refactor: wayfern launch

feat: shadowsocks
chore: proper formatting
2026-06-11 17:27:54 +02:00 · 2026-04-13 02:47:16 +04:00 · 2026-04-12 13:54:50 +04:00 · 2026-04-12 13:54:50 +04:00 · 2026-04-12 13:54:50 +04:00 · 2026-04-12 13:54:50 +04:00
161 changed files with 11227 additions and 4547 deletions
@@ -197,6 +197,7 @@ These are frequently overlooked issues that make UI look unprofessional:
 Before delivering UI code, verify these items:

 ### Visual Quality
+
 - [ ] No emojis used as icons (use SVG instead)
 - [ ] All icons from consistent icon set (Heroicons/Lucide)
 - [ ] Brand logos are correct (verified from Simple Icons)
@@ -204,24 +205,28 @@ Before delivering UI code, verify these items:
 - [ ] Use theme colors directly (bg-primary) not var() wrapper

 ### Interaction
+
 - [ ] All clickable elements have `cursor-pointer`
 - [ ] Hover states provide clear visual feedback
 - [ ] Transitions are smooth (150-300ms)
 - [ ] Focus states visible for keyboard navigation

 ### Light/Dark Mode
+
 - [ ] Light mode text has sufficient contrast (4.5:1 minimum)
 - [ ] Glass/transparent elements visible in light mode
 - [ ] Borders visible in both modes
 - [ ] Test both modes before delivery

 ### Layout
+
 - [ ] Floating elements have proper spacing from edges
 - [ ] No content hidden behind fixed navbars
 - [ ] Responsive at 320px, 768px, 1024px, 1440px
 - [ ] No horizontal scroll on mobile

 ### Accessibility
+
 - [ ] All images have alt text
 - [ ] Form inputs have labels
 - [ ] Color is not the only indicator
@@ -10,4 +10,11 @@

 - [ ] Read [CONTRIBUTING.md](https://github.com/zhom/donutbrowser/blob/main/CONTRIBUTING.md)
 - [ ] Ran `pnpm format && pnpm lint && pnpm test` locally and it passes
+- [ ] I tested the changes myself by running the app locally
 - [ ] Updated translations in all locale files (if UI text changed)
+
+## AI usage
+
+- [ ] I used AI to help write this PR
+
+<!-- If you checked the box above, briefly explain how AI was used (e.g. "generated the test", "wrote the initial implementation", "full PR"). -->
@@ -31,10 +31,10 @@ jobs:
            build-mode: none
    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2

      - name: Set up pnpm package manager
-        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 #v4.4.0
+        uses: pnpm/action-setup@08c4be7e2e672a47d11bd04269e27e5f3e8529cb #v6.0.0
        with:
          run_install: false

@@ -22,7 +22,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
      - name: Contribute List
        uses: akhilmhdh/contributors-readme-action@83ea0b4f1ac928fbfe88b9e8460a932a528eb79f #v2.3.11
        env:
@@ -13,7 +13,7 @@ jobs:
  security-scan:
    name: Security Vulnerability Scan
    if: github.repository == 'zhom/donutbrowser' && github.actor == 'dependabot[bot]'
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@c5996e0193a3df57d695c1b8a1dec2a4c62e8730" # v2.3.3
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@c51854704019a247608d928f370c98740469d4b5" # v2.3.5
    with:
      scan-args: |-
        -r
@@ -69,7 +69,7 @@ jobs:
    steps:
      - name: Dependabot metadata
        id: metadata
-        uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a #v2.5.0
+        uses: dependabot/fetch-metadata@ffa630c65fa7e0ecfa0625b5ceda64399aea1b36 #v3.0.0
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      - name: Enable auto-merge for minor and patch updates
@@ -1,12 +1,16 @@
 name: Build and Push donut-sync Docker Image

 on:
-  release:
-    types: [published]
  push:
    branches: [main]
    paths:
      - "donut-sync/**"
+  workflow_call:
+    inputs:
+      tag:
+        description: "Docker tag (e.g., v1.0.0)"
+        required: true
+        type: string
  workflow_dispatch:
    inputs:
      tag:
@@ -26,13 +30,13 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 #v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f #v3
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd #v4.0.0

      - name: Log in to Docker Hub
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 #v3
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 #v4.1.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -41,26 +45,24 @@ jobs:
        id: tags
        run: |
          TAGS=""
+          INPUT_TAG="${{ inputs.tag }}"

-          if [ "${{ github.event_name }}" = "release" ]; then
-            # Stable release: tag with version and latest
-            VERSION="${{ github.event.release.tag_name }}"
-            TAGS="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${VERSION}"
+          if [ -n "$INPUT_TAG" ]; then
+            # Called from release workflow or manual dispatch
+            TAGS="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${INPUT_TAG}"
            TAGS="${TAGS},${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest"
          elif [ "${{ github.event_name }}" = "push" ]; then
            # Push to main (nightly): tag with nightly and commit SHA
            SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
            TAGS="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:nightly"
            TAGS="${TAGS},${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:nightly-${SHORT_SHA}"
-          elif [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
-            TAGS="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.event.inputs.tag }}"
          fi

          echo "tags=${TAGS}" >> "$GITHUB_OUTPUT"
          echo "Tags: ${TAGS}"

      - name: Build and push Docker image
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 #v6
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f #v7.1.0
        with:
          context: .
          file: ./donut-sync/Dockerfile
@@ -26,7 +26,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2

      - name: Install Nix
        uses: cachix/install-nix-action@a6f7623b2e2401f485f1eead77ced45bd99b09b0 #v31
@@ -21,15 +21,18 @@ jobs:
    if: github.repository == 'zhom/donutbrowser' && github.event_name == 'issues'
    runs-on: ubuntu-latest
    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+
      - name: Check if first-time contributor
        id: check-first-time
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          ISSUE_AUTHOR: ${{ github.event.issue.user.login }}
        run: |
-          ISSUE_COUNT=$(gh api "/repos/${{ github.repository }}/issues" \
-            --jq "map(select(.user.login == \"$ISSUE_AUTHOR\" and .number != ${{ github.event.issue.number }})) | length" \
-            --paginate || echo "0")
+          ISSUE_COUNT=$(gh api "/repos/${{ github.repository }}/issues?state=all&creator=$ISSUE_AUTHOR&per_page=100" \
+            --jq "[.[] | select(.number != ${{ github.event.issue.number }}) ] | length" \
+            || echo "0")

          if [ "$ISSUE_COUNT" = "0" ]; then
            echo "is_first_time=true" >> $GITHUB_OUTPUT
@@ -37,6 +40,67 @@ jobs:
            echo "is_first_time=false" >> $GITHUB_OUTPUT
          fi

+      - name: Build repo context and find related files
+        env:
+          ISSUE_TITLE: ${{ github.event.issue.title }}
+          ISSUE_BODY: ${{ github.event.issue.body }}
+        run: |
+          # Read project guidelines (contains repo structure)
+          cp CLAUDE.md /tmp/repo-context.txt
+
+          printf '%s' "$ISSUE_TITLE" > /tmp/issue-title.txt
+          printf '%s' "${ISSUE_BODY:-}" > /tmp/issue-body.txt
+
+          # List all source files for the AI to pick from
+          find . -type f \( -name "*.rs" -o -name "*.ts" -o -name "*.tsx" \) \
+            ! -path "*/node_modules/*" ! -path "*/target/*" ! -path "*/.next/*" ! -path "*/dist/*" \
+            ! -path "*/.git/*" ! -path "*/gen/*" ! -path "*/data/*" \
+            | sed 's|^\./||' | sort > /tmp/all-source-files.txt
+
+      - name: Select relevant files with AI
+        env:
+          OPENROUTER_API_KEY: ${{ secrets.OPENROUTER_API_KEY }}
+        run: |
+          PAYLOAD=$(jq -n \
+            --rawfile title /tmp/issue-title.txt \
+            --rawfile body /tmp/issue-body.txt \
+            --rawfile files /tmp/all-source-files.txt \
+            '{
+              model: "anthropic/claude-opus-4.6",
+              messages: [
+                {
+                  role: "system",
+                  content: "You are a file selector for Donut Browser (Tauri + Next.js + Rust anti-detect browser). Given an issue and a list of source files, output ONLY the 10 most likely relevant file paths, one per line. No explanations, no numbering, just paths."
+                },
+                {
+                  role: "user",
+                  content: ("Issue: " + $title + "\n\n" + $body + "\n\nFiles:\n" + $files)
+                }
+              ]
+            }')
+
+          RESPONSE=$(curl -fsSL https://openrouter.ai/api/v1/chat/completions \
+            -H "Authorization: Bearer $OPENROUTER_API_KEY" \
+            -H "Content-Type: application/json" \
+            -d "$PAYLOAD")
+
+          jq -r '.choices[0].message.content // empty' <<< "$RESPONSE" > /tmp/selected-files.txt
+
+          # Read the selected files in full (skip binary files)
+          echo "" > /tmp/file-contents.txt
+          while IFS= read -r filepath; do
+            filepath=$(echo "$filepath" | xargs)
+            [ -z "$filepath" ] && continue
+            if [ -f "$filepath" ] && file --mime "$filepath" | grep -q "text/"; then
+              echo "=== $filepath ===" >> /tmp/file-contents.txt
+              cat "$filepath" >> /tmp/file-contents.txt
+              echo "" >> /tmp/file-contents.txt
+            fi
+          done < /tmp/selected-files.txt
+
+          # Cap total context at 100KB
+          head -c 100000 /tmp/file-contents.txt > /tmp/file-context.txt
+
      - name: Analyze issue with AI
        env:
          OPENROUTER_API_KEY: ${{ secrets.OPENROUTER_API_KEY }}
@@ -50,25 +114,24 @@ jobs:
            GREETING='This is a first-time contributor. Start your comment with: "Thanks for opening your first issue!"'
          fi

-          # Write all user content to files to avoid shell escaping issues
          printf '%s' "$ISSUE_TITLE" > /tmp/issue-title.txt
          printf '%s' "${ISSUE_BODY:-}" > /tmp/issue-body.txt
          printf '%s' "$ISSUE_AUTHOR" > /tmp/issue-author.txt
          printf '%s' "$GREETING" > /tmp/greeting.txt

-          # Build the JSON payload entirely in jq — never interpolate user content in shell
          PAYLOAD=$(jq -n \
            --rawfile title /tmp/issue-title.txt \
            --rawfile body /tmp/issue-body.txt \
            --rawfile author /tmp/issue-author.txt \
            --rawfile greeting /tmp/greeting.txt \
+            --rawfile repo_context /tmp/repo-context.txt \
+            --rawfile context /tmp/file-context.txt \
            '{
-              model: "z-ai/glm-5",
-              max_tokens: 1024,
+              model: "anthropic/claude-opus-4.6",
              messages: [
                {
                  role: "system",
-                  content: "You are a triage bot for Donut Browser (open-source anti-detect browser, Tauri + Next.js + Rust).\n\nAnalyze the issue and produce a single concise comment. Format:\n\n1. One sentence acknowledging what the user wants.\n2. A short **Action items** list - what specific info is missing or what the user should do next. Only include items that are actually missing. If the issue is complete, say so and skip this section.\n3. Suggest a label at the very end of your response on its own line in the exact format: Label: bug OR Label: enhancement\n\nRules:\n- Be brief. No filler, no generic tips, no templates.\n- If it is a bug report, check for: reproduction steps, OS/version, error messages. Only ask for what is actually missing.\n- If it is a feature request, check for: clear description of desired behavior, use case. Only ask for what is actually missing.\n- If the issue already has everything needed, just acknowledge it.\n- Never exceed 6 items total."
+                  content: ("You are a triage bot for Donut Browser, an open-source anti-detect browser (Tauri desktop app: Rust backend + Next.js frontend).\n\nProject guidelines and structure:\n" + $repo_context + "\n\nYou have access to relevant source files for context.\n\nAnalyze the issue and produce a single comment. Your job is to collect missing information needed to diagnose the issue, NOT to guess the cause.\n\nFormat:\n\n1. One sentence acknowledging the issue.\n2. **Missing information** - Ask specific questions about what is missing from the report. Focus on reproducing the issue. Do NOT speculate about root causes or mention internal code/files — you will almost certainly be wrong without logs. Instead, ask for:\n   - Exact steps to reproduce (if not provided)\n   - Expected vs actual behavior (if unclear)\n   - Error messages or screenshots (if not provided)\n   - OS and app version (if not provided)\n   - For bug reports: if logs are needed, tell the user EXACTLY how to get them:\n     - macOS app logs: `~/Library/Logs/Donut Browser/`\n     - Linux app logs: `~/.local/share/DonutBrowser/logs/`\n     - Windows app logs: `%APPDATA%\\DonutBrowser\\logs\\`\n     - Sync server logs: `docker logs <container>` or check the server console\n     - Provide a ready-to-run shell command when possible.\n   - For self-hosted sync issues: check if the user is using the latest Docker image (`docker pull donutbrowser/donut-sync:latest`).\n   - Only ask for information that is actually missing. If the issue is already detailed, just acknowledge it.\n3. Suggest a label: `Label: bug` or `Label: enhancement` on its own line.\n\nRules:\n- Do NOT include a \"Possible cause\" section. Do not speculate about what code might be causing the issue.\n- Be brief and focused on collecting actionable information from the reporter.\n- If the issue already has everything needed (steps to reproduce, logs, version, OS), just acknowledge it.\n- Never exceed 15 lines.")
                },
                {
                  role: "user",
@@ -76,7 +139,8 @@ jobs:
                    (if ($greeting | length) > 0 then $greeting + "\n\n" else "" end) +
                    "Analyze this issue:\n\nTitle: " + $title +
                    "\nAuthor: " + $author +
-                    "\n\nBody:\n" + $body
+                    "\n\nBody:\n" + $body +
+                    "\n\nRelevant source files:\n" + $context
                  )
                }
              ]
@@ -87,7 +151,6 @@ jobs:
            -H "Content-Type: application/json" \
            -d "$PAYLOAD")

-          # Extract the comment using jq — never parse AI output in shell
          jq -r '.choices[0].message.content // empty' <<< "$RESPONSE" > /tmp/ai-comment.txt

          if [ ! -s /tmp/ai-comment.txt ]; then
@@ -102,7 +165,6 @@ jobs:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          ISSUE_NUMBER: ${{ github.event.issue.number }}
        run: |
-          # Extract and strip the label line before posting
          LABEL=$(grep -oP '^Label:\s*\K.*' /tmp/ai-comment.txt | tail -1 | tr '[:upper:]' '[:lower:]' | xargs)
          sed -i '/^Label:/d' /tmp/ai-comment.txt

@@ -118,6 +180,9 @@ jobs:
    if: github.repository == 'zhom/donutbrowser' && github.event_name == 'pull_request_target' && github.actor != 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+
      - name: Check if first-time contributor
        id: check-first-time
        env:
@@ -134,6 +199,40 @@ jobs:
            echo "is_first_time=false" >> $GITHUB_OUTPUT
          fi

+      - name: Gather PR context
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+        run: |
+          # Get changed files list
+          gh api "/repos/$GITHUB_REPOSITORY/pulls/$PR_NUMBER/files" \
+            --jq '.[] | "- \(.filename) (\(.status)) +\(.additions)/-\(.deletions)"' \
+            > /tmp/pr-files.txt
+
+          # Get the actual diff
+          gh api "/repos/$GITHUB_REPOSITORY/pulls/$PR_NUMBER" \
+            --header "Accept: application/vnd.github.diff" \
+            > /tmp/pr-diff-full.txt 2>/dev/null || true
+          head -c 20000 /tmp/pr-diff-full.txt > /tmp/pr-diff.txt
+
+          # Get CONTRIBUTING.md and README.md for context
+          cat CONTRIBUTING.md > /tmp/contributing.txt 2>/dev/null || echo "Not found" > /tmp/contributing.txt
+          head -50 README.md > /tmp/readme.txt 2>/dev/null || echo "Not found" > /tmp/readme.txt
+
+          # Read project guidelines (contains repo structure)
+          cp CLAUDE.md /tmp/repo-context.txt
+
+          # Read full contents of all changed files (skip binary)
+          echo "" > /tmp/related-file-contents.txt
+          gh api "/repos/$GITHUB_REPOSITORY/pulls/$PR_NUMBER/files" --jq '.[].filename' | while IFS= read -r filepath; do
+            if [ -f "$filepath" ] && file --mime "$filepath" | grep -q "text/"; then
+              echo "=== $filepath (full file) ===" >> /tmp/related-file-contents.txt
+              cat "$filepath" >> /tmp/related-file-contents.txt
+              echo "" >> /tmp/related-file-contents.txt
+            fi
+          done
+          head -c 100000 /tmp/related-file-contents.txt > /tmp/pr-file-context.txt
+
      - name: Analyze PR with AI
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -151,7 +250,6 @@ jobs:
            GREETING='This is a first-time contributor. Start your comment with: "Thanks for your first PR!"'
          fi

-          # Write all user content to files to avoid shell escaping issues
          printf '%s' "$PR_TITLE" > /tmp/pr-title.txt
          printf '%s' "${PR_BODY:-}" > /tmp/pr-body.txt
          printf '%s' "$PR_AUTHOR" > /tmp/pr-author.txt
@@ -159,11 +257,6 @@ jobs:
          printf '%s' "$PR_HEAD" > /tmp/pr-head.txt
          printf '%s' "$GREETING" > /tmp/greeting.txt

-          gh api "/repos/$GITHUB_REPOSITORY/pulls/$PR_NUMBER/files" \
-            --jq '.[] | "- \(.filename) (\(.status)) +\(.additions)/-\(.deletions)"' \
-            > /tmp/pr-files.txt
-
-          # Build the JSON payload entirely in jq — never interpolate user content in shell
          PAYLOAD=$(jq -n \
            --rawfile title /tmp/pr-title.txt \
            --rawfile body /tmp/pr-body.txt \
@@ -171,14 +264,17 @@ jobs:
            --rawfile base /tmp/pr-base.txt \
            --rawfile head /tmp/pr-head.txt \
            --rawfile files /tmp/pr-files.txt \
+            --rawfile diff /tmp/pr-diff.txt \
            --rawfile greeting /tmp/greeting.txt \
+            --rawfile repo_context /tmp/repo-context.txt \
+            --rawfile contributing /tmp/contributing.txt \
+            --rawfile file_context /tmp/pr-file-context.txt \
            '{
-              model: "z-ai/glm-5",
-              max_tokens: 1024,
+              model: "anthropic/claude-opus-4.6",
              messages: [
                {
                  role: "system",
-                  content: "You are a review bot for Donut Browser (open-source anti-detect browser, Tauri + Next.js + Rust).\n\nReview this PR and produce a single concise comment. Format:\n\n1. One sentence summarizing what this PR does.\n2. **Action items** - only list things that actually need to be fixed or addressed. If the PR looks good, say so and skip this section.\n\nRules:\n- Be brief. No filler, no praise padding.\n- Focus on: bugs, security issues, missing edge cases, breaking changes.\n- If the PR touches UI text or adds new strings, remind to update translation files in src/i18n/locales/.\n- If the PR modifies Tauri commands, remind to check the unused-commands test.\n- Do not nitpick style or formatting - the project has automated linting.\n- Never exceed 8 lines total."
+                  content: ("You are a code review bot for Donut Browser, an open-source anti-detect browser (Tauri desktop app: Rust backend + Next.js frontend).\n\nProject guidelines and structure:\n" + $repo_context + "\n\nContributing guidelines:\n" + $contributing + "\n\nYou have access to the full changed files and the diff. Use them to give a substantive review.\n\nReview this PR and produce a single comment. Format:\n\n1. One sentence summarizing what this PR does and whether the approach is sound.\n2. **Code review** - Specific observations about the actual code changes. Mention file names and what you see in the diff. Look for:\n   - Bugs or logic errors in the changed code\n   - Security issues (SQL injection, path traversal, XSS, command injection)\n   - Missing error handling or edge cases\n   - Breaking changes to existing APIs or behavior\n   - If UI text was added/changed, check if all 7 translation files (en, es, fr, ja, pt, ru, zh) in src/i18n/locales/ were updated\n   - If Tauri commands were added/removed, the unused-commands test in lib.rs needs updating\n3. **Suggestions** - Concrete improvements if any. Skip if the PR looks good.\n\nRules:\n- Be substantive. Review the actual diff, not just the description.\n- Do NOT nitpick formatting or style — the project has automated linting (biome + clippy + rustfmt).\n- Do NOT just summarize the PR description back to the user — they wrote it, they know what it says.\n- If the PR is good, say so briefly.\n- Never exceed 20 lines.")
                },
                {
                  role: "user",
@@ -188,7 +284,9 @@ jobs:
                    "\nAuthor: " + $author +
                    "\nBase: " + $base + " <- Head: " + $head +
                    "\n\nDescription:\n" + $body +
-                    "\n\nChanged files:\n" + $files
+                    "\n\nChanged files:\n" + $files +
+                    "\n\nDiff:\n" + $diff +
+                    "\n\nFull file contents:\n" + $file_context
                  )
                }
              ]
@@ -199,7 +297,6 @@ jobs:
            -H "Content-Type: application/json" \
            -d "$PAYLOAD")

-          # Extract the comment using jq — never parse AI output in shell
          jq -r '.choices[0].message.content // empty' <<< "$RESPONSE" > /tmp/ai-comment.txt

          if [ ! -s /tmp/ai-comment.txt ]; then
@@ -227,10 +324,10 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2

      - name: Run opencode
-        uses: anomalyco/opencode/github@4ee426ba549131c4903a71dfb6259200467aca81 #v1.2.27
+        uses: anomalyco/opencode/github@877be7e8e04142cd8fbebcb5e6c4b9617bf28cce #v1.4.3
        env:
          ZHIPU_API_KEY: ${{ secrets.ZHIPU_API_KEY }}
          TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -34,10 +34,10 @@ jobs:
        run: git config --global core.autocrlf false

      - name: Checkout repository code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2

      - name: Set up pnpm package manager
-        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 #v4.4.0
+        uses: pnpm/action-setup@08c4be7e2e672a47d11bd04269e27e5f3e8529cb #v6.0.0
        with:
          run_install: false

@@ -41,10 +41,10 @@ jobs:
        run: git config --global core.autocrlf false

      - name: Checkout repository code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2

      - name: Set up pnpm package manager
-        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 #v4.4.0
+        uses: pnpm/action-setup@08c4be7e2e672a47d11bd04269e27e5f3e8529cb #v6.0.0
        with:
          run_install: false

@@ -67,7 +67,7 @@ jobs:
        if: matrix.os == 'ubuntu-22.04'
        run: |
          sudo apt-get update
-          sudo apt install libwebkit2gtk-4.1-dev build-essential curl wget file libxdo-dev libssl-dev libayatana-appindicator3-dev librsvg2-dev
+          sudo apt install libwebkit2gtk-4.1-dev build-essential curl wget file libxdo-dev libssl-dev libayatana-appindicator3-dev librsvg2-dev openvpn

      - name: Install frontend dependencies
        run: pnpm install --frozen-lockfile
@@ -113,12 +113,8 @@ jobs:
        run: cargo clippy --all-targets --all-features -- -D warnings -D clippy::all
        working-directory: src-tauri

-      - name: Run Rust unit tests
-        run: cargo test --lib && cargo test --test donut_proxy_integration && cargo test --test vpn_integration
-        working-directory: src-tauri
-
-      - name: Run Rust sync e2e tests
-        run: node scripts/sync-test-harness.mjs
+      - name: Run test suite
+        run: pnpm test

      - name: Run cargo audit security check
        run: cargo audit
@@ -46,7 +46,7 @@ jobs:
  scan-scheduled:
    name: Scheduled Security Scan
    if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@c5996e0193a3df57d695c1b8a1dec2a4c62e8730" # v2.3.3
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@c51854704019a247608d928f370c98740469d4b5" # v2.3.5
    with:
      scan-args: |-
        -r
@@ -58,7 +58,7 @@ jobs:
  scan-pr:
    name: PR Security Scan
    if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@c5996e0193a3df57d695c1b8a1dec2a4c62e8730" # v2.3.3
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@c51854704019a247608d928f370c98740469d4b5" # v2.3.5
    with:
      scan-args: |-
        -r
@@ -29,7 +29,7 @@ jobs:
  security-scan:
    name: Security Vulnerability Scan
    if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@c5996e0193a3df57d695c1b8a1dec2a4c62e8730" # v2.3.3
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@c51854704019a247608d928f370c98740469d4b5" # v2.3.5
    with:
      scan-args: |-
        -r
@@ -0,0 +1,221 @@
+name: Publish Linux Repos
+
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Release tag (e.g. v0.18.1). Leave empty for latest."
+        required: false
+        type: string
+  workflow_run:
+    workflows: ["Release"]
+    types:
+      - completed
+
+permissions:
+  contents: read
+
+jobs:
+  publish-repos:
+    if: >
+      github.repository == 'zhom/donutbrowser' &&
+      (github.event_name == 'workflow_dispatch' ||
+       github.event.workflow_run.conclusion == 'success')
+    runs-on: ubuntu-latest
+    steps:
+      - name: Determine release tag
+        id: tag
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          INPUT_TAG: ${{ inputs.tag }}
+        run: |
+          if [[ -n "${INPUT_TAG:-}" ]]; then
+            echo "tag=${INPUT_TAG}" >> "$GITHUB_OUTPUT"
+          elif [[ "${{ github.event_name }}" == "workflow_run" ]]; then
+            # The Release workflow is triggered by a tag push (v*),
+            # so head_branch is the tag name
+            echo "tag=${{ github.event.workflow_run.head_branch }}" >> "$GITHUB_OUTPUT"
+          else
+            TAG=$(gh release view --repo "${{ github.repository }}" --json tagName -q .tagName)
+            echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Configure aws-cli for R2
+        # aws-cli v2.23+ sends integrity checksums by default; Cloudflare R2
+        # rejects those headers with `Unauthorized` on ListObjectsV2.
+        # Also normalise the endpoint URL (must start with https://).
+        # Both values propagate to later steps via $GITHUB_ENV.
+        env:
+          RAW_ENDPOINT: ${{ secrets.R2_ENDPOINT_URL }}
+        run: |
+          endpoint="$RAW_ENDPOINT"
+          if [[ "$endpoint" != https://* && "$endpoint" != http://* ]]; then
+            endpoint="https://$endpoint"
+          fi
+          echo "R2_ENDPOINT=$endpoint" >> "$GITHUB_ENV"
+          echo "AWS_REQUEST_CHECKSUM_CALCULATION=WHEN_REQUIRED" >> "$GITHUB_ENV"
+          echo "AWS_RESPONSE_CHECKSUM_VALIDATION=WHEN_REQUIRED" >> "$GITHUB_ENV"
+
+      - name: Install tools
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y dpkg-dev createrepo-c python3-pip
+          # Remove pre-installed aws-cli v2 — it sends CRC64NVME checksums
+          # that Cloudflare R2 rejects with Unauthorized, and the s3transfer
+          # lib has a confirmed bug where WHEN_REQUIRED is silently ignored
+          # (boto/s3transfer#327). Install aws-cli v1 via pip instead.
+          sudo rm -f /usr/local/bin/aws /usr/local/bin/aws_completer
+          sudo rm -rf /usr/local/aws-cli
+          pip3 install --break-system-packages awscli
+          # Ensure pip-installed aws is on PATH (pip may install to ~/.local/bin)
+          echo "$HOME/.local/bin" >> "$GITHUB_PATH"
+          aws --version
+
+      - name: Download packages from GitHub release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAG: ${{ steps.tag.outputs.tag }}
+        run: |
+          mkdir -p /tmp/packages
+          gh release download "$TAG" \
+            --repo "${{ github.repository }}" \
+            --pattern "*.deb" \
+            --dir /tmp/packages
+          gh release download "$TAG" \
+            --repo "${{ github.repository }}" \
+            --pattern "*.rpm" \
+            --dir /tmp/packages
+          echo "Downloaded packages:"
+          ls -lh /tmp/packages/
+
+      - name: Build DEB repository
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: auto
+          R2_BUCKET: ${{ secrets.R2_BUCKET_NAME }}
+        run: |
+          DEB_DIR="/tmp/repo/deb"
+          mkdir -p "$DEB_DIR/pool/main"
+          mkdir -p "$DEB_DIR/dists/stable/main/binary-amd64"
+          mkdir -p "$DEB_DIR/dists/stable/main/binary-arm64"
+
+          # Sync existing pool from R2 (incremental)
+          aws s3 sync "s3://${R2_BUCKET}/deb/pool" "$DEB_DIR/pool" \
+            --endpoint-url "$R2_ENDPOINT" 2>/dev/null || true
+
+          # Copy new .deb files into pool
+          cp /tmp/packages/*.deb "$DEB_DIR/pool/main/" 2>/dev/null || true
+
+          # Generate Packages and Packages.gz for each arch
+          for arch in amd64 arm64; do
+            BINARY_DIR="$DEB_DIR/dists/stable/main/binary-${arch}"
+            (cd "$DEB_DIR" && dpkg-scanpackages --arch "$arch" pool/main) \
+              > "$BINARY_DIR/Packages"
+            gzip -9c "$BINARY_DIR/Packages" > "$BINARY_DIR/Packages.gz"
+            echo "  $arch: $(grep -c '^Package:' "$BINARY_DIR/Packages" 2>/dev/null || echo 0) package(s)"
+          done
+
+          # Generate Release file
+          {
+            echo "Origin: Donut Browser"
+            echo "Label: Donut Browser"
+            echo "Suite: stable"
+            echo "Codename: stable"
+            echo "Architectures: amd64 arm64"
+            echo "Components: main"
+            echo "Date: $(date -u '+%a, %d %b %Y %H:%M:%S UTC')"
+            echo "MD5Sum:"
+            for arch in amd64 arm64; do
+              for file in "main/binary-${arch}/Packages" "main/binary-${arch}/Packages.gz"; do
+                filepath="$DEB_DIR/dists/stable/$file"
+                if [[ -f "$filepath" ]]; then
+                  size=$(wc -c < "$filepath")
+                  md5=$(md5sum "$filepath" | awk '{print $1}')
+                  printf " %s %8d %s\n" "$md5" "$size" "$file"
+                fi
+              done
+            done
+            echo "SHA256:"
+            for arch in amd64 arm64; do
+              for file in "main/binary-${arch}/Packages" "main/binary-${arch}/Packages.gz"; do
+                filepath="$DEB_DIR/dists/stable/$file"
+                if [[ -f "$filepath" ]]; then
+                  size=$(wc -c < "$filepath")
+                  sha256=$(sha256sum "$filepath" | awk '{print $1}')
+                  printf " %s %8d %s\n" "$sha256" "$size" "$file"
+                fi
+              done
+            done
+          } > "$DEB_DIR/dists/stable/Release"
+
+          echo "DEB Release file created."
+
+      - name: Build RPM repository
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: auto
+          R2_BUCKET: ${{ secrets.R2_BUCKET_NAME }}
+        run: |
+          RPM_DIR="/tmp/repo/rpm"
+          mkdir -p "$RPM_DIR/x86_64"
+          mkdir -p "$RPM_DIR/aarch64"
+
+          # Sync existing RPMs from R2 (incremental)
+          aws s3 sync "s3://${R2_BUCKET}/rpm/x86_64" "$RPM_DIR/x86_64" \
+            --endpoint-url "$R2_ENDPOINT" --exclude "repodata/*" 2>/dev/null || true
+          aws s3 sync "s3://${R2_BUCKET}/rpm/aarch64" "$RPM_DIR/aarch64" \
+            --endpoint-url "$R2_ENDPOINT" --exclude "repodata/*" 2>/dev/null || true
+
+          # Copy new .rpm files into arch directories
+          for rpm in /tmp/packages/*.rpm; do
+            [[ -f "$rpm" ]] || continue
+            filename=$(basename "$rpm")
+            if [[ "$filename" == *x86_64* ]]; then
+              cp "$rpm" "$RPM_DIR/x86_64/"
+            elif [[ "$filename" == *aarch64* ]]; then
+              cp "$rpm" "$RPM_DIR/aarch64/"
+            fi
+          done
+
+          # Generate repodata
+          createrepo_c --update "$RPM_DIR"
+          echo "RPM repodata created."
+
+      - name: Upload to R2
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: auto
+          R2_BUCKET: ${{ secrets.R2_BUCKET_NAME }}
+        run: |
+          echo "Uploading DEB repository..."
+          aws s3 sync /tmp/repo/deb/dists "s3://${R2_BUCKET}/deb/dists" \
+            --endpoint-url "$R2_ENDPOINT" --delete
+          aws s3 sync /tmp/repo/deb/pool "s3://${R2_BUCKET}/deb/pool" \
+            --endpoint-url "$R2_ENDPOINT"
+
+          echo "Uploading RPM repository..."
+          aws s3 sync /tmp/repo/rpm "s3://${R2_BUCKET}/rpm" \
+            --endpoint-url "$R2_ENDPOINT"
+
+      - name: Verify upload
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: auto
+          R2_BUCKET: ${{ secrets.R2_BUCKET_NAME }}
+          TAG: ${{ steps.tag.outputs.tag }}
+        run: |
+          echo "Published repos for $TAG"
+          echo ""
+          echo "DEB dists/stable/:"
+          aws s3 ls "s3://${R2_BUCKET}/deb/dists/stable/" \
+            --endpoint-url "$R2_ENDPOINT" 2>/dev/null || echo "  (empty)"
+          echo "DEB pool/main/:"
+          aws s3 ls "s3://${R2_BUCKET}/deb/pool/main/" \
+            --endpoint-url "$R2_ENDPOINT" 2>/dev/null || echo "  (empty)"
+          echo "RPM repodata/:"
+          aws s3 ls "s3://${R2_BUCKET}/rpm/repodata/" \
+            --endpoint-url "$R2_ENDPOINT" 2>/dev/null || echo "  (empty)"
@@ -17,7 +17,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
        with:
          fetch-depth: 0

@@ -20,7 +20,7 @@ jobs:
  security-scan:
    if: github.repository == 'zhom/donutbrowser'
    name: Security Vulnerability Scan
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@c5996e0193a3df57d695c1b8a1dec2a4c62e8730" # v2.3.3
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@c51854704019a247608d928f370c98740469d4b5" # v2.3.5
    with:
      scan-args: |-
        -r
@@ -105,10 +105,10 @@ jobs:

    runs-on: ${{ matrix.platform }}
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2

      - name: Setup pnpm
-        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 #v4.4.0
+        uses: pnpm/action-setup@08c4be7e2e672a47d11bd04269e27e5f3e8529cb #v6.0.0
        with:
          run_install: false

@@ -139,6 +139,10 @@ jobs:
        run: pnpm install --frozen-lockfile

      - name: Build frontend
+        # NEXT_PUBLIC_* vars are inlined at build time and must be forwarded
+        # from secrets explicitly — they are NOT inherited from the job env.
+        env:
+          NEXT_PUBLIC_TURNSTILE: ${{ secrets.NEXT_PUBLIC_TURNSTILE }}
        run: pnpm exec next build

      - name: Verify frontend dist exists
@@ -216,6 +220,12 @@ jobs:
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+          # tauri-action invokes `pnpm tauri build`, which runs
+          # `beforeBuildCommand` from tauri.conf.json. That rebuilds the
+          # frontend in its own subprocess, so the env var MUST be forwarded
+          # here or the inner `next build` inlines an empty string and
+          # overwrites the dist the explicit "Build frontend" step produced.
+          NEXT_PUBLIC_TURNSTILE: ${{ secrets.NEXT_PUBLIC_TURNSTILE }}
        with:
          projectPath: ./src-tauri
          tagName: ${{ github.ref_name }}
@@ -225,6 +235,44 @@ jobs:
          prerelease: false
          args: ${{ matrix.args }}

+      - name: Create portable Windows ZIP
+        if: matrix.platform == 'windows-latest'
+        shell: bash
+        env:
+          TAG: ${{ github.ref_name }}
+        run: |
+          VERSION="${TAG#v}"
+          PORTABLE_DIR="Donut-Portable"
+          mkdir -p "$PORTABLE_DIR"
+
+          # Copy main executable
+          cp "src-tauri/target/${{ matrix.target }}/release/donutbrowser.exe" "$PORTABLE_DIR/Donut.exe"
+
+          # Copy sidecar binaries
+          cp "src-tauri/target/${{ matrix.target }}/release/donut-proxy.exe" "$PORTABLE_DIR/"
+          cp "src-tauri/target/${{ matrix.target }}/release/donut-daemon.exe" "$PORTABLE_DIR/"
+
+          # Copy WebView2Loader if present
+          if [ -f "src-tauri/target/${{ matrix.target }}/release/WebView2Loader.dll" ]; then
+            cp "src-tauri/target/${{ matrix.target }}/release/WebView2Loader.dll" "$PORTABLE_DIR/"
+          fi
+
+          # Create .portable marker
+          touch "$PORTABLE_DIR/.portable"
+
+          # Create ZIP
+          7z a "Donut_${VERSION}_x64-portable.zip" "$PORTABLE_DIR"
+
+      - name: Upload portable ZIP to release
+        if: matrix.platform == 'windows-latest'
+        shell: bash
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAG: ${{ github.ref_name }}
+        run: |
+          VERSION="${TAG#v}"
+          gh release upload "$TAG" "Donut_${VERSION}_x64-portable.zip" --clobber
+
      - name: Clean up Apple certificate
        if: matrix.platform == 'macos-latest' && always()
        run: |
@@ -237,8 +285,9 @@ jobs:
    runs-on: ubuntu-latest
    permissions:
      contents: write
+      pull-requests: write
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
        with:
          ref: main
          fetch-depth: 0
@@ -345,7 +394,7 @@ jobs:

          ### Windows

-          [Download Windows Installer (x64)](${BASE}/Donut_${VERSION}_x64-setup.exe)
+          [Download Windows Installer (x64)](${BASE}/Donut_${VERSION}_x64-setup.exe) · [Portable (x64)](${BASE}/Donut_${VERSION}_x64-portable.zip)

          ### Linux

@@ -368,16 +417,28 @@ jobs:
            /<!-- install-links-end -->/!d
          }' README.md

-      - name: Commit release docs
+      - name: Create release docs PR
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAG: ${{ github.ref_name }}
        run: |
+          VERSION="${TAG#v}"
+          BRANCH="docs/release-${VERSION}"
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git checkout -b "$BRANCH"
          git add CHANGELOG.md README.md
          if git diff --cached --quiet; then
            echo "No changes to commit"
          else
-            git commit -m "docs: update CHANGELOG.md and README.md for ${{ github.ref_name }} [skip ci]"
-            git push origin main
+            git commit -m "docs: update CHANGELOG.md and README.md for ${TAG} [skip ci]"
+            git push origin "$BRANCH"
+            gh pr create \
+              --title "docs: release notes for ${TAG}" \
+              --body "Automated update of CHANGELOG.md and README.md download links for ${TAG}." \
+              --base main \
+              --head "$BRANCH"
+            gh pr merge "$BRANCH" --squash --admin
          fi

      - name: Update release notes
@@ -389,36 +450,108 @@ jobs:

  notify-discord:
    if: github.repository == 'zhom/donutbrowser'
-    needs: [release]
+    needs: [release, changelog]
    runs-on: ubuntu-latest
    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+        with:
+          ref: main
+          fetch-depth: 0
+
+      - name: Generate changelog summary
+        env:
+          TAG: ${{ github.ref_name }}
+        run: |
+          PREV_TAG=$(git tag --sort=-version:refname \
+            | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' \
+            | grep -v "^${TAG}$" \
+            | head -n 1)
+          if [ -z "$PREV_TAG" ]; then
+            PREV_TAG=$(git rev-list --max-parents=0 HEAD)
+          fi
+
+          strip_prefix() { echo "$1" | sed -E 's/^[a-z]+(\([^)]*\))?: //'; }
+
+          CHANGES=""
+          while IFS= read -r msg; do
+            [ -z "$msg" ] && continue
+            case "$msg" in
+              feat\(*\):*|feat:*)   CHANGES="${CHANGES}• $(strip_prefix "$msg")\n" ;;
+              fix\(*\):*|fix:*)     CHANGES="${CHANGES}• $(strip_prefix "$msg")\n" ;;
+              refactor\(*\):*|refactor:*) CHANGES="${CHANGES}• $(strip_prefix "$msg")\n" ;;
+              perf\(*\):*|perf:*)   CHANGES="${CHANGES}• $(strip_prefix "$msg")\n" ;;
+            esac
+          done < <(git log --pretty=format:"%s" "${PREV_TAG}..${TAG}" --no-merges)
+
+          # Truncate to fit Discord embed (max 4096 chars)
+          if [ ${#CHANGES} -gt 3900 ]; then
+            CHANGES="${CHANGES:0:3900}\n..."
+          fi
+
+          if [ -z "$CHANGES" ]; then
+            CHANGES="See the full changelog on GitHub."
+          fi
+
+          printf '%b' "$CHANGES" > /tmp/discord-changes.txt
+
      - name: Send Discord notification
        env:
          DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_STABLE_WEBHOOK_URL }}
+          TAG: ${{ github.ref_name }}
        run: |
-          VERSION="${GITHUB_REF_NAME}"
+          VERSION="${TAG}"
          RELEASE_URL="https://github.com/${GITHUB_REPOSITORY}/releases/tag/${VERSION}"
+          CHANGES=$(cat /tmp/discord-changes.txt)

-          curl -fsSL -H "Content-Type: application/json" \
-            -d "{
-              \"embeds\": [{
-                \"title\": \"Donut Browser ${VERSION} Released\",
-                \"url\": \"${RELEASE_URL}\",
-                \"description\": \"A new stable release of Donut Browser is available.\",
-                \"color\": 5814783
+          # Build JSON with jq to handle escaping
+          PAYLOAD=$(jq -n \
+            --arg title "Donut Browser ${VERSION} Released" \
+            --arg url "$RELEASE_URL" \
+            --arg changes "$CHANGES" \
+            --arg dl_mac_arm "https://github.com/'"${GITHUB_REPOSITORY}"'/releases/download/'"${VERSION}"'/Donut_'"${VERSION#v}"'_aarch64.dmg" \
+            --arg dl_mac_intel "https://github.com/'"${GITHUB_REPOSITORY}"'/releases/download/'"${VERSION}"'/Donut_'"${VERSION#v}"'_x64.dmg" \
+            --arg dl_win "https://github.com/'"${GITHUB_REPOSITORY}"'/releases/download/'"${VERSION}"'/Donut_'"${VERSION#v}"'_x64-setup.exe" \
+            --arg dl_linux "https://github.com/'"${GITHUB_REPOSITORY}"'/releases/download/'"${VERSION}"'/Donut_'"${VERSION#v}"'_amd64.AppImage" \
+            '{
+              embeds: [{
+                title: $title,
+                url: $url,
+                description: $changes,
+                color: 5814783,
+                fields: [
+                  { name: "Download", value: ("[macOS (Apple Silicon)](" + $dl_mac_arm + ") · [macOS (Intel)](" + $dl_mac_intel + ")\n[Windows x64](" + $dl_win + ") · [Linux x64](" + $dl_linux + ")"), inline: false }
+                ],
+                footer: { text: "donutbrowser.com" }
              }]
-            }" \
-            "$DISCORD_WEBHOOK_URL"
+            }')
+
+          curl -fsSL -H "Content-Type: application/json" -d "$PAYLOAD" "$DISCORD_WEBHOOK_URL"
+
+  deploy-website:
+    if: github.repository == 'zhom/donutbrowser'
+    needs: [release]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Trigger Cloudflare Pages deployment
+        run: curl -fsSL -X POST "${{ secrets.CLOUDFLARE_WEB_DEPLOYMENT_HOOK }}"
+
+  docker:
+    if: github.repository == 'zhom/donutbrowser'
+    needs: [release]
+    uses: ./.github/workflows/docker-sync.yml
+    with:
+      tag: ${{ github.ref_name }}
+    secrets: inherit

  update-flake:
    if: github.repository == 'zhom/donutbrowser'
-    needs: [release]
+    needs: [release, changelog]
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
        with:
          ref: main

@@ -435,19 +568,13 @@ jobs:

          echo "Downloading x86_64 AppImage..."
          curl -fsSL -o /tmp/amd64.AppImage "$AMD64_URL" || { echo "x86_64 AppImage not found"; exit 1; }
-          AMD64_HASH=$(nix-hash --type sha256 --base32 --flat /tmp/amd64.AppImage 2>/dev/null || sha256sum /tmp/amd64.AppImage | awk '{print $1}')

          echo "Downloading aarch64 AppImage..."
          curl -fsSL -o /tmp/aarch64.AppImage "$AARCH64_URL" || { echo "aarch64 AppImage not found"; exit 1; }
-          AARCH64_HASH=$(nix-hash --type sha256 --base32 --flat /tmp/aarch64.AppImage 2>/dev/null || sha256sum /tmp/aarch64.AppImage | awk '{print $1}')

-          # Convert to SRI format (sha256-<base64>) if we got hex
-          if echo "$AMD64_HASH" | grep -qE '^[0-9a-f]{64}$'; then
-            AMD64_HASH="sha256-$(echo "$AMD64_HASH" | xxd -r -p | base64 | tr -d '\n')"
-          fi
-          if echo "$AARCH64_HASH" | grep -qE '^[0-9a-f]{64}$'; then
-            AARCH64_HASH="sha256-$(echo "$AARCH64_HASH" | xxd -r -p | base64 | tr -d '\n')"
-          fi
+          # Compute SRI hashes (sha256-<base64>)
+          AMD64_HASH="sha256-$(sha256sum /tmp/amd64.AppImage | awk '{print $1}' | xxd -r -p | base64 | tr -d '\n')"
+          AARCH64_HASH="sha256-$(sha256sum /tmp/aarch64.AppImage | awk '{print $1}' | xxd -r -p | base64 | tr -d '\n')"

          echo "AMD64_HASH=${AMD64_HASH}" >> "$GITHUB_ENV"
          echo "AARCH64_HASH=${AARCH64_HASH}" >> "$GITHUB_ENV"
@@ -493,4 +620,4 @@ jobs:
            --body "Automated update of flake.nix with new AppImage hashes for v${VERSION}." \
            --base main \
            --head "$BRANCH"
-          gh pr merge "$BRANCH" --auto --squash
+          gh pr merge "$BRANCH" --squash --admin
@@ -19,7 +19,7 @@ jobs:
  security-scan:
    if: github.repository == 'zhom/donutbrowser'
    name: Security Vulnerability Scan
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@c5996e0193a3df57d695c1b8a1dec2a4c62e8730" # v2.3.3
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@c51854704019a247608d928f370c98740469d4b5" # v2.3.5
    with:
      scan-args: |-
        -r
@@ -104,10 +104,10 @@ jobs:

    runs-on: ${{ matrix.platform }}
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2

      - name: Setup pnpm
-        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 #v4.4.0
+        uses: pnpm/action-setup@08c4be7e2e672a47d11bd04269e27e5f3e8529cb #v6.0.0
        with:
          run_install: false

@@ -138,6 +138,10 @@ jobs:
        run: pnpm install --frozen-lockfile

      - name: Build frontend
+        # NEXT_PUBLIC_* vars are inlined at build time and must be forwarded
+        # from secrets explicitly — they are NOT inherited from the job env.
+        env:
+          NEXT_PUBLIC_TURNSTILE: ${{ secrets.NEXT_PUBLIC_TURNSTILE }}
        run: pnpm exec next build

      - name: Verify frontend dist exists
@@ -226,6 +230,9 @@ jobs:
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+          # tauri-action's inner `pnpm tauri build` re-runs beforeBuildCommand
+          # which rebuilds dist/ in a subprocess. The env var must be here too.
+          NEXT_PUBLIC_TURNSTILE: ${{ secrets.NEXT_PUBLIC_TURNSTILE }}
        with:
          projectPath: ./src-tauri
          tagName: "nightly-${{ steps.timestamp.outputs.timestamp }}"
@@ -235,6 +242,34 @@ jobs:
          prerelease: true
          args: ${{ matrix.args }}

+      - name: Create portable Windows ZIP
+        if: matrix.platform == 'windows-latest'
+        shell: bash
+        run: |
+          PORTABLE_DIR="Donut-Portable"
+          mkdir -p "$PORTABLE_DIR"
+
+          cp "src-tauri/target/${{ matrix.target }}/release/donutbrowser.exe" "$PORTABLE_DIR/Donut.exe"
+          cp "src-tauri/target/${{ matrix.target }}/release/donut-proxy.exe" "$PORTABLE_DIR/"
+          cp "src-tauri/target/${{ matrix.target }}/release/donut-daemon.exe" "$PORTABLE_DIR/"
+
+          if [ -f "src-tauri/target/${{ matrix.target }}/release/WebView2Loader.dll" ]; then
+            cp "src-tauri/target/${{ matrix.target }}/release/WebView2Loader.dll" "$PORTABLE_DIR/"
+          fi
+
+          touch "$PORTABLE_DIR/.portable"
+
+          7z a "Donut_x64-portable.zip" "$PORTABLE_DIR"
+
+      - name: Upload portable ZIP to release
+        if: matrix.platform == 'windows-latest'
+        shell: bash
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NIGHTLY_TAG: "nightly-${{ steps.timestamp.outputs.timestamp }}"
+        run: |
+          gh release upload "$NIGHTLY_TAG" "Donut_x64-portable.zip" --clobber
+
      - name: Clean up Apple certificate
        if: matrix.platform == 'macos-latest' && always()
        run: |
@@ -248,7 +283,7 @@ jobs:
    permissions:
      contents: write
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2

      - name: Generate nightly tag
        id: tag
@@ -345,6 +380,14 @@ jobs:
            --notes-file /tmp/nightly-notes.md \
            --prerelease

+  deploy-website:
+    if: github.repository == 'zhom/donutbrowser'
+    needs: [update-nightly-release]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Trigger Cloudflare Pages deployment
+        run: curl -fsSL -X POST "${{ secrets.CLOUDFLARE_WEB_DEPLOYMENT_HOOK }}"
+
  notify-discord:
    if: github.repository == 'zhom/donutbrowser'
    needs: [update-nightly-release]
@@ -356,14 +399,24 @@ jobs:
        run: |
          COMMIT_SHORT=$(echo "${GITHUB_SHA}" | cut -c1-7)
          RELEASE_URL="https://github.com/${GITHUB_REPOSITORY}/releases/tag/nightly"
+          COMMIT_URL="https://github.com/${GITHUB_REPOSITORY}/commit/${GITHUB_SHA}"

-          curl -fsSL -H "Content-Type: application/json" \
-            -d "{
-              \"embeds\": [{
-                \"title\": \"Donut Browser Nightly Updated\",
-                \"url\": \"${RELEASE_URL}\",
-                \"description\": \"A new nightly build is available (${COMMIT_SHORT}).\",
-                \"color\": 16752128
+          PAYLOAD=$(jq -n \
+            --arg title "Donut Browser Nightly (${COMMIT_SHORT})" \
+            --arg url "$RELEASE_URL" \
+            --arg commit_url "$COMMIT_URL" \
+            --arg commit_short "$COMMIT_SHORT" \
+            '{
+              embeds: [{
+                title: $title,
+                url: $url,
+                color: 16752128,
+                fields: [
+                  { name: "Commit", value: ("[" + $commit_short + "](" + $commit_url + ")"), inline: true },
+                  { name: "Download", value: ("[Nightly Release](" + $url + ")"), inline: true }
+                ],
+                footer: { text: "donutbrowser.com" }
              }]
-            }" \
-            "$DISCORD_WEBHOOK_URL"
+            }')
+
+          curl -fsSL -H "Content-Type: application/json" -d "$PAYLOAD" "$DISCORD_WEBHOOK_URL"
@@ -21,6 +21,6 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Actions Repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
      - name: Spell Check Repo
-        uses: crate-ci/typos@631208b7aac2daa8b707f55e7331f9112b0e062d #v1.44.0
+        uses: crate-ci/typos@02ea592e44b3a53c302f697cddca7641cd051c3d #v1.45.0
@@ -16,7 +16,9 @@ jobs:
      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
-          stale-issue-message: "This issue has been inactive for 60 days. Please respond to keep it open."
-          stale-pr-message: "This pull request has been inactive for 60 days. Please respond to keep it open."
+          stale-issue-message: "This issue has been inactive for 30 days. Please respond to keep it open."
+          stale-pr-message: "This pull request has been inactive for 30 days. Please respond to keep it open."
          stale-issue-label: "stale"
          stale-pr-label: "stale"
+          days-before-stale: 30
+          days-before-close: 7
@@ -32,10 +32,10 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v6.0.2

      - name: Install pnpm
-        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 #v4.4.0
+        uses: pnpm/action-setup@08c4be7e2e672a47d11bd04269e27e5f3e8529cb #v6.0.0
        with:
          run_install: false

@@ -73,7 +73,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v6.0.2

      - name: Start MinIO
        run: |
@@ -85,7 +85,7 @@ jobs:

          # Wait for MinIO to be ready
          for i in {1..30}; do
-            if curl -sf http://localhost:8987/minio/health/live; then
+            if curl -sf http://127.0.0.1:8987/minio/health/live; then
              echo "MinIO is ready"
              break
            fi
@@ -94,7 +94,7 @@ jobs:
          done

      - name: Install pnpm
-        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 #v4.4.0
+        uses: pnpm/action-setup@08c4be7e2e672a47d11bd04269e27e5f3e8529cb #v6.0.0
        with:
          run_install: false

@@ -111,7 +111,7 @@ jobs:
        working-directory: donut-sync
        env:
          SYNC_TOKEN: test-sync-token
-          S3_ENDPOINT: http://localhost:8987
+          S3_ENDPOINT: http://127.0.0.1:8987
          S3_ACCESS_KEY_ID: minioadmin
          S3_SECRET_ACCESS_KEY: minioadmin
          S3_BUCKET: donut-sync-test
@@ -37,6 +37,7 @@
    "codesign",
    "codesigning",
    "commitish",
+    "coreutils",
    "Crashpad",
    "CTYPE",
    "daijro",
@@ -58,6 +59,7 @@
    "doctest",
    "doesn",
    "domcontentloaded",
+    "dont",
    "donutbrowser",
    "doorhanger",
    "dpkg",
@@ -70,21 +72,31 @@
    "esbuild",
    "etree",
    "fetchurl",
+    "findutils",
    "firstrun",
    "flate",
+    "fontconfig",
+    "freetype",
+    "fribidi",
    "frontmost",
+    "fsprogs",
    "geoip",
    "getcwd",
    "gettimezone",
    "gifs",
    "globset",
+    "gnugrep",
+    "gnumake",
+    "gnused",
    "GOPATH",
    "gsettings",
+    "harfbuzz",
    "healthreport",
    "hiddenimports",
    "hkcu",
    "hooksconfig",
    "hookspath",
+    "hostable",
    "Hoverable",
    "icns",
    "idlelib",
@@ -110,13 +122,33 @@
    "libayatana",
    "libc",
    "libcairo",
+    "libdrm",
    "libfuse",
+    "libgbm",
    "libgdk",
    "libglib",
+    "libglvnd",
+    "libgpg",
    "libpango",
    "librsvg",
+    "libsoup",
    "libwebkit",
+    "libx",
+    "libxcb",
+    "libxcomposite",
+    "libxcursor",
+    "libxdamage",
    "libxdo",
+    "libxext",
+    "libxfixes",
+    "libxi",
+    "libxinerama",
+    "libxkbcommon",
+    "libxrandr",
+    "libxrender",
+    "libxscrnsaver",
+    "libxshmfence",
+    "libxtst",
    "localtime",
    "lpdw",
    "lxml",
@@ -134,6 +166,8 @@
    "msys",
    "muda",
    "mypy",
+    "nixos",
+    "nixpkgs",
    "noarchive",
    "nobrowse",
    "noconfirm",
@@ -143,9 +177,11 @@
    "nomount",
    "norestart",
    "NSIS",
+    "nspr",
    "ntfs",
    "ntlm",
    "numpy",
+    "numtide",
    "objc",
    "oneshot",
    "opencode",
@@ -156,6 +192,7 @@
    "oscpu",
    "outpath",
    "OVPN",
+    "pango",
    "passout",
    "patchelf",
    "pathex",
@@ -163,12 +200,14 @@
    "peerconnection",
    "PHANDLER",
    "pids",
+    "pipefail",
    "pixbuf",
    "pkexec",
    "pkgs",
    "pkill",
    "plasmohq",
    "platformdirs",
+    "pname",
    "prefs",
    "presign",
    "PRIO",
@@ -1,5 +1,53 @@
 # Project Guidelines

+> **NOTE**: CLAUDE.md is a symlink to AGENTS.md — editing either file updates both.
+> After significant changes (new modules, renamed files, new directories), re-evaluate the Repository Structure below and update it if needed.
+
+## Repository Structure
+
+```
+donutbrowser/
+├── src/                              # Next.js frontend
+│   ├── app/                          # App router (page.tsx, layout.tsx)
+│   ├── components/                   # 50+ React components (dialogs, tables, UI)
+│   ├── hooks/                        # Event-driven React hooks
+│   ├── i18n/locales/                 # Translations (en, es, fr, ja, pt, ru, zh)
+│   ├── lib/                          # Utilities (themes, toast, browser-utils)
+│   └── types.ts                      # Shared TypeScript interfaces
+├── src-tauri/                        # Rust backend (Tauri)
+│   ├── src/
+│   │   ├── lib.rs                    # Tauri command registration (100+ commands)
+│   │   ├── browser_runner.rs         # Profile launch/kill orchestration
+│   │   ├── browser.rs               # Browser trait & launch logic
+│   │   ├── profile/                  # Profile CRUD (manager.rs, types.rs)
+│   │   ├── proxy_manager.rs         # Proxy lifecycle & connection testing
+│   │   ├── proxy_server.rs          # Local proxy binary (donut-proxy)
+│   │   ├── proxy_storage.rs         # Proxy config persistence (JSON files)
+│   │   ├── api_server.rs            # REST API (utoipa + axum)
+│   │   ├── mcp_server.rs            # MCP protocol server
+│   │   ├── sync/                    # Cloud sync (engine, encryption, manifest, scheduler)
+│   │   ├── vpn/                     # WireGuard & OpenVPN tunnels
+│   │   ├── camoufox/                # Camoufox fingerprint engine (Bayesian network)
+│   │   ├── wayfern_manager.rs       # Wayfern (Chromium) browser management
+│   │   ├── camoufox_manager.rs      # Camoufox (Firefox) browser management
+│   │   ├── downloader.rs           # Browser binary downloader
+│   │   ├── extraction.rs           # Archive extraction (zip, tar, dmg, msi)
+│   │   ├── settings_manager.rs     # App settings persistence
+│   │   ├── cookie_manager.rs       # Cookie import/export
+│   │   ├── extension_manager.rs    # Browser extension management
+│   │   ├── group_manager.rs        # Profile group management
+│   │   ├── synchronizer.rs         # Real-time profile synchronizer
+│   │   ├── daemon/                 # Background daemon + tray icon (currently disabled)
+│   │   └── cloud_auth.rs           # Cloud authentication
+│   ├── tests/                      # Integration tests
+│   └── Cargo.toml                  # Rust dependencies
+├── donut-sync/                     # NestJS sync server (self-hostable)
+│   └── src/                        # Controllers, services, auth, S3 sync
+├── docs/                           # Documentation (self-hosting guide)
+├── flake.nix                       # Nix development environment
+└── .github/workflows/              # CI/CD pipelines
+```
+
 ## Testing and Quality

 - After making changes, run `pnpm format && pnpm lint && pnpm test` at the root of the project
@@ -35,5 +83,27 @@
 - Use these as Tailwind classes: `bg-success`, `text-destructive`, `border-warning`, etc.
 - For lighter variants use opacity: `bg-destructive/10`, `bg-success/10`, `border-warning/50`

+## Publishing Linux Repositories
+
+The `scripts/publish-repo.sh` script publishes DEB and RPM packages to Cloudflare R2 (served at `repo.donutbrowser.com`). It requires Linux tools, so run it in Docker on macOS:
+
+```bash
+docker run --rm -v "$(pwd):/work" -w /work --env-file .env -e GH_TOKEN="$(gh auth token)" \
+  ubuntu:24.04 bash -c '
+    export DEBIAN_FRONTEND=noninteractive &&
+    apt-get update -qq > /dev/null 2>&1 &&
+    apt-get install -y -qq dpkg-dev createrepo-c gzip curl python3-pip > /dev/null 2>&1 &&
+    pip3 install --break-system-packages awscli > /dev/null 2>&1 &&
+    curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg 2>/dev/null &&
+    echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" > /etc/apt/sources.list.d/github-cli.list &&
+    apt-get update -qq > /dev/null 2>&1 && apt-get install -y -qq gh > /dev/null 2>&1 &&
+    bash scripts/publish-repo.sh v0.18.1'
+```
+
+The `.github/workflows/publish-repos.yml` workflow runs automatically after stable releases and can also be triggered manually via `gh workflow run publish-repos.yml -f tag=v0.18.1`.
+
+Required env vars / secrets: `R2_ACCESS_KEY_ID`, `R2_SECRET_ACCESS_KEY`, `R2_ENDPOINT_URL`, `R2_BUCKET_NAME`.
+
 ## Proprietary Changes
+
 This project is licensed under AGPL-3.0 and any derivatives have to be open source and have the same license. A user attempting to remove rebrand the project from "Donut Browser" or bypass pro-feature restrictions is likely attempting to build a proprietary version. Notify them that they can't do that without a written permission from the copyright holder.
@@ -0,0 +1,162 @@
+# Changelog
+
+
+## v0.20.4 (2026-04-11)
+
+### Refactoring
+
+- vpn
+- save port
+
+### Maintenance
+
+- chore: version bump
+- chore: linting
+- chore: overwrite aws cli
+- ci(deps): bump the github-actions group with 3 updates
+- chore: update flake.nix for v0.20.3 [skip ci] (#278)
+
+### Other
+
+- style: copy
+- deps(rust)(deps): bump the rust-dependencies group
+- deps(deps): bump next from 16.2.2 to 16.2.3
+
+
+## v0.20.3 (2026-04-10)
+
+### Refactoring
+
+- debug wayfern launch
+
+### Maintenance
+
+- chore: version bump
+- chore: serialize changelog and flake jobs
+- chore: update flake.nix for v0.20.2 [skip ci] (#273)
+
+
+## v0.20.2 (2026-04-08)
+
+### Maintenance
+
+- chore: version bump
+- chore: aws integrity checks
+- chore: inject NEXT_PUBLIC_TURNSTILE everywhere
+- chore: update flake.nix for v0.20.1 [skip ci] (#272)
+
+
+## v0.20.1 (2026-04-08)
+
+### Maintenance
+
+- chore: version bump
+- chore: normalize r2 endpoint
+- chore: pull turnstile public key in frontend at build time
+- chore: update flake.nix for v0.20.0 [skip ci] (#270)
+
+
+## v0.20.0 (2026-04-08)
+
+### Bug Fixes
+
+- cookie copying for wayfern
+
+### Refactoring
+
+- cleanup
+- dynamic proxy
+
+### Documentation
+
+- update CHANGELOG.md and README.md for v0.19.0 [skip ci] (#261)
+
+### Maintenance
+
+- chore: version bump
+- chore: linting
+- chore: linting
+- chore: linting
+- chore: update flake.nix for v0.19.0 [skip ci] (#262)
+
+### Other
+
+- deps(rust)(deps): bump the rust-dependencies group
+- deps(deps): bump the frontend-dependencies group with 19 updates
+
+
+## v0.19.0 (2026-04-04)
+
+### Features
+
+- captcha on email input
+- dns block lists
+- portable build
+
+### Bug Fixes
+
+- follow latest MCP spec
+- wayfern initial connection on macos doesn't timeout
+
+### Refactoring
+
+- linux auto updates
+- more robust vpn handling
+- don't allow portable build to be set as the default browser
+- show app version in settings
+
+### Documentation
+
+- remove codacy badge
+- agents
+- contrib-readme-action has updated readme
+- update CHANGELOG.md and README.md for v0.18.1 [skip ci]
+- cleanup
+
+### Maintenance
+
+- test: simplify
+- chore: preserve cargo
+- chore: version bump
+- chore: linting
+- chore: update dependencies
+- chore: repo publish workflow
+- chore: copy and backlink
+- test: serialize
+- chore: copy correct file
+- chore: linting
+- chore: do not provide possible cause
+- chore: linting
+- chore: linting
+- chore: linting
+- chore: linting
+- ci(deps): bump the github-actions group with 8 updates
+- chore: commit doc changes directly and pretty discord notifications
+- chore: update flake.nix for v0.18.1 [skip ci]
+- chore: fix linting and formatting
+
+### Other
+
+- deps(deps): bump the frontend-dependencies group with 35 updates
+- deps(rust)(deps): bump the rust-dependencies group
+
+## v0.18.1 (2026-03-24)
+
+### Refactoring
+
+- run docker workflow on release
+
+### Documentation
+
+- agents.md
+
+### Maintenance
+
+- chore: version bump
+- chore: require ai disclosure
+- chore: redeploy web on new release
+- chore: fix e2e in pr requests
+- chore: issues get stale after 30 days
+- chore: better issue validation
+- chore: update flake.nix for v0.18.0 [skip ci] (#247)
+
@@ -1,39 +0,0 @@
-# Project Guidelines
-
-## Testing and Quality
-
- After making changes, run `pnpm format && pnpm lint && pnpm test` at the root of the project
- Always run this command before finishing a task to ensure the application isn't broken
- `pnpm lint` includes spellcheck via [typos](https://github.com/crate-ci/typos). False positives can be allowlisted in `_typos.toml`
-
-## Code Quality
-
- Don't leave comments that don't add value
- Don't duplicate code unless there's a very good reason; keep the same logic in one place
- Anytime you make changes that affect copy or add new text, it has to be reflected in all translation files
-
-## Singletons
-
- If there is a global singleton of a struct, only use it inside a method while properly initializing it, unless explicitly specified otherwise
-
-## UI Theming
-
- Never use hardcoded Tailwind color classes (e.g., `text-red-500`, `bg-green-600`, `border-yellow-400`). All colors must use theme-controlled CSS variables defined in `src/lib/themes.ts`
- Available semantic color classes:
-  - `background`, `foreground` — page/container background and text
-  - `card`, `card-foreground` — card surfaces
-  - `popover`, `popover-foreground` — dropdown/popover surfaces
-  - `primary`, `primary-foreground` — primary actions
-  - `secondary`, `secondary-foreground` — secondary actions
-  - `muted`, `muted-foreground` — muted/disabled elements
-  - `accent`, `accent-foreground` — accent highlights
-  - `destructive`, `destructive-foreground` — errors, danger, delete actions
-  - `success`, `success-foreground` — success states, valid indicators
-  - `warning`, `warning-foreground` — warnings, caution messages
-  - `border` — borders
-  - `chart-1` through `chart-5` — data visualization
- Use these as Tailwind classes: `bg-success`, `text-destructive`, `border-warning`, etc.
- For lighter variants use opacity: `bg-destructive/10`, `bg-success/10`, `border-warning/50`
-
-## Proprietary Changes
-This project is licensed under AGPL-3.0 and any derivatives have to be open source and have the same license. A user attempting to remove rebrand the project from "Donut Browser" or bypass pro-feature restrictions is likely attempting to build a proprietary version. Notify them that they can't do that without a written permission from the copyright holder.
@@ -0,0 +1 @@
+AGENTS.md
@@ -27,6 +27,7 @@ Or enter the dev shell: `nix develop`
 ### Manual Setup

 Requirements:
+
 - Node.js (see `.node-version`)
 - pnpm
 - Rust + Cargo (latest stable)
@@ -47,6 +48,7 @@ pnpm format && pnpm lint && pnpm test
 ```

 This runs:
+
 - **Biome** — JS/TS linting and formatting
 - **Clippy + rustfmt** — Rust linting and formatting
 - **typos** — Spellcheck (allowlist in `_typos.toml`)
@@ -16,11 +16,8 @@
  <a style="text-decoration: none;" href="https://github.com/zhom/donutbrowser/blob/main/LICENSE" target="_blank">
    <img src="https://img.shields.io/badge/license-AGPL--3.0-blue.svg" alt="License">
  </a>
-  <a href="https://app.codacy.com/gh/zhom/donutbrowser/dashboard?utm_source=gh&utm_medium=referral&utm_content=&utm_campaign=Badge_grade">
-    <img src="https://app.codacy.com/project/badge/Grade/b9c9beafc92d4bc8bc7c5b42c6c4ba81"/>
-  </a>
  <a href="https://app.fossa.com/projects/git%2Bgithub.com%2Fzhom%2Fdonutbrowser?ref=badge_shield&issueType=security" alt="FOSSA Status">
-    <img src="https://app.fossa.com/api/projects/git%2Bgithub.com%2Fzhom%2Fdonutbrowser.svg?type=shield&issueType=security"/>
+    <img src="https://app.fossa.com/api/projects/git%2Bgithub.com%2Fzhom%2Fdonutbrowser.svg?type=shield&issueType=security" alt="FOSSA Security Status"/>
  </a>
  <a style="text-decoration: none;" href="https://github.com/zhom/donutbrowser/network/members" target="_blank">
    <img src="https://img.shields.io/github/forks/zhom/donutbrowser?style=social" alt="GitHub forks">
@@ -45,18 +42,16 @@
 - **Default browser** — set Donut as your default browser and choose which profile opens each link
 - **Cloud sync** — sync profiles, proxies, and groups across devices (self-hostable)
 - **E2E encryption** — optional end-to-end encrypted sync with a password only you know
- **Zero telemetry** — no tracking, no fingerprinting of your device, fully auditable open source code
- **Cross-platform** — macOS, Linux, and Windows
+- **Zero telemetry** — no tracking or device fingerprinting

 ## Install

 <!-- install-links-start -->
-
 ### macOS

 | | Apple Silicon | Intel |
 |---|---|---|
-| **DMG** | [Download](https://github.com/zhom/donutbrowser/releases/download/v0.17.6/Donut_0.17.6_aarch64.dmg) | [Download](https://github.com/zhom/donutbrowser/releases/download/v0.17.6/Donut_0.17.6_x64.dmg) |
+| **DMG** | [Download](https://github.com/zhom/donutbrowser/releases/download/v0.20.4/Donut_0.20.4_aarch64.dmg) | [Download](https://github.com/zhom/donutbrowser/releases/download/v0.20.4/Donut_0.20.4_x64.dmg) |

 Or install via Homebrew:

@@ -66,16 +61,15 @@ brew install --cask donut

 ### Windows

-[Download Windows Installer (x64)](https://github.com/zhom/donutbrowser/releases/download/v0.17.6/Donut_0.17.6_x64-setup.exe)
+[Download Windows Installer (x64)](https://github.com/zhom/donutbrowser/releases/download/v0.20.4/Donut_0.20.4_x64-setup.exe) · [Portable (x64)](https://github.com/zhom/donutbrowser/releases/download/v0.20.4/Donut_0.20.4_x64-portable.zip)

 ### Linux

 | Format | x86_64 | ARM64 |
 |---|---|---|
-| **deb** | [Download](https://github.com/zhom/donutbrowser/releases/download/v0.17.6/Donut_0.17.6_amd64.deb) | [Download](https://github.com/zhom/donutbrowser/releases/download/v0.17.6/Donut_0.17.6_arm64.deb) |
-| **rpm** | [Download](https://github.com/zhom/donutbrowser/releases/download/v0.17.6/Donut-0.17.6-1.x86_64.rpm) | [Download](https://github.com/zhom/donutbrowser/releases/download/v0.17.6/Donut-0.17.6-1.aarch64.rpm) |
-| **AppImage** | [Download](https://github.com/zhom/donutbrowser/releases/download/v0.17.6/Donut_0.17.6_amd64.AppImage) | [Download](https://github.com/zhom/donutbrowser/releases/download/v0.17.6/Donut_0.17.6_aarch64.AppImage) |
-
+| **deb** | [Download](https://github.com/zhom/donutbrowser/releases/download/v0.20.4/Donut_0.20.4_amd64.deb) | [Download](https://github.com/zhom/donutbrowser/releases/download/v0.20.4/Donut_0.20.4_arm64.deb) |
+| **rpm** | [Download](https://github.com/zhom/donutbrowser/releases/download/v0.20.4/Donut-0.20.4-1.x86_64.rpm) | [Download](https://github.com/zhom/donutbrowser/releases/download/v0.20.4/Donut-0.20.4-1.aarch64.rpm) |
+| **AppImage** | [Download](https://github.com/zhom/donutbrowser/releases/download/v0.20.4/Donut_0.20.4_amd64.AppImage) | [Download](https://github.com/zhom/donutbrowser/releases/download/v0.20.4/Donut_0.20.4_aarch64.AppImage) |
 <!-- install-links-end -->

 Or install via package manager:
@@ -118,11 +112,11 @@ See [CONTRIBUTING.md](CONTRIBUTING.md).

 ## Star History

-<a href="https://www.star-history.com/#zhom/donutbrowser&Date">
+<a href="https://www.star-history.com/?repos=zhom%2Fdonutbrowser&type=date&legend=top-left">
 <picture>
-   <source media="(prefers-color-scheme: dark)" srcset="https://api.star-history.com/svg?repos=zhom/donutbrowser&type=Date&theme=dark" />
-   <source media="(prefers-color-scheme: light)" srcset="https://api.star-history.com/svg?repos=zhom/donutbrowser&type=Date" />
-   <img alt="Star History Chart" src="https://api.star-history.com/svg?repos=zhom/donutbrowser&type=Date" />
+   <source media="(prefers-color-scheme: dark)" srcset="https://api.star-history.com/image?repos=zhom/donutbrowser&type=date&theme=dark&legend=top-left" />
+   <source media="(prefers-color-scheme: light)" srcset="https://api.star-history.com/image?repos=zhom/donutbrowser&type=date&legend=top-left" />
+   <img alt="Star History Chart" src="https://api.star-history.com/image?repos=zhom/donutbrowser&type=date&legend=top-left" />
 </picture>
 </a>

@@ -146,6 +140,13 @@ See [CONTRIBUTING.md](CONTRIBUTING.md).
                    <sub><b>Hassiy</b></sub>
                </a>
            </td>
+            <td align="center">
+                <a href="https://github.com/yb403">
+                    <img src="https://avatars.githubusercontent.com/u/87396571?v=4" width="100;" alt="yb403"/>
+                    <br />
+                    <sub><b>yb403</b></sub>
+                </a>
+            </td>
            <td align="center">
                <a href="https://github.com/drunkod">
                    <img src="https://avatars.githubusercontent.com/u/9677471?v=4" width="100;" alt="drunkod"/>
@@ -1,12 +1,21 @@
+FROM node:22-alpine AS builder
+
+WORKDIR /build
+COPY donut-sync/package.json donut-sync/tsconfig.json donut-sync/tsconfig.build.json ./
+COPY donut-sync/src/ src/
+RUN npm install
+RUN npm run build
+RUN npm prune --omit=dev
+
 FROM node:22-alpine

 WORKDIR /app
-
-COPY package.json .
-COPY dist/ dist/
-COPY node_modules/ node_modules/
+COPY --from=builder /build/package.json .
+COPY --from=builder /build/dist/ dist/
+COPY --from=builder /build/node_modules/ node_modules/

 ENV NODE_ENV=production
 EXPOSE 12342

+USER node
 CMD ["node", "dist/main"]
@@ -2,8 +2,6 @@
  <a href="http://nestjs.com/" target="blank"><img src="https://nestjs.com/img/logo-small.svg" width="120" alt="Nest Logo" /></a>
 </p>

-[circleci-image]: https://img.shields.io/circleci/build/github/nestjs/nest/master?token=abc123def456
-[circleci-url]: https://circleci.com/gh/nestjs/nest

  <p align="center">A progressive <a href="http://nodejs.org" target="_blank">Node.js</a> framework for building efficient and scalable server-side applications.</p>
    <p align="center">
@@ -28,33 +26,33 @@
 ## Project setup

 ```bash
-$ pnpm install
+pnpm install
 ```

 ## Compile and run the project

 ```bash
 # development
-$ pnpm run start
+pnpm run start

 # watch mode
-$ pnpm run start:dev
+pnpm run start:dev

 # production mode
-$ pnpm run start:prod
+pnpm run start:prod
 ```

 ## Run tests

 ```bash
 # unit tests
-$ pnpm run test
+pnpm run test

 # e2e tests
-$ pnpm run test:e2e
+pnpm run test:e2e

 # test coverage
-$ pnpm run test:cov
+pnpm run test:cov
 ```

 ## Deployment
@@ -64,8 +62,8 @@ When you're ready to deploy your NestJS application to production, there are som
 If you are looking for a cloud-based platform to deploy your NestJS application, check out [Mau](https://mau.nestjs.com), our official platform for deploying NestJS applications on AWS. Mau makes deployment straightforward and fast, requiring just a few simple steps:

 ```bash
-$ pnpm install -g @nestjs/mau
-$ mau deploy
+pnpm install -g @nestjs/mau
+mau deploy
 ```

 With Mau, you can deploy your application in just a few clicks, allowing you to focus on building features rather than managing infrastructure.
@@ -18,4 +18,3 @@ services:

 volumes:
  minio_data:
-
@@ -15,36 +15,36 @@
    "test:watch": "jest --watch",
    "test:cov": "jest --coverage",
    "test:debug": "node --inspect-brk -r tsconfig-paths/register -r ts-node/register node_modules/.bin/jest --runInBand",
-    "test:e2e": "jest --config ./test/jest-e2e.json"
+    "test:e2e": "NODE_OPTIONS='--experimental-vm-modules' jest --config ./test/jest-e2e.json"
  },
  "dependencies": {
-    "@aws-sdk/client-s3": "^3.1015.0",
-    "@aws-sdk/s3-request-presigner": "^3.1015.0",
-    "@nestjs/common": "^11.1.17",
+    "@aws-sdk/client-s3": "^3.1024.0",
+    "@aws-sdk/s3-request-presigner": "^3.1024.0",
+    "@nestjs/common": "^11.1.18",
    "@nestjs/config": "^4.0.3",
-    "@nestjs/core": "^11.1.17",
-    "@nestjs/platform-express": "^11.1.17",
+    "@nestjs/core": "^11.1.18",
+    "@nestjs/platform-express": "^11.1.18",
    "jsonwebtoken": "^9.0.3",
    "reflect-metadata": "^0.2.2",
    "rxjs": "^7.8.2"
  },
  "devDependencies": {
-    "@nestjs/cli": "^11.0.16",
-    "@nestjs/schematics": "^11.0.9",
-    "@nestjs/testing": "^11.1.17",
+    "@nestjs/cli": "^11.0.17",
+    "@nestjs/schematics": "^11.0.10",
+    "@nestjs/testing": "^11.1.18",
    "@types/express": "^5.0.6",
    "@types/jest": "^30.0.0",
    "@types/jsonwebtoken": "^9.0.10",
-    "@types/node": "^25.5.0",
+    "@types/node": "^25.5.2",
    "@types/supertest": "^7.2.0",
    "jest": "^30.3.0",
    "source-map-support": "^0.5.21",
    "supertest": "^7.2.2",
-    "ts-jest": "^29.4.6",
-    "ts-loader": "^9.5.4",
+    "ts-jest": "^29.4.9",
+    "ts-loader": "^9.5.7",
    "ts-node": "^10.9.2",
    "tsconfig-paths": "^4.2.0",
-    "typescript": "^5.9.3"
+    "typescript": "^6.0.2"
  },
  "jest": {
    "moduleFileExtensions": [
@@ -27,7 +27,7 @@ export class AuthGuard implements CanActivate {
    const request = context.switchToHttp().getRequest<Request>();
    const authHeader = request.headers.authorization;

-    if (!authHeader || !authHeader.startsWith("Bearer ")) {
+    if (!authHeader?.startsWith("Bearer ")) {
      throw new UnauthorizedException(
        "Missing or invalid authorization header",
      );
@@ -38,7 +38,7 @@ export class AuthGuard implements CanActivate {
    // Try SYNC_TOKEN first (self-hosted mode)
    const expectedToken = this.configService.get<string>("SYNC_TOKEN");
    if (expectedToken && token === expectedToken) {
-      (request as any).user = {
+      (request as unknown as Record<string, unknown>).user = {
        mode: "self-hosted",
        prefix: "",
        teamPrefix: null,
@@ -55,7 +55,7 @@ export class AuthGuard implements CanActivate {
          algorithms: ["RS256"],
        }) as jwt.JwtPayload;

-        (request as any).user = {
+        (request as unknown as Record<string, unknown>).user = {
          mode: "cloud",
          prefix: decoded.prefix || `users/${decoded.sub}/`,
          teamPrefix: decoded.teamPrefix || null,
@@ -39,7 +39,7 @@ export class SyncController {
  constructor(private readonly syncService: SyncService) {}

  private getUserContext(req: Request): UserContext {
-    return (req as any).user as UserContext;
+    return (req as unknown as Record<string, unknown>).user as UserContext;
  }

  @Post("stat")
@@ -2,18 +2,29 @@ import { INestApplication } from "@nestjs/common";
 import { Test, TestingModule } from "@nestjs/testing";
 import request from "supertest";
 import { App } from "supertest/types";
-import { AppModule } from "./../src/app.module.js";
+import { AppController } from "./../src/app.controller.js";
+import { AppService } from "./../src/app.service.js";
+import { SyncService } from "./../src/sync/sync.service.js";

 describe("AppController (e2e)", () => {
  let app: INestApplication<App>;

  beforeEach(async () => {
    const moduleFixture: TestingModule = await Test.createTestingModule({
-      imports: [AppModule],
+      controllers: [AppController],
+      providers: [
+        AppService,
+        {
+          provide: SyncService,
+          useValue: {
+            checkS3Connectivity: async () => true,
+          },
+        },
+      ],
    }).compile();

    app = moduleFixture.createNestApplication();
-    await app.init();
+    await app.listen(0);
  });

  afterEach(async () => {
@@ -1,10 +1,16 @@
 {
  "moduleFileExtensions": ["js", "json", "ts"],
  "rootDir": ".",
+  "maxWorkers": 1,
  "testEnvironment": "node",
  "testRegex": ".e2e-spec.ts$",
  "transform": {
-    "^.+\\.(t|j)s$": "ts-jest"
+    "^.+\\.(t|j)s$": [
+      "ts-jest",
+      {
+        "tsconfig": "<rootDir>/tsconfig.json"
+      }
+    ]
  },
  "moduleNameMapper": {
    "^(\\.{1,2}/.*)\\.js$": "$1"
@@ -1,3 +1,5 @@
+import type { Server } from "node:http";
+import type { AddressInfo } from "node:net";
 import { INestApplication } from "@nestjs/common";
 import { ConfigModule } from "@nestjs/config";
 import { Test, TestingModule } from "@nestjs/testing";
@@ -6,6 +8,11 @@ import { App } from "supertest/types";
 import { AppController } from "./../src/app.controller.js";
 import { AppService } from "./../src/app.service.js";
 import { SyncModule } from "./../src/sync/sync.module.js";
+import {
+  configureTestEnv,
+  TEST_SYNC_TOKEN,
+  waitForTestS3,
+} from "./test-env.js";

 interface PresignResponse {
  url: string;
@@ -29,26 +36,12 @@ interface StatResponse {
  lastModified?: string;
 }

-interface SSEError {
-  code?: string;
-  timeout?: boolean;
-  response?: { status: number };
-}
-
-const TEST_TOKEN = "test-sync-token";
-
 describe("SyncController (e2e)", () => {
  let app: INestApplication<App>;

  beforeAll(async () => {
-    process.env.SYNC_TOKEN = TEST_TOKEN;
-    process.env.S3_ENDPOINT =
-      process.env.S3_ENDPOINT || "http://localhost:8987";
-    process.env.S3_ACCESS_KEY_ID = process.env.S3_ACCESS_KEY_ID || "minioadmin";
-    process.env.S3_SECRET_ACCESS_KEY =
-      process.env.S3_SECRET_ACCESS_KEY || "minioadmin";
-    process.env.S3_BUCKET = "donut-sync-test";
-    process.env.S3_FORCE_PATH_STYLE = "true";
+    configureTestEnv();
+    await waitForTestS3();

    const moduleFixture: TestingModule = await Test.createTestingModule({
      imports: [
@@ -62,7 +55,7 @@ describe("SyncController (e2e)", () => {
    }).compile();

    app = moduleFixture.createNestApplication();
-    await app.init();
+    await app.listen(0);
  });

  afterAll(async () => {
@@ -88,7 +81,7 @@ describe("SyncController (e2e)", () => {
    it("should accept requests with valid token", () => {
      return request(app.getHttpServer())
        .post("/v1/objects/stat")
-        .set("Authorization", `Bearer ${TEST_TOKEN}`)
+        .set("Authorization", `Bearer ${TEST_SYNC_TOKEN}`)
        .send({ key: "nonexistent-key" })
        .expect(200)
        .expect({ exists: false });
@@ -99,7 +92,7 @@ describe("SyncController (e2e)", () => {
    it("should return exists: false for non-existent key", () => {
      return request(app.getHttpServer())
        .post("/v1/objects/stat")
-        .set("Authorization", `Bearer ${TEST_TOKEN}`)
+        .set("Authorization", `Bearer ${TEST_SYNC_TOKEN}`)
        .send({ key: "does-not-exist" })
        .expect(200)
        .expect({ exists: false });
@@ -110,7 +103,7 @@ describe("SyncController (e2e)", () => {
    it("should return a presigned upload URL", async () => {
      const response = await request(app.getHttpServer())
        .post("/v1/objects/presign-upload")
-        .set("Authorization", `Bearer ${TEST_TOKEN}`)
+        .set("Authorization", `Bearer ${TEST_SYNC_TOKEN}`)
        .send({ key: "test/upload-key.txt", contentType: "text/plain" })
        .expect(200);

@@ -125,7 +118,7 @@ describe("SyncController (e2e)", () => {
    it("should return a presigned download URL", async () => {
      const response = await request(app.getHttpServer())
        .post("/v1/objects/presign-download")
-        .set("Authorization", `Bearer ${TEST_TOKEN}`)
+        .set("Authorization", `Bearer ${TEST_SYNC_TOKEN}`)
        .send({ key: "test/download-key.txt" })
        .expect(200);

@@ -140,7 +133,7 @@ describe("SyncController (e2e)", () => {
    it("should list objects with prefix", async () => {
      const response = await request(app.getHttpServer())
        .post("/v1/objects/list")
-        .set("Authorization", `Bearer ${TEST_TOKEN}`)
+        .set("Authorization", `Bearer ${TEST_SYNC_TOKEN}`)
        .send({ prefix: "profiles/" })
        .expect(200);

@@ -155,7 +148,7 @@ describe("SyncController (e2e)", () => {
    it("should delete object and create tombstone", async () => {
      const response = await request(app.getHttpServer())
        .post("/v1/objects/delete")
-        .set("Authorization", `Bearer ${TEST_TOKEN}`)
+        .set("Authorization", `Bearer ${TEST_SYNC_TOKEN}`)
        .send({
          key: "test/to-delete.txt",
          tombstoneKey: "tombstones/test/to-delete.json",
@@ -176,7 +169,7 @@ describe("SyncController (e2e)", () => {
    it("should complete full upload/download cycle with presigned URLs", async () => {
      const uploadResponse = await request(app.getHttpServer())
        .post("/v1/objects/presign-upload")
-        .set("Authorization", `Bearer ${TEST_TOKEN}`)
+        .set("Authorization", `Bearer ${TEST_SYNC_TOKEN}`)
        .send({ key: testKey, contentType: "text/plain" })
        .expect(200);

@@ -192,7 +185,7 @@ describe("SyncController (e2e)", () => {

      const statResponse = await request(app.getHttpServer())
        .post("/v1/objects/stat")
-        .set("Authorization", `Bearer ${TEST_TOKEN}`)
+        .set("Authorization", `Bearer ${TEST_SYNC_TOKEN}`)
        .send({ key: testKey })
        .expect(200);

@@ -202,7 +195,7 @@ describe("SyncController (e2e)", () => {

      const downloadResponse = await request(app.getHttpServer())
        .post("/v1/objects/presign-download")
-        .set("Authorization", `Bearer ${TEST_TOKEN}`)
+        .set("Authorization", `Bearer ${TEST_SYNC_TOKEN}`)
        .send({ key: testKey })
        .expect(200);

@@ -215,13 +208,13 @@ describe("SyncController (e2e)", () => {

      await request(app.getHttpServer())
        .post("/v1/objects/delete")
-        .set("Authorization", `Bearer ${TEST_TOKEN}`)
+        .set("Authorization", `Bearer ${TEST_SYNC_TOKEN}`)
        .send({ key: testKey })
        .expect(200);

      const finalStatResponse = await request(app.getHttpServer())
        .post("/v1/objects/stat")
-        .set("Authorization", `Bearer ${TEST_TOKEN}`)
+        .set("Authorization", `Bearer ${TEST_SYNC_TOKEN}`)
        .send({ key: testKey })
        .expect(200);

@@ -238,20 +231,28 @@ describe("SyncController (e2e)", () => {
    });

    it("should return SSE stream with valid token", async () => {
-      const response = await request(app.getHttpServer())
-        .get("/v1/objects/subscribe")
-        .set("Authorization", `Bearer ${TEST_TOKEN}`)
-        .set("Accept", "text/event-stream")
-        .buffer(true)
-        .timeout(3000)
-        .catch((err: SSEError) => {
-          if (err.code === "ECONNABORTED" || err.timeout) {
-            return err.response ?? { status: 200 };
-          }
-          throw err;
-        });
+      const address = (
+        app.getHttpServer() as Server
+      ).address() as AddressInfo | null;
+      if (!address || typeof address === "string") {
+        throw new Error("Expected app to be listening on a TCP port");
+      }
+
+      const response = await fetch(
+        `http://127.0.0.1:${address.port}/v1/objects/subscribe`,
+        {
+          headers: {
+            Accept: "text/event-stream",
+            Authorization: `Bearer ${TEST_SYNC_TOKEN}`,
+          },
+        },
+      );

      expect(response.status).toBe(200);
+      expect(response.headers.get("content-type")).toContain(
+        "text/event-stream",
+      );
+      await response.body?.cancel();
    });
  });
 });
@@ -0,0 +1,37 @@
+import { ListBucketsCommand, S3Client } from "@aws-sdk/client-s3";
+
+export const TEST_SYNC_TOKEN = "test-sync-token";
+export const TEST_S3_ENDPOINT = "http://127.0.0.1:8987";
+
+export function configureTestEnv() {
+  process.env.SYNC_TOKEN ||= TEST_SYNC_TOKEN;
+  process.env.S3_ENDPOINT ||= TEST_S3_ENDPOINT;
+  process.env.S3_ACCESS_KEY_ID ||= "minioadmin";
+  process.env.S3_SECRET_ACCESS_KEY ||= "minioadmin";
+  process.env.S3_BUCKET ||= "donut-sync-test";
+  process.env.S3_FORCE_PATH_STYLE ||= "true";
+}
+
+export async function waitForTestS3(timeoutMs = 30_000) {
+  const deadline = Date.now() + timeoutMs;
+  const s3Client = new S3Client({
+    endpoint: TEST_S3_ENDPOINT,
+    region: "us-east-1",
+    credentials: {
+      accessKeyId: "minioadmin",
+      secretAccessKey: "minioadmin",
+    },
+    forcePathStyle: true,
+  });
+
+  while (Date.now() < deadline) {
+    try {
+      await s3Client.send(new ListBucketsCommand({}));
+      return;
+    } catch {}
+
+    await new Promise((resolve) => setTimeout(resolve, 500));
+  }
+
+  throw new Error(`Timed out waiting for S3 at ${TEST_S3_ENDPOINT}`);
+}
@@ -0,0 +1,6 @@
+{
+  "extends": "../tsconfig.json",
+  "compilerOptions": {
+    "rootDir": ".."
+  }
+}
@@ -1,4 +1,7 @@
 {
  "extends": "./tsconfig.json",
+  "compilerOptions": {
+    "rootDir": "./src"
+  },
  "exclude": ["node_modules", "test", "dist", "**/*spec.ts"]
 }
@@ -13,10 +13,11 @@
    "target": "ES2023",
    "sourceMap": true,
    "outDir": "./dist",
-    "baseUrl": "./",
    "incremental": true,
    "skipLibCheck": true,
    "strictNullChecks": true,
+    "strictPropertyInitialization": false,
+    "types": ["jest", "node"],
    "forceConsistentCasingInFileNames": true,
    "noImplicitAny": false,
    "strictBindCallApply": false,
@@ -94,17 +94,17 @@
        pkgConfigPath = lib.makeSearchPath "lib/pkgconfig" (
          pkgConfigLibs ++ map lib.getDev pkgConfigLibs
        );
-        releaseVersion = "0.17.6";
+        releaseVersion = "0.20.4";
        releaseAppImage =
          if system == "x86_64-linux" then
            pkgs.fetchurl {
-              url = "https://github.com/zhom/donutbrowser/releases/download/v${releaseVersion}/Donut_0.17.6_amd64.AppImage";
-              hash = "sha256-Bmqmb0zgaC02DKC9gcyI/St9wfwFWTEoYybOb1LXiS0=";
+              url = "https://github.com/zhom/donutbrowser/releases/download/v0.20.4/Donut_0.20.4_amd64.AppImage";
+              hash = "sha256-Ag+MmIc2VqTpbUpd1MPq0DPn+npzguE9pp3Hq4RQERM=";
            }
          else if system == "aarch64-linux" then
            pkgs.fetchurl {
-              url = "https://github.com/zhom/donutbrowser/releases/download/v${releaseVersion}/Donut_0.17.6_aarch64.AppImage";
-              hash = "sha256-FOV0PlYw59gY1QSoFrUcixtUcnFt27EYAzZE/KNQUrM=";
+              url = "https://github.com/zhom/donutbrowser/releases/download/v0.20.4/Donut_0.20.4_aarch64.AppImage";
+              hash = "sha256-pYDaN445X2g7gNVTzbdie8Mv4V1vi3bREvRRBqZ50qA=";
            }
          else
            null;
@@ -1,6 +1,6 @@
 /// <reference types="next" />
 /// <reference types="next/image-types/global" />
-import "./.next/types/routes.d.ts";
+import "./dist/dev/types/routes.d.ts";

 // NOTE: This file should not be edited
 // see https://nextjs.org/docs/app/api-reference/config/typescript for more information.
@@ -2,15 +2,16 @@
  "name": "donutbrowser",
  "private": true,
  "license": "AGPL-3.0",
-  "version": "0.18.0",
+  "version": "0.20.4",
  "type": "module",
  "scripts": {
    "dev": "next dev --turbopack -p 12341",
    "build": "next build",
    "start": "next start",
-    "test": "pnpm test:rust:unit && pnpm test:sync-e2e",
+    "test": "pnpm test:rust:unit && pnpm test:openvpn-e2e && pnpm test:sync-e2e",
+    "test:openvpn-e2e": "node scripts/openvpn-test-harness.mjs",
    "test:rust": "cd src-tauri && cargo test",
-    "test:rust:unit": "cd src-tauri && cargo test --lib && cargo test --test donut_proxy_integration",
+    "test:rust:unit": "cd src-tauri && cargo test --lib && cargo test --test donut_proxy_integration && cargo test --test vpn_integration",
    "test:sync-e2e": "node scripts/sync-test-harness.mjs",
    "lint": "pnpm lint:js && pnpm lint:rust && pnpm lint:spell",
    "lint:js": "biome check src/ && tsc --noEmit && cd donut-sync && biome check src/ && tsc --noEmit",
@@ -47,8 +48,8 @@
    "@tanstack/react-table": "^8.21.3",
    "@tauri-apps/api": "~2.10.1",
    "@tauri-apps/plugin-deep-link": "^2.4.7",
-    "@tauri-apps/plugin-dialog": "^2.6.0",
-    "@tauri-apps/plugin-fs": "~2.4.5",
+    "@tauri-apps/plugin-dialog": "^2.7.0",
+    "@tauri-apps/plugin-fs": "~2.5.0",
    "@tauri-apps/plugin-log": "^2.8.0",
    "@tauri-apps/plugin-opener": "^2.5.3",
    "ahooks": "^3.9.7",
@@ -57,27 +58,27 @@
    "cmdk": "^1.1.1",
    "color": "^5.0.3",
    "flag-icons": "^7.5.0",
-    "i18next": "^25.10.5",
-    "lucide-react": "^0.577.0",
+    "i18next": "^26.0.3",
+    "lucide-react": "^1.7.0",
    "motion": "^12.38.0",
-    "next": "^16.2.1",
+    "next": "^16.2.3",
    "next-themes": "^0.4.6",
    "radix-ui": "^1.4.3",
    "react": "^19.2.4",
    "react-dom": "^19.2.4",
-    "react-i18next": "^16.6.2",
+    "react-i18next": "^17.0.2",
    "react-icons": "^5.6.0",
-    "recharts": "3.8.0",
+    "recharts": "3.8.1",
    "sonner": "^2.0.7",
    "tailwind-merge": "^3.5.0",
    "tauri-plugin-macos-permissions-api": "^2.3.0"
  },
  "devDependencies": {
-    "@biomejs/biome": "2.4.8",
+    "@biomejs/biome": "2.4.10",
    "@tailwindcss/postcss": "^4.2.2",
    "@tauri-apps/cli": "~2.10.1",
    "@types/color": "^4.2.1",
-    "@types/node": "^25.5.0",
+    "@types/node": "^25.5.2",
    "@types/react": "^19.2.14",
    "@types/react-dom": "^19.2.3",
    "@vitejs/plugin-react": "^6.0.1",
@@ -86,9 +87,15 @@
    "tailwindcss": "^4.2.2",
    "ts-unused-exports": "^11.0.1",
    "tw-animate-css": "^1.4.0",
-    "typescript": "~5.9.3"
+    "typescript": "~6.0.2"
  },
-  "packageManager": "pnpm@10.30.1",
+  "pnpm": {
+    "overrides": {
+      "picomatch@>=4.0.0 <4.0.4": ">=4.0.4",
+      "path-to-regexp@>=8.0.0 <8.4.0": ">=8.4.0"
+    }
+  },
+  "packageManager": "pnpm@10.33.0",
  "lint-staged": {
    "**/*.{js,jsx,ts,tsx,json,css}": [
      "biome check --fix"
@@ -81,7 +81,7 @@ echo -e "${YELLOW}Waiting for MinIO to be healthy...${NC}"
 MAX_RETRIES=30
 RETRY_COUNT=0
 while [ $RETRY_COUNT -lt $MAX_RETRIES ]; do
-  if curl -sf http://localhost:8987/minio/health/live > /dev/null 2>&1; then
+  if curl -sf http://127.0.0.1:8987/minio/health/live > /dev/null 2>&1; then
    echo -e "${GREEN}MinIO is ready!${NC}"
    break
  fi
@@ -0,0 +1,161 @@
+#!/usr/bin/env node
+/**
+ * OpenVPN E2E Test Harness
+ *
+ * This script:
+ * 1. Skips unless explicitly enabled via DONUTBROWSER_RUN_OPENVPN_E2E=1
+ * 2. Builds the Rust vpn_integration test binary without running it
+ * 3. Runs the OpenVPN e2e test binary under sudo
+ *
+ * Usage: DONUTBROWSER_RUN_OPENVPN_E2E=1 node scripts/openvpn-test-harness.mjs
+ */
+
+import { spawn } from "child_process";
+import path from "path";
+import { fileURLToPath } from "url";
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const ROOT_DIR = path.resolve(__dirname, "..");
+const SRC_TAURI_DIR = path.join(ROOT_DIR, "src-tauri");
+const TEST_NAME = "test_openvpn_traffic_flows_through_donut_proxy";
+
+function log(message) {
+  console.log(`[openvpn-harness] ${message}`);
+}
+
+function error(message) {
+  console.error(`[openvpn-harness] ERROR: ${message}`);
+}
+
+function shouldRun() {
+  if (process.env.DONUTBROWSER_RUN_OPENVPN_E2E !== "1") {
+    log("Skipping OpenVPN e2e test because DONUTBROWSER_RUN_OPENVPN_E2E is not set");
+    return false;
+  }
+
+  if (process.platform !== "linux") {
+    log(`Skipping OpenVPN e2e test on unsupported platform: ${process.platform}`);
+    return false;
+  }
+
+  return true;
+}
+
+async function buildTestBinary() {
+  log("Building OpenVPN e2e test binary...");
+
+  return new Promise((resolve, reject) => {
+    let executablePath = "";
+    let stdoutBuffer = "";
+
+    const proc = spawn(
+      "cargo",
+      [
+        "test",
+        "--test",
+        "vpn_integration",
+        TEST_NAME,
+        "--no-run",
+        "--message-format=json",
+      ],
+      {
+        cwd: SRC_TAURI_DIR,
+        env: process.env,
+        stdio: ["ignore", "pipe", "pipe"],
+      }
+    );
+
+    const parseBuffer = (flush = false) => {
+      const lines = stdoutBuffer.split("\n");
+      const completeLines = flush ? lines : lines.slice(0, -1);
+      stdoutBuffer = flush ? "" : lines.at(-1) ?? "";
+
+      for (const line of completeLines.filter(Boolean)) {
+        try {
+          const message = JSON.parse(line);
+          if (message.reason === "compiler-artifact" && message.executable) {
+            executablePath = message.executable;
+          }
+        } catch {
+          // Ignore non-JSON lines.
+        }
+      }
+    };
+
+    proc.stdout.on("data", (data) => {
+      stdoutBuffer += data.toString();
+      parseBuffer();
+    });
+
+    proc.stderr.on("data", (data) => {
+      process.stderr.write(data);
+    });
+
+    proc.on("error", (err) => {
+      reject(err);
+    });
+
+    proc.on("close", (code) => {
+      parseBuffer(true);
+
+      if (code !== 0) {
+        reject(new Error(`cargo test --no-run exited with code ${code}`));
+        return;
+      }
+
+      if (!executablePath) {
+        reject(new Error("Could not determine the vpn_integration test binary path"));
+        return;
+      }
+
+      resolve(path.isAbsolute(executablePath) ? executablePath : path.resolve(SRC_TAURI_DIR, executablePath));
+    });
+  });
+}
+
+async function runOpenVpnE2e(executablePath) {
+  log("Running OpenVPN e2e test under sudo...");
+
+  return new Promise((resolve, reject) => {
+    const proc = spawn(
+      "sudo",
+      [
+        "--preserve-env=CI,GITHUB_ACTIONS,VPN_TEST_OVPN_HOST,VPN_TEST_OVPN_PORT,DONUTBROWSER_RUN_OPENVPN_E2E",
+        executablePath,
+        TEST_NAME,
+        "--exact",
+        "--nocapture",
+      ],
+      {
+        cwd: SRC_TAURI_DIR,
+        env: process.env,
+        stdio: "inherit",
+      }
+    );
+
+    proc.on("error", (err) => {
+      reject(err);
+    });
+
+    proc.on("close", (code) => {
+      resolve(code ?? 1);
+    });
+  });
+}
+
+async function main() {
+  if (!shouldRun()) {
+    process.exit(0);
+  }
+
+  try {
+    const executablePath = await buildTestBinary();
+    const exitCode = await runOpenVpnE2e(executablePath);
+    process.exit(exitCode);
+  } catch (err) {
+    error(err instanceof Error ? err.message : String(err));
+    process.exit(1);
+  }
+}
+
+main();
@@ -0,0 +1,240 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+WORK_DIR="$(mktemp -d)"
+trap 'rm -rf "$WORK_DIR"' EXIT
+
+GITHUB_REPO="zhom/donutbrowser"
+
+# Load .env if running locally
+if [[ -f "$REPO_ROOT/.env" ]]; then
+  set -a
+  # shellcheck disable=SC1091
+  source "$REPO_ROOT/.env"
+  set +a
+fi
+
+# Validate required env vars
+for var in R2_ACCESS_KEY_ID R2_SECRET_ACCESS_KEY R2_ENDPOINT_URL R2_BUCKET_NAME; do
+  if [[ -z "${!var:-}" ]]; then
+    echo "Error: $var is not set. Configure it in .env or export it."
+    exit 1
+  fi
+done
+
+# Export for AWS CLI
+export AWS_ACCESS_KEY_ID="$R2_ACCESS_KEY_ID"
+export AWS_SECRET_ACCESS_KEY="$R2_SECRET_ACCESS_KEY"
+export AWS_DEFAULT_REGION="auto"
+# aws-cli v2.23+ sends integrity checksums by default; R2 rejects them
+# with `Unauthorized` on ListObjectsV2. Disable.
+export AWS_REQUEST_CHECKSUM_CALCULATION="WHEN_REQUIRED"
+export AWS_RESPONSE_CHECKSUM_VALIDATION="WHEN_REQUIRED"
+
+# Ensure endpoint URL has https:// prefix
+R2_ENDPOINT="$R2_ENDPOINT_URL"
+if [[ "$R2_ENDPOINT" != https://* ]]; then
+  R2_ENDPOINT="https://$R2_ENDPOINT"
+fi
+
+# Determine version tag
+if [[ $# -ge 1 ]]; then
+  TAG="$1"
+else
+  echo "Fetching latest release tag..."
+  TAG=$(gh release view --repo "$GITHUB_REPO" --json tagName -q .tagName)
+  echo "Latest release: $TAG"
+fi
+
+VERSION="${TAG#v}"
+echo "Publishing repositories for version $VERSION"
+
+# Check required tools
+for cmd in aws gh dpkg-scanpackages gzip createrepo_c; do
+  if ! command -v "$cmd" &>/dev/null; then
+    echo "Error: $cmd is not installed."
+    case "$cmd" in
+      dpkg-scanpackages) echo "  Install with: sudo apt-get install dpkg-dev" ;;
+      createrepo_c) echo "  Install with: sudo apt-get install createrepo-c" ;;
+      aws) echo "  Install with: pip install awscli" ;;
+      gh) echo "  Install with: https://cli.github.com/" ;;
+    esac
+    exit 1
+  fi
+done
+
+PACKAGES_DIR="$WORK_DIR/packages"
+REPO_DIR="$WORK_DIR/repo"
+mkdir -p "$PACKAGES_DIR" "$REPO_DIR"
+
+# ---------------------------------------------------------------------------
+# Download .deb and .rpm from GitHub release
+# ---------------------------------------------------------------------------
+echo ""
+echo "==> Downloading packages from GitHub release $TAG..."
+gh release download "$TAG" \
+  --repo "$GITHUB_REPO" \
+  --pattern "*.deb" \
+  --dir "$PACKAGES_DIR"
+gh release download "$TAG" \
+  --repo "$GITHUB_REPO" \
+  --pattern "*.rpm" \
+  --dir "$PACKAGES_DIR"
+
+echo "Downloaded:"
+ls -lh "$PACKAGES_DIR/"
+
+# ---------------------------------------------------------------------------
+# DEB repository
+# ---------------------------------------------------------------------------
+echo ""
+echo "==> Building DEB repository..."
+
+DEB_DIR="$REPO_DIR/deb"
+mkdir -p "$DEB_DIR/pool/main"
+mkdir -p "$DEB_DIR/dists/stable/main/binary-amd64"
+mkdir -p "$DEB_DIR/dists/stable/main/binary-arm64"
+
+# Pull existing pool from R2 (incremental)
+echo "  Syncing existing DEB pool from R2..."
+aws s3 sync "s3://${R2_BUCKET_NAME}/deb/pool" "$DEB_DIR/pool" \
+  --endpoint-url "$R2_ENDPOINT" 2>/dev/null || true
+
+# Copy new .deb files into pool
+for deb in "$PACKAGES_DIR"/*.deb; do
+  [[ -f "$deb" ]] || continue
+  cp "$deb" "$DEB_DIR/pool/main/"
+done
+
+# Generate Packages and Packages.gz for each arch
+for arch in amd64 arm64; do
+  echo "  Generating Packages for $arch..."
+  BINARY_DIR="$DEB_DIR/dists/stable/main/binary-${arch}"
+
+  # dpkg-scanpackages needs to run from the repo root
+  # and needs paths relative to that root
+  (cd "$DEB_DIR" && dpkg-scanpackages --arch "$arch" pool/main) \
+    > "$BINARY_DIR/Packages"
+
+  gzip -9c "$BINARY_DIR/Packages" > "$BINARY_DIR/Packages.gz"
+
+  echo "    $(grep -c '^Package:' "$BINARY_DIR/Packages" 2>/dev/null || echo 0) package(s)"
+done
+
+# Generate Release file
+echo "  Generating Release file..."
+{
+  echo "Origin: Donut Browser"
+  echo "Label: Donut Browser"
+  echo "Suite: stable"
+  echo "Codename: stable"
+  echo "Architectures: amd64 arm64"
+  echo "Components: main"
+  echo "Date: $(date -u '+%a, %d %b %Y %H:%M:%S UTC')"
+  echo "MD5Sum:"
+  for arch in amd64 arm64; do
+    for file in "main/binary-${arch}/Packages" "main/binary-${arch}/Packages.gz"; do
+      filepath="$DEB_DIR/dists/stable/$file"
+      if [[ -f "$filepath" ]]; then
+        size=$(wc -c < "$filepath")
+        md5=$(md5sum "$filepath" | awk '{print $1}')
+        printf " %s %8d %s\n" "$md5" "$size" "$file"
+      fi
+    done
+  done
+  echo "SHA256:"
+  for arch in amd64 arm64; do
+    for file in "main/binary-${arch}/Packages" "main/binary-${arch}/Packages.gz"; do
+      filepath="$DEB_DIR/dists/stable/$file"
+      if [[ -f "$filepath" ]]; then
+        size=$(wc -c < "$filepath")
+        sha256=$(sha256sum "$filepath" | awk '{print $1}')
+        printf " %s %8d %s\n" "$sha256" "$size" "$file"
+      fi
+    done
+  done
+} > "$DEB_DIR/dists/stable/Release"
+
+echo "  DEB Release file created."
+
+# ---------------------------------------------------------------------------
+# RPM repository
+# ---------------------------------------------------------------------------
+echo ""
+echo "==> Building RPM repository..."
+
+RPM_DIR="$REPO_DIR/rpm"
+mkdir -p "$RPM_DIR/x86_64"
+mkdir -p "$RPM_DIR/aarch64"
+
+# Pull existing RPMs from R2 (incremental)
+echo "  Syncing existing RPM packages from R2..."
+aws s3 sync "s3://${R2_BUCKET_NAME}/rpm/x86_64" "$RPM_DIR/x86_64" \
+  --endpoint-url "$R2_ENDPOINT" --exclude "repodata/*" 2>/dev/null || true
+aws s3 sync "s3://${R2_BUCKET_NAME}/rpm/aarch64" "$RPM_DIR/aarch64" \
+  --endpoint-url "$R2_ENDPOINT" --exclude "repodata/*" 2>/dev/null || true
+
+# Copy new .rpm files into arch directories
+for rpm in "$PACKAGES_DIR"/*.rpm; do
+  [[ -f "$rpm" ]] || continue
+  filename=$(basename "$rpm")
+  if [[ "$filename" == *x86_64* ]]; then
+    cp "$rpm" "$RPM_DIR/x86_64/"
+  elif [[ "$filename" == *aarch64* ]]; then
+    cp "$rpm" "$RPM_DIR/aarch64/"
+  fi
+done
+
+# Generate repodata using createrepo_c
+# We point createrepo_c at the top-level rpm dir so it indexes all subdirs
+echo "  Generating RPM repodata..."
+createrepo_c --update "$RPM_DIR"
+
+echo "  RPM repodata created."
+
+# ---------------------------------------------------------------------------
+# Upload to R2
+# ---------------------------------------------------------------------------
+echo ""
+echo "==> Uploading DEB repository to R2..."
+aws s3 sync "$DEB_DIR/dists" "s3://${R2_BUCKET_NAME}/deb/dists" \
+  --endpoint-url "$R2_ENDPOINT" --delete
+aws s3 sync "$DEB_DIR/pool" "s3://${R2_BUCKET_NAME}/deb/pool" \
+  --endpoint-url "$R2_ENDPOINT"
+
+echo "==> Uploading RPM repository to R2..."
+aws s3 sync "$RPM_DIR" "s3://${R2_BUCKET_NAME}/rpm" \
+  --endpoint-url "$R2_ENDPOINT"
+
+# ---------------------------------------------------------------------------
+# Verify
+# ---------------------------------------------------------------------------
+echo ""
+echo "==> Verifying upload..."
+echo "DEB dists/stable/:"
+aws s3 ls "s3://${R2_BUCKET_NAME}/deb/dists/stable/" \
+  --endpoint-url "$R2_ENDPOINT" 2>/dev/null || echo "  (empty or not accessible)"
+echo "DEB pool/main/:"
+aws s3 ls "s3://${R2_BUCKET_NAME}/deb/pool/main/" \
+  --endpoint-url "$R2_ENDPOINT" 2>/dev/null || echo "  (empty or not accessible)"
+echo "RPM repodata/:"
+aws s3 ls "s3://${R2_BUCKET_NAME}/rpm/repodata/" \
+  --endpoint-url "$R2_ENDPOINT" 2>/dev/null || echo "  (empty or not accessible)"
+
+echo ""
+echo "Done! Repository published for $TAG"
+echo ""
+echo "Users can add the DEB repo with:"
+echo "  echo 'deb [trusted=yes] https://repo.donutbrowser.com/deb stable main' | sudo tee /etc/apt/sources.list.d/donutbrowser.list"
+echo "  sudo apt update && sudo apt install donut"
+echo ""
+echo "Users can add the RPM repo with:"
+echo "  sudo tee /etc/yum.repos.d/donutbrowser.repo << 'EOF'"
+echo "  [donutbrowser]"
+echo "  name=Donut Browser"
+echo "  baseurl=https://repo.donutbrowser.com/rpm"
+echo "  enabled=1"
+echo "  gpgcheck=0"
+echo "  EOF"
+echo "  sudo dnf install Donut"
@@ -1,6 +1,6 @@
 [package]
 name = "donutbrowser"
-version = "0.18.0"
+version = "0.20.4"
 description = "Simple Yet Powerful Anti-Detect Browser"
 authors = ["zhom@github"]
 edition = "2021"
@@ -64,7 +64,7 @@ flate2 = "1"
 lzma-rs = "0"
 msi-extract = "0"

-uuid = { version = "1.20", features = ["v4", "serde"] }
+uuid = { version = "1.23", features = ["v4", "serde"] }
 url = "2.5"
 blake3 = "1"
 globset = "0.4"
@@ -81,10 +81,11 @@ utoipa = { version = "5", features = ["axum_extras", "chrono"] }
 utoipa-axum = "0.2"
 argon2 = "0.5"
 aes-gcm = "0.10"
-aes = "0.8"
-cbc = "0.1"
-pbkdf2 = "0.12"
-sha1 = "0.10"
+aes = "0.9"
+cbc = "0.2"
+ring = "0.17"
+sha2 = "0.11"
+shadowsocks = { version = "1.24", default-features = false, features = ["aead-cipher"] }
 hyper = { version = "1.8", features = ["full"] }
 hyper-util = { version = "0.1", features = ["full"] }
 http-body-util = "0.1"
@@ -109,9 +110,9 @@ boringtun = "0.7"
 smoltcp = { version = "0.13", default-features = false, features = ["std", "medium-ip", "proto-ipv4", "proto-ipv6", "socket-tcp", "socket-udp"] }

 # Daemon dependencies (tray icon)
-tray-icon = "0.21"
+tray-icon = "0.22"
 muda = "0.17"
-tao = "0.34"
+tao = "0.35"
 image = "0.25"
 dirs = "6"
 crossbeam-channel = "0.5"
@@ -31,6 +31,7 @@ pub struct ApiProfile {
  pub browser: String,
  pub version: String,
  pub proxy_id: Option<String>,
+  pub launch_hook: Option<String>,
  pub process_id: Option<u32>,
  pub last_launch: Option<u64>,
  pub release_type: String,
@@ -59,6 +60,7 @@ pub struct CreateProfileRequest {
  pub browser: String,
  pub version: String,
  pub proxy_id: Option<String>,
+  pub launch_hook: Option<String>,
  pub release_type: Option<String>,
  #[schema(value_type = Object)]
  pub camoufox_config: Option<serde_json::Value>,
@@ -74,6 +76,7 @@ pub struct UpdateProfileRequest {
  pub browser: Option<String>,
  pub version: Option<String>,
  pub proxy_id: Option<String>,
+  pub launch_hook: Option<String>,
  pub release_type: Option<String>,
  #[schema(value_type = Object)]
  pub camoufox_config: Option<serde_json::Value>,
@@ -111,17 +114,13 @@ struct ApiProxyResponse {
  name: String,
  #[schema(value_type = Object)]
  proxy_settings: ProxySettings,
-  dynamic_proxy_url: Option<String>,
-  dynamic_proxy_format: Option<String>,
 }

 #[derive(Debug, Deserialize, ToSchema)]
 struct CreateProxyRequest {
  name: String,
  #[schema(value_type = Object)]
-  proxy_settings: Option<ProxySettings>,
-  dynamic_proxy_url: Option<String>,
-  dynamic_proxy_format: Option<String>,
+  proxy_settings: ProxySettings,
 }

 #[derive(Debug, Deserialize, ToSchema)]
@@ -129,8 +128,6 @@ struct UpdateProxyRequest {
  name: Option<String>,
  #[schema(value_type = Object)]
  proxy_settings: Option<ProxySettings>,
-  dynamic_proxy_url: Option<String>,
-  dynamic_proxy_format: Option<String>,
 }

 #[derive(Debug, Deserialize, ToSchema)]
@@ -486,6 +483,7 @@ async fn get_profiles() -> Result<Json<ApiProfilesResponse>, StatusCode> {
          browser: profile.browser.clone(),
          version: profile.version.clone(),
          proxy_id: profile.proxy_id.clone(),
+          launch_hook: profile.launch_hook.clone(),
          process_id: profile.process_id,
          last_launch: profile.last_launch,
          release_type: profile.release_type.clone(),
@@ -541,6 +539,7 @@ async fn get_profile(
            browser: profile.browser.clone(),
            version: profile.version.clone(),
            proxy_id: profile.proxy_id.clone(),
+            launch_hook: profile.launch_hook.clone(),
            process_id: profile.process_id,
            last_launch: profile.last_launch,
            release_type: profile.release_type.clone(),
@@ -611,6 +610,8 @@ async fn create_profile(
      wayfern_config,
      request.group_id.clone(),
      false,
+      None,
+      request.launch_hook.clone(),
    )
    .await
  {
@@ -640,6 +641,7 @@ async fn create_profile(
          browser: profile.browser,
          version: profile.version,
          proxy_id: profile.proxy_id,
+          launch_hook: profile.launch_hook,
          process_id: profile.process_id,
          last_launch: profile.last_launch,
          release_type: profile.release_type,
@@ -713,6 +715,21 @@ async fn update_profile(
    }
  }

+  if let Some(launch_hook) = request.launch_hook {
+    let normalized = if launch_hook.trim().is_empty() {
+      None
+    } else {
+      Some(launch_hook)
+    };
+
+    if profile_manager
+      .update_profile_launch_hook(&state.app_handle, &id, normalized)
+      .is_err()
+    {
+      return Err(StatusCode::BAD_REQUEST);
+    }
+  }
+
  if let Some(camoufox_config) = request.camoufox_config {
    let config: Result<CamoufoxConfig, _> = serde_json::from_value(camoufox_config);
    match config {
@@ -1034,8 +1051,6 @@ async fn get_proxies(
      .map(|p| ApiProxyResponse {
        id: p.id,
        name: p.name,
-        dynamic_proxy_url: p.dynamic_proxy_url,
-        dynamic_proxy_format: p.dynamic_proxy_format,
        proxy_settings: p.proxy_settings,
      })
      .collect(),
@@ -1069,8 +1084,6 @@ async fn get_proxy(
      id: proxy.id,
      name: proxy.name,
      proxy_settings: proxy.proxy_settings,
-      dynamic_proxy_url: proxy.dynamic_proxy_url,
-      dynamic_proxy_format: proxy.dynamic_proxy_format,
    }))
  } else {
    Err(StatusCode::NOT_FOUND)
@@ -1096,27 +1109,16 @@ async fn create_proxy(
  State(state): State<ApiServerState>,
  Json(request): Json<CreateProxyRequest>,
 ) -> Result<Json<ApiProxyResponse>, StatusCode> {
-  let result = if let (Some(url), Some(format)) =
-    (&request.dynamic_proxy_url, &request.dynamic_proxy_format)
-  {
-    PROXY_MANAGER.create_dynamic_proxy(
-      &state.app_handle,
-      request.name.clone(),
-      url.clone(),
-      format.clone(),
-    )
-  } else if let Some(settings) = request.proxy_settings {
-    PROXY_MANAGER.create_stored_proxy(&state.app_handle, request.name.clone(), settings)
-  } else {
-    return Err(StatusCode::BAD_REQUEST);
-  };
+  let result = PROXY_MANAGER.create_stored_proxy(
+    &state.app_handle,
+    request.name.clone(),
+    request.proxy_settings,
+  );

  match result {
    Ok(proxy) => Ok(Json(ApiProxyResponse {
      id: proxy.id,
      name: proxy.name,
-      dynamic_proxy_url: proxy.dynamic_proxy_url,
-      dynamic_proxy_format: proxy.dynamic_proxy_format,
      proxy_settings: proxy.proxy_settings,
    })),
    Err(_) => Err(StatusCode::BAD_REQUEST),
@@ -1147,26 +1149,13 @@ async fn update_proxy(
  State(state): State<ApiServerState>,
  Json(request): Json<UpdateProxyRequest>,
 ) -> Result<Json<ApiProxyResponse>, StatusCode> {
-  let is_dynamic = PROXY_MANAGER.is_dynamic_proxy(&id) || request.dynamic_proxy_url.is_some();
-
-  let result = if is_dynamic {
-    PROXY_MANAGER.update_dynamic_proxy(
-      &state.app_handle,
-      &id,
-      request.name,
-      request.dynamic_proxy_url,
-      request.dynamic_proxy_format,
-    )
-  } else {
-    PROXY_MANAGER.update_stored_proxy(&state.app_handle, &id, request.name, request.proxy_settings)
-  };
+  let result =
+    PROXY_MANAGER.update_stored_proxy(&state.app_handle, &id, request.name, request.proxy_settings);

  match result {
    Ok(proxy) => Ok(Json(ApiProxyResponse {
      id: proxy.id,
      name: proxy.name,
-      dynamic_proxy_url: proxy.dynamic_proxy_url,
-      dynamic_proxy_format: proxy.dynamic_proxy_format,
      proxy_settings: proxy.proxy_settings,
    })),
    Err(_) => Err(StatusCode::NOT_FOUND),
@@ -109,6 +109,8 @@ pub struct AppUpdateInfo {
  pub published_at: String,
  pub manual_update_required: bool,
  pub release_page_url: Option<String>,
+  /// True when a system package manager repo is configured (apt/dnf/zypper)
+  pub repo_update: bool,
 }

 pub struct AppAutoUpdater {
@@ -212,11 +214,12 @@ impl AppAutoUpdater {
      // Find the appropriate asset for current platform
      let download_url = self.get_download_url_for_platform(&latest_release.assets);

-      // On Linux, we show the update notification even if auto-update is disabled
-      // Users can manually download from the release page
+      // On Linux, when a package repo is configured, notify users to update via
+      // their package manager instead of auto-downloading from GitHub.
      #[cfg(target_os = "linux")]
      {
-        let manual_update_required = download_url.is_none();
+        let repo_update = self.is_repo_configured();
+        let manual_update_required = download_url.is_none() || repo_update;
        let update_info = AppUpdateInfo {
          current_version,
          new_version: latest_release.tag_name.clone(),
@@ -226,13 +229,15 @@ impl AppAutoUpdater {
          published_at: latest_release.published_at.clone(),
          manual_update_required,
          release_page_url: Some(release_page_url),
+          repo_update,
        };

        log::info!(
-          "Update info prepared: {} -> {} (manual_update_required: {})",
+          "Update info prepared: {} -> {} (manual_update_required: {}, repo_update: {})",
          update_info.current_version,
          update_info.new_version,
-          update_info.manual_update_required
+          update_info.manual_update_required,
+          update_info.repo_update
        );
        return Ok(Some(update_info));
      }
@@ -249,6 +254,7 @@ impl AppAutoUpdater {
            published_at: latest_release.published_at.clone(),
            manual_update_required: false,
            release_page_url: Some(release_page_url),
+            repo_update: false,
          };

          log::info!(
@@ -455,6 +461,30 @@ impl AppAutoUpdater {
    LinuxInstallationMethod::Unknown
  }

+  /// Check if the APT repository is configured
+  #[cfg(target_os = "linux")]
+  fn is_deb_repo_configured() -> bool {
+    Path::new("/etc/apt/sources.list.d/donutbrowser.list").exists()
+  }
+
+  /// Check if an RPM repository is configured (yum/dnf or zypper)
+  #[cfg(target_os = "linux")]
+  fn is_rpm_repo_configured() -> bool {
+    Path::new("/etc/yum.repos.d/donutbrowser.repo").exists()
+      || Path::new("/etc/zypp/repos.d/donutbrowser.repo").exists()
+  }
+
+  /// Check if a system package manager repo is configured for this installation.
+  #[cfg(target_os = "linux")]
+  fn is_repo_configured(&self) -> bool {
+    let installation_method = self.detect_linux_installation_method();
+    match installation_method {
+      LinuxInstallationMethod::Deb => Self::is_deb_repo_configured(),
+      LinuxInstallationMethod::Rpm => Self::is_rpm_repo_configured(),
+      _ => false,
+    }
+  }
+
  /// Get the appropriate download URL for the current platform
  fn get_download_url_for_platform(&self, assets: &[AppReleaseAsset]) -> Option<String> {
    let arch = if cfg!(target_arch = "aarch64") {
@@ -958,6 +988,10 @@ impl AppAutoUpdater {
            &format!("{}.log", installer_path.to_str().unwrap()),
          ]);

+          use std::os::windows::process::CommandExt;
+          const CREATE_NO_WINDOW: u32 = 0x08000000;
+          cmd.creation_flags(CREATE_NO_WINDOW);
+
          let output = cmd.output()?;

          if !output.status.success() {
@@ -1148,41 +1182,7 @@ impl AppAutoUpdater {
    deb_path: &Path,
  ) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
    log::info!("Installing DEB package: {}", deb_path.display());
-
-    // Try different package managers in order of preference
-    let package_managers = [
-      ("dpkg", vec!["-i", deb_path.to_str().unwrap()]),
-      ("apt", vec!["install", "-y", deb_path.to_str().unwrap()]),
-    ];
-
-    let mut last_error = String::new();
-
-    for (manager, args) in &package_managers {
-      // Check if package manager exists
-      if Command::new("which").arg(manager).output().is_ok() {
-        log::info!("Trying to install with {manager}");
-
-        let output = Command::new("pkexec").arg(manager).args(args).output();
-
-        match output {
-          Ok(output) if output.status.success() => {
-            log::info!("DEB installation completed successfully with {manager}");
-            return Ok(());
-          }
-          Ok(output) => {
-            let error_msg = String::from_utf8_lossy(&output.stderr);
-            last_error = format!("{manager} failed: {error_msg}");
-            log::info!("Installation failed with {manager}: {error_msg}");
-          }
-          Err(e) => {
-            last_error = format!("Failed to execute {manager}: {e}");
-            log::info!("Failed to execute {manager}: {e}");
-          }
-        }
-      }
-    }
-
-    Err(format!("DEB installation failed. Last error: {last_error}").into())
+    Self::install_linux_package_with_privileges(deb_path, "dpkg", "-i")
  }

  /// Install Linux RPM package
@@ -1192,43 +1192,121 @@ impl AppAutoUpdater {
    rpm_path: &Path,
  ) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
    log::info!("Installing RPM package: {}", rpm_path.display());
+    Self::install_linux_package_with_privileges(rpm_path, "rpm", "-Uvh")
+  }

-    // Try different package managers in order of preference
-    let package_managers = [
-      ("rpm", vec!["-Uvh", rpm_path.to_str().unwrap()]),
-      ("dnf", vec!["install", "-y", rpm_path.to_str().unwrap()]),
-      ("yum", vec!["install", "-y", rpm_path.to_str().unwrap()]),
-      ("zypper", vec!["install", "-y", rpm_path.to_str().unwrap()]),
-    ];
+  /// Install a Linux package with privilege escalation, using a fallback chain:
+  /// 1. pkexec (graphical PolicyKit prompt — most common on desktop Linux)
+  /// 2. zenity/kdialog password dialog → sudo -S (graphical sudo experience)
+  /// 3. sudo (terminal fallback — works in TTY sessions)
+  #[cfg(target_os = "linux")]
+  fn install_linux_package_with_privileges(
+    pkg_path: &Path,
+    install_cmd: &str,
+    install_arg: &str,
+  ) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
+    let pkg = pkg_path.to_str().unwrap_or_default();

-    let mut last_error = String::new();
+    // 1. Try pkexec (graphical PolicyKit prompt)
+    if let Ok(status) = Command::new("pkexec")
+      .args([install_cmd, install_arg, pkg])
+      .status()
+    {
+      if status.success() {
+        log::info!("Installed {pkg} with pkexec");
+        return Ok(());
+      }
+    }

-    for (manager, args) in &package_managers {
-      // Check if package manager exists
-      if Command::new("which").arg(manager).output().is_ok() {
-        log::info!("Trying to install with {manager}");
+    // 2. Try graphical password dialog → sudo -S
+    if let Some(password) = Self::get_password_graphically() {
+      if Self::install_with_sudo_stdin(pkg_path, &password, install_cmd, install_arg) {
+        log::info!("Installed {pkg} with graphical sudo");
+        return Ok(());
+      }
+    }

-        let output = Command::new("pkexec").arg(manager).args(args).output();
+    // 3. Terminal sudo fallback
+    if let Ok(status) = Command::new("sudo")
+      .args([install_cmd, install_arg, pkg])
+      .status()
+    {
+      if status.success() {
+        log::info!("Installed {pkg} with sudo");
+        return Ok(());
+      }
+    }

-        match output {
-          Ok(output) if output.status.success() => {
-            log::info!("RPM installation completed successfully with {manager}");
-            return Ok(());
-          }
-          Ok(output) => {
-            let error_msg = String::from_utf8_lossy(&output.stderr);
-            last_error = format!("{manager} failed: {error_msg}");
-            log::info!("Installation failed with {manager}: {error_msg}");
-          }
-          Err(e) => {
-            last_error = format!("Failed to execute {manager}: {e}");
-            log::info!("Failed to execute {manager}: {e}");
-          }
+    Err(format!("Failed to install {pkg} — all privilege escalation methods failed").into())
+  }
+
+  /// Try zenity then kdialog to get a password graphically.
+  #[cfg(target_os = "linux")]
+  fn get_password_graphically() -> Option<String> {
+    // Try zenity
+    if let Ok(output) = Command::new("zenity")
+      .args([
+        "--password",
+        "--title=Authentication Required",
+        "--text=Enter your password to install the update:",
+      ])
+      .output()
+    {
+      if output.status.success() {
+        let pw = String::from_utf8_lossy(&output.stdout).trim().to_string();
+        if !pw.is_empty() {
+          return Some(pw);
        }
      }
    }

-    Err(format!("RPM installation failed. Last error: {last_error}").into())
+    // Fall back to kdialog
+    if let Ok(output) = Command::new("kdialog")
+      .args(["--password", "Enter your password to install the update:"])
+      .output()
+    {
+      if output.status.success() {
+        let pw = String::from_utf8_lossy(&output.stdout).trim().to_string();
+        if !pw.is_empty() {
+          return Some(pw);
+        }
+      }
+    }
+
+    None
+  }
+
+  /// Pipe a password to `sudo -S <install_cmd> <install_arg> <pkg>`.
+  #[cfg(target_os = "linux")]
+  fn install_with_sudo_stdin(
+    pkg_path: &Path,
+    password: &str,
+    install_cmd: &str,
+    install_arg: &str,
+  ) -> bool {
+    use std::io::Write;
+
+    let child = Command::new("sudo")
+      .args([
+        "-S",
+        install_cmd,
+        install_arg,
+        pkg_path.to_str().unwrap_or_default(),
+      ])
+      .stdin(std::process::Stdio::piped())
+      .stdout(std::process::Stdio::piped())
+      .stderr(std::process::Stdio::piped())
+      .spawn();
+
+    match child {
+      Ok(mut child) => {
+        if let Some(mut stdin) = child.stdin.take() {
+          let _ = writeln!(stdin, "{password}");
+        }
+        child.wait().map(|s| s.success()).unwrap_or(false)
+      }
+      Err(_) => false,
+    }
  }

  /// Install Linux AppImage
@@ -1444,96 +1522,121 @@ rm "{}"

    #[cfg(target_os = "windows")]
    {
-      let app_path = self.get_current_app_path()?;
-      let current_pid = std::process::id();
+      use std::ffi::OsStr;
+      use std::os::windows::ffi::OsStrExt;
+
      let pending = PENDING_INSTALLER_PATH.lock().unwrap().take();

-      let temp_dir = std::env::temp_dir();
-      let script_path = temp_dir.join("donut_restart.bat");
-      let update_temp_dir = temp_dir.join("donut_app_update");
-
-      let script_content = if let Some(installer_path) = pending {
+      if let Some(installer_path) = pending {
+        // Use ShellExecuteW to run the installer directly — no batch script,
+        // no cmd.exe console window. The NSIS/MSI installer handles killing the
+        // old process and restarting the app natively (via /UPDATE and
+        // AUTOLAUNCHAPP flags).
        let ext = installer_path
          .extension()
          .and_then(|e| e.to_str())
          .unwrap_or("")
          .to_lowercase();
-        let install_cmd = match ext.as_str() {
-          "msi" => format!(
-            "msiexec /i \"{}\" /quiet /norestart REBOOT=ReallySuppress",
-            installer_path.to_str().unwrap()
-          ),
-          "exe" => format!("\"{}\" /S", installer_path.to_str().unwrap()),
-          _ => String::new(),
+
+        let (file, parameters) = match ext.as_str() {
+          "exe" => {
+            // NSIS installer: /S for silent, /UPDATE tells it this is an update
+            let file = installer_path.as_os_str().to_os_string();
+            let params = std::ffi::OsString::from("/S /UPDATE");
+            (file, params)
+          }
+          "msi" => {
+            // MSI: run msiexec.exe with the package
+            let msiexec = std::env::var("SYSTEMROOT")
+              .map(|p| format!("{p}\\System32\\msiexec.exe"))
+              .unwrap_or_else(|_| "msiexec.exe".to_string());
+            let file = std::ffi::OsString::from(msiexec);
+            let params = std::ffi::OsString::from(format!(
+              "/i {} /quiet /norestart /promptrestart AUTOLAUNCHAPP=True",
+              installer_path
+                .to_str()
+                .map(|p| format!("\"{p}\""))
+                .unwrap_or_default()
+            ));
+            (file, params)
+          }
+          _ => {
+            return Err("Unsupported Windows installer format for restart".into());
+          }
        };

-        format!(
-          r#"@echo off
-rem Wait for the current process to exit
-:wait_loop
-tasklist /fi "PID eq {pid}" >nul 2>&1
-if %errorlevel% equ 0 (
-    timeout /t 1 /nobreak >nul
-    goto wait_loop
-)
+        fn encode_wide(s: impl AsRef<OsStr>) -> Vec<u16> {
+          s.as_ref().encode_wide().chain(std::iter::once(0)).collect()
+        }

-rem Wait a bit more to ensure clean exit
-timeout /t 2 /nobreak >nul
+        let file_w = encode_wide(&file);
+        let params_w = encode_wide(&parameters);

-rem Run the installer
-{install_cmd}
+        log::info!(
+          "Running installer via ShellExecuteW: {:?} {:?}",
+          file,
+          parameters
+        );

-rem Wait for installation to complete
-timeout /t 3 /nobreak >nul
+        // windows-sys is not a direct dep, so use the raw FFI via the
+        // windows crate that Tauri pulls in. ShellExecuteW returns an
+        // HINSTANCE > 32 on success.
+        #[link(name = "shell32")]
+        extern "system" {
+          fn ShellExecuteW(
+            hwnd: *mut std::ffi::c_void,
+            operation: *const u16,
+            file: *const u16,
+            parameters: *const u16,
+            directory: *const u16,
+            show_cmd: i32,
+          ) -> isize;
+        }
+        const SW_SHOWNORMAL: i32 = 1;
+        let open: Vec<u16> = "open\0".encode_utf16().collect();

-rem Start the new application
-start "" "{app_path}"
+        let result = unsafe {
+          ShellExecuteW(
+            std::ptr::null_mut(),
+            open.as_ptr(),
+            file_w.as_ptr(),
+            params_w.as_ptr(),
+            std::ptr::null(),
+            SW_SHOWNORMAL,
+          )
+        };

-rem Clean up installer temp files
-rmdir /s /q "{update_temp}"
-
-rem Clean up this script
-del "%~f0"
-"#,
-          pid = current_pid,
-          install_cmd = install_cmd,
-          app_path = app_path.to_str().unwrap(),
-          update_temp = update_temp_dir.to_str().unwrap(),
-        )
+        if result as usize <= 32 {
+          return Err(format!("ShellExecuteW failed with code {result}").into());
+        }
      } else {
-        format!(
-          r#"@echo off
-rem Wait for the current process to exit
-:wait_loop
-tasklist /fi "PID eq {}" >nul 2>&1
-if %errorlevel% equ 0 (
-    timeout /t 1 /nobreak >nul
-    goto wait_loop
-)
+        // No pending installer — just restart the app. Use a minimal
+        // detached process to relaunch after we exit.
+        let app_path = self.get_current_app_path()?;
+        let current_pid = std::process::id();
+        let temp_dir = std::env::temp_dir();
+        let script_path = temp_dir.join("donut_restart.bat");

-rem Wait a bit more to ensure clean exit
-timeout /t 2 /nobreak >nul
+        let script_content = format!(
+          "@echo off\n\
+           :w\n\
+           tasklist /fi \"PID eq {current_pid}\" 2>nul | find \"{current_pid}\" >nul && (timeout /t 1 /nobreak >nul & goto w)\n\
+           timeout /t 1 /nobreak >nul\n\
+           start \"\" \"{app}\"\n\
+           del \"%~f0\"\n",
+          app = app_path.to_str().unwrap(),
+        );
+        fs::write(&script_path, script_content)?;

-rem Start the new application
-start "" "{}"
-
-rem Clean up this script
-del "%~f0"
-"#,
-          current_pid,
-          app_path.to_str().unwrap()
-        )
-      };
-
-      fs::write(&script_path, script_content)?;
-
-      let mut cmd = Command::new("cmd");
-      cmd.args(["/C", script_path.to_str().unwrap()]);
-
-      let _child = cmd.spawn()?;
+        use std::os::windows::process::CommandExt;
+        const CREATE_NO_WINDOW: u32 = 0x08000000;
+        let _child = Command::new("cmd")
+          .args(["/C", script_path.to_str().unwrap()])
+          .creation_flags(CREATE_NO_WINDOW)
+          .spawn()?;
+      }

      tokio::time::sleep(tokio::time::Duration::from_millis(500)).await;
-
      std::process::exit(0);
    }

@@ -1604,6 +1707,10 @@ rm "{}"

 #[tauri::command]
 pub async fn check_for_app_updates() -> Result<Option<AppUpdateInfo>, String> {
+  if crate::app_dirs::is_portable() {
+    log::info!("App auto-updates disabled in portable mode");
+    return Ok(None);
+  }
  // The disable_auto_updates setting controls app self-updates only
  let disabled = crate::settings_manager::SettingsManager::instance()
    .load_settings()
@@ -2001,6 +2108,15 @@ mod tests {
      // If url is None, it means AppImage was detected and auto-updates are disabled
    }
  }
+
+  #[test]
+  #[cfg(target_os = "linux")]
+  fn test_repo_detection_returns_bool() {
+    // These just verify the functions run without panicking.
+    // Actual values depend on the host system configuration.
+    let _deb = AppAutoUpdater::is_deb_repo_configured();
+    let _rpm = AppAutoUpdater::is_rpm_repo_configured();
+  }
 }

 // Global singleton instance
@@ -3,11 +3,29 @@ use std::path::PathBuf;
 use std::sync::OnceLock;

 static BASE_DIRS: OnceLock<BaseDirs> = OnceLock::new();
+static PORTABLE_DIR: OnceLock<Option<PathBuf>> = OnceLock::new();

 fn base_dirs() -> &'static BaseDirs {
  BASE_DIRS.get_or_init(|| BaseDirs::new().expect("Failed to get base directories"))
 }

+/// Returns the portable base directory if a `.portable` marker exists next to the executable.
+fn portable_dir() -> Option<&'static PathBuf> {
+  PORTABLE_DIR
+    .get_or_init(|| {
+      std::env::current_exe()
+        .ok()
+        .and_then(|exe| exe.parent().map(|p| p.to_path_buf()))
+        .filter(|dir| dir.join(".portable").exists())
+    })
+    .as_ref()
+}
+
+/// Returns true if the app is running in portable mode.
+pub fn is_portable() -> bool {
+  portable_dir().is_some()
+}
+
 pub fn app_name() -> &'static str {
  if cfg!(debug_assertions) {
    "DonutBrowserDev"
@@ -28,6 +46,10 @@ pub fn data_dir() -> PathBuf {
    return PathBuf::from(dir);
  }

+  if let Some(dir) = portable_dir() {
+    return dir.join("data");
+  }
+
  base_dirs().data_local_dir().join(app_name())
 }

@@ -43,6 +65,10 @@ pub fn cache_dir() -> PathBuf {
    return PathBuf::from(dir);
  }

+  if let Some(dir) = portable_dir() {
+    return dir.join("cache");
+  }
+
  base_dirs().cache_dir().join(app_name())
 }

@@ -78,6 +104,10 @@ pub fn extensions_dir() -> PathBuf {
  data_dir().join("extensions")
 }

+pub fn dns_blocklist_dir() -> PathBuf {
+  cache_dir().join("dns_blocklists")
+}
+
 #[cfg(test)]
 thread_local! {
  static TEST_DATA_DIR: std::cell::RefCell<Option<PathBuf>> = const { std::cell::RefCell::new(None) };
@@ -162,6 +192,7 @@ mod tests {
    assert!(proxy_workers_dir().ends_with("proxy_workers"));
    assert!(vpn_dir().ends_with("vpn"));
    assert!(extensions_dir().ends_with("extensions"));
+    assert!(dns_blocklist_dir().ends_with("dns_blocklists"));
  }

  #[test]
@@ -683,6 +683,7 @@ mod tests {
      process_id: None,
      proxy_id: None,
      vpn_id: None,
+      launch_hook: None,
      last_launch: None,
      release_type: "stable".to_string(),
      camoufox_config: None,
@@ -699,6 +700,7 @@ mod tests {
      proxy_bypass_rules: Vec::new(),
      created_by_id: None,
      created_by_email: None,
+      dns_blocklist: None,
    }
  }

@@ -121,7 +121,7 @@ async fn main() {
            .arg(
              Arg::new("type")
                .long("type")
-                .help("Proxy type (http, https, socks4, socks5)"),
+                .help("Proxy type (http, https, socks4, socks5, ss)"),
            )
            .arg(Arg::new("username").long("username").help("Proxy username"))
            .arg(Arg::new("password").long("password").help("Proxy password"))
@@ -152,6 +152,11 @@ async fn main() {
              Arg::new("bypass-rules")
                .long("bypass-rules")
                .help("JSON array of bypass rules (hostnames, IPs, or regex patterns)"),
+            )
+            .arg(
+              Arg::new("blocklist-file")
+                .long("blocklist-file")
+                .help("Path to DNS blocklist file (one domain per line)"),
            ),
        )
        .subcommand(
@@ -235,8 +240,17 @@ async fn main() {
        .get_one::<String>("bypass-rules")
        .and_then(|s| serde_json::from_str(s).ok())
        .unwrap_or_default();
+      let blocklist_file = start_matches.get_one::<String>("blocklist-file").cloned();

-      match start_proxy_process_with_profile(upstream_url, port, profile_id, bypass_rules).await {
+      match start_proxy_process_with_profile(
+        upstream_url,
+        port,
+        profile_id,
+        bypass_rules,
+        blocklist_file,
+      )
+      .await
+      {
        Ok(config) => {
          // Output the configuration as JSON for the Rust side to parse
          // Use println! here because this needs to go to stdout for parsing
@@ -1199,6 +1199,7 @@ mod tests {
      version: "1.0.0".to_string(),
      proxy_id: None,
      vpn_id: None,
+      launch_hook: None,
      process_id: None,
      last_launch: None,
      release_type: "stable".to_string(),
@@ -1216,6 +1217,7 @@ mod tests {
      proxy_bypass_rules: Vec::new(),
      created_by_id: None,
      created_by_email: None,
+      dns_blocklist: None,
    };

    let path = profile.get_profile_data_path(&profiles_dir);
@@ -9,7 +9,7 @@ use crate::proxy_manager::PROXY_MANAGER;
 use crate::wayfern_manager::{WayfernConfig, WayfernManager};
 use serde::Serialize;
 use std::path::PathBuf;
-use std::time::{SystemTime, UNIX_EPOCH};
+use std::time::{Duration, SystemTime, UNIX_EPOCH};
 use sysinfo::System;
 pub struct BrowserRunner {
  pub profile_manager: &'static ProfileManager,
@@ -38,10 +38,28 @@ impl BrowserRunner {
    crate::app_dirs::binaries_dir()
  }

+  /// Resolve the DNS blocklist level to a cached file path.
+  /// If a level is set but the cache is missing, fetches on demand (blocks until done).
+  async fn resolve_blocklist_file(
+    profile: &crate::profile::BrowserProfile,
+  ) -> Result<Option<String>, String> {
+    let Some(ref level_str) = profile.dns_blocklist else {
+      return Ok(None);
+    };
+    let Some(level) = crate::dns_blocklist::BlocklistLevel::parse_level(level_str) else {
+      return Ok(None);
+    };
+    if level == crate::dns_blocklist::BlocklistLevel::None {
+      return Ok(None);
+    }
+    let path = crate::dns_blocklist::BlocklistManager::ensure_cached(level)
+      .await
+      .map_err(|e| format!("Failed to fetch DNS blocklist: {e}"))?;
+    Ok(Some(path.to_string_lossy().to_string()))
+  }
+
  /// Refresh cloud proxy credentials if the profile uses a cloud or cloud-derived proxy,
  /// then resolve the proxy settings with profile-specific sid for sticky sessions.
-  /// Resolve proxy settings for a profile, returning an error for dynamic proxy failures.
-  /// Returns Ok(None) when no proxy is configured, Ok(Some) on success, Err on dynamic fetch failure.
  async fn resolve_proxy_with_refresh(
    &self,
    proxy_id: Option<&String>,
@@ -52,13 +70,6 @@ impl BrowserRunner {
      None => return Ok(None),
    };

-    // Handle dynamic proxies: fetch from URL at launch time
-    if PROXY_MANAGER.is_dynamic_proxy(proxy_id) {
-      log::info!("Fetching dynamic proxy settings for proxy {proxy_id}");
-      let settings = PROXY_MANAGER.resolve_dynamic_proxy(proxy_id).await?;
-      return Ok(Some(settings));
-    }
-
    if PROXY_MANAGER.is_cloud_or_derived(proxy_id) {
      log::info!("Refreshing cloud proxy credentials before launch for proxy {proxy_id}");
      CLOUD_AUTH.sync_cloud_proxy().await;
@@ -72,6 +83,38 @@ impl BrowserRunner {
    Ok(PROXY_MANAGER.get_proxy_settings_by_id(proxy_id))
  }

+  async fn resolve_launch_hook_proxy(
+    &self,
+    profile: &BrowserProfile,
+  ) -> Result<Option<ProxySettings>, String> {
+    let Some(url) = profile.launch_hook.as_deref() else {
+      return Ok(None);
+    };
+
+    log::info!(
+      "Calling launch hook for profile {} (ID: {})",
+      profile.name,
+      profile.id
+    );
+
+    PROXY_MANAGER
+      .fetch_proxy_from_url(url, Duration::from_millis(500))
+      .await
+  }
+
+  async fn resolve_launch_proxy(
+    &self,
+    profile: &BrowserProfile,
+  ) -> Result<Option<ProxySettings>, String> {
+    if let Some(proxy_settings) = self.resolve_launch_hook_proxy(profile).await? {
+      return Ok(Some(proxy_settings));
+    }
+
+    self
+      .resolve_proxy_with_refresh(profile.proxy_id.as_ref(), Some(&profile.id.to_string()))
+      .await
+  }
+
  /// Get the executable path for a browser profile
  /// This is a common helper to eliminate code duplication across the codebase
  pub fn get_browser_executable_path(
@@ -127,9 +170,8 @@ impl BrowserRunner {
      });

      // Always start a local proxy for Camoufox (for traffic monitoring and geoip support)
-      // Refresh cloud proxy credentials if needed before resolving
      let mut upstream_proxy = self
-        .resolve_proxy_with_refresh(profile.proxy_id.as_ref(), Some(&profile.id.to_string()))
+        .resolve_launch_proxy(profile)
        .await
        .map_err(|e| -> Box<dyn std::error::Error + Send + Sync> { e.into() })?;

@@ -168,6 +210,7 @@ impl BrowserRunner {
      // Start the proxy and get local proxy settings
      // If proxy startup fails, DO NOT launch Camoufox - it requires local proxy
      let profile_id_str = profile.id.to_string();
+      let blocklist_file = Self::resolve_blocklist_file(profile).await?;
      let local_proxy = PROXY_MANAGER
        .start_proxy(
          app_handle.clone(),
@@ -175,6 +218,7 @@ impl BrowserRunner {
          0, // Use 0 as temporary PID, will be updated later
          Some(&profile_id_str),
          profile.proxy_bypass_rules.clone(),
+          blocklist_file,
        )
        .await
        .map_err(|e| {
@@ -386,9 +430,8 @@ impl BrowserRunner {
      });

      // Always start a local proxy for Wayfern (for traffic monitoring and geoip support)
-      // Refresh cloud proxy credentials if needed before resolving
      let mut upstream_proxy = self
-        .resolve_proxy_with_refresh(profile.proxy_id.as_ref(), Some(&profile.id.to_string()))
+        .resolve_launch_proxy(profile)
        .await
        .map_err(|e| -> Box<dyn std::error::Error + Send + Sync> { e.into() })?;

@@ -427,6 +470,7 @@ impl BrowserRunner {
      // Start the proxy and get local proxy settings
      // If proxy startup fails, DO NOT launch Wayfern - it requires local proxy
      let profile_id_str = profile.id.to_string();
+      let blocklist_file = Self::resolve_blocklist_file(profile).await?;
      let local_proxy = PROXY_MANAGER
        .start_proxy(
          app_handle.clone(),
@@ -434,6 +478,7 @@ impl BrowserRunner {
          0, // Use 0 as temporary PID, will be updated later
          Some(&profile_id_str),
          profile.proxy_bypass_rules.clone(),
+          blocklist_file,
        )
        .await
        .map_err(|e| {
@@ -739,10 +784,8 @@ impl BrowserRunner {
    headless: bool,
  ) -> Result<BrowserProfile, Box<dyn std::error::Error + Send + Sync>> {
    // Always start a local proxy for API launches
-    // Determine upstream proxy if configured; otherwise use DIRECT
-    // Refresh cloud proxy credentials before resolving
    let upstream_proxy = self
-      .resolve_proxy_with_refresh(profile.proxy_id.as_ref(), Some(&profile.id.to_string()))
+      .resolve_launch_proxy(profile)
      .await
      .map_err(|e| -> Box<dyn std::error::Error + Send + Sync> { e.into() })?;

@@ -751,6 +794,9 @@ impl BrowserRunner {
    let profile_id_str = profile.id.to_string();

    // Start local proxy - if this fails, DO NOT launch browser
+    let blocklist_file = Self::resolve_blocklist_file(profile)
+      .await
+      .map_err(|e| -> Box<dyn std::error::Error + Send + Sync> { e.into() })?;
    let internal_proxy = PROXY_MANAGER
      .start_proxy(
        app_handle.clone(),
@@ -758,6 +804,7 @@ impl BrowserRunner {
        temp_pid,
        Some(&profile_id_str),
        profile.proxy_bypass_rules.clone(),
+        blocklist_file,
      )
      .await
      .map_err(|e| {
@@ -2245,10 +2292,7 @@ pub async fn launch_browser_profile(
    // Determine upstream proxy if configured; otherwise use DIRECT (no upstream)
    // Refresh cloud proxy credentials and inject profile-specific sid
    let mut upstream_proxy = BrowserRunner::instance()
-      .resolve_proxy_with_refresh(
-        profile_for_launch.proxy_id.as_ref(),
-        Some(&profile_for_launch.id.to_string()),
-      )
+      .resolve_launch_proxy(&profile_for_launch)
      .await?;

    // If profile has a VPN instead of proxy, start VPN worker and use it as upstream
@@ -2280,6 +2324,7 @@ pub async fn launch_browser_profile(

    // Always start a local proxy, even if there's no upstream proxy
    // This allows for traffic monitoring and future features
+    let blocklist_file = BrowserRunner::resolve_blocklist_file(&profile_for_launch).await?;
    match PROXY_MANAGER
      .start_proxy(
        app_handle.clone(),
@@ -2287,6 +2332,7 @@ pub async fn launch_browser_profile(
        temp_pid,
        Some(&profile_id_str),
        profile_for_launch.proxy_bypass_rules.clone(),
+        blocklist_file,
      )
      .await
    {
@@ -362,12 +362,12 @@ impl CloudAuthManager {

  // --- API methods ---

-  pub async fn request_otp(&self, email: &str) -> Result<String, String> {
+  pub async fn request_otp(&self, email: &str, captcha_token: &str) -> Result<String, String> {
    let url = format!("{CLOUD_API_URL}/api/auth/otp/request");
    let response = self
      .client
      .post(&url)
-      .json(&serde_json::json!({ "email": email }))
+      .json(&serde_json::json!({ "email": email, "captchaToken": captcha_token }))
      .send()
      .await
      .map_err(|e| format!("Failed to request OTP: {e}"))?;
@@ -1100,8 +1100,8 @@ impl CloudAuthManager {
 // --- Tauri commands ---

 #[tauri::command]
-pub async fn cloud_request_otp(email: String) -> Result<String, String> {
-  CLOUD_AUTH.request_otp(&email).await
+pub async fn cloud_request_otp(email: String, captcha_token: String) -> Result<String, String> {
+  CLOUD_AUTH.request_otp(&email, &captcha_token).await
 }

 #[tauri::command]
@@ -340,6 +340,9 @@ pub fn is_autostart_enabled() -> bool {
 }

 pub fn get_data_dir() -> Option<PathBuf> {
+  if crate::app_dirs::is_portable() {
+    return Some(crate::app_dirs::data_dir());
+  }
  if let Some(proj_dirs) = ProjectDirs::from("com", "donutbrowser", "Donut Browser") {
    Some(proj_dirs.data_dir().to_path_buf())
  } else {
@@ -0,0 +1,343 @@
+use serde::{Deserialize, Serialize};
+use std::path::PathBuf;
+use std::time::{Duration, SystemTime};
+
+use crate::app_dirs;
+
+const REFRESH_INTERVAL: Duration = Duration::from_secs(43200); // 12 hours
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, Default)]
+#[serde(rename_all = "snake_case")]
+pub enum BlocklistLevel {
+  #[default]
+  None,
+  Light,
+  Normal,
+  Pro,
+  ProPlus,
+  Ultimate,
+}
+
+impl BlocklistLevel {
+  pub fn parse_level(s: &str) -> Option<Self> {
+    match s {
+      "light" => Some(Self::Light),
+      "normal" => Some(Self::Normal),
+      "pro" => Some(Self::Pro),
+      "pro_plus" => Some(Self::ProPlus),
+      "ultimate" => Some(Self::Ultimate),
+      "none" => Some(Self::None),
+      _ => None,
+    }
+  }
+
+  pub fn as_str(&self) -> &'static str {
+    match self {
+      Self::None => "none",
+      Self::Light => "light",
+      Self::Normal => "normal",
+      Self::Pro => "pro",
+      Self::ProPlus => "pro_plus",
+      Self::Ultimate => "ultimate",
+    }
+  }
+
+  pub fn display_name(&self) -> &'static str {
+    match self {
+      Self::None => "None",
+      Self::Light => "Light",
+      Self::Normal => "Normal",
+      Self::Pro => "Pro",
+      Self::ProPlus => "Pro++",
+      Self::Ultimate => "Ultimate",
+    }
+  }
+
+  pub fn url(&self) -> Option<&'static str> {
+    match self {
+      Self::None => None,
+      Self::Light => {
+        Some("https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/domains/light.txt")
+      }
+      Self::Normal => {
+        Some("https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/domains/multi.txt")
+      }
+      Self::Pro => Some("https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/domains/pro.txt"),
+      Self::ProPlus => {
+        Some("https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/domains/pro.plus.txt")
+      }
+      Self::Ultimate => {
+        Some("https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/domains/ultimate.txt")
+      }
+    }
+  }
+
+  pub fn filename(&self) -> Option<&'static str> {
+    match self {
+      Self::None => None,
+      Self::Light => Some("light.txt"),
+      Self::Normal => Some("multi.txt"),
+      Self::Pro => Some("pro.txt"),
+      Self::ProPlus => Some("pro.plus.txt"),
+      Self::Ultimate => Some("ultimate.txt"),
+    }
+  }
+
+  pub fn all_downloadable() -> &'static [BlocklistLevel] {
+    &[
+      Self::Light,
+      Self::Normal,
+      Self::Pro,
+      Self::ProPlus,
+      Self::Ultimate,
+    ]
+  }
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct BlocklistCacheStatus {
+  pub level: String,
+  pub display_name: String,
+  pub entry_count: usize,
+  pub file_size_bytes: u64,
+  pub last_updated: Option<u64>,
+  pub is_fresh: bool,
+  pub is_cached: bool,
+}
+
+pub struct BlocklistManager;
+
+lazy_static::lazy_static! {
+  static ref HTTP_CLIENT: reqwest::Client = reqwest::Client::builder()
+    .timeout(Duration::from_secs(60))
+    .build()
+    .expect("Failed to create HTTP client");
+}
+
+impl BlocklistManager {
+  pub fn instance() -> &'static BlocklistManager {
+    &BLOCKLIST_MANAGER
+  }
+
+  fn cache_dir() -> PathBuf {
+    app_dirs::dns_blocklist_dir()
+  }
+
+  pub fn cached_file_path(level: BlocklistLevel) -> Option<PathBuf> {
+    level.filename().map(|f| Self::cache_dir().join(f))
+  }
+
+  pub fn is_cache_fresh(level: BlocklistLevel) -> bool {
+    let Some(path) = Self::cached_file_path(level) else {
+      return false;
+    };
+    if !path.exists() {
+      return false;
+    }
+    match std::fs::metadata(&path).and_then(|m| m.modified()) {
+      Ok(modified) => SystemTime::now()
+        .duration_since(modified)
+        .map(|age| age < REFRESH_INTERVAL)
+        .unwrap_or(false),
+      Err(_) => false,
+    }
+  }
+
+  pub async fn fetch_blocklist(level: BlocklistLevel) -> Result<PathBuf, String> {
+    let url = level
+      .url()
+      .ok_or_else(|| format!("No URL for level {:?}", level))?;
+    let path =
+      Self::cached_file_path(level).ok_or_else(|| format!("No filename for level {:?}", level))?;
+
+    let cache_dir = Self::cache_dir();
+    std::fs::create_dir_all(&cache_dir).map_err(|e| format!("Failed to create cache dir: {e}"))?;
+
+    log::info!(
+      "[dns-blocklist] Fetching {} from {}",
+      level.display_name(),
+      url
+    );
+
+    let response = HTTP_CLIENT
+      .get(url)
+      .send()
+      .await
+      .map_err(|e| format!("Failed to fetch blocklist: {e}"))?;
+
+    if !response.status().is_success() {
+      return Err(format!("HTTP {} when fetching {}", response.status(), url));
+    }
+
+    let body = response
+      .text()
+      .await
+      .map_err(|e| format!("Failed to read response body: {e}"))?;
+
+    // Write atomically: write to temp file, then rename
+    let tmp_path = path.with_extension("tmp");
+    std::fs::write(&tmp_path, &body).map_err(|e| format!("Failed to write blocklist: {e}"))?;
+    std::fs::rename(&tmp_path, &path).map_err(|e| format!("Failed to rename blocklist: {e}"))?;
+
+    let entry_count = body
+      .lines()
+      .filter(|l| !l.starts_with('#') && !l.trim().is_empty())
+      .count();
+    log::info!(
+      "[dns-blocklist] Cached {} ({} domains)",
+      level.display_name(),
+      entry_count
+    );
+
+    Ok(path)
+  }
+
+  pub async fn ensure_cached(level: BlocklistLevel) -> Result<PathBuf, String> {
+    if let Some(path) = Self::cached_file_path(level) {
+      if path.exists() {
+        return Ok(path);
+      }
+    }
+    Self::fetch_blocklist(level).await
+  }
+
+  pub async fn refresh_all_stale(&self) {
+    for &level in BlocklistLevel::all_downloadable() {
+      if !Self::is_cache_fresh(level) {
+        if let Err(e) = Self::fetch_blocklist(level).await {
+          log::error!(
+            "[dns-blocklist] Failed to refresh {}: {e}",
+            level.display_name()
+          );
+          let _ = crate::events::emit(
+            "dns-blocklist-refresh-failed",
+            serde_json::json!({
+              "level": level.as_str(),
+              "error": e,
+            }),
+          );
+        }
+      }
+    }
+  }
+
+  pub fn get_blocklist_file_path(level: BlocklistLevel) -> Option<PathBuf> {
+    Self::cached_file_path(level).filter(|p| p.exists())
+  }
+
+  pub fn get_cache_status() -> Vec<BlocklistCacheStatus> {
+    BlocklistLevel::all_downloadable()
+      .iter()
+      .map(|&level| {
+        let path = Self::cached_file_path(level);
+        let metadata = path.as_ref().and_then(|p| std::fs::metadata(p).ok());
+        let is_cached = metadata.is_some();
+
+        let entry_count = if is_cached {
+          path
+            .as_ref()
+            .and_then(|p| std::fs::read_to_string(p).ok())
+            .map(|content| {
+              content
+                .lines()
+                .filter(|l| !l.starts_with('#') && !l.trim().is_empty())
+                .count()
+            })
+            .unwrap_or(0)
+        } else {
+          0
+        };
+
+        let file_size_bytes = metadata.as_ref().map(|m| m.len()).unwrap_or(0);
+
+        let last_updated = metadata
+          .as_ref()
+          .and_then(|m| m.modified().ok())
+          .and_then(|t| t.duration_since(SystemTime::UNIX_EPOCH).ok())
+          .map(|d| d.as_secs());
+
+        BlocklistCacheStatus {
+          level: level.as_str().to_string(),
+          display_name: level.display_name().to_string(),
+          entry_count,
+          file_size_bytes,
+          last_updated,
+          is_fresh: Self::is_cache_fresh(level),
+          is_cached,
+        }
+      })
+      .collect()
+  }
+}
+
+lazy_static::lazy_static! {
+  static ref BLOCKLIST_MANAGER: BlocklistManager = BlocklistManager;
+}
+
+// Tauri commands
+
+#[tauri::command]
+pub async fn get_dns_blocklist_cache_status() -> Result<Vec<BlocklistCacheStatus>, String> {
+  Ok(BlocklistManager::get_cache_status())
+}
+
+#[tauri::command]
+pub async fn refresh_dns_blocklists() -> Result<(), String> {
+  for &level in BlocklistLevel::all_downloadable() {
+    BlocklistManager::fetch_blocklist(level).await?;
+  }
+  Ok(())
+}
+
+#[cfg(test)]
+mod tests {
+  use super::*;
+
+  #[test]
+  fn test_level_roundtrip() {
+    for &level in BlocklistLevel::all_downloadable() {
+      let s = level.as_str();
+      let parsed = BlocklistLevel::parse_level(s);
+      assert_eq!(parsed, Some(level), "Roundtrip failed for {s}");
+    }
+    assert_eq!(
+      BlocklistLevel::parse_level("none"),
+      Some(BlocklistLevel::None)
+    );
+  }
+
+  #[test]
+  fn test_level_urls_all_present() {
+    for &level in BlocklistLevel::all_downloadable() {
+      assert!(
+        level.url().is_some(),
+        "{} should have a URL",
+        level.as_str()
+      );
+      assert!(
+        level.filename().is_some(),
+        "{} should have a filename",
+        level.as_str()
+      );
+    }
+    assert!(BlocklistLevel::None.url().is_none());
+    assert!(BlocklistLevel::None.filename().is_none());
+  }
+
+  #[test]
+  fn test_cache_status_returns_all_levels() {
+    let statuses = BlocklistManager::get_cache_status();
+    assert_eq!(statuses.len(), 5);
+    assert_eq!(statuses[0].level, "light");
+    assert_eq!(statuses[1].level, "normal");
+    assert_eq!(statuses[2].level, "pro");
+    assert_eq!(statuses[3].level, "pro_plus");
+    assert_eq!(statuses[4].level, "ultimate");
+  }
+
+  #[test]
+  fn test_cache_fresh_returns_false_when_missing() {
+    assert!(!BlocklistManager::is_cache_fresh(BlocklistLevel::Light));
+    assert!(!BlocklistManager::is_cache_fresh(BlocklistLevel::None));
+  }
+}
@@ -260,6 +260,7 @@ mod tests {
      version: "1.0".to_string(),
      proxy_id: None,
      vpn_id: None,
+      launch_hook: None,
      process_id: None,
      last_launch: None,
      release_type: "stable".to_string(),
@@ -277,6 +278,7 @@ mod tests {
      proxy_bypass_rules: Vec::new(),
      created_by_id: None,
      created_by_email: None,
+      dns_blocklist: None,
    }
  }

@@ -313,6 +315,7 @@ mod tests {
  }

  #[test]
+  #[serial_test::serial]
  fn test_recover_ephemeral_dirs() {
    let base = get_ephemeral_base_dir().unwrap();
    let test_id = uuid::Uuid::new_v4().to_string();
@@ -55,6 +55,7 @@ pub async fn fetch_public_ip(proxy: Option<&str>) -> Result<String, IpError> {
    let proxy = reqwest::Proxy::all(proxy_url)
      .map_err(|e| IpError::Network(format!("Invalid proxy: {}", e)))?;
    client_builder
+      .no_proxy()
      .proxy(proxy)
      .build()
      .map_err(|e| IpError::Network(e.to_string()))?
@@ -64,7 +65,7 @@ pub async fn fetch_public_ip(proxy: Option<&str>) -> Result<String, IpError> {
      .map_err(|e| IpError::Network(e.to_string()))?
  };

-  let mut last_error = None;
+  let mut errors = Vec::new();

  for url in &urls {
    match client.get(*url).send().await {
@@ -76,21 +77,29 @@ pub async fn fetch_public_ip(proxy: Option<&str>) -> Result<String, IpError> {
          }
        }
        Err(e) => {
-          last_error = Some(format!("Failed to read response from {}: {}", url, e));
+          errors.push(format!("{}: {}", url, e));
        }
      },
      Ok(response) => {
-        last_error = Some(format!("HTTP {} from {}", response.status(), url));
+        errors.push(format!("{}: HTTP {}", url, response.status()));
      }
      Err(e) => {
-        last_error = Some(format!("Request to {} failed: {}", url, e));
+        errors.push(format!("{}: {}", url, e));
      }
    }
  }

-  Err(IpError::Network(last_error.unwrap_or_else(|| {
-    "Failed to fetch public IP from any endpoint".to_string()
-  })))
+  if errors.is_empty() {
+    Err(IpError::Network(
+      "Failed to fetch public IP from any endpoint".to_string(),
+    ))
+  } else {
+    Err(IpError::Network(format!(
+      "All {} endpoints failed: {}",
+      errors.len(),
+      errors.join("; ")
+    )))
+  }
 }

 #[cfg(test)]
@@ -19,6 +19,7 @@ mod browser_version_manager;
 pub mod camoufox;
 mod camoufox_manager;
 mod default_browser;
+pub mod dns_blocklist;
 mod downloaded_browsers_registry;
 mod downloader;
 mod ephemeral_dirs;
@@ -65,8 +66,9 @@ use browser_runner::{

 use profile::manager::{
  check_browser_status, clone_profile, create_browser_profile_new, delete_profile,
-  list_browser_profiles, rename_profile, update_camoufox_config, update_profile_note,
-  update_profile_proxy, update_profile_proxy_bypass_rules, update_profile_tags, update_profile_vpn,
+  list_browser_profiles, rename_profile, update_camoufox_config, update_profile_dns_blocklist,
+  update_profile_launch_hook, update_profile_note, update_profile_proxy,
+  update_profile_proxy_bypass_rules, update_profile_tags, update_profile_vpn,
  update_wayfern_config,
 };

@@ -85,7 +87,7 @@ use downloader::{cancel_download, download_browser};

 use settings_manager::{
  decline_launch_on_login, dismiss_window_resize_warning, enable_launch_on_login, get_app_settings,
-  get_sync_settings, get_system_language, get_table_sorting_settings,
+  get_sync_settings, get_system_info, get_system_language, get_table_sorting_settings,
  get_window_resize_warning_dismissed, save_app_settings, save_sync_settings,
  save_table_sorting_settings, should_show_launch_on_login_prompt,
 };
@@ -211,19 +213,13 @@ async fn create_stored_proxy(
  app_handle: tauri::AppHandle,
  name: String,
  proxy_settings: Option<crate::browser::ProxySettings>,
-  dynamic_proxy_url: Option<String>,
-  dynamic_proxy_format: Option<String>,
 ) -> Result<crate::proxy_manager::StoredProxy, String> {
-  if let (Some(url), Some(format)) = (&dynamic_proxy_url, &dynamic_proxy_format) {
-    crate::proxy_manager::PROXY_MANAGER
-      .create_dynamic_proxy(&app_handle, name, url.clone(), format.clone())
-      .map_err(|e| format!("Failed to create dynamic proxy: {e}"))
-  } else if let Some(settings) = proxy_settings {
+  if let Some(settings) = proxy_settings {
    crate::proxy_manager::PROXY_MANAGER
      .create_stored_proxy(&app_handle, name, settings)
      .map_err(|e| format!("Failed to create stored proxy: {e}"))
  } else {
-    Err("Either proxy_settings or dynamic proxy URL and format are required".to_string())
+    Err("proxy_settings is required".to_string())
  }
 }

@@ -238,26 +234,10 @@ async fn update_stored_proxy(
  proxy_id: String,
  name: Option<String>,
  proxy_settings: Option<crate::browser::ProxySettings>,
-  dynamic_proxy_url: Option<String>,
-  dynamic_proxy_format: Option<String>,
 ) -> Result<crate::proxy_manager::StoredProxy, String> {
-  // Check if this is a dynamic proxy update
-  let is_dynamic = crate::proxy_manager::PROXY_MANAGER.is_dynamic_proxy(&proxy_id);
-  if is_dynamic || dynamic_proxy_url.is_some() {
-    crate::proxy_manager::PROXY_MANAGER
-      .update_dynamic_proxy(
-        &app_handle,
-        &proxy_id,
-        name,
-        dynamic_proxy_url,
-        dynamic_proxy_format,
-      )
-      .map_err(|e| format!("Failed to update dynamic proxy: {e}"))
-  } else {
-    crate::proxy_manager::PROXY_MANAGER
-      .update_stored_proxy(&app_handle, &proxy_id, name, proxy_settings)
-      .map_err(|e| format!("Failed to update stored proxy: {e}"))
-  }
+  crate::proxy_manager::PROXY_MANAGER
+    .update_stored_proxy(&app_handle, &proxy_id, name, proxy_settings)
+    .map_err(|e| format!("Failed to update stored proxy: {e}"))
 }

 #[tauri::command]
@@ -272,13 +252,8 @@ async fn check_proxy_validity(
  proxy_id: String,
  proxy_settings: Option<crate::browser::ProxySettings>,
 ) -> Result<crate::proxy_manager::ProxyCheckResult, String> {
-  // For dynamic proxies, fetch settings first
  let settings = if let Some(s) = proxy_settings {
    s
-  } else if crate::proxy_manager::PROXY_MANAGER.is_dynamic_proxy(&proxy_id) {
-    crate::proxy_manager::PROXY_MANAGER
-      .resolve_dynamic_proxy(&proxy_id)
-      .await?
  } else {
    crate::proxy_manager::PROXY_MANAGER
      .get_proxy_settings_by_id(&proxy_id)
@@ -289,24 +264,6 @@ async fn check_proxy_validity(
    .await
 }

-#[tauri::command]
-async fn fetch_dynamic_proxy(
-  url: String,
-  format: String,
-) -> Result<crate::browser::ProxySettings, String> {
-  let settings = crate::proxy_manager::PROXY_MANAGER
-    .fetch_dynamic_proxy(&url, &format)
-    .await?;
-
-  // Validate the proxy actually works by connecting through it
-  crate::proxy_manager::PROXY_MANAGER
-    .check_proxy_validity("_dynamic_test", &settings)
-    .await
-    .map_err(|e| format!("Proxy resolved but connection failed: {e}"))?;
-
-  Ok(settings)
-}
-
 #[tauri::command]
 fn get_cached_proxy_check(proxy_id: String) -> Option<crate::proxy_manager::ProxyCheckResult> {
  crate::proxy_manager::PROXY_MANAGER.get_cached_proxy_check(&proxy_id)
@@ -812,6 +769,42 @@ async fn download_geoip_database(app_handle: tauri::AppHandle) -> Result<(), Str
 }

 // VPN commands
+#[derive(serde::Serialize)]
+#[serde(rename_all = "camelCase")]
+struct VpnDependencyStatus {
+  is_available: bool,
+  requires_external_install: bool,
+  missing_binary: bool,
+  missing_windows_adapter: bool,
+  dependency_check_failed: bool,
+}
+
+#[tauri::command]
+async fn get_vpn_dependency_status(vpn_type: vpn::VpnType) -> Result<VpnDependencyStatus, String> {
+  match vpn_type {
+    vpn::VpnType::WireGuard => Ok(VpnDependencyStatus {
+      is_available: true,
+      requires_external_install: false,
+      missing_binary: false,
+      missing_windows_adapter: false,
+      dependency_check_failed: false,
+    }),
+    vpn::VpnType::OpenVPN => {
+      let status = crate::vpn::openvpn_socks5::OpenVpnSocks5Server::dependency_status();
+      let is_available =
+        status.binary_found && !status.missing_windows_adapter && !status.dependency_check_failed;
+
+      Ok(VpnDependencyStatus {
+        is_available,
+        requires_external_install: true,
+        missing_binary: !status.binary_found,
+        missing_windows_adapter: status.missing_windows_adapter,
+        dependency_check_failed: status.dependency_check_failed,
+      })
+    }
+  }
+}
+
 #[tauri::command]
 async fn import_vpn_config(
  content: String,
@@ -985,45 +978,81 @@ async fn check_vpn_validity(
    .unwrap_or_default()
    .as_secs();

-  // Start a temporary VPN worker to send real traffic
+  let had_existing_worker = vpn_worker_storage::find_vpn_worker_by_vpn_id(&vpn_id).is_some();
+
  let vpn_worker = vpn_worker_runner::start_vpn_worker(&vpn_id)
    .await
    .map_err(|e| format!("Failed to start VPN worker: {e}"))?;

-  let socks_url = format!("socks5://127.0.0.1:{}", vpn_worker.local_port.unwrap_or(0));
+  let socks_url = format!(
+    "socks5://127.0.0.1:{}",
+    vpn_worker.local_port.unwrap_or_default()
+  );

-  // Fetch public IP through the VPN SOCKS5 proxy
-  let result = match ip_utils::fetch_public_ip(Some(&socks_url)).await {
-    Ok(ip) => {
-      let (city, country, country_code) =
-        crate::proxy_manager::ProxyManager::get_ip_geolocation(&ip)
-          .await
-          .unwrap_or_default();
-
-      crate::proxy_manager::ProxyCheckResult {
-        ip,
-        city,
-        country,
-        country_code,
-        timestamp: now,
-        is_valid: true,
-      }
-    }
-    Err(e) => {
-      log::warn!("VPN check failed to fetch public IP: {e}");
-      crate::proxy_manager::ProxyCheckResult {
-        ip: String::new(),
-        city: None,
-        country: None,
-        country_code: None,
-        timestamp: now,
-        is_valid: false,
+  let local_proxy = crate::proxy_runner::start_proxy_process(Some(socks_url), None)
+    .await
+    .map_err(|error| error.to_string());
+  let local_proxy = match local_proxy {
+    Ok(proxy) => proxy,
+    Err(error_message) => {
+      if !had_existing_worker {
+        let _ = vpn_worker_runner::stop_vpn_worker(&vpn_worker.id).await;
      }
+      return Err(format!("Failed to start validation proxy: {error_message}"));
    }
  };

-  // Stop the temporary VPN worker
-  let _ = vpn_worker_runner::stop_vpn_worker(&vpn_worker.id).await;
+  let local_proxy_url = format!(
+    "http://127.0.0.1:{}",
+    local_proxy.local_port.unwrap_or_default()
+  );
+
+  let mut result = None;
+  for attempt in 0..3 {
+    if attempt > 0 {
+      tokio::time::sleep(std::time::Duration::from_secs(1)).await;
+    }
+
+    match ip_utils::fetch_public_ip(Some(&local_proxy_url)).await {
+      Ok(ip) => {
+        let (city, country, country_code) =
+          crate::proxy_manager::ProxyManager::get_ip_geolocation(&ip)
+            .await
+            .unwrap_or_default();
+
+        result = Some(crate::proxy_manager::ProxyCheckResult {
+          ip,
+          city,
+          country,
+          country_code,
+          timestamp: now,
+          is_valid: true,
+        });
+        break;
+      }
+      Err(error) => {
+        log::warn!(
+          "VPN validation attempt {} failed to fetch public IP through donut-proxy: {}",
+          attempt + 1,
+          error
+        );
+      }
+    }
+  }
+
+  let _ = crate::proxy_runner::stop_proxy_process(&local_proxy.id).await;
+  if !had_existing_worker {
+    let _ = vpn_worker_runner::stop_vpn_worker(&vpn_worker.id).await;
+  }
+
+  let result = result.unwrap_or(crate::proxy_manager::ProxyCheckResult {
+    ip: String::new(),
+    city: None,
+    country: None,
+    country_code: None,
+    timestamp: now,
+    is_valid: false,
+  });

  Ok(result)
 }
@@ -1116,6 +1145,7 @@ async fn generate_sample_fingerprint(
    process_id: None,
    proxy_id: None,
    vpn_id: None,
+    launch_hook: None,
    last_launch: None,
    release_type: "stable".to_string(),
    camoufox_config: None,
@@ -1132,6 +1162,7 @@ async fn generate_sample_fingerprint(
    proxy_bypass_rules: Vec::new(),
    created_by_id: None,
    created_by_email: None,
+    dns_blocklist: None,
  };

  if browser == "camoufox" {
@@ -1462,6 +1493,17 @@ pub fn run() {
        }
      });

+      // DNS blocklist refresh task (every 12 hours)
+      tauri::async_runtime::spawn(async move {
+        let manager = dns_blocklist::BlocklistManager::instance();
+        let mut interval = tokio::time::interval(tokio::time::Duration::from_secs(43200));
+        interval.tick().await; // Skip the immediate first tick
+        loop {
+          interval.tick().await;
+          manager.refresh_all_stale().await;
+        }
+      });
+
      tauri::async_runtime::spawn(async move {
        let updater = app_auto_updater::AppAutoUpdater::instance();
        let mut interval = tokio::time::interval(tokio::time::Duration::from_secs(3 * 60 * 60));
@@ -1495,7 +1537,7 @@ pub fn run() {
      let _app_handle_cleanup = app.handle().clone();
      tauri::async_runtime::spawn(async move {
        let camoufox_manager = crate::camoufox_manager::CamoufoxManager::instance();
-        let mut interval = tokio::time::interval(tokio::time::Duration::from_secs(5));
+        let mut interval = tokio::time::interval(tokio::time::Duration::from_secs(60));

        loop {
          interval.tick().await;
@@ -1569,19 +1611,27 @@ pub fn run() {
        }
      });

-      // Periodically broadcast browser running status to the frontend
+      // Periodically broadcast browser running status to the frontend.
+      // When no profiles have stored PIDs (nothing was ever launched this
+      // session), we use a long interval (30s) to avoid burning CPU on
+      // full process-table scans via sysinfo. Once any profile is running
+      // we switch to the fast interval (5s) for responsive UI updates.
      let app_handle_status = app.handle().clone();
      tauri::async_runtime::spawn(async move {
-        let mut interval = tokio::time::interval(tokio::time::Duration::from_secs(5));
+        const FAST_INTERVAL_SECS: u64 = 5;
+        const IDLE_INTERVAL_SECS: u64 = 30;
+
+        let mut interval =
+          tokio::time::interval(tokio::time::Duration::from_secs(FAST_INTERVAL_SECS));
        interval.set_missed_tick_behavior(tokio::time::MissedTickBehavior::Skip);
        let mut last_running_states: std::collections::HashMap<String, bool> =
          std::collections::HashMap::new();
+        let mut current_interval_secs = FAST_INTERVAL_SECS;

        loop {
          interval.tick().await;

          let runner = crate::browser_runner::BrowserRunner::instance();
-          // If listing profiles fails, skip this tick
          let profiles = match runner.profile_manager.list_profiles() {
            Ok(p) => p,
            Err(e) => {
@@ -1590,6 +1640,30 @@ pub fn run() {
            }
          };

+          // If no profile has a stored PID and we have no previously-known
+          // running states, there's nothing to check — skip the expensive
+          // process scan entirely.
+          let any_has_pid = profiles.iter().any(|p| p.process_id.is_some());
+          let any_was_running = last_running_states.values().any(|&v| v);
+
+          if !any_has_pid && !any_was_running {
+            // Switch to the idle interval to reduce CPU
+            if current_interval_secs != IDLE_INTERVAL_SECS {
+              current_interval_secs = IDLE_INTERVAL_SECS;
+              interval =
+                tokio::time::interval(tokio::time::Duration::from_secs(IDLE_INTERVAL_SECS));
+              interval.set_missed_tick_behavior(tokio::time::MissedTickBehavior::Skip);
+            }
+            continue;
+          }
+
+          // At least one profile might be running — use the fast interval
+          if current_interval_secs != FAST_INTERVAL_SECS {
+            current_interval_secs = FAST_INTERVAL_SECS;
+            interval = tokio::time::interval(tokio::time::Duration::from_secs(FAST_INTERVAL_SECS));
+            interval.set_missed_tick_behavior(tokio::time::MissedTickBehavior::Skip);
+          }
+
          for profile in profiles {
            // Check browser status and track changes
            match runner
@@ -1804,7 +1878,9 @@ pub fn run() {
      update_profile_vpn,
      update_profile_tags,
      update_profile_note,
+      update_profile_launch_hook,
      update_profile_proxy_bypass_rules,
+      update_profile_dns_blocklist,
      check_browser_status,
      kill_browser_profile,
      rename_profile,
@@ -1816,6 +1892,7 @@ pub fn run() {
      get_table_sorting_settings,
      save_table_sorting_settings,
      get_system_language,
+      get_system_info,
      dismiss_window_resize_warning,
      get_window_resize_warning_dismissed,
      clear_all_version_cache_and_refetch,
@@ -1842,7 +1919,6 @@ pub fn run() {
      update_stored_proxy,
      delete_stored_proxy,
      check_proxy_validity,
-      fetch_dynamic_proxy,
      get_cached_proxy_check,
      export_proxies,
      import_proxies_json,
@@ -1917,6 +1993,7 @@ pub fn run() {
      add_mcp_to_claude_code,
      remove_mcp_from_claude_code,
      // VPN commands
+      get_vpn_dependency_status,
      import_vpn_config,
      list_vpn_configs,
      get_vpn_config,
@@ -1951,6 +2028,9 @@ pub fn run() {
      synchronizer::stop_sync_session,
      synchronizer::remove_sync_follower,
      synchronizer::get_sync_sessions,
+      // DNS blocklist commands
+      dns_blocklist::get_dns_blocklist_cache_status,
+      dns_blocklist::refresh_dns_blocklists,
    ])
    .build(tauri::generate_context!())
    .expect("error while building tauri application")
@@ -26,6 +26,7 @@ use crate::settings_manager::SettingsManager;
 use crate::wayfern_terms::WayfernTermsManager;

 #[derive(Debug, Clone, Serialize, Deserialize)]
+#[serde(rename_all = "camelCase")]
 pub struct McpTool {
  pub name: String,
  pub description: String,
@@ -507,6 +508,10 @@ impl McpServer {
              "type": "string",
              "description": "Optional proxy UUID to assign"
            },
+            "launch_hook": {
+              "type": "string",
+              "description": "Optional HTTP(S) URL to call before launch for transient proxy overrides"
+            },
            "group_id": {
              "type": "string",
              "description": "Optional group UUID to assign"
@@ -538,6 +543,10 @@ impl McpServer {
              "type": "string",
              "description": "Proxy UUID to assign (empty string to remove)"
            },
+            "launch_hook": {
+              "type": "string",
+              "description": "Launch hook URL to assign (empty string to remove)"
+            },
            "group_id": {
              "type": "string",
              "description": "Group UUID to assign (empty string to remove)"
@@ -712,7 +721,7 @@ impl McpServer {
      },
      McpTool {
        name: "create_proxy".to_string(),
-        description: "Create a new proxy configuration. For regular proxies, provide proxy_type/host/port. For dynamic proxies, provide dynamic_proxy_url and dynamic_proxy_format instead.".to_string(),
+        description: "Create a new proxy configuration.".to_string(),
        input_schema: serde_json::json!({
          "type": "object",
          "properties": {
@@ -740,18 +749,9 @@ impl McpServer {
            "password": {
              "type": "string",
              "description": "Optional password for authentication (for regular proxies)"
-            },
-            "dynamic_proxy_url": {
-              "type": "string",
-              "description": "URL to fetch proxy settings from (for dynamic proxies)"
-            },
-            "dynamic_proxy_format": {
-              "type": "string",
-              "enum": ["json", "text"],
-              "description": "Format of the dynamic proxy response: 'json' for JSON object or 'text' for text like host:port:user:pass (for dynamic proxies)"
            }
          },
-          "required": ["name"]
+          "required": ["name", "proxy_type", "host", "port"]
        }),
      },
      McpTool {
@@ -788,15 +788,6 @@ impl McpServer {
            "password": {
              "type": "string",
              "description": "Optional password for authentication (for regular proxies)"
-            },
-            "dynamic_proxy_url": {
-              "type": "string",
-              "description": "URL to fetch proxy settings from (for dynamic proxies)"
-            },
-            "dynamic_proxy_format": {
-              "type": "string",
-              "enum": ["json", "text"],
-              "description": "Format of the dynamic proxy response (for dynamic proxies)"
            }
          },
          "required": ["proxy_id"]
@@ -1008,6 +999,36 @@ impl McpServer {
          "required": ["profile_id", "rules"]
        }),
      },
+      McpTool {
+        name: "update_profile_dns_blocklist".to_string(),
+        description:
+          "Update the DNS blocklist level for a profile. Blocks ads, trackers, and malware domains at the proxy level."
+            .to_string(),
+        input_schema: serde_json::json!({
+          "type": "object",
+          "properties": {
+            "profile_id": {
+              "type": "string",
+              "description": "The UUID of the profile to update"
+            },
+            "level": {
+              "type": "string",
+              "enum": ["none", "light", "normal", "pro", "pro_plus", "ultimate"],
+              "description": "DNS blocklist level. 'none' disables blocking."
+            }
+          },
+          "required": ["profile_id", "level"]
+        }),
+      },
+      McpTool {
+        name: "get_dns_blocklist_status".to_string(),
+        description: "Get the cache status of all DNS blocklist tiers including entry counts and freshness.".to_string(),
+        input_schema: serde_json::json!({
+          "type": "object",
+          "properties": {},
+          "required": []
+        }),
+      },
      McpTool {
        name: "list_extensions".to_string(),
        description: "List all managed browser extensions. Requires Pro subscription.".to_string(),
@@ -1481,6 +1502,9 @@ impl McpServer {
          .handle_update_profile_proxy_bypass_rules(&arguments)
          .await
      }
+      // DNS blocklist management
+      "update_profile_dns_blocklist" => self.handle_update_profile_dns_blocklist(&arguments).await,
+      "get_dns_blocklist_status" => self.handle_get_dns_blocklist_status().await,
      // Extension management
      "list_extensions" => self.handle_list_extensions().await,
      "list_extension_groups" => self.handle_list_extension_groups().await,
@@ -1775,6 +1799,10 @@ impl McpServer {
      .get("proxy_id")
      .and_then(|v| v.as_str())
      .map(|s| s.to_string());
+    let launch_hook = arguments
+      .get("launch_hook")
+      .and_then(|v| v.as_str())
+      .map(|s| s.to_string());
    let group_id = arguments
      .get("group_id")
      .and_then(|v| v.as_str())
@@ -1804,7 +1832,19 @@ impl McpServer {

    let mut profile = ProfileManager::instance()
      .create_profile_with_group(
-        app_handle, name, browser, version, "stable", proxy_id, None, None, None, group_id, false,
+        app_handle,
+        name,
+        browser,
+        version,
+        "stable",
+        proxy_id,
+        None,
+        None,
+        None,
+        group_id,
+        false,
+        None,
+        launch_hook,
      )
      .await
      .map_err(|e| McpError {
@@ -1872,6 +1912,19 @@ impl McpServer {
        })?;
    }

+    if let Some(launch_hook) = arguments.get("launch_hook").and_then(|v| v.as_str()) {
+      let normalized = if launch_hook.is_empty() {
+        None
+      } else {
+        Some(launch_hook.to_string())
+      };
+      pm.update_profile_launch_hook(app_handle, profile_id, normalized)
+        .map_err(|e| McpError {
+          code: -32000,
+          message: format!("Failed to update launch hook: {e}"),
+        })?;
+    }
+
    if let Some(group_id) = arguments.get("group_id").and_then(|v| v.as_str()) {
      let gid = if group_id.is_empty() {
        None
@@ -2326,74 +2379,54 @@ impl McpServer {
      message: "MCP server not properly initialized".to_string(),
    })?;

-    // Check if this is a dynamic proxy creation
-    let dynamic_url = arguments.get("dynamic_proxy_url").and_then(|v| v.as_str());
-    let dynamic_format = arguments
-      .get("dynamic_proxy_format")
-      .and_then(|v| v.as_str());
+    let proxy_type = arguments
+      .get("proxy_type")
+      .and_then(|v| v.as_str())
+      .ok_or_else(|| McpError {
+        code: -32602,
+        message: "Missing proxy_type".to_string(),
+      })?;

-    let proxy = if let (Some(url), Some(format)) = (dynamic_url, dynamic_format) {
-      PROXY_MANAGER
-        .create_dynamic_proxy(
-          app_handle,
-          name.to_string(),
-          url.to_string(),
-          format.to_string(),
-        )
-        .map_err(|e| McpError {
-          code: -32000,
-          message: format!("Failed to create dynamic proxy: {e}"),
-        })?
-    } else {
-      let proxy_type = arguments
-        .get("proxy_type")
-        .and_then(|v| v.as_str())
-        .ok_or_else(|| McpError {
-          code: -32602,
-          message: "Missing proxy_type (required for regular proxies)".to_string(),
-        })?;
+    let host = arguments
+      .get("host")
+      .and_then(|v| v.as_str())
+      .ok_or_else(|| McpError {
+        code: -32602,
+        message: "Missing host".to_string(),
+      })?;

-      let host = arguments
-        .get("host")
-        .and_then(|v| v.as_str())
-        .ok_or_else(|| McpError {
-          code: -32602,
-          message: "Missing host (required for regular proxies)".to_string(),
-        })?;
+    let port = arguments
+      .get("port")
+      .and_then(|v| v.as_u64())
+      .ok_or_else(|| McpError {
+        code: -32602,
+        message: "Missing port".to_string(),
+      })? as u16;

-      let port = arguments
-        .get("port")
-        .and_then(|v| v.as_u64())
-        .ok_or_else(|| McpError {
-          code: -32602,
-          message: "Missing port (required for regular proxies)".to_string(),
-        })? as u16;
+    let username = arguments
+      .get("username")
+      .and_then(|v| v.as_str())
+      .map(|s| s.to_string());
+    let password = arguments
+      .get("password")
+      .and_then(|v| v.as_str())
+      .map(|s| s.to_string());

-      let username = arguments
-        .get("username")
-        .and_then(|v| v.as_str())
-        .map(|s| s.to_string());
-      let password = arguments
-        .get("password")
-        .and_then(|v| v.as_str())
-        .map(|s| s.to_string());
-
-      let proxy_settings = ProxySettings {
-        proxy_type: proxy_type.to_string(),
-        host: host.to_string(),
-        port,
-        username,
-        password,
-      };
-
-      PROXY_MANAGER
-        .create_stored_proxy(app_handle, name.to_string(), proxy_settings)
-        .map_err(|e| McpError {
-          code: -32000,
-          message: format!("Failed to create proxy: {e}"),
-        })?
+    let proxy_settings = ProxySettings {
+      proxy_type: proxy_type.to_string(),
+      host: host.to_string(),
+      port,
+      username,
+      password,
    };

+    let proxy = PROXY_MANAGER
+      .create_stored_proxy(app_handle, name.to_string(), proxy_settings)
+      .map_err(|e| McpError {
+        code: -32000,
+        message: format!("Failed to create proxy: {e}"),
+      })?;
+
    Ok(serde_json::json!({
      "content": [{
        "type": "text",
@@ -2482,32 +2515,12 @@ impl McpServer {
      message: "MCP server not properly initialized".to_string(),
    })?;

-    // Check for dynamic proxy fields
-    let dynamic_url = arguments
-      .get("dynamic_proxy_url")
-      .and_then(|v| v.as_str())
-      .map(|s| s.to_string());
-    let dynamic_format = arguments
-      .get("dynamic_proxy_format")
-      .and_then(|v| v.as_str())
-      .map(|s| s.to_string());
-    let is_dynamic = PROXY_MANAGER.is_dynamic_proxy(proxy_id) || dynamic_url.is_some();
-
-    let proxy = if is_dynamic {
-      PROXY_MANAGER
-        .update_dynamic_proxy(app_handle, proxy_id, name, dynamic_url, dynamic_format)
-        .map_err(|e| McpError {
-          code: -32000,
-          message: format!("Failed to update dynamic proxy: {e}"),
-        })?
-    } else {
-      PROXY_MANAGER
-        .update_stored_proxy(app_handle, proxy_id, name, proxy_settings)
-        .map_err(|e| McpError {
-          code: -32000,
-          message: format!("Failed to update proxy: {e}"),
-        })?
-    };
+    let proxy = PROXY_MANAGER
+      .update_stored_proxy(app_handle, proxy_id, name, proxy_settings)
+      .map_err(|e| McpError {
+        code: -32000,
+        message: format!("Failed to update proxy: {e}"),
+      })?;

    Ok(serde_json::json!({
      "content": [{
@@ -3118,6 +3131,61 @@ impl McpServer {
    }))
  }

+  async fn handle_update_profile_dns_blocklist(
+    &self,
+    arguments: &serde_json::Value,
+  ) -> Result<serde_json::Value, McpError> {
+    let profile_id = arguments
+      .get("profile_id")
+      .and_then(|v| v.as_str())
+      .ok_or_else(|| McpError {
+        code: -32602,
+        message: "Missing profile_id".to_string(),
+      })?;
+
+    let level = arguments
+      .get("level")
+      .and_then(|v| v.as_str())
+      .ok_or_else(|| McpError {
+        code: -32602,
+        message: "Missing level".to_string(),
+      })?;
+
+    let dns_blocklist = if level == "none" {
+      None
+    } else {
+      Some(level.to_string())
+    };
+
+    let profile = ProfileManager::instance()
+      .update_profile_dns_blocklist(profile_id, dns_blocklist)
+      .map_err(|e| McpError {
+        code: -32000,
+        message: format!("Failed to update DNS blocklist: {e}"),
+      })?;
+
+    Ok(serde_json::json!({
+      "content": [{
+        "type": "text",
+        "text": format!(
+          "DNS blocklist updated for profile '{}': {}",
+          profile.name,
+          level
+        )
+      }]
+    }))
+  }
+
+  async fn handle_get_dns_blocklist_status(&self) -> Result<serde_json::Value, McpError> {
+    let statuses = crate::dns_blocklist::BlocklistManager::get_cache_status();
+    Ok(serde_json::json!({
+      "content": [{
+        "type": "text",
+        "text": serde_json::to_string_pretty(&statuses).unwrap_or_default()
+      }]
+    }))
+  }
+
  async fn handle_list_extensions(&self) -> Result<serde_json::Value, McpError> {
    if !CLOUD_AUTH.has_active_paid_subscription().await {
      return Err(McpError {
@@ -89,96 +89,17 @@ pub mod macos {
      }
    }

-    // Fallback: Use AppleScript
-    let escaped_url = url
-      .replace("\"", "\\\"")
-      .replace("\\", "\\\\")
-      .replace("'", "\\'");
-
-    let script = format!(
-      r#"
-try
-  tell application "System Events"
-    -- Find the exact process by PID
-    set targetProcess to (first application process whose unix id is {pid})
-    
-    -- Verify the process exists
-    if not (exists targetProcess) then
-      error "No process found with PID {pid}"
-    end if
-    
-    -- Get the process name for verification
-    set processName to name of targetProcess
-    
-    -- Bring the process to the front first
-    set frontmost of targetProcess to true
-    delay 1.0
-    
-    -- Check if the process has any visible windows
-    set windowList to windows of targetProcess
-    set hasVisibleWindow to false
-    repeat with w in windowList
-      if visible of w is true then
-        set hasVisibleWindow to true
-        exit repeat
-      end if
-    end repeat
-    
-    if not hasVisibleWindow then
-      -- No visible windows, create a new one
-      tell targetProcess
-        keystroke "n" using command down
-        delay 2.0
-      end tell
-    end if
-    
-    -- Ensure the process is frontmost again
-    set frontmost of targetProcess to true
-    delay 0.5
-    
-    -- Focus on the address bar and open URL
-    tell targetProcess
-      -- Open a new tab
-      keystroke "t" using command down
-      delay 1.5
-      
-      -- Focus address bar (Cmd+L)
-      keystroke "l" using command down
-      delay 0.5
-      
-      -- Type the URL
-      keystroke "{escaped_url}"
-      delay 0.5
-      
-      -- Press Enter to navigate
-      keystroke return
-    end tell
-    
-    return "Successfully opened URL in " & processName & " (PID: {pid})"
-  end tell
-on error errMsg number errNum
-  return "AppleScript failed: " & errMsg & " (Error " & errNum & ")"
-end try
-      "#
-    );
-
-    log::info!("Executing AppleScript fallback for Firefox-based browser (PID: {pid})...");
-    let output = Command::new("osascript").args(["-e", &script]).output()?;
-
-    if !output.status.success() {
-      let error_msg = String::from_utf8_lossy(&output.stderr);
-      log::info!("AppleScript failed: {error_msg}");
-      return Err(
-        format!(
-          "Both Firefox remote command and AppleScript failed. AppleScript error: {error_msg}"
-        )
-        .into(),
-      );
-    } else {
-      log::info!("AppleScript succeeded");
-    }
-
-    Ok(())
+    // The Firefox `-new-tab` remote command failed. We intentionally do NOT
+    // fall back to an AppleScript `System Events` keystroke path: that would
+    // send Apple Events to another application and trigger the macOS TCC
+    // "<Donut> wants control of <Browser>" / "prevented from modifying other
+    // apps" prompts. Donut must never touch other apps on the user's Mac.
+    Err(
+      format!(
+        "Firefox remote command failed for PID {pid}; cannot open URL in existing window without touching other apps"
+      )
+      .into(),
+    )
  }

  pub async fn kill_browser_process_impl(
@@ -378,93 +299,18 @@ end try
      }
    }

-    // Fallback to AppleScript
-    let escaped_url = url
-      .replace("\"", "\\\"")
-      .replace("\\", "\\\\")
-      .replace("'", "\\'");
-
-    let script = format!(
-      r#"
-try
-  tell application "System Events"
-    -- Find the exact process by PID
-    set targetProcess to (first application process whose unix id is {pid})
-    
-    -- Verify the process exists
-    if not (exists targetProcess) then
-      error "No process found with PID {pid}"
-    end if
-    
-    -- Get the process name for verification
-    set processName to name of targetProcess
-    
-    -- Bring the process to the front first
-    set frontmost of targetProcess to true
-    delay 1.0
-    
-    -- Check if the process has any visible windows
-    set windowList to windows of targetProcess
-    set hasVisibleWindow to false
-    repeat with w in windowList
-      if visible of w is true then
-        set hasVisibleWindow to true
-        exit repeat
-      end if
-    end repeat
-    
-    if not hasVisibleWindow then
-      -- No visible windows, create a new one
-      tell targetProcess
-        keystroke "n" using command down
-        delay 2.0
-      end tell
-    end if
-    
-    -- Ensure the process is frontmost again
-    set frontmost of targetProcess to true
-    delay 0.5
-    
-    -- Focus on the address bar and open URL
-    tell targetProcess
-      -- Open a new tab
-      keystroke "t" using command down
-      delay 1.5
-      
-      -- Focus address bar (Cmd+L)
-      keystroke "l" using command down
-      delay 0.5
-      
-      -- Type the URL
-      keystroke "{escaped_url}"
-      delay 0.5
-      
-      -- Press Enter to navigate
-      keystroke return
-    end tell
-    
-    return "Successfully opened URL in " & processName & " (PID: {pid})"
-  end tell
-on error errMsg number errNum
-  return "AppleScript failed: " & errMsg & " (Error " & errNum & ")"
-end try
-      "#
-    );
-
-    log::info!("Executing AppleScript for Chromium-based browser (PID: {pid})...");
-    let output = Command::new("osascript").args(["-e", &script]).output()?;
-
-    if !output.status.success() {
-      let error_msg = String::from_utf8_lossy(&output.stderr);
-      log::info!("AppleScript failed: {error_msg}");
-      return Err(
-        format!("Failed to open URL in existing Chromium-based browser: {error_msg}").into(),
-      );
-    } else {
-      log::info!("AppleScript succeeded");
-    }
-
-    Ok(())
+    // The Chromium `--user-data-dir=<path> <url>` remote command failed.
+    // We intentionally do NOT fall back to an AppleScript `System Events`
+    // keystroke path: that would send Apple Events to another application
+    // and trigger the macOS TCC "<Donut> wants control of <Browser>" /
+    // "prevented from modifying other apps" prompts. Donut must never touch
+    // other apps on the user's Mac.
+    Err(
+      format!(
+        "Chromium remote command failed for PID {pid}; cannot open URL in existing window without touching other apps"
+      )
+      .into(),
+    )
  }
 }

@@ -10,6 +10,7 @@ use crate::wayfern_manager::WayfernConfig;
 use std::fs::{self, create_dir_all};
 use std::path::{Path, PathBuf};
 use sysinfo::{Pid, ProcessRefreshKind, RefreshKind, System};
+use url::Url;

 pub struct ProfileManager {
  camoufox_manager: &'static crate::camoufox_manager::CamoufoxManager,
@@ -36,6 +37,25 @@ impl ProfileManager {
    crate::app_dirs::binaries_dir()
  }

+  fn normalize_launch_hook(
+    launch_hook: Option<String>,
+  ) -> Result<Option<String>, Box<dyn std::error::Error>> {
+    let Some(raw) = launch_hook else {
+      return Ok(None);
+    };
+
+    let trimmed = raw.trim();
+    if trimmed.is_empty() {
+      return Ok(None);
+    }
+
+    let parsed = Url::parse(trimmed).map_err(|e| format!("Invalid launch hook URL: {e}"))?;
+    match parsed.scheme() {
+      "http" | "https" => Ok(Some(parsed.to_string())),
+      _ => Err("Launch hook URL must use http or https".into()),
+    }
+  }
+
  #[allow(clippy::too_many_arguments)]
  pub async fn create_profile_with_group(
    &self,
@@ -50,11 +70,15 @@ impl ProfileManager {
    wayfern_config: Option<WayfernConfig>,
    group_id: Option<String>,
    ephemeral: bool,
+    dns_blocklist: Option<String>,
+    launch_hook: Option<String>,
  ) -> Result<BrowserProfile, Box<dyn std::error::Error>> {
    if proxy_id.is_some() && vpn_id.is_some() {
      return Err("Cannot set both proxy_id and vpn_id".into());
    }

+    let launch_hook = Self::normalize_launch_hook(launch_hook)?;
+
    // Sync cloud proxy credentials if the profile uses a cloud or cloud-derived proxy
    if let Some(ref pid) = proxy_id {
      if PROXY_MANAGER.is_cloud_or_derived(pid) || pid == crate::proxy_manager::CLOUD_PROXY_ID {
@@ -141,6 +165,7 @@ impl ProfileManager {
          version: version.to_string(),
          proxy_id: proxy_id.clone(),
          vpn_id: None,
+          launch_hook: launch_hook.clone(),
          process_id: None,
          last_launch: None,
          release_type: release_type.to_string(),
@@ -158,6 +183,7 @@ impl ProfileManager {
          proxy_bypass_rules: Vec::new(),
          created_by_id: None,
          created_by_email: None,
+          dns_blocklist: None,
        };

        match self
@@ -240,6 +266,7 @@ impl ProfileManager {
          version: version.to_string(),
          proxy_id: proxy_id.clone(),
          vpn_id: None,
+          launch_hook: launch_hook.clone(),
          process_id: None,
          last_launch: None,
          release_type: release_type.to_string(),
@@ -257,6 +284,7 @@ impl ProfileManager {
          proxy_bypass_rules: Vec::new(),
          created_by_id: None,
          created_by_email: None,
+          dns_blocklist: None,
        };

        match self
@@ -293,6 +321,7 @@ impl ProfileManager {
      version: version.to_string(),
      proxy_id: proxy_id.clone(),
      vpn_id: vpn_id.clone(),
+      launch_hook,
      process_id: None,
      last_launch: None,
      release_type: release_type.to_string(),
@@ -310,6 +339,7 @@ impl ProfileManager {
      proxy_bypass_rules: Vec::new(),
      created_by_id: None,
      created_by_email: None,
+      dns_blocklist,
    };

    // Save profile info
@@ -735,6 +765,35 @@ impl ProfileManager {
    Ok(profile)
  }

+  pub fn update_profile_launch_hook(
+    &self,
+    _app_handle: &tauri::AppHandle,
+    profile_id: &str,
+    launch_hook: Option<String>,
+  ) -> Result<BrowserProfile, Box<dyn std::error::Error>> {
+    let profile_uuid =
+      uuid::Uuid::parse_str(profile_id).map_err(|_| format!("Invalid profile ID: {profile_id}"))?;
+    let profiles = self.list_profiles()?;
+    let mut profile = profiles
+      .into_iter()
+      .find(|p| p.id == profile_uuid)
+      .ok_or_else(|| format!("Profile with ID '{profile_id}' not found"))?;
+
+    profile.launch_hook = Self::normalize_launch_hook(launch_hook)?;
+
+    self.save_profile(&profile)?;
+
+    if let Err(e) = events::emit("profile-updated", &profile) {
+      log::warn!("Warning: Failed to emit profile update event: {e}");
+    }
+
+    if let Err(e) = events::emit_empty("profiles-changed") {
+      log::warn!("Warning: Failed to emit profiles-changed event: {e}");
+    }
+
+    Ok(profile)
+  }
+
  pub fn update_profile_proxy_bypass_rules(
    &self,
    _app_handle: &tauri::AppHandle,
@@ -760,6 +819,30 @@ impl ProfileManager {
    Ok(profile)
  }

+  pub fn update_profile_dns_blocklist(
+    &self,
+    profile_id: &str,
+    dns_blocklist: Option<String>,
+  ) -> Result<BrowserProfile, Box<dyn std::error::Error>> {
+    let profile_uuid =
+      uuid::Uuid::parse_str(profile_id).map_err(|_| format!("Invalid profile ID: {profile_id}"))?;
+    let profiles = self.list_profiles()?;
+    let mut profile = profiles
+      .into_iter()
+      .find(|p| p.id == profile_uuid)
+      .ok_or_else(|| format!("Profile with ID '{profile_id}' not found"))?;
+
+    profile.dns_blocklist = dns_blocklist;
+
+    self.save_profile(&profile)?;
+
+    if let Err(e) = events::emit_empty("profiles-changed") {
+      log::warn!("Warning: Failed to emit profiles-changed event: {e}");
+    }
+
+    Ok(profile)
+  }
+
  pub fn delete_multiple_profiles(
    &self,
    app_handle: &tauri::AppHandle,
@@ -885,6 +968,7 @@ impl ProfileManager {
      version: source.version,
      proxy_id: source.proxy_id,
      vpn_id: source.vpn_id,
+      launch_hook: source.launch_hook,
      process_id: None,
      last_launch: None,
      release_type: source.release_type,
@@ -902,6 +986,7 @@ impl ProfileManager {
      proxy_bypass_rules: source.proxy_bypass_rules,
      created_by_id: None,
      created_by_email: None,
+      dns_blocklist: source.dns_blocklist,
    };

    self.save_profile(&new_profile)?;
@@ -1941,6 +2026,36 @@ mod tests {
      "PAC URL should percent-encode spaces: {pac_line}"
    );
  }
+
+  #[test]
+  fn test_normalize_launch_hook_accepts_http_and_https() {
+    let http =
+      ProfileManager::normalize_launch_hook(Some(" http://localhost:3000/hook ".to_string()))
+        .unwrap();
+    let https = ProfileManager::normalize_launch_hook(Some(
+      "https://example.com/hooks/profile-launch".to_string(),
+    ))
+    .unwrap();
+
+    assert_eq!(http.as_deref(), Some("http://localhost:3000/hook"));
+    assert_eq!(
+      https.as_deref(),
+      Some("https://example.com/hooks/profile-launch")
+    );
+  }
+
+  #[test]
+  fn test_normalize_launch_hook_clears_empty_values() {
+    let result = ProfileManager::normalize_launch_hook(Some("   ".to_string())).unwrap();
+    assert!(result.is_none());
+  }
+
+  #[test]
+  fn test_normalize_launch_hook_rejects_invalid_scheme() {
+    let err = ProfileManager::normalize_launch_hook(Some("ftp://example.com/hook".to_string()))
+      .unwrap_err();
+    assert!(err.to_string().contains("http or https"));
+  }
 }

 #[allow(clippy::too_many_arguments)]
@@ -1957,6 +2072,8 @@ pub async fn create_browser_profile_with_group(
  wayfern_config: Option<WayfernConfig>,
  group_id: Option<String>,
  ephemeral: bool,
+  dns_blocklist: Option<String>,
+  launch_hook: Option<String>,
 ) -> Result<BrowserProfile, String> {
  let profile_manager = ProfileManager::instance();
  profile_manager
@@ -1972,6 +2089,8 @@ pub async fn create_browser_profile_with_group(
      wayfern_config,
      group_id,
      ephemeral,
+      dns_blocklist,
+      launch_hook,
    )
    .await
    .map_err(|e| format!("Failed to create profile: {e}"))
@@ -2035,6 +2154,18 @@ pub fn update_profile_note(
    .map_err(|e| format!("Failed to update profile note: {e}"))
 }

+#[tauri::command]
+pub fn update_profile_launch_hook(
+  app_handle: tauri::AppHandle,
+  profile_id: String,
+  launch_hook: Option<String>,
+) -> Result<BrowserProfile, String> {
+  let profile_manager = ProfileManager::instance();
+  profile_manager
+    .update_profile_launch_hook(&app_handle, &profile_id, launch_hook)
+    .map_err(|e| format!("Failed to update profile launch hook: {e}"))
+}
+
 #[tauri::command]
 pub fn update_profile_proxy_bypass_rules(
  app_handle: tauri::AppHandle,
@@ -2047,6 +2178,17 @@ pub fn update_profile_proxy_bypass_rules(
    .map_err(|e| format!("Failed to update proxy bypass rules: {e}"))
 }

+#[tauri::command]
+pub fn update_profile_dns_blocklist(
+  profile_id: String,
+  dns_blocklist: Option<String>,
+) -> Result<BrowserProfile, String> {
+  let profile_manager = ProfileManager::instance();
+  profile_manager
+    .update_profile_dns_blocklist(&profile_id, dns_blocklist)
+    .map_err(|e| format!("Failed to update DNS blocklist: {e}"))
+}
+
 #[tauri::command]
 pub async fn check_browser_status(
  app_handle: tauri::AppHandle,
@@ -2085,6 +2227,8 @@ pub async fn create_browser_profile_new(
  wayfern_config: Option<WayfernConfig>,
  group_id: Option<String>,
  ephemeral: Option<bool>,
+  dns_blocklist: Option<String>,
+  launch_hook: Option<String>,
 ) -> Result<BrowserProfile, String> {
  let fingerprint_os = camoufox_config
    .as_ref()
@@ -2112,6 +2256,8 @@ pub async fn create_browser_profile_new(
    wayfern_config,
    group_id,
    ephemeral.unwrap_or(false),
+    dns_blocklist,
+    launch_hook,
  )
  .await
 }
@@ -21,7 +21,7 @@ pub enum SyncMode {
  Encrypted,
 }

-#[derive(Debug, Serialize, Deserialize, Clone)]
+#[derive(Debug, Serialize, Deserialize, Clone, Default)]
 pub struct BrowserProfile {
  pub id: uuid::Uuid,
  pub name: String,
@@ -32,6 +32,8 @@ pub struct BrowserProfile {
  #[serde(default)]
  pub vpn_id: Option<String>, // Reference to stored VPN config
  #[serde(default)]
+  pub launch_hook: Option<String>,
+  #[serde(default)]
  pub process_id: Option<u32>,
  #[serde(default)]
  pub last_launch: Option<u64>,
@@ -65,6 +67,8 @@ pub struct BrowserProfile {
  pub created_by_id: Option<String>,
  #[serde(default)]
  pub created_by_email: Option<String>,
+  #[serde(default)]
+  pub dns_blocklist: Option<String>,
 }

 pub fn default_release_type() -> String {
@@ -565,6 +565,7 @@ impl ProfileImporter {
          version: version.clone(),
          proxy_id: proxy_id.clone(),
          vpn_id: None,
+          launch_hook: None,
          process_id: None,
          last_launch: None,
          release_type: "stable".to_string(),
@@ -582,6 +583,7 @@ impl ProfileImporter {
          proxy_bypass_rules: Vec::new(),
          created_by_id: None,
          created_by_email: None,
+          dns_blocklist: None,
        };

        match self
@@ -643,6 +645,7 @@ impl ProfileImporter {
          version: version.clone(),
          proxy_id: proxy_id.clone(),
          vpn_id: None,
+          launch_hook: None,
          process_id: None,
          last_launch: None,
          release_type: "stable".to_string(),
@@ -660,6 +663,7 @@ impl ProfileImporter {
          proxy_bypass_rules: Vec::new(),
          created_by_id: None,
          created_by_email: None,
+          dns_blocklist: None,
        };

        match self
@@ -692,6 +696,7 @@ impl ProfileImporter {
      version,
      proxy_id,
      vpn_id: None,
+      launch_hook: None,
      process_id: None,
      last_launch: None,
      release_type: "stable".to_string(),
@@ -709,6 +714,7 @@ impl ProfileImporter {
      proxy_bypass_rules: Vec::new(),
      created_by_id: None,
      created_by_email: None,
+      dns_blocklist: None,
    };

    self.profile_manager.save_profile(&profile)?;
@@ -77,6 +77,7 @@ pub struct ProxyInfo {
  pub local_port: u16,
  // Optional profile ID to which this proxy instance is logically tied
  pub profile_id: Option<String>,
+  pub blocklist_file: Option<String>,
 }

 // Proxy check result cache
@@ -144,10 +145,6 @@ impl StoredProxy {
    }
  }

-  pub fn is_dynamic(&self) -> bool {
-    self.dynamic_proxy_url.is_some()
-  }
-
  /// Migrate legacy geo_state to geo_region
  pub fn migrate_geo_fields(&mut self) {
    if self.geo_region.is_none() && self.geo_state.is_some() {
@@ -1065,20 +1062,13 @@ impl ProxyManager {
    self.load_proxy_check_cache(proxy_id)
  }

-  // Check if a stored proxy is dynamic
-  pub fn is_dynamic_proxy(&self, proxy_id: &str) -> bool {
-    let stored_proxies = self.stored_proxies.lock().unwrap();
-    stored_proxies.get(proxy_id).is_some_and(|p| p.is_dynamic())
-  }
-
-  // Fetch proxy settings from a dynamic proxy URL
-  pub async fn fetch_dynamic_proxy(
+  pub async fn fetch_proxy_from_url(
    &self,
    url: &str,
-    format: &str,
-  ) -> Result<ProxySettings, String> {
+    timeout: std::time::Duration,
+  ) -> Result<Option<ProxySettings>, String> {
    let client = reqwest::Client::builder()
-      .timeout(std::time::Duration::from_secs(15))
+      .timeout(timeout)
      .build()
      .map_err(|e| format!("Failed to create HTTP client: {e}"))?;

@@ -1086,33 +1076,39 @@ impl ProxyManager {
      .get(url)
      .send()
      .await
-      .map_err(|e| format!("Failed to fetch dynamic proxy: {e}"))?;
+      .map_err(|e| format!("Failed to fetch launch hook: {e}"))?;
+
+    if response.status() == reqwest::StatusCode::NO_CONTENT {
+      return Ok(None);
+    }

    if !response.status().is_success() {
-      return Err(format!(
-        "Dynamic proxy URL returned status {}",
-        response.status()
-      ));
+      return Err(format!("Launch hook returned status {}", response.status()));
    }

    let body = response
      .text()
      .await
-      .map_err(|e| format!("Failed to read dynamic proxy response: {e}"))?;
+      .map_err(|e| format!("Failed to read launch hook response: {e}"))?;

    let body = body.trim();
    if body.is_empty() {
-      return Err("Dynamic proxy URL returned empty response".to_string());
+      return Err("Launch hook returned empty response".to_string());
    }

-    match format {
-      "json" => Self::parse_dynamic_proxy_json(body),
-      "text" => Self::parse_dynamic_proxy_text(body),
-      _ => Err(format!("Unsupported dynamic proxy format: {format}")),
+    if let Ok(settings) = Self::parse_dynamic_proxy_json(body) {
+      return Ok(Some(settings));
+    }
+
+    match Self::parse_dynamic_proxy_text(body) {
+      Ok(settings) => Ok(Some(settings)),
+      Err(text_error) => Err(format!(
+        "Failed to parse launch hook response: {text_error}"
+      )),
    }
  }

-  // Parse JSON format: { "ip"/"host": "...", "port": ..., "username": "...", "password": "..." }
+  // Parse JSON proxy payload: { "ip"/"host": "...", "port": ..., "username": "...", "password": "..." }
  fn parse_dynamic_proxy_json(body: &str) -> Result<ProxySettings, String> {
    let json: serde_json::Value =
      serde_json::from_str(body).map_err(|e| format!("Invalid JSON response: {e}"))?;
@@ -1178,7 +1174,7 @@ impl ProxyManager {
    })
  }

-  // Parse text format using the same logic as proxy import
+  // Parse plain text proxy payload using the same logic as proxy import
  fn parse_dynamic_proxy_text(body: &str) -> Result<ProxySettings, String> {
    let line = body
      .lines()
@@ -1209,136 +1205,6 @@ impl ProxyManager {
    }
  }

-  // Resolve dynamic proxy: fetch from URL and return settings
-  pub async fn resolve_dynamic_proxy(&self, proxy_id: &str) -> Result<ProxySettings, String> {
-    let (url, format) = {
-      let stored_proxies = self.stored_proxies.lock().unwrap();
-      let proxy = stored_proxies
-        .get(proxy_id)
-        .ok_or_else(|| format!("Proxy '{proxy_id}' not found"))?;
-
-      match (&proxy.dynamic_proxy_url, &proxy.dynamic_proxy_format) {
-        (Some(url), Some(format)) => (url.clone(), format.clone()),
-        _ => return Err("Proxy is not a dynamic proxy".to_string()),
-      }
-    };
-
-    self.fetch_dynamic_proxy(&url, &format).await
-  }
-
-  // Create a dynamic stored proxy
-  pub fn create_dynamic_proxy(
-    &self,
-    _app_handle: &tauri::AppHandle,
-    name: String,
-    url: String,
-    format: String,
-  ) -> Result<StoredProxy, String> {
-    {
-      let stored_proxies = self.stored_proxies.lock().unwrap();
-      if stored_proxies.values().any(|p| p.name == name) {
-        return Err(format!("Proxy with name '{name}' already exists"));
-      }
-    }
-
-    let placeholder_settings = ProxySettings {
-      proxy_type: "http".to_string(),
-      host: "dynamic".to_string(),
-      port: 0,
-      username: None,
-      password: None,
-    };
-
-    let mut stored_proxy = StoredProxy::new(name, placeholder_settings);
-    stored_proxy.dynamic_proxy_url = Some(url);
-    stored_proxy.dynamic_proxy_format = Some(format);
-
-    {
-      let mut stored_proxies = self.stored_proxies.lock().unwrap();
-      stored_proxies.insert(stored_proxy.id.clone(), stored_proxy.clone());
-    }
-
-    if let Err(e) = self.save_proxy(&stored_proxy) {
-      log::warn!("Failed to save proxy: {e}");
-    }
-
-    if let Err(e) = events::emit_empty("proxies-changed") {
-      log::error!("Failed to emit proxies-changed event: {e}");
-    }
-
-    if stored_proxy.sync_enabled {
-      if let Some(scheduler) = crate::sync::get_global_scheduler() {
-        let id = stored_proxy.id.clone();
-        tauri::async_runtime::spawn(async move {
-          scheduler.queue_proxy_sync(id).await;
-        });
-      }
-    }
-
-    Ok(stored_proxy)
-  }
-
-  // Update a dynamic proxy's URL and format
-  pub fn update_dynamic_proxy(
-    &self,
-    _app_handle: &tauri::AppHandle,
-    proxy_id: &str,
-    name: Option<String>,
-    url: Option<String>,
-    format: Option<String>,
-  ) -> Result<StoredProxy, String> {
-    {
-      let stored_proxies = self.stored_proxies.lock().unwrap();
-      if !stored_proxies.contains_key(proxy_id) {
-        return Err(format!("Proxy with ID '{proxy_id}' not found"));
-      }
-      if let Some(ref new_name) = name {
-        if stored_proxies
-          .values()
-          .any(|p| p.id != proxy_id && p.name == *new_name)
-        {
-          return Err(format!("Proxy with name '{new_name}' already exists"));
-        }
-      }
-    }
-
-    let updated_proxy = {
-      let mut stored_proxies = self.stored_proxies.lock().unwrap();
-      let stored_proxy = stored_proxies.get_mut(proxy_id).unwrap();
-
-      if let Some(new_name) = name {
-        stored_proxy.update_name(new_name);
-      }
-      if let Some(new_url) = url {
-        stored_proxy.dynamic_proxy_url = Some(new_url);
-      }
-      if let Some(new_format) = format {
-        stored_proxy.dynamic_proxy_format = Some(new_format);
-      }
-
-      stored_proxy.clone()
-    };
-
-    if let Err(e) = self.save_proxy(&updated_proxy) {
-      log::warn!("Failed to save proxy: {e}");
-    }
-
-    if let Err(e) = events::emit_empty("proxies-changed") {
-      log::error!("Failed to emit proxies-changed event: {e}");
-    }
-
-    if updated_proxy.sync_enabled {
-      if let Some(scheduler) = crate::sync::get_global_scheduler() {
-        let id = updated_proxy.id.clone();
-        tauri::async_runtime::spawn(async move {
-          scheduler.queue_proxy_sync(id).await;
-        });
-      }
-    }
-
-    Ok(updated_proxy)
-  }
-
  // Export all proxies as JSON
  pub fn export_proxies_json(&self) -> Result<String, String> {
    let stored_proxies = self.stored_proxies.lock().unwrap();
@@ -1675,6 +1541,7 @@ impl ProxyManager {
    browser_pid: u32,
    profile_id: Option<&str>,
    bypass_rules: Vec<String>,
+    blocklist_file: Option<String>,
  ) -> Result<ProxySettings, String> {
    if let Some(name) = profile_id {
      // Check if we have an active proxy recorded for this profile
@@ -1802,6 +1669,11 @@ impl ProxyManager {
      proxy_cmd = proxy_cmd.arg("--bypass-rules").arg(rules_json);
    }

+    // Add blocklist file path if provided
+    if let Some(ref path) = blocklist_file {
+      proxy_cmd = proxy_cmd.arg("--blocklist-file").arg(path);
+    }
+
    // Execute the command and wait for it to complete
    // The donut-proxy binary should start the worker and then exit
    let output = proxy_cmd
@@ -1847,6 +1719,7 @@ impl ProxyManager {
        .unwrap_or_else(|| "DIRECT".to_string()),
      local_port,
      profile_id: profile_id.map(|s| s.to_string()),
+      blocklist_file: blocklist_file.clone(),
    };

    // Wait for the local proxy port to be ready to accept connections
@@ -2231,6 +2104,8 @@ mod tests {
  use hyper::Response;
  use hyper_util::rt::TokioIo;
  use tokio::net::TcpListener;
+  use wiremock::matchers::{method, path};
+  use wiremock::{Mock, MockServer, ResponseTemplate};

  // Helper function to build donut-proxy binary for testing
  async fn ensure_donut_proxy_binary() -> Result<PathBuf, Box<dyn std::error::Error>> {
@@ -2345,6 +2220,7 @@ mod tests {
          upstream_type: "http".to_string(),
          local_port: (8000 + i) as u16,
          profile_id: None,
+          blocklist_file: None,
        };

        // Add proxy
@@ -2671,6 +2547,7 @@ mod tests {
      upstream_type: "http".to_string(),
      local_port: port,
      profile_id: profile_id.map(|s| s.to_string()),
+      blocklist_file: None,
    }
  }

@@ -2898,6 +2775,7 @@ mod tests {
      pid: Some(live_pid),
      profile_id: None,
      bypass_rules: Vec::new(),
+      blocklist_file: None,
    };
    let dead_config = ProxyConfig {
      id: dead_id.clone(),
@@ -2908,6 +2786,7 @@ mod tests {
      pid: Some(dead_pid),
      profile_id: None,
      bypass_rules: Vec::new(),
+      blocklist_file: None,
    };

    save_proxy_config(&live_config).unwrap();
@@ -2946,6 +2825,7 @@ mod tests {
      pid: Some(12345),
      profile_id: Some("prof_abc".to_string()),
      bypass_rules: vec!["*.local".to_string(), "192.168.*".to_string()],
+      blocklist_file: None,
    };

    // Save
@@ -3064,6 +2944,7 @@ mod tests {
      upstream_type: "http".to_string(),
      local_port: 9201,
      profile_id: Some("profile_alpha".to_string()),
+      blocklist_file: None,
    };
    let info_b = ProxyInfo {
      id: "px_shared_b".to_string(),
@@ -3073,6 +2954,7 @@ mod tests {
      upstream_type: "http".to_string(),
      local_port: 9202,
      profile_id: Some("profile_beta".to_string()),
+      blocklist_file: None,
    };

    pm.insert_active_proxy(3001, info_a);
@@ -3260,6 +3142,7 @@ mod tests {
      pid: Some(dead_pid),
      profile_id: None,
      bypass_rules: Vec::new(),
+      blocklist_file: None,
    };
    save_proxy_config(&config).unwrap();

@@ -3432,6 +3315,7 @@ mod tests {
        upstream_type: ptype.to_string(),
        local_port: 9300 + i as u16,
        profile_id: Some(format!("profile_{ptype}")),
+        blocklist_file: None,
      };
      pm.insert_active_proxy(4000 + i as u32, info);
    }
@@ -3651,74 +3535,102 @@ mod tests {
    assert!(err.contains("Empty"));
  }

-  #[test]
-  fn test_stored_proxy_is_dynamic() {
-    let mut proxy = StoredProxy::new(
-      "test".to_string(),
-      ProxySettings {
-        proxy_type: "http".to_string(),
-        host: "h.com".to_string(),
-        port: 80,
-        username: None,
-        password: None,
-      },
-    );
-    assert!(!proxy.is_dynamic());
+  #[tokio::test]
+  async fn test_fetch_proxy_from_url_parses_json_response() {
+    let server = MockServer::start().await;
+    Mock::given(method("GET"))
+      .and(path("/hook"))
+      .respond_with(
+        ResponseTemplate::new(200).set_body_string(
+          r#"{"host":"proxy.example.com","port":3128,"type":"socks5","username":"user","password":"pass"}"#,
+        ),
+      )
+      .mount(&server)
+      .await;

-    proxy.dynamic_proxy_url = Some("https://api.example.com/proxy".to_string());
-    assert!(proxy.is_dynamic());
-  }
-
-  #[test]
-  fn test_is_dynamic_proxy_via_manager() {
    let pm = ProxyManager::new();
+    let result = pm
+      .fetch_proxy_from_url(
+        &format!("{}/hook", server.uri()),
+        Duration::from_millis(500),
+      )
+      .await
+      .unwrap()
+      .unwrap();

-    let mut proxy = StoredProxy::new(
-      "DynTest".to_string(),
-      ProxySettings {
-        proxy_type: "http".to_string(),
-        host: "dynamic".to_string(),
-        port: 0,
-        username: None,
-        password: None,
-      },
-    );
-    proxy.dynamic_proxy_url = Some("https://api.example.com/proxy".to_string());
-    proxy.dynamic_proxy_format = Some("json".to_string());
-
-    let id = proxy.id.clone();
-    pm.stored_proxies.lock().unwrap().insert(id.clone(), proxy);
-
-    assert!(pm.is_dynamic_proxy(&id));
-    assert!(!pm.is_dynamic_proxy("nonexistent"));
+    assert_eq!(result.host, "proxy.example.com");
+    assert_eq!(result.port, 3128);
+    assert_eq!(result.proxy_type, "socks5");
+    assert_eq!(result.username.as_deref(), Some("user"));
+    assert_eq!(result.password.as_deref(), Some("pass"));
  }

  #[tokio::test]
-  async fn test_resolve_dynamic_proxy_not_dynamic() {
+  async fn test_fetch_proxy_from_url_parses_text_response() {
+    let server = MockServer::start().await;
+    Mock::given(method("GET"))
+      .and(path("/hook"))
+      .respond_with(ResponseTemplate::new(200).set_body_string("socks5://user:pass@1.2.3.4:1080"))
+      .mount(&server)
+      .await;
+
    let pm = ProxyManager::new();
+    let result = pm
+      .fetch_proxy_from_url(
+        &format!("{}/hook", server.uri()),
+        Duration::from_millis(500),
+      )
+      .await
+      .unwrap()
+      .unwrap();

-    let proxy = StoredProxy::new(
-      "Regular".to_string(),
-      ProxySettings {
-        proxy_type: "http".to_string(),
-        host: "1.2.3.4".to_string(),
-        port: 8080,
-        username: None,
-        password: None,
-      },
-    );
-    let id = proxy.id.clone();
-    pm.stored_proxies.lock().unwrap().insert(id.clone(), proxy);
-
-    let err = pm.resolve_dynamic_proxy(&id).await.unwrap_err();
-    assert!(err.contains("not a dynamic proxy"));
+    assert_eq!(result.host, "1.2.3.4");
+    assert_eq!(result.port, 1080);
+    assert_eq!(result.proxy_type, "socks5");
+    assert_eq!(result.username.as_deref(), Some("user"));
+    assert_eq!(result.password.as_deref(), Some("pass"));
  }

  #[tokio::test]
-  async fn test_resolve_dynamic_proxy_not_found() {
-    let pm = ProxyManager::new();
+  async fn test_fetch_proxy_from_url_returns_none_for_no_content() {
+    let server = MockServer::start().await;
+    Mock::given(method("GET"))
+      .and(path("/hook"))
+      .respond_with(ResponseTemplate::new(204))
+      .mount(&server)
+      .await;

-    let err = pm.resolve_dynamic_proxy("nonexistent").await.unwrap_err();
-    assert!(err.contains("not found"));
+    let pm = ProxyManager::new();
+    let result = pm
+      .fetch_proxy_from_url(
+        &format!("{}/hook", server.uri()),
+        Duration::from_millis(500),
+      )
+      .await
+      .unwrap();
+
+    assert!(result.is_none());
+  }
+
+  #[tokio::test]
+  async fn test_fetch_proxy_from_url_respects_timeout() {
+    let server = MockServer::start().await;
+    Mock::given(method("GET"))
+      .and(path("/hook"))
+      .respond_with(
+        ResponseTemplate::new(200)
+          .set_delay(Duration::from_millis(200))
+          .set_body_string(r#"{"host":"1.2.3.4","port":8080}"#),
+      )
+      .mount(&server)
+      .await;
+
+    let pm = ProxyManager::new();
+    let err = pm
+      .fetch_proxy_from_url(&format!("{}/hook", server.uri()), Duration::from_millis(50))
+      .await
+      .unwrap_err();
+
+    assert!(err.contains("Failed to fetch launch hook"));
  }
 }
@@ -2,17 +2,166 @@ use crate::proxy_storage::{
  delete_proxy_config, generate_proxy_id, get_proxy_config, is_process_running, list_proxy_configs,
  save_proxy_config, ProxyConfig,
 };
+use std::path::{Path, PathBuf};
 use std::process::Stdio;
 lazy_static::lazy_static! {
  static ref PROXY_PROCESSES: std::sync::Mutex<std::collections::HashMap<String, u32>> =
    std::sync::Mutex::new(std::collections::HashMap::new());
 }

+fn target_binary_name(base_name: &str) -> Option<String> {
+  let target = std::env::var("TARGET").ok()?;
+
+  #[cfg(windows)]
+  {
+    Some(format!("{base_name}-{target}.exe"))
+  }
+
+  #[cfg(not(windows))]
+  {
+    Some(format!("{base_name}-{target}"))
+  }
+}
+
+fn unsuffixed_binary_name(base_name: &str) -> String {
+  #[cfg(windows)]
+  {
+    match base_name {
+      "donut-proxy" => "donut-proxy.exe".to_string(),
+      "donut-daemon" => "donut-daemon.exe".to_string(),
+      _ => String::new(),
+    }
+  }
+
+  #[cfg(not(windows))]
+  {
+    base_name.to_string()
+  }
+}
+
+fn binary_matches_prefix(path: &Path, base_name: &str) -> bool {
+  let Some(file_name) = path.file_name().and_then(|name| name.to_str()) else {
+    return false;
+  };
+
+  #[cfg(windows)]
+  {
+    file_name.starts_with(&format!("{base_name}-")) && file_name.ends_with(".exe")
+  }
+
+  #[cfg(not(windows))]
+  {
+    file_name.starts_with(&format!("{base_name}-"))
+  }
+}
+
+fn push_candidate_dir(dirs: &mut Vec<PathBuf>, dir: Option<PathBuf>) {
+  if let Some(dir) = dir {
+    if !dirs.iter().any(|existing| existing == &dir) {
+      dirs.push(dir);
+    }
+  }
+}
+
+pub(crate) fn find_sidecar_executable(
+  base_name: &str,
+) -> Result<PathBuf, Box<dyn std::error::Error>> {
+  let current_exe = std::env::current_exe()?;
+  let current_dir = current_exe
+    .parent()
+    .ok_or("Failed to get parent directory of current executable")?;
+
+  if current_exe
+    .file_stem()
+    .and_then(|stem| stem.to_str())
+    .is_some_and(|stem| stem == base_name)
+  {
+    return Ok(current_exe);
+  }
+
+  let manifest_dir = PathBuf::from(env!("CARGO_MANIFEST_DIR"));
+  let mut search_dirs = Vec::new();
+
+  push_candidate_dir(&mut search_dirs, Some(current_dir.to_path_buf()));
+  push_candidate_dir(
+    &mut search_dirs,
+    current_dir.parent().map(std::path::Path::to_path_buf),
+  );
+  push_candidate_dir(
+    &mut search_dirs,
+    current_dir
+      .parent()
+      .and_then(|parent| parent.parent())
+      .map(Path::to_path_buf),
+  );
+  push_candidate_dir(&mut search_dirs, Some(current_dir.join("binaries")));
+  push_candidate_dir(
+    &mut search_dirs,
+    current_dir.parent().map(|parent| parent.join("binaries")),
+  );
+  push_candidate_dir(
+    &mut search_dirs,
+    current_dir
+      .parent()
+      .and_then(|parent| parent.parent())
+      .map(|parent| parent.join("binaries")),
+  );
+  push_candidate_dir(&mut search_dirs, Some(manifest_dir.join("binaries")));
+  push_candidate_dir(
+    &mut search_dirs,
+    Some(manifest_dir.join("target").join("debug")),
+  );
+  push_candidate_dir(
+    &mut search_dirs,
+    Some(manifest_dir.join("target").join("release")),
+  );
+
+  let mut exact_names = vec![unsuffixed_binary_name(base_name)];
+  if let Some(target_name) = target_binary_name(base_name) {
+    exact_names.push(target_name);
+  }
+
+  for dir in &search_dirs {
+    for name in &exact_names {
+      if name.is_empty() {
+        continue;
+      }
+
+      let candidate = dir.join(name);
+      if candidate.exists() {
+        return Ok(candidate);
+      }
+    }
+
+    if let Ok(entries) = std::fs::read_dir(dir) {
+      for entry in entries.flatten() {
+        let path = entry.path();
+        if path.is_file() && binary_matches_prefix(&path, base_name) {
+          return Ok(path);
+        }
+      }
+    }
+  }
+
+  Err(
+    format!(
+      "Failed to locate '{}' executable. Searched in: {}",
+      base_name,
+      search_dirs
+        .iter()
+        .map(|dir| dir.display().to_string())
+        .collect::<Vec<_>>()
+        .join(", ")
+    )
+    .into(),
+  )
+}
+
 pub async fn start_proxy_process(
  upstream_url: Option<String>,
  port: Option<u16>,
 ) -> Result<ProxyConfig, Box<dyn std::error::Error>> {
-  start_proxy_process_with_profile(upstream_url, port, None, Vec::new()).await
+  start_proxy_process_with_profile(upstream_url, port, None, Vec::new(), None).await
 }

 pub async fn start_proxy_process_with_profile(
@@ -20,6 +169,7 @@ pub async fn start_proxy_process_with_profile(
  port: Option<u16>,
  profile_id: Option<String>,
  bypass_rules: Vec<String>,
+  blocklist_file: Option<String>,
 ) -> Result<ProxyConfig, Box<dyn std::error::Error>> {
  let id = generate_proxy_id();
  let upstream = upstream_url.unwrap_or_else(|| "DIRECT".to_string());
@@ -33,7 +183,8 @@ pub async fn start_proxy_process_with_profile(

  let config = ProxyConfig::new(id.clone(), upstream, Some(local_port))
    .with_profile_id(profile_id.clone())
-    .with_bypass_rules(bypass_rules);
+    .with_bypass_rules(bypass_rules)
+    .with_blocklist_file(blocklist_file);
  save_proxy_config(&config)?;

  // Log profile_id for debugging
@@ -45,7 +196,7 @@ pub async fn start_proxy_process_with_profile(

  // Spawn proxy worker process in the background using std::process::Command
  // This ensures proper process detachment on Unix systems
-  let exe = std::env::current_exe()?;
+  let exe = find_sidecar_executable("donut-proxy")?;

  #[cfg(unix)]
  {
@@ -7,6 +7,7 @@ use hyper::service::service_fn;
 use hyper::{Method, Request, Response, StatusCode};
 use hyper_util::rt::TokioIo;
 use regex_lite::Regex;
+use std::collections::HashSet;
 use std::convert::Infallible;
 use std::io;
 use std::net::SocketAddr;
@@ -17,6 +18,13 @@ use std::task::{Context, Poll};
 use tokio::io::{AsyncRead, AsyncReadExt, AsyncWrite, AsyncWriteExt, ReadBuf};
 use tokio::net::TcpListener;
 use tokio::net::TcpStream;
+
+/// Combined read+write trait for tunnel target streams, allowing
+/// `handle_connect_from_buffer` to handle plain TCP, SOCKS, and
+/// Shadowsocks through the same bidirectional-copy path.
+trait AsyncStream: AsyncRead + AsyncWrite + Unpin + Send {}
+impl<T: AsyncRead + AsyncWrite + Unpin + Send> AsyncStream for T {}
+type BoxedAsyncStream = Box<dyn AsyncStream>;
 use url::Url;

 enum CompiledRule {
@@ -51,6 +59,58 @@ impl BypassMatcher {
  }
 }

+#[derive(Clone)]
+pub struct BlocklistMatcher {
+  domains: Arc<HashSet<String>>,
+}
+
+impl Default for BlocklistMatcher {
+  fn default() -> Self {
+    Self::new()
+  }
+}
+
+impl BlocklistMatcher {
+  pub fn new() -> Self {
+    Self {
+      domains: Arc::new(HashSet::new()),
+    }
+  }
+
+  pub fn from_file(path: &str) -> Result<Self, Box<dyn std::error::Error>> {
+    let content = std::fs::read_to_string(path)?;
+    let domains: HashSet<String> = content
+      .lines()
+      .filter(|line| !line.starts_with('#') && !line.trim().is_empty())
+      .map(|line| line.trim().to_lowercase())
+      .collect();
+    log::info!("[blocklist] Loaded {} domains from {}", domains.len(), path);
+    Ok(Self {
+      domains: Arc::new(domains),
+    })
+  }
+
+  pub fn is_blocked(&self, host: &str) -> bool {
+    if self.domains.is_empty() {
+      return false;
+    }
+    let host_lower = host.to_lowercase();
+    // Exact match
+    if self.domains.contains(host_lower.as_str()) {
+      return true;
+    }
+    // Suffix matching: check parent domains (like uBlock)
+    let mut start = 0;
+    while let Some(dot_pos) = host_lower[start..].find('.') {
+      start += dot_pos + 1;
+      if self.domains.contains(&host_lower[start..]) {
+        return true;
+      }
+    }
+    false
+  }
+}
+
 /// Wrapper stream that counts bytes read and written
 struct CountingStream<S> {
  inner: S,
@@ -167,20 +227,22 @@ async fn handle_request(
  req: Request<hyper::body::Incoming>,
  upstream_url: Option<String>,
  bypass_matcher: BypassMatcher,
+  blocklist_matcher: BlocklistMatcher,
 ) -> Result<Response<Full<Bytes>>, Infallible> {
  // Handle CONNECT method for HTTPS tunneling
  if req.method() == Method::CONNECT {
-    return handle_connect(req, upstream_url, bypass_matcher).await;
+    return handle_connect(req, upstream_url, bypass_matcher, blocklist_matcher).await;
  }

  // Handle regular HTTP requests
-  handle_http(req, upstream_url, bypass_matcher).await
+  handle_http(req, upstream_url, bypass_matcher, blocklist_matcher).await
 }

 async fn handle_connect(
  req: Request<hyper::body::Incoming>,
  upstream_url: Option<String>,
  bypass_matcher: BypassMatcher,
+  blocklist_matcher: BlocklistMatcher,
 ) -> Result<Response<Full<Bytes>>, Infallible> {
  let authority = req.uri().authority().cloned();

@@ -196,6 +258,14 @@ async fn handle_connect(
      (&target_addr[..], 443)
    };

+    // Block if domain is in the DNS blocklist (before any connection)
+    if blocklist_matcher.is_blocked(target_host) {
+      log::debug!("[blocklist] Blocked CONNECT to {}", target_host);
+      let mut response = Response::new(Full::new(Bytes::from("Blocked by DNS blocklist")));
+      *response.status_mut() = StatusCode::FORBIDDEN;
+      return Ok(response);
+    }
+
    // If no upstream proxy, or bypass rule matches, connect directly
    if upstream_url.is_none()
      || upstream_url
@@ -707,10 +777,132 @@ async fn handle_http_via_socks4(
  Ok(hyper_response)
 }

+/// Handle plain HTTP requests through a Shadowsocks upstream.
+/// reqwest doesn't support SS natively, so we connect through the SS tunnel
+/// manually and forward the HTTP request/response.
+async fn handle_http_via_shadowsocks(
+  req: Request<hyper::body::Incoming>,
+  upstream: &Url,
+) -> Result<Response<Full<Bytes>>, Infallible> {
+  let domain = req
+    .uri()
+    .host()
+    .map(|h| h.to_string())
+    .unwrap_or_else(|| "unknown".to_string());
+  let port = req.uri().port_u16().unwrap_or(80);
+
+  let ss_host = upstream.host_str().unwrap_or("127.0.0.1");
+  let ss_port = upstream.port().unwrap_or(8388);
+  let method_str = urlencoding::decode(upstream.username())
+    .unwrap_or_default()
+    .to_string();
+  let password = urlencoding::decode(upstream.password().unwrap_or(""))
+    .unwrap_or_default()
+    .to_string();
+
+  let cipher = match method_str.parse::<shadowsocks::crypto::CipherKind>() {
+    Ok(c) => c,
+    Err(_) => {
+      let mut resp = Response::new(Full::new(Bytes::from(format!(
+        "Bad SS cipher: {method_str}"
+      ))));
+      *resp.status_mut() = StatusCode::BAD_GATEWAY;
+      return Ok(resp);
+    }
+  };
+
+  let context = shadowsocks::context::Context::new_shared(shadowsocks::config::ServerType::Local);
+  let svr_cfg = match shadowsocks::config::ServerConfig::new(
+    shadowsocks::config::ServerAddr::from((ss_host.to_string(), ss_port)),
+    &password,
+    cipher,
+  ) {
+    Ok(c) => c,
+    Err(e) => {
+      let mut resp = Response::new(Full::new(Bytes::from(format!("SS config error: {e}"))));
+      *resp.status_mut() = StatusCode::BAD_GATEWAY;
+      return Ok(resp);
+    }
+  };
+
+  let target_addr = shadowsocks::relay::Address::DomainNameAddress(domain.clone(), port);
+
+  let mut stream = match shadowsocks::relay::tcprelay::proxy_stream::ProxyClientStream::connect(
+    context,
+    &svr_cfg,
+    target_addr,
+  )
+  .await
+  {
+    Ok(s) => s,
+    Err(e) => {
+      let mut resp = Response::new(Full::new(Bytes::from(format!("SS connect: {e}"))));
+      *resp.status_mut() = StatusCode::BAD_GATEWAY;
+      return Ok(resp);
+    }
+  };
+
+  // Build and send the HTTP request through the SS tunnel
+  let path = req
+    .uri()
+    .path_and_query()
+    .map(|pq| pq.as_str())
+    .unwrap_or("/");
+  let method = req.method().as_str();
+  let mut raw_req = format!("{method} {path} HTTP/1.1\r\nHost: {domain}\r\nConnection: close\r\n");
+  for (name, value) in req.headers() {
+    if name != "host" && name != "connection" {
+      raw_req.push_str(&format!("{}: {}\r\n", name, value.to_str().unwrap_or("")));
+    }
+  }
+  raw_req.push_str("\r\n");
+
+  use tokio::io::{AsyncReadExt, AsyncWriteExt};
+  if let Err(e) = stream.write_all(raw_req.as_bytes()).await {
+    let mut resp = Response::new(Full::new(Bytes::from(format!("SS write: {e}"))));
+    *resp.status_mut() = StatusCode::BAD_GATEWAY;
+    return Ok(resp);
+  }
+
+  let mut response_buf = Vec::new();
+  if let Err(e) = stream.read_to_end(&mut response_buf).await {
+    log::warn!("SS read error (may be partial): {e}");
+  }
+
+  if let Some(tracker) = get_traffic_tracker() {
+    tracker.record_request(&domain, raw_req.len() as u64, response_buf.len() as u64);
+  }
+
+  // Parse the raw HTTP response
+  let response_str = String::from_utf8_lossy(&response_buf);
+  let header_end = response_str.find("\r\n\r\n").unwrap_or(response_str.len());
+  let status_line = response_str
+    .lines()
+    .next()
+    .unwrap_or("HTTP/1.1 502 Bad Gateway");
+  let status_code: u16 = status_line
+    .split_whitespace()
+    .nth(1)
+    .and_then(|s| s.parse().ok())
+    .unwrap_or(502);
+  let body = if header_end + 4 < response_buf.len() {
+    &response_buf[header_end + 4..]
+  } else {
+    b""
+  };
+
+  let mut hyper_response = Response::new(Full::new(Bytes::from(body.to_vec())));
+  *hyper_response.status_mut() =
+    StatusCode::from_u16(status_code).unwrap_or(StatusCode::BAD_GATEWAY);
+
+  Ok(hyper_response)
+}
+
 async fn handle_http(
  req: Request<hyper::body::Incoming>,
  upstream_url: Option<String>,
  bypass_matcher: BypassMatcher,
+  blocklist_matcher: BlocklistMatcher,
 ) -> Result<Response<Full<Bytes>>, Infallible> {
  // Extract domain for traffic tracking
  let domain = req
@@ -719,6 +911,14 @@ async fn handle_http(
    .map(|h| h.to_string())
    .unwrap_or_else(|| "unknown".to_string());

+  // Block if domain is in the DNS blocklist (before any connection)
+  if blocklist_matcher.is_blocked(&domain) {
+    log::debug!("[blocklist] Blocked HTTP request to {}", domain);
+    let mut response = Response::new(Full::new(Bytes::from("Blocked by DNS blocklist")));
+    *response.status_mut() = StatusCode::FORBIDDEN;
+    return Ok(response);
+  }
+
  log::error!(
    "DEBUG: Handling HTTP request: {} {} (host: {:?})",
    req.method(),
@@ -728,14 +928,19 @@ async fn handle_http(

  let should_bypass = bypass_matcher.should_bypass(&domain);

-  // Check if we need to handle SOCKS4 manually (reqwest doesn't support it)
+  // Handle proxy types that reqwest doesn't support natively
  if !should_bypass {
    if let Some(ref upstream) = upstream_url {
      if upstream != "DIRECT" {
        if let Ok(url) = Url::parse(upstream) {
-          if url.scheme() == "socks4" {
-            // Handle SOCKS4 manually for HTTP requests
-            return handle_http_via_socks4(req, upstream).await;
+          match url.scheme() {
+            "socks4" => {
+              return handle_http_via_socks4(req, upstream).await;
+            }
+            "ss" | "shadowsocks" => {
+              return handle_http_via_shadowsocks(req, &url).await;
+            }
+            _ => {}
          }
        }
      }
@@ -888,6 +1093,7 @@ pub async fn handle_proxy_connection(
  mut stream: tokio::net::TcpStream,
  upstream_url: Option<String>,
  bypass_matcher: BypassMatcher,
+  blocklist_matcher: BlocklistMatcher,
 ) {
  let _ = stream.set_nodelay(true);

@@ -942,8 +1148,14 @@ pub async fn handle_proxy_connection(
          }
        }

-        let _ =
-          handle_connect_from_buffer(stream, full_request, upstream_url, bypass_matcher).await;
+        let _ = handle_connect_from_buffer(
+          stream,
+          full_request,
+          upstream_url,
+          bypass_matcher,
+          blocklist_matcher,
+        )
+        .await;
        return;
      }

@@ -955,8 +1167,14 @@ pub async fn handle_proxy_connection(
        inner: stream,
      };
      let io = TokioIo::new(prepended_reader);
-      let service =
-        service_fn(move |req| handle_request(req, upstream_url.clone(), bypass_matcher.clone()));
+      let service = service_fn(move |req| {
+        handle_request(
+          req,
+          upstream_url.clone(),
+          bypass_matcher.clone(),
+          blocklist_matcher.clone(),
+        )
+      });

      let _ = http1::Builder::new().serve_connection(io, service).await;
    }
@@ -1128,6 +1346,17 @@ pub async fn run_proxy_server(config: ProxyConfig) -> Result<(), Box<dyn std::er
  });

  let bypass_matcher = BypassMatcher::new(&config.bypass_rules);
+  let blocklist_matcher = if let Some(ref path) = config.blocklist_file {
+    match BlocklistMatcher::from_file(path) {
+      Ok(m) => m,
+      Err(e) => {
+        log::error!("[blocklist] Failed to load from {}: {}", path, e);
+        BlocklistMatcher::new()
+      }
+    }
+  } else {
+    BlocklistMatcher::new()
+  };

  // Keep the runtime alive with an infinite loop
  // This ensures the process doesn't exit even if there are no active connections
@@ -1136,8 +1365,9 @@ pub async fn run_proxy_server(config: ProxyConfig) -> Result<(), Box<dyn std::er
      Ok((stream, _peer_addr)) => {
        let upstream = upstream_url.clone();
        let matcher = bypass_matcher.clone();
+        let blocker = blocklist_matcher.clone();
        tokio::task::spawn(async move {
-          handle_proxy_connection(stream, upstream, matcher).await;
+          handle_proxy_connection(stream, upstream, matcher, blocker).await;
        });
      }
      Err(e) => {
@@ -1155,6 +1385,7 @@ async fn handle_connect_from_buffer(
  request_buffer: Vec<u8>,
  upstream_url: Option<String>,
  bypass_matcher: BypassMatcher,
+  blocklist_matcher: BlocklistMatcher,
 ) -> Result<(), Box<dyn std::error::Error>> {
  // Parse the CONNECT request from the buffer
  let request_str = String::from_utf8_lossy(&request_buffer);
@@ -1185,43 +1416,56 @@ async fn handle_connect_from_buffer(
    (target, 443)
  };

+  // Block if domain is in the DNS blocklist (before any connection)
+  if blocklist_matcher.is_blocked(target_host) {
+    log::debug!("[blocklist] Blocked CONNECT tunnel to {}", target_host);
+    let _ = client_stream
+      .write_all(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 24\r\n\r\nBlocked by DNS blocklist")
+      .await;
+    return Ok(());
+  }
+
  // Record domain access in traffic tracker
  let domain = target_host.to_string();
  if let Some(tracker) = get_traffic_tracker() {
    tracker.record_request(&domain, 0, 0);
  }

-  // Connect to target (directly or via upstream proxy)
+  // Connect to target (directly or via upstream proxy).
+  // Returns a BoxedAsyncStream so all upstream types (plain TCP, SOCKS,
+  // Shadowsocks) share the same bidirectional-copy tunnel code below.
  let should_bypass = bypass_matcher.should_bypass(target_host);
-  let target_stream = match upstream_url.as_ref() {
+  // Helper: configure outbound TCP to match browser TCP fingerprint
+  let configure_tcp = |stream: &TcpStream| {
+    let _ = stream.set_nodelay(true);
+  };
+  let target_stream: BoxedAsyncStream = match upstream_url.as_ref() {
    None => {
-      // Direct connection
-      TcpStream::connect((target_host, target_port)).await?
+      let s = TcpStream::connect((target_host, target_port)).await?;
+      configure_tcp(&s);
+      Box::new(s)
    }
    Some(url) if url == "DIRECT" => {
-      // Direct connection
-      TcpStream::connect((target_host, target_port)).await?
+      let s = TcpStream::connect((target_host, target_port)).await?;
+      configure_tcp(&s);
+      Box::new(s)
    }
    _ if should_bypass => {
-      // Bypass rule matched - connect directly
-      TcpStream::connect((target_host, target_port)).await?
+      let s = TcpStream::connect((target_host, target_port)).await?;
+      configure_tcp(&s);
+      Box::new(s)
    }
    Some(upstream_url_str) => {
-      // Connect via upstream proxy
      let upstream = Url::parse(upstream_url_str)?;
      let scheme = upstream.scheme();

      match scheme {
        "http" | "https" => {
-          // Connect via HTTP/HTTPS proxy CONNECT
-          // Note: HTTPS proxy URLs still use HTTP CONNECT method (CONNECT is always HTTP-based)
-          // For HTTPS proxies, reqwest handles TLS automatically in handle_http
-          // For manual CONNECT here, we use plain TCP - HTTPS proxy CONNECT typically works over plain TCP
          let proxy_host = upstream.host_str().unwrap_or("127.0.0.1");
          let proxy_port = upstream.port().unwrap_or(8080);
          let mut proxy_stream = TcpStream::connect((proxy_host, proxy_port)).await?;
+          configure_tcp(&proxy_stream);

-          // Add authentication if provided
          let mut connect_req = format!(
            "CONNECT {}:{} HTTP/1.1\r\nHost: {}:{}\r\n",
            target_host, target_port, target_host, target_port
@@ -1237,10 +1481,8 @@ async fn handle_connect_from_buffer(

          connect_req.push_str("\r\n");

-          // Send CONNECT request to upstream proxy
          proxy_stream.write_all(connect_req.as_bytes()).await?;

-          // Read response
          let mut buffer = [0u8; 4096];
          let n = proxy_stream.read(&mut buffer).await?;
          let response = String::from_utf8_lossy(&buffer[..n]);
@@ -1249,10 +1491,9 @@ async fn handle_connect_from_buffer(
            return Err(format!("Upstream proxy CONNECT failed: {}", response).into());
          }

-          proxy_stream
+          Box::new(proxy_stream)
        }
        "socks4" | "socks5" => {
-          // Connect via SOCKS proxy
          let socks_host = upstream.host_str().unwrap_or("127.0.0.1");
          let socks_port = upstream.port().unwrap_or(1080);
          let socks_addr = format!("{}:{}", socks_host, socks_port);
@@ -1260,7 +1501,7 @@ async fn handle_connect_from_buffer(
          let username = upstream.username();
          let password = upstream.password().unwrap_or("");

-          connect_via_socks(
+          let stream = connect_via_socks(
            &socks_addr,
            target_host,
            target_port,
@@ -1271,7 +1512,56 @@ async fn handle_connect_from_buffer(
              None
            },
          )
-          .await?
+          .await?;
+          Box::new(stream)
+        }
+        "ss" | "shadowsocks" => {
+          // Shadowsocks: URL format is ss://method:password@host:port
+          // where "method" is the cipher (e.g. aes-256-gcm, chacha20-ietf-poly1305)
+          // and "password" is the SS server password.
+          let ss_host = upstream.host_str().unwrap_or("127.0.0.1");
+          let ss_port = upstream.port().unwrap_or(8388);
+
+          // The "username" field carries the cipher method
+          let method_str = urlencoding::decode(upstream.username())
+            .unwrap_or_default()
+            .to_string();
+          let password = urlencoding::decode(upstream.password().unwrap_or(""))
+            .unwrap_or_default()
+            .to_string();
+
+          if method_str.is_empty() || password.is_empty() {
+            return Err(
+              "Shadowsocks requires method and password (URL: ss://method:password@host:port)"
+                .into(),
+            );
+          }
+
+          let cipher = method_str.parse::<shadowsocks::crypto::CipherKind>().map_err(|_| {
+            format!("Unsupported Shadowsocks cipher: {method_str}. Use e.g. aes-256-gcm, chacha20-ietf-poly1305, aes-128-gcm")
+          })?;
+
+          let context =
+            shadowsocks::context::Context::new_shared(shadowsocks::config::ServerType::Local);
+          let svr_cfg = shadowsocks::config::ServerConfig::new(
+            shadowsocks::config::ServerAddr::from((ss_host.to_string(), ss_port)),
+            &password,
+            cipher,
+          )
+          .map_err(|e| format!("Invalid Shadowsocks config: {e}"))?;
+
+          let target_addr =
+            shadowsocks::relay::Address::DomainNameAddress(target_host.to_string(), target_port);
+
+          let stream = shadowsocks::relay::tcprelay::proxy_stream::ProxyClientStream::connect(
+            context,
+            &svr_cfg,
+            target_addr,
+          )
+          .await
+          .map_err(|e| format!("Shadowsocks connection failed: {e}"))?;
+
+          Box::new(stream)
        }
        _ => {
          return Err(format!("Unsupported upstream proxy scheme: {}", scheme).into());
@@ -1280,8 +1570,9 @@ async fn handle_connect_from_buffer(
    }
  };

-  // Enable TCP_NODELAY on target stream for immediate data transfer
-  let _ = target_stream.set_nodelay(true);
+  // TCP_NODELAY is set per-stream where applicable (TcpStream paths).
+  // For encrypted streams (Shadowsocks), the underlying TCP connection
+  // is managed by the library and nodelay is handled internally.

  // Send 200 Connection Established response to client
  // CRITICAL: Must flush after writing to ensure response is sent before tunneling
@@ -1362,3 +1653,106 @@ async fn handle_connect_from_buffer(

  Ok(())
 }
+
+#[cfg(test)]
+mod tests {
+  use super::*;
+  use std::io::Write;
+
+  #[test]
+  fn test_blocklist_exact_match() {
+    let mut matcher = BlocklistMatcher::new();
+    let mut domains = HashSet::new();
+    domains.insert("example.com".to_string());
+    domains.insert("tracker.net".to_string());
+    matcher.domains = Arc::new(domains);
+
+    assert!(matcher.is_blocked("example.com"));
+    assert!(matcher.is_blocked("tracker.net"));
+    assert!(!matcher.is_blocked("safe.com"));
+  }
+
+  #[test]
+  fn test_blocklist_subdomain_match() {
+    let mut matcher = BlocklistMatcher::new();
+    let mut domains = HashSet::new();
+    domains.insert("example.com".to_string());
+    matcher.domains = Arc::new(domains);
+
+    assert!(matcher.is_blocked("foo.example.com"));
+    assert!(matcher.is_blocked("bar.baz.example.com"));
+    assert!(matcher.is_blocked("a.b.c.example.com"));
+  }
+
+  #[test]
+  fn test_blocklist_no_false_positives() {
+    let mut matcher = BlocklistMatcher::new();
+    let mut domains = HashSet::new();
+    domains.insert("example.com".to_string());
+    matcher.domains = Arc::new(domains);
+
+    // "notexample.com" should NOT match "example.com"
+    assert!(!matcher.is_blocked("notexample.com"));
+    assert!(!matcher.is_blocked("myexample.com"));
+    // But subdomain should
+    assert!(matcher.is_blocked("sub.example.com"));
+  }
+
+  #[test]
+  fn test_blocklist_empty_blocks_nothing() {
+    let matcher = BlocklistMatcher::new();
+    assert!(!matcher.is_blocked("anything.com"));
+    assert!(!matcher.is_blocked("example.com"));
+  }
+
+  #[test]
+  fn test_blocklist_case_insensitive() {
+    let mut matcher = BlocklistMatcher::new();
+    let mut domains = HashSet::new();
+    domains.insert("example.com".to_string());
+    matcher.domains = Arc::new(domains);
+
+    assert!(matcher.is_blocked("EXAMPLE.COM"));
+    assert!(matcher.is_blocked("Example.Com"));
+    assert!(matcher.is_blocked("FOO.EXAMPLE.COM"));
+  }
+
+  #[test]
+  fn test_blocklist_from_file() {
+    let mut tmpfile = tempfile::NamedTempFile::new().unwrap();
+    writeln!(tmpfile, "# This is a comment").unwrap();
+    writeln!(tmpfile).unwrap();
+    writeln!(tmpfile, "tracker.example.com").unwrap();
+    writeln!(tmpfile, "ads.network.com").unwrap();
+    writeln!(tmpfile, "# Another comment").unwrap();
+    writeln!(tmpfile, "malware.site").unwrap();
+    tmpfile.flush().unwrap();
+
+    let matcher = BlocklistMatcher::from_file(tmpfile.path().to_str().unwrap()).unwrap();
+
+    assert!(matcher.is_blocked("tracker.example.com"));
+    assert!(matcher.is_blocked("ads.network.com"));
+    assert!(matcher.is_blocked("malware.site"));
+    assert!(matcher.is_blocked("sub.malware.site"));
+    assert!(!matcher.is_blocked("safe.com"));
+    // Comments and empty lines should be skipped: 3 domains loaded
+    assert_eq!(matcher.domains.len(), 3);
+  }
+
+  #[test]
+  fn test_blocklist_comments_skipped() {
+    let mut tmpfile = tempfile::NamedTempFile::new().unwrap();
+    writeln!(tmpfile, "# Title: HaGeZi's Light DNS Blocklist").unwrap();
+    writeln!(tmpfile, "# Description: test").unwrap();
+    writeln!(tmpfile, "# Version: 2026.0330.0928.01").unwrap();
+    writeln!(tmpfile).unwrap();
+    writeln!(tmpfile, "domain1.com").unwrap();
+    writeln!(tmpfile, "domain2.com").unwrap();
+    tmpfile.flush().unwrap();
+
+    let matcher = BlocklistMatcher::from_file(tmpfile.path().to_str().unwrap()).unwrap();
+    assert_eq!(matcher.domains.len(), 2);
+    assert!(matcher.is_blocked("domain1.com"));
+    assert!(matcher.is_blocked("domain2.com"));
+  }
+}
@@ -14,6 +14,8 @@ pub struct ProxyConfig {
  pub profile_id: Option<String>,
  #[serde(default)]
  pub bypass_rules: Vec<String>,
+  #[serde(default)]
+  pub blocklist_file: Option<String>,
 }

 impl ProxyConfig {
@@ -27,6 +29,7 @@ impl ProxyConfig {
      pid: None,
      profile_id: None,
      bypass_rules: Vec::new(),
+      blocklist_file: None,
    }
  }

@@ -39,6 +42,11 @@ impl ProxyConfig {
    self.bypass_rules = bypass_rules;
    self
  }
+
+  pub fn with_blocklist_file(mut self, blocklist_file: Option<String>) -> Self {
+    self.blocklist_file = blocklist_file;
+    self
+  }
 }

 pub fn get_storage_dir() -> PathBuf {
@@ -945,6 +945,42 @@ pub fn get_system_language() -> String {
    .unwrap_or_else(|| "en".to_string())
 }

+#[derive(Debug, Serialize, Clone)]
+pub struct SystemInfo {
+  pub app_version: String,
+  pub os: String,
+  pub arch: String,
+  pub portable: bool,
+}
+
+#[tauri::command]
+pub fn get_system_info() -> SystemInfo {
+  let os = if cfg!(target_os = "macos") {
+    "macOS"
+  } else if cfg!(target_os = "windows") {
+    "Windows"
+  } else if cfg!(target_os = "linux") {
+    "Linux"
+  } else {
+    "Unknown"
+  };
+
+  let arch = if cfg!(target_arch = "x86_64") {
+    "x86_64"
+  } else if cfg!(target_arch = "aarch64") {
+    "aarch64"
+  } else {
+    "unknown"
+  };
+
+  SystemInfo {
+    app_version: crate::app_auto_updater::AppAutoUpdater::get_current_version(),
+    os: os.to_string(),
+    arch: arch.to_string(),
+    portable: crate::app_dirs::is_portable(),
+  }
+}
+
 // Global singleton instance
 lazy_static::lazy_static! {
  static ref SETTINGS_MANAGER: SettingsManager = SettingsManager::new();
@@ -793,6 +793,7 @@ impl SyncEngine {
    let mut sanitized = profile.clone();
    sanitized.process_id = None;
    sanitized.last_launch = None;
+    sanitized.last_sync = None; // Avoid triggering sync loop on timestamp change

    let json = serde_json::to_string_pretty(&sanitized)
      .map_err(|e| SyncError::SerializationError(format!("Failed to serialize profile: {e}")))?;
@@ -8,6 +8,7 @@ use std::path::Path;
 use std::time::SystemTime;

 use super::types::{SyncError, SyncResult};
+use crate::profile::types::BrowserProfile;

 /// Default exclude patterns for volatile browser profile files.
 /// Patterns use `**/` prefix to match at any directory depth, since the sync
@@ -209,6 +210,39 @@ fn hash_file(path: &Path) -> Result<Option<String>, SyncError> {
  Ok(Some(hasher.finalize().to_hex().to_string()))
 }

+/// Compute blake3 hash of metadata.json after sanitizing volatile fields.
+/// This prevents infinite sync loops where updating last_sync triggers a new sync.
+fn hash_sanitized_metadata(path: &Path) -> Result<Option<String>, SyncError> {
+  let content = match fs::read_to_string(path) {
+    Ok(c) => c,
+    Err(e) if e.kind() == std::io::ErrorKind::NotFound => return Ok(None),
+    Err(e) => {
+      return Err(SyncError::IoError(format!(
+        "Failed to read metadata at {}: {e}",
+        path.display()
+      )));
+    }
+  };
+
+  let mut profile: BrowserProfile = serde_json::from_str(&content).map_err(|e| {
+    SyncError::SerializationError(format!("Failed to parse metadata for hashing: {e}"))
+  })?;
+
+  // Sanitize volatile fields that should not trigger a re-sync
+  profile.last_sync = None;
+  profile.process_id = None;
+  profile.last_launch = None;
+
+  let sanitized_json = serde_json::to_string(&profile).map_err(|e| {
+    SyncError::SerializationError(format!("Failed to serialize sanitized metadata: {e}"))
+  })?;
+
+  let mut hasher = blake3::Hasher::new();
+  hasher.update(sanitized_json.as_bytes());
+
+  Ok(Some(hasher.finalize().to_hex().to_string()))
+}
+
 /// Get mtime as unix timestamp
 /// Returns None if the file doesn't exist (was deleted)
 fn get_mtime(path: &Path) -> Result<Option<i64>, SyncError> {
@@ -324,7 +358,19 @@ pub fn generate_manifest(
        *max_mtime = (*max_mtime).max(mtime);

        // Check cache for existing hash
-        let hash = if let Some(cached_hash) = cache.get(&relative_path, size, mtime) {
+        let hash = if relative_path == "metadata.json" {
+          // Special case: sanitize metadata.json before hashing to prevent sync loops
+          match hash_sanitized_metadata(&path)? {
+            Some(computed_hash) => computed_hash,
+            None => {
+              log::debug!(
+                "File disappeared during manifest generation, skipping: {}",
+                path.display()
+              );
+              continue;
+            }
+          }
+        } else if let Some(cached_hash) = cache.get(&relative_path, size, mtime) {
          cached_hash.to_string()
        } else {
          match hash_file(&path)? {
@@ -592,7 +638,12 @@ mod tests {
    fs::write(profile_dir.join("profile/Crashpad/report"), "exclude").unwrap();

    // metadata.json at root
-    fs::write(profile_dir.join("metadata.json"), "keep").unwrap();
+    let profile = BrowserProfile::default();
+    fs::write(
+      profile_dir.join("metadata.json"),
+      serde_json::to_string(&profile).unwrap(),
+    )
+    .unwrap();

    let mut cache = HashCache::default();
    let manifest = generate_manifest("test-profile", &profile_dir, &mut cache).unwrap();
@@ -800,4 +851,85 @@ mod tests {
    assert!(diff.files_to_delete_remote.is_empty());
    assert!(diff.files_to_delete_local.is_empty());
  }
+
+  #[test]
+  fn test_generate_manifest_sanitizes_metadata() {
+    let temp_dir = TempDir::new().unwrap();
+    let profile_dir = temp_dir.path().join("profile");
+    fs::create_dir_all(&profile_dir).unwrap();
+
+    let profile_id = uuid::Uuid::new_v4();
+    let metadata_path = profile_dir.join("metadata.json");
+
+    let profile = BrowserProfile {
+      id: profile_id,
+      name: "test-profile".to_string(),
+      last_sync: Some(100),
+      process_id: Some(1234),
+      ..Default::default()
+    };
+
+    fs::write(&metadata_path, serde_json::to_string(&profile).unwrap()).unwrap();
+
+    let mut cache = HashCache::default();
+    let manifest1 = generate_manifest(&profile_id.to_string(), &profile_dir, &mut cache).unwrap();
+    let hash1 = manifest1
+      .files
+      .iter()
+      .find(|f| f.path == "metadata.json")
+      .unwrap()
+      .hash
+      .clone();
+
+    // Update volatile fields
+    let profile2 = BrowserProfile {
+      id: profile_id,
+      name: "test-profile".to_string(),
+      last_sync: Some(200),
+      process_id: Some(5678),
+      ..Default::default()
+    };
+
+    fs::write(&metadata_path, serde_json::to_string(&profile2).unwrap()).unwrap();
+
+    let manifest2 = generate_manifest(&profile_id.to_string(), &profile_dir, &mut cache).unwrap();
+    let hash2 = manifest2
+      .files
+      .iter()
+      .find(|f| f.path == "metadata.json")
+      .unwrap()
+      .hash
+      .clone();
+
+    // Hash should be identical because volatile fields are sanitized
+    assert_eq!(
+      hash1, hash2,
+      "Metadata hash should be stable across last_sync/process_id updates"
+    );
+
+    // Change a non-volatile field
+    let profile3 = BrowserProfile {
+      id: profile_id,
+      name: "changed-name".to_string(),
+      last_sync: Some(200),
+      ..Default::default()
+    };
+
+    fs::write(&metadata_path, serde_json::to_string(&profile3).unwrap()).unwrap();
+
+    let manifest3 = generate_manifest(&profile_id.to_string(), &profile_dir, &mut cache).unwrap();
+    let hash3 = manifest3
+      .files
+      .iter()
+      .find(|f| f.path == "metadata.json")
+      .unwrap()
+      .hash
+      .clone();
+
+    // Hash should be different because name changed
+    assert_ne!(
+      hash1, hash3,
+      "Metadata hash should change when non-volatile fields change"
+    );
+  }
 }
@@ -344,7 +344,7 @@ impl SyncScheduler {
              }
            }
          }
-          _ = sleep(Duration::from_millis(500)) => {
+          _ = sleep(Duration::from_millis(2000)) => {
            scheduler.process_pending(&app_handle_clone).await;
          }
        }
@@ -716,29 +716,22 @@ impl SyncScheduler {
      match entity_type.as_str() {
        "profile" => {
          let profile_manager = ProfileManager::instance();
-          let profile_to_delete = {
+          let has_profile = {
            if let Ok(profiles) = profile_manager.list_profiles() {
              let profile_uuid = uuid::Uuid::parse_str(&entity_id).ok();
-              profile_uuid.and_then(|uuid| profiles.into_iter().find(|p| p.id == uuid))
+              profile_uuid.is_some_and(|uuid| profiles.iter().any(|p| p.id == uuid))
            } else {
-              None
+              false
            }
          };

-          if let Some(mut profile) = profile_to_delete {
+          if has_profile {
            log::info!(
-              "Profile {} was deleted remotely, disabling sync locally",
+              "Profile {} was deleted remotely, deleting locally",
              entity_id
            );
-            profile.sync_mode = crate::profile::types::SyncMode::Disabled;
-            if let Err(e) = profile_manager.save_profile(&profile) {
-              log::warn!("Failed to disable sync for profile {}: {}", entity_id, e);
-            } else {
-              log::info!(
-                "Profile {} sync disabled due to remote tombstone (local copy kept)",
-                entity_id
-              );
-              let _ = events::emit("profiles-changed", ());
+            if let Err(e) = profile_manager.delete_profile_local_only(&entity_id) {
+              log::warn!("Failed to delete tombstoned profile {}: {}", entity_id, e);
            }
          }
        }
@@ -303,6 +303,11 @@ impl SynchronizerManager {
  }

  /// Bring the leader browser window to front.
+  ///
+  /// On macOS this is a no-op on purpose: the only way to raise another
+  /// app's window from Rust is via `osascript` / Apple Events, which
+  /// triggers the TCC "prevented from modifying other apps" prompt. Donut
+  /// must never touch other apps on the user's Mac.
  async fn focus_leader_window(leader: &BrowserProfile) {
    let profile = match Self::get_profile(&leader.id.to_string()) {
      Ok(p) => p,
@@ -312,18 +317,6 @@ impl SynchronizerManager {
      return;
    };

-    #[cfg(target_os = "macos")]
-    {
-      let _ = tokio::process::Command::new("osascript")
-        .arg("-e")
-        .arg(format!(
-          "tell application \"System Events\" to set frontmost of (first process whose unix id is {}) to true",
-          pid
-        ))
-        .output()
-        .await;
-    }
-
    #[cfg(target_os = "linux")]
    {
      let _ = tokio::process::Command::new("xdotool")
@@ -338,7 +331,7 @@ impl SynchronizerManager {
        .await;
    }

-    #[cfg(target_os = "windows")]
+    #[cfg(not(target_os = "linux"))]
    {
      let _ = pid;
    }
@@ -580,7 +580,9 @@ impl LiveTrafficTracker {
      .profile_id
      .clone()
      .unwrap_or_else(|| self.proxy_id.clone());
-    let session_file = get_traffic_stats_dir().join(format!("{}.session.json", storage_key));
+    let storage_dir = get_traffic_stats_dir();
+    fs::create_dir_all(&storage_dir)?;
+    let session_file = storage_dir.join(format!("{}.session.json", storage_key));

    // Write atomically using a temp file
    let temp_file = session_file.with_extension("tmp");
@@ -761,9 +763,11 @@ impl LiveTrafficTracker {
      .profile_id
      .clone()
      .unwrap_or_else(|| self.proxy_id.clone());
+    let storage_dir = get_traffic_stats_dir();
+    fs::create_dir_all(&storage_dir)?;

    // Use file locking to prevent concurrent writes from multiple proxy processes
-    let lock_path = get_traffic_stats_dir().join(format!("{}.lock", storage_key));
+    let lock_path = storage_dir.join(format!("{}.lock", storage_key));
    let _lock = match acquire_file_lock(&lock_path) {
      Ok(lock) => lock,
      Err(e) => {
@@ -1,8 +1,24 @@
 use super::config::{OpenVpnConfig, VpnError};
-use std::path::PathBuf;
+use std::net::{IpAddr, Ipv4Addr, SocketAddr};
+use std::path::{Path, PathBuf};
 use std::process::{Command, Stdio};
-use tokio::io::{AsyncReadExt, AsyncWriteExt};
-use tokio::net::{TcpListener, TcpStream};
+use std::sync::Arc;
+use tokio::io::{AsyncBufReadExt, AsyncReadExt, AsyncWriteExt, BufReader};
+use tokio::net::{lookup_host, TcpListener, TcpSocket, TcpStream};
+
+const OPENVPN_CONNECT_TIMEOUT_SECS: u64 = 90;
+
+enum SocksTarget {
+  Address(SocketAddr),
+  Domain(String, u16),
+}
+
+#[derive(Debug, Clone, Copy)]
+pub(crate) struct OpenVpnDependencyStatus {
+  pub binary_found: bool,
+  pub missing_windows_adapter: bool,
+  pub dependency_check_failed: bool,
+}

 pub struct OpenVpnSocks5Server {
  config: OpenVpnConfig,
@@ -14,7 +30,168 @@ impl OpenVpnSocks5Server {
    Self { config, port }
  }

-  fn find_openvpn_binary() -> Result<PathBuf, VpnError> {
+  fn read_log_tail(path: &Path, lines: usize) -> String {
+    std::fs::read_to_string(path)
+      .unwrap_or_default()
+      .lines()
+      .rev()
+      .take(lines)
+      .collect::<Vec<_>>()
+      .into_iter()
+      .rev()
+      .collect::<Vec<_>>()
+      .join("\n")
+  }
+
+  fn extract_vpn_ip(line: &str) -> Option<Ipv4Addr> {
+    for field in line.split(',') {
+      let trimmed = field.trim();
+      if let Ok(ip) = trimmed.parse::<Ipv4Addr>() {
+        if ip.is_private() && !ip.is_loopback() {
+          return Some(ip);
+        }
+      }
+    }
+
+    None
+  }
+
+  fn log_indicates_connected(log_content: &str) -> bool {
+    log_content.contains("Initialization Sequence Completed")
+  }
+
+  fn log_indicates_failure(log_content: &str) -> bool {
+    log_content.contains("AUTH_FAILED")
+      || log_content.contains("Exiting due to fatal error")
+      || log_content.contains("Fatal error")
+      || log_content.contains("Options error")
+      || log_content.contains("Exiting")
+  }
+
+  fn has_config_directive(config: &str, directive: &str) -> bool {
+    config.lines().any(|line| {
+      let trimmed = line.trim();
+      !trimmed.is_empty()
+        && !trimmed.starts_with('#')
+        && !trimmed.starts_with(';')
+        && trimmed.starts_with(directive)
+    })
+  }
+
+  fn strip_config_directive(config: &str, directive: &str) -> String {
+    config
+      .lines()
+      .filter(|line| {
+        let trimmed = line.trim();
+        trimmed.is_empty()
+          || trimmed.starts_with('#')
+          || trimmed.starts_with(';')
+          || !trimmed.starts_with(directive)
+      })
+      .collect::<Vec<_>>()
+      .join("\n")
+  }
+
+  fn build_runtime_config(&self) -> String {
+    let mut runtime_config = self.config.raw_config.clone();
+
+    runtime_config = Self::strip_config_directive(&runtime_config, "redirect-gateway");
+    runtime_config = Self::strip_config_directive(&runtime_config, "block-outside-dns");
+    runtime_config = Self::strip_config_directive(&runtime_config, "dhcp-option");
+
+    if !runtime_config.contains("pull-filter ignore \"redirect-gateway\"") {
+      runtime_config.push_str("\npull-filter ignore \"redirect-gateway\"\n");
+    }
+    if !runtime_config.contains("pull-filter ignore \"block-outside-dns\"") {
+      runtime_config.push_str("pull-filter ignore \"block-outside-dns\"\n");
+    }
+    if !runtime_config.contains("pull-filter ignore \"dhcp-option\"") {
+      runtime_config.push_str("pull-filter ignore \"dhcp-option\"\n");
+    }
+
+    if !Self::has_config_directive(&runtime_config, "route 0.0.0.0") {
+      runtime_config.push_str("\nroute 0.0.0.0 0.0.0.0 vpn_gateway 9999\n");
+    }
+
+    #[cfg(windows)]
+    {
+      if Self::has_config_directive(&runtime_config, "dev-node") {
+        runtime_config = runtime_config
+          .lines()
+          .filter(|line| {
+            let trimmed = line.trim();
+            trimmed.is_empty()
+              || trimmed.starts_with('#')
+              || trimmed.starts_with(';')
+              || !trimmed.starts_with("dev-node")
+          })
+          .collect::<Vec<_>>()
+          .join("\n");
+      }
+
+      if !Self::has_config_directive(&runtime_config, "disable-dco") {
+        runtime_config.push_str("\ndisable-dco\n");
+      }
+
+      if self.config.dev_type.starts_with("tun")
+        && !Self::has_config_directive(&runtime_config, "windows-driver")
+      {
+        runtime_config.push_str("\nwindows-driver wintun\n");
+      }
+    }
+
+    runtime_config
+  }
+
+  pub(crate) fn dependency_status() -> OpenVpnDependencyStatus {
+    let Ok(openvpn_bin) = Self::find_openvpn_binary() else {
+      return OpenVpnDependencyStatus {
+        binary_found: false,
+        missing_windows_adapter: false,
+        dependency_check_failed: false,
+      };
+    };
+
+    #[cfg(windows)]
+    {
+      match Self::windows_openvpn_has_adapter(&openvpn_bin) {
+        Ok(has_adapter) => OpenVpnDependencyStatus {
+          binary_found: true,
+          missing_windows_adapter: !has_adapter,
+          dependency_check_failed: false,
+        },
+        Err(_) => OpenVpnDependencyStatus {
+          binary_found: true,
+          missing_windows_adapter: false,
+          dependency_check_failed: true,
+        },
+      }
+    }
+
+    #[cfg(not(windows))]
+    {
+      let _ = openvpn_bin;
+      OpenVpnDependencyStatus {
+        binary_found: true,
+        missing_windows_adapter: false,
+        dependency_check_failed: false,
+      }
+    }
+  }
+
+  pub(crate) fn find_openvpn_binary() -> Result<PathBuf, VpnError> {
+    if let Ok(path) = std::env::var("DONUTBROWSER_OPENVPN_BIN") {
+      let path = PathBuf::from(path);
+      if path.exists() {
+        return Ok(path);
+      }
+
+      return Err(VpnError::Connection(format!(
+        "Configured OpenVPN binary does not exist: {}",
+        path.display()
+      )));
+    }
+
    let locations = [
      "/usr/sbin/openvpn",
      "/usr/local/sbin/openvpn",
@@ -71,12 +248,300 @@ impl OpenVpnSocks5Server {
    ))
  }

+  fn openvpn_supports_management(openvpn_bin: &Path) -> bool {
+    let mut command = Command::new(openvpn_bin);
+    command.arg("--version");
+
+    #[cfg(windows)]
+    {
+      use std::os::windows::process::CommandExt;
+      const CREATE_NO_WINDOW: u32 = 0x08000000;
+      command.creation_flags(CREATE_NO_WINDOW);
+    }
+
+    let Ok(output) = command.output() else {
+      return true;
+    };
+
+    let version_text = format!(
+      "{}{}",
+      String::from_utf8_lossy(&output.stdout),
+      String::from_utf8_lossy(&output.stderr)
+    );
+
+    !version_text.contains("enable_management=no")
+  }
+
+  #[cfg(windows)]
+  pub(crate) fn windows_openvpn_has_adapter(openvpn_bin: &Path) -> Result<bool, VpnError> {
+    use std::os::windows::process::CommandExt;
+    const CREATE_NO_WINDOW: u32 = 0x08000000;
+
+    let output = Command::new(openvpn_bin)
+      .arg("--show-adapters")
+      .creation_flags(CREATE_NO_WINDOW)
+      .output()
+      .map_err(|e| VpnError::Connection(format!("Failed to inspect OpenVPN adapters: {e}")))?;
+
+    let text = format!(
+      "{}{}",
+      String::from_utf8_lossy(&output.stdout),
+      String::from_utf8_lossy(&output.stderr)
+    );
+
+    Ok(
+      text
+        .lines()
+        .map(str::trim)
+        .any(|line| !line.is_empty() && !line.starts_with("Available adapters")),
+    )
+  }
+
+  fn extract_vpn_ip_from_log(log_content: &str) -> Option<Ipv4Addr> {
+    for line in log_content.lines() {
+      if let Some(ip) = Self::extract_vpn_ip(line) {
+        return Some(ip);
+      }
+
+      if let Some(position) = line.find("ifconfig ") {
+        let after = &line[position + "ifconfig ".len()..];
+        if let Some(ip_str) = after
+          .split_whitespace()
+          .next()
+          .or_else(|| after.split(',').next())
+        {
+          if let Ok(ip) = ip_str.parse::<Ipv4Addr>() {
+            if ip.is_private() && !ip.is_loopback() {
+              return Some(ip);
+            }
+          }
+        }
+      }
+    }
+
+    None
+  }
+
+  async fn wait_for_openvpn_ready_via_management(
+    child: &mut std::process::Child,
+    mgmt_port: u16,
+    log_path: &Path,
+  ) -> Result<Option<Ipv4Addr>, VpnError> {
+    let deadline =
+      tokio::time::Instant::now() + tokio::time::Duration::from_secs(OPENVPN_CONNECT_TIMEOUT_SECS);
+
+    let mgmt_stream = loop {
+      if tokio::time::Instant::now() >= deadline {
+        return Err(VpnError::Connection(format!(
+          "Timed out connecting to OpenVPN management interface. Last OpenVPN output:\n{}",
+          Self::read_log_tail(log_path, 20)
+        )));
+      }
+
+      if let Ok(Some(status)) = child.try_wait() {
+        return Err(VpnError::Connection(format!(
+          "OpenVPN exited (status: {}) before the tunnel was established. Last output:\n{}",
+          status,
+          Self::read_log_tail(log_path, 20)
+        )));
+      }
+
+      match TcpStream::connect(("127.0.0.1", mgmt_port)).await {
+        Ok(stream) => break stream,
+        Err(_) => tokio::time::sleep(tokio::time::Duration::from_millis(500)).await,
+      }
+    };
+
+    let (mgmt_reader, mut mgmt_writer) = mgmt_stream.into_split();
+    let _ = mgmt_writer.write_all(b"state on\nstate\n").await;
+
+    let mut lines = BufReader::new(mgmt_reader).lines();
+    let mut interval = tokio::time::interval(tokio::time::Duration::from_secs(1));
+    interval.tick().await;
+
+    let mut vpn_ip = None;
+
+    loop {
+      if tokio::time::Instant::now() >= deadline {
+        return Err(VpnError::Connection(format!(
+          "Timed out waiting for OpenVPN to reach CONNECTED state. Last OpenVPN output:\n{}",
+          Self::read_log_tail(log_path, 20)
+        )));
+      }
+
+      if let Ok(Some(status)) = child.try_wait() {
+        return Err(VpnError::Connection(format!(
+          "OpenVPN exited (status: {}) before connecting. Last output:\n{}",
+          status,
+          Self::read_log_tail(log_path, 20)
+        )));
+      }
+
+      tokio::select! {
+        line_result = lines.next_line() => {
+          match line_result {
+            Ok(Some(line)) => {
+              if let Some(ip) = Self::extract_vpn_ip(&line) {
+                vpn_ip = Some(ip);
+              }
+
+              if line.contains(",CONNECTED,") {
+                break;
+              }
+
+              if line.contains("AUTH_FAILED") {
+                return Err(VpnError::Connection(format!(
+                  "OpenVPN authentication failed. Last output:\n{}",
+                  Self::read_log_tail(log_path, 20)
+                )));
+              }
+
+              if line.contains(",EXITING,") || line.contains(">FATAL:") {
+                return Err(VpnError::Connection(format!(
+                  "OpenVPN is exiting. Last output:\n{}",
+                  Self::read_log_tail(log_path, 20)
+                )));
+              }
+            }
+            Ok(None) => {
+              return Err(VpnError::Connection(format!(
+                "OpenVPN management connection closed before CONNECTED state. Last output:\n{}",
+                Self::read_log_tail(log_path, 20)
+              )));
+            }
+            Err(_) => {}
+          }
+        }
+        _ = interval.tick() => {
+          let _ = mgmt_writer.write_all(b"state\n").await;
+
+          let log_path = log_path.to_path_buf();
+          let log_content = tokio::task::spawn_blocking(move || std::fs::read_to_string(log_path))
+            .await
+            .ok()
+            .and_then(Result::ok);
+
+          if let Some(content) = log_content {
+            if Self::log_indicates_connected(&content) {
+              break;
+            }
+          }
+        }
+      }
+    }
+
+    if vpn_ip.is_none() {
+      if let Ok(log_content) = std::fs::read_to_string(log_path) {
+        vpn_ip = Self::extract_vpn_ip_from_log(&log_content);
+      }
+    }
+
+    Ok(vpn_ip)
+  }
+
+  async fn wait_for_openvpn_ready_via_log(
+    child: &mut std::process::Child,
+    log_path: &Path,
+  ) -> Result<Option<Ipv4Addr>, VpnError> {
+    let deadline =
+      tokio::time::Instant::now() + tokio::time::Duration::from_secs(OPENVPN_CONNECT_TIMEOUT_SECS);
+
+    loop {
+      if tokio::time::Instant::now() >= deadline {
+        return Err(VpnError::Connection(format!(
+          "Timed out waiting for OpenVPN to connect. Last OpenVPN output:\n{}",
+          Self::read_log_tail(log_path, 40)
+        )));
+      }
+
+      if let Ok(Some(status)) = child.try_wait() {
+        return Err(VpnError::Connection(format!(
+          "OpenVPN exited (status: {}) before connecting. Last output:\n{}",
+          status,
+          Self::read_log_tail(log_path, 40)
+        )));
+      }
+
+      let log_path_buf = log_path.to_path_buf();
+      let log_content = tokio::task::spawn_blocking(move || std::fs::read_to_string(log_path_buf))
+        .await
+        .ok()
+        .and_then(Result::ok)
+        .unwrap_or_default();
+
+      if Self::log_indicates_connected(&log_content) {
+        return Ok(Self::extract_vpn_ip_from_log(&log_content));
+      }
+
+      if Self::log_indicates_failure(&log_content) {
+        return Err(VpnError::Connection(format!(
+          "OpenVPN reported a fatal error while connecting. Last output:\n{}",
+          Self::read_log_tail(log_path, 40)
+        )));
+      }
+
+      tokio::time::sleep(tokio::time::Duration::from_millis(500)).await;
+    }
+  }
+
+  async fn connect_target(
+    target: SocksTarget,
+    vpn_bind_ip: Ipv4Addr,
+  ) -> Result<(TcpStream, SocketAddr), Box<dyn std::error::Error + Send + Sync>> {
+    let mut addresses = match target {
+      SocksTarget::Address(addr) => vec![addr],
+      SocksTarget::Domain(host, port) => {
+        let mut resolved = lookup_host((host.as_str(), port))
+          .await?
+          .collect::<Vec<_>>();
+        resolved.sort_by_key(|addr| if addr.is_ipv4() { 0 } else { 1 });
+        resolved
+      }
+    };
+
+    if addresses.is_empty() {
+      return Err("No addresses resolved for SOCKS5 target".into());
+    }
+
+    let mut last_error = None;
+
+    for address in addresses.drain(..) {
+      let socket = if address.is_ipv4() {
+        let socket = TcpSocket::new_v4()?;
+        if !vpn_bind_ip.is_unspecified() {
+          socket.bind(SocketAddr::new(IpAddr::V4(vpn_bind_ip), 0))?;
+        }
+        socket
+      } else {
+        TcpSocket::new_v6()?
+      };
+
+      match socket.connect(address).await {
+        Ok(stream) => return Ok((stream, address)),
+        Err(error) => last_error = Some(error),
+      }
+    }
+
+    Err(
+      last_error
+        .map(|error| error.into())
+        .unwrap_or_else(|| "Failed to connect to any resolved SOCKS5 target".into()),
+    )
+  }
+
  pub async fn run(self, config_id: String) -> Result<(), VpnError> {
    let openvpn_bin = Self::find_openvpn_binary()?;
+    let supports_management = Self::openvpn_supports_management(&openvpn_bin);
+
+    #[cfg(windows)]
+    if !Self::windows_openvpn_has_adapter(&openvpn_bin)? {
+      return Err(VpnError::Connection(
+        "OpenVPN requires a TAP/Wintun/ovpn-dco adapter on Windows, but none were found. Install or provision an adapter before connecting.".to_string(),
+      ));
+    }

-    // Write config to temp file
    let config_path = std::env::temp_dir().join(format!("openvpn_{}.ovpn", config_id));
-    std::fs::write(&config_path, &self.config.raw_config).map_err(VpnError::Io)?;
+    std::fs::write(&config_path, self.build_runtime_config()).map_err(VpnError::Io)?;

    #[cfg(unix)]
    {
@@ -84,43 +549,74 @@ impl OpenVpnSocks5Server {
      let _ = std::fs::set_permissions(&config_path, std::fs::Permissions::from_mode(0o600));
    }

-    // Find a management port
-    let mgmt_listener = std::net::TcpListener::bind("127.0.0.1:0")
-      .map_err(|e| VpnError::Connection(format!("Failed to bind management port: {e}")))?;
-    let mgmt_port = mgmt_listener
-      .local_addr()
-      .map_err(|e| VpnError::Connection(format!("Failed to get management port: {e}")))?
-      .port();
-    drop(mgmt_listener);
+    let mgmt_port = if supports_management {
+      let mgmt_listener = std::net::TcpListener::bind("127.0.0.1:0")
+        .map_err(|e| VpnError::Connection(format!("Failed to bind management port: {e}")))?;
+      let port = mgmt_listener
+        .local_addr()
+        .map_err(|e| VpnError::Connection(format!("Failed to get management port: {e}")))?
+        .port();
+      drop(mgmt_listener);
+      Some(port)
+    } else {
+      log::info!(
+        "[vpn-worker] OpenVPN build does not support management; using log-based readiness"
+      );
+      None
+    };
+
+    let openvpn_log_path = std::env::temp_dir().join(format!("openvpn-{}.log", config_id));
+    let log_file = std::fs::OpenOptions::new()
+      .create(true)
+      .write(true)
+      .truncate(true)
+      .open(&openvpn_log_path)
+      .map_err(VpnError::Io)?;

-    // Start OpenVPN with SOCKS proxy mode
    let mut cmd = Command::new(&openvpn_bin);
+    cmd.arg("--config").arg(&config_path);
+    if let Some(mgmt_port) = mgmt_port {
+      cmd
+        .arg("--management")
+        .arg("127.0.0.1")
+        .arg(mgmt_port.to_string());
+    }
    cmd
-      .arg("--config")
-      .arg(&config_path)
-      .arg("--management")
-      .arg("127.0.0.1")
-      .arg(mgmt_port.to_string())
-      .arg("--socks-proxy")
-      .arg("127.0.0.1")
-      .arg(self.port.to_string())
      .arg("--verb")
      .arg("3")
-      .stdout(Stdio::piped())
-      .stderr(Stdio::piped());
+      .stdout(
+        log_file
+          .try_clone()
+          .map(Stdio::from)
+          .map_err(VpnError::Io)?,
+      )
+      .stderr(Stdio::from(log_file));
+
+    #[cfg(windows)]
+    {
+      use std::os::windows::process::CommandExt;
+      const CREATE_NO_WINDOW: u32 = 0x08000000;
+
+      cmd.arg("--disable-dco");
+      if self.config.dev_type.starts_with("tun") {
+        cmd.arg("--windows-driver").arg("wintun");
+      }
+      cmd.creation_flags(CREATE_NO_WINDOW);
+    }

    let mut child = cmd
      .spawn()
      .map_err(|e| VpnError::Connection(format!("Failed to start OpenVPN: {e}")))?;

-    // Wait for OpenVPN to start
-    tokio::time::sleep(tokio::time::Duration::from_secs(3)).await;
+    tokio::time::sleep(tokio::time::Duration::from_secs(2)).await;

    match child.try_wait() {
      Ok(Some(status)) => {
        let _ = std::fs::remove_file(&config_path);
        return Err(VpnError::Connection(format!(
-          "OpenVPN exited early with status: {status}. OpenVPN requires elevated privileges (sudo/admin)."
+          "OpenVPN exited immediately (status: {}). Last output:\n{}",
+          status,
+          Self::read_log_tail(&openvpn_log_path, 20)
        )));
      }
      Ok(None) => {}
@@ -132,8 +628,15 @@ impl OpenVpnSocks5Server {
      }
    }

-    // Start a basic SOCKS5 proxy that tunnels through the OpenVPN TUN interface
-    let listener = TcpListener::bind(format!("127.0.0.1:{}", self.port))
+    let vpn_bind_ip = if let Some(mgmt_port) = mgmt_port {
+      Self::wait_for_openvpn_ready_via_management(&mut child, mgmt_port, &openvpn_log_path).await?
+    } else {
+      Self::wait_for_openvpn_ready_via_log(&mut child, &openvpn_log_path).await?
+    }
+    .unwrap_or(Ipv4Addr::UNSPECIFIED);
+    let vpn_bind_ip = Arc::new(vpn_bind_ip);
+
+    let listener = TcpListener::bind(("127.0.0.1", self.port))
      .await
      .map_err(|e| VpnError::Connection(format!("Failed to bind SOCKS5: {e}")))?;

@@ -142,10 +645,10 @@ impl OpenVpnSocks5Server {
      .map_err(|e| VpnError::Connection(format!("Failed to get local addr: {e}")))?
      .port();

-    if let Some(mut wc) = crate::vpn_worker_storage::get_vpn_worker_config(&config_id) {
-      wc.local_port = Some(actual_port);
-      wc.local_url = Some(format!("socks5://127.0.0.1:{}", actual_port));
-      let _ = crate::vpn_worker_storage::save_vpn_worker_config(&wc);
+    if let Some(mut worker_config) = crate::vpn_worker_storage::get_vpn_worker_config(&config_id) {
+      worker_config.local_port = Some(actual_port);
+      worker_config.local_url = Some(format!("socks5://127.0.0.1:{}", actual_port));
+      let _ = crate::vpn_worker_storage::save_vpn_worker_config(&worker_config);
    }

    log::info!(
@@ -156,10 +659,13 @@ impl OpenVpnSocks5Server {
    loop {
      match listener.accept().await {
        Ok((client, _)) => {
-          tokio::spawn(Self::handle_socks5_client(client));
+          let bind_ip = vpn_bind_ip.clone();
+          tokio::spawn(async move {
+            let _ = Self::handle_socks5_client(client, bind_ip).await;
+          });
        }
-        Err(e) => {
-          log::warn!("[vpn-worker] Accept error: {e}");
+        Err(error) => {
+          log::warn!("[vpn-worker] Accept error: {error}");
        }
      }
    }
@@ -167,53 +673,119 @@ impl OpenVpnSocks5Server {

  async fn handle_socks5_client(
    mut client: TcpStream,
+    vpn_bind_ip: Arc<Ipv4Addr>,
  ) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
-    // SOCKS5 greeting
-    let mut buf = [0u8; 256];
-    let n = client.read(&mut buf).await?;
-    if n < 3 || buf[0] != 0x05 {
+    let mut greeting = [0u8; 2];
+    if let Err(error) = client.read_exact(&mut greeting).await {
+      if error.kind() != std::io::ErrorKind::UnexpectedEof {
+        log::debug!("[socks5] Failed to read greeting header: {}", error);
+      }
      return Ok(());
    }
+
+    if greeting[0] != 0x05 {
+      return Ok(());
+    }
+
+    let mut methods = vec![0u8; greeting[1] as usize];
+    if let Err(error) = client.read_exact(&mut methods).await {
+      if error.kind() != std::io::ErrorKind::UnexpectedEof {
+        log::debug!("[socks5] Failed to read methods list: {}", error);
+      }
+      return Ok(());
+    }
+
    client.write_all(&[0x05, 0x00]).await?;

-    // SOCKS5 connect request
-    let n = client.read(&mut buf).await?;
-    if n < 10 || buf[0] != 0x05 || buf[1] != 0x01 {
+    let mut request_header = [0u8; 4];
+    if let Err(error) = client.read_exact(&mut request_header).await {
+      if error.kind() != std::io::ErrorKind::UnexpectedEof {
+        log::debug!("[socks5] Failed to read request header: {}", error);
+      }
      return Ok(());
    }

-    let dest_addr = match buf[3] {
+    if request_header[0] != 0x05 {
+      return Ok(());
+    }
+
+    if request_header[1] != 0x01 {
+      let _ = client
+        .write_all(&[0x05, 0x07, 0x00, 0x01, 0, 0, 0, 0, 0, 0])
+        .await;
+      return Ok(());
+    }
+
+    let target = match request_header[3] {
      0x01 => {
-        let ip = std::net::Ipv4Addr::new(buf[4], buf[5], buf[6], buf[7]);
-        let port = u16::from_be_bytes([buf[8], buf[9]]);
-        format!("{}:{}", ip, port)
+        let mut addr_port = [0u8; 6];
+        client.read_exact(&mut addr_port).await?;
+        SocksTarget::Address(SocketAddr::new(
+          IpAddr::V4(Ipv4Addr::new(
+            addr_port[0],
+            addr_port[1],
+            addr_port[2],
+            addr_port[3],
+          )),
+          u16::from_be_bytes([addr_port[4], addr_port[5]]),
+        ))
      }
      0x03 => {
-        let domain_len = buf[4] as usize;
-        let domain = String::from_utf8_lossy(&buf[5..5 + domain_len]).to_string();
-        let port_start = 5 + domain_len;
-        let port = u16::from_be_bytes([buf[port_start], buf[port_start + 1]]);
-        format!("{}:{}", domain, port)
+        let mut len = [0u8; 1];
+        client.read_exact(&mut len).await?;
+        if len[0] == 0 {
+          return Ok(());
+        }
+
+        let mut domain = vec![0u8; len[0] as usize];
+        client.read_exact(&mut domain).await?;
+
+        let mut port = [0u8; 2];
+        client.read_exact(&mut port).await?;
+
+        SocksTarget::Domain(
+          String::from_utf8_lossy(&domain).to_string(),
+          u16::from_be_bytes(port),
+        )
+      }
+      0x04 => {
+        let mut addr_port = [0u8; 18];
+        client.read_exact(&mut addr_port).await?;
+
+        let mut octets = [0u8; 16];
+        octets.copy_from_slice(&addr_port[..16]);
+
+        SocksTarget::Address(SocketAddr::new(
+          IpAddr::V6(std::net::Ipv6Addr::from(octets)),
+          u16::from_be_bytes([addr_port[16], addr_port[17]]),
+        ))
+      }
+      _ => {
+        let _ = client
+          .write_all(&[0x05, 0x08, 0x00, 0x01, 0, 0, 0, 0, 0, 0])
+          .await;
+        return Ok(());
      }
-      _ => return Ok(()),
    };

-    // Connect to destination through OpenVPN tunnel (OS routing handles it)
-    match TcpStream::connect(&dest_addr).await {
-      Ok(upstream) => {
+    match Self::connect_target(target, *vpn_bind_ip).await {
+      Ok((upstream, _address)) => {
        client
          .write_all(&[0x05, 0x00, 0x00, 0x01, 127, 0, 0, 1, 0, 0])
          .await?;

-        let (mut cr, mut cw) = client.into_split();
-        let (mut ur, mut uw) = upstream.into_split();
+        let (mut client_read, mut client_write) = client.into_split();
+        let (mut upstream_read, mut upstream_write) = upstream.into_split();

-        let c2u = tokio::io::copy(&mut cr, &mut uw);
-        let u2c = tokio::io::copy(&mut ur, &mut cw);
-
-        let _ = tokio::try_join!(c2u, u2c);
+        let client_to_upstream = tokio::io::copy(&mut client_read, &mut upstream_write);
+        let upstream_to_client = tokio::io::copy(&mut upstream_read, &mut client_write);
+        let _ = tokio::try_join!(client_to_upstream, upstream_to_client)?;
      }
-      Err(_) => {
+      Err(error) => {
+        log::debug!(
+          "[socks5] Failed to connect through OpenVPN tunnel: {}",
+          error
+        );
        client
          .write_all(&[0x05, 0x05, 0x00, 0x01, 0, 0, 0, 0, 0, 0])
          .await?;
@@ -240,58 +240,77 @@ impl WireGuardSocks5Server {
    socket: &UdpSocket,
    peer_addr: SocketAddr,
  ) -> Result<(), VpnError> {
-    let mut dst = vec![0u8; 2048];
-    let result = tunn.format_handshake_initiation(&mut dst, false);
-
-    match result {
-      TunnResult::WriteToNetwork(packet) => {
-        socket
-          .send_to(packet, peer_addr)
-          .map_err(|e| VpnError::Connection(format!("Failed to send handshake: {e}")))?;
-      }
-      TunnResult::Err(e) => {
-        return Err(VpnError::Tunnel(format!(
-          "Handshake initiation failed: {e:?}"
-        )));
-      }
-      _ => {}
-    }
-
    socket
-      .set_read_timeout(Some(std::time::Duration::from_secs(10)))
+      .set_read_timeout(Some(std::time::Duration::from_secs(5)))
      .map_err(|e| VpnError::Connection(format!("Failed to set timeout: {e}")))?;

-    let mut recv_buf = vec![0u8; 2048];
-    match socket.recv_from(&mut recv_buf) {
-      Ok((len, _)) => {
-        let result = tunn.decapsulate(None, &recv_buf[..len], &mut dst);
-        match result {
-          TunnResult::WriteToNetwork(response) => {
-            socket
-              .send_to(response, peer_addr)
-              .map_err(|e| VpnError::Connection(format!("Failed to send response: {e}")))?;
-          }
-          TunnResult::Done => {}
-          TunnResult::Err(e) => {
-            return Err(VpnError::Tunnel(format!(
-              "Handshake response failed: {e:?}"
-            )));
-          }
-          _ => {}
+    // WireGuard handshakes use UDP which can silently lose packets, especially
+    // through Docker port-forwarding layers. Retry the handshake initiation up
+    // to 5 times (25s total) before giving up — the protocol is designed for
+    // retransmission and peers handle duplicate initiations correctly.
+    let max_attempts = 5;
+    let mut last_error = String::from("no handshake attempt completed");
+
+    for attempt in 1..=max_attempts {
+      let mut dst = vec![0u8; 2048];
+      let result = tunn.format_handshake_initiation(&mut dst, false);
+
+      match result {
+        TunnResult::WriteToNetwork(packet) => {
+          socket
+            .send_to(packet, peer_addr)
+            .map_err(|e| VpnError::Connection(format!("Failed to send handshake: {e}")))?;
        }
+        TunnResult::Err(e) => {
+          return Err(VpnError::Tunnel(format!(
+            "Handshake initiation failed: {e:?}"
+          )));
+        }
+        _ => {}
      }
-      Err(e) => {
-        return Err(VpnError::Connection(format!(
-          "Handshake timeout or error: {e}"
-        )));
+
+      let mut recv_buf = vec![0u8; 2048];
+      match socket.recv_from(&mut recv_buf) {
+        Ok((len, _)) => {
+          let result = tunn.decapsulate(None, &recv_buf[..len], &mut dst);
+          match result {
+            TunnResult::WriteToNetwork(response) => {
+              socket
+                .send_to(response, peer_addr)
+                .map_err(|e| VpnError::Connection(format!("Failed to send response: {e}")))?;
+            }
+            TunnResult::Done => {}
+            TunnResult::Err(e) => {
+              last_error = format!("handshake response error: {e:?}");
+              log::warn!(
+                "[vpn-worker] Handshake attempt {attempt}/{max_attempts} failed: {last_error}"
+              );
+              continue;
+            }
+            _ => {}
+          }
+
+          socket
+            .set_read_timeout(None)
+            .map_err(|e| VpnError::Connection(format!("Failed to clear timeout: {e}")))?;
+          return Ok(());
+        }
+        Err(e) if attempt < max_attempts => {
+          log::warn!(
+            "[vpn-worker] Handshake attempt {attempt}/{max_attempts} timed out: {e}, retrying"
+          );
+          last_error = format!("timeout: {e}");
+          continue;
+        }
+        Err(e) => {
+          last_error = format!("timeout: {e}");
+        }
      }
    }

-    socket
-      .set_read_timeout(None)
-      .map_err(|e| VpnError::Connection(format!("Failed to clear timeout: {e}")))?;
-
-    Ok(())
+    Err(VpnError::Connection(format!(
+      "Handshake failed after {max_attempts} attempts: {last_error}"
+    )))
  }

  pub async fn run(self, config_id: String) -> Result<(), VpnError> {
@@ -370,6 +389,8 @@ impl WireGuardSocks5Server {
      smol_handle: SocketHandle,
      tcp_stream: TcpStream,
      socks_done: bool,
+      connecting: bool,
+      greeting_done: bool,
      read_buf: Vec<u8>,
      dest_addr: Option<SocketAddr>,
    }
@@ -391,6 +412,8 @@ impl WireGuardSocks5Server {
          smol_handle: handle,
          tcp_stream: stream,
          socks_done: false,
+          connecting: false,
+          greeting_done: false,
          read_buf: Vec::new(),
          dest_addr: None,
        });
@@ -409,7 +432,30 @@ impl WireGuardSocks5Server {
      // Process each connection
      let mut completed = Vec::new();
      for (idx, conn) in connections.iter_mut().enumerate() {
-        if !conn.socks_done {
+        if conn.connecting {
+          let socket = sockets.get_mut::<TcpSocket>(conn.smol_handle);
+          if socket.may_send() {
+            let _ = conn.tcp_stream.try_write(&[
+              0x05,
+              0x00,
+              0x00,
+              0x01,
+              127,
+              0,
+              0,
+              1,
+              (actual_port >> 8) as u8,
+              (actual_port & 0xff) as u8,
+            ]);
+            conn.connecting = false;
+            conn.socks_done = true;
+          } else if !socket.is_open() {
+            let _ = conn
+              .tcp_stream
+              .try_write(&[0x05, 0x05, 0x00, 0x01, 0, 0, 0, 0, 0, 0]);
+            completed.push(idx);
+          }
+        } else if !conn.socks_done {
          // Handle SOCKS5 handshake
          let mut buf = [0u8; 512];
          match conn.tcp_stream.try_read(&mut buf) {
@@ -427,19 +473,26 @@ impl WireGuardSocks5Server {
            }
          }

-          if conn.dest_addr.is_none() && conn.read_buf.len() >= 3 {
+          if !conn.greeting_done && conn.read_buf.len() >= 3 {
            // SOCKS5 greeting: version, nmethods, methods
            if conn.read_buf[0] != 0x05 {
              completed.push(idx);
              continue;
            }
-            // Reply: no auth required
-            let _ = conn.tcp_stream.try_write(&[0x05, 0x00]);
            let nmethods = conn.read_buf[1] as usize;
+            if conn.read_buf.len() < 2 + nmethods {
+              continue;
+            }
+            // Reply: no auth required
+            if conn.tcp_stream.try_write(&[0x05, 0x00]).is_err() {
+              completed.push(idx);
+              continue;
+            }
            conn.read_buf.drain(..2 + nmethods);
+            conn.greeting_done = true;
          }

-          if conn.dest_addr.is_none() && conn.read_buf.len() >= 10 {
+          if conn.greeting_done && conn.dest_addr.is_none() && conn.read_buf.len() >= 10 {
            // SOCKS5 connect request
            if conn.read_buf[0] != 0x05 || conn.read_buf[1] != 0x01 {
              completed.push(idx);
@@ -539,20 +592,7 @@ impl WireGuardSocks5Server {
              continue;
            }

-            // Send SOCKS5 success reply
-            let _ = conn.tcp_stream.try_write(&[
-              0x05,
-              0x00,
-              0x00,
-              0x01,
-              127,
-              0,
-              0,
-              1,
-              (actual_port >> 8) as u8,
-              (actual_port & 0xff) as u8,
-            ]);
-            conn.socks_done = true;
+            conn.connecting = true;
          }
        } else {
          // Data relay between SOCKS5 client and smoltcp socket
@@ -1,3 +1,4 @@
+use crate::proxy_runner::find_sidecar_executable;
 use crate::proxy_storage::is_process_running;
 use crate::vpn_worker_storage::{
  delete_vpn_worker_config, find_vpn_worker_by_vpn_id, generate_vpn_worker_id,
@@ -5,12 +6,124 @@ use crate::vpn_worker_storage::{
 };
 use std::process::Stdio;

+const VPN_WORKER_POLL_INTERVAL_MS: u64 = 100;
+const VPN_WORKER_STARTUP_TIMEOUT_MS: u64 = 30_000;
+const OPENVPN_WORKER_STARTUP_TIMEOUT_MS: u64 = 100_000;
+
+async fn vpn_worker_accepting_connections(config: &VpnWorkerConfig) -> bool {
+  let Some(port) = config.local_port else {
+    return false;
+  };
+
+  if config
+    .local_url
+    .as_ref()
+    .is_none_or(|local_url| local_url.is_empty())
+  {
+    return false;
+  }
+
+  matches!(
+    tokio::time::timeout(
+      tokio::time::Duration::from_millis(VPN_WORKER_POLL_INTERVAL_MS),
+      tokio::net::TcpStream::connect(("127.0.0.1", port)),
+    )
+    .await,
+    Ok(Ok(_))
+  )
+}
+
+fn worker_log_path(id: &str) -> std::path::PathBuf {
+  std::env::temp_dir().join(format!("donut-vpn-{}.log", id))
+}
+
+fn read_worker_log(id: &str) -> String {
+  std::fs::read_to_string(worker_log_path(id)).unwrap_or_else(|_| "No log available".to_string())
+}
+
+async fn wait_for_vpn_worker_ready(
+  id: &str,
+  vpn_type: &str,
+) -> Result<VpnWorkerConfig, Box<dyn std::error::Error>> {
+  let startup_timeout = if vpn_type == "openvpn" {
+    tokio::time::Duration::from_millis(OPENVPN_WORKER_STARTUP_TIMEOUT_MS)
+  } else {
+    tokio::time::Duration::from_millis(VPN_WORKER_STARTUP_TIMEOUT_MS)
+  };
+  let startup_deadline = tokio::time::Instant::now() + startup_timeout;
+
+  tokio::time::sleep(tokio::time::Duration::from_millis(
+    VPN_WORKER_POLL_INTERVAL_MS,
+  ))
+  .await;
+
+  let mut attempts = 0u32;
+
+  loop {
+    tokio::time::sleep(tokio::time::Duration::from_millis(
+      VPN_WORKER_POLL_INTERVAL_MS,
+    ))
+    .await;
+
+    if let Some(updated_config) = get_vpn_worker_config(id) {
+      let process_running = updated_config.pid.map(is_process_running).unwrap_or(false);
+
+      if !process_running && attempts > 2 {
+        let log_output = read_worker_log(id);
+        delete_vpn_worker_config(id);
+        return Err(format!("VPN worker process crashed. Log output:\n{}", log_output).into());
+      }
+
+      if vpn_worker_accepting_connections(&updated_config).await {
+        return Ok(updated_config);
+      }
+    }
+
+    attempts += 1;
+    if tokio::time::Instant::now() >= startup_deadline {
+      if let Some(config) = get_vpn_worker_config(id) {
+        let process_running = config.pid.map(is_process_running).unwrap_or(false);
+        let log_output = read_worker_log(id);
+        delete_vpn_worker_config(id);
+        return Err(
+          format!(
+            "VPN worker failed to start within {:.1}s. pid={:?}, process_running={}, local_url={:?}\n\nVPN worker log:\n{}",
+            startup_timeout.as_secs_f32(),
+            config.pid,
+            process_running,
+            config.local_url,
+            log_output
+          )
+          .into(),
+        );
+      }
+
+      delete_vpn_worker_config(id);
+      return Err("VPN worker config not found after spawn".into());
+    }
+  }
+}
+
 pub async fn start_vpn_worker(vpn_id: &str) -> Result<VpnWorkerConfig, Box<dyn std::error::Error>> {
+  for config in list_vpn_worker_configs() {
+    if let Some(pid) = config.pid {
+      if !is_process_running(pid) {
+        delete_vpn_worker_config(&config.id);
+      }
+    } else {
+      delete_vpn_worker_config(&config.id);
+    }
+  }
+
  // Check if a VPN worker for this vpn_id already exists and is running
  if let Some(existing) = find_vpn_worker_by_vpn_id(vpn_id) {
    if let Some(pid) = existing.pid {
      if is_process_running(pid) {
-        return Ok(existing);
+        if vpn_worker_accepting_connections(&existing).await {
+          return Ok(existing);
+        }
+
+        return wait_for_vpn_worker_ready(&existing.id, &existing.vpn_type).await;
      }
    }
    // Worker config exists but process is dead, clean up
@@ -63,7 +176,7 @@ pub async fn start_vpn_worker(vpn_id: &str) -> Result<VpnWorkerConfig, Box<dyn s
  save_vpn_worker_config(&config)?;

  // Spawn detached VPN worker process
-  let exe = std::env::current_exe()?;
+  let exe = find_sidecar_executable("donut-proxy")?;

  #[cfg(unix)]
  {
@@ -149,50 +262,7 @@ pub async fn start_vpn_worker(vpn_id: &str) -> Result<VpnWorkerConfig, Box<dyn s
    drop(child);
  }

-  // Wait for the worker to update config with local_url
-  tokio::time::sleep(tokio::time::Duration::from_millis(100)).await;
-
-  let mut attempts = 0;
-  let max_attempts = 100; // 10 seconds max
-
-  loop {
-    tokio::time::sleep(tokio::time::Duration::from_millis(100)).await;
-
-    if let Some(updated_config) = get_vpn_worker_config(&id) {
-      if let Some(ref local_url) = updated_config.local_url {
-        if !local_url.is_empty() {
-          if let Some(port) = updated_config.local_port {
-            if let Ok(Ok(_)) = tokio::time::timeout(
-              tokio::time::Duration::from_millis(100),
-              tokio::net::TcpStream::connect(("127.0.0.1", port)),
-            )
-            .await
-            {
-              return Ok(updated_config);
-            }
-          }
-        }
-      }
-    }
-
-    attempts += 1;
-    if attempts >= max_attempts {
-      if let Some(config) = get_vpn_worker_config(&id) {
-        let process_running = config.pid.map(is_process_running).unwrap_or(false);
-        // Clean up on failure
-        delete_vpn_worker_config(&id);
-        return Err(
-          format!(
-            "VPN worker failed to start in time. pid={:?}, process_running={}, local_url={:?}",
-            config.pid, process_running, config.local_url
-          )
-          .into(),
-        );
-      }
-      delete_vpn_worker_config(&id);
-      return Err("VPN worker config not found after spawn".into());
-    }
-  }
+  wait_for_vpn_worker_ready(&id, vpn_type_str).await
 }

 pub async fn stop_vpn_worker(id: &str) -> Result<bool, Box<dyn std::error::Error>> {
@@ -1,5 +1,6 @@
 use crate::browser_runner::BrowserRunner;
 use crate::profile::BrowserProfile;
+use playwright::api::Playwright;
 use reqwest::Client;
 use serde::{Deserialize, Serialize};
 use serde_json::json;
@@ -53,14 +54,14 @@ pub struct WayfernLaunchResult {
  pub cdp_port: Option<u16>,
 }

-#[derive(Debug)]
 struct WayfernInstance {
-  #[allow(dead_code)]
  id: String,
  process_id: Option<u32>,
  profile_path: Option<String>,
  url: Option<String>,
  cdp_port: Option<u16>,
+  playwright_context: Option<playwright::api::BrowserContext>,
+  playwright_runtime: Option<Playwright>,
 }

 struct WayfernManagerInner {
@@ -86,10 +87,23 @@ impl WayfernManager {
      inner: Arc::new(AsyncMutex::new(WayfernManagerInner {
        instances: HashMap::new(),
      })),
-      http_client: Client::new(),
+      http_client: Client::builder()
+        .timeout(Duration::from_secs(2))
+        .build()
+        .expect("Failed to build reqwest client for wayfern_manager"),
    }
  }

+  async fn create_playwright(
+    &self,
+  ) -> Result<Playwright, Box<dyn std::error::Error + Send + Sync>> {
+    Playwright::initialize()
+      .await
+      .map_err(|e| -> Box<dyn std::error::Error + Send + Sync> {
+        format!("Failed to initialize Playwright: {e}").into()
+      })
+  }
+
  pub fn instance() -> &'static WayfernManager {
    &WAYFERN_MANAGER
  }
@@ -136,22 +150,34 @@ impl WayfernManager {
    port: u16,
  ) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
    let url = format!("http://127.0.0.1:{port}/json/version");
-    let max_attempts = 50;
-    let delay = Duration::from_millis(100);
+    // On first launch, macOS Gatekeeper verifies the binary which can take 30+ seconds.
+    // Use a generous timeout (60s) to handle this.
+    let max_attempts = 120;
+    let delay = Duration::from_millis(500);

+    let mut last_error: Option<String> = None;
    for attempt in 0..max_attempts {
      match self.http_client.get(&url).send().await {
        Ok(resp) if resp.status().is_success() => {
          log::info!("CDP ready on port {port} after {attempt} attempts");
          return Ok(());
        }
-        _ => {
+        Ok(resp) => {
+          last_error = Some(format!("HTTP {} from {url}", resp.status()));
+          tokio::time::sleep(delay).await;
+        }
+        Err(e) => {
+          last_error = Some(format!("request failed: {e}"));
          tokio::time::sleep(delay).await;
        }
      }
    }

-    Err(format!("CDP not ready after {max_attempts} attempts on port {port}").into())
+    let detail = last_error.unwrap_or_else(|| "no attempts completed".to_string());
+    // Log at error level so we can diagnose Windows/AV/firewall-induced CDP hangs
+    // in customer reports without needing them to reproduce in the moment.
+    log::error!("CDP not ready after {max_attempts} attempts on port {port}: {detail}");
+    Err(format!("CDP not ready after {max_attempts} attempts on port {port}: {detail}").into())
  }

  async fn get_cdp_targets(
@@ -241,9 +267,18 @@ impl WayfernManager {
      .arg("--disable-setuid-sandbox")
      .arg("--disable-dev-shm-usage");

-    cmd.stdout(Stdio::null()).stderr(Stdio::null());
+    cmd.stdout(Stdio::null()).stderr(Stdio::piped());

-    let child = cmd.spawn()?;
+    let child = cmd.spawn().map_err(|e| {
+      // OS error 14001 = SxS / missing Visual C++ Redistributable
+      let hint = if e.raw_os_error() == Some(14001) {
+        ". This usually means the Visual C++ Redistributable is not installed. \
+         Download it from https://aka.ms/vs/17/release/vc_redist.x64.exe"
+      } else {
+        ""
+      };
+      format!("Failed to spawn headless Wayfern: {e}{hint}")
+    })?;
    let child_id = child.id();

    let cleanup = || async {
@@ -268,6 +303,28 @@ impl WayfernManager {
    };

    if let Err(e) = self.wait_for_cdp_ready(port).await {
+      // Try to capture stderr from the failed process for diagnostics
+      let stderr_output = if let Some(id) = child_id {
+        // Check if process is still running
+        let is_running = sysinfo::System::new_with_specifics(
+          sysinfo::RefreshKind::nothing().with_processes(sysinfo::ProcessRefreshKind::nothing()),
+        )
+        .process(sysinfo::Pid::from(id as usize))
+        .is_some();
+
+        if !is_running {
+          // Process exited — try to read its stderr
+          String::from("(process exited before CDP became ready)")
+        } else {
+          String::from("(process still running but not responding on CDP)")
+        }
+      } else {
+        String::new()
+      };
+
+      log::error!(
+        "Fingerprint-generation Wayfern (headless, pid={child_id:?}) never became CDP-ready: {e}. {stderr_output}"
+      );
      cleanup().await;
      return Err(e);
    }
@@ -509,11 +566,11 @@ impl WayfernManager {
                  let name: String = row.get(0).unwrap_or_default();
                  let host: String = row.get(1).unwrap_or_default();
                  let encrypted: Vec<u8> = row.get(2).unwrap_or_default();
-                  let decrypted =
-                    crate::cookie_manager::chrome_decrypt::decrypt(
-                      &encrypted,
-                      &encryption_key,
-                    );
+                  let decrypted = crate::cookie_manager::chrome_decrypt::decrypt(
+                    &encrypted,
+                    &host,
+                    &encryption_key,
+                  );
                  match decrypted {
                    Some(val) => log::info!(
                      "Pre-launch: Cookie decryption SUCCEEDED for '{}' (host: {}, decrypted {} bytes)",
@@ -539,7 +596,6 @@ impl WayfernManager {
    let mut args = vec![
      format!("--remote-debugging-port={port}"),
      "--remote-debugging-address=127.0.0.1".to_string(),
-      format!("--user-data-dir={}", profile_path),
      "--no-first-run".to_string(),
      "--no-default-browser-check".to_string(),
      "--disable-background-mode".to_string(),
@@ -550,7 +606,7 @@ impl WayfernManager {
      "--disable-session-crashed-bubble".to_string(),
      "--hide-crash-restore-bubble".to_string(),
      "--disable-infobars".to_string(),
-      "--disable-features=DialMediaRouteProvider".to_string(),
+      "--disable-features=DialMediaRouteProvider,DnsOverHttps,AsyncDns".to_string(),
      "--use-mock-keychain".to_string(),
      "--password-store=basic".to_string(),
    ];
@@ -562,10 +618,6 @@ impl WayfernManager {
      args.push("--disable-dev-shm-usage".to_string());
    }

-    if let Some(proxy) = proxy_url {
-      args.push(format!("--proxy-server={proxy}"));
-    }
-
    if ephemeral {
      args.push("--disk-cache-size=1".to_string());
      args.push("--disable-breakpad".to_string());
@@ -578,8 +630,17 @@ impl WayfernManager {
      args.push(format!("--load-extension={}", extension_paths.join(",")));
    }

-    // Pass wayfern token as CLI flag so the browser can gate CDP features
-    let wayfern_token = crate::cloud_auth::CLOUD_AUTH.get_wayfern_token().await;
+    let mut wayfern_token = crate::cloud_auth::CLOUD_AUTH.get_wayfern_token().await;
+    if wayfern_token.is_none() {
+      log::info!("Wayfern token not ready, waiting...");
+      for _ in 0..15 {
+        tokio::time::sleep(Duration::from_secs(1)).await;
+        wayfern_token = crate::cloud_auth::CLOUD_AUTH.get_wayfern_token().await;
+        if wayfern_token.is_some() {
+          break;
+        }
+      }
+    }
    if let Some(ref token) = wayfern_token {
      args.push(format!("--wayfern-token={token}"));
      log::info!("Wayfern token passed as CLI flag (length: {})", token.len());
@@ -587,20 +648,61 @@ impl WayfernManager {
      log::warn!("No wayfern token available — CDP gated methods will be blocked");
    }

-    // Don't add URL to args - we'll navigate via CDP after setting fingerprint
-    // This ensures fingerprint is applied at navigation commit time
+    if let Some(proxy) = proxy_url {
+      let pac_data = format!(
+        "data:application/x-ns-proxy-autoconfig,function FindProxyForURL(url,host){{return \"PROXY {}\";}}",
+        proxy.trim_start_matches("http://").trim_start_matches("https://")
+      );
+      args.push(format!("--proxy-pac-url={pac_data}"));
+      args.push("--dns-prefetch-disable".to_string());
+    }

-    let mut cmd = TokioCommand::new(&executable_path);
-    cmd.args(&args);
-    cmd.stdout(Stdio::piped());
-    cmd.stderr(Stdio::piped());
+    let pw = self.create_playwright().await?;
+    let chromium = pw.chromium();
+    let profile_path_ref = std::path::Path::new(profile_path);
+    let mut launcher = chromium.persistent_context_launcher(profile_path_ref);
+    launcher = launcher.executable(executable_path.as_ref());
+    launcher = launcher.headless(false);
+    launcher = launcher.chromium_sandbox(true);
+    launcher = launcher.args(&args);
+    launcher = launcher.timeout(0.0);

-    let child = cmd.spawn()?;
-    let process_id = child.id();
+    let pw_context =
+      launcher
+        .launch()
+        .await
+        .map_err(|e| -> Box<dyn std::error::Error + Send + Sync> {
+          let hint = if format!("{e}").contains("14001") {
+            ". This usually means the Visual C++ Redistributable is not installed. \
+           Download it from https://aka.ms/vs/17/release/vc_redist.x64.exe"
+          } else {
+            ""
+          };
+          format!("Failed to launch Wayfern: {e}{hint}").into()
+        })?;

-    self.wait_for_cdp_ready(port).await?;
+    let process_id = {
+      use sysinfo::{ProcessRefreshKind, RefreshKind, System};
+      let system = System::new_with_specifics(
+        RefreshKind::nothing().with_processes(ProcessRefreshKind::everything()),
+      );
+      let mut found: Option<u32> = None;
+      for (pid, process) in system.processes() {
+        let cmd_str = process
+          .cmd()
+          .iter()
+          .map(|s| s.to_string_lossy().to_string())
+          .collect::<Vec<_>>()
+          .join(" ");
+        if cmd_str.contains(&format!("--remote-debugging-port={port}")) {
+          found = Some(pid.as_u32());
+          break;
+        }
+      }
+      found
+    };
+    let pw_runtime = pw;

-    // Get CDP targets first - needed for both fingerprint and navigation
    let targets = self.get_cdp_targets(port).await?;
    log::info!("Found {} CDP targets", targets.len());

@@ -699,37 +801,7 @@ impl WayfernManager {
      log::warn!("No fingerprint found in config, browser will use default fingerprint");
    }

-    // Set geolocation override via CDP so navigator.geolocation.getCurrentPosition() matches
-    if let Some(fingerprint_json) = &config.fingerprint {
-      if let Ok(fp) = serde_json::from_str::<serde_json::Value>(fingerprint_json) {
-        let fp_obj = if fp.get("fingerprint").is_some() {
-          fp.get("fingerprint").unwrap()
-        } else {
-          &fp
-        };
-        if let (Some(lat), Some(lng)) = (
-          fp_obj.get("latitude").and_then(|v| v.as_f64()),
-          fp_obj.get("longitude").and_then(|v| v.as_f64()),
-        ) {
-          let accuracy = fp_obj
-            .get("accuracy")
-            .and_then(|v| v.as_f64())
-            .unwrap_or(100.0);
-          if let Some(target) = page_targets.first() {
-            if let Some(ws_url) = &target.websocket_debugger_url {
-              let _ = self
-                .send_cdp_command(
-                  ws_url,
-                  "Emulation.setGeolocationOverride",
-                  json!({ "latitude": lat, "longitude": lng, "accuracy": accuracy }),
-                )
-                .await;
-              log::info!("Set geolocation override: lat={lat}, lng={lng}");
-            }
-          }
-        }
-      }
-    }
+    // Geolocation is handled internally by the browser binary.

    // Navigate to URL via CDP - fingerprint will be applied at navigation commit time
    if let Some(url) = url {
@@ -754,6 +826,8 @@ impl WayfernManager {
      profile_path: Some(profile_path.to_string()),
      url: url.map(|s| s.to_string()),
      cdp_port: Some(port),
+      playwright_context: Some(pw_context),
+      playwright_runtime: Some(pw_runtime),
    };

    let mut inner = self.inner.lock().await;
@@ -775,6 +849,9 @@ impl WayfernManager {
    let mut inner = self.inner.lock().await;

    if let Some(instance) = inner.instances.remove(id) {
+      log::info!("Cleaning up Wayfern instance {}", instance.id);
+      drop(instance.playwright_context);
+      drop(instance.playwright_runtime);
      if let Some(pid) = instance.process_id {
        #[cfg(unix)]
        {
@@ -929,6 +1006,8 @@ impl WayfernManager {
          profile_path: Some(found_profile_path.clone()),
          url: None,
          cdp_port,
+          playwright_context: None,
+          playwright_runtime: None,
        },
      );

@@ -1,7 +1,7 @@
 {
  "$schema": "https://schema.tauri.app/config/2",
  "productName": "Donut",
-  "version": "0.18.0",
+  "version": "0.20.4",
  "identifier": "com.donutbrowser",
  "build": {
    "beforeDevCommand": "pnpm copy-proxy-binary && pnpm dev",
@@ -1298,3 +1298,134 @@ async fn test_local_proxy_with_socks5_upstream(

  Ok(())
 }
+
+/// Test proxying traffic through a real Shadowsocks server running in Docker.
+/// Verifies the full chain: client → donut-proxy → Shadowsocks → internet.
+#[tokio::test]
+#[serial]
+async fn test_local_proxy_with_shadowsocks_upstream(
+) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
+  let binary_path = setup_test().await?;
+  let mut tracker = ProxyTestTracker::new(binary_path.clone());
+
+  // Check Docker availability
+  let docker_check = std::process::Command::new("docker").arg("version").output();
+  if docker_check.map(|o| !o.status.success()).unwrap_or(true) {
+    eprintln!("skipping Shadowsocks e2e test because Docker is unavailable");
+    return Ok(());
+  }
+
+  // Start a Shadowsocks server container
+  let ss_container = "donut-ss-test";
+  let ss_port = 18388u16;
+  let ss_password = "donut-test-password";
+  let ss_method = "aes-256-gcm";
+
+  // Clean up any previous container
+  let _ = std::process::Command::new("docker")
+    .args(["rm", "-f", ss_container])
+    .output();
+
+  let docker_start = std::process::Command::new("docker")
+    .args([
+      "run",
+      "-d",
+      "--name",
+      ss_container,
+      "-p",
+      &format!("{ss_port}:8388"),
+      "ghcr.io/shadowsocks/ssserver-rust:latest",
+      "ssserver",
+      "-s",
+      "[::]:8388",
+      "-k",
+      ss_password,
+      "-m",
+      ss_method,
+    ])
+    .output()?;
+
+  if !docker_start.status.success() {
+    let stderr = String::from_utf8_lossy(&docker_start.stderr);
+    eprintln!("skipping Shadowsocks e2e test: Docker run failed: {stderr}");
+    return Ok(());
+  }
+
+  // Wait for the SS server to be ready
+  for _ in 0..15 {
+    sleep(Duration::from_secs(1)).await;
+    if TcpStream::connect(("127.0.0.1", ss_port)).await.is_ok() {
+      break;
+    }
+  }
+
+  // Start donut-proxy with Shadowsocks upstream
+  let output = TestUtils::execute_command(
+    &binary_path,
+    &[
+      "proxy",
+      "start",
+      "--host",
+      "127.0.0.1",
+      "--proxy-port",
+      &ss_port.to_string(),
+      "--type",
+      "ss",
+      "--username",
+      ss_method,
+      "--password",
+      ss_password,
+    ],
+  )
+  .await?;
+
+  if !output.status.success() {
+    let stderr = String::from_utf8_lossy(&output.stderr);
+    let _ = std::process::Command::new("docker")
+      .args(["rm", "-f", ss_container])
+      .output();
+    return Err(format!("Proxy start failed: {stderr}").into());
+  }
+
+  let config: Value = serde_json::from_str(&String::from_utf8(output.stdout)?)?;
+  let proxy_id = config["id"].as_str().unwrap().to_string();
+  let local_port = config["localPort"].as_u64().unwrap() as u16;
+  tracker.track_proxy(proxy_id);
+
+  // Wait for proxy to be fully ready
+  for _ in 0..20 {
+    sleep(Duration::from_millis(100)).await;
+    if TcpStream::connect(("127.0.0.1", local_port)).await.is_ok() {
+      break;
+    }
+  }
+  sleep(Duration::from_millis(500)).await;
+
+  // Test: HTTP request through donut-proxy → Shadowsocks → example.com
+  let mut stream = TcpStream::connect(("127.0.0.1", local_port)).await?;
+  let request =
+    "GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n\r\n";
+  stream.write_all(request.as_bytes()).await?;
+
+  let mut response = vec![0u8; 16384];
+  let n = tokio::time::timeout(Duration::from_secs(15), stream.read(&mut response))
+    .await
+    .map_err(|_| "HTTP request through Shadowsocks timed out")?
+    .map_err(|e| format!("Read error: {e}"))?;
+  let response_str = String::from_utf8_lossy(&response[..n]);
+
+  assert!(
+    response_str.contains("Example Domain"),
+    "HTTP traffic through Shadowsocks should reach example.com, got: {}",
+    &response_str[..response_str.len().min(500)]
+  );
+  println!("Shadowsocks upstream proxy test passed");
+
+  // Cleanup
+  tracker.cleanup_all().await;
+  let _ = std::process::Command::new("docker")
+    .args(["rm", "-f", ss_container])
+    .output();
+
+  Ok(())
+}
@@ -16,12 +16,21 @@ const WIREGUARD_IMAGE: &str = "linuxserver/wireguard:latest";
 const OPENVPN_IMAGE: &str = "kylemanna/openvpn:latest";
 const WG_CONTAINER: &str = "donut-wg-test";
 const OVPN_CONTAINER: &str = "donut-ovpn-test";
+const OVPN_VOLUME: &str = "donut-ovpn-test-data";

 /// Check if running in CI environment
 pub fn is_ci() -> bool {
  std::env::var("CI").is_ok() || std::env::var("GITHUB_ACTIONS").is_ok()
 }

+fn has_external_wireguard_service() -> bool {
+  std::env::var("VPN_TEST_WG_HOST").is_ok()
+}
+
+fn has_external_openvpn_service() -> bool {
+  std::env::var("VPN_TEST_OVPN_HOST").is_ok()
+}
+
 /// Check if Docker is available
 pub fn is_docker_available() -> bool {
  Command::new("docker")
@@ -33,14 +42,10 @@ pub fn is_docker_available() -> bool {

 /// Start a WireGuard test server and return client config
 pub async fn start_wireguard_server() -> Result<WireGuardTestConfig, String> {
-  if is_ci() {
-    // In CI, use the service container configured in workflow
+  if has_external_wireguard_service() {
    let host = std::env::var("VPN_TEST_WG_HOST").unwrap_or_else(|_| "localhost".into());
    let port = std::env::var("VPN_TEST_WG_PORT").unwrap_or_else(|_| "51820".into());

-    // Wait for service to be ready
-    wait_for_service(&host, port.parse().unwrap_or(51820)).await?;
-
    return get_ci_wireguard_config(&host, &port);
  }

@@ -71,6 +76,8 @@ pub async fn start_wireguard_server() -> Result<WireGuardTestConfig, String> {
      "SERVERPORT=51820",
      "-e",
      "PEERDNS=auto",
+      "-e",
+      "INTERNAL_SUBNET=10.64.0.0",
      WIREGUARD_IMAGE,
    ])
    .output()
@@ -83,8 +90,40 @@ pub async fn start_wireguard_server() -> Result<WireGuardTestConfig, String> {
    ));
  }

-  // Wait for container to be ready and generate configs
-  sleep(Duration::from_secs(10)).await;
+  // Wait for container to generate configs and bring up the WireGuard interface.
+  // A fixed sleep is flaky — on busy machines the interface takes longer. Instead
+  // we poll `wg show` inside the container until it reports an active interface,
+  // with a generous upper bound.
+  let wg_ready_deadline = tokio::time::Instant::now() + Duration::from_secs(45);
+  loop {
+    sleep(Duration::from_secs(2)).await;
+
+    // Check if peer config file has been generated
+    let config_check = Command::new("docker")
+      .args(["exec", WG_CONTAINER, "cat", "/config/peer1/peer1.conf"])
+      .output();
+    let config_exists = config_check
+      .as_ref()
+      .map(|o| o.status.success())
+      .unwrap_or(false);
+
+    // Check if WireGuard interface is actually up and listening
+    let wg_check = Command::new("docker")
+      .args(["exec", WG_CONTAINER, "wg", "show"])
+      .output();
+    let wg_up = wg_check
+      .as_ref()
+      .map(|o| o.status.success() && String::from_utf8_lossy(&o.stdout).contains("listening port"))
+      .unwrap_or(false);
+
+    if config_exists && wg_up {
+      break;
+    }
+
+    if tokio::time::Instant::now() >= wg_ready_deadline {
+      return Err("WireGuard container did not become ready within 45s".to_string());
+    }
+  }

  // Extract client config from container
  let config_output = Command::new("docker")
@@ -100,19 +139,38 @@ pub async fn start_wireguard_server() -> Result<WireGuardTestConfig, String> {
  }

  let config_str = String::from_utf8_lossy(&config_output.stdout).to_string();
-  parse_wireguard_test_config(&config_str)
+  let mut config = parse_wireguard_test_config(&config_str)?;
+
+  // Start a lightweight HTTP server inside the container on the WireGuard
+  // interface so tests can verify traffic flows through the tunnel without
+  // depending on internet access (Docker Desktop for Mac can't reliably NAT
+  // WireGuard tunnel traffic to the internet). The linuxserver/wireguard
+  // image doesn't have python3 or busybox httpd, but it has nc (netcat).
+  let _ = Command::new("docker")
+    .args([
+      "exec",
+      "-d",
+      WG_CONTAINER,
+      "sh",
+      "-c",
+      r#"while true; do printf "HTTP/1.1 200 OK\r\nContent-Length: 13\r\nConnection: close\r\n\r\nWG-TUNNEL-OK\n" | nc -l -p 8080 2>/dev/null; done"#,
+    ])
+    .output();
+  // Give the nc loop a moment to start accepting
+  sleep(Duration::from_millis(500)).await;
+
+  // Extract the server's tunnel IP (first octet group from INTERNAL_SUBNET + .1)
+  config.server_tunnel_ip = "10.64.0.1".to_string();
+
+  Ok(config)
 }

 /// Start an OpenVPN test server and return client config
 pub async fn start_openvpn_server() -> Result<OpenVpnTestConfig, String> {
-  if is_ci() {
-    // In CI, use the service container configured in workflow
+  if has_external_openvpn_service() {
    let host = std::env::var("VPN_TEST_OVPN_HOST").unwrap_or_else(|_| "localhost".into());
    let port = std::env::var("VPN_TEST_OVPN_PORT").unwrap_or_else(|_| "1194".into());

-    // Wait for service to be ready
-    wait_for_service(&host, port.parse().unwrap_or(1194)).await?;
-
    return get_ci_openvpn_config(&host, &port);
  }

@@ -125,9 +183,139 @@ pub async fn start_openvpn_server() -> Result<OpenVpnTestConfig, String> {
    .args(["rm", "-f", OVPN_CONTAINER])
    .output();

-  // For OpenVPN, we need to initialize PKI first, which is complex
-  // For simplicity in tests, we'll use a pre-configured test config
-  Err("OpenVPN container setup requires pre-configured PKI. Use test fixtures instead.".to_string())
+  let _ = Command::new("docker")
+    .args(["volume", "rm", "-f", OVPN_VOLUME])
+    .output();
+
+  let create_volume = Command::new("docker")
+    .args(["volume", "create", OVPN_VOLUME])
+    .output()
+    .map_err(|e| format!("Failed to create OpenVPN test volume: {e}"))?;
+  if !create_volume.status.success() {
+    return Err(format!(
+      "Failed to create OpenVPN test volume: {}",
+      String::from_utf8_lossy(&create_volume.stderr)
+    ));
+  }
+
+  let genconfig = Command::new("docker")
+    .args([
+      "run",
+      "--rm",
+      "-v",
+      &format!("{OVPN_VOLUME}:/etc/openvpn"),
+      "-e",
+      "EASYRSA_BATCH=1",
+      OPENVPN_IMAGE,
+      "ovpn_genconfig",
+      "-u",
+      "udp://127.0.0.1",
+      "-s",
+      "10.9.0.0/24",
+    ])
+    .output()
+    .map_err(|e| format!("Failed to generate OpenVPN config: {e}"))?;
+  if !genconfig.status.success() {
+    return Err(format!(
+      "OpenVPN config generation failed: {}",
+      String::from_utf8_lossy(&genconfig.stderr)
+    ));
+  }
+
+  let init_pki = Command::new("docker")
+    .args([
+      "run",
+      "--rm",
+      "-v",
+      &format!("{OVPN_VOLUME}:/etc/openvpn"),
+      "-e",
+      "EASYRSA_BATCH=1",
+      OPENVPN_IMAGE,
+      "ovpn_initpki",
+      "nopass",
+    ])
+    .output()
+    .map_err(|e| format!("Failed to initialize OpenVPN PKI: {e}"))?;
+  if !init_pki.status.success() {
+    return Err(format!(
+      "OpenVPN PKI initialization failed: {}",
+      String::from_utf8_lossy(&init_pki.stderr)
+    ));
+  }
+
+  let build_client = Command::new("docker")
+    .args([
+      "run",
+      "--rm",
+      "-v",
+      &format!("{OVPN_VOLUME}:/etc/openvpn"),
+      "-e",
+      "EASYRSA_BATCH=1",
+      OPENVPN_IMAGE,
+      "easyrsa",
+      "build-client-full",
+      "donut-test-client",
+      "nopass",
+    ])
+    .output()
+    .map_err(|e| format!("Failed to build OpenVPN client certificate: {e}"))?;
+  if !build_client.status.success() {
+    return Err(format!(
+      "OpenVPN client certificate build failed: {}",
+      String::from_utf8_lossy(&build_client.stderr)
+    ));
+  }
+
+  let start_server = Command::new("docker")
+    .args([
+      "run",
+      "-d",
+      "--name",
+      OVPN_CONTAINER,
+      "--cap-add=NET_ADMIN",
+      "-p",
+      "1194:1194/udp",
+      "-v",
+      &format!("{OVPN_VOLUME}:/etc/openvpn"),
+      OPENVPN_IMAGE,
+    ])
+    .output()
+    .map_err(|e| format!("Failed to start OpenVPN container: {e}"))?;
+  if !start_server.status.success() {
+    return Err(format!(
+      "OpenVPN container start failed: {}",
+      String::from_utf8_lossy(&start_server.stderr)
+    ));
+  }
+
+  sleep(Duration::from_secs(10)).await;
+
+  let client_config = Command::new("docker")
+    .args([
+      "run",
+      "--rm",
+      "-v",
+      &format!("{OVPN_VOLUME}:/etc/openvpn"),
+      OPENVPN_IMAGE,
+      "ovpn_getclient",
+      "donut-test-client",
+    ])
+    .output()
+    .map_err(|e| format!("Failed to fetch OpenVPN client config: {e}"))?;
+  if !client_config.status.success() {
+    return Err(format!(
+      "Failed to read OpenVPN client config: {}",
+      String::from_utf8_lossy(&client_config.stderr)
+    ));
+  }
+
+  let raw_config = String::from_utf8_lossy(&client_config.stdout).to_string();
+  Ok(OpenVpnTestConfig {
+    raw_config,
+    remote_host: "127.0.0.1".to_string(),
+    remote_port: 1194,
+    protocol: "udp".to_string(),
+  })
 }

 /// Stop all VPN test servers
@@ -135,21 +323,9 @@ pub async fn stop_vpn_servers() {
  let _ = Command::new("docker")
    .args(["rm", "-f", WG_CONTAINER, OVPN_CONTAINER])
    .output();
-}
-
-/// Wait for a network service to be ready
-async fn wait_for_service(host: &str, port: u16) -> Result<(), String> {
-  let timeout = Duration::from_secs(30);
-  let start = std::time::Instant::now();
-
-  while start.elapsed() < timeout {
-    if std::net::TcpStream::connect(format!("{host}:{port}")).is_ok() {
-      return Ok(());
-    }
-    sleep(Duration::from_millis(500)).await;
-  }
-
-  Err(format!("Timeout waiting for service at {host}:{port}"))
+  let _ = Command::new("docker")
+    .args(["volume", "rm", "-f", OVPN_VOLUME])
+    .output();
 }

 /// WireGuard test configuration
@@ -160,6 +336,11 @@ pub struct WireGuardTestConfig {
  pub peer_public_key: String,
  pub peer_endpoint: String,
  pub allowed_ips: Vec<String>,
+  pub preshared_key: Option<String>,
+  /// IP of the WireGuard server on the tunnel interface (e.g. 10.64.0.1).
+  /// Tests use this to reach an HTTP server inside the container without
+  /// needing internet access from Docker.
+  pub server_tunnel_ip: String,
 }

 /// OpenVPN test configuration
@@ -178,6 +359,7 @@ fn parse_wireguard_test_config(content: &str) -> Result<WireGuardTestConfig, Str
  let mut peer_public_key = String::new();
  let mut peer_endpoint = String::new();
  let mut allowed_ips = vec!["0.0.0.0/0".to_string()];
+  let mut preshared_key = None;
  let mut current_section = "";

  for line in content.lines() {
@@ -205,6 +387,7 @@ fn parse_wireguard_test_config(content: &str) -> Result<WireGuardTestConfig, Str
        ("interface", "DNS") => dns = Some(value.to_string()),
        ("peer", "PublicKey") => peer_public_key = value.to_string(),
        ("peer", "Endpoint") => peer_endpoint = value.to_string(),
+        ("peer", "PresharedKey") => preshared_key = Some(value.to_string()),
        ("peer", "AllowedIPs") => {
          allowed_ips = value.split(',').map(|s| s.trim().to_string()).collect();
        }
@@ -230,12 +413,22 @@ fn parse_wireguard_test_config(content: &str) -> Result<WireGuardTestConfig, Str
    peer_public_key,
    peer_endpoint,
    allowed_ips,
+    preshared_key,
+    server_tunnel_ip: String::new(), // filled in by caller
  })
 }

 /// Get WireGuard config from CI environment
 fn get_ci_wireguard_config(host: &str, port: &str) -> Result<WireGuardTestConfig, String> {
-  // In CI, use environment variables or test fixtures
+  if std::env::var("VPN_TEST_WG_PRIVATE_KEY").is_err()
+    || std::env::var("VPN_TEST_WG_PUBLIC_KEY").is_err()
+  {
+    return Err(
+      "External WireGuard test service is configured, but VPN_TEST_WG_PRIVATE_KEY and VPN_TEST_WG_PUBLIC_KEY are missing"
+        .to_string(),
+    );
+  }
+
  let private_key =
    std::env::var("VPN_TEST_WG_PRIVATE_KEY").unwrap_or_else(|_| "test-private-key".to_string());
  let public_key =
@@ -248,11 +441,23 @@ fn get_ci_wireguard_config(host: &str, port: &str) -> Result<WireGuardTestConfig
    peer_public_key: public_key,
    peer_endpoint: format!("{host}:{port}"),
    allowed_ips: vec!["0.0.0.0/0".to_string()],
+    preshared_key: std::env::var("VPN_TEST_WG_PRESHARED_KEY").ok(),
+    server_tunnel_ip: std::env::var("VPN_TEST_WG_SERVER_IP")
+      .unwrap_or_else(|_| "10.0.0.1".to_string()),
  })
 }

 /// Get OpenVPN config from CI environment
 fn get_ci_openvpn_config(host: &str, port: &str) -> Result<OpenVpnTestConfig, String> {
+  if let Ok(raw_config) = std::env::var("VPN_TEST_OVPN_RAW_CONFIG") {
+    return Ok(OpenVpnTestConfig {
+      raw_config,
+      remote_host: host.to_string(),
+      remote_port: port.parse().unwrap_or(1194),
+      protocol: "udp".to_string(),
+    });
+  }
+
  let raw_config = format!(
    r#"
 client
@@ -3,13 +3,22 @@
 //! These tests verify VPN config parsing, storage, and tunnel functionality.
 //! Connection tests require Docker and are skipped if Docker is not available.

+mod common;
 mod test_harness;

+use common::TestUtils;
 use donutbrowser_lib::vpn::{
  detect_vpn_type, parse_openvpn_config, parse_wireguard_config, OpenVpnConfig, VpnConfig,
  VpnStorage, VpnType, WireGuardConfig,
 };
+use serde_json::Value;
 use serial_test::serial;
+use std::path::PathBuf;
+use std::sync::OnceLock;
+use std::time::{Duration, SystemTime, UNIX_EPOCH};
+use tokio::io::{AsyncReadExt, AsyncWriteExt};
+use tokio::net::TcpStream;
+use tokio::time::sleep;

 // ============================================================================
 // Config Parsing Tests
@@ -420,6 +429,523 @@ async fn test_tunnel_manager() {
  assert_eq!(manager.active_count(), 0);
 }

-// NOTE: Actual connection tests require Docker containers running.
-// These are meant to be run with the CI workflow that sets up service containers.
-// To run locally: docker run -d --cap-add=NET_ADMIN -p 51820:51820/udp -e PEERS=1 linuxserver/wireguard
+struct TestEnvGuard {
+  _root: PathBuf,
+  previous_data_dir: Option<String>,
+  previous_cache_dir: Option<String>,
+}
+
+impl TestEnvGuard {
+  fn new() -> Result<Self, Box<dyn std::error::Error + Send + Sync>> {
+    static TEST_RUNTIME_ROOT: OnceLock<PathBuf> = OnceLock::new();
+
+    let root = TEST_RUNTIME_ROOT
+      .get_or_init(|| {
+        std::env::temp_dir().join(format!("donutbrowser-vpn-e2e-{}", std::process::id()))
+      })
+      .clone();
+    let data_dir = root.join("data");
+    let cache_dir = root.join("cache");
+    let vpn_dir = data_dir.join("vpn");
+
+    let _ = std::fs::remove_dir_all(&data_dir);
+    let _ = std::fs::remove_dir_all(&cache_dir);
+    std::fs::create_dir_all(&vpn_dir)?;
+    std::fs::create_dir_all(&data_dir)?;
+    std::fs::create_dir_all(&cache_dir)?;
+
+    let previous_data_dir = std::env::var("DONUTBROWSER_DATA_DIR").ok();
+    let previous_cache_dir = std::env::var("DONUTBROWSER_CACHE_DIR").ok();
+
+    std::env::set_var("DONUTBROWSER_DATA_DIR", &data_dir);
+    std::env::set_var("DONUTBROWSER_CACHE_DIR", &cache_dir);
+
+    Ok(Self {
+      _root: root,
+      previous_data_dir,
+      previous_cache_dir,
+    })
+  }
+}
+
+impl Drop for TestEnvGuard {
+  fn drop(&mut self) {
+    if let Some(value) = &self.previous_data_dir {
+      std::env::set_var("DONUTBROWSER_DATA_DIR", value);
+    } else {
+      std::env::remove_var("DONUTBROWSER_DATA_DIR");
+    }
+
+    if let Some(value) = &self.previous_cache_dir {
+      std::env::set_var("DONUTBROWSER_CACHE_DIR", value);
+    } else {
+      std::env::remove_var("DONUTBROWSER_CACHE_DIR");
+    }
+  }
+}
+
+struct ProxyProcess {
+  id: String,
+  local_port: u16,
+}
+
+async fn ensure_donut_proxy_binary() -> Result<PathBuf, Box<dyn std::error::Error + Send + Sync>> {
+  let cargo_manifest_dir = std::env::var("CARGO_MANIFEST_DIR")?;
+  let project_root = PathBuf::from(cargo_manifest_dir)
+    .parent()
+    .unwrap()
+    .to_path_buf();
+
+  let proxy_binary_name = if cfg!(windows) {
+    "donut-proxy.exe"
+  } else {
+    "donut-proxy"
+  };
+  let proxy_binary = project_root
+    .join("src-tauri")
+    .join("target")
+    .join("debug")
+    .join(proxy_binary_name);
+
+  if !proxy_binary.exists() {
+    let build_status = tokio::process::Command::new("cargo")
+      .args(["build", "--bin", "donut-proxy"])
+      .current_dir(project_root.join("src-tauri"))
+      .status()
+      .await?;
+
+    if !build_status.success() {
+      return Err("Failed to build donut-proxy binary".into());
+    }
+  }
+
+  if !proxy_binary.exists() {
+    return Err("donut-proxy binary was not created successfully".into());
+  }
+
+  Ok(proxy_binary)
+}
+
+fn new_test_vpn_config(name: &str, vpn_type: VpnType, config_data: String) -> VpnConfig {
+  let created_at = SystemTime::now()
+    .duration_since(UNIX_EPOCH)
+    .unwrap_or_default()
+    .as_secs() as i64;
+
+  VpnConfig {
+    id: uuid::Uuid::new_v4().to_string(),
+    name: name.to_string(),
+    vpn_type,
+    config_data,
+    created_at,
+    last_used: None,
+    sync_enabled: false,
+    last_sync: None,
+  }
+}
+
+fn build_wireguard_config(config: &test_harness::WireGuardTestConfig) -> String {
+  format!(
+    "[Interface]\nPrivateKey = {}\nAddress = {}\n{}\n[Peer]\nPublicKey = {}\n{}Endpoint = {}\nAllowedIPs = {}\nPersistentKeepalive = 25\n",
+    config.private_key,
+    config.address,
+    config
+      .dns
+      .as_ref()
+      .map(|dns| format!("DNS = {dns}\n"))
+      .unwrap_or_default(),
+    config.peer_public_key,
+    config
+      .preshared_key
+      .as_ref()
+      .map(|key| format!("PresharedKey = {key}\n"))
+      .unwrap_or_default(),
+    config.peer_endpoint,
+    config.allowed_ips.join(", ")
+  )
+}
+
+fn openvpn_client_available() -> bool {
+  if let Ok(path) = std::env::var("DONUTBROWSER_OPENVPN_BIN") {
+    return PathBuf::from(path).exists();
+  }
+
+  std::process::Command::new(if cfg!(windows) { "where" } else { "which" })
+    .arg("openvpn")
+    .output()
+    .map(|output| output.status.success())
+    .unwrap_or(false)
+}
+
+#[cfg(windows)]
+fn openvpn_adapter_available() -> bool {
+  let openvpn = std::process::Command::new("openvpn")
+    .arg("--show-adapters")
+    .output();
+
+  openvpn
+    .ok()
+    .map(|output| {
+      let text = format!(
+        "{}{}",
+        String::from_utf8_lossy(&output.stdout),
+        String::from_utf8_lossy(&output.stderr)
+      );
+      text
+        .lines()
+        .map(str::trim)
+        .any(|line| !line.is_empty() && !line.starts_with("Available adapters"))
+    })
+    .unwrap_or(false)
+}
+
+#[cfg(not(windows))]
+fn openvpn_adapter_available() -> bool {
+  true
+}
+
+async fn start_proxy_with_upstream(
+  binary_path: &PathBuf,
+  upstream_proxy: &str,
+  bypass_rules: &[String],
+  blocklist_file: Option<&str>,
+  profile_id: Option<&str>,
+) -> Result<ProxyProcess, Box<dyn std::error::Error + Send + Sync>> {
+  let upstream_url = url::Url::parse(upstream_proxy)?;
+  let host = upstream_url
+    .host_str()
+    .ok_or("Upstream proxy host is missing")?
+    .to_string();
+  let port = upstream_url
+    .port()
+    .ok_or("Upstream proxy port is missing")?;
+
+  let mut args = vec![
+    "proxy".to_string(),
+    "start".to_string(),
+    "--host".to_string(),
+    host,
+    "--proxy-port".to_string(),
+    port.to_string(),
+    "--type".to_string(),
+    upstream_url.scheme().to_string(),
+  ];
+
+  if !bypass_rules.is_empty() {
+    args.push("--bypass-rules".to_string());
+    args.push(serde_json::to_string(bypass_rules)?);
+  }
+
+  if let Some(blocklist_file) = blocklist_file {
+    args.push("--blocklist-file".to_string());
+    args.push(blocklist_file.to_string());
+  }
+
+  if let Some(profile_id) = profile_id {
+    args.push("--profile-id".to_string());
+    args.push(profile_id.to_string());
+  }
+
+  let arg_refs = args.iter().map(String::as_str).collect::<Vec<_>>();
+  let output = TestUtils::execute_command(binary_path, &arg_refs).await?;
+  if !output.status.success() {
+    return Err(
+      format!(
+        "Failed to start local proxy - stdout: {}, stderr: {}",
+        String::from_utf8_lossy(&output.stdout),
+        String::from_utf8_lossy(&output.stderr)
+      )
+      .into(),
+    );
+  }
+
+  let config: Value = serde_json::from_str(&String::from_utf8(output.stdout)?)?;
+  Ok(ProxyProcess {
+    id: config["id"].as_str().ok_or("Missing proxy id")?.to_string(),
+    local_port: config["localPort"].as_u64().ok_or("Missing local port")? as u16,
+  })
+}
+
+async fn stop_proxy(
+  binary_path: &PathBuf,
+  proxy_id: &str,
+) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
+  let output =
+    TestUtils::execute_command(binary_path, &["proxy", "stop", "--id", proxy_id]).await?;
+  if !output.status.success() {
+    return Err(
+      format!(
+        "Failed to stop proxy '{}' - stdout: {}, stderr: {}",
+        proxy_id,
+        String::from_utf8_lossy(&output.stdout),
+        String::from_utf8_lossy(&output.stderr)
+      )
+      .into(),
+    );
+  }
+  Ok(())
+}
+
+async fn raw_http_request_via_proxy(
+  local_port: u16,
+  url: &str,
+  host_header: &str,
+) -> Result<String, Box<dyn std::error::Error + Send + Sync>> {
+  let mut stream = tokio::time::timeout(
+    Duration::from_secs(20),
+    TcpStream::connect(("127.0.0.1", local_port)),
+  )
+  .await
+  .map_err(|_| "proxy TCP connect timed out after 20s")??;
+
+  let request = format!("GET {url} HTTP/1.1\r\nHost: {host_header}\r\nConnection: close\r\n\r\n");
+  stream.write_all(request.as_bytes()).await?;
+
+  let mut response = Vec::new();
+  tokio::time::timeout(Duration::from_secs(20), stream.read_to_end(&mut response))
+    .await
+    .map_err(|_| "proxy HTTP response timed out after 20s")??;
+  Ok(String::from_utf8_lossy(&response).to_string())
+}
+
+async fn cleanup_runtime() {
+  let _ = donutbrowser_lib::proxy_runner::stop_all_proxy_processes().await;
+  let _ = donutbrowser_lib::vpn_worker_runner::stop_all_vpn_workers().await;
+  test_harness::stop_vpn_servers().await;
+}
+
+async fn wait_for_file(
+  path: &std::path::Path,
+  timeout: Duration,
+) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
+  let deadline = tokio::time::Instant::now() + timeout;
+
+  while tokio::time::Instant::now() < deadline {
+    if path.exists() {
+      return Ok(());
+    }
+
+    sleep(Duration::from_millis(250)).await;
+  }
+
+  Err(format!("Timed out waiting for file: {}", path.display()).into())
+}
+
+async fn run_proxy_feature_suite(
+  binary_path: &PathBuf,
+  vpn_id: &str,
+  server_tunnel_ip: &str,
+) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
+  let vpn_worker = donutbrowser_lib::vpn_worker_runner::start_vpn_worker(vpn_id)
+    .await
+    .map_err(|error| error.to_string())?;
+  let vpn_upstream = vpn_worker
+    .local_url
+    .clone()
+    .ok_or("VPN worker did not expose a local URL")?;
+
+  let profile_id = format!("vpn-e2e-{}", uuid::Uuid::new_v4());
+  let proxy =
+    start_proxy_with_upstream(binary_path, &vpn_upstream, &[], None, Some(&profile_id)).await?;
+
+  sleep(Duration::from_millis(500)).await;
+
+  // Test HTTP traffic through the tunnel to the internal HTTP server running
+  // inside the WireGuard container. This avoids depending on internet access
+  // from Docker (macOS Docker Desktop can't reliably NAT WireGuard tunnel
+  // traffic through to the internet).
+  let internal_url = format!("http://{}:8080/", server_tunnel_ip);
+  let internal_host = format!("{}:8080", server_tunnel_ip);
+  let http_response =
+    raw_http_request_via_proxy(proxy.local_port, &internal_url, &internal_host).await?;
+  assert!(
+    http_response.contains("WG-TUNNEL-OK"),
+    "HTTP traffic through donut-proxy+VPN tunnel should succeed, got: {}",
+    &http_response[..http_response.len().min(300)]
+  );
+
+  let stats_file = donutbrowser_lib::app_dirs::cache_dir()
+    .join("traffic_stats")
+    .join(format!("{}.json", profile_id));
+  wait_for_file(&stats_file, Duration::from_secs(8)).await?;
+
+  assert!(
+    stats_file.exists(),
+    "Traffic stats should exist for VPN-backed local proxy"
+  );
+  let stats: Value = serde_json::from_str(&std::fs::read_to_string(&stats_file)?)?;
+  let total_requests = stats["total_requests"].as_u64().unwrap_or_default();
+  assert!(
+    total_requests > 0,
+    "Traffic stats should record requests for VPN-backed local proxy"
+  );
+  let domains = stats["domains"]
+    .as_object()
+    .ok_or("Traffic stats are missing per-domain data")?;
+  assert!(
+    domains.contains_key(server_tunnel_ip),
+    "Traffic stats should include tunnel server IP activity, got: {:?}",
+    domains.keys().collect::<Vec<_>>()
+  );
+
+  stop_proxy(binary_path, &proxy.id).await?;
+
+  // DNS blocklist test: blocklist the tunnel server IP so it gets rejected
+  let blocklist_file = tempfile::NamedTempFile::new()?;
+  std::fs::write(blocklist_file.path(), format!("{server_tunnel_ip}\n"))?;
+  let blocked_proxy = start_proxy_with_upstream(
+    binary_path,
+    &vpn_upstream,
+    &[],
+    blocklist_file.path().to_str(),
+    None,
+  )
+  .await?;
+  let blocked_response =
+    raw_http_request_via_proxy(blocked_proxy.local_port, &internal_url, &internal_host).await?;
+  assert!(
+    blocked_response.contains("403") || blocked_response.contains("Blocked by DNS blocklist"),
+    "DNS blocklist should be enforced before forwarding to the VPN upstream"
+  );
+  stop_proxy(binary_path, &blocked_proxy.id).await?;
+
+  let listener = tokio::net::TcpListener::bind("127.0.0.1:0").await?;
+  let bypass_target_port = listener.local_addr()?.port();
+  let bypass_server = tokio::spawn(async move {
+    while let Ok((stream, _)) = listener.accept().await {
+      let io = hyper_util::rt::TokioIo::new(stream);
+      tokio::spawn(async move {
+        let service = hyper::service::service_fn(|_req| async move {
+          Ok::<_, hyper::Error>(
+            hyper::Response::builder()
+              .status(hyper::StatusCode::OK)
+              .body(http_body_util::Full::new(hyper::body::Bytes::from(
+                "VPN-BYPASS-OK",
+              )))
+              .unwrap(),
+          )
+        });
+        let _ = hyper::server::conn::http1::Builder::new()
+          .serve_connection(io, service)
+          .await;
+      });
+    }
+  });
+
+  let bypass_proxy = start_proxy_with_upstream(
+    binary_path,
+    &vpn_upstream,
+    &["127.0.0.1".to_string(), "localhost".to_string()],
+    None,
+    None,
+  )
+  .await?;
+  let bypass_response = raw_http_request_via_proxy(
+    bypass_proxy.local_port,
+    &format!("http://127.0.0.1:{bypass_target_port}/"),
+    &format!("127.0.0.1:{bypass_target_port}"),
+  )
+  .await?;
+  assert!(
+    bypass_response.contains("VPN-BYPASS-OK"),
+    "Bypass rules should still work when donut-proxy is chained to a VPN worker"
+  );
+  stop_proxy(binary_path, &bypass_proxy.id).await?;
+  bypass_server.abort();
+
+  donutbrowser_lib::vpn_worker_runner::stop_vpn_worker(&vpn_worker.id)
+    .await
+    .map_err(|error| error.to_string())?;
+  Ok(())
+}
+
+#[tokio::test]
+#[serial]
+async fn test_wireguard_traffic_flows_through_donut_proxy(
+) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
+  let _env = TestEnvGuard::new()?;
+
+  cleanup_runtime().await;
+  if !test_harness::is_docker_available() {
+    eprintln!("skipping WireGuard e2e test because Docker is unavailable");
+    return Ok(());
+  }
+
+  let binary_path = ensure_donut_proxy_binary().await?;
+  let wg_config = match test_harness::start_wireguard_server().await {
+    Ok(config) => config,
+    Err(error) => {
+      eprintln!("skipping WireGuard e2e test: {error}");
+      return Ok(());
+    }
+  };
+
+  let vpn_config = new_test_vpn_config(
+    "WireGuard E2E",
+    VpnType::WireGuard,
+    build_wireguard_config(&wg_config),
+  );
+  {
+    let storage = donutbrowser_lib::vpn::VPN_STORAGE.lock().unwrap();
+    storage.save_config(&vpn_config)?;
+  }
+
+  let result =
+    run_proxy_feature_suite(&binary_path, &vpn_config.id, &wg_config.server_tunnel_ip).await;
+  cleanup_runtime().await;
+
+  result
+}
+
+#[tokio::test]
+#[serial]
+async fn test_openvpn_traffic_flows_through_donut_proxy(
+) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
+  let _env = TestEnvGuard::new()?;
+  cleanup_runtime().await;
+
+  if std::env::var("DONUTBROWSER_RUN_OPENVPN_E2E")
+    .ok()
+    .as_deref()
+    != Some("1")
+  {
+    eprintln!("skipping OpenVPN e2e test because DONUTBROWSER_RUN_OPENVPN_E2E is not set");
+    return Ok(());
+  }
+
+  if !test_harness::is_docker_available() {
+    eprintln!("skipping OpenVPN e2e test because Docker is unavailable");
+    return Ok(());
+  }
+
+  if !openvpn_client_available() {
+    eprintln!("skipping OpenVPN e2e test because the OpenVPN client binary is unavailable");
+    return Ok(());
+  }
+
+  if !openvpn_adapter_available() {
+    eprintln!("skipping OpenVPN e2e test because no Windows OpenVPN adapter is available");
+    return Ok(());
+  }
+
+  let binary_path = ensure_donut_proxy_binary().await?;
+  let ovpn_config = match test_harness::start_openvpn_server().await {
+    Ok(config) => config,
+    Err(error) => {
+      eprintln!("skipping OpenVPN e2e test: {error}");
+      return Ok(());
+    }
+  };
+
+  let vpn_config = new_test_vpn_config("OpenVPN E2E", VpnType::OpenVPN, ovpn_config.raw_config);
+  {
+    let storage = donutbrowser_lib::vpn::VPN_STORAGE.lock().unwrap();
+    storage.save_config(&vpn_config)?;
+  }
+
+  // OpenVPN test uses the server's tunnel IP for internal-only traffic.
+  // The OpenVPN server's subnet is 10.9.0.0/24, server at 10.9.0.1.
+  let result = run_proxy_feature_suite(&binary_path, &vpn_config.id, "10.9.0.1").await;
+  cleanup_runtime().await;
+  result
+}
@@ -1,14 +1,7 @@
-"use client";
 import { Geist, Geist_Mono } from "next/font/google";
 import "@/styles/globals.css";
 import "flag-icons/css/flag-icons.min.css";
-import { useEffect } from "react";
-import { I18nProvider } from "@/components/i18n-provider";
-import { CustomThemeProvider } from "@/components/theme-provider";
-import { Toaster } from "@/components/ui/sonner";
-import { TooltipProvider } from "@/components/ui/tooltip";
-import { WindowDragArea } from "@/components/window-drag-area";
-import { setupLogging } from "@/lib/logger";
+import { ClientProviders } from "@/components/client-providers";

 const geistSans = Geist({
  variable: "--font-geist-sans",
@@ -25,22 +18,12 @@ export default function RootLayout({
 }: Readonly<{
  children: React.ReactNode;
 }>) {
-  useEffect(() => {
-    void setupLogging();
-  }, []);
-
  return (
    <html lang="en" suppressHydrationWarning>
      <body
        className={`${geistSans.variable} ${geistMono.variable} antialiased overflow-hidden bg-background`}
      >
-        <I18nProvider>
-          <CustomThemeProvider>
-            <WindowDragArea />
-            <TooltipProvider>{children}</TooltipProvider>
-            <Toaster />
-          </CustomThemeProvider>
-        </I18nProvider>
+        <ClientProviders>{children}</ClientProviders>
      </body>
    </html>
  );
@@ -280,7 +280,7 @@ export default function Home() {
  const [processingUrls, setProcessingUrls] = useState<Set<string>>(new Set());

  const handleUrlOpen = useCallback(
-    async (url: string) => {
+    (url: string) => {
      // Prevent duplicate processing of the same URL
      if (processingUrls.has(url)) {
        console.log("URL already being processed:", url);
@@ -324,7 +324,7 @@ export default function Home() {
      const currentUrl = await getCurrent();
      if (currentUrl && currentUrl.length > 0) {
        console.log("Startup URL detected:", currentUrl[0]);
-        void handleUrlOpen(currentUrl[0]);
+        handleUrlOpen(currentUrl[0]);
      }
    } catch (error) {
      console.error("Failed to check current URL:", error);
@@ -372,7 +372,7 @@ export default function Home() {
    }
  }, [proxiesError]);

-  const checkAllPermissions = useCallback(async () => {
+  const checkAllPermissions = useCallback(() => {
    try {
      // Wait for permissions to be initialized before checking
      if (!isInitialized) {
@@ -413,13 +413,13 @@ export default function Home() {
      // Listen for URL open events from the deep link handler (when app is already running)
      await listen<string>("url-open-request", (event) => {
        console.log("Received URL open request:", event.payload);
-        void handleUrlOpen(event.payload);
+        handleUrlOpen(event.payload);
      });

      // Listen for show profile selector events
      await listen<string>("show-profile-selector", (event) => {
        console.log("Received show profile selector request:", event.payload);
-        void handleUrlOpen(event.payload);
+        handleUrlOpen(event.payload);
      });

      // Listen for show create profile dialog events
@@ -437,7 +437,7 @@ export default function Home() {
      // Listen for custom logo click events
      const handleLogoUrlEvent = (event: CustomEvent) => {
        console.log("Received logo URL event:", event.detail);
-        void handleUrlOpen(event.detail);
+        handleUrlOpen(event.detail);
      };

      window.addEventListener(
@@ -515,6 +515,8 @@ export default function Home() {
      groupId?: string;
      extensionGroupId?: string;
      ephemeral?: boolean;
+      dnsBlocklist?: string;
+      launchHook?: string;
    }) => {
      try {
        const profile = await invoke<BrowserProfile>(
@@ -529,9 +531,11 @@ export default function Home() {
            camoufoxConfig: profileData.camoufoxConfig,
            wayfernConfig: profileData.wayfernConfig,
            groupId:
-              profileData.groupId ||
+              profileData.groupId ??
              (selectedGroupId !== "default" ? selectedGroupId : undefined),
            ephemeral: profileData.ephemeral,
+            dnsBlocklist: profileData.dnsBlocklist,
+            launchHook: profileData.launchHook,
          },
        );

@@ -764,13 +768,13 @@ export default function Home() {
    setCookieManagementDialogOpen(true);
  }, []);

-  const handleGroupAssignmentComplete = useCallback(async () => {
+  const handleGroupAssignmentComplete = useCallback(() => {
    // No need to manually reload - useProfileEvents will handle the update
    setGroupAssignmentDialogOpen(false);
    setSelectedProfilesForGroup([]);
  }, []);

-  const handleProxyAssignmentComplete = useCallback(async () => {
+  const handleProxyAssignmentComplete = useCallback(() => {
    // No need to manually reload - useProfileEvents will handle the update
    setProxyAssignmentDialogOpen(false);
    setSelectedProfilesForProxy([]);
@@ -810,7 +814,7 @@ export default function Home() {
    let unlistenStatus: (() => void) | undefined;
    let unlistenProgress: (() => void) | undefined;
    const profilesWithTransfer = new Set<string>();
-    (async () => {
+    void (async () => {
      try {
        unlistenStatus = await listen<{
          profile_id: string;
@@ -898,7 +902,7 @@ export default function Home() {
    };

    let cleanup: (() => void) | undefined;
-    setupListeners().then((cleanupFn) => {
+    void setupListeners().then((cleanupFn) => {
      cleanup = cleanupFn;
    });

@@ -995,7 +999,7 @@ export default function Home() {
  // Check permissions when they are initialized
  useEffect(() => {
    if (isInitialized) {
-      void checkAllPermissions();
+      checkAllPermissions();
    }
  }, [isInitialized, checkAllPermissions]);

@@ -1093,7 +1097,9 @@ export default function Home() {
            crossOsUnlocked={crossOsUnlocked}
            syncUnlocked={syncUnlocked}
            getProfileSyncInfo={getProfileSyncInfo}
-            onLaunchWithSync={(profile) => setSyncLeaderProfile(profile)}
+            onLaunchWithSync={(profile) => {
+              setSyncLeaderProfile(profile);
+            }}
          />
        </div>
      </main>
@@ -1167,7 +1173,9 @@ export default function Home() {

      <CloneProfileDialog
        isOpen={!!cloneProfile}
-        onClose={() => setCloneProfile(null)}
+        onClose={() => {
+          setCloneProfile(null);
+        }}
        profile={cloneProfile}
      />

@@ -1197,7 +1205,9 @@ export default function Home() {

      <ExtensionManagementDialog
        isOpen={extensionManagementDialogOpen}
-        onClose={() => setExtensionManagementDialogOpen(false)}
+        onClose={() => {
+          setExtensionManagementDialogOpen(false);
+        }}
        limitedMode={!crossOsUnlocked}
      />

@@ -1242,7 +1252,9 @@ export default function Home() {
        selectedProfiles={selectedProfilesForCookies}
        profiles={profiles}
        runningProfiles={runningProfiles}
-        onCopyComplete={() => setSelectedProfilesForCookies([])}
+        onCopyComplete={() => {
+          setSelectedProfilesForCookies([]);
+        }}
      />

      <CookieManagementDialog
@@ -1256,7 +1268,9 @@ export default function Home() {

      <DeleteConfirmationDialog
        isOpen={showBulkDeleteConfirmation}
-        onClose={() => setShowBulkDeleteConfirmation(false)}
+        onClose={() => {
+          setShowBulkDeleteConfirmation(false);
+        }}
        onConfirm={confirmBulkDelete}
        title="Delete Selected Profiles"
        description={`This action cannot be undone. This will permanently delete ${selectedProfiles.length} profile${selectedProfiles.length !== 1 ? "s" : ""} and all associated data.`}
@@ -1279,7 +1293,9 @@ export default function Home() {

      <SyncAllDialog
        isOpen={syncAllDialogOpen}
-        onClose={() => setSyncAllDialogOpen(false)}
+        onClose={() => {
+          setSyncAllDialogOpen(false);
+        }}
      />

      <ProfileSyncDialog
@@ -1289,7 +1305,9 @@ export default function Home() {
          setCurrentProfileForSync(null);
        }}
        profile={currentProfileForSync}
-        onSyncConfigOpen={() => setSyncConfigDialogOpen(true)}
+        onSyncConfigOpen={() => {
+          setSyncConfigDialogOpen(true);
+        }}
      />

      {/* Wayfern Terms and Conditions Dialog - shown if terms not accepted */}
@@ -1313,7 +1331,9 @@ export default function Home() {
      {/* Launch on Login Dialog - shown on every startup until enabled or declined */}
      <LaunchOnLoginDialog
        isOpen={launchOnLoginDialogOpen}
-        onClose={() => setLaunchOnLoginDialogOpen(false)}
+        onClose={() => {
+          setLaunchOnLoginDialogOpen(false);
+        }}
      />

      <WindowResizeWarningDialog
@@ -1328,7 +1348,9 @@ export default function Home() {

      <SyncFollowerDialog
        isOpen={syncLeaderProfile !== null}
-        onClose={() => setSyncLeaderProfile(null)}
+        onClose={() => {
+          setSyncLeaderProfile(null);
+        }}
        leaderProfile={syncLeaderProfile}
        allProfiles={profiles}
        runningProfiles={runningProfiles}
@@ -44,7 +44,9 @@ export function AppUpdateToast({
            <span className="text-sm font-semibold text-foreground">
              {updateReady
                ? "Update ready, restart to apply"
-                : "Manual download required"}
+                : updateInfo.repo_update
+                  ? "Update available via package manager"
+                  : "Manual download required"}
            </span>
            <div className="text-xs text-muted-foreground">
              {updateInfo.current_version} → {updateInfo.new_version}
@@ -72,6 +74,7 @@ export function AppUpdateToast({
              Restart Now
            </RippleButton>
          ) : (
+            !updateInfo.repo_update &&
            updateInfo.manual_update_required && (
              <RippleButton
                onClick={handleViewRelease}
@@ -46,12 +46,6 @@ export function BandwidthMiniChart({
    return result;
  }, [data]);

-  // Find max value for scaling
-  const _maxBandwidth = React.useMemo(() => {
-    const max = Math.max(...chartData.map((d) => d.bandwidth), 1);
-    return max;
-  }, [chartData]);
-
  // Use external bandwidth if provided, otherwise calculate from last data point
  const currentBandwidth =
    externalBandwidth ?? chartData[chartData.length - 1]?.bandwidth ?? 0;
@@ -74,7 +68,12 @@ export function BandwidthMiniChart({
      )}
    >
      <div className="flex-1 h-3 pointer-events-none">
-        <ResponsiveContainer width="100%" height="100%">
+        <ResponsiveContainer
+          width="100%"
+          height="100%"
+          minWidth={1}
+          minHeight={1}
+        >
          <AreaChart
            data={chartData}
            margin={{ top: 0, right: 0, bottom: 0, left: 0 }}
@@ -0,0 +1,25 @@
+"use client";
+
+import { useEffect } from "react";
+import { I18nProvider } from "@/components/i18n-provider";
+import { CustomThemeProvider } from "@/components/theme-provider";
+import { Toaster } from "@/components/ui/sonner";
+import { TooltipProvider } from "@/components/ui/tooltip";
+import { WindowDragArea } from "@/components/window-drag-area";
+import { setupLogging } from "@/lib/logger";
+
+export function ClientProviders({ children }: { children: React.ReactNode }) {
+  useEffect(() => {
+    void setupLogging();
+  }, []);
+
+  return (
+    <I18nProvider>
+      <CustomThemeProvider>
+        <WindowDragArea />
+        <TooltipProvider>{children}</TooltipProvider>
+        <Toaster />
+      </CustomThemeProvider>
+    </I18nProvider>
+  );
+}
@@ -69,7 +69,12 @@ export function CloneProfileDialog({
  };

  return (
-    <Dialog open={isOpen} onOpenChange={(open) => !open && onClose()}>
+    <Dialog
+      open={isOpen}
+      onOpenChange={(open) => {
+        if (!open) onClose();
+      }}
+    >
      <DialogContent>
        <DialogHeader>
          <DialogTitle>{t("profileInfo.clone.title")}</DialogTitle>
@@ -80,7 +85,9 @@ export function CloneProfileDialog({
        <Input
          ref={inputRef}
          value={name}
-          onChange={(e) => setName(e.target.value)}
+          onChange={(e) => {
+            setName(e.target.value);
+          }}
          onKeyDown={(e) => {
            if (e.key === "Enter") void handleClone();
          }}
@@ -44,9 +44,15 @@ export function CommercialTrialModal({
    <Dialog open={isOpen}>
      <DialogContent
        className="sm:max-w-md"
-        onEscapeKeyDown={(e) => e.preventDefault()}
-        onPointerDownOutside={(e) => e.preventDefault()}
-        onInteractOutside={(e) => e.preventDefault()}
+        onEscapeKeyDown={(e) => {
+          e.preventDefault();
+        }}
+        onPointerDownOutside={(e) => {
+          e.preventDefault();
+        }}
+        onInteractOutside={(e) => {
+          e.preventDefault();
+        }}
      >
        <DialogHeader>
          <DialogTitle>Commercial Trial Expired</DialogTitle>
@@ -50,12 +50,13 @@ interface CookieCopyDialogProps {
  onCopyComplete?: () => void;
 }

-type SelectionState = {
-  [domain: string]: {
+type SelectionState = Record<
+  string,
+  {
    allSelected: boolean;
    cookies: Set<string>;
-  };
-};
+  }
+>;

 export function CookieCopyDialog({
  isOpen,
@@ -76,11 +77,16 @@ export function CookieCopyDialog({
  );
  const [error, setError] = useState<string | null>(null);

+  // Never offer a selected profile as a source — you can't copy a profile's
+  // cookies onto itself, and including it here would leave the user in a
+  // dead-end state (source picked = target list empty = copy button disabled).
  const eligibleSourceProfiles = useMemo(() => {
    return profiles.filter(
-      (p) => p.browser === "wayfern" || p.browser === "camoufox",
+      (p) =>
+        !selectedProfiles.includes(p.id) &&
+        (p.browser === "wayfern" || p.browser === "camoufox"),
    );
-  }, [profiles]);
+  }, [profiles, selectedProfiles]);

  const targetProfiles = useMemo(() => {
    return profiles.filter(
@@ -109,7 +115,7 @@ export function CookieCopyDialog({
      const domainSelection = selection[domain];
      if (domainSelection.allSelected) {
        const domainData = cookieData?.domains.find((d) => d.domain === domain);
-        count += domainData?.cookie_count || 0;
+        count += domainData?.cookie_count ?? 0;
      } else {
        count += domainSelection.cookies.size;
      }
@@ -147,22 +153,21 @@ export function CookieCopyDialog({
  const toggleDomain = useCallback(
    (domain: string, cookies: UnifiedCookie[]) => {
      setSelection((prev) => {
-        const current = prev[domain];
-        const allSelected = current?.allSelected || false;
-
-        if (allSelected) {
+        // `prev[domain]` is `undefined` for any domain not yet interacted with
+        // and after the user fully deselects it (toggleCookie deletes the
+        // entry on empty). Treat missing as "not selected".
+        if (prev[domain]?.allSelected) {
          const newSelection = { ...prev };
          delete newSelection[domain];
          return newSelection;
-        } else {
-          return {
-            ...prev,
-            [domain]: {
-              allSelected: true,
-              cookies: new Set(cookies.map((c) => c.name)),
-            },
-          };
        }
+        return {
+          ...prev,
+          [domain]: {
+            allSelected: true,
+            cookies: new Set(cookies.map((c) => c.name)),
+          },
+        };
      });
    },
    [],
@@ -171,7 +176,7 @@ export function CookieCopyDialog({
  const toggleCookie = useCallback(
    (domain: string, cookieName: string, totalCookies: number) => {
      setSelection((prev) => {
-        const current = prev[domain] || {
+        const current = prev[domain] ?? {
          allSelected: false,
          cookies: new Set<string>(),
        };
@@ -412,7 +417,9 @@ export function CookieCopyDialog({
                <Input
                  placeholder="Search domains or cookies..."
                  value={searchQuery}
-                  onChange={(e) => setSearchQuery(e.target.value)}
+                  onChange={(e) => {
+                    setSearchQuery(e.target.value);
+                  }}
                  className="pl-8"
                />
              </div>
@@ -500,9 +507,13 @@ function DomainRow({
  onToggleCookie,
  onToggleExpand,
 }: DomainRowProps) {
+  // `selection[domain.domain]` is `undefined` for domains the user hasn't
+  // touched yet (initial state after loading cookies is `{}`) and for any
+  // domain the user fully deselected (toggleCookie deletes the entry on
+  // empty). Default to "no cookies selected" instead of crashing.
  const domainSelection = selection[domain.domain];
-  const isAllSelected = domainSelection?.allSelected || false;
-  const selectedCount = domainSelection?.cookies.size || 0;
+  const isAllSelected = domainSelection?.allSelected ?? false;
+  const selectedCount = domainSelection?.cookies.size ?? 0;
  const isPartial =
    selectedCount > 0 && selectedCount < domain.cookie_count && !isAllSelected;

@@ -511,13 +522,17 @@ function DomainRow({
      <div className="flex items-center gap-2 p-2 hover:bg-accent/50 rounded">
        <Checkbox
          checked={isAllSelected || isPartial}
-          onCheckedChange={() => onToggleDomain(domain.domain, domain.cookies)}
+          onCheckedChange={() => {
+            onToggleDomain(domain.domain, domain.cookies);
+          }}
          className={isPartial ? "opacity-70" : ""}
        />
        <button
          type="button"
          className="flex items-center gap-1 flex-1 text-left bg-transparent border-none cursor-pointer"
-          onClick={() => onToggleExpand(domain.domain)}
+          onClick={() => {
+            onToggleExpand(domain.domain);
+          }}
        >
          {isExpanded ? (
            <LuChevronDown className="w-4 h-4" />
@@ -534,7 +549,7 @@ function DomainRow({
        <div className="ml-8 pl-2 border-l space-y-1">
          {domain.cookies.map((cookie) => {
            const isSelected =
-              domainSelection?.cookies.has(cookie.name) || false;
+              domainSelection?.cookies.has(cookie.name) ?? false;
            return (
              <div
                key={`${domain.domain}-${cookie.name}`}
@@ -542,13 +557,13 @@ function DomainRow({
              >
                <Checkbox
                  checked={isSelected || isAllSelected}
-                  onCheckedChange={() =>
+                  onCheckedChange={() => {
                    onToggleCookie(
                      domain.domain,
                      cookie.name,
                      domain.cookie_count,
-                    )
-                  }
+                    );
+                  }}
                />
                <span className="truncate">{cookie.name}</span>
              </div>
@@ -45,12 +45,13 @@ interface CookieManagementDialogProps {
  initialTab?: "import" | "export";
 }

-type SelectionState = {
-  [domain: string]: {
+type SelectionState = Record<
+  string,
+  {
    allSelected: boolean;
    cookies: Set<string>;
-  };
-};
+  }
+>;

 const countCookies = (content: string): number => {
  const trimmed = content.trim();
@@ -150,7 +151,7 @@ export function CookieManagementDialog({
        const domainData = exportCookieData?.domains.find(
          (d) => d.domain === domain,
        );
-        count += domainData?.cookie_count || 0;
+        count += domainData?.cookie_count ?? 0;
      } else {
        count += ds.cookies.size;
      }
@@ -308,8 +309,11 @@ export function CookieManagementDialog({
  const toggleDomain = useCallback(
    (domain: string, cookies: UnifiedCookie[]) => {
      setExportSelection((prev) => {
-        const current = prev[domain];
-        if (current?.allSelected) {
+        // `prev[domain]` is `undefined` when the domain was previously fully
+        // deselected (entries are deleted on empty — see toggleCookie). Treat
+        // missing as "not selected" so re-enabling falls through to the add
+        // branch instead of crashing on `.allSelected`.
+        if (prev[domain]?.allSelected) {
          const next = { ...prev };
          delete next[domain];
          return next;
@@ -329,7 +333,7 @@ export function CookieManagementDialog({
  const toggleCookie = useCallback(
    (domain: string, cookieName: string, totalCookies: number) => {
      setExportSelection((prev) => {
-        const current = prev[domain] || {
+        const current = prev[domain] ?? {
          allSelected: false,
          cookies: new Set<string>(),
        };
@@ -485,7 +489,9 @@ export function CookieManagementDialog({
              <Label>Format</Label>
              <Select
                value={format}
-                onValueChange={(v) => setFormat(v as "netscape" | "json")}
+                onValueChange={(v) => {
+                  setFormat(v as "netscape" | "json");
+                }}
              >
                <SelectTrigger>
                  <SelectValue />
@@ -589,8 +595,8 @@ function ExportDomainRow({
  onToggleExpand,
 }: ExportDomainRowProps) {
  const domainSelection = selection[domain.domain];
-  const isAllSelected = domainSelection?.allSelected || false;
-  const selectedCount = domainSelection?.cookies.size || 0;
+  const isAllSelected = domainSelection?.allSelected ?? false;
+  const selectedCount = domainSelection?.cookies.size ?? 0;
  const isPartial =
    selectedCount > 0 && selectedCount < domain.cookie_count && !isAllSelected;

@@ -599,13 +605,17 @@ function ExportDomainRow({
      <div className="flex items-center gap-2 p-1.5 hover:bg-accent/50 rounded">
        <Checkbox
          checked={isAllSelected || isPartial}
-          onCheckedChange={() => onToggleDomain(domain.domain, domain.cookies)}
+          onCheckedChange={() => {
+            onToggleDomain(domain.domain, domain.cookies);
+          }}
          className={isPartial ? "opacity-70" : ""}
        />
        <button
          type="button"
          className="flex items-center gap-1 flex-1 text-left text-sm bg-transparent border-none cursor-pointer"
-          onClick={() => onToggleExpand(domain.domain)}
+          onClick={() => {
+            onToggleExpand(domain.domain);
+          }}
        >
          {isExpanded ? (
            <LuChevronDown className="w-3.5 h-3.5" />
@@ -622,7 +632,7 @@ function ExportDomainRow({
        <div className="ml-7 pl-2 border-l space-y-0.5">
          {domain.cookies.map((cookie) => {
            const isSelected =
-              domainSelection?.cookies.has(cookie.name) || false;
+              domainSelection?.cookies.has(cookie.name) ?? false;
            return (
              <div
                key={`${domain.domain}-${cookie.name}`}
@@ -630,13 +640,13 @@ function ExportDomainRow({
              >
                <Checkbox
                  checked={isSelected || isAllSelected}
-                  onCheckedChange={() =>
+                  onCheckedChange={() => {
                    onToggleCookie(
                      domain.domain,
                      cookie.name,
                      domain.cookie_count,
-                    )
-                  }
+                    );
+                  }}
                />
                <span className="truncate">{cookie.name}</span>
              </div>
@@ -80,7 +80,9 @@ export function CreateGroupDialog({
              id="group-name"
              placeholder="Enter group name..."
              value={groupName}
-              onChange={(e) => setGroupName(e.target.value)}
+              onChange={(e) => {
+                setGroupName(e.target.value);
+              }}
              onKeyDown={(e) => {
                if (e.key === "Enter" && groupName.trim()) {
                  void handleCreate();
@@ -84,6 +84,8 @@ interface CreateProfileDialogProps {
    groupId?: string;
    extensionGroupId?: string;
    ephemeral?: boolean;
+    dnsBlocklist?: string;
+    launchHook?: string;
  }) => Promise<void>;
  selectedGroupId?: string;
  crossOsUnlocked?: boolean;
@@ -124,6 +126,8 @@ export function CreateProfileDialog({
    useState<BrowserTypeString | null>(null);
  const [selectedProxyId, setSelectedProxyId] = useState<string>();
  const [proxyPopoverOpen, setProxyPopoverOpen] = useState(false);
+  const [dnsBlocklist, setDnsBlocklist] = useState<string>("");
+  const [launchHook, setLaunchHook] = useState("");

  // Camoufox anti-detect states
  const [camoufoxConfig, setCamoufoxConfig] = useState<CamoufoxConfig>(() => ({
@@ -148,6 +152,7 @@ export function CreateProfileDialog({
    setSelectedBrowser(null);
    setProfileName("");
    setSelectedProxyId(undefined);
+    setLaunchHook("");
  };

  const handleTabChange = (value: string) => {
@@ -156,6 +161,7 @@ export function CreateProfileDialog({
    setSelectedBrowser(null);
    setProfileName("");
    setSelectedProxyId(undefined);
+    setLaunchHook("");
  };

  const [supportedBrowsers, setSupportedBrowsers] = useState<string[]>([]);
@@ -172,11 +178,13 @@ export function CreateProfileDialog({

  useEffect(() => {
    if (isOpen) {
-      invoke<{ id: string; name: string; extension_ids: string[] }[]>(
+      void invoke<{ id: string; name: string; extension_ids: string[] }[]>(
        "list_extension_groups",
      )
        .then(setExtensionGroups)
-        .catch(() => setExtensionGroups([]));
+        .catch(() => {
+          setExtensionGroups([]);
+        });
    }
  }, [isOpen]);
  const [releaseTypes, setReleaseTypes] = useState<BrowserReleaseTypes>();
@@ -393,6 +401,8 @@ export function CreateProfileDialog({
              selectedGroupId !== "default" ? selectedGroupId : undefined,
            extensionGroupId: selectedExtensionGroupId,
            ephemeral,
+            dnsBlocklist: dnsBlocklist || undefined,
+            launchHook: launchHook.trim() || undefined,
          });
        } else {
          // Default to Camoufox
@@ -418,6 +428,8 @@ export function CreateProfileDialog({
              selectedGroupId !== "default" ? selectedGroupId : undefined,
            extensionGroupId: selectedExtensionGroupId,
            ephemeral,
+            dnsBlocklist: dnsBlocklist || undefined,
+            launchHook: launchHook.trim() || undefined,
          });
        }
      } else {
@@ -441,6 +453,8 @@ export function CreateProfileDialog({
          releaseType: bestVersion.releaseType,
          proxyId: selectedProxyId,
          groupId: selectedGroupId !== "default" ? selectedGroupId : undefined,
+          dnsBlocklist: dnsBlocklist || undefined,
+          launchHook: launchHook.trim() || undefined,
        });
      }

@@ -462,6 +476,7 @@ export function CreateProfileDialog({
    setActiveTab("anti-detect");
    setSelectedBrowser(null);
    setSelectedProxyId(undefined);
+    setLaunchHook("");
    setReleaseTypes({});
    setIsLoadingReleaseTypes(false);
    setReleaseTypesError(null);
@@ -553,7 +568,9 @@ export function CreateProfileDialog({
                      <div className="space-y-3 pt-8">
                        {/* Wayfern (Chromium) - First */}
                        <Button
-                          onClick={() => handleBrowserSelect("wayfern")}
+                          onClick={() => {
+                            handleBrowserSelect("wayfern");
+                          }}
                          className="flex gap-3 justify-start items-center p-4 w-full h-16 border-2 transition-colors hover:border-primary/50"
                          variant="outline"
                        >
@@ -577,7 +594,9 @@ export function CreateProfileDialog({

                        {/* Camoufox (Firefox) - Second */}
                        <Button
-                          onClick={() => handleBrowserSelect("camoufox")}
+                          onClick={() => {
+                            handleBrowserSelect("camoufox");
+                          }}
                          className="flex gap-3 justify-start items-center p-4 w-full h-16 border-2 transition-colors hover:border-primary/50"
                          variant="outline"
                        >
@@ -620,9 +639,9 @@ export function CreateProfileDialog({
                            return (
                              <Button
                                key={browser.value}
-                                onClick={() =>
-                                  handleBrowserSelect(browser.value)
-                                }
+                                onClick={() => {
+                                  handleBrowserSelect(browser.value);
+                                }}
                                className="flex gap-3 justify-start items-center p-4 w-full h-16 border-2 transition-colors hover:border-primary/50"
                                variant="outline"
                              >
@@ -657,14 +676,16 @@ export function CreateProfileDialog({
                          <Input
                            id="profile-name"
                            value={profileName}
-                            onChange={(e) => setProfileName(e.target.value)}
+                            onChange={(e) => {
+                              setProfileName(e.target.value);
+                            }}
                            onKeyDown={(e) => {
                              if (
                                e.key === "Enter" &&
                                !isCreateDisabled &&
                                !isCreating
                              ) {
-                                handleCreate();
+                                void handleCreate();
                              }
                            }}
                            placeholder="Enter profile name"
@@ -677,9 +698,9 @@ export function CreateProfileDialog({
                            <Checkbox
                              id="ephemeral"
                              checked={ephemeral}
-                              onCheckedChange={(checked) =>
-                                setEphemeral(checked === true)
-                              }
+                              onCheckedChange={(checked) => {
+                                setEphemeral(checked === true);
+                              }}
                            />
                            <Label htmlFor="ephemeral" className="font-medium">
                              {t("profiles.ephemeral")}
@@ -746,7 +767,9 @@ export function CreateProfileDialog({
                                    })()}
                                  </p>
                                  <LoadingButton
-                                    onClick={() => handleDownload("wayfern")}
+                                    onClick={() => {
+                                      void handleDownload("wayfern");
+                                    }}
                                    isLoading={isBrowserCurrentlyDownloading(
                                      "wayfern",
                                    )}
@@ -848,7 +871,9 @@ export function CreateProfileDialog({
                                    })()}
                                  </p>
                                  <LoadingButton
-                                    onClick={() => handleDownload("camoufox")}
+                                    onClick={() => {
+                                      void handleDownload("camoufox");
+                                    }}
                                    isLoading={isBrowserCurrentlyDownloading(
                                      "camoufox",
                                    )}
@@ -955,9 +980,9 @@ export function CreateProfileDialog({
                                        })()}
                                      </p>
                                      <LoadingButton
-                                        onClick={() =>
-                                          handleDownload(selectedBrowser)
-                                        }
+                                        onClick={() => {
+                                          void handleDownload(selectedBrowser);
+                                        }}
                                        isLoading={isBrowserCurrentlyDownloading(
                                          selectedBrowser,
                                        )}
@@ -1014,7 +1039,9 @@ export function CreateProfileDialog({
                            <RippleButton
                              size="sm"
                              variant="outline"
-                              onClick={() => setShowProxyForm(true)}
+                              onClick={() => {
+                                setShowProxyForm(true);
+                              }}
                              className="px-2 h-7 text-xs"
                            >
                              <GoPlus className="mr-1 w-3 h-3" /> Add Proxy
@@ -1148,17 +1175,71 @@ export function CreateProfileDialog({
                          )}
                        </div>

+                        <div className="space-y-2">
+                          <Label htmlFor="launch-hook-url">
+                            {t("createProfile.launchHook.label")}
+                          </Label>
+                          <Input
+                            id="launch-hook-url"
+                            value={launchHook}
+                            onChange={(e) => {
+                              setLaunchHook(e.target.value);
+                            }}
+                            placeholder={t(
+                              "createProfile.launchHook.placeholder",
+                            )}
+                            disabled={isCreating}
+                          />
+                        </div>
+
+                        {/* DNS Blocklist */}
+                        <div className="space-y-2">
+                          <Label>{t("dnsBlocklist.title")}</Label>
+                          <Select
+                            value={dnsBlocklist || "none"}
+                            onValueChange={(val) => {
+                              setDnsBlocklist(val === "none" ? "" : val);
+                            }}
+                          >
+                            <SelectTrigger>
+                              <SelectValue
+                                placeholder={t("dnsBlocklist.none")}
+                              />
+                            </SelectTrigger>
+                            <SelectContent>
+                              <SelectItem value="none">
+                                {t("dnsBlocklist.none")}
+                              </SelectItem>
+                              <SelectItem value="light">
+                                {t("dnsBlocklist.light")}
+                              </SelectItem>
+                              <SelectItem value="normal">
+                                {t("dnsBlocklist.normal")}
+                              </SelectItem>
+                              <SelectItem value="pro">
+                                {t("dnsBlocklist.pro")}
+                              </SelectItem>
+                              <SelectItem value="pro_plus">
+                                {t("dnsBlocklist.proPlus")}
+                              </SelectItem>
+                              <SelectItem value="ultimate">
+                                {t("dnsBlocklist.ultimate")}
+                              </SelectItem>
+                            </SelectContent>
+                          </Select>
+                        </div>
+
                        {/* Extension Group */}
                        {extensionGroups.length > 0 && (
                          <div className="space-y-2">
                            <Label>{t("extensions.extensionGroup")}</Label>
                            <Select
-                              value={selectedExtensionGroupId || "none"}
-                              onValueChange={(val) =>
+                              value={selectedExtensionGroupId ?? "none"}
+                              onValueChange={(val) => {
                                setSelectedExtensionGroupId(
                                  val === "none" ? undefined : val,
-                                )
-                              }
+                                );
+                              }}
                            >
                              <SelectTrigger>
                                <SelectValue
@@ -1190,14 +1271,16 @@ export function CreateProfileDialog({
                          <Input
                            id="profile-name"
                            value={profileName}
-                            onChange={(e) => setProfileName(e.target.value)}
+                            onChange={(e) => {
+                              setProfileName(e.target.value);
+                            }}
                            onKeyDown={(e) => {
                              if (
                                e.key === "Enter" &&
                                !isCreateDisabled &&
                                !isCreating
                              ) {
-                                handleCreate();
+                                void handleCreate();
                              }
                            }}
                            placeholder="Enter profile name"
@@ -1251,9 +1334,9 @@ export function CreateProfileDialog({
                                      })()}
                                    </p>
                                    <LoadingButton
-                                      onClick={() =>
-                                        handleDownload(selectedBrowser)
-                                      }
+                                      onClick={() => {
+                                        void handleDownload(selectedBrowser);
+                                      }}
                                      isLoading={isBrowserCurrentlyDownloading(
                                        selectedBrowser,
                                      )}
@@ -1305,7 +1388,9 @@ export function CreateProfileDialog({
                            <RippleButton
                              size="sm"
                              variant="outline"
-                              onClick={() => setShowProxyForm(true)}
+                              onClick={() => {
+                                setShowProxyForm(true);
+                              }}
                              className="px-2 h-7 text-xs"
                            >
                              <GoPlus className="mr-1 w-3 h-3" /> Add Proxy
@@ -1438,6 +1523,23 @@ export function CreateProfileDialog({
                            </div>
                          )}
                        </div>
+
+                        <div className="space-y-2">
+                          <Label htmlFor="launch-hook-url-regular">
+                            {t("createProfile.launchHook.label")}
+                          </Label>
+                          <Input
+                            id="launch-hook-url-regular"
+                            value={launchHook}
+                            onChange={(e) => {
+                              setLaunchHook(e.target.value);
+                            }}
+                            placeholder={t(
+                              "createProfile.launchHook.placeholder",
+                            )}
+                            disabled={isCreating}
+                          />
+                        </div>
                      </div>
                    </TabsContent>
                  </>
@@ -1470,7 +1572,9 @@ export function CreateProfileDialog({
      </DialogContent>
      <ProxyFormDialog
        isOpen={showProxyForm}
-        onClose={() => setShowProxyForm(false)}
+        onClose={() => {
+          setShowProxyForm(false);
+        }}
      />
    </Dialog>
  );
@@ -363,15 +363,17 @@ export function UnifiedToast(props: ToastProps) {
          </>
        )}
        {action &&
-          "onClick" in (action as any) &&
-          "label" in (action as any) && (
+          "onClick" in (action as { onClick?: () => void; label?: string }) &&
+          "label" in (action as { onClick?: () => void; label?: string }) && (
            <div className="mt-2 w-full">
              <RippleButton
                size="sm"
                className="ml-auto"
-                onClick={(action as any).onClick}
+                onClick={
+                  (action as { onClick: () => void; label: string }).onClick
+                }
              >
-                {(action as any).label}
+                {(action as { onClick: () => void; label: string }).label}
              </RippleButton>
            </div>
          )}
@@ -40,11 +40,13 @@ function DataTableActionBar<TData>({
      }
    }
    window.addEventListener("keydown", onKeyDown);
-    return () => window.removeEventListener("keydown", onKeyDown);
+    return () => {
+      window.removeEventListener("keydown", onKeyDown);
+    };
  }, [table]);

  const portalContainer =
-    portalContainerProp ?? (mounted ? globalThis.document?.body : null);
+    portalContainerProp ?? (mounted ? globalThis.document.body : null);

  if (!portalContainer) return null;

@@ -2,6 +2,7 @@

 import { invoke } from "@tauri-apps/api/core";
 import { useCallback, useEffect, useState } from "react";
+import { useTranslation } from "react-i18next";
 import { toast } from "sonner";
 import { LoadingButton } from "@/components/loading-button";
 import {
@@ -31,6 +32,7 @@ export function DeleteGroupDialog({
  group,
  onGroupDeleted,
 }: DeleteGroupDialogProps) {
+  const { t } = useTranslation();
  const [associatedProfiles, setAssociatedProfiles] = useState<
    BrowserProfile[]
  >([]);
@@ -148,14 +150,14 @@ export function DeleteGroupDialog({
                    <Label>What should happen to these profiles?</Label>
                    <RadioGroup
                      value={deleteAction}
-                      onValueChange={(value) =>
-                        setDeleteAction(value as "move" | "delete")
-                      }
+                      onValueChange={(value) => {
+                        setDeleteAction(value as "move" | "delete");
+                      }}
                    >
                      <div className="flex items-center space-x-2">
                        <RadioGroupItem value="move" id="move" />
                        <Label htmlFor="move" className="text-sm">
-                          Move profiles to Default group
+                          {t("groups.moveToDefault")}
                        </Label>
                      </div>
                      <div className="flex items-center space-x-2">
@@ -0,0 +1,147 @@
+"use client";
+
+import { invoke } from "@tauri-apps/api/core";
+import { useCallback, useEffect, useState } from "react";
+import { useTranslation } from "react-i18next";
+import { LuRefreshCw } from "react-icons/lu";
+import { Badge } from "@/components/ui/badge";
+import { Button } from "@/components/ui/button";
+import {
+  Dialog,
+  DialogContent,
+  DialogHeader,
+  DialogTitle,
+} from "@/components/ui/dialog";
+
+interface BlocklistCacheStatus {
+  level: string;
+  display_name: string;
+  entry_count: number;
+  file_size_bytes: number;
+  last_updated: number | null;
+  is_fresh: boolean;
+  is_cached: boolean;
+}
+
+interface DnsBlocklistDialogProps {
+  isOpen: boolean;
+  onClose: () => void;
+}
+
+export function DnsBlocklistDialog({
+  isOpen,
+  onClose,
+}: DnsBlocklistDialogProps) {
+  const { t } = useTranslation();
+  const [statuses, setStatuses] = useState<BlocklistCacheStatus[]>([]);
+  const [isRefreshing, setIsRefreshing] = useState(false);
+
+  const loadStatuses = useCallback(async () => {
+    try {
+      const result = await invoke<BlocklistCacheStatus[]>(
+        "get_dns_blocklist_cache_status",
+      );
+      setStatuses(result);
+    } catch (e) {
+      console.error("Failed to load blocklist status:", e);
+    }
+  }, []);
+
+  useEffect(() => {
+    if (isOpen) {
+      void loadStatuses();
+    }
+  }, [isOpen, loadStatuses]);
+
+  const handleRefreshAll = async () => {
+    setIsRefreshing(true);
+    try {
+      await invoke("refresh_dns_blocklists");
+      await loadStatuses();
+    } catch (e) {
+      console.error("Failed to refresh blocklists:", e);
+    } finally {
+      setIsRefreshing(false);
+    }
+  };
+
+  const formatSize = (bytes: number) => {
+    if (bytes < 1024) return `${bytes} B`;
+    if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(1)} KB`;
+    return `${(bytes / (1024 * 1024)).toFixed(1)} MB`;
+  };
+
+  const formatDate = (timestamp: number | null) => {
+    if (!timestamp) return t("dnsBlocklist.notCached");
+    return new Date(timestamp * 1000).toLocaleString();
+  };
+
+  return (
+    <Dialog open={isOpen} onOpenChange={(open) => !open && onClose()}>
+      <DialogContent className="max-w-md">
+        <DialogHeader>
+          <DialogTitle>{t("dnsBlocklist.title")}</DialogTitle>
+        </DialogHeader>
+
+        <p className="text-sm text-muted-foreground">
+          {t("dnsBlocklist.settingsDescription")}
+        </p>
+
+        <div className="space-y-3">
+          {statuses.map((status) => (
+            <div
+              key={status.level}
+              className="flex items-center justify-between rounded-md border border-border p-3"
+            >
+              <div className="space-y-1">
+                <div className="flex items-center gap-2">
+                  <span className="text-sm font-medium">
+                    {status.display_name}
+                  </span>
+                  {status.is_cached ? (
+                    status.is_fresh ? (
+                      <Badge variant="default" className="text-[10px] px-1.5">
+                        {t("dnsBlocklist.fresh")}
+                      </Badge>
+                    ) : (
+                      <Badge variant="secondary" className="text-[10px] px-1.5">
+                        {t("dnsBlocklist.stale")}
+                      </Badge>
+                    )
+                  ) : (
+                    <Badge
+                      variant="outline"
+                      className="text-[10px] px-1.5 text-muted-foreground"
+                    >
+                      {t("dnsBlocklist.notCached")}
+                    </Badge>
+                  )}
+                </div>
+                {status.is_cached && (
+                  <div className="text-xs text-muted-foreground">
+                    {status.entry_count.toLocaleString()}{" "}
+                    {t("dnsBlocklist.domains")} &middot;{" "}
+                    {formatSize(status.file_size_bytes)} &middot;{" "}
+                    {formatDate(status.last_updated)}
+                  </div>
+                )}
+              </div>
+            </div>
+          ))}
+        </div>
+
+        <Button
+          onClick={handleRefreshAll}
+          disabled={isRefreshing}
+          variant="outline"
+          className="w-full"
+        >
+          <LuRefreshCw
+            className={`mr-2 h-4 w-4 ${isRefreshing ? "animate-spin" : ""}`}
+          />
+          {t("dnsBlocklist.refreshAll")}
+        </Button>
+      </DialogContent>
+    </Dialog>
+  );
+}
--- a/Show More
+++ b/Show More