, []);

-  const handleProxyAssignmentComplete = useCallback(async () => {
+  const handleProxyAssignmentComplete = useCallback(() => {
    // No need to manually reload - useProfileEvents will handle the update
    setProxyAssignmentDialogOpen(false);
    setSelectedProfilesForProxy([]);
@@ -810,7 +814,7 @@ export default function Home() {
    let unlistenStatus: (() => void) | undefined;
    let unlistenProgress: (() => void) | undefined;
    const profilesWithTransfer = new Set<string>();
-    (async () => {
+    void (async () => {
      try {
        unlistenStatus = await listen<{
          profile_id: string;
@@ -898,7 +902,7 @@ export default function Home() {
    };

    let cleanup: (() => void) | undefined;
-    setupListeners().then((cleanupFn) => {
+    void setupListeners().then((cleanupFn) => {
      cleanup = cleanupFn;
    });

@@ -995,7 +999,7 @@ export default function Home() {
  // Check permissions when they are initialized
  useEffect(() => {
    if (isInitialized) {
-      void checkAllPermissions();
+      checkAllPermissions();
    }
  }, [isInitialized, checkAllPermissions]);

@@ -1093,7 +1097,9 @@ export default function Home() {
            crossOsUnlocked={crossOsUnlocked}
            syncUnlocked={syncUnlocked}
            getProfileSyncInfo={getProfileSyncInfo}
-            onLaunchWithSync={(profile) => setSyncLeaderProfile(profile)}
+            onLaunchWithSync={(profile) => {
+              setSyncLeaderProfile(profile);
+            }}
          />
        </div>
      </main>
@@ -1167,7 +1173,9 @@ export default function Home() {

      <CloneProfileDialog
        isOpen={!!cloneProfile}
-        onClose={() => setCloneProfile(null)}
+        onClose={() => {
+          setCloneProfile(null);
+        }}
        profile={cloneProfile}
      />

@@ -1197,7 +1205,9 @@ export default function Home() {

      <ExtensionManagementDialog
        isOpen={extensionManagementDialogOpen}
-        onClose={() => setExtensionManagementDialogOpen(false)}
+        onClose={() => {
+          setExtensionManagementDialogOpen(false);
+        }}
        limitedMode={!crossOsUnlocked}
      />

@@ -1242,7 +1252,9 @@ export default function Home() {
        selectedProfiles={selectedProfilesForCookies}
        profiles={profiles}
        runningProfiles={runningProfiles}
-        onCopyComplete={() => setSelectedProfilesForCookies([])}
+        onCopyComplete={() => {
+          setSelectedProfilesForCookies([]);
+        }}
      />

      <CookieManagementDialog
@@ -1256,7 +1268,9 @@ export default function Home() {

      <DeleteConfirmationDialog
        isOpen={showBulkDeleteConfirmation}
-        onClose={() => setShowBulkDeleteConfirmation(false)}
+        onClose={() => {
+          setShowBulkDeleteConfirmation(false);
+        }}
        onConfirm={confirmBulkDelete}
        title="Delete Selected Profiles"
        description={`This action cannot be undone. This will permanently delete ${selectedProfiles.length} profile${selectedProfiles.length !== 1 ? "s" : ""} and all associated data.`}
@@ -1279,7 +1293,9 @@ export default function Home() {

      <SyncAllDialog
        isOpen={syncAllDialogOpen}
-        onClose={() => setSyncAllDialogOpen(false)}
+        onClose={() => {
+          setSyncAllDialogOpen(false);
+        }}
      />

      <ProfileSyncDialog
@@ -1289,7 +1305,9 @@ export default function Home() {
          setCurrentProfileForSync(null);
        }}
        profile={currentProfileForSync}
-        onSyncConfigOpen={() => setSyncConfigDialogOpen(true)}
+        onSyncConfigOpen={() => {
+          setSyncConfigDialogOpen(true);
+        }}
      />

      {/* Wayfern Terms and Conditions Dialog - shown if terms not accepted */}
@@ -1313,7 +1331,9 @@ export default function Home() {
      {/* Launch on Login Dialog - shown on every startup until enabled or declined */}
      <LaunchOnLoginDialog
        isOpen={launchOnLoginDialogOpen}
-        onClose={() => setLaunchOnLoginDialogOpen(false)}
+        onClose={() => {
+          setLaunchOnLoginDialogOpen(false);
+        }}
      />

      <WindowResizeWarningDialog
@@ -1328,7 +1348,9 @@ export default function Home() {

      <SyncFollowerDialog
        isOpen={syncLeaderProfile !== null}
-        onClose={() => setSyncLeaderProfile(null)}
+        onClose={() => {
+          setSyncLeaderProfile(null);
+        }}
        leaderProfile={syncLeaderProfile}
        allProfiles={profiles}
        runningProfiles={runningProfiles}
@@ -44,7 +44,9 @@ export function AppUpdateToast({
            <span className="text-sm font-semibold text-foreground">
              {updateReady
                ? "Update ready, restart to apply"
-                : "Manual download required"}
+                : updateInfo.repo_update
+                  ? "Update available via package manager"
+                  : "Manual download required"}
            </span>
            <div className="text-xs text-muted-foreground">
              {updateInfo.current_version} → {updateInfo.new_version}
@@ -72,6 +74,7 @@ export function AppUpdateToast({
              Restart Now
            </RippleButton>
          ) : (
+            !updateInfo.repo_update &&
            updateInfo.manual_update_required && (
              <RippleButton
                onClick={handleViewRelease}
@@ -46,12 +46,6 @@ export function BandwidthMiniChart({
    return result;
  }, [data]);

-  // Find max value for scaling
-  const _maxBandwidth = React.useMemo(() => {
-    const max = Math.max(...chartData.map((d) => d.bandwidth), 1);
-    return max;
-  }, [chartData]);
-
  // Use external bandwidth if provided, otherwise calculate from last data point
  const currentBandwidth =
    externalBandwidth ?? chartData[chartData.length - 1]?.bandwidth ?? 0;
@@ -74,7 +68,12 @@ export function BandwidthMiniChart({
      )}
    >
      <div className="flex-1 h-3 pointer-events-none">
-        <ResponsiveContainer width="100%" height="100%">
+        <ResponsiveContainer
+          width="100%"
+          height="100%"
+          minWidth={1}
+          minHeight={1}
+        >
          <AreaChart
            data={chartData}
            margin={{ top: 0, right: 0, bottom: 0, left: 0 }}
@@ -0,0 +1,25 @@
+"use client";
+
+import { useEffect } from "react";
+import { I18nProvider } from "@/components/i18n-provider";
+import { CustomThemeProvider } from "@/components/theme-provider";
+import { Toaster } from "@/components/ui/sonner";
+import { TooltipProvider } from "@/components/ui/tooltip";
+import { WindowDragArea } from "@/components/window-drag-area";
+import { setupLogging } from "@/lib/logger";
+
+export function ClientProviders({ children }: { children: React.ReactNode }) {
+  useEffect(() => {
+    void setupLogging();
+  }, []);
+
+  return (
+    <I18nProvider>
+      <CustomThemeProvider>
+        <WindowDragArea />
+        <TooltipProvider>{children}</TooltipProvider>
+        <Toaster />
+      </CustomThemeProvider>
+    </I18nProvider>
+  );
+}
@@ -69,7 +69,12 @@ export function CloneProfileDialog({
  };

  return (
-    <Dialog open={isOpen} onOpenChange={(open) => !open && onClose()}>
+    <Dialog
+      open={isOpen}
+      onOpenChange={(open) => {
+        if (!open) onClose();
+      }}
+    >
      <DialogContent>
        <DialogHeader>
          <DialogTitle>{t("profileInfo.clone.title")}</DialogTitle>
@@ -80,7 +85,9 @@ export function CloneProfileDialog({
        <Input
          ref={inputRef}
          value={name}
-          onChange={(e) => setName(e.target.value)}
+          onChange={(e) => {
+            setName(e.target.value);
+          }}
          onKeyDown={(e) => {
            if (e.key === "Enter") void handleClone();
          }}
@@ -44,9 +44,15 @@ export function CommercialTrialModal({
    <Dialog open={isOpen}>
      <DialogContent
        className="sm:max-w-md"
-        onEscapeKeyDown={(e) => e.preventDefault()}
-        onPointerDownOutside={(e) => e.preventDefault()}
-        onInteractOutside={(e) => e.preventDefault()}
+        onEscapeKeyDown={(e) => {
+          e.preventDefault();
+        }}
+        onPointerDownOutside={(e) => {
+          e.preventDefault();
+        }}
+        onInteractOutside={(e) => {
+          e.preventDefault();
+        }}
      >
        <DialogHeader>
          <DialogTitle>Commercial Trial Expired</DialogTitle>
@@ -50,12 +50,13 @@ interface CookieCopyDialogProps {
  onCopyComplete?: () => void;
 }

-type SelectionState = {
-  [domain: string]: {
+type SelectionState = Record<
+  string,
+  {
    allSelected: boolean;
    cookies: Set<string>;
-  };
-};
+  }
+>;

 export function CookieCopyDialog({
  isOpen,
@@ -76,11 +77,16 @@ export function CookieCopyDialog({
  );
  const [error, setError] = useState<string | null>(null);

+  // Never offer a selected profile as a source — you can't copy a profile's
+  // cookies onto itself, and including it here would leave the user in a
+  // dead-end state (source picked = target list empty = copy button disabled).
  const eligibleSourceProfiles = useMemo(() => {
    return profiles.filter(
-      (p) => p.browser === "wayfern" || p.browser === "camoufox",
+      (p) =>
+        !selectedProfiles.includes(p.id) &&
+        (p.browser === "wayfern" || p.browser === "camoufox"),
    );
-  }, [profiles]);
+  }, [profiles, selectedProfiles]);

  const targetProfiles = useMemo(() => {
    return profiles.filter(
@@ -109,7 +115,7 @@ export function CookieCopyDialog({
      const domainSelection = selection[domain];
      if (domainSelection.allSelected) {
        const domainData = cookieData?.domains.find((d) => d.domain === domain);
-        count += domainData?.cookie_count || 0;
+        count += domainData?.cookie_count ?? 0;
      } else {
        count += domainSelection.cookies.size;
      }
@@ -147,22 +153,21 @@ export function CookieCopyDialog({
  const toggleDomain = useCallback(
    (domain: string, cookies: UnifiedCookie[]) => {
      setSelection((prev) => {
-        const current = prev[domain];
-        const allSelected = current?.allSelected || false;
-
-        if (allSelected) {
+        // `prev[domain]` is `undefined` for any domain not yet interacted with
+        // and after the user fully deselects it (toggleCookie deletes the
+        // entry on empty). Treat missing as "not selected".
+        if (prev[domain]?.allSelected) {
          const newSelection = { ...prev };
          delete newSelection[domain];
          return newSelection;
-        } else {
-          return {
-            ...prev,
-            [domain]: {
-              allSelected: true,
-              cookies: new Set(cookies.map((c) => c.name)),
-            },
-          };
        }
+        return {
+          ...prev,
+          [domain]: {
+            allSelected: true,
+            cookies: new Set(cookies.map((c) => c.name)),
+          },
+        };
      });
    },
    [],
@@ -171,7 +176,7 @@ export function CookieCopyDialog({
  const toggleCookie = useCallback(
    (domain: string, cookieName: string, totalCookies: number) => {
      setSelection((prev) => {
-        const current = prev[domain] || {
+        const current = prev[domain] ?? {
          allSelected: false,
          cookies: new Set<string>(),
        };
@@ -412,7 +417,9 @@ export function CookieCopyDialog({
                <Input
                  placeholder="Search domains or cookies..."
                  value={searchQuery}
-                  onChange={(e) => setSearchQuery(e.target.value)}
+                  onChange={(e) => {
+                    setSearchQuery(e.target.value);
+                  }}
                  className="pl-8"
                />
              </div>
@@ -500,9 +507,13 @@ function DomainRow({
  onToggleCookie,
  onToggleExpand,
 }: DomainRowProps) {
+  // `selection[domain.domain]` is `undefined` for domains the user hasn't
+  // touched yet (initial state after loading cookies is `{}`) and for any
+  // domain the user fully deselected (toggleCookie deletes the entry on
+  // empty). Default to "no cookies selected" instead of crashing.
  const domainSelection = selection[domain.domain];
-  const isAllSelected = domainSelection?.allSelected || false;
-  const selectedCount = domainSelection?.cookies.size || 0;
+  const isAllSelected = domainSelection?.allSelected ?? false;
+  const selectedCount = domainSelection?.cookies.size ?? 0;
  const isPartial =
    selectedCount > 0 && selectedCount < domain.cookie_count && !isAllSelected;

@@ -511,13 +522,17 @@ function DomainRow({
      <div className="flex items-center gap-2 p-2 hover:bg-accent/50 rounded">
        <Checkbox
          checked={isAllSelected || isPartial}
-          onCheckedChange={() => onToggleDomain(domain.domain, domain.cookies)}
+          onCheckedChange={() => {
+            onToggleDomain(domain.domain, domain.cookies);
+          }}
          className={isPartial ? "opacity-70" : ""}
        />
        <button
          type="button"
          className="flex items-center gap-1 flex-1 text-left bg-transparent border-none cursor-pointer"
-          onClick={() => onToggleExpand(domain.domain)}
+          onClick={() => {
+            onToggleExpand(domain.domain);
+          }}
        >
          {isExpanded ? (
            <LuChevronDown className="w-4 h-4" />
@@ -534,7 +549,7 @@ function DomainRow({
        <div className="ml-8 pl-2 border-l space-y-1">
          {domain.cookies.map((cookie) => {
            const isSelected =
-              domainSelection?.cookies.has(cookie.name) || false;
+              domainSelection?.cookies.has(cookie.name) ?? false;
            return (
              <div
                key={`${domain.domain}-${cookie.name}`}
@@ -542,13 +557,13 @@ function DomainRow({
              >
                <Checkbox
                  checked={isSelected || isAllSelected}
-                  onCheckedChange={() =>
+                  onCheckedChange={() => {
                    onToggleCookie(
                      domain.domain,
                      cookie.name,
                      domain.cookie_count,
-                    )
-                  }
+                    );
+                  }}
                />
                <span className="truncate">{cookie.name}</span>
              </div>
@@ -45,12 +45,13 @@ interface CookieManagementDialogProps {
  initialTab?: "import" | "export";
 }

-type SelectionState = {
-  [domain: string]: {
+type SelectionState = Record<
+  string,
+  {
    allSelected: boolean;
    cookies: Set<string>;
-  };
-};
+  }
+>;

 const countCookies = (content: string): number => {
  const trimmed = content.trim();
@@ -150,7 +151,7 @@ export function CookieManagementDialog({
        const domainData = exportCookieData?.domains.find(
          (d) => d.domain === domain,
        );
-        count += domainData?.cookie_count || 0;
+        count += domainData?.cookie_count ?? 0;
      } else {
        count += ds.cookies.size;
      }
@@ -308,8 +309,11 @@ export function CookieManagementDialog({
  const toggleDomain = useCallback(
    (domain: string, cookies: UnifiedCookie[]) => {
      setExportSelection((prev) => {
-        const current = prev[domain];
-        if (current?.allSelected) {
+        // `prev[domain]` is `undefined` when the domain was previously fully
+        // deselected (entries are deleted on empty — see toggleCookie). Treat
+        // missing as "not selected" so re-enabling falls through to the add
+        // branch instead of crashing on `.allSelected`.
+        if (prev[domain]?.allSelected) {
          const next = { ...prev };
          delete next[domain];
          return next;
@@ -329,7 +333,7 @@ export function CookieManagementDialog({
  const toggleCookie = useCallback(
    (domain: string, cookieName: string, totalCookies: number) => {
      setExportSelection((prev) => {
-        const current = prev[domain] || {
+        const current = prev[domain] ?? {
          allSelected: false,
          cookies: new Set<string>(),
        };
@@ -485,7 +489,9 @@ export function CookieManagementDialog({
              <Label>Format</Label>
              <Select
                value={format}
-                onValueChange={(v) => setFormat(v as "netscape" | "json")}
+                onValueChange={(v) => {
+                  setFormat(v as "netscape" | "json");
+                }}
              >
                <SelectTrigger>
                  <SelectValue />
@@ -589,8 +595,8 @@ function ExportDomainRow({
  onToggleExpand,
 }: ExportDomainRowProps) {
  const domainSelection = selection[domain.domain];
-  const isAllSelected = domainSelection?.allSelected || false;
-  const selectedCount = domainSelection?.cookies.size || 0;
+  const isAllSelected = domainSelection?.allSelected ?? false;
+  const selectedCount = domainSelection?.cookies.size ?? 0;
  const isPartial =
    selectedCount > 0 && selectedCount < domain.cookie_count && !isAllSelected;

@@ -599,13 +605,17 @@ function ExportDomainRow({
      <div className="flex items-center gap-2 p-1.5 hover:bg-accent/50 rounded">
        <Checkbox
          checked={isAllSelected || isPartial}
-          onCheckedChange={() => onToggleDomain(domain.domain, domain.cookies)}
+          onCheckedChange={() => {
+            onToggleDomain(domain.domain, domain.cookies);
+          }}
          className={isPartial ? "opacity-70" : ""}
        />
        <button
          type="button"
          className="flex items-center gap-1 flex-1 text-left text-sm bg-transparent border-none cursor-pointer"
-          onClick={() => onToggleExpand(domain.domain)}
+          onClick={() => {
+            onToggleExpand(domain.domain);
+          }}
        >
          {isExpanded ? (
            <LuChevronDown className="w-3.5 h-3.5" />
@@ -622,7 +632,7 @@ function ExportDomainRow({
        <div className="ml-7 pl-2 border-l space-y-0.5">
          {domain.cookies.map((cookie) => {
            const isSelected =
-              domainSelection?.cookies.has(cookie.name) || false;
+              domainSelection?.cookies.has(cookie.name) ?? false;
            return (
              <div
                key={`${domain.domain}-${cookie.name}`}
@@ -630,13 +640,13 @@ function ExportDomainRow({
              >
                <Checkbox
                  checked={isSelected || isAllSelected}
-                  onCheckedChange={() =>
+                  onCheckedChange={() => {
                    onToggleCookie(
                      domain.domain,
                      cookie.name,
                      domain.cookie_count,
-                    )
-                  }
+                    );
+                  }}
                />
                <span className="truncate">{cookie.name}</span>
              </div>
@@ -80,7 +80,9 @@ export function CreateGroupDialog({
              id="group-name"
              placeholder="Enter group name..."
              value={groupName}
-              onChange={(e) => setGroupName(e.target.value)}
+              onChange={(e) => {
+                setGroupName(e.target.value);
+              }}
              onKeyDown={(e) => {
                if (e.key === "Enter" && groupName.trim()) {
                  void handleCreate();
@@ -84,6 +84,8 @@ interface CreateProfileDialogProps {
    groupId?: string;
    extensionGroupId?: string;
    ephemeral?: boolean;
+    dnsBlocklist?: string;
+    launchHook?: string;
  }) => Promise<void>;
  selectedGroupId?: string;
  crossOsUnlocked?: boolean;
@@ -124,6 +126,8 @@ export function CreateProfileDialog({
    useState<BrowserTypeString | null>(null);
  const [selectedProxyId, setSelectedProxyId] = useState<string>();
  const [proxyPopoverOpen, setProxyPopoverOpen] = useState(false);
+  const [dnsBlocklist, setDnsBlocklist] = useState<string>("");
+  const [launchHook, setLaunchHook] = useState("");

  // Camoufox anti-detect states
  const [camoufoxConfig, setCamoufoxConfig] = useState<CamoufoxConfig>(() => ({
@@ -148,6 +152,7 @@ export function CreateProfileDialog({
    setSelectedBrowser(null);
    setProfileName("");
    setSelectedProxyId(undefined);
+    setLaunchHook("");
  };

  const handleTabChange = (value: string) => {
@@ -156,6 +161,7 @@ export function CreateProfileDialog({
    setSelectedBrowser(null);
    setProfileName("");
    setSelectedProxyId(undefined);
+    setLaunchHook("");
  };

  const [supportedBrowsers, setSupportedBrowsers] = useState<string[]>([]);
@@ -172,11 +178,13 @@ export function CreateProfileDialog({

  useEffect(() => {
    if (isOpen) {
-      invoke<{ id: string; name: string; extension_ids: string[] }[]>(
+      void invoke<{ id: string; name: string; extension_ids: string[] }[]>(
        "list_extension_groups",
      )
        .then(setExtensionGroups)
-        .catch(() => setExtensionGroups([]));
+        .catch(() => {
+          setExtensionGroups([]);
+        });
    }
  }, [isOpen]);
  const [releaseTypes, setReleaseTypes] = useState<BrowserReleaseTypes>();
@@ -393,6 +401,8 @@ export function CreateProfileDialog({
              selectedGroupId !== "default" ? selectedGroupId : undefined,
            extensionGroupId: selectedExtensionGroupId,
            ephemeral,
+            dnsBlocklist: dnsBlocklist || undefined,
+            launchHook: launchHook.trim() || undefined,
          });
        } else {
          // Default to Camoufox
@@ -418,6 +428,8 @@ export function CreateProfileDialog({
              selectedGroupId !== "default" ? selectedGroupId : undefined,
            extensionGroupId: selectedExtensionGroupId,
            ephemeral,
+            dnsBlocklist: dnsBlocklist || undefined,
+            launchHook: launchHook.trim() || undefined,
          });
        }
      } else {
@@ -441,6 +453,8 @@ export function CreateProfileDialog({
          releaseType: bestVersion.releaseType,
          proxyId: selectedProxyId,
          groupId: selectedGroupId !== "default" ? selectedGroupId : undefined,
+          dnsBlocklist: dnsBlocklist || undefined,
+          launchHook: launchHook.trim() || undefined,
        });
      }

@@ -462,6 +476,7 @@ export function CreateProfileDialog({
    setActiveTab("anti-detect");
    setSelectedBrowser(null);
    setSelectedProxyId(undefined);
+    setLaunchHook("");
    setReleaseTypes({});
    setIsLoadingReleaseTypes(false);
    setReleaseTypesError(null);
@@ -553,7 +568,9 @@ export function CreateProfileDialog({
                      <div className="space-y-3 pt-8">
                        {/* Wayfern (Chromium) - First */}
                        <Button
-                          onClick={() => handleBrowserSelect("wayfern")}
+                          onClick={() => {
+                            handleBrowserSelect("wayfern");
+                          }}
                          className="flex gap-3 justify-start items-center p-4 w-full h-16 border-2 transition-colors hover:border-primary/50"
                          variant="outline"
                        >
@@ -577,7 +594,9 @@ export function CreateProfileDialog({

                        {/* Camoufox (Firefox) - Second */}
                        <Button
-                          onClick={() => handleBrowserSelect("camoufox")}
+                          onClick={() => {
+                            handleBrowserSelect("camoufox");
+                          }}
                          className="flex gap-3 justify-start items-center p-4 w-full h-16 border-2 transition-colors hover:border-primary/50"
                          variant="outline"
                        >
@@ -620,9 +639,9 @@ export function CreateProfileDialog({
                            return (
                              <Button
                                key={browser.value}
-                                onClick={() =>
-                                  handleBrowserSelect(browser.value)
-                                }
+                                onClick={() => {
+                                  handleBrowserSelect(browser.value);
+                                }}
                                className="flex gap-3 justify-start items-center p-4 w-full h-16 border-2 transition-colors hover:border-primary/50"
                                variant="outline"
                              >
@@ -657,14 +676,16 @@ export function CreateProfileDialog({
                          <Input
                            id="profile-name"
                            value={profileName}
-                            onChange={(e) => setProfileName(e.target.value)}
+                            onChange={(e) => {
+                              setProfileName(e.target.value);
+                            }}
                            onKeyDown={(e) => {
                              if (
                                e.key === "Enter" &&
                                !isCreateDisabled &&
                                !isCreating
                              ) {
-                                handleCreate();
+                                void handleCreate();
                              }
                            }}
                            placeholder="Enter profile name"
@@ -677,9 +698,9 @@ export function CreateProfileDialog({
                            <Checkbox
                              id="ephemeral"
                              checked={ephemeral}
-                              onCheckedChange={(checked) =>
-                                setEphemeral(checked === true)
-                              }
+                              onCheckedChange={(checked) => {
+                                setEphemeral(checked === true);
+                              }}
                            />
                            <Label htmlFor="ephemeral" className="font-medium">
                              {t("profiles.ephemeral")}
@@ -746,7 +767,9 @@ export function CreateProfileDialog({
                                    })()}
                                  </p>
                                  <LoadingButton
-                                    onClick={() => handleDownload("wayfern")}
+                                    onClick={() => {
+                                      void handleDownload("wayfern");
+                                    }}
                                    isLoading={isBrowserCurrentlyDownloading(
                                      "wayfern",
                                    )}
@@ -848,7 +871,9 @@ export function CreateProfileDialog({
                                    })()}
                                  </p>
                                  <LoadingButton
-                                    onClick={() => handleDownload("camoufox")}
+                                    onClick={() => {
+                                      void handleDownload("camoufox");
+                                    }}
                                    isLoading={isBrowserCurrentlyDownloading(
                                      "camoufox",
                                    )}
@@ -955,9 +980,9 @@ export function CreateProfileDialog({
                                        })()}
                                      </p>
                                      <LoadingButton
-                                        onClick={() =>
-                                          handleDownload(selectedBrowser)
-                                        }
+                                        onClick={() => {
+                                          void handleDownload(selectedBrowser);
+                                        }}
                                        isLoading={isBrowserCurrentlyDownloading(
                                          selectedBrowser,
                                        )}
@@ -1014,7 +1039,9 @@ export function CreateProfileDialog({
                            <RippleButton
                              size="sm"
                              variant="outline"
-                              onClick={() => setShowProxyForm(true)}
+                              onClick={() => {
+                                setShowProxyForm(true);
+                              }}
                              className="px-2 h-7 text-xs"
                            >
                              <GoPlus className="mr-1 w-3 h-3" /> Add Proxy
@@ -1148,17 +1175,71 @@ export function CreateProfileDialog({
                          )}
                        </div>

+                        <div className="space-y-2">
+                          <Label htmlFor="launch-hook-url">
+                            {t("createProfile.launchHook.label")}
+                          </Label>
+                          <Input
+                            id="launch-hook-url"
+                            value={launchHook}
+                            onChange={(e) => {
+                              setLaunchHook(e.target.value);
+                            }}
+                            placeholder={t(
+                              "createProfile.launchHook.placeholder",
+                            )}
+                            disabled={isCreating}
+                          />
+                        </div>
+
+                        {/* DNS Blocklist */}
+                        <div className="space-y-2">
+                          <Label>{t("dnsBlocklist.title")}</Label>
+                          <Select
+                            value={dnsBlocklist || "none"}
+                            onValueChange={(val) => {
+                              setDnsBlocklist(val === "none" ? "" : val);
+                            }}
+                          >
+                            <SelectTrigger>
+                              <SelectValue
+                                placeholder={t("dnsBlocklist.none")}
+                              />
+                            </SelectTrigger>
+                            <SelectContent>
+                              <SelectItem value="none">
+                                {t("dnsBlocklist.none")}
+                              </SelectItem>
+                              <SelectItem value="light">
+                                {t("dnsBlocklist.light")}
+                              </SelectItem>
+                              <SelectItem value="normal">
+                                {t("dnsBlocklist.normal")}
+                              </SelectItem>
+                              <SelectItem value="pro">
+                                {t("dnsBlocklist.pro")}
+                              </SelectItem>
+                              <SelectItem value="pro_plus">
+                                {t("dnsBlocklist.proPlus")}
+                              </SelectItem>
+                              <SelectItem value="ultimate">
+                                {t("dnsBlocklist.ultimate")}
+                              </SelectItem>
+                            </SelectContent>
+                          </Select>
+                        </div>
+
                        {/* Extension Group */}
                        {extensionGroups.length > 0 && (
                          <div className="space-y-2">
                            <Label>{t("extensions.extensionGroup")}</Label>
                            <Select
-                              value={selectedExtensionGroupId || "none"}
-                              onValueChange={(val) =>
+                              value={selectedExtensionGroupId ?? "none"}
+                              onValueChange={(val) => {
                                setSelectedExtensionGroupId(
                                  val === "none" ? undefined : val,
-                                )
-                              }
+                                );
+                              }}
                            >
                              <SelectTrigger>
                                <SelectValue
@@ -1190,14 +1271,16 @@ export function CreateProfileDialog({
                          <Input
                            id="profile-name"
                            value={profileName}
-                            onChange={(e) => setProfileName(e.target.value)}
+                            onChange={(e) => {
+                              setProfileName(e.target.value);
+                            }}
                            onKeyDown={(e) => {
                              if (
                                e.key === "Enter" &&
                                !isCreateDisabled &&
                                !isCreating
                              ) {
-                                handleCreate();
+                                void handleCreate();
                              }
                            }}
                            placeholder="Enter profile name"
@@ -1251,9 +1334,9 @@ export function CreateProfileDialog({
                                      })()}
                                    </p>
                                    <LoadingButton
-                                      onClick={() =>
-                                        handleDownload(selectedBrowser)
-                                      }
+                                      onClick={() => {
+                                        void handleDownload(selectedBrowser);
+                                      }}
                                      isLoading={isBrowserCurrentlyDownloading(
                                        selectedBrowser,
                                      )}
@@ -1305,7 +1388,9 @@ export function CreateProfileDialog({
                            <RippleButton
                              size="sm"
                              variant="outline"
-                              onClick={() => setShowProxyForm(true)}
+                              onClick={() => {
+                                setShowProxyForm(true);
+                              }}
                              className="px-2 h-7 text-xs"
                            >
                              <GoPlus className="mr-1 w-3 h-3" /> Add Proxy
@@ -1438,6 +1523,23 @@ export function CreateProfileDialog({
                            </div>
                          )}
                        </div>
+
+                        <div className="space-y-2">
+                          <Label htmlFor="launch-hook-url-regular">
+                            {t("createProfile.launchHook.label")}
+                          </Label>
+                          <Input
+                            id="launch-hook-url-regular"
+                            value={launchHook}
+                            onChange={(e) => {
+                              setLaunchHook(e.target.value);
+                            }}
+                            placeholder={t(
+                              "createProfile.launchHook.placeholder",
+                            )}
+                            disabled={isCreating}
+                          />
+                        </div>
                      </div>
                    </TabsContent>
                  </>
@@ -1470,7 +1572,9 @@ export function CreateProfileDialog({
      </DialogContent>
      <ProxyFormDialog
        isOpen={showProxyForm}
-        onClose={() => setShowProxyForm(false)}
+        onClose={() => {
+          setShowProxyForm(false);
+        }}
      />
    </Dialog>
  );
@@ -363,15 +363,17 @@ export function UnifiedToast(props: ToastProps) {
          </>
        )}
        {action &&
-          "onClick" in (action as any) &&
-          "label" in (action as any) && (
+          "onClick" in (action as { onClick?: () => void; label?: string }) &&
+          "label" in (action as { onClick?: () => void; label?: string }) && (
            <div className="mt-2 w-full">
              <RippleButton
                size="sm"
                className="ml-auto"
-                onClick={(action as any).onClick}
+                onClick={
+                  (action as { onClick: () => void; label: string }).onClick
+                }
              >
-                {(action as any).label}
+                {(action as { onClick: () => void; label: string }).label}
              </RippleButton>
            </div>
          )}
@@ -40,11 +40,13 @@ function DataTableActionBar<TData>({
      }
    }
    window.addEventListener("keydown", onKeyDown);
-    return () => window.removeEventListener("keydown", onKeyDown);
+    return () => {
+      window.removeEventListener("keydown", onKeyDown);
+    };
  }, [table]);

  const portalContainer =
-    portalContainerProp ?? (mounted ? globalThis.document?.body : null);
+    portalContainerProp ?? (mounted ? globalThis.document.body : null);

  if (!portalContainer) return null;

@@ -2,6 +2,7 @@

 import { invoke } from "@tauri-apps/api/core";
 import { useCallback, useEffect, useState } from "react";
+import { useTranslation } from "react-i18next";
 import { toast } from "sonner";
 import { LoadingButton } from "@/components/loading-button";
 import {
@@ -31,6 +32,7 @@ export function DeleteGroupDialog({
  group,
  onGroupDeleted,
 }: DeleteGroupDialogProps) {
+  const { t } = useTranslation();
  const [associatedProfiles, setAssociatedProfiles] = useState<
    BrowserProfile[]
  >([]);
@@ -148,14 +150,14 @@ export function DeleteGroupDialog({
                    <Label>What should happen to these profiles?</Label>
                    <RadioGroup
                      value={deleteAction}
-                      onValueChange={(value) =>
-                        setDeleteAction(value as "move" | "delete")
-                      }
+                      onValueChange={(value) => {
+                        setDeleteAction(value as "move" | "delete");
+                      }}
                    >
                      <div className="flex items-center space-x-2">
                        <RadioGroupItem value="move" id="move" />
                        <Label htmlFor="move" className="text-sm">
-                          Move profiles to Default group
+                          {t("groups.moveToDefault")}
                        </Label>
                      </div>
                      <div className="flex items-center space-x-2">
--- a/Show More
+++ b/Show More