Merge pull request #246 from zhom/contributors-readme-action-dXBtBkB7Gr

docs(contributor): contributors readme action update

.github/workflows/contributors.yml

@@ -14,6 +14,7 @@ permissions:
 
 jobs:
   contrib-readme-job:
+    if: github.repository == 'zhom/donutbrowser'
     runs-on: ubuntu-latest
     name: Automatically update the contributors list in the README
     permissions:

.github/workflows/dependabot-automerge.yml

@@ -12,7 +12,7 @@ permissions:
 jobs:
   security-scan:
     name: Security Vulnerability Scan
-    if: ${{ github.actor == 'dependabot[bot]' }}
+    if: github.repository == 'zhom/donutbrowser' && github.actor == 'dependabot[bot]'
     uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@c5996e0193a3df57d695c1b8a1dec2a4c62e8730" # v2.3.3
     with:
       scan-args: |-
@@ -28,7 +28,7 @@ jobs:
 
   lint-js:
     name: Lint JavaScript/TypeScript
-    if: ${{ github.actor == 'dependabot[bot]' }}
+    if: github.repository == 'zhom/donutbrowser' && github.actor == 'dependabot[bot]'
     uses: ./.github/workflows/lint-js.yml
     secrets: inherit
     permissions:
@@ -36,7 +36,7 @@ jobs:
 
   lint-rust:
     name: Lint Rust
-    if: ${{ github.actor == 'dependabot[bot]' }}
+    if: github.repository == 'zhom/donutbrowser' && github.actor == 'dependabot[bot]'
     uses: ./.github/workflows/lint-rs.yml
     secrets: inherit
     permissions:
@@ -44,7 +44,7 @@ jobs:
 
   codeql:
     name: CodeQL
-    if: ${{ github.actor == 'dependabot[bot]' }}
+    if: github.repository == 'zhom/donutbrowser' && github.actor == 'dependabot[bot]'
     uses: ./.github/workflows/codeql.yml
     secrets: inherit
     permissions:
@@ -55,7 +55,7 @@ jobs:
 
   spellcheck:
     name: Spell Check
-    if: ${{ github.actor == 'dependabot[bot]' }}
+    if: github.repository == 'zhom/donutbrowser' && github.actor == 'dependabot[bot]'
     uses: ./.github/workflows/spellcheck.yml
     secrets: inherit
     permissions:
@@ -63,7 +63,7 @@ jobs:
 
   dependabot-automerge:
     name: Dependabot Automerge
-    if: ${{ github.actor == 'dependabot[bot]' }}
+    if: github.repository == 'zhom/donutbrowser' && github.actor == 'dependabot[bot]'
     needs: [security-scan, lint-js, lint-rust, codeql, spellcheck]
     runs-on: ubuntu-latest
     steps:

.github/workflows/flake-test.yml

@@ -0,0 +1,49 @@
+name: Flake Test
+
+on:
+  pull_request:
+    paths:
+      - "flake.nix"
+      - "flake.lock"
+      - ".github/workflows/flake-test.yml"
+  push:
+    branches:
+      - main
+    paths:
+      - "flake.nix"
+      - "flake.lock"
+      - ".github/workflows/flake-test.yml"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  flake:
+    name: validate-flake
+    runs-on: ubuntu-22.04
+    timeout-minutes: 90
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@v31
+        with:
+          extra_nix_config: |
+            experimental-features = nix-command flakes
+
+      - name: Evaluate flake outputs
+        run: nix flake show --all-systems
+
+      - name: Check setup app is exposed
+        run: nix eval .#apps.x86_64-linux.setup.program --raw
+
+      - name: Run flake setup app
+        env:
+          CI: "true"
+        run: nix run .#setup
+
+      - name: Run flake info app
+        run: nix run .#info

.github/workflows/issue-validation.yml

@@ -14,17 +14,13 @@ permissions:
   contents: read
   issues: write
   pull-requests: write
-  models: read
   id-token: write
 
 jobs:
   analyze-issue:
-    if: github.event_name == 'issues'
+    if: github.repository == 'zhom/donutbrowser' && github.event_name == 'issues'
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
-
       - name: Check if first-time contributor
         id: check-first-time
         env:
@@ -41,40 +37,87 @@ jobs:
             echo "is_first_time=false" >> $GITHUB_OUTPUT
           fi
 
-      - name: Analyze issue
-        uses: anomalyco/opencode/github@d954026dd855e018302a6c0733a1dd74140931df #v1.2.26
+      - name: Analyze issue with AI
         env:
-          ZHIPU_API_KEY: ${{ secrets.ZHIPU_API_KEY }}
-          TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          model: zai-coding-plan/glm-4.7
-          prompt: |
-            You are a triage bot for Donut Browser (open-source anti-detect browser, Tauri + Next.js + Rust).
+          OPENROUTER_API_KEY: ${{ secrets.OPENROUTER_API_KEY }}
+          ISSUE_TITLE: ${{ github.event.issue.title }}
+          ISSUE_BODY: ${{ github.event.issue.body }}
+          ISSUE_AUTHOR: ${{ github.event.issue.user.login }}
+          IS_FIRST_TIME: ${{ steps.check-first-time.outputs.is_first_time }}
+        run: |
+          GREETING=""
+          if [ "$IS_FIRST_TIME" = "true" ]; then
+            GREETING='This is a first-time contributor. Start your comment with: "Thanks for opening your first issue!"'
+          fi
 
-            ${{ steps.check-first-time.outputs.is_first_time == 'true' && 'This is a first-time contributor. Start your comment with: "Thanks for opening your first issue!"' || '' }}
+          # Write all user content to files to avoid shell escaping issues
+          printf '%s' "$ISSUE_TITLE" > /tmp/issue-title.txt
+          printf '%s' "${ISSUE_BODY:-}" > /tmp/issue-body.txt
+          printf '%s' "$ISSUE_AUTHOR" > /tmp/issue-author.txt
+          printf '%s' "$GREETING" > /tmp/greeting.txt
 
-            Analyze this issue and post a single concise comment. Format:
+          # Build the JSON payload entirely in jq — never interpolate user content in shell
+          PAYLOAD=$(jq -n \
+            --rawfile title /tmp/issue-title.txt \
+            --rawfile body /tmp/issue-body.txt \
+            --rawfile author /tmp/issue-author.txt \
+            --rawfile greeting /tmp/greeting.txt \
+            '{
+              model: "z-ai/glm-5",
+              max_tokens: 1024,
+              messages: [
+                {
+                  role: "system",
+                  content: "You are a triage bot for Donut Browser (open-source anti-detect browser, Tauri + Next.js + Rust).\n\nAnalyze the issue and produce a single concise comment. Format:\n\n1. One sentence acknowledging what the user wants.\n2. A short **Action items** list - what specific info is missing or what the user should do next. Only include items that are actually missing. If the issue is complete, say so and skip this section.\n3. Suggest a label at the very end of your response on its own line in the exact format: Label: bug OR Label: enhancement\n\nRules:\n- Be brief. No filler, no generic tips, no templates.\n- If it is a bug report, check for: reproduction steps, OS/version, error messages. Only ask for what is actually missing.\n- If it is a feature request, check for: clear description of desired behavior, use case. Only ask for what is actually missing.\n- If the issue already has everything needed, just acknowledge it.\n- Never exceed 6 items total."
+                },
+                {
+                  role: "user",
+                  content: (
+                    (if ($greeting | length) > 0 then $greeting + "\n\n" else "" end) +
+                    "Analyze this issue:\n\nTitle: " + $title +
+                    "\nAuthor: " + $author +
+                    "\n\nBody:\n" + $body
+                  )
+                }
+              ]
+            }')
 
-            1. One sentence acknowledging what the user wants.
-            2. A short **Action items** list — what specific info is missing or what the user should do next. Only include items that are actually missing. If the issue is complete, say so and skip this section.
-            3. Label the issue: add "bug" label for bug reports, "enhancement" label for feature requests.
+          RESPONSE=$(curl -fsSL https://openrouter.ai/api/v1/chat/completions \
+            -H "Authorization: Bearer $OPENROUTER_API_KEY" \
+            -H "Content-Type: application/json" \
+            -d "$PAYLOAD")
 
-            Rules:
-            - Be brief. No filler, no generic tips, no templates.
-            - If it's a bug report, check for: reproduction steps, OS/version, error messages. Only ask for what's actually missing.
-            - If it's a feature request, check for: clear description of desired behavior, use case. Only ask for what's actually missing.
-            - If the issue already has everything needed, just acknowledge it and label it.
-            - Never exceed 6 items total.
+          # Extract the comment using jq — never parse AI output in shell
+          jq -r '.choices[0].message.content // empty' <<< "$RESPONSE" > /tmp/ai-comment.txt
+
+          if [ ! -s /tmp/ai-comment.txt ]; then
+            echo "::error::AI response was empty"
+            echo "Raw response:"
+            echo "$RESPONSE"
+            exit 1
+          fi
+
+      - name: Post comment and label
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          ISSUE_NUMBER: ${{ github.event.issue.number }}
+        run: |
+          # Extract and strip the label line before posting
+          LABEL=$(grep -oP '^Label:\s*\K.*' /tmp/ai-comment.txt | tail -1 | tr '[:upper:]' '[:lower:]' | xargs)
+          sed -i '/^Label:/d' /tmp/ai-comment.txt
+
+          gh issue comment "$ISSUE_NUMBER" --repo "$GITHUB_REPOSITORY" --body-file /tmp/ai-comment.txt
+
+          if [ "$LABEL" = "bug" ]; then
+            gh issue edit "$ISSUE_NUMBER" --repo "$GITHUB_REPOSITORY" --add-label "bug" 2>/dev/null || true
+          elif [ "$LABEL" = "enhancement" ]; then
+            gh issue edit "$ISSUE_NUMBER" --repo "$GITHUB_REPOSITORY" --add-label "enhancement" 2>/dev/null || true
+          fi
 
   analyze-pr:
-    if: github.event_name == 'pull_request_target' && github.actor != 'dependabot[bot]'
+    if: github.repository == 'zhom/donutbrowser' && github.event_name == 'pull_request_target' && github.actor != 'dependabot[bot]'
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
-        with:
-          fetch-depth: 0
-
       - name: Check if first-time contributor
         id: check-first-time
         env:
@@ -91,33 +134,91 @@ jobs:
             echo "is_first_time=false" >> $GITHUB_OUTPUT
           fi
 
-      - name: Analyze PR
-        uses: anomalyco/opencode/github@d954026dd855e018302a6c0733a1dd74140931df #v1.2.26
+      - name: Analyze PR with AI
         env:
-          ZHIPU_API_KEY: ${{ secrets.ZHIPU_API_KEY }}
-          TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          model: zai-coding-plan/glm-4.7
-          prompt: |
-            You are a review bot for Donut Browser (open-source anti-detect browser, Tauri + Next.js + Rust).
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          OPENROUTER_API_KEY: ${{ secrets.OPENROUTER_API_KEY }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          PR_TITLE: ${{ github.event.pull_request.title }}
+          PR_BODY: ${{ github.event.pull_request.body }}
+          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
+          PR_BASE: ${{ github.event.pull_request.base.ref }}
+          PR_HEAD: ${{ github.event.pull_request.head.ref }}
+          IS_FIRST_TIME: ${{ steps.check-first-time.outputs.is_first_time }}
+        run: |
+          GREETING=""
+          if [ "$IS_FIRST_TIME" = "true" ]; then
+            GREETING='This is a first-time contributor. Start your comment with: "Thanks for your first PR!"'
+          fi
 
-            ${{ steps.check-first-time.outputs.is_first_time == 'true' && 'This is a first-time contributor. Start your comment with: "Thanks for your first PR!"' || '' }}
+          # Write all user content to files to avoid shell escaping issues
+          printf '%s' "$PR_TITLE" > /tmp/pr-title.txt
+          printf '%s' "${PR_BODY:-}" > /tmp/pr-body.txt
+          printf '%s' "$PR_AUTHOR" > /tmp/pr-author.txt
+          printf '%s' "$PR_BASE" > /tmp/pr-base.txt
+          printf '%s' "$PR_HEAD" > /tmp/pr-head.txt
+          printf '%s' "$GREETING" > /tmp/greeting.txt
 
-            Review this PR and post a single concise comment. Format:
+          gh api "/repos/$GITHUB_REPOSITORY/pulls/$PR_NUMBER/files" \
+            --jq '.[] | "- \(.filename) (\(.status)) +\(.additions)/-\(.deletions)"' \
+            > /tmp/pr-files.txt
 
-            1. One sentence summarizing what this PR does.
-            2. **Action items** — only list things that actually need to be fixed or addressed. If the PR looks good, say so and skip this section.
+          # Build the JSON payload entirely in jq — never interpolate user content in shell
+          PAYLOAD=$(jq -n \
+            --rawfile title /tmp/pr-title.txt \
+            --rawfile body /tmp/pr-body.txt \
+            --rawfile author /tmp/pr-author.txt \
+            --rawfile base /tmp/pr-base.txt \
+            --rawfile head /tmp/pr-head.txt \
+            --rawfile files /tmp/pr-files.txt \
+            --rawfile greeting /tmp/greeting.txt \
+            '{
+              model: "z-ai/glm-5",
+              max_tokens: 1024,
+              messages: [
+                {
+                  role: "system",
+                  content: "You are a review bot for Donut Browser (open-source anti-detect browser, Tauri + Next.js + Rust).\n\nReview this PR and produce a single concise comment. Format:\n\n1. One sentence summarizing what this PR does.\n2. **Action items** - only list things that actually need to be fixed or addressed. If the PR looks good, say so and skip this section.\n\nRules:\n- Be brief. No filler, no praise padding.\n- Focus on: bugs, security issues, missing edge cases, breaking changes.\n- If the PR touches UI text or adds new strings, remind to update translation files in src/i18n/locales/.\n- If the PR modifies Tauri commands, remind to check the unused-commands test.\n- Do not nitpick style or formatting - the project has automated linting.\n- Never exceed 8 lines total."
+                },
+                {
+                  role: "user",
+                  content: (
+                    (if ($greeting | length) > 0 then $greeting + "\n\n" else "" end) +
+                    "Review this PR:\n\nTitle: " + $title +
+                    "\nAuthor: " + $author +
+                    "\nBase: " + $base + " <- Head: " + $head +
+                    "\n\nDescription:\n" + $body +
+                    "\n\nChanged files:\n" + $files
+                  )
+                }
+              ]
+            }')
 
-            Rules:
-            - Be brief. No filler, no praise padding.
-            - Focus on: bugs, security issues, missing edge cases, breaking changes.
-            - If the PR touches UI text or adds new strings, remind to update translation files in src/i18n/locales/.
-            - If the PR modifies Tauri commands, remind to check the unused-commands test.
-            - Do not nitpick style or formatting — the project has automated linting.
-            - Never exceed 8 lines total.
+          RESPONSE=$(curl -fsSL https://openrouter.ai/api/v1/chat/completions \
+            -H "Authorization: Bearer $OPENROUTER_API_KEY" \
+            -H "Content-Type: application/json" \
+            -d "$PAYLOAD")
+
+          # Extract the comment using jq — never parse AI output in shell
+          jq -r '.choices[0].message.content // empty' <<< "$RESPONSE" > /tmp/ai-comment.txt
+
+          if [ ! -s /tmp/ai-comment.txt ]; then
+            echo "::error::AI response was empty"
+            echo "Raw response:"
+            echo "$RESPONSE"
+            exit 1
+          fi
+
+      - name: Post comment
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+        run: |
+          gh pr comment "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --body-file /tmp/ai-comment.txt
 
   opencode-command:
     if: |
+      github.repository == 'zhom/donutbrowser' &&
       (github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment') &&
       (contains(github.event.comment.body, ' /oc') ||
        startsWith(github.event.comment.body, '/oc') ||
@@ -129,7 +230,7 @@ jobs:
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
 
       - name: Run opencode
-        uses: anomalyco/opencode/github@d954026dd855e018302a6c0733a1dd74140931df #v1.2.26
+        uses: anomalyco/opencode/github@4ee426ba549131c4903a71dfb6259200467aca81 #v1.2.27
         env:
           ZHIPU_API_KEY: ${{ secrets.ZHIPU_API_KEY }}
           TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release-notes-generator.yml

@@ -13,7 +13,7 @@ permissions:
 jobs:
   generate-release-notes:
     runs-on: ubuntu-latest
-    if: github.event.workflow_run.conclusion == 'success' && startsWith(github.event.workflow_run.head_branch, 'v')
+    if: github.repository == 'zhom/donutbrowser' && github.event.workflow_run.conclusion == 'success' && startsWith(github.event.workflow_run.head_branch, 'v')
 
     steps:
       - name: Checkout repository

.github/workflows/release.yml

@@ -18,6 +18,7 @@ env:
 
 jobs:
   security-scan:
+    if: github.repository == 'zhom/donutbrowser'
     name: Security Vulnerability Scan
     uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@c5996e0193a3df57d695c1b8a1dec2a4c62e8730" # v2.3.3
     with:
@@ -33,6 +34,7 @@ jobs:
       actions: read
 
   lint-js:
+    if: github.repository == 'zhom/donutbrowser'
     name: Lint JavaScript/TypeScript
     uses: ./.github/workflows/lint-js.yml
     secrets: inherit
@@ -40,6 +42,7 @@ jobs:
       contents: read
 
   lint-rust:
+    if: github.repository == 'zhom/donutbrowser'
     name: Lint Rust
     uses: ./.github/workflows/lint-rs.yml
     secrets: inherit
@@ -47,6 +50,7 @@ jobs:
       contents: read
 
   codeql:
+    if: github.repository == 'zhom/donutbrowser'
     name: CodeQL
     uses: ./.github/workflows/codeql.yml
     secrets: inherit
@@ -57,6 +61,7 @@ jobs:
       actions: read
 
   spellcheck:
+    if: github.repository == 'zhom/donutbrowser'
     name: Spell Check
     uses: ./.github/workflows/spellcheck.yml
     secrets: inherit
@@ -64,6 +69,7 @@ jobs:
       contents: read
 
   release:
+    if: github.repository == 'zhom/donutbrowser'
     needs: [security-scan, lint-js, lint-rust, codeql, spellcheck]
     permissions:
       contents: write
@@ -202,7 +208,7 @@ jobs:
           rm -f $CERT_PATH $KEY_PATH $PEM_PATH $P12_PATH
 
       - name: Build Tauri app
-        uses: tauri-apps/tauri-action@73fb865345c54760d875b94642314f8c0c894afa #v0.6.1
+        uses: tauri-apps/tauri-action@84b9d35b5fc46c1e45415bdb6144030364f7ebc5 #v0.6.2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GITHUB_REF_NAME: ${{ github.ref_name }}
@@ -225,98 +231,135 @@ jobs:
           security delete-keychain $RUNNER_TEMP/app-signing.keychain-db || true
           rm -f $RUNNER_TEMP/build_certificate.p12 || true
 
-#      - name: Commit CHANGELOG.md
-#        uses: stefanzweifel/git-auto-commit-action@778341af668090896ca464160c2def5d1d1a3eb0 #v6.0.1
-#        with:
-#          branch: main
-#          commit_message: "docs: update CHANGELOG.md for ${{ github.ref_name }} [skip ci]"
-
-  publish-repos:
+  changelog:
+    if: github.repository == 'zhom/donutbrowser'
     needs: [release]
     runs-on: ubuntu-latest
     permissions:
-      contents: read
+      contents: write
     steps:
-      - name: Download Linux packages from release
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+        with:
+          ref: main
+          fetch-depth: 0
+
+      - name: Generate changelog
+        env:
+          TAG: ${{ github.ref_name }}
+        run: |
+          PREV_TAG=$(git tag --sort=-version:refname \
+            | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' \
+            | grep -v "^${TAG}$" \
+            | head -n 1)
+
+          if [ -z "$PREV_TAG" ]; then
+            PREV_TAG=$(git rev-list --max-parents=0 HEAD)
+          fi
+
+          echo "Generating changelog: ${PREV_TAG}..${TAG}"
+
+          features=""
+          fixes=""
+          refactors=""
+          perf=""
+          docs=""
+          maintenance=""
+          other=""
+
+          strip_prefix() { echo "$1" | sed -E 's/^[a-z]+(\([^)]*\))?: //'; }
+
+          while IFS= read -r msg; do
+            [ -z "$msg" ] && continue
+            case "$msg" in
+              feat\(*\):*|feat:*)
+                features="${features}- $(strip_prefix "$msg")"$'\n' ;;
+              fix\(*\):*|fix:*)
+                fixes="${fixes}- $(strip_prefix "$msg")"$'\n' ;;
+              refactor\(*\):*|refactor:*)
+                refactors="${refactors}- $(strip_prefix "$msg")"$'\n' ;;
+              perf\(*\):*|perf:*)
+                perf="${perf}- $(strip_prefix "$msg")"$'\n' ;;
+              docs\(*\):*|docs:*)
+                docs="${docs}- $(strip_prefix "$msg")"$'\n' ;;
+              build*|ci*|chore*|test*)
+                maintenance="${maintenance}- ${msg}"$'\n' ;;
+              *)
+                other="${other}- ${msg}"$'\n' ;;
+            esac
+          done < <(git log --pretty=format:"%s" "${PREV_TAG}..${TAG}" --no-merges)
+
+          {
+            echo "## ${TAG} ($(date -u +%Y-%m-%d))"
+            echo ""
+            [ -n "$features" ]    && printf "### Features\n\n%s\n" "$features"
+            [ -n "$fixes" ]       && printf "### Bug Fixes\n\n%s\n" "$fixes"
+            [ -n "$refactors" ]   && printf "### Refactoring\n\n%s\n" "$refactors"
+            [ -n "$perf" ]        && printf "### Performance\n\n%s\n" "$perf"
+            [ -n "$docs" ]        && printf "### Documentation\n\n%s\n" "$docs"
+            [ -n "$maintenance" ] && printf "### Maintenance\n\n%s\n" "$maintenance"
+            [ -n "$other" ]       && printf "### Other\n\n%s\n" "$other"
+          } > /tmp/release-changelog.md
+
+          echo "Generated changelog:"
+          cat /tmp/release-changelog.md
+
+      - name: Update CHANGELOG.md
+        run: |
+          if [ -f CHANGELOG.md ]; then
+            # Insert new entry after the "# Changelog" header (first 2 lines)
+            {
+              head -n 2 CHANGELOG.md
+              echo ""
+              cat /tmp/release-changelog.md
+              tail -n +3 CHANGELOG.md
+            } > CHANGELOG.tmp
+            mv CHANGELOG.tmp CHANGELOG.md
+          else
+            {
+              echo "# Changelog"
+              echo ""
+              cat /tmp/release-changelog.md
+            } > CHANGELOG.md
+          fi
+
+      - name: Commit CHANGELOG.md
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git add CHANGELOG.md
+          if git diff --cached --quiet; then
+            echo "No changelog changes to commit"
+          else
+            git commit -m "docs: update CHANGELOG.md for ${{ github.ref_name }} [skip ci]"
+            git push origin main
+          fi
+
+      - name: Update release notes
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAG: ${{ github.ref_name }}
         run: |
-          mkdir -p /tmp/packages
-          gh release download "$GITHUB_REF_NAME" \
-            --repo "$GITHUB_REPOSITORY" \
-            --pattern "*.deb" \
-            --dir /tmp/packages
-          gh release download "$GITHUB_REF_NAME" \
-            --repo "$GITHUB_REPOSITORY" \
-            --pattern "*.rpm" \
-            --dir /tmp/packages
-          echo "Downloaded packages:"
-          ls -la /tmp/packages/
+          gh release edit "$TAG" --notes-file /tmp/release-changelog.md
 
-      - name: Setup Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 #v6.3.0
-        with:
-          go-version: "1.23"
-          cache: false
-
-      - name: Install repogen
-        run: |
-          go install github.com/ralt/repogen/cmd/repogen@latest
-          echo "$(go env GOPATH)/bin" >> "$GITHUB_PATH"
-
-      - name: Sync existing repo metadata from R2
+  notify-discord:
+    if: github.repository == 'zhom/donutbrowser'
+    needs: [release]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Send Discord notification
         env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
-          AWS_DEFAULT_REGION: auto
-          R2_ENDPOINT: "https://${{ secrets.R2_ENDPOINT_URL }}"
-          R2_BUCKET: ${{ secrets.R2_BUCKET_NAME }}
+          DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_STABLE_WEBHOOK_URL }}
         run: |
-          mkdir -p /tmp/repo
-          aws s3 cp "s3://${R2_BUCKET}/dists" /tmp/repo/dists \
-            --endpoint-url "${R2_ENDPOINT}" --recursive 2>/dev/null || true
-          aws s3 cp "s3://${R2_BUCKET}/repodata" /tmp/repo/repodata \
-            --endpoint-url "${R2_ENDPOINT}" --recursive 2>/dev/null || true
+          VERSION="${GITHUB_REF_NAME}"
+          RELEASE_URL="https://github.com/${GITHUB_REPOSITORY}/releases/tag/${VERSION}"
 
-      - name: Generate repository with repogen
-        run: |
-          repogen generate \
-            --input-dir /tmp/packages \
-            --output-dir /tmp/repo \
-            --incremental \
-            --arch amd64,arm64 \
-            --origin "Donut Browser" \
-            --label "Donut Browser" \
-            --codename stable \
-            --components main \
-            --verbose
-
-      - name: Upload repository to R2
-        env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
-          AWS_DEFAULT_REGION: auto
-          R2_ENDPOINT: "https://${{ secrets.R2_ENDPOINT_URL }}"
-          R2_BUCKET: ${{ secrets.R2_BUCKET_NAME }}
-        run: |
-          aws s3 cp /tmp/repo/dists "s3://${R2_BUCKET}/dists" \
-            --endpoint-url "${R2_ENDPOINT}" --recursive
-          aws s3 cp /tmp/repo/pool "s3://${R2_BUCKET}/pool" \
-            --endpoint-url "${R2_ENDPOINT}" --recursive
-          aws s3 cp /tmp/repo/repodata "s3://${R2_BUCKET}/repodata" \
-            --endpoint-url "${R2_ENDPOINT}" --recursive
-          aws s3 cp /tmp/repo/Packages "s3://${R2_BUCKET}/Packages" \
-            --endpoint-url "${R2_ENDPOINT}" --recursive
-
-      - name: Verify upload
-        env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
-          AWS_DEFAULT_REGION: auto
-          R2_ENDPOINT: "https://${{ secrets.R2_ENDPOINT_URL }}"
-          R2_BUCKET: ${{ secrets.R2_BUCKET_NAME }}
-        run: |
-          echo "DEB repo:"
-          aws s3 ls "s3://${R2_BUCKET}/dists/stable/" --endpoint-url "${R2_ENDPOINT}" || echo "  (listing not available)"
-          echo "RPM repo:"
-          aws s3 ls "s3://${R2_BUCKET}/repodata/" --endpoint-url "${R2_ENDPOINT}" || echo "  (listing not available)"
+          curl -fsSL -H "Content-Type: application/json" \
+            -d "{
+              \"embeds\": [{
+                \"title\": \"Donut Browser ${VERSION} Released\",
+                \"url\": \"${RELEASE_URL}\",
+                \"description\": \"A new stable release of Donut Browser is available.\",
+                \"color\": 5814783
+              }]
+            }" \
+            "$DISCORD_WEBHOOK_URL"

.github/workflows/rolling-release.yml

@@ -17,6 +17,7 @@ env:
 
 jobs:
   security-scan:
+    if: github.repository == 'zhom/donutbrowser'
     name: Security Vulnerability Scan
     uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@c5996e0193a3df57d695c1b8a1dec2a4c62e8730" # v2.3.3
     with:
@@ -32,6 +33,7 @@ jobs:
       actions: read
 
   lint-js:
+    if: github.repository == 'zhom/donutbrowser'
     name: Lint JavaScript/TypeScript
     uses: ./.github/workflows/lint-js.yml
     secrets: inherit
@@ -39,6 +41,7 @@ jobs:
       contents: read
 
   lint-rust:
+    if: github.repository == 'zhom/donutbrowser'
     name: Lint Rust
     uses: ./.github/workflows/lint-rs.yml
     secrets: inherit
@@ -46,6 +49,7 @@ jobs:
       contents: read
 
   codeql:
+    if: github.repository == 'zhom/donutbrowser'
     name: CodeQL
     uses: ./.github/workflows/codeql.yml
     secrets: inherit
@@ -56,6 +60,7 @@ jobs:
       actions: read
 
   spellcheck:
+    if: github.repository == 'zhom/donutbrowser'
     name: Spell Check
     uses: ./.github/workflows/spellcheck.yml
     secrets: inherit
@@ -63,6 +68,7 @@ jobs:
       contents: read
 
   rolling-release:
+    if: github.repository == 'zhom/donutbrowser'
     needs: [security-scan, lint-js, lint-rust, codeql, spellcheck]
     permissions:
       contents: write
@@ -210,7 +216,7 @@ jobs:
           echo "Generated timestamp: ${TIMESTAMP}-${COMMIT_HASH}"
 
       - name: Build Tauri app
-        uses: tauri-apps/tauri-action@73fb865345c54760d875b94642314f8c0c894afa #v0.6.1
+        uses: tauri-apps/tauri-action@84b9d35b5fc46c1e45415bdb6144030364f7ebc5 #v0.6.2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           BUILD_TAG: "nightly-${{ steps.timestamp.outputs.timestamp }}"
@@ -236,6 +242,7 @@ jobs:
           rm -f $RUNNER_TEMP/build_certificate.p12 || true
 
   update-nightly-release:
+    if: github.repository == 'zhom/donutbrowser'
     needs: [rolling-release]
     runs-on: ubuntu-latest
     permissions:
@@ -250,6 +257,56 @@ jobs:
           COMMIT_HASH=$(echo "${GITHUB_SHA}" | cut -c1-7)
           echo "nightly_tag=nightly-${TIMESTAMP}-${COMMIT_HASH}" >> $GITHUB_OUTPUT
 
+      - name: Generate nightly changelog
+        id: nightly-changelog
+        run: |
+          LAST_STABLE=$(git tag --sort=-version:refname \
+            | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' \
+            | head -n 1)
+
+          if [ -z "$LAST_STABLE" ]; then
+            LAST_STABLE=$(git rev-list --max-parents=0 HEAD)
+          fi
+
+          COMMIT_SHORT=$(echo "${GITHUB_SHA}" | cut -c1-7)
+          {
+            echo "**Nightly build from main branch**"
+            echo ""
+            echo "Commit: ${GITHUB_SHA}"
+            echo "Changes since ${LAST_STABLE}:"
+            echo ""
+          } > /tmp/nightly-notes.md
+
+          strip_prefix() { echo "$1" | sed -E 's/^[a-z]+(\([^)]*\))?: //'; }
+
+          features=""
+          fixes=""
+          refactors=""
+          other=""
+
+          while IFS= read -r msg; do
+            [ -z "$msg" ] && continue
+            case "$msg" in
+              feat\(*\):*|feat:*)
+                features="${features}- $(strip_prefix "$msg")"$'\n' ;;
+              fix\(*\):*|fix:*)
+                fixes="${fixes}- $(strip_prefix "$msg")"$'\n' ;;
+              refactor\(*\):*|refactor:*)
+                refactors="${refactors}- $(strip_prefix "$msg")"$'\n' ;;
+              build*|ci*|chore*|test*|docs*|perf*)
+                ;; # skip maintenance commits from nightly notes
+              *)
+                other="${other}- ${msg}"$'\n' ;;
+            esac
+          done < <(git log --pretty=format:"%s" "${LAST_STABLE}..HEAD" --no-merges)
+
+          {
+            [ -n "$features" ]  && printf "### Features\n\n%s\n" "$features"
+            [ -n "$fixes" ]     && printf "### Bug Fixes\n\n%s\n" "$fixes"
+            [ -n "$refactors" ] && printf "### Refactoring\n\n%s\n" "$refactors"
+            [ -n "$other" ]     && printf "### Other\n\n%s\n" "$other"
+          } >> /tmp/nightly-notes.md
+
       - name: Update rolling nightly release
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -284,5 +341,28 @@ jobs:
             "$ASSETS_DIR"/Donut_aarch64.app.tar.gz \
             "$ASSETS_DIR"/Donut_x64.app.tar.gz \
             --title "Donut Browser Nightly" \
-            --notes "Automatically updated nightly build from the latest main branch.\n\nCommit: ${GITHUB_SHA}" \
+            --notes-file /tmp/nightly-notes.md \
             --prerelease
+
+  notify-discord:
+    if: github.repository == 'zhom/donutbrowser'
+    needs: [update-nightly-release]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Send Discord notification
+        env:
+          DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_NIGHTLY_WEBHOOK_URL }}
+        run: |
+          COMMIT_SHORT=$(echo "${GITHUB_SHA}" | cut -c1-7)
+          RELEASE_URL="https://github.com/${GITHUB_REPOSITORY}/releases/tag/nightly"
+
+          curl -fsSL -H "Content-Type: application/json" \
+            -d "{
+              \"embeds\": [{
+                \"title\": \"Donut Browser Nightly Updated\",
+                \"url\": \"${RELEASE_URL}\",
+                \"description\": \"A new nightly build is available (${COMMIT_SHORT}).\",
+                \"color\": 16752128
+              }]
+            }" \
+            "$DISCORD_WEBHOOK_URL"

.github/workflows/stale.yml

@@ -6,6 +6,7 @@ on:
 
 jobs:
   stale:
+    if: github.repository == 'zhom/donutbrowser'
     runs-on: ubuntu-latest
     permissions:
       issues: write

.vscode/settings.json

@@ -10,6 +10,7 @@
     "appindicator",
     "applescript",
     "asyncio",
+    "autocheckpoint",
     "autoconfig",
     "autologin",
     "biomejs",
@@ -46,6 +47,7 @@
     "desynced",
     "devedition",
     "direnv",
+    "diskutil",
     "distro",
     "dists",
     "DMABUF",
@@ -58,6 +60,7 @@
     "dtolnay",
     "dyld",
     "elif",
+    "erasevolume",
     "errorlevel",
     "esac",
     "esbuild",
@@ -82,6 +85,7 @@
     "idlelib",
     "idletime",
     "idna",
+    "imdisk",
     "infobars",
     "inkey",
     "Inno",
@@ -95,6 +99,7 @@
     "langpack",
     "launchservices",
     "letterboxing",
+    "leveldb",
     "libappindicator",
     "libatk",
     "libayatana",
@@ -114,6 +119,7 @@
     "macchiato",
     "Matchalk",
     "maxminddb",
+    "minidumps",
     "minioadmin",
     "mmdb",
     "mountpoint",
@@ -129,13 +135,16 @@
     "nodecar",
     "NODELAY",
     "nodemon",
+    "nomount",
     "norestart",
     "NSIS",
+    "ntfs",
     "ntlm",
     "numpy",
     "objc",
     "oneshot",
     "opencode",
+    "OPENROUTER",
     "orhun",
     "orjson",
     "osascript",
@@ -155,6 +164,7 @@
     "plasmohq",
     "platformdirs",
     "prefs",
+    "presign",
     "PRIO",
     "propertylist",
     "psutil",
@@ -179,6 +189,7 @@
     "rusqlite",
     "rustc",
     "rwxr",
+    "safebrowsing",
     "SARIF",
     "scipy",
     "screeninfo",
@@ -222,6 +233,7 @@
     "titlebar",
     "tkinter",
     "tmpfs",
+    "tombstoned",
     "tqdm",
     "trackingprotection",
     "trailhead",

README.md

@@ -36,14 +36,26 @@
 - Automatic updates for browsers
 - Set Donut Browser as your default browser to control in which profile to open links
 
-## Download
+## Install
 
-> For Linux, .deb and .rpm packages are available as well as standalone .AppImage files.
+### macOS
 
-The app can be downloaded from the [releases page](https://github.com/zhom/donutbrowser/releases/latest).
+```bash
+brew install --cask donut
+```
+
+### Linux
+
+```bash
+curl -fsSL https://donutbrowser.com/install.sh | sh
+```
+
+This sets up the package repository and installs Donut Browser via your system package manager. Supports Debian/Ubuntu, Fedora/RHEL, and openSUSE.
+
+Standalone `.AppImage` files are also available on the [releases page](https://github.com/zhom/donutbrowser/releases/latest).
 
 <details>
-<summary>Troubleshooting AppImage on Linux</summary>
+<summary>Troubleshooting AppImage</summary>
 
 If the AppImage segfaults on launch, install **libfuse2** (`sudo apt install libfuse2` / `yay -S libfuse2` / `sudo dnf install fuse-libs`), or bypass FUSE entirely:
 
@@ -55,11 +67,9 @@ If that gives an EGL display error, try adding `WEBKIT_DISABLE_DMABUF_RENDERER=1
 
 </details>
 
-<!-- ## Supported Platforms
+### Windows
 
-- ✅ **macOS** (Apple Silicon)
-- ✅ **Linux** (x64)
-- ✅ **Windows** (x64) -->
+Download the installer from the [releases page](https://github.com/zhom/donutbrowser/releases/latest).
 
 ## Development
 
@@ -77,7 +87,7 @@ Donut Browser supports syncing profiles, proxies, and groups across devices via
 
 ## Community
 
-Have questions or want to contribute? The team would love to hear from you!
+Have questions or want to contribute? I'd love to hear from you!
 
 - **Issues**: [GitHub Issues](https://github.com/zhom/donutbrowser/issues)
 - **Discussions**: [GitHub Discussions](https://github.com/zhom/donutbrowser/discussions)
@@ -112,6 +122,13 @@ Have questions or want to contribute? The team would love to hear from you!
                     <sub><b>Hassiy</b></sub>
                 </a>
             </td>
+            <td align="center">
+                <a href="https://github.com/drunkod">
+                    <img src="https://avatars.githubusercontent.com/u/9677471?v=4" width="100;" alt="drunkod"/>
+                    <br />
+                    <sub><b>drunkod</b></sub>
+                </a>
+            </td>
             <td align="center">
                 <a href="https://github.com/JorySeverijnse">
                     <img src="https://avatars.githubusercontent.com/u/117462355?v=4" width="100;" alt="JorySeverijnse"/>
@@ -126,7 +143,7 @@ Have questions or want to contribute? The team would love to hear from you!
 
 ## Contact
 
-Have an urgent question or want to report a security vulnerability? Send an email to [contact@donutbrowser.com](mailto:contact@donutbrowser.com) and the team will get back to you as fast as possible.
+Have an urgent question or want to report a security vulnerability? Send an email to [contact@donutbrowser.com](mailto:contact@donutbrowser.com) and I'll get back to you as fast as possible.
 
 ## License
 

SECURITY.md

@@ -4,13 +4,13 @@
 
 Thanks for helping make Donut Browser safe for everyone! ❤️
 
-We take the security of Donut Browser seriously. If you believe you have found a security vulnerability in Donut Browser, please report it to us through coordinated disclosure.
+I take the security of Donut Browser seriously. If you believe you have found a security vulnerability in Donut Browser, please report it to me through coordinated disclosure.
 
 **Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.**
 
 Instead, please send an email to **[contact@donutbrowser.com](mailto:contact@donutbrowser.com)** with the subject line "Security Vulnerability Report".
 
-Please include as much of the information listed below as you can to help us better understand and resolve the issue:
+Please include as much of the information listed below as you can to help me better understand and resolve the issue:
 
 - The type of issue (e.g., buffer overflow, injection attack, privilege escalation, or cross-site scripting)
 - Full paths of source file(s) related to the manifestation of the issue
@@ -21,18 +21,18 @@ Please include as much of the information listed below as you can to help us bet
 - Impact of the issue, including how an attacker might exploit the issue
 - Your assessment of the severity level
 
-This information will help us triage your report more quickly.
+This information will help me triage your report more quickly.
 
 ## What to Expect
 
-- **Response Time**: We will acknowledge receipt of your vulnerability report within 72 hours.
-- **Investigation**: We will investigate the issue and provide you with updates on our progress.
-- **Resolution**: We aim to resolve critical security issues as fast as possible, but no longer than in 30 days after the initial report.
-- **Disclosure**: We will coordinate with you on the timing of any public disclosure.
+- **Response Time**: I will acknowledge receipt of your vulnerability report within 72 hours.
+- **Investigation**: I will investigate the issue and provide you with updates on my progress.
+- **Resolution**: I aim to resolve critical security issues as fast as possible, but no longer than in 30 days after the initial report.
+- **Disclosure**: I will coordinate with you on the timing of any public disclosure.
 
 ## Contact
 
-For urgent security matters, please contact us at **[contact@donutbrowser.com](mailto:contact@donutbrowser.com)**.
+For urgent security matters, please contact me at **[contact@donutbrowser.com](mailto:contact@donutbrowser.com)**.
 
 For general questions about this security policy, you can also reach out through:
 

donut-sync/package.json

@@ -18,12 +18,12 @@
     "test:e2e": "jest --config ./test/jest-e2e.json"
   },
   "dependencies": {
-    "@aws-sdk/client-s3": "^3.1009.0",
-    "@aws-sdk/s3-request-presigner": "^3.1009.0",
-    "@nestjs/common": "^11.1.16",
+    "@aws-sdk/client-s3": "^3.1015.0",
+    "@aws-sdk/s3-request-presigner": "^3.1015.0",
+    "@nestjs/common": "^11.1.17",
     "@nestjs/config": "^4.0.3",
-    "@nestjs/core": "^11.1.16",
-    "@nestjs/platform-express": "^11.1.16",
+    "@nestjs/core": "^11.1.17",
+    "@nestjs/platform-express": "^11.1.17",
     "jsonwebtoken": "^9.0.3",
     "reflect-metadata": "^0.2.2",
     "rxjs": "^7.8.2"
@@ -31,7 +31,7 @@
   "devDependencies": {
     "@nestjs/cli": "^11.0.16",
     "@nestjs/schematics": "^11.0.9",
-    "@nestjs/testing": "^11.1.16",
+    "@nestjs/testing": "^11.1.17",
     "@types/express": "^5.0.6",
     "@types/jest": "^30.0.0",
     "@types/jsonwebtoken": "^9.0.10",

flake.lock

@@ -37,28 +37,7 @@
     "root": {
       "inputs": {
         "flake-utils": "flake-utils",
-        "nixpkgs": "nixpkgs",
-        "rust-overlay": "rust-overlay"
-      }
-    },
-    "rust-overlay": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1767926800,
-        "narHash": "sha256-x0n73J6ufD/EhDlVdcoAmF0OQHZ+b0a2cKDc8RZyt+o=",
-        "owner": "oxalica",
-        "repo": "rust-overlay",
-        "rev": "499e9eed88ff9494b6604205b42847e847dfeb91",
-        "type": "github"
-      },
-      "original": {
-        "owner": "oxalica",
-        "repo": "rust-overlay",
-        "type": "github"
+        "nixpkgs": "nixpkgs"
       }
     },
     "systems": {

flake.nix

@@ -1,66 +1,341 @@
 {
-  description = "Donut Browser Development Environment";
+  description = "Donut Browser development environment and quick-start commands";
 
   inputs = {
     nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
     flake-utils.url = "github:numtide/flake-utils";
-    rust-overlay = {
-      url = "github:oxalica/rust-overlay";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
   };
 
-  outputs = { self, nixpkgs, flake-utils, rust-overlay, ... }:
+  outputs = { self, nixpkgs, flake-utils, ... }:
     flake-utils.lib.eachDefaultSystem (system:
       let
-        overlays = [ (import rust-overlay) ];
         pkgs = import nixpkgs {
-          inherit system overlays;
+          inherit system;
+          config.allowUnfree = true;
         };
+        lib = pkgs.lib;
 
-        # Rust toolchain
-        rustToolchain = pkgs.rust-bin.stable.latest.default.override {
-          extensions = [ "rust-src" "rust-analyzer" "clippy" "rustfmt" ];
-        };
+        nodejs =
+          if pkgs ? nodejs_23 then
+            pkgs.nodejs_23
+          else
+            pkgs.nodejs_22;
 
-        # System dependencies for Tauri on Linux
-        libraries = with pkgs; [
+        rustPackages = with pkgs; [
+          cargo
+          clippy
+          rust-analyzer
+          rustc
+          rustfmt
+        ];
+
+        commonLibs = with pkgs; [
           webkitgtk_4_1
+          libsoup_3
+          glib
           gtk3
           cairo
           gdk-pixbuf
-          glib
+          pango
+          atk
+          at-spi2-atk
+          at-spi2-core
           dbus
-          librsvg
-          libsoup_3
+          nss
+          nspr
+          libdrm
+          libgbm
+          libxkbcommon
+          libx11
+          libxcomposite
+          libxdamage
+          libxext
+          libxfixes
+          libxrandr
+          libxcb
+          libxshmfence
+          libxtst
+          libxi
+          xdotool
+          libxrender
+          libxinerama
+          libxcursor
+          libxscrnsaver
+          fontconfig
+          freetype
+          fribidi
+          harfbuzz
+          expat
+          libglvnd
+          libgpg-error
+          e2fsprogs
+          gmp
+          zlib
+          stdenv.cc.cc.lib
         ];
 
-        packages = with pkgs; [
-          rustToolchain
-          nodejs_22
-          pnpm
-          pkg-config
-          cargo-tauri
-          openssl
-          # App specific tools
-          biome
-        ] ++ libraries;
+        runtimeLibPath = lib.makeLibraryPath commonLibs;
+        nixLd = pkgs.stdenv.cc.bintools.dynamicLinker;
+        pkgConfigLibs = [
+          pkgs.at-spi2-atk
+          pkgs.at-spi2-core
+          pkgs.cairo
+          pkgs.dbus
+          pkgs.gdk-pixbuf
+          pkgs.glib
+          pkgs.gtk3
+          pkgs.libsoup_3
+          pkgs.libxkbcommon
+          pkgs.openssl
+          pkgs.pango
+          pkgs.harfbuzz
+          pkgs.webkitgtk_4_1
+        ];
+        pkgConfigPath = lib.makeSearchPath "lib/pkgconfig" (
+          pkgConfigLibs ++ map lib.getDev pkgConfigLibs
+        );
+        releaseVersion = "0.17.6";
+        releaseAppImage =
+          if system == "x86_64-linux" then
+            pkgs.fetchurl {
+              url = "https://github.com/zhom/donutbrowser/releases/download/v${releaseVersion}/Donut_0.17.6_amd64.AppImage";
+              hash = "sha256-Bmqmb0zgaC02DKC9gcyI/St9wfwFWTEoYybOb1LXiS0=";
+            }
+          else if system == "aarch64-linux" then
+            pkgs.fetchurl {
+              url = "https://github.com/zhom/donutbrowser/releases/download/v${releaseVersion}/Donut_0.17.6_aarch64.AppImage";
+              hash = "sha256-FOV0PlYw59gY1QSoFrUcixtUcnFt27EYAzZE/KNQUrM=";
+            }
+          else
+            null;
+        releaseUnpacked =
+          if releaseAppImage != null then
+            pkgs.stdenvNoCC.mkDerivation {
+              pname = "donut-release-unpacked";
+              version = releaseVersion;
+              src = releaseAppImage;
+              dontUnpack = true;
+              nativeBuildInputs = [ pkgs.xz ];
+              installPhase = ''
+                runHook preInstall
 
+                cp "$src" ./donut.AppImage
+                chmod +x ./donut.AppImage
+                ./donut.AppImage --appimage-extract >/dev/null
+
+                mkdir -p "$out"
+                cp -a ./squashfs-root "$out/"
+
+                runHook postInstall
+              '';
+            }
+          else
+            null;
+        releaseWrapped =
+          if releaseAppImage != null then
+            pkgs.appimageTools.wrapType2 {
+              pname = "donut";
+              version = releaseVersion;
+              src = releaseAppImage;
+              extraPkgs = _: commonLibs;
+              extraInstallCommands = ''
+                for bin in "$out"/bin/*; do
+                  if [ -f "$bin" ]; then
+                    mv "$bin" "$out/bin/donut-release"
+                    break
+                  fi
+                done
+              '';
+            }
+          else
+            null;
+        releaseLauncher =
+          if releaseUnpacked != null then
+            pkgs.writeShellApplication {
+              name = "donut-release-start";
+              runtimeInputs = with pkgs; [
+                coreutils
+                xdg-utils
+              ];
+              text = ''
+                set -euo pipefail
+
+                if [ -x "${releaseWrapped}/bin/donut-release" ]; then
+                  if "${releaseWrapped}/bin/donut-release" "$@"; then
+                    exit 0
+                  fi
+                  echo "Wrapped AppImage failed, retrying with direct AppRun..." >&2
+                fi
+
+                export LD_LIBRARY_PATH="${releaseUnpacked}/squashfs-root/usr/lib:${releaseUnpacked}/squashfs-root/usr/lib64:${runtimeLibPath}:''${LD_LIBRARY_PATH:-}"
+                export NIX_LD_LIBRARY_PATH="$LD_LIBRARY_PATH"
+                export LIBRARY_PATH="$LD_LIBRARY_PATH"
+                export XDG_DATA_DIRS="${releaseUnpacked}/squashfs-root/usr/share:''${XDG_DATA_DIRS:-}"
+                exec "${releaseUnpacked}/squashfs-root/AppRun" "$@"
+              '';
+            }
+          else
+            pkgs.writeShellApplication {
+              name = "donut-release-start";
+              text = ''
+                echo "Release launcher is supported only on Linux (x86_64/aarch64)."
+                exit 1
+              '';
+            };
+
+        mkApp = name: text:
+          let
+            app = pkgs.writeShellApplication {
+              inherit name;
+              runtimeInputs = with pkgs; [
+                bash
+                coreutils
+                findutils
+                git
+                gnugrep
+                gnused
+                curl
+                gcc
+                pkg-config
+                openssl
+                cargo
+                clippy
+                rustc
+                rustfmt
+                nodejs
+                pnpm
+                cargo-tauri
+              ];
+              text = ''
+                export NODE_ENV=development
+                export NIX_LD="${nixLd}"
+                export NIX_LD_LIBRARY_PATH="${runtimeLibPath}:''${NIX_LD_LIBRARY_PATH:-}"
+                export LD_LIBRARY_PATH="${runtimeLibPath}:''${LD_LIBRARY_PATH:-}"
+                export LIBRARY_PATH="${runtimeLibPath}:''${LIBRARY_PATH:-}"
+                export PKG_CONFIG_PATH="${pkgConfigPath}:''${PKG_CONFIG_PATH:-}"
+                export RUST_SRC_PATH="${pkgs.rustPlatform.rustLibSrc}"
+                ${text}
+              '';
+            };
+          in
+          {
+            type = "app";
+            program = "${app}/bin/${name}";
+          };
       in
       {
         devShells.default = pkgs.mkShell {
-          buildInputs = packages;
+          packages = with pkgs; [
+            nodejs
+            pnpm
+            cargo-tauri
+            pkg-config
+            openssl
+            git
+            bashInteractive
+            gnumake
+            clang
+            llvmPackages.bintools
+            python3
+            curl
+            wget
+            unzip
+            zip
+            xz
+            biome
+            docker
+          ] ++ rustPackages ++ commonLibs;
 
           shellHook = ''
-            export LD_LIBRARY_PATH=${pkgs.lib.makeLibraryPath libraries}:$LD_LIBRARY_PATH
-            export XDG_DATA_DIRS=${pkgs.gsettings-desktop-schemas}/share/gsettings-schemas/${pkgs.gsettings-desktop-schemas.name}:${pkgs.gtk3}/share/gsettings-schemas/${pkgs.gtk3.name}:$XDG_DATA_DIRS
-            
-            echo "🍩 Donut Browser Dev Environment Loaded!"
-            echo "Node: $(node --version)"
-            echo "Rust: $(rustc --version)"
-            echo "Tauri CLI: $(cargo-tauri --version)"
+            export NODE_ENV=development
+            export NIX_LD="${nixLd}"
+            export NIX_LD_LIBRARY_PATH="${runtimeLibPath}:''${NIX_LD_LIBRARY_PATH:-}"
+            export LD_LIBRARY_PATH="${runtimeLibPath}:''${LD_LIBRARY_PATH:-}"
+            export LIBRARY_PATH="${runtimeLibPath}:''${LIBRARY_PATH:-}"
+            export PKG_CONFIG_PATH="${pkgConfigPath}:''${PKG_CONFIG_PATH:-}"
+            export RUST_SRC_PATH="${pkgs.rustPlatform.rustLibSrc}"
+            export XDG_DATA_DIRS="${pkgs.gsettings-desktop-schemas}/share:${pkgs.gtk3}/share:''${XDG_DATA_DIRS:-}"
+
+            echo "Donut Browser dev shell ready."
+            echo "Quick start:"
+            echo "  nix run .#setup"
+            echo "  nix run .#tauri-dev"
+            echo "  nix run .#full-dev"
+            echo "  nix run .#build"
+            echo "  nix run .#test"
+            echo "  nix run .#release-start"
           '';
         };
-      }
-    );
+
+        apps.info = mkApp "donut-info" ''
+          set -euo pipefail
+          echo "Node: $(node --version)"
+          echo "pnpm: $(pnpm --version)"
+          echo "Rust: $(rustc --version)"
+          echo "Cargo: $(cargo --version)"
+          echo "Tauri CLI: $(cargo-tauri --version)"
+        '';
+
+        apps.deps = mkApp "donut-deps" ''
+          set -euo pipefail
+          pnpm install
+        '';
+
+        apps.dev = mkApp "donut-dev" ''
+          set -euo pipefail
+          pnpm dev
+        '';
+
+        apps."tauri-dev" = mkApp "donut-tauri-dev" ''
+          set -euo pipefail
+          pnpm tauri dev
+        '';
+
+        apps."full-dev" = mkApp "donut-full-dev" ''
+          set -euo pipefail
+          chmod +x ./scripts/dev.sh
+          ./scripts/dev.sh
+        '';
+
+        apps.build = mkApp "donut-build" ''
+          set -euo pipefail
+          pnpm build
+          (cd src-tauri && cargo build)
+        '';
+
+        apps.start = mkApp "donut-start" ''
+          set -euo pipefail
+          pnpm start
+        '';
+
+        apps.test = mkApp "donut-test" ''
+          set -euo pipefail
+          pnpm format && pnpm lint && pnpm test
+        '';
+
+        apps.setup = mkApp "donut-setup" ''
+          set -euo pipefail
+
+          if [ ! -f "package.json" ]; then
+            echo "package.json not found. Run this from the donutbrowser repo root."
+            exit 1
+          fi
+
+          pnpm install
+          pnpm copy-proxy-binary
+
+          echo "Setup complete."
+          echo "Run the app with:"
+          echo "  nix run .#tauri-dev"
+          echo "Or run full local stack (sync + minio + tauri):"
+          echo "  nix run .#full-dev"
+        '';
+
+        apps."release-start" = {
+          type = "app";
+          program = "${releaseLauncher}/bin/donut-release-start";
+        };
+
+        apps.default = self.apps.${system}.setup;
+      });
 }

package.json

@@ -51,21 +51,21 @@
     "@tauri-apps/plugin-fs": "~2.4.5",
     "@tauri-apps/plugin-log": "^2.8.0",
     "@tauri-apps/plugin-opener": "^2.5.3",
-    "ahooks": "^3.9.6",
+    "ahooks": "^3.9.7",
     "class-variance-authority": "^0.7.1",
     "clsx": "^2.1.1",
     "cmdk": "^1.1.1",
     "color": "^5.0.3",
     "flag-icons": "^7.5.0",
-    "i18next": "^25.8.18",
+    "i18next": "^25.10.5",
     "lucide-react": "^0.577.0",
-    "motion": "^12.36.0",
-    "next": "^16.1.7",
+    "motion": "^12.38.0",
+    "next": "^16.2.1",
     "next-themes": "^0.4.6",
     "radix-ui": "^1.4.3",
     "react": "^19.2.4",
     "react-dom": "^19.2.4",
-    "react-i18next": "^16.5.8",
+    "react-i18next": "^16.6.2",
     "react-icons": "^5.6.0",
     "recharts": "3.8.0",
     "sonner": "^2.0.7",
@@ -73,17 +73,17 @@
     "tauri-plugin-macos-permissions-api": "^2.3.0"
   },
   "devDependencies": {
-    "@biomejs/biome": "2.4.7",
-    "@tailwindcss/postcss": "^4.2.1",
+    "@biomejs/biome": "2.4.8",
+    "@tailwindcss/postcss": "^4.2.2",
     "@tauri-apps/cli": "~2.10.1",
-    "@types/color": "^4.2.0",
+    "@types/color": "^4.2.1",
     "@types/node": "^25.5.0",
     "@types/react": "^19.2.14",
     "@types/react-dom": "^19.2.3",
     "@vitejs/plugin-react": "^6.0.1",
     "husky": "^9.1.7",
-    "lint-staged": "^16.3.4",
-    "tailwindcss": "^4.2.1",
+    "lint-staged": "^16.4.0",
+    "tailwindcss": "^4.2.2",
     "ts-unused-exports": "^11.0.1",
     "tw-animate-css": "^1.4.0",
     "typescript": "~5.9.3"

src-tauri/Cargo.lock

@@ -122,21 +122,6 @@ dependencies = [
  "libc",
 ]
 
-[[package]]
-name = "anstream"
-version = "0.6.21"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "43d5b281e737544384e969a5ccad3f1cdd24b48086a0fc1b2a5262a26b8f4f4a"
-dependencies = [
- "anstyle",
- "anstyle-parse 0.2.7",
- "anstyle-query",
- "anstyle-wincon",
- "colorchoice",
- "is_terminal_polyfill",
- "utf8parse",
-]
-
 [[package]]
 name = "anstream"
 version = "1.0.0"
@@ -144,7 +129,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "824a212faf96e9acacdbd09febd34438f8f711fb84e09a8916013cd7815ca28d"
 dependencies = [
  "anstyle",
- "anstyle-parse 1.0.0",
+ "anstyle-parse",
  "anstyle-query",
  "anstyle-wincon",
  "colorchoice",
@@ -158,15 +143,6 @@ version = "1.0.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "940b3a0ca603d1eade50a4846a2afffd5ef57a9feac2c0e2ec2e14f9ead76000"
 
-[[package]]
-name = "anstyle-parse"
-version = "0.2.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4e7644824f0aa2c7b9384579234ef10eb7efb6a0deb83f9630a49594dd9c15c2"
-dependencies = [
- "utf8parse",
-]
-
 [[package]]
 name = "anstyle-parse"
 version = "1.0.0"
@@ -513,7 +489,7 @@ dependencies = [
  "sha1",
  "sync_wrapper",
  "tokio",
- "tokio-tungstenite",
+ "tokio-tungstenite 0.28.0",
  "tower",
  "tower-layer",
  "tower-service",
@@ -709,19 +685,20 @@ dependencies = [
 
 [[package]]
 name = "borsh"
-version = "1.6.0"
+version = "1.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d1da5ab77c1437701eeff7c88d968729e7766172279eab0676857b3d63af7a6f"
+checksum = "cfd1e3f8955a5d7de9fab72fc8373fade9fb8a703968cb200ae3dc6cf08e185a"
 dependencies = [
  "borsh-derive",
+ "bytes",
  "cfg_aliases",
 ]
 
 [[package]]
 name = "borsh-derive"
-version = "1.6.0"
+version = "1.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0686c856aa6aac0c4498f936d7d6a02df690f614c03e4d906d1018062b5c5e2c"
+checksum = "bfcfdc083699101d5a7965e49925975f2f55060f94f9a05e7187be95d530ca59"
 dependencies = [
  "once_cell",
  "proc-macro-crate 3.5.0",
@@ -843,6 +820,15 @@ dependencies = [
  "bzip2-sys",
 ]
 
+[[package]]
+name = "bzip2"
+version = "0.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f3a53fac24f34a81bc9954b5d6cfce0c21e18ec6959f44f56e8e90e4bb7c346c"
+dependencies = [
+ "libbz2-rs-sys",
+]
+
 [[package]]
 name = "bzip2-sys"
 version = "0.1.13+1.0.8"
@@ -1089,7 +1075,7 @@ version = "4.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "714a53001bf66416adb0e2ef5ac857140e7dc3a0c48fb28b2f10762fc4b5069f"
 dependencies = [
- "anstream 1.0.0",
+ "anstream",
  "anstyle",
  "clap_lex",
  "strsim",
@@ -1504,9 +1490,9 @@ checksum = "092966b41edc516079bdf31ec78a2e0588d1d0c08f78b91d8307215928642b2b"
 
 [[package]]
 name = "deflate64"
-version = "0.1.11"
+version = "0.1.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "807800ff3288b621186fe0a8f3392c4652068257302709c24efd918c3dffcdc2"
+checksum = "ac6b926516df9c60bfa16e107b21086399f8285a44ca9711344b9e553c5146e2"
 
 [[package]]
 name = "defmt"
@@ -1702,17 +1688,17 @@ dependencies = [
 
 [[package]]
 name = "dom_query"
-version = "0.25.1"
+version = "0.27.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4d9c2e7f1d22d0f2ce07626d259b8a55f4a47cb0938d4006dd8ae037f17d585e"
+checksum = "521e380c0c8afb8d9a1e83a1822ee03556fc3e3e7dbc1fd30be14e37f9cb3f89"
 dependencies = [
  "bit-set",
  "cssparser 0.36.0",
  "foldhash 0.2.0",
- "html5ever 0.36.1",
+ "html5ever 0.38.0",
  "precomputed-hash",
- "selectors 0.35.0",
- "tendril",
+ "selectors 0.36.1",
+ "tendril 0.5.0",
 ]
 
 [[package]]
@@ -1728,7 +1714,7 @@ dependencies = [
  "base64 0.22.1",
  "blake3",
  "boringtun",
- "bzip2",
+ "bzip2 0.6.1",
  "cbc",
  "chrono",
  "chrono-tz",
@@ -1788,7 +1774,7 @@ dependencies = [
  "tempfile",
  "thiserror 2.0.18",
  "tokio",
- "tokio-tungstenite",
+ "tokio-tungstenite 0.29.0",
  "tokio-util",
  "tower",
  "tower-http",
@@ -1801,7 +1787,7 @@ dependencies = [
  "windows 0.62.2",
  "winreg 0.56.0",
  "wiremock",
- "zip 8.2.0",
+ "zip 8.4.0",
 ]
 
 [[package]]
@@ -1848,9 +1834,9 @@ checksum = "48c757948c5ede0e46177b7add2e67155f70e33c07fea8284df6576da70b3719"
 
 [[package]]
 name = "embed-resource"
-version = "3.0.6"
+version = "3.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "55a075fc573c64510038d7ee9abc7990635863992f83ebc52c8b433b8411a02e"
+checksum = "47ec73ddcf6b7f23173d5c3c5a32b5507dc0a734de7730aa14abc5d5e296bb5f"
 dependencies = [
  "cc",
  "memchr",
@@ -1914,9 +1900,9 @@ dependencies = [
 
 [[package]]
 name = "env_filter"
-version = "1.0.0"
+version = "1.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7a1c3cc8e57274ec99de65301228b537f1e4eedc1b8e0f9411c6caac8ae7308f"
+checksum = "32e90c2accc4b07a8456ea0debdc2e7587bdd890680d71173a15d4ae604f6eef"
 dependencies = [
  "log",
  "regex",
@@ -1924,13 +1910,13 @@ dependencies = [
 
 [[package]]
 name = "env_logger"
-version = "0.11.9"
+version = "0.11.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b2daee4ea451f429a58296525ddf28b45a3b64f1acf6587e2067437bb11e218d"
+checksum = "0621c04f2196ac3f488dd583365b9c09be011a4ab8b9f37248ffcc8f6198b56a"
 dependencies = [
- "anstream 0.6.21",
+ "anstream",
  "anstyle",
- "env_filter 1.0.0",
+ "env_filter 1.0.1",
  "jiff",
  "log",
 ]
@@ -1984,9 +1970,9 @@ dependencies = [
 
 [[package]]
 name = "euclid"
-version = "0.22.13"
+version = "0.22.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "df61bf483e837f88d5c2291dcf55c67be7e676b3a51acc48db3a7b163b91ed63"
+checksum = "f1a05365e3b1c6d1650318537c7460c6923f1abdd272ad6842baa2b509957a06"
 dependencies = [
  "num-traits",
 ]
@@ -2773,9 +2759,9 @@ dependencies = [
 
 [[package]]
 name = "heapless"
-version = "0.8.0"
+version = "0.9.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0bfb9eb618601c89945a70e254898da93b13be0388091d42117462b265bb3fad"
+checksum = "2af2455f757db2b292a9b1768c4b70186d443bcb3b316252d6b540aec1cd89ed"
 dependencies = [
  "hash32",
  "stable_deref_trait",
@@ -2828,12 +2814,12 @@ dependencies = [
 
 [[package]]
 name = "html5ever"
-version = "0.36.1"
+version = "0.38.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6452c4751a24e1b99c3260d505eaeee76a050573e61f30ac2c924ddc7236f01e"
+checksum = "1054432bae2f14e0061e33d23402fbaa67a921d319d56adc6bcf887ddad1cbc2"
 dependencies = [
  "log",
- "markup5ever 0.36.1",
+ "markup5ever 0.38.0",
 ]
 
 [[package]]
@@ -3251,9 +3237,9 @@ checksum = "cf370abdafd54d13e54a620e8c3e1145f28e46cc9d704bc6d94414559df41763"
 
 [[package]]
 name = "iri-string"
-version = "0.7.10"
+version = "0.7.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c91338f0783edbd6195decb37bae672fd3b165faffb89bf7b9e6942f8b1a731a"
+checksum = "d8e7418f59cc01c88316161279a7f665217ae316b388e58a0d10e29f54f1e5eb"
 dependencies = [
  "memchr",
  "serde",
@@ -3295,9 +3281,9 @@ dependencies = [
 
 [[package]]
 name = "itoa"
-version = "1.0.17"
+version = "1.0.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "92ecc6618181def0457392ccd0ee51198e065e016d1d527a7ac1b6dc7c1f09d2"
+checksum = "8f42a60cbdf9a97f5d2305f08a87dc4e09308d1276d28c869c684d7777685682"
 
 [[package]]
 name = "javascriptcore-rs"
@@ -3355,7 +3341,7 @@ dependencies = [
  "cesu8",
  "cfg-if",
  "combine",
- "jni-sys",
+ "jni-sys 0.3.1",
  "log",
  "thiserror 1.0.69",
  "walkdir",
@@ -3364,9 +3350,31 @@ dependencies = [
 
 [[package]]
 name = "jni-sys"
-version = "0.3.0"
+version = "0.3.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8eaf4bc02d17cbdd7ff4c7438cafcdf7fb9a4613313ad11b4f8fefe7d3fa0130"
+checksum = "41a652e1f9b6e0275df1f15b32661cf0d4b78d4d87ddec5e0c3c20f097433258"
+dependencies = [
+ "jni-sys 0.4.1",
+]
+
+[[package]]
+name = "jni-sys"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c6377a88cb3910bee9b0fa88d4f42e1d2da8e79915598f65fb0c7ee14c878af2"
+dependencies = [
+ "jni-sys-macros",
+]
+
+[[package]]
+name = "jni-sys-macros"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "38c0b942f458fe50cdac086d2f946512305e5631e720728f2a61aabcd47a6264"
+dependencies = [
+ "quote",
+ "syn 2.0.117",
+]
 
 [[package]]
 name = "jobserver"
@@ -3486,6 +3494,12 @@ dependencies = [
  "once_cell",
 ]
 
+[[package]]
+name = "libbz2-rs-sys"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2c4a545a15244c7d945065b5d392b2d2d7f21526fba56ce51467b06ed445e8f7"
+
 [[package]]
 name = "libc"
 version = "0.2.183"
@@ -3659,17 +3673,17 @@ dependencies = [
  "phf_codegen 0.11.3",
  "string_cache 0.8.9",
  "string_cache_codegen 0.5.4",
- "tendril",
+ "tendril 0.4.3",
 ]
 
 [[package]]
 name = "markup5ever"
-version = "0.36.1"
+version = "0.38.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6c3294c4d74d0742910f8c7b466f44dda9eb2d5742c1e430138df290a1e8451c"
+checksum = "8983d30f2915feeaaab2d6babdd6bc7e9ed1a00b66b5e6d74df19aa9c0e91862"
 dependencies = [
  "log",
- "tendril",
+ "tendril 0.5.0",
  "web_atoms",
 ]
 
@@ -3860,7 +3874,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c3f42e7bbe13d351b6bead8286a43aac9534b82bd3cc43e47037f012ebfd62d4"
 dependencies = [
  "bitflags 2.11.0",
- "jni-sys",
+ "jni-sys 0.3.1",
  "log",
  "ndk-sys",
  "num_enum",
@@ -3880,7 +3894,7 @@ version = "0.6.0+11769913"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ee6cda3051665f1fb8d9e08fc35c96d5a244fb1be711a03b71118828afc9a873"
 dependencies = [
- "jni-sys",
+ "jni-sys 0.3.1",
 ]
 
 [[package]]
@@ -4011,9 +4025,9 @@ dependencies = [
 
 [[package]]
 name = "num_enum"
-version = "0.7.5"
+version = "0.7.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b1207a7e20ad57b847bbddc6776b968420d38292bbfe2089accff5e19e82454c"
+checksum = "5d0bca838442ec211fa11de3a8b0e0e8f3a4522575b5c4c06ed722e005036f26"
 dependencies = [
  "num_enum_derive",
  "rustversion",
@@ -4021,9 +4035,9 @@ dependencies = [
 
 [[package]]
 name = "num_enum_derive"
-version = "0.7.5"
+version = "0.7.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ff32365de1b6743cb203b710788263c44a03de03802daf96092f2da4fe6ba4d7"
+checksum = "680998035259dcfcafe653688bf2aa6d3e2dc05e98be6ab46afb089dc84f1df8"
 dependencies = [
  "proc-macro-crate 3.5.0",
  "proc-macro2",
@@ -4874,7 +4888,7 @@ version = "3.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e67ba7e9b2b56446f1d419b1d807906278ffa1a658a8a5d8a39dcb1f5a78614f"
 dependencies = [
- "toml_edit 0.25.4+spec-1.1.0",
+ "toml_edit 0.25.8+spec-1.1.0",
 ]
 
 [[package]]
@@ -5813,9 +5827,9 @@ dependencies = [
 
 [[package]]
 name = "selectors"
-version = "0.35.0"
+version = "0.36.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "93fdfed56cd634f04fe8b9ddf947ae3dc493483e819593d2ba17df9ad05db8b2"
+checksum = "c5d9c0c92a92d33f08817311cf3f2c29a3538a8240e94a6a3c622ce652d7e00c"
 dependencies = [
  "bitflags 2.11.0",
  "cssparser 0.36.0",
@@ -5939,9 +5953,9 @@ dependencies = [
 
 [[package]]
 name = "serde_spanned"
-version = "1.0.4"
+version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f8bbf91e5a4d6315eee45e704372590b30e260ee83af6639d64557f51b067776"
+checksum = "876ac351060d4f882bb1032b6369eb0aef79ad9df1ea8bc404874d8cc3d0cd98"
 dependencies = [
  "serde_core",
 ]
@@ -6204,9 +6218,9 @@ checksum = "67b1b7a3b5fe4f1376887184045fcf45c69e92af734b7aaddc05fb777b6fbd03"
 
 [[package]]
 name = "smoltcp"
-version = "0.12.0"
+version = "0.13.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dad095989c1533c1c266d9b1e8d70a1329dd3723c3edac6d03bbd67e7bf6f4bb"
+checksum = "ac729b0a77bd092a3f06ddaddc59fe0d67f48ba0de45a9abe707c2842c7f8767"
 dependencies = [
  "bitflags 1.3.2",
  "byteorder",
@@ -6493,9 +6507,9 @@ dependencies = [
 
 [[package]]
 name = "tao"
-version = "0.34.6"
+version = "0.34.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6e06d52c379e63da659a483a958110bbde891695a0ecb53e48cc7786d5eda7bb"
+checksum = "9103edf55f2da3c82aea4c7fab7c4241032bfeea0e71fa557d98e00e7ce7cc20"
 dependencies = [
  "bitflags 2.11.0",
  "block2",
@@ -6974,6 +6988,16 @@ dependencies = [
  "utf-8",
 ]
 
+[[package]]
+name = "tendril"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c4790fc369d5a530f4b544b094e31388b9b3a37c0f4652ade4505945f5660d24"
+dependencies = [
+ "new_debug_unreachable",
+ "utf-8",
+]
+
 [[package]]
 name = "thiserror"
 version = "1.0.69"
@@ -7186,13 +7210,25 @@ name = "tokio-tungstenite"
 version = "0.28.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d25a406cddcc431a75d3d9afc6a7c0f7428d4891dd973e4d54c56b46127bf857"
+dependencies = [
+ "futures-util",
+ "log",
+ "tokio",
+ "tungstenite 0.28.0",
+]
+
+[[package]]
+name = "tokio-tungstenite"
+version = "0.29.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8f72a05e828585856dacd553fba484c242c46e391fb0e58917c942ee9202915c"
 dependencies = [
  "futures-util",
  "log",
  "native-tls",
  "tokio",
  "tokio-native-tls",
- "tungstenite",
+ "tungstenite 0.29.0",
 ]
 
 [[package]]
@@ -7228,7 +7264,7 @@ checksum = "cf92845e79fc2e2def6a5d828f0801e29a2f8acc037becc5ab08595c7d5e9863"
 dependencies = [
  "indexmap 2.13.0",
  "serde_core",
- "serde_spanned 1.0.4",
+ "serde_spanned 1.1.0",
  "toml_datetime 0.7.5+spec-1.1.0",
  "toml_parser",
  "toml_writer",
@@ -7255,9 +7291,9 @@ dependencies = [
 
 [[package]]
 name = "toml_datetime"
-version = "1.0.0+spec-1.1.0"
+version = "1.1.0+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "32c2555c699578a4f59f0cc68e5116c8d7cabbd45e1409b989d4be085b53f13e"
+checksum = "97251a7c317e03ad83774a8752a7e81fb6067740609f75ea2b585b569a59198f"
 dependencies = [
  "serde_core",
 ]
@@ -7288,30 +7324,30 @@ dependencies = [
 
 [[package]]
 name = "toml_edit"
-version = "0.25.4+spec-1.1.0"
+version = "0.25.8+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7193cbd0ce53dc966037f54351dbbcf0d5a642c7f0038c382ef9e677ce8c13f2"
+checksum = "16bff38f1d86c47f9ff0647e6838d7bb362522bdf44006c7068c2b1e606f1f3c"
 dependencies = [
  "indexmap 2.13.0",
- "toml_datetime 1.0.0+spec-1.1.0",
+ "toml_datetime 1.1.0+spec-1.1.0",
  "toml_parser",
- "winnow 0.7.15",
+ "winnow 1.0.0",
 ]
 
 [[package]]
 name = "toml_parser"
-version = "1.0.9+spec-1.1.0"
+version = "1.1.0+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "702d4415e08923e7e1ef96cd5727c0dfed80b4d2fa25db9647fe5eb6f7c5a4c4"
+checksum = "2334f11ee363607eb04df9b8fc8a13ca1715a72ba8662a26ac285c98aabb4011"
 dependencies = [
- "winnow 0.7.15",
+ "winnow 1.0.0",
 ]
 
 [[package]]
 name = "toml_writer"
-version = "1.0.6+spec-1.1.0"
+version = "1.1.0+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ab16f14aed21ee8bfd8ec22513f7287cd4a91aa92e44edfe2c17ddd004e92607"
+checksum = "d282ade6016312faf3e41e57ebbba0c073e4056dab1232ab1cb624199648f8ed"
 
 [[package]]
 name = "tower"
@@ -7449,13 +7485,29 @@ dependencies = [
  "http",
  "httparse",
  "log",
- "native-tls",
  "rand 0.9.2",
  "sha1",
  "thiserror 2.0.18",
  "utf-8",
 ]
 
+[[package]]
+name = "tungstenite"
+version = "0.29.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6c01152af293afb9c7c2a57e4b559c5620b421f6d133261c60dd2d0cdb38e6b8"
+dependencies = [
+ "bytes",
+ "data-encoding",
+ "http",
+ "httparse",
+ "log",
+ "native-tls",
+ "rand 0.9.2",
+ "sha1",
+ "thiserror 2.0.18",
+]
+
 [[package]]
 name = "typed-path"
 version = "0.12.3"
@@ -8583,6 +8635,15 @@ dependencies = [
  "memchr",
 ]
 
+[[package]]
+name = "winnow"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a90e88e4667264a994d34e6d1ab2d26d398dcdca8b7f52bec8668957517fc7d8"
+dependencies = [
+ "memchr",
+]
+
 [[package]]
 name = "winreg"
 version = "0.55.0"
@@ -8722,9 +8783,9 @@ checksum = "9edde0db4769d2dc68579893f2306b26c6ecfbe0ef499b013d731b7b9247e0b9"
 
 [[package]]
 name = "wry"
-version = "0.54.3"
+version = "0.54.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a24eda84b5d488f99344e54b807138896cee8df0b2d16c793f1f6b80e6d8df1f"
+checksum = "e5a8135d8676225e5744de000d4dff5a082501bf7db6a1c1495034f8c314edbc"
 dependencies = [
  "base64 0.22.1",
  "block2",
@@ -8923,18 +8984,18 @@ dependencies = [
 
 [[package]]
 name = "zerocopy"
-version = "0.8.42"
+version = "0.8.47"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f2578b716f8a7a858b7f02d5bd870c14bf4ddbbcf3a4c05414ba6503640505e3"
+checksum = "efbb2a062be311f2ba113ce66f697a4dc589f85e78a4aea276200804cea0ed87"
 dependencies = [
  "zerocopy-derive",
 ]
 
 [[package]]
 name = "zerocopy-derive"
-version = "0.8.42"
+version = "0.8.47"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7e6cc098ea4d3bd6246687de65af3f920c430e236bee1e3bf2e441463f08a02f"
+checksum = "0e8bc7269b54418e7aeeef514aa68f8690b8c0489a06b0136e5f57c4c5ccab89"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -9023,7 +9084,7 @@ checksum = "fabe6324e908f85a1c52063ce7aa26b68dcb7eb6dbc83a2d148403c9bc3eba50"
 dependencies = [
  "aes",
  "arbitrary",
- "bzip2",
+ "bzip2 0.5.2",
  "constant_time_eq 0.3.1",
  "crc32fast",
  "crossbeam-utils",
@@ -9047,9 +9108,9 @@ dependencies = [
 
 [[package]]
 name = "zip"
-version = "8.2.0"
+version = "8.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b680f2a0cd479b4cff6e1233c483fdead418106eae419dc60200ae9850f6d004"
+checksum = "7756d0206d058333667493c4014f545f4b9603c4330ccd6d9b3f86dcab59f7d9"
 dependencies = [
  "crc32fast",
  "flate2",
@@ -9121,9 +9182,9 @@ dependencies = [
 
 [[package]]
 name = "zune-jpeg"
-version = "0.5.13"
+version = "0.5.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ec5f41c76397b7da451efd19915684f727d7e1d516384ca6bd0ec43ec94de23c"
+checksum = "0b7a1c0af6e5d8d1363f4994b7a091ccf963d8b694f7da5b0b9cceb82da2c0a6"
 dependencies = [
  "zune-core",
 ]

src-tauri/Cargo.toml

@@ -95,7 +95,7 @@ async-socks5 = "0.6"
 playwright = { git = "https://github.com/sctg-development/playwright-rust", branch = "master" }
 
 # Wayfern CDP integration
-tokio-tungstenite = { version = "0.28", features = ["native-tls"] }
+tokio-tungstenite = { version = "0.29", features = ["native-tls"] }
 rusqlite = { version = "0.39", features = ["bundled"] }
 serde_yaml = "0.9"
 thiserror = "2.0"
@@ -106,7 +106,7 @@ quick-xml = { version = "0.39", features = ["serialize"] }
 
 # VPN support
 boringtun = "0.7"
-smoltcp = { version = "0.12", default-features = false, features = ["std", "medium-ip", "proto-ipv4", "proto-ipv6", "socket-tcp", "socket-udp"] }
+smoltcp = { version = "0.13", default-features = false, features = ["std", "medium-ip", "proto-ipv4", "proto-ipv6", "socket-tcp", "socket-udp"] }
 
 # Daemon dependencies (tray icon)
 tray-icon = "0.21"

src-tauri/src/browser.rs

@@ -689,7 +689,6 @@ impl Browser for WayfernBrowser {
       "--disable-session-crashed-bubble".to_string(),
       "--hide-crash-restore-bubble".to_string(),
       "--disable-infobars".to_string(),
-      "--disable-quic".to_string(),
       // Wayfern-specific args for automation
       "--disable-features=DialMediaRouteProvider".to_string(),
       "--use-mock-keychain".to_string(),
@@ -1166,6 +1165,67 @@ mod tests {
     assert_eq!(deserialized.host, proxy.host, "Host should match");
     assert_eq!(deserialized.port, proxy.port, "Port should match");
   }
+
+  #[test]
+  fn test_wayfern_config_has_no_executable_path() {
+    // Verify WayfernConfig does not store executable_path
+    let config = crate::wayfern_manager::WayfernConfig::default();
+    let json = serde_json::to_value(&config).unwrap();
+    assert!(
+      json.get("executable_path").is_none(),
+      "WayfernConfig should not have executable_path field"
+    );
+  }
+
+  #[test]
+  fn test_camoufox_config_has_no_executable_path() {
+    // Verify CamoufoxConfig does not store executable_path
+    let config = crate::camoufox_manager::CamoufoxConfig::default();
+    let json = serde_json::to_value(&config).unwrap();
+    assert!(
+      json.get("executable_path").is_none(),
+      "CamoufoxConfig should not have executable_path field"
+    );
+  }
+
+  #[test]
+  fn test_profile_data_path_is_dynamic() {
+    use crate::profile::BrowserProfile;
+    let profiles_dir = std::path::PathBuf::from("/fake/profiles");
+    let profile = BrowserProfile {
+      id: uuid::Uuid::parse_str("12345678-1234-1234-1234-123456789abc").unwrap(),
+      name: "test".to_string(),
+      browser: "wayfern".to_string(),
+      version: "1.0.0".to_string(),
+      proxy_id: None,
+      vpn_id: None,
+      process_id: None,
+      last_launch: None,
+      release_type: "stable".to_string(),
+      camoufox_config: None,
+      wayfern_config: None,
+      group_id: None,
+      tags: Vec::new(),
+      note: None,
+      sync_mode: crate::profile::types::SyncMode::Disabled,
+      encryption_salt: None,
+      last_sync: None,
+      host_os: None,
+      ephemeral: false,
+      extension_group_id: None,
+      proxy_bypass_rules: Vec::new(),
+      created_by_id: None,
+      created_by_email: None,
+    };
+
+    let path = profile.get_profile_data_path(&profiles_dir);
+    assert_eq!(
+      path,
+      profiles_dir
+        .join("12345678-1234-1234-1234-123456789abc")
+        .join("profile")
+    );
+  }
 }
 
 // Global singleton instance

src-tauri/src/camoufox_manager.rs

@@ -21,7 +21,6 @@ pub struct CamoufoxConfig {
   pub block_images: Option<bool>,
   pub block_webrtc: Option<bool>,
   pub block_webgl: Option<bool>,
-  pub executable_path: Option<String>,
   pub fingerprint: Option<String>, // JSON string of the complete fingerprint config
   pub randomize_fingerprint_on_launch: Option<bool>, // Generate new fingerprint on every launch
   pub os: Option<String>, // Operating system for fingerprint generation: "windows", "macos", or "linux"
@@ -39,7 +38,6 @@ impl Default for CamoufoxConfig {
       block_images: None,
       block_webrtc: None,
       block_webgl: None,
-      executable_path: None,
       fingerprint: None,
       randomize_fingerprint_on_launch: None,
       os: None,
@@ -129,21 +127,9 @@ impl CamoufoxManager {
     config: &CamoufoxConfig,
   ) -> Result<String, Box<dyn std::error::Error + Send + Sync>> {
     // Get executable path
-    let executable_path = if let Some(path) = &config.executable_path {
-      let p = PathBuf::from(path);
-      if p.exists() {
-        p
-      } else {
-        log::warn!("Stored Camoufox executable path does not exist: {path}, falling back to dynamic resolution");
-        BrowserRunner::instance()
-          .get_browser_executable_path(profile)
-          .map_err(|e| format!("Failed to get Camoufox executable path: {e}"))?
-      }
-    } else {
-      BrowserRunner::instance()
-        .get_browser_executable_path(profile)
-        .map_err(|e| format!("Failed to get Camoufox executable path: {e}"))?
-    };
+    let executable_path = BrowserRunner::instance()
+      .get_browser_executable_path(profile)
+      .map_err(|e| format!("Failed to get Camoufox executable path: {e}"))?;
 
     // Build the config using CamoufoxConfigBuilder
     let mut builder = CamoufoxConfigBuilder::new()
@@ -230,21 +216,9 @@ impl CamoufoxManager {
     };
 
     // Get executable path
-    let executable_path = if let Some(path) = &config.executable_path {
-      let p = PathBuf::from(path);
-      if p.exists() {
-        p
-      } else {
-        log::warn!("Stored Camoufox executable path does not exist: {path}, falling back to dynamic resolution");
-        BrowserRunner::instance()
-          .get_browser_executable_path(profile)
-          .map_err(|e| format!("Failed to get Camoufox executable path: {e}"))?
-      }
-    } else {
-      BrowserRunner::instance()
-        .get_browser_executable_path(profile)
-        .map_err(|e| format!("Failed to get Camoufox executable path: {e}"))?
-    };
+    let executable_path = BrowserRunner::instance()
+      .get_browser_executable_path(profile)
+      .map_err(|e| format!("Failed to get Camoufox executable path: {e}"))?;
 
     // Parse the fingerprint config JSON
     let fingerprint_config: HashMap<String, serde_json::Value> =

src-tauri/src/cookie_manager.rs

@@ -10,7 +10,7 @@ use tauri::AppHandle;
 /// Chromium cookie encryption/decryption support.
 /// On macOS: uses "Chromium Safe Storage" key from Keychain with PBKDF2 + AES-128-CBC.
 /// On Linux: uses os_crypt_key file from profile directory with PBKDF2 + AES-128-CBC.
-mod chrome_decrypt {
+pub mod chrome_decrypt {
   use aes::cipher::{block_padding::Pkcs7, BlockDecryptMut, BlockEncryptMut, KeyIvInit};
   use std::path::Path;
 

src-tauri/src/downloader.rs

@@ -323,9 +323,10 @@ impl Downloader {
       existing_size = meta.len();
     }
 
-    // Build request, add Range only if we have bytes. If the server responds with 416 (Range Not
-    // Satisfiable), delete the partial file and retry once without the Range header.
-    let response = {
+    // Build request with retry logic for transient network errors.
+    let max_retries = 3u32;
+    let mut response: Option<reqwest::Response> = None;
+    for attempt in 0..=max_retries {
       let mut request = self
         .client
         .get(&download_url)
@@ -338,33 +339,43 @@ impl Downloader {
         request = request.header("Range", format!("bytes={existing_size}-"));
       }
 
-      log::info!("Sending download request...");
-      let first = request.send().await?;
-      log::info!(
-        "Download response received: status={}, content-length={:?}",
-        first.status(),
-        first.content_length()
-      );
-
-      if first.status().as_u16() == 416 && existing_size > 0 {
-        // Partial file on disk is not acceptable to the server — remove it and retry from scratch
-        let _ = std::fs::remove_file(&file_path);
-        existing_size = 0;
-
-        let retry = self
-          .client
-          .get(&download_url)
-          .header(
-            "User-Agent",
-            "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36",
-          )
-          .send()
-          .await?;
-        retry
-      } else {
-        first
+      log::info!("Sending download request (attempt {})...", attempt + 1);
+      match request.send().await {
+        Ok(resp) => {
+          log::info!(
+            "Download response received: status={}, content-length={:?}",
+            resp.status(),
+            resp.content_length()
+          );
+          if resp.status().as_u16() == 416 && existing_size > 0 {
+            let _ = std::fs::remove_file(&file_path);
+            existing_size = 0;
+            log::warn!("Download returned 416, retrying without Range header");
+            continue;
+          }
+          response = Some(resp);
+          break;
+        }
+        Err(e) => {
+          let is_retryable = e.is_connect() || e.is_timeout() || e.is_request();
+          if is_retryable && attempt < max_retries {
+            let delay = 2u64.pow(attempt);
+            log::warn!(
+              "Download attempt {} failed ({}), retrying in {}s...",
+              attempt + 1,
+              e,
+              delay
+            );
+            tokio::time::sleep(std::time::Duration::from_secs(delay)).await;
+          } else {
+            return Err(format!("Download failed after {} attempts: {}", attempt + 1, e).into());
+          }
+        }
       }
-    };
+    }
+    let response = response.ok_or_else(|| -> Box<dyn std::error::Error + Send + Sync> {
+      "Download failed: no response received".into()
+    })?;
 
     // Check if the response is successful (200 OK or 206 Partial Content)
     if !(response.status().is_success() || response.status().as_u16() == 206) {

src-tauri/src/ephemeral_dirs.rs

@@ -283,6 +283,9 @@ mod tests {
   #[test]
   #[serial_test::serial]
   fn test_ephemeral_dir_lifecycle() {
+    // Clear global state to avoid interference from other tests
+    EPHEMERAL_DIRS.lock().unwrap().clear();
+
     let profile_id = uuid::Uuid::new_v4();
     let id_str = profile_id.to_string();
 

src-tauri/src/extension_manager.rs

@@ -1091,12 +1091,6 @@ lazy_static::lazy_static! {
 
 #[tauri::command]
 pub async fn list_extensions() -> Result<Vec<Extension>, String> {
-  if !crate::cloud_auth::CLOUD_AUTH
-    .has_active_paid_subscription()
-    .await
-  {
-    return Err("Extension management requires an active Pro subscription".to_string());
-  }
   let mgr = EXTENSION_MANAGER.lock().unwrap();
   mgr
     .list_extensions()
@@ -1115,12 +1109,6 @@ pub async fn add_extension(
   file_name: String,
   file_data: Vec<u8>,
 ) -> Result<Extension, String> {
-  if !crate::cloud_auth::CLOUD_AUTH
-    .has_active_paid_subscription()
-    .await
-  {
-    return Err("Extension management requires an active Pro subscription".to_string());
-  }
   let mgr = EXTENSION_MANAGER.lock().unwrap();
   mgr
     .add_extension(name, file_name, file_data)
@@ -1134,12 +1122,6 @@ pub async fn update_extension(
   file_name: Option<String>,
   file_data: Option<Vec<u8>>,
 ) -> Result<Extension, String> {
-  if !crate::cloud_auth::CLOUD_AUTH
-    .has_active_paid_subscription()
-    .await
-  {
-    return Err("Extension management requires an active Pro subscription".to_string());
-  }
   let mgr = EXTENSION_MANAGER.lock().unwrap();
   mgr
     .update_extension(&extension_id, name, file_name, file_data)
@@ -1151,12 +1133,6 @@ pub async fn delete_extension(
   app_handle: tauri::AppHandle,
   extension_id: String,
 ) -> Result<(), String> {
-  if !crate::cloud_auth::CLOUD_AUTH
-    .has_active_paid_subscription()
-    .await
-  {
-    return Err("Extension management requires an active Pro subscription".to_string());
-  }
   let mgr = EXTENSION_MANAGER.lock().unwrap();
   mgr
     .delete_extension(&app_handle, &extension_id)
@@ -1165,12 +1141,6 @@ pub async fn delete_extension(
 
 #[tauri::command]
 pub async fn list_extension_groups() -> Result<Vec<ExtensionGroup>, String> {
-  if !crate::cloud_auth::CLOUD_AUTH
-    .has_active_paid_subscription()
-    .await
-  {
-    return Err("Extension management requires an active Pro subscription".to_string());
-  }
   let mgr = EXTENSION_MANAGER.lock().unwrap();
   mgr
     .list_groups()
@@ -1179,12 +1149,6 @@ pub async fn list_extension_groups() -> Result<Vec<ExtensionGroup>, String> {
 
 #[tauri::command]
 pub async fn create_extension_group(name: String) -> Result<ExtensionGroup, String> {
-  if !crate::cloud_auth::CLOUD_AUTH
-    .has_active_paid_subscription()
-    .await
-  {
-    return Err("Extension management requires an active Pro subscription".to_string());
-  }
   let mgr = EXTENSION_MANAGER.lock().unwrap();
   mgr
     .create_group(name)
@@ -1197,12 +1161,6 @@ pub async fn update_extension_group(
   name: Option<String>,
   extension_ids: Option<Vec<String>>,
 ) -> Result<ExtensionGroup, String> {
-  if !crate::cloud_auth::CLOUD_AUTH
-    .has_active_paid_subscription()
-    .await
-  {
-    return Err("Extension management requires an active Pro subscription".to_string());
-  }
   let mgr = EXTENSION_MANAGER.lock().unwrap();
   mgr
     .update_group(&group_id, name, extension_ids)
@@ -1214,12 +1172,6 @@ pub async fn delete_extension_group(
   app_handle: tauri::AppHandle,
   group_id: String,
 ) -> Result<(), String> {
-  if !crate::cloud_auth::CLOUD_AUTH
-    .has_active_paid_subscription()
-    .await
-  {
-    return Err("Extension management requires an active Pro subscription".to_string());
-  }
   let mgr = EXTENSION_MANAGER.lock().unwrap();
   mgr
     .delete_group(&app_handle, &group_id)
@@ -1231,12 +1183,6 @@ pub async fn add_extension_to_group(
   group_id: String,
   extension_id: String,
 ) -> Result<ExtensionGroup, String> {
-  if !crate::cloud_auth::CLOUD_AUTH
-    .has_active_paid_subscription()
-    .await
-  {
-    return Err("Extension management requires an active Pro subscription".to_string());
-  }
   let mgr = EXTENSION_MANAGER.lock().unwrap();
   mgr
     .add_extension_to_group(&group_id, &extension_id)
@@ -1248,12 +1194,6 @@ pub async fn remove_extension_from_group(
   group_id: String,
   extension_id: String,
 ) -> Result<ExtensionGroup, String> {
-  if !crate::cloud_auth::CLOUD_AUTH
-    .has_active_paid_subscription()
-    .await
-  {
-    return Err("Extension management requires an active Pro subscription".to_string());
-  }
   let mgr = EXTENSION_MANAGER.lock().unwrap();
   mgr
     .remove_extension_from_group(&group_id, &extension_id)
@@ -1265,13 +1205,6 @@ pub async fn assign_extension_group_to_profile(
   profile_id: String,
   extension_group_id: Option<String>,
 ) -> Result<crate::profile::BrowserProfile, String> {
-  if !crate::cloud_auth::CLOUD_AUTH
-    .has_active_paid_subscription()
-    .await
-  {
-    return Err("Extension management requires an active Pro subscription".to_string());
-  }
-
   // Validate compatibility if assigning a group
   if let Some(ref group_id) = extension_group_id {
     let profile_manager = crate::profile::ProfileManager::instance();

src-tauri/src/extraction.rs

@@ -207,6 +207,20 @@ impl Extractor {
 
     match extraction_result {
       Ok(path) => {
+        // Remove quarantine attributes on macOS to prevent
+        // "app was prevented from modifying data" prompts
+        #[cfg(target_os = "macos")]
+        {
+          let _ = tokio::process::Command::new("xattr")
+            .args([
+              "-dr",
+              "com.apple.quarantine",
+              dest_dir.to_str().unwrap_or("."),
+            ])
+            .output()
+            .await;
+        }
+
         log::info!(
           "Successfully extracted {} {} to: {}",
           browser_type.as_str(),

src-tauri/src/lib.rs

@@ -356,12 +356,6 @@ async fn copy_profile_cookies(
   app_handle: tauri::AppHandle,
   request: cookie_manager::CookieCopyRequest,
 ) -> Result<Vec<cookie_manager::CookieCopyResult>, String> {
-  if !crate::cloud_auth::CLOUD_AUTH
-    .has_active_paid_subscription()
-    .await
-  {
-    return Err("Cookie copying requires an active Pro subscription".to_string());
-  }
   let target_ids = request.target_profile_ids.clone();
   let results = cookie_manager::CookieManager::copy_cookies(&app_handle, request).await?;
 
@@ -397,12 +391,6 @@ async fn import_cookies_from_file(
   profile_id: String,
   content: String,
 ) -> Result<cookie_manager::CookieImportResult, String> {
-  if !crate::cloud_auth::CLOUD_AUTH
-    .has_active_paid_subscription()
-    .await
-  {
-    return Err("Cookie import requires an active Pro subscription".to_string());
-  }
   let result =
     cookie_manager::CookieManager::import_cookies(&app_handle, &profile_id, &content).await?;
 
@@ -426,12 +414,6 @@ async fn import_cookies_from_file(
 
 #[tauri::command]
 async fn export_profile_cookies(profile_id: String, format: String) -> Result<String, String> {
-  if !crate::cloud_auth::CLOUD_AUTH
-    .has_active_paid_subscription()
-    .await
-  {
-    return Err("Cookie export requires an active Pro subscription".to_string());
-  }
   cookie_manager::CookieManager::export_cookies(&profile_id, &format)
 }
 

src-tauri/src/profile/manager.rs

@@ -94,29 +94,6 @@ impl ProfileManager {
         crate::camoufox_manager::CamoufoxConfig::default()
       });
 
-      // Always ensure executable_path is set to the user's binary location
-      if config.executable_path.is_none() {
-        let mut browser_dir = self.get_binaries_dir();
-        browser_dir.push(browser);
-        browser_dir.push(version);
-
-        #[cfg(target_os = "macos")]
-        let binary_path = browser_dir
-          .join("Camoufox.app")
-          .join("Contents")
-          .join("MacOS")
-          .join("camoufox");
-
-        #[cfg(target_os = "windows")]
-        let binary_path = browser_dir.join("camoufox.exe");
-
-        #[cfg(target_os = "linux")]
-        let binary_path = browser_dir.join("camoufox");
-
-        config.executable_path = Some(binary_path.to_string_lossy().to_string());
-        log::info!("Set Camoufox executable path: {:?}", config.executable_path);
-      }
-
       // Pass upstream proxy information to config for fingerprint generation
       if let Some(proxy_id_ref) = &proxy_id {
         if let Some(proxy_settings) = PROXY_MANAGER.get_proxy_settings_by_id(proxy_id_ref) {
@@ -219,28 +196,6 @@ impl ProfileManager {
       });
 
       // Always ensure executable_path is set to the user's binary location
-      if config.executable_path.is_none() {
-        let mut browser_dir = self.get_binaries_dir();
-        browser_dir.push(browser);
-        browser_dir.push(version);
-
-        #[cfg(target_os = "macos")]
-        let binary_path = browser_dir
-          .join("Chromium.app")
-          .join("Contents")
-          .join("MacOS")
-          .join("Chromium");
-
-        #[cfg(target_os = "windows")]
-        let binary_path = browser_dir.join("chrome.exe");
-
-        #[cfg(target_os = "linux")]
-        let binary_path = browser_dir.join("chrome");
-
-        config.executable_path = Some(binary_path.to_string_lossy().to_string());
-        log::info!("Set Wayfern executable path: {:?}", config.executable_path);
-      }
-
       // Pass upstream proxy information to config for fingerprint generation
       if let Some(proxy_id_ref) = &proxy_id {
         if let Some(proxy_settings) = PROXY_MANAGER.get_proxy_settings_by_id(proxy_id_ref) {

src-tauri/src/profile_importer.rs

@@ -532,27 +532,6 @@ impl ProfileImporter {
     let final_camoufox_config = if mapped == "camoufox" {
       let mut config = camoufox_config.unwrap_or_default();
 
-      if config.executable_path.is_none() {
-        let mut browser_dir = self.profile_manager.get_binaries_dir();
-        browser_dir.push(mapped);
-        browser_dir.push(&version);
-
-        #[cfg(target_os = "macos")]
-        let binary_path = browser_dir
-          .join("Camoufox.app")
-          .join("Contents")
-          .join("MacOS")
-          .join("camoufox");
-
-        #[cfg(target_os = "windows")]
-        let binary_path = browser_dir.join("camoufox.exe");
-
-        #[cfg(target_os = "linux")]
-        let binary_path = browser_dir.join("camoufox");
-
-        config.executable_path = Some(binary_path.to_string_lossy().to_string());
-      }
-
       if let Some(ref proxy_id_val) = proxy_id {
         if let Some(proxy_settings) = PROXY_MANAGER.get_proxy_settings_by_id(proxy_id_val) {
           let proxy_url = if let (Some(username), Some(password)) =
@@ -631,27 +610,6 @@ impl ProfileImporter {
     let final_wayfern_config = if mapped == "wayfern" {
       let mut config = wayfern_config.unwrap_or_default();
 
-      if config.executable_path.is_none() {
-        let mut browser_dir = self.profile_manager.get_binaries_dir();
-        browser_dir.push(mapped);
-        browser_dir.push(&version);
-
-        #[cfg(target_os = "macos")]
-        let binary_path = browser_dir
-          .join("Chromium.app")
-          .join("Contents")
-          .join("MacOS")
-          .join("Chromium");
-
-        #[cfg(target_os = "windows")]
-        let binary_path = browser_dir.join("chrome.exe");
-
-        #[cfg(target_os = "linux")]
-        let binary_path = browser_dir.join("chrome");
-
-        config.executable_path = Some(binary_path.to_string_lossy().to_string());
-      }
-
       if let Some(ref proxy_id_val) = proxy_id {
         if let Some(proxy_settings) = PROXY_MANAGER.get_proxy_settings_by_id(proxy_id_val) {
           let proxy_url = if let (Some(username), Some(password)) =

src-tauri/src/sync/engine.rs

@@ -332,11 +332,11 @@ impl SyncEngine {
   ) -> SyncResult<()> {
     if profile.is_cross_os() {
       log::info!(
-        "Skipping file sync for cross-OS profile: {} ({})",
+        "Cross-OS profile: {} ({}) — syncing metadata only",
         profile.name,
         profile.id
       );
-      return Ok(());
+      return self.sync_cross_os_metadata(app_handle, profile).await;
     }
 
     // Skip team profiles for self-hosted sync
@@ -727,6 +727,63 @@ impl SyncEngine {
     Ok(profile)
   }
 
+  /// Sync only metadata for cross-OS profiles (tags, notes, proxies, groups).
+  /// No browser files are synced.
+  async fn sync_cross_os_metadata(
+    &self,
+    app_handle: &tauri::AppHandle,
+    profile: &BrowserProfile,
+  ) -> SyncResult<()> {
+    let profile_id = profile.id.to_string();
+    let key_prefix = Self::get_team_key_prefix(profile).await;
+    let profile_manager = ProfileManager::instance();
+
+    // Upload our metadata
+    self
+      .upload_profile_metadata(&profile_id, profile, &key_prefix)
+      .await?;
+
+    // Download remote metadata and merge if remote has changes
+    let remote_metadata_key = format!("{}profiles/{}/metadata.json", key_prefix, profile_id);
+    if let Ok(remote_meta) = self.download_profile_metadata(&remote_metadata_key).await {
+      let mut updated = profile.clone();
+      updated.name = remote_meta.name;
+      updated.tags = remote_meta.tags;
+      updated.note = remote_meta.note;
+      updated.proxy_id = remote_meta.proxy_id;
+      updated.vpn_id = remote_meta.vpn_id;
+      updated.group_id = remote_meta.group_id;
+      updated.last_sync = Some(
+        std::time::SystemTime::now()
+          .duration_since(std::time::UNIX_EPOCH)
+          .unwrap()
+          .as_secs(),
+      );
+      let _ = profile_manager.save_profile(&updated);
+    }
+
+    // Sync associated entities
+    if let Some(proxy_id) = &profile.proxy_id {
+      let _ = self.sync_proxy(proxy_id, Some(app_handle)).await;
+    }
+    if let Some(group_id) = &profile.group_id {
+      let _ = self.sync_group(group_id, Some(app_handle)).await;
+    }
+
+    let _ = events::emit("profiles-changed", ());
+    let _ = events::emit(
+      "profile-sync-status",
+      serde_json::json!({
+        "profile_id": profile_id,
+        "profile_name": profile.name,
+        "status": "synced"
+      }),
+    );
+
+    log::info!("Cross-OS profile {} metadata synced", profile_id);
+    Ok(())
+  }
+
   async fn upload_profile_metadata(
     &self,
     profile_id: &str,
@@ -2284,6 +2341,42 @@ impl SyncEngine {
         .await?;
     }
 
+    // Verify critical files after download
+    let os_crypt_key_path = profile_dir.join("profile").join("os_crypt_key");
+    let cookies_path = profile_dir.join("profile").join("Default").join("Cookies");
+    if os_crypt_key_path.exists() {
+      let key_data = fs::read(&os_crypt_key_path).unwrap_or_default();
+      log::info!(
+        "Profile {} sync: os_crypt_key present ({} bytes, sha256: {:x})",
+        profile_id,
+        key_data.len(),
+        {
+          use std::hash::{Hash, Hasher};
+          let mut h = std::collections::hash_map::DefaultHasher::new();
+          key_data.hash(&mut h);
+          h.finish()
+        }
+      );
+    } else {
+      log::warn!(
+        "Profile {} sync: os_crypt_key NOT FOUND after download",
+        profile_id
+      );
+    }
+    if cookies_path.exists() {
+      let cookies_meta = fs::metadata(&cookies_path).unwrap_or_else(|_| fs::metadata(".").unwrap());
+      log::info!(
+        "Profile {} sync: Cookies present ({} bytes)",
+        profile_id,
+        cookies_meta.len()
+      );
+    } else {
+      log::warn!(
+        "Profile {} sync: Cookies NOT FOUND after download",
+        profile_id
+      );
+    }
+
     // Set sync mode and save profile
     if profile.sync_mode == SyncMode::Disabled {
       profile.sync_mode = if manifest.encrypted {
@@ -2815,15 +2908,8 @@ pub async fn set_profile_sync_mode(
     }
   }
 
-  // If switching to Encrypted, verify eligibility, password, and generate salt
+  // If switching to Encrypted, verify password is set and generate salt
   if new_mode == SyncMode::Encrypted {
-    // Only pro users and team owners can enable encryption
-    if let Some(state) = crate::cloud_auth::CLOUD_AUTH.get_user().await {
-      if state.user.plan == "team" && state.user.team_role.as_deref() != Some("owner") {
-        return Err("Profile encryption is available for Pro users and team owners.".to_string());
-      }
-    }
-
     if !encryption::has_e2e_password() {
       return Err("E2E password not set. Please set a password in Settings first.".to_string());
     }

src-tauri/src/sync/manifest.rs

@@ -13,7 +13,6 @@ use super::types::{SyncError, SyncResult};
 /// Patterns use `**/` prefix to match at any directory depth, since the sync
 /// engine scans from `profiles/{uuid}/` which contains `profile/Default/...`.
 pub const DEFAULT_EXCLUDE_PATTERNS: &[&str] = &[
-  // Chromium caches (re-downloadable / re-generated)
   "**/Cache/**",
   "**/Code Cache/**",
   "**/GPUCache/**",
@@ -23,7 +22,6 @@ pub const DEFAULT_EXCLUDE_PATTERNS: &[&str] = &[
   "**/DawnGraphiteCache/**",
   "**/Service Worker/CacheStorage/**",
   "**/Service Worker/ScriptCache/**",
-  // Chromium transient / volatile data
   "**/Session Storage/**",
   "**/blob_storage/**",
   "**/Crashpad/**",
@@ -32,21 +30,26 @@ pub const DEFAULT_EXCLUDE_PATTERNS: &[&str] = &[
   "**/optimization_guide_model_store/**",
   "**/Safe Browsing/**",
   "**/component_crx_cache/**",
-  // Firefox/Camoufox caches (re-downloadable / re-generated)
   "**/cache2/**",
   "**/startupCache/**",
   "**/safebrowsing/**",
   "**/storage/temporary/**",
   "**/crashes/**",
   "**/minidumps/**",
-  // Common volatile files
-  "*.log",
   "*.tmp",
   "**/LOG",
   "**/LOG.old",
   "**/LOCK",
   "**/*-journal",
   "**/*-wal",
+  "**/SingletonLock",
+  "**/SingletonSocket",
+  "**/SingletonCookie",
+  "**/Secure Preferences",
+  "**/GraphiteDawnCache/**",
+  "**/DawnWebGPUCache/**",
+  "**/BrowserMetrics*",
+  "**/.DS_Store",
   ".donut-sync/**",
 ];
 

src-tauri/src/sync/scheduler.rs

@@ -264,7 +264,7 @@ impl SyncScheduler {
 
     let sync_enabled_profiles: Vec<_> = profiles
       .into_iter()
-      .filter(|p| p.is_sync_enabled() && !p.is_cross_os())
+      .filter(|p| p.is_sync_enabled())
       .collect();
 
     if sync_enabled_profiles.is_empty() {
@@ -418,7 +418,7 @@ impl SyncScheduler {
           profile_manager.list_profiles().ok().and_then(|profiles| {
             profiles
               .into_iter()
-              .find(|p| p.id.to_string() == profile_id && p.is_sync_enabled() && !p.is_cross_os())
+              .find(|p| p.id.to_string() == profile_id && p.is_sync_enabled())
           })
         };
 

src-tauri/src/wayfern_manager.rs

@@ -37,8 +37,6 @@ pub struct WayfernConfig {
   pub block_webrtc: Option<bool>,
   #[serde(default)]
   pub block_webgl: Option<bool>,
-  #[serde(default)]
-  pub executable_path: Option<String>,
   #[serde(default, skip_serializing)]
   pub proxy: Option<String>,
 }
@@ -212,21 +210,9 @@ impl WayfernManager {
     profile: &BrowserProfile,
     config: &WayfernConfig,
   ) -> Result<String, Box<dyn std::error::Error + Send + Sync>> {
-    let executable_path = if let Some(path) = &config.executable_path {
-      let p = PathBuf::from(path);
-      if p.exists() {
-        p
-      } else {
-        log::warn!("Stored Wayfern executable path does not exist: {path}, falling back to dynamic resolution");
-        BrowserRunner::instance()
-          .get_browser_executable_path(profile)
-          .map_err(|e| format!("Failed to get Wayfern executable path: {e}"))?
-      }
-    } else {
-      BrowserRunner::instance()
-        .get_browser_executable_path(profile)
-        .map_err(|e| format!("Failed to get Wayfern executable path: {e}"))?
-    };
+    let executable_path = BrowserRunner::instance()
+      .get_browser_executable_path(profile)
+      .map_err(|e| format!("Failed to get Wayfern executable path: {e}"))?;
 
     let port = Self::find_free_port().await?;
     log::info!("Launching headless Wayfern on port {port} for fingerprint generation");
@@ -247,9 +233,15 @@ impl WayfernManager {
       .arg("--disable-background-mode")
       .arg("--use-mock-keychain")
       .arg("--password-store=basic")
-      .arg("--disable-features=DialMediaRouteProvider")
-      .stdout(Stdio::null())
-      .stderr(Stdio::null());
+      .arg("--disable-features=DialMediaRouteProvider");
+
+    #[cfg(target_os = "linux")]
+    cmd
+      .arg("--no-sandbox")
+      .arg("--disable-setuid-sandbox")
+      .arg("--disable-dev-shm-usage");
+
+    cmd.stdout(Stdio::null()).stderr(Stdio::null());
 
     let child = cmd.spawn()?;
     let child_id = child.id();
@@ -456,21 +448,9 @@ impl WayfernManager {
     extension_paths: &[String],
     remote_debugging_port: Option<u16>,
   ) -> Result<WayfernLaunchResult, Box<dyn std::error::Error + Send + Sync>> {
-    let executable_path = if let Some(path) = &config.executable_path {
-      let p = PathBuf::from(path);
-      if p.exists() {
-        p
-      } else {
-        log::warn!("Stored Wayfern executable path does not exist: {path}, falling back to dynamic resolution");
-        BrowserRunner::instance()
-          .get_browser_executable_path(profile)
-          .map_err(|e| format!("Failed to get Wayfern executable path: {e}"))?
-      }
-    } else {
-      BrowserRunner::instance()
-        .get_browser_executable_path(profile)
-        .map_err(|e| format!("Failed to get Wayfern executable path: {e}"))?
-    };
+    let executable_path = BrowserRunner::instance()
+      .get_browser_executable_path(profile)
+      .map_err(|e| format!("Failed to get Wayfern executable path: {e}"))?;
 
     let port = match remote_debugging_port {
       Some(p) => p,
@@ -478,6 +458,84 @@ impl WayfernManager {
     };
     log::info!("Launching Wayfern on CDP port {port}");
 
+    // Diagnostic: verify critical profile files and test cookie decryption
+    {
+      let profile_path_buf = std::path::PathBuf::from(profile_path);
+      let key_path = profile_path_buf.join("os_crypt_key");
+      let cookies_path = profile_path_buf.join("Default").join("Cookies");
+
+      if key_path.exists() {
+        let key_text = std::fs::read_to_string(&key_path).unwrap_or_default();
+        log::info!(
+          "Pre-launch: os_crypt_key present ({} bytes, content: '{}')",
+          key_text.len(),
+          key_text.trim()
+        );
+      } else {
+        log::warn!("Pre-launch: os_crypt_key NOT FOUND");
+      }
+
+      if cookies_path.exists() {
+        // Try to open Cookies DB and check if encrypted cookies can be decrypted
+        if let Ok(conn) = rusqlite::Connection::open_with_flags(
+          &cookies_path,
+          rusqlite::OpenFlags::SQLITE_OPEN_READ_ONLY,
+        ) {
+          let cookie_count: i64 = conn
+            .query_row(
+              "SELECT COUNT(*) FROM cookies WHERE length(encrypted_value) > 0",
+              [],
+              |r| r.get(0),
+            )
+            .unwrap_or(0);
+          let total_count: i64 = conn
+            .query_row("SELECT COUNT(*) FROM cookies", [], |r| r.get(0))
+            .unwrap_or(0);
+          log::info!(
+            "Pre-launch: Cookies DB has {} total cookies, {} encrypted",
+            total_count,
+            cookie_count
+          );
+
+          // Try decrypting one cookie using the cookie_manager
+          if let Some(encryption_key) =
+            crate::cookie_manager::chrome_decrypt::get_encryption_key(&profile_path_buf)
+          {
+            if let Ok(mut stmt) = conn.prepare(
+              "SELECT name, host_key, encrypted_value FROM cookies WHERE length(encrypted_value) > 0 LIMIT 1",
+            ) {
+              if let Ok(mut rows) = stmt.query([]) {
+                if let Ok(Some(row)) = rows.next() {
+                  let name: String = row.get(0).unwrap_or_default();
+                  let host: String = row.get(1).unwrap_or_default();
+                  let encrypted: Vec<u8> = row.get(2).unwrap_or_default();
+                  let decrypted =
+                    crate::cookie_manager::chrome_decrypt::decrypt(
+                      &encrypted,
+                      &encryption_key,
+                    );
+                  match decrypted {
+                    Some(val) => log::info!(
+                      "Pre-launch: Cookie decryption SUCCEEDED for '{}' (host: {}, decrypted {} bytes)",
+                      name, host, val.len()
+                    ),
+                    None => log::error!(
+                      "Pre-launch: Cookie decryption FAILED for '{}' (host: {}, encrypted {} bytes)",
+                      name, host, encrypted.len()
+                    ),
+                  }
+                }
+              }
+            }
+          } else {
+            log::error!("Pre-launch: Failed to derive encryption key from os_crypt_key");
+          }
+        }
+      } else {
+        log::warn!("Pre-launch: Cookies NOT FOUND");
+      }
+    }
+
     let mut args = vec![
       format!("--remote-debugging-port={port}"),
       "--remote-debugging-address=127.0.0.1".to_string(),
@@ -492,12 +550,18 @@ impl WayfernManager {
       "--disable-session-crashed-bubble".to_string(),
       "--hide-crash-restore-bubble".to_string(),
       "--disable-infobars".to_string(),
-      "--disable-quic".to_string(),
       "--disable-features=DialMediaRouteProvider".to_string(),
       "--use-mock-keychain".to_string(),
       "--password-store=basic".to_string(),
     ];
 
+    #[cfg(target_os = "linux")]
+    {
+      args.push("--no-sandbox".to_string());
+      args.push("--disable-setuid-sandbox".to_string());
+      args.push("--disable-dev-shm-usage".to_string());
+    }
+
     if let Some(proxy) = proxy_url {
       args.push(format!("--proxy-server={proxy}"));
     }

src/components/home-header.tsx

@@ -22,7 +22,6 @@ import {
   DropdownMenuTrigger,
 } from "./ui/dropdown-menu";
 import { Input } from "./ui/input";
-import { ProBadge } from "./ui/pro-badge";
 import { Tooltip, TooltipContent, TooltipTrigger } from "./ui/tooltip";
 
 const CLICK_THRESHOLD = 5;
@@ -301,15 +300,12 @@ const HomeHeader = ({
               {t("header.menu.groups")}
             </DropdownMenuItem>
             <DropdownMenuItem
-              disabled={!crossOsUnlocked}
-              className={cn(!crossOsUnlocked && "opacity-50")}
               onClick={() => {
                 onExtensionManagementDialogOpen(true);
               }}
             >
               <LuPuzzle className="mr-2 w-4 h-4" />
               {t("header.menu.extensions")}
-              {!crossOsUnlocked && <ProBadge className="ml-auto" />}
             </DropdownMenuItem>
             <DropdownMenuItem
               onClick={() => {

src/components/profile-data-table.tsx

@@ -1802,8 +1802,11 @@ export function ProfilesDataTable({
           const isLaunching = meta.launchingProfiles.has(profile.id);
           const isStopping = meta.stoppingProfiles.has(profile.id);
           const isLockedByAnother = meta.isProfileLockedByAnother(profile.id);
+          const isSyncing = meta.syncStatuses[profile.id]?.status === "syncing";
           const canLaunch =
-            meta.browserState.canLaunchProfile(profile) && !isLockedByAnother;
+            meta.browserState.canLaunchProfile(profile) &&
+            !isLockedByAnother &&
+            !isSyncing;
           const lockEmail = meta.getProfileLockEmail(profile.id);
           const tooltipContent = isLockedByAnother
             ? meta.t("sync.team.cannotLaunchLocked", { email: lockEmail })
@@ -1831,13 +1834,14 @@ export function ProfilesDataTable({
             );
             try {
               await meta.onLaunchProfile(profile);
-            } catch (error) {
+            } finally {
+              // Always clear launching state — the running state is tracked
+              // separately via profile-running-changed events
               meta.setLaunchingProfiles((prev: Set<string>) => {
                 const next = new Set(prev);
                 next.delete(profile.id);
                 return next;
               });
-              throw error;
             }
           };
 
@@ -2665,40 +2669,20 @@ export function ProfilesDataTable({
         )}
         {onBulkExtensionGroupAssignment && (
           <DataTableActionBarAction
-            tooltip={
-              crossOsUnlocked
-                ? "Assign Extension Group"
-                : "Assign Extension Group (Pro)"
-            }
+            tooltip="Assign Extension Group"
             onClick={onBulkExtensionGroupAssignment}
             size="icon"
-            disabled={!crossOsUnlocked}
           >
-            <span className="relative">
-              <LuPuzzle />
-              {!crossOsUnlocked && (
-                <span className="absolute -bottom-1.5 left-1/2 -translate-x-1/2 text-[6px] font-bold leading-none bg-primary text-primary-foreground px-0.5 rounded-sm">
-                  PRO
-                </span>
-              )}
-            </span>
+            <LuPuzzle />
           </DataTableActionBarAction>
         )}
         {onBulkCopyCookies && (
           <DataTableActionBarAction
-            tooltip={crossOsUnlocked ? "Copy Cookies" : "Copy Cookies (Pro)"}
+            tooltip="Copy Cookies"
             onClick={onBulkCopyCookies}
             size="icon"
-            disabled={!crossOsUnlocked}
           >
-            <span className="relative">
-              <LuCookie />
-              {!crossOsUnlocked && (
-                <span className="absolute -bottom-1.5 left-1/2 -translate-x-1/2 text-[6px] font-bold leading-none bg-primary text-primary-foreground px-0.5 rounded-sm">
-                  PRO
-                </span>
-              )}
-            </span>
+            <LuCookie />
           </DataTableActionBarAction>
         )}
         {onBulkDelete && (

src/components/profile-info-dialog.tsx

@@ -266,9 +266,8 @@ export function ProfileInfoDialog({
       icon: <LuCopy className="w-4 h-4" />,
       label: t("profiles.actions.copyCookiesToProfile"),
       onClick: () => handleAction(() => onCopyCookiesToProfile?.(profile)),
-      disabled: isDisabled || !crossOsUnlocked,
-      proBadge: !crossOsUnlocked,
-      runningBadge: isRunning && crossOsUnlocked,
+      disabled: isDisabled,
+      runningBadge: isRunning,
       hidden:
         !isCamoufoxOrWayfern ||
         profile.ephemeral === true ||
@@ -278,9 +277,8 @@ export function ProfileInfoDialog({
       icon: <LuCookie className="w-4 h-4" />,
       label: t("profileInfo.actions.manageCookies"),
       onClick: () => handleAction(() => onOpenCookieManagement?.(profile)),
-      disabled: isDisabled || !crossOsUnlocked,
-      proBadge: !crossOsUnlocked,
-      runningBadge: isRunning && crossOsUnlocked,
+      disabled: isDisabled,
+      runningBadge: isRunning,
       hidden:
         !isCamoufoxOrWayfern ||
         profile.ephemeral === true ||

src/components/profile-sync-dialog.tsx

@@ -41,10 +41,11 @@ export function ProfileSyncDialog({
     cloudUser.plan !== "free" &&
     (cloudUser.subscriptionStatus === "active" ||
       cloudUser.planPeriod === "lifetime");
+  // Encryption available to everyone except team members who aren't owners
   const canUseEncryption =
-    isCloudSyncEligible &&
-    cloudUser != null &&
-    (cloudUser.plan !== "team" || cloudUser.teamRole === "owner");
+    cloudUser == null ||
+    cloudUser.plan !== "team" ||
+    cloudUser.teamRole === "owner";
   const [isSaving, setIsSaving] = useState(false);
   const [isSyncing, setIsSyncing] = useState(false);
   const [syncMode, setSyncMode] = useState<SyncMode>(

src/components/settings-dialog.tsx

@@ -134,12 +134,11 @@ export function SettingsDialog({
   } = usePermissions();
   const { trialStatus } = useCommercialTrial();
   const { user: cloudUser } = useCloudAuth();
+  // Encryption is available to everyone except team members who aren't owners
   const canUseEncryption =
-    cloudUser != null &&
-    cloudUser.plan !== "free" &&
-    (cloudUser.subscriptionStatus === "active" ||
-      cloudUser.planPeriod === "lifetime") &&
-    (cloudUser.plan !== "team" || cloudUser.teamRole === "owner");
+    cloudUser == null ||
+    cloudUser.plan !== "team" ||
+    cloudUser.teamRole === "owner";
   const {
     currentLanguage,
     changeLanguage,

src/components/sync-config-dialog.tsx

@@ -67,7 +67,9 @@ export function SyncConfigDialog({ isOpen, onClose }: SyncConfigDialogProps) {
   const [isVerifying, setIsVerifying] = useState(false);
 
   const [activeTab, setActiveTab] = useState<string>("cloud");
-  const [liveProxyUsage, setLiveProxyUsage] = useState<ProxyUsage | null>(null);
+  const [_liveProxyUsage, setLiveProxyUsage] = useState<ProxyUsage | null>(
+    null,
+  );
 
   const [connectionStatus, setConnectionStatus] = useState<
     "unknown" | "testing" | "connected" | "error"
@@ -300,40 +302,6 @@ export function SyncConfigDialog({ isOpen, onClose }: SyncConfigDialogProps) {
                   })}
                 </span>
               </div>
-              {liveProxyUsage && (
-                <>
-                  <div className="flex justify-between">
-                    <span className="text-muted-foreground">
-                      Recurring Proxy Bandwidth
-                    </span>
-                    <span>
-                      {Math.max(
-                        0,
-                        liveProxyUsage.recurring_limit_mb -
-                          liveProxyUsage.used_mb,
-                      )}{" "}
-                      / {liveProxyUsage.recurring_limit_mb} MB remaining
-                    </span>
-                  </div>
-                  <div className="flex justify-between">
-                    <span className="text-muted-foreground">
-                      Extra Proxy Bandwidth
-                    </span>
-                    <span>
-                      {Math.max(
-                        0,
-                        liveProxyUsage.remaining_mb -
-                          Math.max(
-                            0,
-                            liveProxyUsage.recurring_limit_mb -
-                              liveProxyUsage.used_mb,
-                          ),
-                      )}{" "}
-                      / {liveProxyUsage.extra_limit_mb} MB remaining
-                    </span>
-                  </div>
-                </>
-              )}
               {user.teamName && (
                 <>
                   <div className="flex justify-between">