chore: merge Helix to master

chore: Helix Bridge 3.18.0 changelog.
chore: Grunwald Bridge 3.17.0 changelog.
2025-12-10 04:36:43 +00:00 · 2025-02-27 10:36:11 +00:00 · 2025-02-18 23:44:44 +01:00 · 2025-02-18 17:11:46 +01:00 · 2025-02-17 15:43:15 +00:00 · 2025-02-17 15:10:05 +01:00
1257 changed files with 107861 additions and 155316 deletions
--- a/.github/ISSUE_TEMPLATE/general-issue-template.md
+++ b/.github/ISSUE_TEMPLATE/general-issue-template.md
@ -1,41 +0,0 @@
---
-name: General issue template
-about: Template for detailed report of issues
-title: ''
-labels: ''
-assignees: ''
-
---
-
-Issue tracker is ONLY used for reporting bugs with technical details. "It doesn't work" or new features should be discussed with our customer support. Please use bug report function in Bridge or contact bridge@protonmail.ch.
-<!--- Provide a general summary of the issue in the Title above -->
-
-## Expected Behavior
-<!--- Tell us what should happen -->
-
-## Current Behavior
-<!--- Tell us what happens instead of the expected behavior -->
-
-## Possible Solution
-<!--- Not obligatory, but suggest a fix/reason for the bug, -->
-
-## Steps to Reproduce
-<!--- Provide a link to a live example, or an unambiguous set of steps to -->
-<!--- reproduce this bug. Include code to reproduce, if relevant -->
-1.
-2.
-3.
-4.
-
-## Version Information
-<!--- Which version of the app(s) were you using when you experienced this issue? -->
-
-## Context (Environment)
-<!--- How has this issue affected you? What are you trying to accomplish? -->
-<!--- Providing context helps us come up with a solution that is most useful in the real world -->
-
-## Detailed Description
-<!--- Provide a detailed description of the change or addition you are proposing -->
-
-## Possible Implementation
-<!--- Not obligatory, but suggest an idea for implementing addition or change -->
--- a/.gitignore
+++ b/.gitignore
@ -6,6 +6,8 @@
 .*.sw?
 *~
 .idea
+.vscode
+.vs

 # Test files
 godog.test
@ -34,9 +36,15 @@ cmd/Import-Export/deploy
 proton-bridge
 cmd/Desktop-Bridge/*.exe
 cmd/launcher/*.exe
+bin/
+obj/

 # Jetbrains (CLion, Golang) cmake build dirs
 cmake-build-*/

 # Doxygen doc files
 _doc/
+
+# gRPC auto-generated C++ source files
+*.pb.cc
+*.pb.h
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -16,295 +16,35 @@
 # along with ProtonMail Bridge.  If not, see <https://www.gnu.org/licenses/>.

 ---
-image: gitlab.protontech.ch:4567/go/bridge-internal:go18
+default:
+  tags:
+    - shared-small
+
+variables:
+  GOPRIVATE: gitlab.protontech.ch
+  GOMAXPROCS: $(( ${CI_TAG_CPU} / 2 ))

 before_script:
-  - eval $(ssh-agent -s)
-  - echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add - > /dev/null
-  - mkdir -p .cache/bin
-  - export PATH=$(pwd)/.cache/bin:$PATH
-  - export GOPATH="$CI_PROJECT_DIR/.cache"
-  - make install-dev-dependencies
-  - git checkout .
-
-cache:
-  key: go18-mod
-  paths:
-    - .cache
-  policy: pull
+  - |
+    if [ "$CI_JOB_NAME" != "grype-scan-code-dependencies" ]; then
+      apt update && apt-get -y install libsecret-1-dev
+      git config --global url.https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}.insteadOf https://${CI_SERVER_HOST}
+    fi

 stages:
-  - cache
+  - analyse
  - test
+  - report
  - build
-  - check
-  - mirror

+include:
+  - local: ci/setup.yml
+  - local: ci/rules.yml
+  - local: ci/env.yml
+  - local: ci/test.yml
+  - local: ci/report.yml
+  - local: ci/build.yml
+  - component: gitlab.protontech.ch/proton/devops/cicd-components/kits/devsecops/go@~latest
+    inputs:
+      stage: analyse

-.rules-branch-and-MR-always:
-  rules:
-    - if: $CI_COMMIT_BRANCH ||  $CI_PIPELINE_SOURCE == "merge_request_event"
-      when: always
-      allow_failure: false
-    - when: never
-
-.rules-branch-and-MR-manual:
-  rules:
-    - if: $CI_COMMIT_BRANCH ||  $CI_PIPELINE_SOURCE == "merge_request_event"
-      when: manual
-      allow_failure: true
-    - when: never
-
-.rules-branch-manual-MR-always:
-  rules:
-    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
-      when: always
-      allow_failure: false
-    - if: $CI_COMMIT_BRANCH
-      when: manual
-      allow_failure: true
-    - when: never
-
-# Stage: CACHE
-
-# This will ensure latest dependency versions and updates the cache for
-# all other following jobs which only pull the cache.
-cache-push:
-  stage: cache
-  extends:
-    - .rules-branch-and-MR-always
-  script:
-    - echo ""
-  cache:
-    key: go18-mod
-    paths:
-      - .cache
-
-# Stage: TEST
-
-lint:
-  stage: test
-  extends:
-    - .rules-branch-and-MR-always
-  before_script:
-    - mkdir -p .cache/bin
-    - export PATH=$(pwd)/.cache/bin:$PATH
-    - export GOPATH="$CI_PROJECT_DIR/.cache"
-  script:
-    - env GOMAXPROCS=$(( ${CI_TAG_CPU} / 2 )) make lint
-  tags:
-    - medium
-
-test-linux:
-  stage: test
-  extends:
-    - .rules-branch-manual-MR-always
-  script:
-    - apt-get -y install pass gnupg rng-tools
-    # First have enough of entropy (cat /proc/sys/kernel/random/entropy_avail).
-    - rngd -r /dev/urandom
-    # Generate GPG key without password for the password manager.
-    - gpg --batch --yes --passphrase '' --quick-generate-key 'tester@example.com'
-    # Use the last created GPG ID for the password manager.
-    - pass init `gpg --list-keys | grep "^   " | tail -1 | tr -d '[:space:]'`
-    # Then finally run the tests
-    - make test
-  tags:
-    - medium
-
-test-windows:
-  extends:
-    - .build-windows-base
-    - .rules-branch-and-MR-always
-  stage: test
-  needs: []
-  script:
-    - make test
-
-test-integration:
-  stage: test
-  extends:
-    - .rules-branch-manual-MR-always
-  script:
-    - VERBOSITY=debug make -C test test
-  tags:
-    - large
-
-dependency-updates:
-  stage: test
-  script:
-    - make updates
-
-# Stage: BUILD
-
-.build-base:
-  stage: build
-  needs: ["lint"]
-  rules:
-    # GODT-1833: use `=~ /qa/` after mac and windows runners are fixed
-    - if: $CI_JOB_NAME =~ /build-linux-qa/  && $CI_PIPELINE_SOURCE == "merge_request_event"
-      when: always
-      allow_failure: false
-    - if: $CI_COMMIT_BRANCH || $CI_PIPELINE_SOURCE == "merge_request_event"
-      when: manual
-      allow_failure: true
-    - when: never
-  before_script:
-    - mkdir -p .cache/bin
-    - export PATH=$(pwd)/.cache/bin:$PATH
-    - export GOPATH="$CI_PROJECT_DIR/.cache"
-    - export PATH=$PATH:$QT6DIR/bin
-  script:
-    - make build
-    - git diff && git diff-index --quiet HEAD
-  artifacts:
-    # Note: The latest artifacts for refs are locked against deletion, and kept
-    # regardless of the expiry time. Introduced in GitLab 13.0 behind a
-    # disabled feature flag, and made the default behavior in GitLab 13.4.
-    expire_in: 1 day
-    when: always
-    paths:
-      - bridge_*.tgz
-  tags:
-    - large
-
-build-linux:
-  extends: .build-base
-  image: gitlab.protontech.ch:4567/go/bridge-internal:qt6
-  variables:
-    VCPKG_DEFAULT_BINARY_CACHE: ${CI_PROJECT_DIR}/.cache
-  cache:
-    key: linux-vcpkg
-    paths:
-      - .cache
-    when: 'always'
-  artifacts:
-    name: "bridge-linux-$CI_COMMIT_SHORT_SHA"
-
-build-linux-qa:
-  extends: build-linux
-  variables:
-    BUILD_TAGS: "build_qa"
-  artifacts:
-    name: "bridge-linux-qa-$CI_COMMIT_SHORT_SHA"
-
-
-.build-darwin-base:
-  extends: .build-base
-  before_script:
-    - export PATH=/usr/local/bin:$PATH
-    - export PATH=/usr/local/opt/git/bin:$PATH
-    - export PATH=/usr/local/opt/make/libexec/gnubin:$PATH
-    - export PATH=/usr/local/opt/go@1.13/bin:$PATH
-    - export PATH=/usr/local/opt/gnu-sed/libexec/gnubin:$PATH
-    - export GOPATH=~/go
-    - export PATH=$GOPATH/bin:$PATH
-    - export CGO_CPPFLAGS='-Wno-error -Wno-nullability-completeness -Wno-expansion-to-defined -Wno-builtin-requires-header'
-  script:
-    - go version
-    - make build
-    - git diff && git diff-index --quiet HEAD
-  cache: {}
-  tags:
-    - macOS
-
-build-darwin:
-  extends: .build-darwin-base
-  artifacts:
-    name: "bridge-darwin-$CI_COMMIT_SHORT_SHA"
-
-build-darwin-qa:
-  extends: .build-darwin-base
-  variables:
-    BUILD_TAGS: "build_qa"
-  artifacts:
-    name: "bridge-darwin-qa-$CI_COMMIT_SHORT_SHA"
-
-
-.build-windows-base:
-  extends: .build-base
-  before_script:
-    - export GOROOT=/c/Go1.18/
-    - export PATH=$GOROOT/bin:$PATH
-    - export GOARCH=amd64
-    - export GOPATH=~/go18
-    - export GO111MODULE=on
-    - export PATH="${GOPATH}/bin:${PATH}"
-    - export MSYSTEM=
-    - export QT6DIR=/c/grrrQt/6.3.1/msvc2019_64
-    - export PATH=$PATH:${QT6DIR}/bin
-    - export PATH="/c/Program Files/Microsoft Visual Studio/2022/Community/Common7/IDE/CommonExtensions/Microsoft/CMake/CMake/bin:$PATH"
-  script:
-    - make build
-    - git diff && git diff-index --quiet HEAD
-  tags:
-    - windows-bridge
-
-build-windows:
-  extends: .build-windows-base
-  artifacts:
-    name: "bridge-windows-$CI_COMMIT_SHORT_SHA"
-
-build-windows-qa:
-  extends: .build-windows-base
-  variables:
-    BUILD_TAGS: "build_qa"
-  artifacts:
-    name: "bridge-windows-qa-$CI_COMMIT_SHORT_SHA"
-
-# Stage: CHECK
-
-check-gobinsec:
-  stage: check
-  needs: ["build-linux-qa"]
-  extends:
-    - .rules-branch-manual-MR-always
-  cache:
-    key: gobinsec-cache-v3
-    paths:
-      - ./gobinsec-cache-valid.yml
-    policy: pull-push
-  before_script:
-    - mkdir build
-    - tar -xzf bridge_linux_*.tgz -C build
-    - "[ ! -f ./gobinsec-cache-valid.yml ] && wget bridgeteam.protontech.ch/bridgeteam/gobinsec-cache-valid.yml"
-    - mv ./gobinsec-cache-valid.yml ./utils/gobinsec_update/gobinsec-cache-valid.yml
-  script:
-    - ./utils/gobinsec_update.sh
-    - cp ./utils/gobinsec_update/gobinsec-cache-valid.yml ./gobinsec-cache.yml
-    - cat ./gobinsec-cache.yml
-    - gobinsec -wait -cache -config utils/gobinsec_conf.yml build/bridge
-    - cp ./gobinsec-cache.yml ./gobinsec-cache-valid.yml   # Only update cache file if gobinsec succeeds
-
-
-
-# Stage: MIRROR
-
-mirror-repo:
-  stage: mirror
-  only:
-    refs:
-      - master
-  script:
-    - |
-      cat <<EOF > ~/.ssh/config
-      Host github.com
-          Hostname ssh.github.com
-          User git
-          Port 443
-          ProxyCommand connect-proxy -H $http_proxy %h %p
-      EOF
-    - ssh-keyscan -t rsa ${CI_SERVER_HOST} > ~/.ssh/known_hosts
-    - |
-      cat <<EOF >> ~/.ssh/known_hosts
-      # ssh.github.com:443 SSH-2.0-babeld-2e9d163d
-      [ssh.github.com]:443 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
-      EOF
-    - echo "$mirror_key" | tr -d '\r' | ssh-add - > /dev/null
-    - ssh-add -l
-    - git clone "$CI_REPOSITORY_URL" --branch master _REPO_CLONE;
-    - cd _REPO_CLONE
-    - git remote add public $mirror_url
-    - git push public master
-    # Pushing the latest tag from master history
-    - git push public "$(git describe --tags --abbrev=0 || echo master)"
--- a/.gitlab/CODEOWNERS
+++ b/.gitlab/CODEOWNERS
@ -0,0 +1 @@
+* @go/bridge-ppl/devs
--- a/.golangci.yml
+++ b/.golangci.yml
@ -2,11 +2,12 @@
 run:
  timeout: 10m
  skip-dirs:
-    - pkg/mime
-    - extern

 issues:
  exclude-use-default: false
+  exclude-dirs:
+    - pkg/mime
+    - extern
  exclude:
    - Using the variable on range scope `tt` in function literal
    # For now we are missing a lot of comments.
@ -15,15 +16,35 @@ issues:
    - at least one file in a package should have a package comment
    # Package comments.
    - "package-comments: should have a package comment"
+    # Migration uses underscores to make versions clearer.
+    - "var-naming: don't use underscores in Go names"
+    - "ST1003: should not use underscores in Go names"

  exclude-rules:
    - path: _test\.go
      linters:
        - dupl
-        - funlen
        - gochecknoglobals
        - gochecknoinits
        - gosec
+        - goconst
+        - dogsled
+    - path: test
+      linters:
+        - dupl
+        - gochecknoglobals
+        - gochecknoinits
+        - gosec
+        - goconst
+        - dogsled
+    - path: utils/smtp-send
+      linters:
+        - dupl
+        - gochecknoglobals
+        - gochecknoinits
+        - gosec
+        - goconst
+        - dogsled

 linters-settings:
  godox:
@ -36,21 +57,17 @@ linters:
  disable-all: true

  enable:
-    - deadcode          # Finds unused code [fast: true, auto-fix: false]
    - errcheck          # Errcheck is a program for checking for unchecked errors in go programs. These unchecked errors can be critical bugs in some cases [fast: true, auto-fix: false]
    - gosimple          # Linter for Go source code that specializes in simplifying a code [fast: true, auto-fix: false]
    - govet             # Vet examines Go source code and reports suspicious constructs, such as Printf calls whose arguments do not align with the format string [fast: true, auto-fix: false]
    - ineffassign       # Detects when assignments to existing variables are not used [fast: true, auto-fix: false]
    - staticcheck       # Staticcheck is a go vet on steroids, applying a ton of static analysis checks [fast: true, auto-fix: false]
-    - structcheck       # Finds unused struct fields [fast: true, auto-fix: false]
    - typecheck         # Like the front-end of a Go compiler, parses and type-checks Go code [fast: true, auto-fix: false]
    - unused            # Checks Go code for unused constants, variables, functions and types [fast: false, auto-fix: false]
-    - varcheck          # Finds unused global variables and constants [fast: true, auto-fix: false]
    - bodyclose         # checks whether HTTP response body is closed successfully [fast: true, auto-fix: false]
-    - depguard          # Go linter that checks if package imports are in a list of acceptable packages [fast: true, auto-fix: false]
+    #- depguard          # Go linter that checks if package imports are in a list of acceptable packages [fast: true, auto-fix: false]
    - dogsled           # Checks assignments with too many blank identifiers (e.g. x, _, _, _, := f()) [fast: true, auto-fix: false]
    - dupl              # Tool for code clone detection [fast: true, auto-fix: false]
-    - funlen            # Tool for detection of long functions [fast: true, auto-fix: false]
    - gochecknoglobals  # Checks that no globals are present in Go code [fast: true, auto-fix: false]
    - gochecknoinits    # Checks that no init functions are present in Go code [fast: true, auto-fix: false]
    - goconst           # Finds repeated strings that could be replaced by a constant [fast: true, auto-fix: false]
@ -70,7 +87,7 @@ linters:
    - asciicheck        # Simple linter to check that your code does not contain non-ASCII identifiers [fast: true, auto-fix: false]
    - durationcheck     # check for two durations multiplied together [fast: false, auto-fix: false]
    - exhaustive        # check exhaustiveness of enum switch statements [fast: false, auto-fix: false]
-    - exportloopref     # checks for pointers to enclosing loop variables [fast: false, auto-fix: false]
+    - copyloopvar       # detects places where loop variables are copied.
    - forcetypeassert   # finds forced type assertions [fast: true, auto-fix: false]
    - godot             # Check if comments end in a period [fast: true, auto-fix: true]
    - goheader          # Checks is file header matches to pattern [fast: true, auto-fix: false]
@ -108,3 +125,8 @@ linters:
    # - testpackage       # linter that makes you use a separate _test package [fast: true, auto-fix: false]
    # - thelper           # thelper detects golang test helpers without t.Helper() call and checks the consistency of test helpers [fast: false, auto-fix: false]
    # - wrapcheck         # Checks that errors returned from external packages are wrapped [fast: false, auto-fix: false]
+
+    # Deprecated:
+    # - structcheck       # Finds unused struct fields [fast: true, auto-fix: false] deprecated (since v1.49.0) due to: The owner seems to have abandoned the linter. Replaced by unused.
+    # - deadcode          # Finds unused code [fast: true, auto-fix: false] deprecated (since v1.49.0) due to: The owner seems to have abandoned the linter. Replaced by unused.
+    # - varcheck          # Finds unused global variables and constants [fast: true, auto-fix: false] deprecated (since v1.49.0) due to: The owner seems to have abandoned the linter. Replaced by unused.
--- a/.grype.yaml
+++ b/.grype.yaml
@ -0,0 +1,2 @@
+# Check out for configuration details: https://github.com/anchore/grype?tab=readme-ov-file#configuration
+fail-on-severity: "medium"
--- a/BUILDS.md
+++ b/BUILDS.md
@ -3,20 +3,23 @@
 ## Prerequisites
 * 64-bit OS:
    - the go-rfc5322 module cannot currently be compiled for 32-bit OSes
-* Go 1.18
+* Go 1.23.4
 * Bash with basic build utils: make, gcc, sed, find, grep, ...
-  - For Windows it is recommended to use MinGW 64bit shell from [MSYS2](https://www.msys2.org/)
-* GCC (linux), msvc (windows) or Xcode (macOS)
-* Windres (windows)
-* libglvnd and libsecret development files (linux)
+  - For Windows, it is recommended to use MinGW 64bit shell from [MSYS2](https://www.msys2.org/)
+* GCC (Linux), msvc (Windows) or Xcode (macOS)
+* Windres (Windows)
+* libglvnd and libsecret development files (Linux)
+* pkg-config (Linux)
+* cmake, ninja-build and Qt 6.4.3 are required to build the graphical user interface. On Linux, 
+the Mesa OpenGL development files are also needed.

 To enable the sending of crash reports using Sentry please set the
-`main.DSNSentry` value with the client key of your sentry project before build.
+`DSN_SENTRY` environment variable with the client key of your sentry project before build.
 Otherwise, the sending of crash reports will be disabled.

 ## Build
 In order to build Bridge app with Qt interface we are using
-[Qt 6.3](https://doc.qt.io/qt-6/gettingstarted.html).
+[Qt 6.4.3](https://doc.qt.io/qt-6/gettingstarted.html).

 Please note that qmake path must be in your `PATH` to ensure Qt to be found.
 Also, before you start build **on Windows**, please unset the `MSYSTEM` variable
@ -44,9 +47,10 @@ make build
 make build-nogui
 ```

-* Bridge without GUI will start by default without any interface (i.e., there is no way to add or remove client, get bridge password, etc)
-* Bridge always has the option (whether built with Qt or without) to use a CLI interface by starting it with the argument `-c`
-* NOTE: You still need to setup supported keychain on your system
+* To launch Bridge without GUI, you can invoke the `bridge` executable with one the following command-line switches:
+  * `--noninteractive` or `-n` to start Bridge without any interface (i.e., there is no way to add or remove client, get bridge password, etc.)
+  * `--cli` or `-c` to start Bridge with an interactive terminal interface.
+* NOTE: You still need to set up a supported keychain on your system.

 ## Launchers
 Launchers are only included in official distributions and provide the public
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -1,10 +1,78 @@
-# Contribution Policy
+# Contributing guidelines
+
+The following document describes how to contribute to the project. In this context, contribution does not only mean code contribution but also reporting issues, requesting new features, or just asking for help.
+
+## Reporting issues
+
+In case you experience issues while using the application, our request is to contact Proton customer support directly.
+
+The benefits of using Proton customer support are
+
+- Available 24/7/365.
+- Provides priority support based on subscription type.
+- Will escalate the issue to the developers every time it becomes too technical or they do not know the answer to a question.
+- Easier to detect systematic issues by connecting similar reports.
+- Possible to quickly derive frequency of an issue.
+- Can assist you to transfer sensitive information safely to us.
+
+To speed up the communication with customer support, consider the following:
+
+- Whenever is possible, use the in-app bug report feature. It provides an application specific guide compared to using the generic report form on web.
+- Whenever is possible, proactively attach logs to your report. Reporting an issue from the application can help you in that.
+- Check whether your system is officially supported by Proton, including the source of the installer. We cannot provide help when the application is packaged by a third party or when the application is used on systems that we do not prepare to support.
+- If your report is a feature request, see the Feature request section. In case it is an issue related to application security, see the Security vulnerabilities section.
+
+In the past, we used GitHub issue tracker for more technical issues in parallel to Proton customer support, but we run into limitations with this approach:
+
+- Monitoring GitHub issue tracker took development time as it was managed by the development team.
+- It made issue frequency tracking challenging because we did not have a single point of entry for issues.
+- Users were confused what technical issue means, and used the GitHub issue tracker for feature requests, or non-technical discussions.
+- Users sometimes shared sensitive data through the GitHub issue tracker.
+
+For the above reasons, we do not use GitHub issue tracker anymore but ask you to contact our customer support in case you run into a problem.
+
+### Security vulnerabilities
+
+Proton runs a bug bounty program for security vulnerabilities. They differ from normal bug reports in the following ways:
+
+- These reports go directly to our security team.
+- They expect deeper explanation of the issue.
+- Depending on the finding, they may be financially rewarded.
+
+More information about the program can be found [here](https://proton.me/security/bug-bounty).
+
+## Feature requests
+
+What someone considers as a bug is sometimes a feature, and sometimes, a missing feature is considered as a bug. Instead of reporting feature requests as bugs, we setup a UserVoice page to allow our users to share their preferences. UserVoice also makes it possible to vote on other feature requests, making the community preference public.
+
+Our product team frequently monitors UserVoice, and the features listed there are taken into account in our planning.
+
+Examples for UserVoice requests:
+
+- Extending the officially supported environments (e.g., operating systems, clients, or computer architectures).
+- Requesting new features.
+- Integration with non-Proton services.
+
+UserVoice is available [here](https://protonmail.uservoice.com/).
+
+## Asking for help
+
+The best ways to get answer for generic questions or to get help with setting up the system is to interact with our active community on [Reddit](https://reddit.com/r/ProtonMail/) or to contact customer support.
+
+## Code contribution
+
+We are grateful if you can contribute directly with code. In that case there is nothing else to do than to open a pull request.
+
+The following is worthwhile noting
+
+- The project is primarily developed on an internal repository, and the one on GitHub is only a mirror of it. For that reason, the merge request will not be merged on GitHub but added to the project internally. We are keeping the original author in the change set to respect the contribution.
+- The application is used on numerous platforms and by many third party clients. To have higher chance your change to be accepted, consider all supported dependencies.
+- Give detailed description of the issue, preferably with test steps to reproduce the original issue, and to verify the fix. It is even better if you also extend the automated tests.
+
+### Contribution policy

 By making a contribution to this project:

-1.  I assign any and all copyright related to the contribution to Proton AG;
-2.  I certify that the contribution was created in whole by me;
-3.  I understand and agree that this project and the contribution are public
-    and that a record of the contribution (including all personal information I
-    submit with it) is maintained indefinitely and may be redistributed with
-    this project or the open source license(s) involved.
+1. You assign any and all copyright related to the contribution to Proton AG;
+2. You certify that the contribution was created in whole by you;
+3. You understand and agree that this project and the contribution are public and that a record of the contribution (including all personal information you submit with it) is maintained indefinitely and may be redistributed with this project or the open source license(s) involved.
--- a/COPYING_NOTES.md
+++ b/COPYING_NOTES.md
@ -23,12 +23,9 @@ Proton Mail Bridge includes the following 3rd party software:
 <!-- START AUTOGEN -->
 * [notificator](https://github.com/0xAX/notificator) available under [license](https://github.com/0xAX/notificator/blob/master/LICENSE) 
 * [semver](https://github.com/Masterminds/semver/v3) available under [license](https://github.com/Masterminds/semver/v3/blob/master/LICENSE) 
+* [gluon](https://github.com/ProtonMail/gluon) available under [license](https://github.com/ProtonMail/gluon/blob/master/LICENSE) 
 * [go-autostart](https://github.com/ProtonMail/go-autostart) available under [license](https://github.com/ProtonMail/go-autostart/blob/master/LICENSE) 
-* [go-crypto](https://github.com/ProtonMail/go-crypto) available under [license](https://github.com/ProtonMail/go-crypto/blob/master/LICENSE) 
-* [go-imap-id](https://github.com/ProtonMail/go-imap-id) available under [license](https://github.com/ProtonMail/go-imap-id/blob/master/LICENSE) 
-* [go-rfc5322](https://github.com/ProtonMail/go-rfc5322) available under [license](https://github.com/ProtonMail/go-rfc5322/blob/master/LICENSE) 
-* [go-srp](https://github.com/ProtonMail/go-srp) available under [license](https://github.com/ProtonMail/go-srp/blob/master/LICENSE) 
-* [go-vcard](https://github.com/ProtonMail/go-vcard) available under [license](https://github.com/ProtonMail/go-vcard/blob/master/LICENSE) 
+* [go-proton-api](https://github.com/ProtonMail/go-proton-api) available under [license](https://github.com/ProtonMail/go-proton-api/blob/master/LICENSE) 
 * [gopenpgp](https://github.com/ProtonMail/gopenpgp/v2) available under [license](https://github.com/ProtonMail/gopenpgp/v2/blob/master/LICENSE) 
 * [goquery](https://github.com/PuerkitoBio/goquery) available under [license](https://github.com/PuerkitoBio/goquery/blob/master/LICENSE) 
 * [ishell](https://github.com/abiosoft/ishell) available under [license](https://github.com/abiosoft/ishell/blob/master/LICENSE) 
@ -39,14 +36,11 @@ Proton Mail Bridge includes the following 3rd party software:
 * [docker-credential-helpers](https://github.com/docker/docker-credential-helpers) available under [license](https://github.com/docker/docker-credential-helpers/blob/master/LICENSE) 
 * [go-sysinfo](https://github.com/elastic/go-sysinfo) available under [license](https://github.com/elastic/go-sysinfo/blob/master/LICENSE) 
 * [go-imap](https://github.com/emersion/go-imap) available under [license](https://github.com/emersion/go-imap/blob/master/LICENSE) 
-* [go-imap-appendlimit](https://github.com/emersion/go-imap-appendlimit) available under [license](https://github.com/emersion/go-imap-appendlimit/blob/master/LICENSE) 
-* [go-imap-move](https://github.com/emersion/go-imap-move) available under [license](https://github.com/emersion/go-imap-move/blob/master/LICENSE) 
-* [go-imap-quota](https://github.com/emersion/go-imap-quota) available under [license](https://github.com/emersion/go-imap-quota/blob/master/LICENSE) 
-* [go-imap-unselect](https://github.com/emersion/go-imap-unselect) available under [license](https://github.com/emersion/go-imap-unselect/blob/master/LICENSE) 
+* [go-imap-id](https://github.com/emersion/go-imap-id) available under [license](https://github.com/emersion/go-imap-id/blob/master/LICENSE) 
 * [go-message](https://github.com/emersion/go-message) available under [license](https://github.com/emersion/go-message/blob/master/LICENSE) 
 * [go-sasl](https://github.com/emersion/go-sasl) available under [license](https://github.com/emersion/go-sasl/blob/master/LICENSE) 
 * [go-smtp](https://github.com/emersion/go-smtp) available under [license](https://github.com/emersion/go-smtp/blob/master/LICENSE) 
-* [go-textwrapper](https://github.com/emersion/go-textwrapper) available under [license](https://github.com/emersion/go-textwrapper/blob/master/LICENSE) 
+* [go-vcard](https://github.com/emersion/go-vcard) available under [license](https://github.com/emersion/go-vcard/blob/master/LICENSE) 
 * [color](https://github.com/fatih/color) available under [license](https://github.com/fatih/color/blob/master/LICENSE) 
 * [sentry-go](https://github.com/getsentry/sentry-go) available under [license](https://github.com/getsentry/sentry-go/blob/master/LICENSE) 
 * [resty](https://github.com/go-resty/resty/v2) available under [license](https://github.com/go-resty/resty/v2/blob/master/LICENSE) 
@ -56,29 +50,36 @@ Proton Mail Bridge includes the following 3rd party software:
 * [uuid](https://github.com/google/uuid) available under [license](https://github.com/google/uuid/blob/master/LICENSE) 
 * [go-multierror](https://github.com/hashicorp/go-multierror) available under [license](https://github.com/hashicorp/go-multierror/blob/master/LICENSE) 
 * [html2text](https://github.com/jaytaylor/html2text) available under [license](https://github.com/jaytaylor/html2text/blob/master/LICENSE) 
+* [go-locale](https://github.com/jeandeaual/go-locale) available under [license](https://github.com/jeandeaual/go-locale/blob/master/LICENSE) 
 * [go-keychain](https://github.com/keybase/go-keychain) available under [license](https://github.com/keybase/go-keychain/blob/master/LICENSE) 
-* [aurora](https://github.com/logrusorgru/aurora) available under [license](https://github.com/logrusorgru/aurora/blob/master/LICENSE) 
 * [dns](https://github.com/miekg/dns) available under [license](https://github.com/miekg/dns/blob/master/LICENSE) 
-* [jsondiff](https://github.com/nsf/jsondiff) available under [license](https://github.com/nsf/jsondiff/blob/master/LICENSE) 
+* [memory](https://github.com/pbnjay/memory) available under [license](https://github.com/pbnjay/memory/blob/master/LICENSE) 
 * [errors](https://github.com/pkg/errors) available under [license](https://github.com/pkg/errors/blob/master/LICENSE) 
-* [du](https://github.com/ricochet2200/go-disk-usage/du) available under [license](https://github.com/ricochet2200/go-disk-usage/du/blob/master/LICENSE) 
+* [profile](https://github.com/pkg/profile) available under [license](https://github.com/pkg/profile/blob/master/LICENSE) 
 * [logrus](https://github.com/sirupsen/logrus) available under [license](https://github.com/sirupsen/logrus/blob/master/LICENSE) 
 * [testify](https://github.com/stretchr/testify) available under [license](https://github.com/stretchr/testify/blob/master/LICENSE) 
 * [cli](https://github.com/urfave/cli/v2) available under [license](https://github.com/urfave/cli/v2/blob/master/LICENSE) 
 * [msgpack](https://github.com/vmihailenco/msgpack/v5) available under [license](https://github.com/vmihailenco/msgpack/v5/blob/master/LICENSE) 
-* [bbolt](https://go.etcd.io/bbolt) available under [license](https://github.com/etcd-io/bbolt/blob/master/LICENSE) 
+* [goleak](https://go.uber.org/goleak) available under [license](https://pkg.go.dev/go.uber.org/goleak?tab=licenses) 
 * [exp](https://golang.org/x/exp) available under [license](https://cs.opensource.google/go/x/exp/+/master:LICENSE) 
 * [net](https://golang.org/x/net) available under [license](https://cs.opensource.google/go/x/net/+/master:LICENSE) 
+* [oauth2](https://golang.org/x/oauth2) available under [license](https://cs.opensource.google/go/x/oauth2/+/master:LICENSE) 
 * [sys](https://golang.org/x/sys) available under [license](https://cs.opensource.google/go/x/sys/+/master:LICENSE) 
 * [text](https://golang.org/x/text) available under [license](https://cs.opensource.google/go/x/text/+/master:LICENSE) 
+* [api](https://google.golang.org/api) available under [license](https://pkg.go.dev/google.golang.org/api?tab=licenses) 
 * [grpc](https://google.golang.org/grpc) available under [license](https://github.com/grpc/grpc-go/blob/master/LICENSE) 
 * [protobuf](https://google.golang.org/protobuf) available under [license](https://github.com/protocolbuffers/protobuf/blob/main/LICENSE) 
 * [plist](https://howett.net/plist) available under [license](https://github.com/DHowett/go-plist/blob/main/LICENSE) 
+* [compute](https://cloud.google.com/go/compute) available under [license](https://pkg.go.dev/cloud.google.com/go/compute?tab=licenses) 
+* [metadata](https://cloud.google.com/go/compute/metadata) available under [license](https://pkg.go.dev/cloud.google.com/go/compute/metadata?tab=licenses) 
 * [bcrypt](https://github.com/ProtonMail/bcrypt) available under [license](https://github.com/ProtonMail/bcrypt/blob/master/LICENSE) 
+* [go-crypto](https://github.com/ProtonMail/go-crypto) available under [license](https://github.com/ProtonMail/go-crypto/blob/master/LICENSE) 
 * [go-mime](https://github.com/ProtonMail/go-mime) available under [license](https://github.com/ProtonMail/go-mime/blob/master/LICENSE) 
+* [go-srp](https://github.com/ProtonMail/go-srp) available under [license](https://github.com/ProtonMail/go-srp/blob/master/LICENSE) 
 * [readline](https://github.com/abiosoft/readline) available under [license](https://github.com/abiosoft/readline/blob/master/LICENSE) 
 * [cascadia](https://github.com/andybalholm/cascadia) available under [license](https://github.com/andybalholm/cascadia/blob/master/LICENSE) 
-* [antlr](https://github.com/antlr/antlr4/runtime/Go/antlr) available under [license](https://github.com/antlr/antlr4/runtime/Go/antlr/blob/master/LICENSE) 
+* [sonic](https://github.com/bytedance/sonic) available under [license](https://github.com/bytedance/sonic/blob/master/LICENSE) 
+* [base64x](https://github.com/chenzhuoyu/base64x) available under [license](https://github.com/chenzhuoyu/base64x/blob/master/LICENSE) 
 * [test](https://github.com/chzyer/test) available under [license](https://github.com/chzyer/test/blob/master/LICENSE) 
 * [circl](https://github.com/cloudflare/circl) available under [license](https://github.com/cloudflare/circl/blob/master/LICENSE) 
 * [go-md2man](https://github.com/cpuguy83/go-md2man/v2) available under [license](https://github.com/cpuguy83/go-md2man/v2/blob/master/LICENSE) 
@ -87,34 +88,61 @@ Proton Mail Bridge includes the following 3rd party software:
 * [wincred](https://github.com/danieljoos/wincred) available under [license](https://github.com/danieljoos/wincred/blob/master/LICENSE) 
 * [go-spew](https://github.com/davecgh/go-spew) available under [license](https://github.com/davecgh/go-spew/blob/master/LICENSE) 
 * [go-windows](https://github.com/elastic/go-windows) available under [license](https://github.com/elastic/go-windows/blob/master/LICENSE) 
-* [go-vcard](https://github.com/emersion/go-vcard) available under [license](https://github.com/emersion/go-vcard/blob/master/LICENSE) 
+* [go-textwrapper](https://github.com/emersion/go-textwrapper) available under [license](https://github.com/emersion/go-textwrapper/blob/master/LICENSE) 
+* [fgprof](https://github.com/felixge/fgprof) available under [license](https://github.com/felixge/fgprof/blob/master/LICENSE) 
 * [go-shlex](https://github.com/flynn-archive/go-shlex) available under [license](https://github.com/flynn-archive/go-shlex/blob/master/LICENSE) 
+* [mimetype](https://github.com/gabriel-vasile/mimetype) available under [license](https://github.com/gabriel-vasile/mimetype/blob/master/LICENSE) 
+* [sse](https://github.com/gin-contrib/sse) available under [license](https://github.com/gin-contrib/sse/blob/master/LICENSE) 
+* [gin](https://github.com/gin-gonic/gin) available under [license](https://github.com/gin-gonic/gin/blob/master/LICENSE) 
+* [locales](https://github.com/go-playground/locales) available under [license](https://github.com/go-playground/locales/blob/master/LICENSE) 
+* [universal-translator](https://github.com/go-playground/universal-translator) available under [license](https://github.com/go-playground/universal-translator/blob/master/LICENSE) 
+* [validator](https://github.com/go-playground/validator/v10) available under [license](https://github.com/go-playground/validator/v10/blob/master/LICENSE) 
+* [go-json](https://github.com/goccy/go-json) available under [license](https://github.com/goccy/go-json/blob/master/LICENSE) 
 * [uuid](https://github.com/gofrs/uuid) available under [license](https://github.com/gofrs/uuid/blob/master/LICENSE) 
+* [groupcache](https://github.com/golang/groupcache) available under [license](https://github.com/golang/groupcache/blob/master/LICENSE) 
 * [protobuf](https://github.com/golang/protobuf) available under [license](https://github.com/golang/protobuf/blob/master/LICENSE) 
+* [pprof](https://github.com/google/pprof) available under [license](https://github.com/google/pprof/blob/master/LICENSE) 
+* [enterprise-certificate-proxy](https://github.com/googleapis/enterprise-certificate-proxy) available under [license](https://github.com/googleapis/enterprise-certificate-proxy/blob/master/LICENSE) 
+* [gax-go](https://github.com/googleapis/gax-go/v2) available under [license](https://github.com/googleapis/gax-go/v2/blob/master/LICENSE) 
 * [errwrap](https://github.com/hashicorp/errwrap) available under [license](https://github.com/hashicorp/errwrap/blob/master/LICENSE) 
 * [go-immutable-radix](https://github.com/hashicorp/go-immutable-radix) available under [license](https://github.com/hashicorp/go-immutable-radix/blob/master/LICENSE) 
 * [go-memdb](https://github.com/hashicorp/go-memdb) available under [license](https://github.com/hashicorp/go-memdb/blob/master/LICENSE) 
 * [golang-lru](https://github.com/hashicorp/golang-lru) available under [license](https://github.com/hashicorp/golang-lru/blob/master/LICENSE) 
 * [multierror](https://github.com/joeshaw/multierror) available under [license](https://github.com/joeshaw/multierror/blob/master/LICENSE) 
+* [go](https://github.com/json-iterator/go) available under [license](https://github.com/json-iterator/go/blob/master/LICENSE) 
+* [cpuid](https://github.com/klauspost/cpuid/v2) available under [license](https://github.com/klauspost/cpuid/v2/blob/master/LICENSE) 
+* [go-urn](https://github.com/leodido/go-urn) available under [license](https://github.com/leodido/go-urn/blob/master/LICENSE) 
 * [go-colorable](https://github.com/mattn/go-colorable) available under [license](https://github.com/mattn/go-colorable/blob/master/LICENSE) 
 * [go-isatty](https://github.com/mattn/go-isatty) available under [license](https://github.com/mattn/go-isatty/blob/master/LICENSE) 
 * [go-runewidth](https://github.com/mattn/go-runewidth) available under [license](https://github.com/mattn/go-runewidth/blob/master/LICENSE) 
+* [go-sqlite3](https://github.com/mattn/go-sqlite3) available under [license](https://github.com/mattn/go-sqlite3/blob/master/LICENSE) 
+* [concurrent](https://github.com/modern-go/concurrent) available under [license](https://github.com/modern-go/concurrent/blob/master/LICENSE) 
+* [reflect2](https://github.com/modern-go/reflect2) available under [license](https://github.com/modern-go/reflect2/blob/master/LICENSE) 
 * [tablewriter](https://github.com/olekukonko/tablewriter) available under [license](https://github.com/olekukonko/tablewriter/blob/master/LICENSE) 
+* [go-toml](https://github.com/pelletier/go-toml/v2) available under [license](https://github.com/pelletier/go-toml/v2/blob/master/LICENSE) 
+* [lz4](https://github.com/pierrec/lz4/v4) available under [license](https://github.com/pierrec/lz4/v4/blob/master/LICENSE) 
 * [go-difflib](https://github.com/pmezard/go-difflib) available under [license](https://github.com/pmezard/go-difflib/blob/master/LICENSE) 
 * [procfs](https://github.com/prometheus/procfs) available under [license](https://github.com/prometheus/procfs/blob/master/LICENSE) 
 * [uniseg](https://github.com/rivo/uniseg) available under [license](https://github.com/rivo/uniseg/blob/master/LICENSE) 
 * [blackfriday](https://github.com/russross/blackfriday/v2) available under [license](https://github.com/russross/blackfriday/v2/blob/master/LICENSE) 
 * [pflag](https://github.com/spf13/pflag) available under [license](https://github.com/spf13/pflag/blob/master/LICENSE) 
 * [bom](https://github.com/ssor/bom) available under [license](https://github.com/ssor/bom/blob/master/LICENSE) 
+* [golang-asm](https://github.com/twitchyliquid64/golang-asm) available under [license](https://github.com/twitchyliquid64/golang-asm/blob/master/LICENSE) 
+* [codec](https://github.com/ugorji/go/codec) available under [license](https://github.com/ugorji/go/codec/blob/master/LICENSE) 
 * [tagparser](https://github.com/vmihailenco/tagparser/v2) available under [license](https://github.com/vmihailenco/tagparser/v2/blob/master/LICENSE) 
 * [smetrics](https://github.com/xrash/smetrics) available under [license](https://github.com/xrash/smetrics/blob/master/LICENSE) 
+* [go-ordered-json](https://gitlab.com/c0b/go-ordered-json) available under [license](https://gitlab.com/c0b/go-ordered-json/blob/master/LICENSE) 
+* [go.opencensus.io](https://pkg.go.dev/go.opencensus.io?tab=licenses) available under [license](https://pkg.go.dev/go.opencensus.io?tab=licenses) 
+* [arch](https://golang.org/x/arch) available under [license](https://cs.opensource.google/go/x/arch/+/master:LICENSE) 
 * [crypto](https://golang.org/x/crypto) available under [license](https://cs.opensource.google/go/x/crypto/+/master:LICENSE) 
 * [mod](https://golang.org/x/mod) available under [license](https://cs.opensource.google/go/x/mod/+/master:LICENSE) 
+* [sync](https://golang.org/x/sync) available under [license](https://cs.opensource.google/go/x/sync/+/master:LICENSE) 
 * [tools](https://golang.org/x/tools) available under [license](https://cs.opensource.google/go/x/tools/+/master:LICENSE) 
-* [genproto](https://google.golang.org/genproto)
-gopkg.in/yaml.v3
-* [docker-credential-helpers](https://github.com/ProtonMail/docker-credential-helpers) available under [license](https://github.com/ProtonMail/docker-credential-helpers/blob/master/LICENSE) 
-* [go-imap](https://github.com/ProtonMail/go-imap) available under [license](https://github.com/ProtonMail/go-imap/blob/master/LICENSE) 
+* [appengine](https://google.golang.org/appengine) available under [license](https://pkg.go.dev/google.golang.org/appengine?tab=licenses) 
+* [genproto](https://google.golang.org/genproto) available under [license](https://pkg.go.dev/google.golang.org/genproto?tab=licenses) 
+* [yaml](https://gopkg.in/yaml.v3) available under [license](https://github.com/go-yaml/yaml/blob/v3.0.1/LICENSE)  available under [license](https://github.com/go-yaml/yaml/blob/v3.0.1/LICENSE) 
 * [go-message](https://github.com/ProtonMail/go-message) available under [license](https://github.com/ProtonMail/go-message/blob/master/LICENSE) 
+* [go-smtp](https://github.com/ProtonMail/go-smtp) available under [license](https://github.com/ProtonMail/go-smtp/blob/master/LICENSE) 
+* [resty](https://github.com/LBeernaertProton/resty/v2) available under [license](https://github.com/LBeernaertProton/resty/v2/blob/master/LICENSE) 
 * [go-keychain](https://github.com/cuthix/go-keychain) available under [license](https://github.com/cuthix/go-keychain/blob/master/LICENSE) 
 <!-- END AUTOGEN -->
--- a/Changelog.md
+++ b/Changelog.md
--- a/180
+++ b/180
@ -1,17 +1,18 @@
 export GO111MODULE=on
+export CGO_ENABLED=1

 # By default, the target OS is the same as the host OS,
 # but this can be overridden by setting TARGET_OS to "windows"/"darwin"/"linux".
 GOOS:=$(shell go env GOOS)
 TARGET_CMD?=Desktop-Bridge
 TARGET_OS?=${GOOS}
-ROOT_DIR:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
+ROOT_DIR:=$(realpath .)

 ## Build
 .PHONY: build build-gui build-nogui build-launcher versioner hasher

 # Keep version hardcoded so app build works also without Git repository.
-BRIDGE_APP_VERSION?=2.4.3+git
+BRIDGE_APP_VERSION?=3.18.0+git
 APP_VERSION:=${BRIDGE_APP_VERSION}
 APP_FULL_NAME:=Proton Mail Bridge
 APP_VENDOR:=Proton AG
@ -19,27 +20,33 @@ SRC_ICO:=bridge.ico
 SRC_ICNS:=Bridge.icns
 SRC_SVG:=bridge.svg
 EXE_NAME:=proton-bridge
-REVISION:=$(shell git rev-parse --short=10 HEAD)
+REVISION:=$(shell "${ROOT_DIR}/utils/get_revision.sh" rev)
+TAG:=$(shell "${ROOT_DIR}/utils/get_revision.sh" tag)
 BUILD_TIME:=$(shell date +%FT%T%z)
-MACOS_MIN_VERSION=11.0
+MACOS_MIN_VERSION_ARM64=11.0
+MACOS_MIN_VERSION_AMD64=10.15
+BUILD_ENV?=dev

 BUILD_FLAGS:=-tags='${BUILD_TAGS}'
 BUILD_FLAGS_LAUNCHER:=${BUILD_FLAGS}
-BUILD_FLAGS_GUI:=-tags='${BUILD_TAGS} build_qt'
-GO_LDFLAGS:=$(addprefix -X github.com/ProtonMail/proton-bridge/v2/internal/constants., Version=${APP_VERSION} Revision=${REVISION} BuildTime=${BUILD_TIME})
-GO_LDFLAGS+=-X "github.com/ProtonMail/proton-bridge/v2/internal/constants.FullAppName=${APP_FULL_NAME}"
+GO_LDFLAGS:=$(addprefix -X github.com/ProtonMail/proton-bridge/v3/internal/constants., Version=${APP_VERSION} Revision=${REVISION} Tag=${TAG} BuildTime=${BUILD_TIME})
+GO_LDFLAGS+=-X "github.com/ProtonMail/proton-bridge/v3/internal/constants.FullAppName=${APP_FULL_NAME}"

-ifneq "${BUILD_LDFLAGS}" ""
-	GO_LDFLAGS+=${BUILD_LDFLAGS}
+ifneq "${DSN_SENTRY}" ""
+	GO_LDFLAGS+=-X github.com/ProtonMail/proton-bridge/v3/internal/constants.DSNSentry=${DSN_SENTRY}
 endif
+
+ifneq "${BUILD_ENV}" ""
+	GO_LDFLAGS+=-X github.com/ProtonMail/proton-bridge/v3/internal/constants.BuildEnv=${BUILD_ENV}
+endif
+
 GO_LDFLAGS_LAUNCHER:=${GO_LDFLAGS}
 ifeq "${TARGET_OS}" "windows"
-	GO_LDFLAGS+=-H=windowsgui
-	GO_LDFLAGS_LAUNCHER+=-H=windowsgui
+	#GO_LDFLAGS+=-H=windowsgui # Disabled so we can inspect trace logs from the bridge for debugging.
+	GO_LDFLAGS_LAUNCHER+=-H=windowsgui # Having this flag prevent a temporary cmd.exe window from popping when starting the application on Windows 11.
 endif

 BUILD_FLAGS+=-ldflags '${GO_LDFLAGS}'
-BUILD_FLAGS_GUI+=-ldflags "${GO_LDFLAGS}"
 BUILD_FLAGS_LAUNCHER+=-ldflags '${GO_LDFLAGS_LAUNCHER}'
 DEPLOY_DIR:=cmd/${TARGET_CMD}/deploy
 DIRNAME:=$(shell basename ${CURDIR})
@ -80,21 +87,24 @@ build: build-gui
 build-gui: ${TGZ_TARGET}

 build-nogui: ${EXE_NAME} build-launcher
+ifeq "${TARGET_OS}" "darwin"
+	mv ${BRIDGE_EXE} ${BRIDGE_EXE_NAME}
+endif

 go-build=go build $(1) -o $(2) $(3)
 go-build-finalize=${go-build}
 ifeq "${GOOS}-$(shell uname -m)" "darwin-arm64"
 	go-build-finalize= \
-		MACOSX_DEPLOYMENT_TARGET=${MACOS_MIN_VERSION} CGO_ENABLED=1 CGO_CFLAGS="-mmacosx-version-min=${MACOS_MIN_VERSION}" GOARCH=arm64 $(call go-build,$(1),$(2)_arm,$(3)) && \
-		MACOSX_DEPLOYMENT_TARGET=${MACOS_MIN_VERSION} CGO_ENABLED=1 CGO_CFLAGS="-mmacosx-version-min=${MACOS_MIN_VERSION}" GOARCH=amd64 $(call go-build,$(1),$(2)_amd,$(3)) && \
+		MACOSX_DEPLOYMENT_TARGET=${MACOS_MIN_VERSION_ARM64} CGO_ENABLED=1 CGO_CFLAGS="-mmacosx-version-min=${MACOS_MIN_VERSION_ARM64}" GOARCH=arm64 $(call go-build,$(1),$(2)_arm,$(3)) && \
+		MACOSX_DEPLOYMENT_TARGET=${MACOS_MIN_VERSION_AMD64} CGO_ENABLED=1 CGO_CFLAGS="-mmacosx-version-min=${MACOS_MIN_VERSION_AMD64}" GOARCH=amd64 $(call go-build,$(1),$(2)_amd,$(3)) && \
 		lipo -create -output $(2) $(2)_arm $(2)_amd && rm -f $(2)_arm $(2)_amd
 endif

 ifeq "${GOOS}" "windows"
 	go-build-finalize= \
-		powershell Copy-Item ${ROOT_DIR}/${RESOURCE_FILE} ${4}  && \
-		$(call go-build,$(1),$(2),$(3)) && \
-		powershell Remove-Item ${4} -Force
+		$(if $(4),cp "${ROOT_DIR}/${RESOURCE_FILE}" ${4}  &&,) \
+		$(call go-build,$(1),$(2),$(3)) \
+		$(if $(4), && rm -f ${4},)
 endif

 ${EXE_NAME}: gofiles  ${RESOURCE_FILE}
@ -107,6 +117,12 @@ build-launcher: ${RESOURCE_FILE}
 versioner:
 	go build ${BUILD_FLAGS} -o versioner utils/versioner/main.go

+vault-editor:
+	$(call go-build-finalize,-tags=debug,"vault-editor","./utils/vault-editor/main.go")
+
+bridge-rollout:
+	$(call go-build-finalize,, "bridge-rollout","./utils/bridge-rollout/bridge-rollout.go")
+
 hasher:
 	go build -o hasher utils/hasher/main.go

@ -147,9 +163,12 @@ ${EXE_TARGET}: check-build-essentials ${EXE_NAME}
 		BRIDGE_VENDOR="${APP_VENDOR}" \
 		BRIDGE_APP_VERSION=${APP_VERSION} \
 		BRIDGE_REVISION=${REVISION} \
+		BRIDGE_TAG=${TAG} \
+		BRIDGE_DSN_SENTRY=${DSN_SENTRY} \
 		BRIDGE_BUILD_TIME=${BUILD_TIME} \
 		BRIDGE_GUI_BUILD_CONFIG=Release \
-		BRIDGE_INSTALL_PATH=${ROOT_DIR}/${DEPLOY_DIR}/${GOOS} \
+		BRIDGE_BUILD_ENV=${BUILD_ENV} \
+		BRIDGE_INSTALL_PATH="${ROOT_DIR}/${DEPLOY_DIR}/${GOOS}" \
 		./build.sh install
 	mv "${ROOT_DIR}/${BRIDGE_EXE}" "$(ROOT_DIR)/${EXE_TARGET}"

@ -170,7 +189,7 @@ ${RESOURCE_FILE}: ./dist/info.rc ./dist/${SRC_ICO} .FORCE

 ## Dev dependencies
 .PHONY: install-devel-tools install-linter install-go-mod-outdated install-git-hooks
-LINTVER:="v1.50.0"
+LINTVER:="v1.61.0"
 LINTSRC:="https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh"

 install-dev-dependencies: install-devel-tools install-linter install-go-mod-outdated
@ -214,10 +233,51 @@ add-license:
 change-copyright-year:
 	./utils/missing_license.sh change-year

+GOCOVERAGE=-covermode=count -coverpkg=github.com/ProtonMail/proton-bridge/v3/internal/...,github.com/ProtonMail/proton-bridge/v3/pkg/...,
+GOCOVERDIR=-args -test.gocoverdir=$$PWD/coverage
+
 test: gofiles
-	go test -coverprofile=/tmp/coverage.out -run=${TESTRUN} \
-		./internal/...\
-		./pkg/...
+	mkdir -p coverage/unit-${GOOS}
+	go test \
+		-v -timeout=20m -p=1 -count=1 \
+		${GOCOVERAGE} \
+		-run=${TESTRUN} ./internal/... ./pkg/... \
+		${GOCOVERDIR}/unit-${GOOS}
+
+test-race: gofiles
+	go test -v -timeout=40m -p=1 -count=1 -race -failfast -run=${TESTRUN} ./internal/... ./pkg/...
+
+test-integration: gofiles
+	mkdir -p coverage/integration
+	go test \
+		-v -timeout=60m -p=1 -count=1 -tags=test_integration \
+		${GOCOVERAGE} \
+		github.com/ProtonMail/proton-bridge/v3/tests \
+		${GOCOVERDIR}/integration
+
+
+test-integration-debug: gofiles
+	dlv test github.com/ProtonMail/proton-bridge/v3/tests -- -test.v -test.timeout=10m -test.parallel=1 -test.count=1
+
+test-integration-race: gofiles
+	go test -v -timeout=60m -p=1 -count=1 -race -failfast github.com/ProtonMail/proton-bridge/v3/tests
+
+test-integration-nightly: gofiles
+	mkdir -p coverage/integration
+	gotestsum \
+		--junitfile tests/result/feature-tests.xml -- \
+		-v -timeout=90m -p=1 -count=1 -tags=test_integration \
+		${GOCOVERAGE} \
+		github.com/ProtonMail/proton-bridge/v3/tests \
+		${GOCOVERDIR}/integration \
+		nightly
+
+fuzz: gofiles
+	go test -fuzz=FuzzUnmarshal 	 -parallel=4 -fuzztime=60s $(PWD)/internal/legacy/credentials
+	go test -fuzz=FuzzNewParser 	 -parallel=4 -fuzztime=60s $(PWD)/pkg/message/parser
+	go test -fuzz=FuzzReadHeaderBody -parallel=4 -fuzztime=60s $(PWD)/pkg/message
+	go test -fuzz=FuzzDecodeHeader 	 -parallel=4 -fuzztime=60s $(PWD)/pkg/mime
+	go test -fuzz=FuzzDecodeCharset  -parallel=4 -fuzztime=60s $(PWD)/pkg/mime

 bench:
 	go test -run '^$$' -bench=. -memprofile bench_mem.pprof -cpuprofile bench_cpu.pprof ./internal/store
@ -227,18 +287,31 @@ bench:
 coverage: test
 	go tool cover -html=/tmp/coverage.out -o=coverage.html

-integration-test-bridge:
-	${MAKE} -C test test-bridge
-
 mocks:
-	mockgen --package mocks github.com/ProtonMail/proton-bridge/v2/internal/users Locator,PanicHandler,CredentialsStorer,StoreMaker > internal/users/mocks/mocks.go
-	mockgen --package mocks github.com/ProtonMail/proton-bridge/v2/pkg/listener Listener > internal/users/mocks/listener_mocks.go
-	mockgen --package mocks github.com/ProtonMail/proton-bridge/v2/internal/store PanicHandler,BridgeUser,ChangeNotifier,Storer > internal/store/mocks/mocks.go
-	mockgen --package mocks github.com/ProtonMail/proton-bridge/v2/pkg/listener Listener > internal/store/mocks/utils_mocks.go
-	mockgen --package mocks github.com/ProtonMail/proton-bridge/v2/pkg/pmapi Client,Manager > pkg/pmapi/mocks/mocks.go
-	mockgen --package mocks github.com/ProtonMail/proton-bridge/v2/pkg/message Fetcher > pkg/message/mocks/mocks.go
+	mockgen --package mocks github.com/ProtonMail/proton-bridge/v3/internal/bridge TLSReporter,ProxyController,Autostarter > tmp
+	mv tmp internal/bridge/mocks/mocks.go
+	mockgen --package mocks github.com/ProtonMail/gluon/async PanicHandler > internal/bridge/mocks/async_mocks.go
+	mockgen --package mocks github.com/ProtonMail/gluon/reporter Reporter > internal/bridge/mocks/gluon_mocks.go
+	mockgen --package mocks github.com/ProtonMail/proton-bridge/v3/internal/updater Downloader,Installer > internal/updater/mocks/mocks.go
+	mockgen --package mocks github.com/ProtonMail/proton-bridge/v3/internal/telemetry HeartbeatManager > internal/telemetry/mocks/mocks.go
+	cp internal/telemetry/mocks/mocks.go internal/bridge/mocks/telemetry_mocks.go
+	mockgen --package mocks github.com/ProtonMail/proton-bridge/v3/internal/services/userevents \
+EventSource,EventIDStore  > internal/services/userevents/mocks/mocks.go
+	mockgen --package userevents github.com/ProtonMail/proton-bridge/v3/internal/services/userevents \
+EventSubscriber,MessageEventHandler,LabelEventHandler,AddressEventHandler,RefreshEventHandler,UserEventHandler,UserUsedSpaceEventHandler > tmp
+	mv tmp internal/services/userevents/mocks_test.go
+	mockgen --package mocks github.com/ProtonMail/proton-bridge/v3/internal/events EventPublisher \
+> internal/events/mocks/mocks.go
+	mockgen --package mocks github.com/ProtonMail/proton-bridge/v3/internal/services/useridentity IdentityProvider,Telemetry \
+> internal/services/useridentity/mocks/mocks.go
+	mockgen --self_package "github.com/ProtonMail/proton-bridge/v3/internal/services/syncservice" -package syncservice github.com/ProtonMail/proton-bridge/v3/internal/services/syncservice \
+ApplyStageInput,BuildStageInput,BuildStageOutput,DownloadStageInput,DownloadStageOutput,MetadataStageInput,MetadataStageOutput,\
+StateProvider,Regulator,UpdateApplier,MessageBuilder,APIClient,Reporter,DownloadRateModifier \
+> tmp
+	mv tmp internal/services/syncservice/mocks_test.go
+	mockgen --package mocks github.com/ProtonMail/gluon/connector IMAPStateWrite > internal/services/imapservice/mocks/mocks.go

-lint: gofiles lint-golang lint-license lint-dependencies lint-changelog
+lint: gofiles lint-golang lint-license lint-dependencies lint-changelog lint-bug-report

 lint-license:
 	./utils/missing_license.sh check
@ -254,6 +327,12 @@ lint-golang:
 	$(info linting with GOMAXPROCS=${GOMAXPROCS})
 	golangci-lint run ./...

+lint-bug-report:
+	python3 utils/validate_bug_report_file.py --file "internal/frontend/bridge-gui/bridge-gui/qml/Resources/bug_report_flow.json"
+
+lint-bug-report-preview:
+	python3 utils/validate_bug_report_file.py --file "internal/frontend/bridge-gui/bridge-gui/qml/Resources/bug_report_flow.json" --preview
+
 updates: install-go-mod-outdated
 	# Uncomment the "-ci" to fail the job if something can be updated.
 	go list -u -m -json all | go-mod-outdated -update -direct #-ci
@ -261,7 +340,7 @@ updates: install-go-mod-outdated
 doc:
 	godoc -http=:6060

-release-notes: release-notes/bridge_stable.html release-notes/bridge_early.html
+release-notes: release-notes/bridge_stable.html release-notes/bridge_early.html utils/release_notes.sh

 release-notes/%.html: release-notes/%.md
 	./utils/release_notes.sh $^
@ -274,7 +353,7 @@ gofiles: ./internal/bridge/credits.go
 	cd ./utils/ && ./credits.sh bridge

 ## Run and debug
-.PHONY: run run-qt run-qt-cli run-nogui run-nogui-cli run-debug run-qml-preview clean-vendor clean-frontend-qt clean-frontend-qt-common clean
+.PHONY: run run-qt run-qt-cli run-nogui run-cli run-noninteractive run-debug run-gui-tester clean-vendor clean-frontend-qt clean-frontend-qt-common clean

 LOG?=debug
 LOG_IMAP?=client # client/server/all, or empty to turn it off
@ -285,18 +364,46 @@ run: run-qt

 run-cli: run-nogui

+run-noninteractive: build-nogui clean-vendor gofiles
+	PROTONMAIL_ENV=dev ./${LAUNCHER_EXE} ${RUN_FLAGS} -n
+
 run-qt: build-gui
+ifeq "${TARGET_OS}" "darwin"
+	PROTONMAIL_ENV=dev ${DARWINAPP_CONTENTS}/MacOS/${LAUNCHER_EXE}  ${RUN_FLAGS}
+else
 	PROTONMAIL_ENV=dev ./${DEPLOY_DIR}/${TARGET_OS}/${LAUNCHER_EXE} ${RUN_FLAGS}
+endif

 run-nogui: build-nogui clean-vendor gofiles
 	PROTONMAIL_ENV=dev ./${LAUNCHER_EXE} ${RUN_FLAGS} -c

+run-debug:
+	dlv debug \
+		--build-flags "-ldflags '-X github.com/ProtonMail/proton-bridge/v3/internal/constants.Version=3.1.0+git'" \
+		./cmd/Desktop-Bridge/main.go \
+		-- \
+		-n -l=trace
+
+ifeq "${TARGET_OS}" "windows"
+	EXE_SUFFIX=.exe
+endif
+
+bridge-gui-tester:  build-gui
+	cp ./cmd/Desktop-Bridge/deploy/${TARGET_OS}/bridge-gui${EXE_SUFFIX} .
+	cd ./internal/frontend/bridge-gui/bridge-gui-tester && cmake . && make
+
+run-gui-tester: bridge-gui-tester
+	# copying tester as bridge so bridge-gui will start it and connect to it automatically
+	cp ./internal/frontend/bridge-gui/bridge-gui-tester/bridge-gui-tester${EXE_SUFFIX} bridge${EXE_SUFFIX}
+	./bridge-gui${EXE_SUFFIX}
+
+
 clean-vendor:
 	rm -rf ./vendor

 clean-gui:
 	cd internal/frontend/bridge-gui/ && \
-		rm -f Version.h && \
+		rm -f BuildConfig.h && \
 		rm -rf cmake-build-*/

 clean-vcpkg:
@ -313,11 +420,12 @@ clean: clean-vendor clean-gui clean-vcpkg
 	rm -f ./*.syso
 	rm -f release-notes/bridge.html
 	rm -f release-notes/import-export.html
+	rm -f ${LAUNCHER_EXE} ${BRIDGE_EXE} ${BRIDGE_EXE_NAME}


 .PHONY: generate
 generate:
 	go generate ./...
-	$(MAKE) add-license
+	$(MAKE) build

 .FORCE:
--- a/README.md
+++ b/README.md
@ -1,7 +1,7 @@
-# Proton Mail Bridge and Import Export app
-Copyright (c) 2022 Proton AG
+# Proton Mail Bridge
+Copyright (c) 2025 Proton AG

-This repository holds the Proton Mail Bridge and the Proton Mail Import-Export applications.
+This repository holds the Proton Mail Bridge application.
 For a detailed build information see [BUILDS](./BUILDS.md).
 The license can be found in [LICENSE](./LICENSE) file, for more licensing information see [COPYING_NOTES](./COPYING_NOTES.md).
 For contribution policy see [CONTRIBUTING](./CONTRIBUTING.md).
@ -13,7 +13,7 @@ Proton Mail Bridge for e-mail clients.
 When launched, Bridge will initialize local IMAP/SMTP servers and render 
 its GUI.

-To configure an e-mail client, firstly log in using your Proton Mail credentials. 
+To configure an e-mail client, first log in using your Proton Mail credentials. 
 Open your e-mail client and add a new account using the settings which are 
 located in the Bridge GUI. The client will only be able to sync with 
 your Proton Mail account when the Bridge is running, thus the option 
@ -22,12 +22,12 @@ to start Bridge on startup is enabled by default.
 When the main window is closed, Bridge will continue to run in the
 background.

-More details [on the public website](https://protonmail.com/bridge).
+More details [on the public website](https://proton.me/mail/bridge).

-## Launchers
-Launchers are binaries used to run the Proton Mail Bridge or Import-Export apps.
+## Launcher
+The launcher is a binary used to run the Proton Mail Bridge.

-Official distributions of the Proton Mail Bridge and Import-Export apps contain
+The Official distribution of the Proton Mail Bridge application contains
 both a launcher and the app itself. The launcher is installed in a protected
 area of the system (i.e. an area accessible only with admin privileges) and is
 used to run the app. The launcher ensures that nobody tampered with the app's
@ -37,7 +37,7 @@ feature enables the app to securely update itself automatically without asking
 the user for a password.

 ## Keychain
-You need to have a keychain in order to run the Proton Mail Bridge. On Mac or
+You need to have a keychain in order to run Proton Mail Bridge. On Mac or
 Windows, Bridge uses native credential managers. On Linux, use `secret-service` freedesktop.org API
 (e.g. [Gnome keyring](https://wiki.gnome.org/Projects/GnomeKeyring/))
 or
@ -48,9 +48,6 @@ major problems.

 ## Environment Variables

-### Bridge application
- `BRIDGESTRICTMODE`: tells bridge to turn on `bbolt`'s "strict mode" which checks the database after every `Commit`. Set to `1` to enable.
-
 ### Dev build or run
 - `APP_VERSION`: set the bridge app version used during testing or building
 - `PROTONMAIL_ENV`: when set to `dev` it is not using Sentry to report crashes
@ -62,35 +59,34 @@ major problems.
 - `TAGS`: set build tags for tests
 - `FEATURES`: set feature dir, file or scenario to test

+## Folders
+
+There are now three types of system folders which Bridge recognises:
+
+|        | Windows                             | Mac                                                 | Linux                               | Linux (XDG)                           |
+|--------|-------------------------------------|-----------------------------------------------------|-------------------------------------|---------------------------------------|
+| config | %APPDATA%\protonmail\bridge-v3      | ~/Library/Application Support/protonmail/bridge-v3  | ~/.config/protonmail/bridge-v3      | $XDG_CONFIG_HOME/protonmail/bridge-v3 |
+| cache  | %LOCALAPPDATA%\protonmail\bridge-v3 | ~/Library/Caches/protonmail/bridge-v3               | ~/.cache/protonmail/bridge-v3       | $XDG_CACHE_HOME/protonmail/bridge-v3  |
+| data	  | %APPDATA%\protonmail\bridge-v3      | ~/Library/Application Support/protonmail/bridge-v3  | ~/.local/share/protonmail/bridge-v3 | $XDG_DATA_HOME/protonmail/bridge-v3   |
+| temp   | %LOCALAPPDATA%\Temp                 | $TMPDIR if non-empty, else /tmp                     | $TMPDIR if non-empty, else /tmp     | $TMPDIR if non-empty, else /tmp       |
+
+

 ## Files
-### Database
-The database stores metadata necessary for presenting messages and mailboxes to an email client:
- Linux: `~/.cache/protonmail/bridge/<cacheVersion>/mailbox-<userID>.db` (unless `XDG_CACHE_HOME` is set, in which case that is used as your `~`)
- macOS: `~/Library/Caches/protonmail/bridge/<cacheVersion>/mailbox-<userID>.db`
- Windows: `%LOCALAPPDATA%\protonmail\bridge\<cacheVersion>\mailbox-<userID>.db`

-### Preferences
-User preferences are stored in json at the following location:
- Linux: `~/.config/protonmail/bridge/prefs.json`
- macOS: `~/Library/ApplicationSupport/protonmail/bridge/prefs.json`
- Windows: `%APPDATA%\protonmail\bridge\prefs.json`
+|                        | Base Dir | Path                       |
+|------------------------|----------|----------------------------|
+| bridge lock file       | cache    | bridge.lock                |
+| bridge-gui lock file   | cache    | bridge-gui.lock            |
+| vault                  | config   | vault.enc                  |
+| gRPC server json       | config   | grpcServerConfig.json      |
+| gRPC client json       | config   | grpcClientConfig_<id>.json |
+| gRPC Focus server json | config   | grpcFocusServerConfig.json |
+| Logs                   | data     | logs                       |
+| gluon DB               | data     | gluon/backend/db           |
+| gluon messages         | data     | gluon/backend/store        |
+| Update files           | data     | updates                    |
+| sentry cache           | data     | sentry_cache               |
+| Mac/Linux File Socket  | temp     | bridge{4_DIGITS}           |

-### IMAP Cache
-The currently subscribed mailboxes are held in a json file:
- Linux: `~/.cache/protonmail/bridge/<cacheVersion>/user_info.json` (unless `XDG_CACHE_HOME` is set, in which case that is used as your `~`)
- macOS: `~/Library/Caches/protonmail/bridge/<cacheVersion>/user_info.json`
- Windows: `%LOCALAPPDATA%\protonmail\bridge\<cacheVersion>\user_info.json`
-
-### Lock file
-Bridge utilises an on-disk lock to ensure only one instance is run at once. The lock file is here: 
- Linux: `~/.cache/protonmail/bridge/<cacheVersion>/bridge.lock` (unless `XDG_CACHE_HOME` is set, in which case that is used as your `~`)
- macOS: `~/Library/Caches/protonmail/bridge/<cacheVersion>/bridge.lock`
- Windows: `%LOCALAPPDATA%\protonmail\bridge\<cacheVersion>\bridge.lock`
-
-### TLS Certificate and Key
-When bridge first starts, it generates a unique TLS certificate and key file at the following locations:
- Linux: `~/.config/protonmail/bridge/{cert,key}.pem` (unless `XDG_CONFIG_HOME` is set, in which case that is used as your `~/.config`)
- macOS: `~/Library/ApplicationSupport/protonmail/bridge/{cert,key}.pem`
- Windows: `%APPDATA%\protonmail\bridge\{cert,key}.pem`

--- a/ci/build.yml
+++ b/ci/build.yml
@ -0,0 +1,72 @@
+---
+
+.script-build:
+  stage: build
+  needs: ["lint"]
+  extends:
+    - .rules-branch-and-MR-manual
+  script:
+    - which go && go version
+    - which gcc && gcc --version
+    - which qmake && qmake --version
+    - git rev-parse --short=10 HEAD
+    - make build
+    - git diff && git diff-index --quiet HEAD
+    - make vault-editor
+    - make bridge-rollout
+  artifacts:
+    expire_in: 1 day
+    when: always
+    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
+    paths:
+      - bridge_*.tgz
+      - vault-editor
+      - bridge-rollout
+build-linux:
+  extends:
+    - .script-build
+    - .env-linux-build
+
+build-linux-qa:
+  extends:
+    - build-linux
+    - .rules-branch-manual-MR-and-devel-always
+  variables:
+    BUILD_TAGS: "build_qa"
+
+build-darwin:
+  extends:
+    - .script-build
+    - .env-darwin
+
+build-darwin-qa:
+  extends:
+    - build-darwin
+  variables:
+    BUILD_TAGS: "build_qa"
+
+build-windows:
+  extends:
+    - .script-build
+    - .env-windows
+
+build-windows-qa:
+  extends:
+    - build-windows
+  variables:
+    BUILD_TAGS: "build_qa"
+
+trigger-qa-installer:
+  stage: build
+  needs: ["lint"]
+  extends:
+    - .rules-br-tag-always-branch-and-MR-manual
+  variables:
+    APP: bridge
+    WORKFLOW: build-all
+    SRC_TAG: $CI_COMMIT_BRANCH
+    TAG: $CI_COMMIT_TAG
+    SRC_HASH: $CI_COMMIT_SHA
+  trigger:
+    project: "jcuth/bridge-release"
+    branch: master
--- a/ci/env.yml
+++ b/ci/env.yml
@ -0,0 +1,59 @@
+
+---
+
+.env-windows:
+  extends:
+    - .image-windows-virt-build
+  before_script:
+    - !reference [.before-script-windows-virt-build, before_script]
+    - !reference [.before-script-git-config, before_script]
+    - mkdir -p .cache/bin
+    - export PATH=$(pwd)/.cache/bin:$PATH
+    - export GOPATH="$CI_PROJECT_DIR/.cache"
+  variables:
+    GOARCH: amd64
+    BRIDGE_SYNC_FORCE_MINIMUM_SPEC: 1
+    VCPKG_DEFAULT_BINARY_CACHE: ${CI_PROJECT_DIR}/.cache
+  cache:
+    key: windows-vcpkg-go-0
+    paths:
+      - .cache
+    when: 'always'
+
+.env-darwin:
+  extends:
+    - .image-darwin-build
+  before_script:
+    - !reference [.before-script-darwin-tart-build, before_script]
+    - !reference [.before-script-git-config, before_script]
+    - mkdir -p .cache/bin
+    - export PATH=$(pwd)/.cache/bin:$PATH
+    - export GOPATH="$CI_PROJECT_DIR/.cache"
+  variables:
+    BRIDGE_SYNC_FORCE_MINIMUM_SPEC: 1
+    VCPKG_DEFAULT_BINARY_CACHE: ${CI_PROJECT_DIR}/.cache
+  cache:
+    key: darwin-go-and-vcpkg
+    paths:
+      - .cache
+    when: 'always'
+
+.env-linux-build:
+  extends:
+    - .image-linux-build
+  variables:
+    VCPKG_DEFAULT_BINARY_CACHE: ${CI_PROJECT_DIR}/.cache
+  cache:
+    key: linux-vcpkg
+    paths:
+      - .cache
+    when: 'always'
+  before_script:
+    - export BRIDGE_SYNC_FORCE_MINIMUM_SPEC=1
+    - !reference [.before-script-git-config, before_script]
+    - mkdir -p .cache/bin
+    - export PATH=$(pwd)/.cache/bin:$PATH
+    - export GOPATH="$CI_PROJECT_DIR/.cache"
+  tags:
+    - shared-large
+
--- a/ci/report.yml
+++ b/ci/report.yml
@ -0,0 +1,25 @@
+
+---
+
+include:
+  - project: 'tpe/testmo-reporter'
+    ref: master
+    file: '/scenarios/testmo-script.yml'
+
+testmo-upload:
+    stage: report
+    extends:
+      - .testmo-upload
+      - .rules-branch-manual-scheduled-and-test-branch-always
+    needs:
+      - test-integration-nightly
+    before_script: []
+    variables:
+      TESTMO_TOKEN: "$TESTMO_TOKEN"
+      TESTMO_URL: "https://proton.testmo.net"
+      PROJECT_ID: "9"
+      NAME: "Nightly integration tests"
+      MILESTONE: "Nightly integration tests"
+      SOURCE: "test-integration-nightly"
+      TAGS: "$CI_COMMIT_REF_SLUG"
+      RESULT_FOLDER: "tests/result/*.xml"
--- a/ci/rules.yml
+++ b/ci/rules.yml
@ -0,0 +1,58 @@
+
+---
+
+.rules-branch-and-MR-manual:
+  rules:
+    - if: $CI_COMMIT_BRANCH ||  $CI_PIPELINE_SOURCE == "merge_request_event"
+      when: manual
+      allow_failure: true
+    - when: never
+
+.rules-branch-manual-MR-and-devel-always:
+  rules:
+    - if: $CI_COMMIT_BRANCH == "devel" || $CI_PIPELINE_SOURCE == "merge_request_event"
+      when: always
+      allow_failure: false
+    - if: $CI_COMMIT_BRANCH
+      when: manual
+      allow_failure: true
+    - when: never
+
+.rules-branch-manual-br-tag-and-MR-and-devel-always:
+  rules:
+    - if: $CI_COMMIT_BRANCH == "devel" || $CI_PIPELINE_SOURCE == "merge_request_event"
+      when: always
+      allow_failure: false
+    - if: $CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_TAG =~ /^br-\d+/
+      when: always
+      allow_failure: false
+    - if: $CI_COMMIT_BRANCH
+      when: manual
+      allow_failure: true
+    - when: never
+
+.rules-branch-manual-scheduled-and-test-branch-always:
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "schedule"
+      when: always
+      allow_failure: false
+    - if: $CI_MERGE_REQUEST_SOURCE_BRANCH_NAME=~ /^test/
+      when: always
+      allow_failure: false
+    - if: $CI_COMMIT_BRANCH
+      when: manual
+      allow_failure: true
+    - when: never
+
+.rules-br-tag-always-branch-and-MR-manual:
+  rules:
+    - if: $CI_PIPELINE_SOURCE == 'push' && $CI_COMMIT_BRANCH
+      when: manual
+      allow_failure: true
+    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+      when: manual
+      allow_failure: true
+    - if: $CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_TAG =~ /^br-\d+/
+      when: always
+    - when: never
+
--- a/ci/setup.yml
+++ b/ci/setup.yml
@ -0,0 +1,7 @@
+---
+
+include:
+  - project: 'go/bridge-internal'
+    ref: 'master'
+    file: 'ci/runners-setup.yml'
+
--- a/ci/test.yml
+++ b/ci/test.yml
@ -0,0 +1,153 @@
+
+---
+
+lint:
+  stage: test
+  extends:
+    - .image-linux-test
+    - .rules-branch-manual-br-tag-and-MR-and-devel-always
+  script:
+    - make lint
+  tags:
+    - shared-medium
+
+lint-bug-report-preview:
+  stage: test
+  extends:
+    - .image-linux-test
+    - .rules-branch-and-MR-manual
+  script:
+    - make lint-bug-report-preview
+  tags:
+    - shared-medium
+
+.script-test:
+  stage: test
+  extends:
+    - .rules-branch-manual-MR-and-devel-always
+  script:
+    - which go && go version
+    - which gcc && gcc --version
+    - make test
+  artifacts:
+    paths:
+      - coverage/**
+
+
+
+test-linux:
+  extends:
+    - .image-linux-test
+    - .script-test
+  tags:
+    - shared-large
+
+test-windows:
+  extends:
+    - .env-windows
+    - .script-test
+
+test-darwin:
+  extends:
+    - .env-darwin
+    - .script-test
+
+fuzz-linux:
+  stage: test
+  extends:
+    - .image-linux-test
+    - .rules-branch-manual-MR-and-devel-always
+  script:
+    - make fuzz
+  tags:
+    - shared-large
+
+test-linux-race:
+  extends:
+    - test-linux
+    - .rules-branch-and-MR-manual
+  script:
+    - make test-race
+
+test-integration:
+  extends:
+    - test-linux
+  script:
+    - make test-integration | tee -a integration-job.log
+  after_script:
+    - |
+      grep "Error: " integration-job.log
+  artifacts:
+    when: always
+    paths:
+      - integration-job.log
+
+test-integration-race:
+  extends:
+    - test-integration
+    - .rules-branch-and-MR-manual
+  script:
+    - make test-integration-race | tee -a integration-race-job.log
+  artifacts:
+    when: always
+    paths:
+      - integration-race-job.log
+
+
+test-integration-nightly:
+  extends:
+    - test-integration
+    - .rules-branch-manual-scheduled-and-test-branch-always
+  needs:
+    - test-integration
+  script:
+    - make test-integration-nightly | tee -a nightly-job.log
+  after_script:
+    - |
+      grep "Error: " nightly-job.log
+  artifacts:
+    when: always
+    paths:
+      - tests/result/feature-tests.xml
+      - nightly-job.log
+
+test-coverage:
+  stage: test
+  extends:
+    - .image-linux-test
+    - .rules-branch-manual-scheduled-and-test-branch-always
+  script:
+    - ./utils/coverage.sh
+  coverage: '/total:.*\(statements\).*\d+\.\d+%/'
+  needs:
+    - test-linux
+    - test-windows
+    - test-darwin
+    - test-integration
+    - test-integration-nightly
+  tags:
+    - shared-small
+  artifacts:
+    paths:
+      - coverage*
+      - coverage/**
+    when: 'always'
+    reports:
+      coverage_report:
+        coverage_format: cobertura
+        path: coverage.xml
+
+go-vuln-check:
+  extends:
+    - .image-linux-test
+    - .rules-branch-manual-MR-and-devel-always
+  stage: test
+  tags:
+    - shared-medium
+  script:
+    - ./utils/govulncheck.sh
+  artifacts:
+    when: always
+    paths:
+      - vulns*
+
--- a/cmd/Desktop-Bridge/main.go
+++ b/cmd/Desktop-Bridge/main.go
@ -1,4 +1,4 @@
-// Copyright (c) 2022 Proton AG
+// Copyright (c) 2025 Proton AG
 //
 // This file is part of Proton Mail Bridge.
 //
@ -17,6 +17,21 @@

 package main

+import (
+	"os"
+	"runtime"
+	"strings"
+
+	"github.com/ProtonMail/proton-bridge/v3/internal/constants"
+	"github.com/ProtonMail/proton-bridge/v3/internal/locations"
+	"github.com/ProtonMail/proton-bridge/v3/internal/logging"
+	"github.com/ProtonMail/proton-bridge/v3/internal/sentry"
+	"github.com/sirupsen/logrus"
+
+	"github.com/ProtonMail/proton-bridge/v3/internal/app"
+	"github.com/bradenaw/juniper/xslices"
+)
+
 /*
                             ___....___
   ^^                __..-:'':__:..:__:'':-..__
@ -34,41 +49,73 @@ package main
   ~~^_~^~/   \~^-~^~ _~^-~_^~-^~_^~~-^~_~^~-~_~-^~_^/   \~^ ~~_ ^
 */

-import (
-	"os"
-
-	"github.com/ProtonMail/proton-bridge/v2/internal/app/base"
-	"github.com/ProtonMail/proton-bridge/v2/internal/app/bridge"
-	"github.com/ProtonMail/proton-bridge/v2/internal/constants"
-	"github.com/sirupsen/logrus"
-)
-
-const (
-	appUsage      = "Proton Mail IMAP and SMTP Bridge"
-	configName    = "bridge"
-	updateURLName = "bridge"
-	keychainName  = "bridge"
-	cacheVersion  = "c11"
-)
-
 func main() {
-	base, err := base.New(
-		constants.FullAppName,
-		appUsage,
-		configName,
-		updateURLName,
-		keychainName,
-		cacheVersion,
+	appErr := app.New().Run(xslices.Filter(os.Args, func(arg string) bool { return !strings.Contains(arg, "-psn_") }))
+	if appErr != nil {
+		_ = app.WithLocations(func(l *locations.Locations) error {
+			logsPath, err := l.ProvideLogsPath()
+			if err != nil {
+				return err
+			}
+
+			// Get the session ID if its specified
+			var sessionID logging.SessionID
+			if flagVal, found := getFlagValue(os.Args, app.FlagSessionID); found {
+				sessionID = logging.SessionID(flagVal)
+			} else {
+				sessionID = logging.NewSessionID()
+			}
+
+			closer, err := logging.Init(
+				logsPath,
+				sessionID,
+				logging.BridgeShortAppName,
+				logging.DefaultMaxLogFileSize,
+				logging.DefaultPruningSize,
+				"",
 			)
 			if err != nil {
-		logrus.WithError(err).Fatal("Failed to create app base")
-	}
-	// Other instance already running.
-	if base == nil {
-		return
+				return err
 			}

-	if err := bridge.New(base).Run(os.Args); err != nil {
-		logrus.WithError(err).Fatal("Bridge exited with error")
+			defer func() {
+				_ = logging.Close(closer)
+			}()
+
+			logrus.
+				WithField("appName", constants.FullAppName).
+				WithField("version", constants.Version).
+				WithField("revision", constants.Revision).
+				WithField("tag", constants.Tag).
+				WithField("build", constants.BuildTime).
+				WithField("runtime", runtime.GOOS).
+				WithField("args", os.Args).
+				WithField("SentryID", sentry.GetProtectedHostname()).WithError(appErr).Error("Failed to initialize bridge")
+			return nil
+		})
 	}
 }
+
+// getFlagValue - obtains the value of a specified tag
+// The flag can be of the following form `-flag value`, `--flag value`, `-flag=value` or `--flags=value`.
+func getFlagValue(argList []string, flag string) (string, bool) {
+	eqPrefix1 := "-" + flag + "="
+	eqPrefix2 := "--" + flag + "="
+
+	for i := 0; i < len(argList); i++ {
+		arg := argList[i]
+		if strings.HasPrefix(arg, eqPrefix1) {
+			val := strings.TrimPrefix(arg, eqPrefix1)
+			return val, len(val) > 0
+		}
+		if strings.HasPrefix(arg, eqPrefix2) {
+			val := strings.TrimPrefix(arg, eqPrefix2)
+			return val, len(val) > 0
+		}
+		if (arg == "-"+flag || arg == "--"+flag) && i+1 < len(argList) {
+			return argList[i+1], true
+		}
+	}
+
+	return "", false
+}
--- a/cmd/Desktop-Bridge/main_test.go
+++ b/cmd/Desktop-Bridge/main_test.go
@ -1,4 +1,4 @@
-// Copyright (c) 2022 Proton AG
+// Copyright (c) 2025 Proton AG
 //
 // This file is part of Proton Mail Bridge.
 //
@ -15,46 +15,33 @@
 // You should have received a copy of the GNU General Public License
 // along with Proton Mail Bridge. If not, see <https://www.gnu.org/licenses/>.

-package imap
+package main

 import (
 	"testing"
-	"time"

 	"github.com/stretchr/testify/require"
 )

-func TestUpdatesCanDelete(t *testing.T) {
-	u := newIMAPUpdates(nil)
-
-	can, _ := u.CanDelete("mbox")
-	require.True(t, can)
-
-	u.forbidExpunge("mbox")
-	u.allowExpunge("mbox")
-
-	can, _ = u.CanDelete("mbox")
-	require.True(t, can)
+func TestGetFlagValue(t *testing.T) {
+	tests := []struct {
+		args     []string
+		flag     string
+		expected string
+	}{
+		{[]string{"session-id", ""}, "session-id", ""},
+		{[]string{"-session-id", ""}, "session-id", ""},
+		{[]string{"--session-id", ""}, "session-id", ""},
+		{[]string{"session-id", "test"}, "session-id", ""},
+		{[]string{"-session-id", "test"}, "session-id", "test"},
+		{[]string{"--session-id", "test"}, "session-id", "test"},
+		{[]string{"session-id=test"}, "session-id", ""},
+		{[]string{"-session-id=test"}, "session-id", "test"},
+		{[]string{"--session-id=test"}, "session-id", "test"},
 	}

-func TestUpdatesCannotDelete(t *testing.T) {
-	u := newIMAPUpdates(nil)
-
-	u.forbidExpunge("mbox")
-	can, wait := u.CanDelete("mbox")
-	require.False(t, can)
-
-	ch := make(chan time.Duration)
-	go func() {
-		start := time.Now()
-		wait()
-		ch <- time.Since(start)
-		close(ch)
-	}()
-
-	time.Sleep(200 * time.Millisecond)
-	u.allowExpunge("mbox")
-	duration := <-ch
-
-	require.True(t, duration > 200*time.Millisecond)
+	for _, tt := range tests {
+		val, _ := getFlagValue(tt.args, tt.flag)
+		require.Equal(t, val, tt.expected)
+	}
 }
--- a/cmd/launcher/main.go
+++ b/cmd/launcher/main.go
@ -1,4 +1,4 @@
-// Copyright (c) 2022 Proton AG
+// Copyright (c) 2025 Proton AG
 //
 // This file is part of Proton Mail Bridge.
 //
@ -18,112 +18,149 @@
 package main

 import (
-	"fmt"
+	"io"
 	"os"
 	"path/filepath"
 	"runtime"
 	"time"

 	"github.com/Masterminds/semver/v3"
+	"github.com/ProtonMail/gluon/async"
 	"github.com/ProtonMail/gopenpgp/v2/crypto"
-	"github.com/ProtonMail/proton-bridge/v2/internal/config/useragent"
-	"github.com/ProtonMail/proton-bridge/v2/internal/constants"
-	"github.com/ProtonMail/proton-bridge/v2/internal/crash"
-	"github.com/ProtonMail/proton-bridge/v2/internal/locations"
-	"github.com/ProtonMail/proton-bridge/v2/internal/logging"
-	"github.com/ProtonMail/proton-bridge/v2/internal/sentry"
-	"github.com/ProtonMail/proton-bridge/v2/internal/updater"
-	"github.com/ProtonMail/proton-bridge/v2/internal/versioner"
+	"github.com/ProtonMail/proton-bridge/v3/internal/constants"
+	"github.com/ProtonMail/proton-bridge/v3/internal/crash"
+	"github.com/ProtonMail/proton-bridge/v3/internal/locations"
+	"github.com/ProtonMail/proton-bridge/v3/internal/logging"
+	"github.com/ProtonMail/proton-bridge/v3/internal/sentry"
+	"github.com/ProtonMail/proton-bridge/v3/internal/updater"
+	"github.com/ProtonMail/proton-bridge/v3/internal/useragent"
+	"github.com/ProtonMail/proton-bridge/v3/internal/versioner"
 	"github.com/bradenaw/juniper/xslices"
 	"github.com/elastic/go-sysinfo"
 	"github.com/elastic/go-sysinfo/types"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
+	"golang.org/x/exp/slices"
 	"golang.org/x/sys/execabs"
 )

 const (
 	appName      = "Proton Mail Launcher"
-	configName = "bridge"
 	exeName      = "bridge"
 	guiName      = "bridge-gui"
+	launcherName = "launcher"

-	FlagCLI      = "--cli"
-	FlagCLIShort = "-c"
-	FlagLauncher = "--launcher"
-	FlagWait     = "--wait"
+	FlagCLI                 = "cli"
+	FlagCLIShort            = "c"
+	FlagNonInteractive      = "noninteractive"
+	FlagNonInteractiveShort = "n"
+	FlagLauncher            = "launcher"
+	FlagWait                = "wait"
+	FlagSessionID           = "session-id"
+	HyphenatedFlagLauncher  = "--" + FlagLauncher
+	HyphenatedFlagWait      = "--" + FlagWait
+	HyphenatedFlagSessionID = "--" + FlagSessionID
 )

 func main() { //nolint:funlen
-	reporter := sentry.NewReporter(appName, constants.Version, useragent.New())
+	logrus.SetLevel(logrus.DebugLevel)
+	l := logrus.WithField("launcher_version", constants.Version)
+
+	reporter := sentry.NewReporter(appName, useragent.New())

 	crashHandler := crash.NewHandler(reporter.ReportException)
-	defer crashHandler.HandlePanic()
+	defer async.HandlePanic(crashHandler)

-	locationsProvider, err := locations.NewDefaultProvider(filepath.Join(constants.VendorName, configName))
+	locationsProvider, err := locations.NewDefaultProvider(filepath.Join(constants.VendorName, constants.ConfigName))
 	if err != nil {
-		logrus.WithError(err).Fatal("Failed to get locations provider")
+		l.WithError(err).Fatal("Failed to get locations provider")
 	}

-	locations := locations.New(locationsProvider, configName)
+	locations := locations.New(locationsProvider, constants.ConfigName)

 	logsPath, err := locations.ProvideLogsPath()
 	if err != nil {
-		logrus.WithError(err).Fatal("Failed to get logs path")
-	}
-	crashHandler.AddRecoveryAction(logging.DumpStackTrace(logsPath))
-
-	if err := logging.Init(logsPath); err != nil {
-		logrus.WithError(err).Fatal("Failed to setup logging")
+		l.WithError(err).Fatal("Failed to get logs path")
 	}

-	logging.SetLevel(os.Getenv("VERBOSITY"))
+	sessionID := logging.NewSessionID()
+	crashHandler.AddRecoveryAction(logging.DumpStackTrace(logsPath, sessionID, launcherName))
+
+	var closer io.Closer
+	if closer, err = logging.Init(
+		logsPath,
+		sessionID,
+		logging.LauncherShortAppName,
+		logging.DefaultMaxLogFileSize,
+		logging.NoPruning,
+		os.Getenv("VERBOSITY"),
+	); err != nil {
+		l.WithError(err).Fatal("Failed to setup logging")
+	}
+
+	defer func() {
+		_ = logging.Close(closer)
+	}()

 	updatesPath, err := locations.ProvideUpdatesPath()
 	if err != nil {
-		logrus.WithError(err).Fatal("Failed to get updates path")
+		l.WithError(err).Fatal("Failed to get updates path")
 	}

 	key, err := crypto.NewKeyFromArmored(updater.DefaultPublicKey)
 	if err != nil {
-		logrus.WithError(err).Fatal("Failed to create new verification key")
+		l.WithError(err).Fatal("Failed to create new verification key")
 	}

 	kr, err := crypto.NewKeyRing(key)
 	if err != nil {
-		logrus.WithError(err).Fatal("Failed to create new verification keyring")
+		l.WithError(err).Fatal("Failed to create new verification keyring")
 	}

 	versioner := versioner.New(updatesPath)

-	exeToLaunch := guiName
-	args := os.Args[1:]
-	if inCLIMode(args) {
-		exeToLaunch = exeName
-	}
-
-	exe, err := getPathToUpdatedExecutable(exeToLaunch, versioner, kr, reporter)
-	if err != nil {
-		if exe, err = getFallbackExecutable(exeToLaunch, versioner); err != nil {
-			logrus.WithError(err).Fatal("Failed to find any launchable executable")
-		}
-	}
-
 	launcher, err := os.Executable()
 	if err != nil {
 		logrus.WithError(err).Fatal("Failed to determine path to launcher")
 	}

-	args, wait, mainExe := findAndStripWait(args)
-	if wait {
-		waitForProcessToFinish(mainExe)
+	l = l.WithField("launcher_path", launcher)
+
+	args := os.Args[1:]
+
+	exe, err := getPathToUpdatedExecutable(filepath.Base(launcher), versioner, kr)
+	if err != nil {
+		exeToLaunch := guiName
+		if inCLIMode(args) {
+			exeToLaunch = exeName
 		}

-	cmd := execabs.Command(exe, appendLauncherPath(launcher, args)...) //nolint:gosec
+		l = l.WithField("exe_to_launch", exeToLaunch)
+		l.WithError(err).Info("No more updates found, looking up bridge executable")
+
+		path, err := versioner.GetExecutableInDirectory(exeToLaunch, filepath.Dir(launcher))
+		if err != nil {
+			l.WithError(err).Fatal("No executable in launcher directory")
+		}
+
+		exe = path
+	}
+
+	l = l.WithField("exe_path", exe)
+
+	args, wait, mainExes := findAndStripWait(args)
+	if wait {
+		for _, mainExe := range mainExes {
+			waitForProcessToFinish(mainExe)
+		}
+	}
+
+	cmd := execabs.Command(exe, appendLauncherPath(launcher, appendOrModifySessionID(args, string(sessionID)))...) //nolint:gosec

 	cmd.Stdin = os.Stdin
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
+	cmd.Env = os.Environ()

 	// On windows, if you use Run(), a terminal stays open; we don't want that.
 	if //goland:noinspection GoBoolExpressions
@ -134,15 +171,15 @@ func main() { //nolint:funlen
 	}

 	if err != nil {
-		logrus.WithError(err).Fatal("Failed to launch")
+		l.WithError(err).Fatal("Failed to launch")
 	}
 }

 // appendLauncherPath add launcher path if missing.
 func appendLauncherPath(path string, args []string) []string {
-	if !sliceContains(args, FlagLauncher) {
+	if !slices.Contains(args, HyphenatedFlagLauncher) {
 		res := append([]string{}, args...)
-		res = append(res, FlagLauncher, path)
+		res = append(res, HyphenatedFlagLauncher, path)
 		return res
 	}
 	return args
@ -150,12 +187,17 @@ func appendLauncherPath(path string, args []string) []string {

 // inCLIMode detect if CLI mode is asked.
 func inCLIMode(args []string) bool {
-	return sliceContains(args, FlagCLI) || sliceContains(args, FlagCLIShort)
+	return hasFlag(args, FlagCLI) || hasFlag(args, FlagCLIShort) || hasFlag(args, FlagNonInteractive) || hasFlag(args, FlagNonInteractiveShort)
 }

-// sliceContains checks if a value is present in a list.
-func sliceContains[T comparable](list []T, s T) bool {
-	return xslices.Any(list, func(arg T) bool { return arg == s })
+// hasFlag checks if a flag is present in a list.
+func hasFlag(args []string, flag string) bool {
+	return flagIndex(args, flag) >= 0
+}
+
+// flagIndex returns the position of the first occurrence of a flag int args, or -1 if the flag is not present.
+func flagIndex(args []string, flag string) int {
+	return slices.IndexFunc(args, func(arg string) bool { return (arg == "-"+flag) || (arg == "--"+flag) })
 }

 // findAndStrip check if a value is present in s list and remove all occurrences of the value from this list.
@ -167,37 +209,54 @@ func findAndStrip[T comparable](slice []T, v T) (strippedList []T, found bool) {
 }

 // findAndStripWait Check for waiter flag get its value and clean them both.
-func findAndStripWait(args []string) ([]string, bool, string) {
+func findAndStripWait(args []string) ([]string, bool, []string) {
 	res := append([]string{}, args...)

 	hasFlag := false
-	var value string
-
+	values := make([]string, 0)
 	for k, v := range res {
-		if v != FlagWait {
+		if v != HyphenatedFlagWait {
 			continue
 		}
 		if k+1 >= len(res) {
 			continue
 		}
 		hasFlag = true
-		value = res[k+1]
+		values = append(values, res[k+1])
 	}

 	if hasFlag {
-		res, _ = findAndStrip(res, FlagWait)
-		res, _ = findAndStrip(res, value)
+		res, _ = findAndStrip(res, HyphenatedFlagWait)
+		for _, v := range values {
+			res, _ = findAndStrip(res, v)
 		}
-	return res, hasFlag, value
+	}
+	return res, hasFlag, values
+}
+
+// return args with the sessionID flag and value added or modified. The original slice is not modified.
+func appendOrModifySessionID(args []string, sessionID string) []string {
+	index := flagIndex(args, FlagSessionID)
+	if index < 0 {
+		return append(args, HyphenatedFlagSessionID, sessionID)
+	}
+
+	if index == len(args)-1 {
+		return append(args, sessionID)
+	}
+
+	res := slices.Clone(args)
+	res[index+1] = sessionID
+
+	return res
 }

 func getPathToUpdatedExecutable(
 	name string,
-	versioner *versioner.Versioner,
+	ver *versioner.Versioner,
 	kr *crypto.KeyRing,
-	reporter *sentry.Reporter,
 ) (string, error) {
-	versions, err := versioner.ListVersions()
+	versions, err := ver.ListVersions()
 	if err != nil {
 		return "", errors.Wrap(err, "failed to list available versions")
 	}
@ -208,15 +267,15 @@ func getPathToUpdatedExecutable(
 	}

 	for _, version := range versions {
-		vlog := logrus.WithField("version", version)
+		vlog := logrus.WithFields(logrus.Fields{
+			"version":       constants.Version,
+			"check_version": version,
+			"name":          name,
+		})

 		if err := version.VerifyFiles(kr); err != nil {
 			vlog.WithError(err).Error("Files failed verification and will be removed")

-			if err := reporter.ReportMessage(fmt.Sprintf("version %v failed verification: %v", version, err)); err != nil {
-				vlog.WithError(err).Error("Failed to report corrupt update files")
-			}
-
 			if err := version.Remove(); err != nil {
 				vlog.WithError(err).Error("Failed to remove files")
 			}
@ -241,17 +300,6 @@ func getPathToUpdatedExecutable(
 	return "", errors.New("no available newer versions")
 }

-func getFallbackExecutable(name string, versioner *versioner.Versioner) (string, error) {
-	logrus.Info("Searching for fallback executable")
-
-	launcher, err := os.Executable()
-	if err != nil {
-		return "", errors.Wrap(err, "failed to determine path to launcher")
-	}
-
-	return versioner.GetExecutableInDirectory(name, filepath.Dir(launcher))
-}
-
 // waitForProcessToFinish waits until the process with the given path is finished.
 func waitForProcessToFinish(exePath string) {
 	for {
@ -270,7 +318,8 @@ func waitForProcessToFinish(exePath string) {
 		if xslices.Any(processes, func(process types.Process) bool {
 			info, err := process.Info()
 			if err != nil {
-				logrus.WithError(err).Error("Could not retrieve process info")
+				logrus.WithError(err).Trace("Could not retrieve process info")
+				return false
 			}

 			return sameFile(exeInfo, info.Exe)
@ -288,6 +337,7 @@ func sameFile(info os.FileInfo, path string) bool {
 	pathInfo, err := os.Stat(path)
 	if err != nil {
 		logrus.WithError(err).WithField("file", path).Error("Could not retrieve file info")
+		return false
 	}

 	return os.SameFile(pathInfo, info)
--- a/cmd/launcher/main_test.go
+++ b/cmd/launcher/main_test.go
@ -1,4 +1,4 @@
-// Copyright (c) 2022 Proton AG
+// Copyright (c) 2025 Proton AG
 //
 // This file is part of Proton Mail Bridge.
 //
@ -20,39 +20,62 @@ package main
 import (
 	"testing"

-	"github.com/bradenaw/juniper/xslices"
+	"github.com/ProtonMail/proton-bridge/v3/internal/logging"
 	"github.com/stretchr/testify/assert"
 )

-func TestSliceContains(t *testing.T) {
-	assert.True(t, sliceContains([]string{"a", "b", "c"}, "a"))
-	assert.True(t, sliceContains([]int{1, 2, 3}, 2))
-	assert.False(t, sliceContains([]string{"a", "b", "c"}, "A"))
-	assert.False(t, sliceContains([]int{1, 2, 3}, 4))
-	assert.False(t, sliceContains([]string{}, "a"))
-	assert.True(t, sliceContains([]string{"a", "a"}, "a"))
-}
-
 func TestFindAndStrip(t *testing.T) {
 	list := []string{"a", "b", "c", "c", "b", "c"}

 	result, found := findAndStrip(list, "a")
 	assert.True(t, found)
-	assert.True(t, xslices.Equal(result, []string{"b", "c", "c", "b", "c"}))
+	assert.Equal(t, result, []string{"b", "c", "c", "b", "c"})

 	result, found = findAndStrip(list, "c")
 	assert.True(t, found)
-	assert.True(t, xslices.Equal(result, []string{"a", "b", "b"}))
+	assert.Equal(t, result, []string{"a", "b", "b"})

 	result, found = findAndStrip([]string{"c", "c", "c"}, "c")
 	assert.True(t, found)
-	assert.True(t, xslices.Equal(result, []string{}))
+	assert.Equal(t, result, []string{})

 	result, found = findAndStrip(list, "A")
 	assert.False(t, found)
-	assert.True(t, xslices.Equal(result, list))
+	assert.Equal(t, result, list)

 	result, found = findAndStrip([]string{}, "a")
 	assert.False(t, found)
-	assert.True(t, xslices.Equal(result, []string{}))
+	assert.Equal(t, result, []string{})
+}
+
+func TestFindAndStripWait(t *testing.T) {
+	result, found, values := findAndStripWait([]string{"a", "b", "c"})
+	assert.False(t, found)
+	assert.Equal(t, result, []string{"a", "b", "c"})
+	assert.Equal(t, values, []string{})
+
+	result, found, values = findAndStripWait([]string{"a", "--wait", "b"})
+	assert.True(t, found)
+	assert.Equal(t, result, []string{"a"})
+	assert.Equal(t, values, []string{"b"})
+
+	result, found, values = findAndStripWait([]string{"a", "--wait", "b", "--wait", "c"})
+	assert.True(t, found)
+	assert.Equal(t, result, []string{"a"})
+	assert.Equal(t, values, []string{"b", "c"})
+
+	result, found, values = findAndStripWait([]string{"a", "--wait", "b", "--wait", "c", "--wait", "d"})
+	assert.True(t, found)
+	assert.Equal(t, result, []string{"a"})
+	assert.Equal(t, values, []string{"b", "c", "d"})
+}
+
+func TestAppendOrModifySessionID(t *testing.T) {
+	sessionID := string(logging.NewSessionID())
+	assert.Equal(t, appendOrModifySessionID(nil, sessionID), []string{"--session-id", sessionID})
+	assert.Equal(t, appendOrModifySessionID([]string{}, sessionID), []string{"--session-id", sessionID})
+	assert.Equal(t, appendOrModifySessionID([]string{"--cli"}, sessionID), []string{"--cli", "--session-id", sessionID})
+	assert.Equal(t, appendOrModifySessionID([]string{"--cli", "--session-id"}, sessionID), []string{"--cli", "--session-id", sessionID})
+	assert.Equal(t, appendOrModifySessionID([]string{"--cli", "--session-id"}, sessionID), []string{"--cli", "--session-id", sessionID})
+	assert.Equal(t, appendOrModifySessionID([]string{"--session-id", "<oldID>", "--cli"}, sessionID), []string{"--session-id", sessionID, "--cli"})
 }
--- a/dist/bridgeMacOS.svg
+++ b/dist/bridgeMacOS.svg
@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg width="100%" height="100%" viewBox="0 0 260 260" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linejoin:round;stroke-miterlimit:2;">
+    <g>
+        <g transform="matrix(1.27944,0,0,1.35453,-34.9539,-16.0513)">
+            <path d="M40,62.391C40,38.979 58.979,20 82.391,20L177.609,20C201.021,20 220,38.979 220,62.391L220,157.609C220,181.021 201.021,200 177.609,200L82.391,200C58.979,200 40,181.021 40,157.609L40,62.391Z" style="fill:white;fill-rule:nonzero;"/>
+        </g>
+        <g transform="matrix(1.41874,0,0,1.41874,-55.214,-18.9171)">
+            <path d="M129.748,48.657C101.923,48.657 79.369,71.21 79.369,99.035L79.369,149.747C79.369,155.139 83.74,159.509 89.131,159.509L171.407,159.509C176.22,159.509 180.126,155.604 180.126,150.79L180.126,99.035C180.126,71.214 157.572,48.657 129.748,48.657ZM158.746,98.755L136.726,117.305C132.752,120.655 126.939,120.655 122.965,117.305L100.945,98.755C100.945,83.014 113.708,70.251 129.45,70.251L130.242,70.251C145.983,70.251 158.746,83.014 158.746,98.755Z" style="fill:rgb(109,74,255);fill-rule:nonzero;"/>
+        </g>
+        <g transform="matrix(1.41874,0,0,1.41874,-55.214,-18.9171)">
+            <path d="M129.748,48.657C101.923,48.657 79.369,71.21 79.369,99.035L79.369,149.748C79.369,155.139 83.74,159.509 89.131,159.509L171.407,159.509C176.22,159.509 180.126,155.604 180.126,150.79L180.126,99.035C180.126,71.214 157.572,48.657 129.748,48.657ZM158.746,98.755L136.726,117.305C132.752,120.655 126.939,120.655 122.965,117.305L100.945,98.755C100.945,83.014 113.708,70.251 129.45,70.251L130.242,70.251C145.983,70.251 158.746,83.014 158.746,98.755Z" style="fill:url(#_Linear1);fill-rule:nonzero;"/>
+        </g>
+        <g transform="matrix(1.41874,0,0,1.41874,-55.214,-18.9171)">
+            <path d="M136.764,117.529C134.468,119.388 128.499,121.99 122.989,117.529C117.479,113.069 106.044,103.208 101.015,98.835L101.041,98.835L100.946,98.756C100.946,83.014 113.709,70.251 129.45,70.251L130.242,70.251C145.984,70.251 158.746,83.014 158.746,98.756L158.652,98.835L158.737,98.835L158.737,159.51L171.407,159.51C176.221,159.51 180.126,155.604 180.126,150.79L180.126,99.035C180.126,71.214 157.573,48.657 129.748,48.657C101.923,48.657 79.37,71.211 79.37,99.035L79.37,102.219L110.526,129.008C112.822,131.195 118.857,134.256 124.629,129.008C130.401,123.761 135.124,119.169 136.764,117.529Z" style="fill:url(#_Radial2);fill-rule:nonzero;"/>
+        </g>
+    </g>
+    <defs>
+        <linearGradient id="_Linear1" x1="0" y1="0" x2="1" y2="0" gradientUnits="userSpaceOnUse" gradientTransform="matrix(15.0864,-42.636,42.636,15.0864,82.9769,172.3)"><stop offset="0" style="stop-color:rgb(40,176,232);stop-opacity:1"/><stop offset="1" style="stop-color:rgb(197,183,255);stop-opacity:0"/></linearGradient>
+        <radialGradient id="_Radial2" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="matrix(-94.8157,-85.2706,69.7189,-77.5232,174.186,168.693)"><stop offset="0" style="stop-color:rgb(226,219,255);stop-opacity:1"/><stop offset="1" style="stop-color:rgb(109,74,255);stop-opacity:1"/></radialGradient>
+    </defs>
+</svg>
--- a/dist/info.rc
+++ b/dist/info.rc
@ -3,7 +3,7 @@

 IDI_ICON1 ICON DISCARDABLE STRINGIZE(ICO_FILE)

-#define FILE_COMMENTS "The Bridge is an application that runs on your computer in the background and seamlessly encrypts and decrypts your mail as it enters and leaves your computer."
+#define FILE_COMMENTS "Proton Mail Bridge is a desktop application that runs in the background, encrypting and decrypting messages as they enter and leave your computer."
 #define FILE_DESCRIPTION "Proton Mail Bridge"
 #define INTERNAL_NAME STRINGIZE(EXE_NAME)
 #define PRODUCT_NAME "Proton Mail Bridge for Windows"
--- a/dist/proton-bridge.desktop
+++ b/dist/proton-bridge.desktop
@ -3,7 +3,7 @@ Type=Application
 Version=1.1
 Name=Proton Mail Bridge
 GenericName=Proton Mail Bridge for Linux
-Comment=The Bridge is an application that runs on your computer in the background and seamlessly encrypts and decrypts your mail as it enters and leaves your computer.
+Comment=Proton Mail Bridge is a desktop application that runs in the background, encrypting and decrypting messages as they enter and leave your computer.
 Icon=protonmail-bridge
 Exec=protonmail-bridge
 Terminal=false
--- a/doc/bridge.md
+++ b/doc/bridge.md
@ -1,135 +0,0 @@
-# Bridge
-
-## Main blocks
-
-This is basic overview of the main bridge blocks.
-
-Note connection between IMAP/SMTP and PMAPI. IMAP and SMTP packages are in the queue to be refactored
-and we would like to try to have functionality in bridge core or bridge utilities (such as messages)
-than direct usage of PMAPI from IMAP or SMTP. Also database (BoltDB) should be moved to bridge core.
-
-```mermaid
-graph LR
-    S[Server]
-    C[Client]
-    U[User]
-
-    subgraph "Bridge app"
-        Core[Bridge core]
-        API[PMAPI]
-        Store
-        DB[BoltDB]
-        Frontend["Qt / CLI"]
-        IMAP
-        SMTP
-
-        IMAP --> Store
-        IMAP --> Core
-        SMTP --> Core
-        SMTP --> API
-        Core --> API
-        Core --> Store
-        Store --> API
-        Store --> DB
-        Frontend --> Core
-
-    end
-
-    C --> IMAP
-    C --> SMTP
-    U --> Frontend
-    API --> S
-```
-
-## Code structure
-
-More detailed graph of main types used in Bridge app and connection between them. Here is already
-communication to PMAPI only from bridge core which is not true, yet. IMAP and SMTP are still calling
-PMAPI directly.
-
-```mermaid
-graph TD
-
-    C["Client (e.g. Thunderbird)"]
-    PM[Proton Mail Server]
-
-    subgraph "Bridge app"
-        subgraph "Bridge core"
-            B[Bridge]
-            U[User]
-
-            B --> U
-        end
-
-        subgraph Store
-            StoreU[Store User]
-            StoreA[Address]
-            StoreM[Mailbox]
-
-            StoreU --> StoreA
-            StoreA --> StoreM
-        end
-
-        subgraph Credentials
-            CredStore[Store]
-            Creds[Credentials]
-
-            CredStore --> Creds
-        end
-
-        subgraph Frontend
-            CLI
-            Qt
-        end
-
-        subgraph IMAP
-            IB[IMAP backend]
-            IA[IMAP address]
-            IM[IMAP mailbox]
-
-            IB --> B
-            IB --> IA
-            IA --> IM
-            IA --> U
-            IA --> StoreA
-            IM --> StoreM
-        end
-
-        subgraph SMTP
-            SB[SMTP backend]
-            SS[SMTP session]
-
-            SB --> B
-            SB --> SS
-            SS --> U
-        end
-    end
-
-    subgraph PMAPI
-        AC[Client]
-    end
-
-    C --> IB
-    C --> SB
-
-    CLI --> B
-    Qt --> B
-
-    U --> CredStore
-    U --> Creds
-
-    U --> StoreU
-
-    StoreU --> AC
-    StoreA --> AC
-    StoreM --> AC
-
-    B --> AC
-    U --> AC
-
-    AC --> PM
-```
-
-## How to debug
-
-Run `make run-debug` which starts [Delve](https://github.com/go-delve/delve).
--- a/doc/communication.md
+++ b/doc/communication.md
@ -1,114 +0,0 @@
-# Communication
-
-## First login and sync
-
-When user logs in to the bridge for the first time, immediatelly starts the first sync.
-First sync downloads all headers of all e-mails and creates database to have proper UIDs
-and indexes for IMAP. See [database](database.md) for more information.
-
-By default, whenever it's possible, sync downloads only all e-mails maiblox which already
-have list of labels so we can construct all mailboxes (inbox, sent, trash, custom folders
-and lables) without need to download each e-mail headers many times.
-
-Note that we need to download also bodies to calculate size of the e-mail and set proper
-content type (clients uses content type for guess if e-mail contains attachment)--but only
-body, not attachment. Also it's downloaded only for the first time. After that we store
-those information in our database so next time we only sync headers, labels and so on.
-
-First sync takes some time. List of 150 messages takes about second and then we need to
-download bodies for each message. We still need to do some optimalizations. Anyway, if
-user has reasonable amount of e-mails, there is good chance user will see e-mails in the
-client right after adding account.
-
-When account is added to client, client start the sync. This sync will ask Bridge app
-for all headers (done quickly) and then starts to download all bodies and attachment.
-Unfortunatelly for some e-mail more than once if the same e-mail is in more mailboxes
-(e.g. inbox and all mail)--there is no way to tell over IMAP it's the same message.
-
-After successful login of client to IMAP, Bridge starts event loop. That periodicly ask
-servers (each 30 seconds) for new updates (new message, keys, …).
-
-```mermaid
-sequenceDiagram
-    participant S as Server
-    participant B as Bridge
-    participant C as Client
-
-    Note right of B: Set up PM account<br/>by user
-
-    loop First sync
-        B ->> S: Fetch body and attachements
-        Note right of B: Build local database<br/>(e-mail UIDs)
-    end
-
-    Note right of C: Set up IMAP/SMTP<br/>by user
-
-    C ->> B: IMAP login
-    B ->> S: Authenticate user
-    Note right of B: Create IMAP user
-
-    loop Event loop, every 30 sec
-        B ->> S: Fetch e-mail headers
-        B ->> C: Send IMAP IDLE response
-    end
-
-    C ->> B: IMAP LIST directories
-
-    loop Client sync
-        C ->> B: IMAP SELECT directory
-        C ->> B: IMAP SEARCH e-mails UIDs
-        C ->> B: IMAP FETCH of e-mail UID
-        B ->> S: Fetch body and attachements
-        Note right of B: Decrypt message<br/>and attachement
-        B ->> C: IMAP response
-    end
-```
-
-## IMAP IDLE extension
-
-IMAP IDLE is extension, it has to be supported by both client and server. IMAP server (in our case
-the bridge) supports it so clients can use it. It works by issuing `IDLE` command by the client and
-keeps the connection open. When the server has some update, server (the bridge) will respond to that
-by `EXISTS` (new message), `APPEND` (imported message), `EXPUNGE` (deleted message) or `MOVE` response.
-
-Even when there is connection with IDLE open, server can mark the client as inactive. Therefore,
-it's recommended the client should reissue the connection after each 29 minutes. This is not the
-real push and can fail!
-
-Our event loop is also simple pull and it will trigger IMAP IDLE when we get some new update from 
-the server. Would be good to have push from the server, but we need to wait for the support on API.
-
-RFC: https://tools.ietf.org/html/rfc2177
-
-```mermaid
-sequenceDiagram
-    participant S as Server
-    participant B as Bridge
-    participant C as Client
-
-    C ->> B: IMAP IDLE
-
-    loop Every 30 seconds
-        S ->> B: Checking events
-        B ->> C: IMAP response
-    end
-```
-
-## Sending e-mails
-
-E-mail are sent over standard SMTP protocol. Our bridge takes the message, encrypts and sent it
-further to our server which will then send the message to its final destination. The important
-and tricky part is encryption. See [encryption](encryption.md) or [PMEL document](https://docs.google.com/document/d/1lEBkG0DC5FOWlumInKtu4a9Cc1Eszp48ZhFy9UpPQso/edit)
-for more information.
-
-```mermaid
-sequenceDiagram
-    participant S as Server
-    participant B as Bridge
-    participant C as Client
-
-    C ->> B: SMTP send e-mail
-    Note right of B: Encrypt messages
-    B ->> S: Send encrypted e-mail
-    B ->> C: Respond OK
-```
--- a/doc/database.md
+++ b/doc/database.md
@ -1,27 +0,0 @@
-# Database
-
-Bridge needs to have a small database to pair our IDs with IMAP UIDs and indexes. IMAP protocol
-requires every message to have an unique UID in mailbox. In this context, mailbox is not an account,
-but a folder or label. This means that one message can have more UIDs, one for each mailbox (folder), 
-and that two messages can have the same UID, but each for different mailbox (folder).
-
-IMAP index is just an index. Look at it like to an array: `["UID1", "UID2", "UID3"]`. We can access
-message by UID or index; for example index 2 and UID `UID2`. When this message is deleted, we need
-to re-index all following messages. The array will look now like `["UID1", "UID3"]` and the last
-message can be accessed by index 2 or UID `UID3`.
-
-See RFCs for more information:
-
-* https://tools.ietf.org/html/rfc822
-* https://tools.ietf.org/html/rfc3501
-
-Our database is currently built on BBolt and have those buckets (key-value storage):
-
-* Message metadata bucket:
-
-    * `[metadataBucket][API_ID] -> pmapi.Message{subject, from, to, size, other headers...}` (without body or attachment)
-
-* Mapping buckets
-
-    * `[mailboxesBucket][addressID-mailboxID][api_ids][API_ID] -> UID`
-    * `[mailboxesBucket][addressID-mailboxID][imap_ids][UID] -> API_ID`
--- a/doc/encryption.md
+++ b/doc/encryption.md
@ -1,12 +0,0 @@
-# Encryption
-
-Encryption is done in PMAPI, bridge utils and bridge itself. The best would be to keep encryption
-in PMAPI and bridge utils (in package such as messages). All packages are using our high-level
-GopenPGP library on top of OpenPGP.
-
-## `gopenpgp.KeyRing`
-
-We use one `KeyRing` per address. Our usage then contains all keys for specific address. Primary
-key is always on the first position, then there old ones to be able to decrypt last e-mail.
-OpenPGP encrypts given message with all available keys, so we need to first get first (primary)
-key for encryption to have message encrypted only once with primary key.
--- a/doc/index.md
+++ b/doc/index.md
@ -1,9 +0,0 @@
-# Bridge Documentation
-
-Documentation pages in order to read for a novice:
-
-* [Bridge code](bridge.md)
-* [Internal Bridge database](database.md)
-* [Communication between Bridge, Client and Server](communication.md)
-* [Encryption](encryption.md)
-
--- a/doc/updates.md
+++ b/doc/updates.md
@ -1,103 +0,0 @@
-# Update mechanism of Bridge
-
-There are mulitple options how to change version of application:
-* Automatic in-app update
-* Manual in-app update
-* Manual install
-
-In-app update ends with restarting bridge into new version. Automatic in-app
-update is downloading, verifying and installing the new version immediatelly
-without user confirmation. For manual in-app update user needs to confirm first.
-Update is done from special update file published on website.
-
-The manual installation requires user to download, verify and install manually
-using installer for given OS.
-
-The bridge is installed and executed differently for given OS:
-
-* Windows and Linux apps are using launcher mechanism:
-    * There is system protected installation path which is created on first
-      install. It contains bridge exe and launcher exe. When users starts
-      bridge the launcher is executed first. It will check update path compare
-      version with installed one. The newer version then is then executed.
-    * Update mechanism means to replace files in update folder which is located
-      in user space.
-
-* macOS app does not use launcher
-    * No launcher, only one executable
-    * In-App udpate replaces the bridge files in installation path directly
-
-
-```mermaid
-flowchart LR
-    subgraph Frontend
-    U[User requests<br>version check]
-    ManIns((Notify user about<br>manual install<br>is needed))
-    R((Notify user<br>about restart))
-    ManUp((Notify user about<br>manual update))
-    NF((Notify user about<br>force update))
-
-    ManUp -->|Install| InstFront[Install]
-    InstFront -->|Ok| R
-    InstFront -->|Error| ManIns
-
-    U --> CheckFront[Check online]
-    CheckFront -->|Ok| IAFront{Is new version<br>and applicable?}
-    CheckFront -->|Error| ManIns
-
-    IAFront -->|No| Latest((Notify user<br>has latest version))
-    IAFront -->|Yes| CanInstall{Can update?}
-    CanInstall -->|No| ManIns
-    CanInstall -->|Yes| NotifOrInstall{Is automatic<br>update enabled?}
-    NotifOrInstall -->|Manual| ManUp
-    end
-
-
-    subgraph Backend
-    W[Wait for next check]
-
-    W --> Check[Check online]
-
-    Check --> NV{Has new<br>version?}
-    Check -->|Error| W
-    NV -->|No new version| W
-    IA{Is install<br>applicable?}
-    NV -->|New version<br>available| IA
-    IA -->|Local rollout<br>not enough| W
-    IA -->|Yes| AU{Is automatic\nupdate enabled?}
-
-    AU -->|Yes| CanUp{Can update?}
-    CanUp -->|No| ManIns
-
-    CanUp -->|Yes| Ins[Install]
-    Ins -->|Error| ManIns
-    Ins -->|Ok| R
-
-    AU -->|No| ManUp
-    ManUp -->|Ignore| W
-
-
-    F[Force update]
-    F --> NF
-    end
-
-    ManIns --> Web[Open web page]
-    NF --> Web
-    ManUp --> Web
-    R --> Re[Restart]
-    NF --> Q[Quit bridge]
-    NotifOrInstall -->|Automatic| W
-```
-
-
-The non-trivial is to combine the update with setting change:
-* turn off/on automatic in-app updates
-* change from stable to beta or back
-
-_TODO fill flow chart details_
-
-
-We are not support downgrade functionality. Only some circumstances can lead to
-downgrading the app version.
-
-_TODO fill flow chart details_
--- a/extern/vcpkg
+++ b/extern/vcpkg
--- a/go.mod
+++ b/go.mod
@ -1,108 +1,138 @@
-module github.com/ProtonMail/proton-bridge/v2
+module github.com/ProtonMail/proton-bridge/v3

-go 1.18
+go 1.23
+
+toolchain go1.23.4

 require (
 	github.com/0xAX/notificator v0.0.0-20220220101646-ee9b8921e557
-	github.com/Masterminds/semver/v3 v3.1.1
+	github.com/Masterminds/semver/v3 v3.2.0
+	github.com/ProtonMail/gluon v0.17.1-0.20250116113909-2ebd96ec0bc2
 	github.com/ProtonMail/go-autostart v0.0.0-20210130080809-00ed301c8e9a
-	github.com/ProtonMail/go-crypto v0.0.0-20220824120805-4b6e5c587895
-	github.com/ProtonMail/go-imap-id v0.0.0-20190926060100-f94a56b9ecde
-	github.com/ProtonMail/go-rfc5322 v0.11.0
-	github.com/ProtonMail/go-srp v0.0.5
-	github.com/ProtonMail/go-vcard v0.0.0-20180326232728-33aaa0a0c8a5
-	github.com/ProtonMail/gopenpgp/v2 v2.4.10
-	github.com/PuerkitoBio/goquery v1.8.0
+	github.com/ProtonMail/go-proton-api v0.4.1-0.20250217140732-2e531f21de4c
+	github.com/ProtonMail/gopenpgp/v2 v2.8.2-proton
+	github.com/PuerkitoBio/goquery v1.8.1
 	github.com/abiosoft/ishell v2.0.0+incompatible
 	github.com/allan-simon/go-singleinstance v0.0.0-20210120080615-d0997106ab37
-	github.com/bradenaw/juniper v0.8.0
+	github.com/bradenaw/juniper v0.12.0
 	github.com/cucumber/godog v0.12.5
 	github.com/cucumber/messages-go/v16 v16.0.1
-	github.com/docker/docker-credential-helpers v0.6.4
-	github.com/elastic/go-sysinfo v1.8.1
+	github.com/docker/docker-credential-helpers v0.8.1
+	github.com/elastic/go-sysinfo v1.11.2-0.20231129083954-35e55cd2a542
 	github.com/emersion/go-imap v1.2.1
-	github.com/emersion/go-imap-appendlimit v0.0.0-20210907172056-e3baed77bbe4
-	github.com/emersion/go-imap-move v0.0.0-20210907172020-fe4558f9c872
-	github.com/emersion/go-imap-quota v0.0.0-20210203125329-619074823f3c
-	github.com/emersion/go-imap-unselect v0.0.0-20210907172115-4c2c4843bf69
+	github.com/emersion/go-imap-id v0.0.0-20190926060100-f94a56b9ecde
 	github.com/emersion/go-message v0.16.0
 	github.com/emersion/go-sasl v0.0.0-20220912192320-0145f2c60ead
-	github.com/emersion/go-smtp v0.15.0
-	github.com/emersion/go-textwrapper v0.0.0-20200911093747-65d896831594
+	github.com/emersion/go-smtp v0.15.1-0.20221021114529-49b17434419d
+	github.com/emersion/go-vcard v0.0.0-20230331202150-f3d26859ccd3
 	github.com/fatih/color v1.13.0
-	github.com/getsentry/sentry-go v0.13.0
+	github.com/getsentry/sentry-go v0.15.0
 	github.com/go-resty/resty/v2 v2.7.0
 	github.com/godbus/dbus v4.1.0+incompatible
 	github.com/golang/mock v1.6.0
-	github.com/google/go-cmp v0.5.9
+	github.com/google/go-cmp v0.6.0
 	github.com/google/uuid v1.3.0
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/jaytaylor/html2text v0.0.0-20211105163654-bc68cce691ba
-	github.com/keybase/go-keychain v0.0.0-20220610143837-c2ce06069005
-	github.com/logrusorgru/aurora v2.0.3+incompatible
+	github.com/jeandeaual/go-locale v0.0.0-20220711133428-7de61946b173
+	github.com/keybase/go-keychain v0.0.0
 	github.com/miekg/dns v1.1.50
-	github.com/nsf/jsondiff v0.0.0-20210926074059-1e845ec5d249
+	github.com/pbnjay/memory v0.0.0-20210728143218-7b4eea64cf58
 	github.com/pkg/errors v0.9.1
-	github.com/ricochet2200/go-disk-usage/du v0.0.0-20210707232629-ac9918953285
-	github.com/sirupsen/logrus v1.9.0
-	github.com/stretchr/testify v1.8.0
-	github.com/urfave/cli/v2 v2.16.3
+	github.com/pkg/profile v1.7.0
+	github.com/sirupsen/logrus v1.9.2
+	github.com/stretchr/testify v1.8.4
+	github.com/urfave/cli/v2 v2.24.4
 	github.com/vmihailenco/msgpack/v5 v5.3.5
-	go.etcd.io/bbolt v1.3.6
-	golang.org/x/exp v0.0.0-20220921164117-439092de6870
-	golang.org/x/net v0.0.0-20220921203646-d300de134e69
-	golang.org/x/sys v0.0.0-20220919091848-fb04ddd9f9c8
-	golang.org/x/text v0.3.7
-	google.golang.org/grpc v1.49.0
-	google.golang.org/protobuf v1.28.1
+	go.uber.org/goleak v1.2.1
+	golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1
+	golang.org/x/net v0.34.0
+	golang.org/x/oauth2 v0.7.0
+	golang.org/x/sys v0.29.0
+	golang.org/x/text v0.21.0
+	google.golang.org/api v0.114.0
+	google.golang.org/grpc v1.56.3
+	google.golang.org/protobuf v1.33.0
 	howett.net/plist v1.0.0
 )

 require (
+	cloud.google.com/go/compute v1.19.1 // indirect
+	cloud.google.com/go/compute/metadata v0.2.3 // indirect
 	github.com/ProtonMail/bcrypt v0.0.0-20211005172633-e235017c1baf // indirect
-	github.com/ProtonMail/go-mime v0.0.0-20220429130430-2192574d760f // indirect
+	github.com/ProtonMail/go-crypto v1.1.4-proton // indirect
+	github.com/ProtonMail/go-mime v0.0.0-20230322103455-7d82a3887f2f // indirect
+	github.com/ProtonMail/go-srp v0.0.7 // indirect
 	github.com/abiosoft/readline v0.0.0-20180607040430-155bce2042db // indirect
-	github.com/andybalholm/cascadia v1.3.1 // indirect
-	github.com/antlr/antlr4/runtime/Go/antlr v1.4.10 // indirect
+	github.com/andybalholm/cascadia v1.3.2 // indirect
+	github.com/bytedance/sonic v1.9.1 // indirect
+	github.com/chenzhuoyu/base64x v0.0.0-20221115062448-fe3a3abad311 // indirect
 	github.com/chzyer/test v1.0.0 // indirect
-	github.com/cloudflare/circl v1.2.0 // indirect
+	github.com/cloudflare/circl v1.5.0 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
 	github.com/cronokirby/saferith v0.33.0 // indirect
 	github.com/cucumber/gherkin-go/v19 v19.0.3 // indirect
-	github.com/danieljoos/wincred v1.1.2 // indirect
+	github.com/danieljoos/wincred v1.2.1 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/elastic/go-windows v1.0.1 // indirect
-	github.com/emersion/go-vcard v0.0.0-20220507122617-d4056df0ec4a // indirect
+	github.com/emersion/go-textwrapper v0.0.0-20200911093747-65d896831594 // indirect
+	github.com/felixge/fgprof v0.9.3 // indirect
 	github.com/flynn-archive/go-shlex v0.0.0-20150515145356-3f9db97f8568 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.2 // indirect
+	github.com/gin-contrib/sse v0.1.0 // indirect
+	github.com/gin-gonic/gin v1.9.1 // indirect
+	github.com/go-playground/locales v0.14.1 // indirect
+	github.com/go-playground/universal-translator v0.18.1 // indirect
+	github.com/go-playground/validator/v10 v10.14.0 // indirect
+	github.com/goccy/go-json v0.10.2 // indirect
 	github.com/gofrs/uuid v4.3.0+incompatible // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/google/pprof v0.0.0-20211214055906-6f57359322fd // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.2.3 // indirect
+	github.com/googleapis/gax-go/v2 v2.7.1 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
 	github.com/hashicorp/go-memdb v1.3.3 // indirect
 	github.com/hashicorp/golang-lru v0.5.4 // indirect
 	github.com/joeshaw/multierror v0.0.0-20140124173710-69b34d4ec901 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.4 // indirect
+	github.com/leodido/go-urn v1.2.4 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-isatty v0.0.16 // indirect
+	github.com/mattn/go-isatty v0.0.19 // indirect
 	github.com/mattn/go-runewidth v0.0.14 // indirect
+	github.com/mattn/go-sqlite3 v1.14.22 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/olekukonko/tablewriter v0.0.5 // indirect
+	github.com/pelletier/go-toml/v2 v2.0.8 // indirect
+	github.com/pierrec/lz4/v4 v4.1.17 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/procfs v0.8.0 // indirect
+	github.com/prometheus/procfs v0.12.0 // indirect
 	github.com/rivo/uniseg v0.4.2 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/ssor/bom v0.0.0-20170718123548-6386211fdfcf // indirect
+	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
+	github.com/ugorji/go/codec v1.2.11 // indirect
 	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
 	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
-	golang.org/x/crypto v0.0.0-20220919173607-35f4265a4bc0 // indirect
-	golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
-	golang.org/x/tools v0.1.12 // indirect
-	google.golang.org/genproto v0.0.0-20220921223823-23cae91e6737 // indirect
+	gitlab.com/c0b/go-ordered-json v0.0.0-20201030195603-febf46534d5a // indirect
+	go.opencensus.io v0.24.0 // indirect
+	golang.org/x/arch v0.3.0 // indirect
+	golang.org/x/crypto v0.32.0 // indirect
+	golang.org/x/mod v0.17.0 // indirect
+	golang.org/x/sync v0.10.0 // indirect
+	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
+	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

 replace (
-	github.com/docker/docker-credential-helpers => github.com/ProtonMail/docker-credential-helpers v1.1.0
-	github.com/emersion/go-imap => github.com/ProtonMail/go-imap v0.0.0-20201228133358-4db68cea0cac
-	github.com/emersion/go-message => github.com/ProtonMail/go-message v0.0.0-20210611055058-fabeff2ec753
-	github.com/keybase/go-keychain => github.com/cuthix/go-keychain v0.0.0-20220405075754-31e7cee908fe
+	github.com/emersion/go-message => github.com/ProtonMail/go-message v0.13.1-0.20240919135104-3bc88e6a9423
+	github.com/emersion/go-smtp => github.com/ProtonMail/go-smtp v0.0.0-20231109081432-2b3d50599865
+	github.com/go-resty/resty/v2 => github.com/LBeernaertProton/resty/v2 v2.0.0-20231129100320-dddf8030d93a
+	github.com/keybase/go-keychain => github.com/cuthix/go-keychain v0.0.0-20240103134243-0b6a41580b77
 )
--- a/go.sum
+++ b/go.sum
@ -5,62 +5,70 @@ cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6A
 cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=
 cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc=
 cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0=
+cloud.google.com/go v0.110.0 h1:Zc8gqp3+a9/Eyph2KDmcGaPtbKRIoqq4YTlL4NMD0Ys=
 cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
+cloud.google.com/go/compute v1.19.1 h1:am86mquDUgjGNWxiGn+5PGLbmgiWXlE/yNWpIpNvuXY=
+cloud.google.com/go/compute v1.19.1/go.mod h1:6ylj3a05WF8leseCdIf77NK0g1ey+nj5IKd5/kvShxE=
+cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=
+cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
 cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
 cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk=
+cloud.google.com/go/longrunning v0.4.1 h1:v+yFJOfKC3yZdY6ZUI933pIYdhyhV8S3NpWrXWmg7jM=
+cloud.google.com/go/longrunning v0.4.1/go.mod h1:4iWDqhBZ70CvZ6BfETbvam3T8FMvLK+eFj0E6AaRQTo=
 cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
 cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
+fyne.io/fyne v1.4.2/go.mod h1:xL4c3WmpE/Tvz5CEm5vqsaizU/EeOCm9DYlL2GtTSiM=
 github.com/0xAX/notificator v0.0.0-20220220101646-ee9b8921e557 h1:l6surSnJ3RP4qA1qmKJ+hQn3UjytosdoG27WGjrDlVs=
 github.com/0xAX/notificator v0.0.0-20220220101646-ee9b8921e557/go.mod h1:sTrmvD/TxuypdOERsDOS7SndZg0rzzcCi1b6wQMXUYM=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/Masterminds/semver/v3 v3.1.1 h1:hLg3sBzpNErnxhQtUy/mmLR2I9foDujNK030IGemrRc=
-github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=
+github.com/Kodeworks/golang-image-ico v0.0.0-20141118225523-73f0f4cfade9/go.mod h1:7uhhqiBaR4CpN0k9rMjOtjpcfGd6DG2m04zQxKnWQ0I=
+github.com/LBeernaertProton/resty/v2 v2.0.0-20231129100320-dddf8030d93a h1:eQO/GF/+H8/9udc9QAgieFr+jr1tjXlJo35RAhsUbWY=
+github.com/LBeernaertProton/resty/v2 v2.0.0-20231129100320-dddf8030d93a/go.mod h1:iiP/OpA0CkcL3IGt1O0+/SIItFUbkkyw5BGXiVdTu+A=
+github.com/Masterminds/semver/v3 v3.2.0 h1:3MEsd0SM6jqZojhjLWWeBY+Kcjy9i6MQAeY7YgDP83g=
+github.com/Masterminds/semver/v3 v3.2.0/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ=
+github.com/Microsoft/go-winio v0.6.0 h1:slsWYD/zyx7lCXoZVlvQrj0hPTM1HI4+v1sIda2yDvg=
+github.com/Microsoft/go-winio v0.6.0/go.mod h1:cTAf44im0RAYeL23bpB+fzCyDH2MJiz2BO69KH/soAE=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/ProtonMail/bcrypt v0.0.0-20210511135022-227b4adcab57/go.mod h1:HecWFHognK8GfRDGnFQbW/LiV7A3MX3gZVs45vk5h8I=
 github.com/ProtonMail/bcrypt v0.0.0-20211005172633-e235017c1baf h1:yc9daCCYUefEs69zUkSzubzjBbL+cmOXgnmt9Fyd9ug=
 github.com/ProtonMail/bcrypt v0.0.0-20211005172633-e235017c1baf/go.mod h1:o0ESU9p83twszAU8LBeJKFAAMX14tISa0yk4Oo5TOqo=
-github.com/ProtonMail/docker-credential-helpers v1.1.0 h1:+kvUIpwWcbtP3WFv5sSvkFn/XLzSqPOB5AAthuk9xPk=
-github.com/ProtonMail/docker-credential-helpers v1.1.0/go.mod h1:mK0aBveCxhnQ756AmaTfXMZDeULvheYVhF/MWMErN5g=
+github.com/ProtonMail/gluon v0.17.1-0.20250116113909-2ebd96ec0bc2 h1:lDgMidI/9j2eedavcy7YICv8+F73ooVTUoUGBE4dO0s=
+github.com/ProtonMail/gluon v0.17.1-0.20250116113909-2ebd96ec0bc2/go.mod h1:0/c03TzZPNiSgY5UDJK1iRDkjlDPwWugxTT6et2qDu8=
 github.com/ProtonMail/go-autostart v0.0.0-20210130080809-00ed301c8e9a h1:D+aZah+k14Gn6kmL7eKxoo/4Dr/lK3ChBcwce2+SQP4=
 github.com/ProtonMail/go-autostart v0.0.0-20210130080809-00ed301c8e9a/go.mod h1:oTGdE7/DlWIr23G0IKW3OXK9wZ5Hw1GGiaJFccTvZi4=
-github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7/go.mod h1:z4/9nQmJSSwwds7ejkxaJwO37dru3geImFUdJlaLzQo=
-github.com/ProtonMail/go-crypto v0.0.0-20220822140716-1678d6eb0cbe/go.mod h1:UBYPn8k0D56RtnR8RFQMjmh4KrZzWJ5o7Z9SYjossQ8=
-github.com/ProtonMail/go-crypto v0.0.0-20220824120805-4b6e5c587895 h1:NsReiLpErIPzRrnogAXYwSoU7txA977LjDGrbkewJbg=
-github.com/ProtonMail/go-crypto v0.0.0-20220824120805-4b6e5c587895/go.mod h1:UBYPn8k0D56RtnR8RFQMjmh4KrZzWJ5o7Z9SYjossQ8=
-github.com/ProtonMail/go-imap v0.0.0-20201228133358-4db68cea0cac h1:2xU3QncAiS/W3UlWZTkbNKW5WkLzk6Egl1T0xX+sbjs=
-github.com/ProtonMail/go-imap v0.0.0-20201228133358-4db68cea0cac/go.mod h1:yKASt+C3ZiDAiCSssxg9caIckWF/JG7ZQTO7GAmvicU=
-github.com/ProtonMail/go-imap-id v0.0.0-20190926060100-f94a56b9ecde h1:5koQozTDELymYOyFbQ/VSubexAEXzDR8qGM5mO8GRdw=
-github.com/ProtonMail/go-imap-id v0.0.0-20190926060100-f94a56b9ecde/go.mod h1:795VPXcRUIQ9JyMNHP4el582VokQfippgjkQP3Gk0r0=
-github.com/ProtonMail/go-message v0.0.0-20210611055058-fabeff2ec753 h1:I8IsYA297x0QLU80G5I6aLYUu3JYNSpo8j5fkXtFDW0=
-github.com/ProtonMail/go-message v0.0.0-20210611055058-fabeff2ec753/go.mod h1:NBAn21zgCJ/52WLDyed18YvYFm5tEoeDauubFqLokM4=
-github.com/ProtonMail/go-mime v0.0.0-20220302105931-303f85f7fe0f/go.mod h1:NYt+V3/4rEeDuaev/zw1zCq8uqVEuPHzDPo3OZrlGJ4=
-github.com/ProtonMail/go-mime v0.0.0-20220429130430-2192574d760f h1:4IWzKjHzZxdrW9k4zl/qCwenOVHDbVDADPPHFLjs0Oc=
-github.com/ProtonMail/go-mime v0.0.0-20220429130430-2192574d760f/go.mod h1:qRZgbeASl2a9OwmsV85aWwRqic0NHPh+9ewGAzb4cgM=
-github.com/ProtonMail/go-rfc5322 v0.11.0 h1:o5Obrm4DpmQEffvgsVqG6S4BKwC1Wat+hYwjIp2YcCY=
-github.com/ProtonMail/go-rfc5322 v0.11.0/go.mod h1:6oOKr0jXvpoE6pwTx/HukigQpX2J9WUf6h0auplrFTw=
-github.com/ProtonMail/go-srp v0.0.5 h1:xhUioxZgDbCnpo9JehyFhwwsn9JLWkUGfB0oiKXgiGg=
-github.com/ProtonMail/go-srp v0.0.5/go.mod h1:06iYHtLXW8vjLtccWj++x3MKy65sIT8yZd7nrJF49rs=
-github.com/ProtonMail/go-vcard v0.0.0-20180326232728-33aaa0a0c8a5 h1:Uga1DHFN4GUxuDQr0F71tpi8I9HqPIlZodZAI1lR6VQ=
-github.com/ProtonMail/go-vcard v0.0.0-20180326232728-33aaa0a0c8a5/go.mod h1:oeP9CMN+ajWp5jKp1kue5daJNwMMxLF+ujPaUIoJWlA=
-github.com/ProtonMail/gopenpgp/v2 v2.4.10 h1:EYgkxzwmQvsa6kxxkgP1AwzkFqKHscF2UINxaSn6rdI=
-github.com/ProtonMail/gopenpgp/v2 v2.4.10/go.mod h1:CTRA7/toc/4DxDy5Du4hPDnIZnJvXSeQ8LsRTOUJoyc=
-github.com/PuerkitoBio/goquery v1.8.0 h1:PJTF7AmFCFKk1N6V6jmKfrNH9tV5pNE6lZMkG0gta/U=
-github.com/PuerkitoBio/goquery v1.8.0/go.mod h1:ypIiRMtY7COPGk+I/YbZLbxsxn9g5ejnI2HSMtkjZvI=
+github.com/ProtonMail/go-crypto v0.0.0-20230321155629-9a39f2531310/go.mod h1:8TI4H3IbrackdNgv+92dI+rhpCaLqM0IfpgCgenFvRE=
+github.com/ProtonMail/go-crypto v1.1.4-proton h1:KIo9uNlk3vzlwI7o5VjhiEjI4Ld1TDixOMnoNZyfpFE=
+github.com/ProtonMail/go-crypto v1.1.4-proton/go.mod h1:zNoyBJW3p/yVWiHNZgfTF9VsjwqYof5YY0M9kt2QaX0=
+github.com/ProtonMail/go-message v0.13.1-0.20240919135104-3bc88e6a9423 h1:p8nBDxvRnvDOyrcePKkPpErWGhDoTqpX8a1c54CcSu0=
+github.com/ProtonMail/go-message v0.13.1-0.20240919135104-3bc88e6a9423/go.mod h1:NBAn21zgCJ/52WLDyed18YvYFm5tEoeDauubFqLokM4=
+github.com/ProtonMail/go-mime v0.0.0-20230322103455-7d82a3887f2f h1:tCbYj7/299ekTTXpdwKYF8eBlsYsDVoggDAuAjoK66k=
+github.com/ProtonMail/go-mime v0.0.0-20230322103455-7d82a3887f2f/go.mod h1:gcr0kNtGBqin9zDW9GOHcVntrwnjrK+qdJ06mWYBybw=
+github.com/ProtonMail/go-proton-api v0.4.1-0.20250121114701-67bd01ad0bc3 h1:YYnLBVcg7WrEbYVmF1PBr4AEQlob9rCphsMHAmF4CAo=
+github.com/ProtonMail/go-proton-api v0.4.1-0.20250121114701-67bd01ad0bc3/go.mod h1:RYgagBFkA3zFrSt7/vviFFwjZxBo6pGzcTwFsLwsnyc=
+github.com/ProtonMail/go-proton-api v0.4.1-0.20250217140732-2e531f21de4c h1:dxnbB+ov77BDj1LC35fKZ14hLoTpU6OTpZySwxarVx0=
+github.com/ProtonMail/go-proton-api v0.4.1-0.20250217140732-2e531f21de4c/go.mod h1:RYgagBFkA3zFrSt7/vviFFwjZxBo6pGzcTwFsLwsnyc=
+github.com/ProtonMail/go-smtp v0.0.0-20231109081432-2b3d50599865 h1:EP1gnxLL5Z7xBSymE9nSTM27nRYINuvssAtDmG0suD8=
+github.com/ProtonMail/go-smtp v0.0.0-20231109081432-2b3d50599865/go.mod h1:qm27SGYgoIPRot6ubfQ/GpiPy/g3PaZAVRxiO/sDUgQ=
+github.com/ProtonMail/go-srp v0.0.7 h1:Sos3Qk+th4tQR64vsxGIxYpN3rdnG9Wf9K4ZloC1JrI=
+github.com/ProtonMail/go-srp v0.0.7/go.mod h1:giCp+7qRnMIcCvI6V6U3S1lDDXDQYx2ewJ6F/9wdlJk=
+github.com/ProtonMail/gopenpgp/v2 v2.8.2-proton h1:MMVgE6nk5Ulh9Ud5L1Xc5iaPKE85FbfKQV17ZMucrR0=
+github.com/ProtonMail/gopenpgp/v2 v2.8.2-proton/go.mod h1:+PjybET6fgcLzldFy1hpy7s8VibZ0T1hLFbxnnMk0lo=
+github.com/PuerkitoBio/goquery v1.8.1 h1:uQxhNlArOIdbrH1tr0UXwdVFgDcZDrZVdcpygAcwmWM=
+github.com/PuerkitoBio/goquery v1.8.1/go.mod h1:Q8ICL1kNUJ2sXGoAhPGUdYDJvgQgHzJsnnd3H7Ho5jQ=
 github.com/abiosoft/ishell v2.0.0+incompatible h1:zpwIuEHc37EzrsIYah3cpevrIc8Oma7oZPxr03tlmmw=
 github.com/abiosoft/ishell v2.0.0+incompatible/go.mod h1:HQR9AqF2R3P4XXpMpI0NAzgHf/aS6+zVXRj14cVk9qg=
 github.com/abiosoft/readline v0.0.0-20180607040430-155bce2042db h1:CjPUSXOiYptLbTdr1RceuZgSFDQ7U15ITERUGrUORx8=
 github.com/abiosoft/readline v0.0.0-20180607040430-155bce2042db/go.mod h1:rB3B4rKii8V21ydCbIzH5hZiCQE7f5E9SzUb/ZZx530=
+github.com/akavel/rsrc v0.8.0/go.mod h1:uLoCtb9J+EyAqh+26kdrTgmzRBFPGOolLWKpdxkKq+c=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/allan-simon/go-singleinstance v0.0.0-20210120080615-d0997106ab37 h1:28uU3TtuvQ6KRndxg9TrC868jBWmSKgh0GTXkACCXmA=
 github.com/allan-simon/go-singleinstance v0.0.0-20210120080615-d0997106ab37/go.mod h1:6AXRstqK+32jeFmw89QGL2748+dj34Av4xc/I9oo9BY=
-github.com/andybalholm/cascadia v1.3.1 h1:nhxRkql1kdYCc8Snf7D5/D3spOX+dBgjA6u8x004T2c=
 github.com/andybalholm/cascadia v1.3.1/go.mod h1:R4bJ1UQfqADjvDa4P6HZHLh/3OxWWEqc0Sk8XGwHqvA=
-github.com/antlr/antlr4/runtime/Go/antlr v0.0.0-20220816024939-bc8df83d7b9d/go.mod h1:F7bn7fEU90QkQ3tnmaTx3LTKLEDqnwWODIYppRQ5hnY=
-github.com/antlr/antlr4/runtime/Go/antlr v1.4.10 h1:yL7+Jz0jTC6yykIK/Wh74gnTJnrGr5AyrNMXuA0gves=
-github.com/antlr/antlr4/runtime/Go/antlr v1.4.10/go.mod h1:F7bn7fEU90QkQ3tnmaTx3LTKLEDqnwWODIYppRQ5hnY=
+github.com/andybalholm/cascadia v1.3.2 h1:3Xi6Dw5lHF15JtdcmAHD3i1+T8plmv7BQ/nsViSLyss=
+github.com/andybalholm/cascadia v1.3.2/go.mod h1:7gtRlve5FxPPgIgX36uWBX58OdBsSS6lUvCFb+h7KvU=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
@ -68,19 +76,29 @@ github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
 github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84=
-github.com/bradenaw/juniper v0.8.0 h1:sdanLNdJbLjcLj993VYIwUHlUVkLzvgiD/x9O7cvvxk=
-github.com/bradenaw/juniper v0.8.0/go.mod h1:Z2B7aJlQ7xbfWsnMLROj5t/5FQ94/MkIdKC30J4WvzI=
+github.com/bradenaw/juniper v0.12.0 h1:Q/7icpPQD1nH/La5DobQfNEtwyrBSiSu47jOQx7lJEM=
+github.com/bradenaw/juniper v0.12.0/go.mod h1:Z2B7aJlQ7xbfWsnMLROj5t/5FQ94/MkIdKC30J4WvzI=
 github.com/bwesterb/go-ristretto v1.2.0/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
-github.com/bwesterb/go-ristretto v1.2.1/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
+github.com/bytedance/sonic v1.5.0/go.mod h1:ED5hyg4y6t3/9Ku1R6dU/4KyJ48DZ4jPhfY1O2AihPM=
+github.com/bytedance/sonic v1.9.1 h1:6iJ6NqdoxCDr6mbY8h18oSO+cShGSMRGCEo7F2h0x8s=
+github.com/bytedance/sonic v1.9.1/go.mod h1:i736AoUSYt75HyZLoJW9ERYxcy6eaN6h4BZXU064P/U=
+github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
+github.com/chenzhuoyu/base64x v0.0.0-20211019084208-fb5309c8db06/go.mod h1:DH46F32mSOjUmXrMHnKwZdA8wcEefY7UVqBKYGjpdQY=
+github.com/chenzhuoyu/base64x v0.0.0-20221115062448-fe3a3abad311 h1:qSGYFH7+jGhDF8vLC+iwCD4WpbV1EBDSzWkJODFLams=
+github.com/chenzhuoyu/base64x v0.0.0-20221115062448-fe3a3abad311/go.mod h1:b583jCggY9gE99b6G5LEC39OIiVsWj+R97kbl5odCEk=
+github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/logex v1.2.1 h1:XHDu3E6q+gdHgsdTPH6ImJMIp436vR6MPtH8gP05QzM=
 github.com/chzyer/logex v1.2.1/go.mod h1:JLbx6lG2kDbNRFnfkgvh4eRJRPX1QCoOIWomwysCBrQ=
+github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
+github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/chzyer/test v1.0.0 h1:p3BQDXSxOhOG0P9z6/hGnII4LGiEPOYBhs8asl/fC04=
 github.com/chzyer/test v1.0.0/go.mod h1:2JlltgoNkt4TW/z9V/IzDdFaMTM2JPIi26O1pF38GC8=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cloudflare/circl v1.1.0/go.mod h1:prBCrKB9DV4poKZY1l9zBXg2QJY7mvgRvtMxxK7fi4I=
-github.com/cloudflare/circl v1.2.0 h1:NheeISPSUcYftKlfrLuOo4T62FkmD4t4jviLfFFYaec=
-github.com/cloudflare/circl v1.2.0/go.mod h1:Ch2UgYr6ti2KTtlejELlROl0YIYj7SLjAC8M+INXlMk=
+github.com/cloudflare/circl v1.5.0 h1:hxIWksrX6XN5a1L2TI/h53AGPhNHoUBo+TD1ms9+pys=
+github.com/cloudflare/circl v1.5.0/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
+github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
@ -98,64 +116,98 @@ github.com/cucumber/godog v0.12.5/go.mod h1:u6SD7IXC49dLpPN35kal0oYEjsXZWee4pW6T
 github.com/cucumber/messages-go/v16 v16.0.0/go.mod h1:EJcyR5Mm5ZuDsKJnT2N9KRnBK30BGjtYotDKpwQ0v6g=
 github.com/cucumber/messages-go/v16 v16.0.1 h1:fvkpwsLgnIm0qugftrw2YwNlio+ABe2Iu94Ap8GMYIY=
 github.com/cucumber/messages-go/v16 v16.0.1/go.mod h1:EJcyR5Mm5ZuDsKJnT2N9KRnBK30BGjtYotDKpwQ0v6g=
-github.com/cuthix/go-keychain v0.0.0-20220405075754-31e7cee908fe h1:KRj3wdvA9yE92prNmOjS7x5DOqoyjxqdE30qnrmTasc=
-github.com/cuthix/go-keychain v0.0.0-20220405075754-31e7cee908fe/go.mod h1:ZoZU1fnBy3mOLWr3Pg+Y2+nTKtu6ypDte2kZg9HvSwY=
-github.com/danieljoos/wincred v1.1.0/go.mod h1:XYlo+eRTsVA9aHGp7NGjFkPla4m+DCL7hqDjlFjiygg=
-github.com/danieljoos/wincred v1.1.2 h1:QLdCxFs1/Yl4zduvBdcHB8goaYk9RARS2SgLLRuAyr0=
-github.com/danieljoos/wincred v1.1.2/go.mod h1:GijpziifJoIBfYh+S7BbkdUTU4LfM+QnGqR5Vl2tAx0=
+github.com/cuthix/go-keychain v0.0.0-20240103134243-0b6a41580b77 h1:sdB/yJMbubPQothFl6KYCOrMBRgy0pZbBXIWoJqSFLo=
+github.com/cuthix/go-keychain v0.0.0-20240103134243-0b6a41580b77/go.mod h1:ZoZU1fnBy3mOLWr3Pg+Y2+nTKtu6ypDte2kZg9HvSwY=
+github.com/danieljoos/wincred v1.2.1 h1:dl9cBrupW8+r5250DYkYxocLeZ1Y4vB1kxgtjxw8GQs=
+github.com/danieljoos/wincred v1.2.1/go.mod h1:uGaFL9fDn3OLTvzCGulzE+SzjEe5NGlh5FdCcyfPwps=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
-github.com/elastic/go-sysinfo v1.8.1 h1:4Yhj+HdV6WjbCRgGdZpPJ8lZQlXZLKDAeIkmQ/VRvi4=
-github.com/elastic/go-sysinfo v1.8.1/go.mod h1:JfllUnzoQV/JRYymbH3dO1yggI3mV2oTKSXsDHM+uIM=
+github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8=
+github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
+github.com/docker/docker v24.0.7+incompatible h1:Wo6l37AuwP3JaMnZa226lzVXGA3F9Ig1seQen0cKYlM=
+github.com/docker/docker v24.0.7+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker-credential-helpers v0.8.1 h1:j/eKUktUltBtMzKqmfLB0PAgqYyMHOp5vfsD1807oKo=
+github.com/docker/docker-credential-helpers v0.8.1/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M=
+github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
+github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
+github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
+github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/elastic/go-sysinfo v1.11.2-0.20231129083954-35e55cd2a542 h1:IFTm6NBbfSgZCaeEzorQhH4T7ZERl4j+1u7oXWzmJcM=
+github.com/elastic/go-sysinfo v1.11.2-0.20231129083954-35e55cd2a542/go.mod h1:GKqR8bbMK/1ITnez9NIsIfXQr25aLhRJa7AfT8HpBFQ=
 github.com/elastic/go-windows v1.0.1 h1:AlYZOldA+UJ0/2nBuqWdo90GFCgG9xuyw9SYzGUtJm0=
 github.com/elastic/go-windows v1.0.1/go.mod h1:FoVvqWSun28vaDQPbj2Elfc0JahhPB7WQEGa3c814Ss=
-github.com/emersion/go-imap-appendlimit v0.0.0-20210907172056-e3baed77bbe4 h1:U6LL6F1dYqXpVTwEbXhcfU8hgpNvmjB9xeOAiHN695o=
-github.com/emersion/go-imap-appendlimit v0.0.0-20210907172056-e3baed77bbe4/go.mod h1:ikgISoP7pRAolqsVP64yMteJa2FIpS6ju88eBT6K1yQ=
-github.com/emersion/go-imap-move v0.0.0-20210907172020-fe4558f9c872 h1:HGBfonz0q/zq7y3ew+4oy4emHSvk6bkmV0mdDG3E77M=
-github.com/emersion/go-imap-move v0.0.0-20210907172020-fe4558f9c872/go.mod h1:QuMaZcKFDVI0yCrnAbPLfbwllz1wtOrZH8/vZ5yzp4w=
-github.com/emersion/go-imap-quota v0.0.0-20210203125329-619074823f3c h1:khcEdu1yFiZjBgi7gGnQiLhpSgghJ0YTnKD0l4EUqqc=
-github.com/emersion/go-imap-quota v0.0.0-20210203125329-619074823f3c/go.mod h1:iApyhIQBiU4XFyr+3kdJyyGqle82TbQyuP2o+OZHrV0=
-github.com/emersion/go-imap-unselect v0.0.0-20210907172115-4c2c4843bf69 h1:ltTnRlPdSMMb0a/pg7S31T3g+syYeSS5UVJtiR7ez1Y=
-github.com/emersion/go-imap-unselect v0.0.0-20210907172115-4c2c4843bf69/go.mod h1:+gnnZx3Mg3MnCzZrv0eZdp5puxXQUgGT/6N6L7ShKfM=
-github.com/emersion/go-sasl v0.0.0-20191210011802-430746ea8b9b/go.mod h1:G/dpzLu16WtQpBfQ/z3LYiYJn3ZhKSGWn83fyoyQe/k=
+github.com/emersion/go-imap v1.2.1 h1:+s9ZjMEjOB8NzZMVTM3cCenz2JrQIGGo5j1df19WjTA=
+github.com/emersion/go-imap v1.2.1/go.mod h1:Qlx1FSx2FTxjnjWpIlVNEuX+ylerZQNFE5NsmKFSejY=
+github.com/emersion/go-imap-id v0.0.0-20190926060100-f94a56b9ecde h1:43mBoVwooyLm1+1YVf5nvn1pSFWhw7rOpcrp1Jg/qk0=
+github.com/emersion/go-imap-id v0.0.0-20190926060100-f94a56b9ecde/go.mod h1:sPwp0FFboaK/bxsrUz1lNrDMUCsZUsKC5YuM4uRVRVs=
 github.com/emersion/go-sasl v0.0.0-20200509203442-7bfe0ed36a21/go.mod h1:iL2twTeMvZnrg54ZoPDNfJaJaqy0xIQFuBdrLsmspwQ=
 github.com/emersion/go-sasl v0.0.0-20220912192320-0145f2c60ead h1:fI1Jck0vUrXT8bnphprS1EoVRe2Q5CKCX8iDlpqjQ/Y=
 github.com/emersion/go-sasl v0.0.0-20220912192320-0145f2c60ead/go.mod h1:iL2twTeMvZnrg54ZoPDNfJaJaqy0xIQFuBdrLsmspwQ=
-github.com/emersion/go-smtp v0.15.0 h1:3+hMGMGrqP/lqd7qoxZc1hTU8LY8gHV9RFGWlqSDmP8=
-github.com/emersion/go-smtp v0.15.0/go.mod h1:qm27SGYgoIPRot6ubfQ/GpiPy/g3PaZAVRxiO/sDUgQ=
 github.com/emersion/go-textwrapper v0.0.0-20200911093747-65d896831594 h1:IbFBtwoTQyw0fIM5xv1HF+Y+3ZijDR839WMulgxCcUY=
 github.com/emersion/go-textwrapper v0.0.0-20200911093747-65d896831594/go.mod h1:aqO8z8wPrjkscevZJFVE1wXJrLpC5LtJG7fqLOsPb2U=
-github.com/emersion/go-vcard v0.0.0-20220507122617-d4056df0ec4a h1:cltZpe6s0SJtqK5c/5y2VrIYi8BAtDM6qjmiGYqfTik=
-github.com/emersion/go-vcard v0.0.0-20220507122617-d4056df0ec4a/go.mod h1:HMJKR5wlh/ziNp+sHEDV2ltblO4JD2+IdDOWtGcQBTM=
+github.com/emersion/go-vcard v0.0.0-20230331202150-f3d26859ccd3 h1:hQ1wTMaKcGfobYRT88RM8NFNyX+IQHvagkm/tqViU98=
+github.com/emersion/go-vcard v0.0.0-20230331202150-f3d26859ccd3/go.mod h1:HMJKR5wlh/ziNp+sHEDV2ltblO4JD2+IdDOWtGcQBTM=
+github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
+github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w=
 github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
+github.com/felixge/fgprof v0.9.3 h1:VvyZxILNuCiUCSXtPtYmmtGvb65nqXh2QFWc0Wpf2/g=
+github.com/felixge/fgprof v0.9.3/go.mod h1:RdbpDgzqYVh/T9fPELJyV7EYJuHB55UTEULNun8eiPw=
 github.com/flynn-archive/go-shlex v0.0.0-20150515145356-3f9db97f8568 h1:BMXYYRWTLOJKlh+lOBt6nUQgXAfB7oVIQt5cNreqSLI=
 github.com/flynn-archive/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:rZfgFAXFS/z/lEd6LJmf9HVZ1LkgYiHx5pHhV5DR16M=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
-github.com/getsentry/sentry-go v0.13.0 h1:20dgTiUSfxRB/EhMPtxcL9ZEbM1ZdR+W/7f7NWD+xWo=
-github.com/getsentry/sentry-go v0.13.0/go.mod h1:EOsfu5ZdvKPfeHYV6pTVQnsjfp30+XA7//UooKNumH0=
+github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
+github.com/fyne-io/mobile v0.1.2-0.20201127155338-06aeb98410cc/go.mod h1:/kOrWrZB6sasLbEy2JIvr4arEzQTXBTZGb3Y96yWbHY=
+github.com/fyne-io/mobile v0.1.2/go.mod h1:/kOrWrZB6sasLbEy2JIvr4arEzQTXBTZGb3Y96yWbHY=
+github.com/gabriel-vasile/mimetype v1.4.2 h1:w5qFW6JKBz9Y393Y4q372O9A7cUSequkh1Q7OhCmWKU=
+github.com/gabriel-vasile/mimetype v1.4.2/go.mod h1:zApsH/mKG4w07erKIaJPFiX0Tsq9BFQgN3qGY5GnNgA=
+github.com/getsentry/sentry-go v0.15.0 h1:CP9bmA7pralrVUedYZsmIHWpq/pBtXTSew7xvVpfLaA=
+github.com/getsentry/sentry-go v0.15.0/go.mod h1:RZPJKSw+adu8PBNygiri/A98FqVr2HtRckJk9XVxJ9I=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/go-errors/errors v1.0.1 h1:LUHzmkK3GUKUrL/1gfBUxAHzcev3apQlezX/+O7ma6w=
+github.com/gin-contrib/sse v0.1.0 h1:Y/yl/+YNO8GZSjAhjMsSuLt29uWRFHdHYUb5lYOV9qE=
+github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI=
+github.com/gin-gonic/gin v1.9.1 h1:4idEAncQnU5cB7BeOkPtxjfCSye0AAm1R0RVIqJ+Jmg=
+github.com/gin-gonic/gin v1.9.1/go.mod h1:hPrL7YrpYKXt5YId3A/Tnip5kqbEAP+KLuI3SUcPTeU=
+github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
+github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
+github.com/go-gl/gl v0.0.0-20190320180904-bf2b1f2f34d7/go.mod h1:482civXOzJJCPzJ4ZOX/pwvXBWSnzD4OKMdH4ClKGbk=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
+github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200625191551-73d3c3675aa3/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
-github.com/go-resty/resty/v2 v2.7.0 h1:me+K9p3uhSmXtrBZ4k9jcEAfJmuC8IivWHwaLZwPrFY=
-github.com/go-resty/resty/v2 v2.7.0/go.mod h1:9PWDzw47qPphMRFfhsyk0NnSgvluHcljSMVIq3w7q0I=
+github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
+github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
+github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA=
+github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
+github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
+github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
+github.com/go-playground/validator/v10 v10.14.0 h1:vgvQWe3XCz3gIeFDm/HnTIbj6UGmg/+t63MyGU2n5js=
+github.com/go-playground/validator/v10 v10.14.0/go.mod h1:9iXMNT7sEkjXb0I+enO7QXmzG6QCsPWY4zveKFVRSyU=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
+github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU=
+github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
 github.com/godbus/dbus v4.1.0+incompatible h1:WqqLRTsQic3apZUK9qC5sGNfXthmPXzUZ7nQPrNITa4=
 github.com/godbus/dbus v4.1.0+incompatible/go.mod h1:/YcGZj5zSblfDWMMoOzV4fas9FZnQYTkDnsGvmh2Grw=
+github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gofrs/uuid v4.0.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/gofrs/uuid v4.3.0+incompatible h1:CaSVZxm5B+7o45rtab4jC2G37WGYX1zQfuU2i6DSvnc=
 github.com/gofrs/uuid v4.3.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/goki/freetype v0.0.0-20181231101311-fa8a33aabaff/go.mod h1:wfqRWLHRBsRgkp5dmbG56SA0DmVtwrF5N3oPdI8t+Aw=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e h1:1r7pUrabqp18hOBcwBwiTsbnFeTZHV9eER/QT5JVZxY=
+github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
@ -164,24 +216,43 @@ github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+Licev
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
+github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
+github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
+github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
+github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
+github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
+github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
-github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
+github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
-github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
+github.com/google/pprof v0.0.0-20211214055906-6f57359322fd h1:1FjCyPC+syAzJ5/2S8fqdZK1R22vvA0J7JZKcuOIQ7Y=
+github.com/google/pprof v0.0.0-20211214055906-6f57359322fd/go.mod h1:KgnwoLYCZ8IQu3XUZ8Nc/bM9CCZFOyjUNOSygVozoDg=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
+github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/googleapis/enterprise-certificate-proxy v0.2.3 h1:yk9/cqRKtT9wXZSsRH9aurXEpJX+U6FLtpYTdC3R06k=
+github.com/googleapis/enterprise-certificate-proxy v0.2.3/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
+github.com/googleapis/gax-go/v2 v2.7.1 h1:gF4c0zjUP2H/s/hEGyLA3I0fA2ZWjzYiONAD6cvPr8A=
+github.com/googleapis/gax-go/v2 v2.7.1/go.mod h1:4orTrqY6hXxxaUL4LHIPl6lGo8vAE38/qKbhSAKP6QI=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
@ -222,30 +293,43 @@ github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO
 github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ=
 github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I=
 github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc=
+github.com/ianlancetaylor/demangle v0.0.0-20210905161508-09a460cdf81d/go.mod h1:aYm2/VgdVmcIU8iMfdMvDMsRAQjcfZSKFby6HOFvi/w=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
+github.com/jackmordaunt/icns v0.0.0-20181231085925-4f16af745526/go.mod h1:UQkeMHVoNcyXYq9otUupF7/h/2tmHlhrS2zw7ZVvUqc=
 github.com/jaytaylor/html2text v0.0.0-20211105163654-bc68cce691ba h1:QFQpJdgbON7I0jr2hYW7Bs+XV0qjc3d5tZoDnRFnqTg=
 github.com/jaytaylor/html2text v0.0.0-20211105163654-bc68cce691ba/go.mod h1:CVKlgaMiht+LXvHG173ujK6JUhZXKb2u/BQtjPDIvyk=
+github.com/jeandeaual/go-locale v0.0.0-20220711133428-7de61946b173 h1:jOONCXyzHWM+ukp+weX77o//U3pMeOj62CNxChJLxIU=
+github.com/jeandeaual/go-locale v0.0.0-20220711133428-7de61946b173/go.mod h1:uO/uctjf8AcWhNfp5Ili6oPtyFrAoQXEtVY3N798VkQ=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/joeshaw/multierror v0.0.0-20140124173710-69b34d4ec901 h1:rp+c0RAYOWj8l6qbCUTSiRLG/iKnW3K3/QfPPuSsBt4=
 github.com/joeshaw/multierror v0.0.0-20140124173710-69b34d4ec901/go.mod h1:Z86h9688Y0wesXCyonoVr47MasHilkuLMqGhRZ4Hpak=
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
+github.com/josephspurrier/goversioninfo v0.0.0-20200309025242-14b0ab84c6ca/go.mod h1:eJTEwMjXb7kZ633hO3Ln9mBUCOjX2+FlTljvpl9SYdE=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo=
 github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
 github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
+github.com/klauspost/cpuid/v2 v2.2.4 h1:acbojRNwl3o09bUq+yDCtZFc1aiwaAAxtcn8YkZXnvk=
+github.com/klauspost/cpuid/v2 v2.2.4/go.mod h1:RVVoqg1df56z8g3pUjL/3lE5UfnlrJX8tyFgg4nqhuY=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
-github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
-github.com/logrusorgru/aurora v2.0.3+incompatible h1:tOpm7WcpBTn4fjmVfgpQq0EfczGlG91VSDkswnjF5A8=
-github.com/logrusorgru/aurora v2.0.3+incompatible/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/leodido/go-urn v1.2.4 h1:XlAE/cm/ms7TE/VMVoduSpNBoyc2dOxHs5MZSwAN63Q=
+github.com/leodido/go-urn v1.2.4/go.mod h1:7ZrI8mTSeBSHl/UaRyKQW1qZeMgak41ANeCNaVckg+4=
+github.com/lucor/goinfo v0.0.0-20200401173949-526b5363a13a/go.mod h1:ORP3/rB5IsulLEBwQZCJyyV6niqmI7P4EWSmkug+1Ng=
 github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
 github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
@ -254,11 +338,14 @@ github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovk
 github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
 github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
 github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
-github.com/mattn/go-isatty v0.0.16 h1:bq3VjFmv/sOjHtdEhmkEV4x1AJtvUvOJ2PFAZ5+peKQ=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-isatty v0.0.19 h1:JITubQf0MOLdlGRuRq+jtsDlekdYPia9ZFsB8h/APPA=
+github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
 github.com/mattn/go-runewidth v0.0.14 h1:+xnbZSEeDbOIg5/mE6JF0w6n9duR1l3/WmbinWVwUuU=
 github.com/mattn/go-runewidth v0.0.14/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
+github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=
+github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
 github.com/miekg/dns v1.1.50 h1:DQUfb9uc6smULcREF09Uc+/Gd46YWqJd5DbpPE9xkcA=
@ -271,21 +358,39 @@ github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS4
 github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY=
 github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
-github.com/nsf/jsondiff v0.0.0-20210926074059-1e845ec5d249 h1:NHrXEjTNQY7P0Zfx1aMrNhpgxHmow66XQtm0aQLY0AE=
-github.com/nsf/jsondiff v0.0.0-20210926074059-1e845ec5d249/go.mod h1:mpRZBD8SJ55OIICQ3iWH0Yz3cjzA61JdqMLoWXeB2+8=
+github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646/go.mod h1:jpp1/29i3P1S/RLdc7JQKbRpFeM1dOBd8T9ki5s+AY8=
+github.com/nicksnyder/go-i18n/v2 v2.1.1/go.mod h1:d++QJC9ZVf7pa48qrsRWhMJ5pSHIPmS3OLqK1niyLxs=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
 github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
 github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
+github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
+github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
+github.com/opencontainers/image-spec v1.0.2 h1:9yCKha/T5XdGtO0q9Q9a6T5NUCsTn/DrBg0D7ufOcFM=
+github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
+github.com/pbnjay/memory v0.0.0-20210728143218-7b4eea64cf58 h1:onHthvaw9LFnH4t2DcNVpwGmV9E1BkGknEliJkfwQj0=
+github.com/pbnjay/memory v0.0.0-20210728143218-7b4eea64cf58/go.mod h1:DXv8WO4yhMYhSNPKjeNKa5WY9YCIEBRbNzFFPJbWO6Y=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
+github.com/pelletier/go-toml/v2 v2.0.8 h1:0ctb6s9mE31h0/lhu+J6OPmVeDxJn+kYnJc2jZR9tGQ=
+github.com/pelletier/go-toml/v2 v2.0.8/go.mod h1:vuYfssBdrU2XDZ9bYydBu6t+6a6PYNcZljzZR9VXg+4=
+github.com/pierrec/lz4/v4 v4.1.17 h1:kV4Ip+/hUBC+8T6+2EgburRtkE9ef4nbY3f4dFhGjMc=
+github.com/pierrec/lz4/v4 v4.1.17/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
 github.com/pingcap/errors v0.11.4 h1:lFuQV/oaUMGcD2tqt+01ROSmJs75VG1ToEOkZIZ4nE4=
+github.com/pingcap/errors v0.11.4/go.mod h1:Oi8TUi2kEtXXLMJk9l1cGmz20kV3TaQ0usTwv5KuLY8=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/profile v1.7.0 h1:hnbDkaNWPCLMO9wGLdBFTIZvzDrDfBM2072E1S9gJkA=
+github.com/pkg/profile v1.7.0/go.mod h1:8Uer0jas47ZQMJ7VD+OHknK4YDY07LPUC6dEvqDjvNo=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
@ -293,20 +398,21 @@ github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXP
 github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
 github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
-github.com/prometheus/procfs v0.8.0 h1:ODq8ZFEaYeCaZOJlZZdJA2AbQR98dSHSM1KW/You5mo=
-github.com/prometheus/procfs v0.8.0/go.mod h1:z7EfXMXOkbkqb9IINtpCn86r/to3BnA0uaxHdg830/4=
+github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo=
+github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo=
 github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
-github.com/ricochet2200/go-disk-usage/du v0.0.0-20210707232629-ac9918953285 h1:d54EL9l+XteliUfUCGsEwwuk65dmmxX85VXF+9T6+50=
-github.com/ricochet2200/go-disk-usage/du v0.0.0-20210707232629-ac9918953285/go.mod h1:fxIDly1xtudczrZeOOlfaUvd2OPb2qZAPuWdU2BsBTk=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.2 h1:YwD0ulJSJytLpiaWua0sBDusfsCZohxjxzVTYjwxfV8=
 github.com/rivo/uniseg v0.4.2/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
+github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
+github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
@ -314,9 +420,8 @@ github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
-github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
-github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
-github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/sirupsen/logrus v1.9.2 h1:oxx1eChJGI6Uks2ZC4W1zpLlVgqB8ner4EuQwV4Ik1Y=
+github.com/sirupsen/logrus v1.9.2/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d h1:zE9ykElWQ6/NYmHa3jpm/yHnI4xSofP+UP6SpjHcSeM=
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
 github.com/smartystreets/goconvey v1.6.4 h1:fv0U8FUIMPNf1L9lnHLvLhgicrIVChEkdzIKYqbNC9s=
@ -331,25 +436,35 @@ github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnIn
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg=
+github.com/srwiley/oksvg v0.0.0-20200311192757-870daf9aa564/go.mod h1:afMbS0qvv1m5tfENCwnOdZGOF8RGR/FsZ7bvBxQGZG4=
+github.com/srwiley/rasterx v0.0.0-20200120212402-85cb7272f5e9/go.mod h1:mvWM0+15UqyrFKqdRjY6LuAVJR0HOVhJlEgZ5JWtSWU=
 github.com/ssor/bom v0.0.0-20170718123548-6386211fdfcf h1:pvbZ0lM0XWPBqUKqFU8cmavspvIl9nulOYwdy6IFRRo=
 github.com/ssor/bom v0.0.0-20170718123548-6386211fdfcf/go.mod h1:RJID2RhlZKId02nZ62WenDCkgHFerpIOmW0iT7GKmXM=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.4.0 h1:M2gUjqZET1qApGOWNSnZ49BAIMX4F/1plDv3+l31EJ4=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.8.3/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
-github.com/urfave/cli/v2 v2.16.3 h1:gHoFIwpPjoyIMbJp/VFd+/vuD0dAgFK4B6DpEMFJfQk=
-github.com/urfave/cli/v2 v2.16.3/go.mod h1:1CNUng3PtjQMtRzJO4FMXBQvkGtuYRxxiR9xMa7jMwI=
+github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
+github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
+github.com/ugorji/go/codec v1.2.11 h1:BMaWp1Bb6fHwEtbplGBGJ498wD+LKlNSl25MjdZY4dU=
+github.com/ugorji/go/codec v1.2.11/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=
+github.com/urfave/cli/v2 v2.24.4 h1:0gyJJEBYtCV87zI/x2nZCPyDxD51K6xM8SkwjHFCNEU=
+github.com/urfave/cli/v2 v2.24.4/go.mod h1:GHupkWPMM0M/sj1a2b4wUrWBPzazNrIjouW6fmdJLxc=
 github.com/vmihailenco/msgpack/v5 v5.3.5 h1:5gO0H1iULLWGhs2H5tbAHIZTV8/cYafcFOr9znI5mJU=
 github.com/vmihailenco/msgpack/v5 v5.3.5/go.mod h1:7xyJ9e+0+9SaZT0Wt1RGleJXzli6Q/V5KbhBonMG9jc=
 github.com/vmihailenco/tagparser/v2 v2.0.0 h1:y09buUbR+b5aycVFQs/g70pqKVZNBmxwAhO7/IwNM9g=
@ -357,36 +472,46 @@ github.com/vmihailenco/tagparser/v2 v2.0.0/go.mod h1:Wri+At7QHww0WTrCBeu4J6bNtoV
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
 github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 h1:bAn7/zixMGCfxrRTfdpNzjtPYqr8smhKouy9mxVdGPU=
 github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673/go.mod h1:N3UwUGtsrSj3ccvlPHLoLsHnpR27oXr4ZE984MbSER8=
+github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+gitlab.com/c0b/go-ordered-json v0.0.0-20201030195603-febf46534d5a h1:DxppxFKRqJ8WD6oJ3+ZXKDY0iMONQDl5UTg2aTyHh8k=
+gitlab.com/c0b/go-ordered-json v0.0.0-20201030195603-febf46534d5a/go.mod h1:NREvu3a57BaK0R1+ztrEzHWiZAihohNLQ6trPxlIqZI=
 go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
-go.etcd.io/bbolt v1.3.6 h1:/ecaJf0sk1l4l6V4awd65v2C3ILy7MSj+s/x1ADCIMU=
-go.etcd.io/bbolt v1.3.6/go.mod h1:qXsaaIqmgQH0T+OPdb99Bf+PKfBBQVAdyD6TY9G8XM4=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
+go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
+go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
+go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A=
+go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4=
 go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
 go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
+golang.org/x/arch v0.0.0-20210923205945-b76863e36670/go.mod h1:5om86z9Hs0C8fWVUuoMHwpExlXzs5Tkyp9hOrfG7pp8=
+golang.org/x/arch v0.3.0 h1:02VY4/ZcO/gBOH6PUaoiptASxtXU10jazRCP865E97k=
+golang.org/x/arch v0.3.0/go.mod h1:5om86z9Hs0C8fWVUuoMHwpExlXzs5Tkyp9hOrfG7pp8=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.0.0-20220919173607-35f4265a4bc0 h1:a5Yg6ylndHHYJqIPrdq0AhvR6KTvDTAvgBtaidhEevY=
-golang.org/x/crypto v0.0.0-20220919173607-35f4265a4bc0/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
+golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
+golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
+golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
-golang.org/x/exp v0.0.0-20190731235908-ec7cb31e5a56/go.mod h1:JhuoJpWY28nO4Vef9tZUw9qufEGTyX1+7lmHxV5q5G4=
 golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek=
 golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY=
-golang.org/x/exp v0.0.0-20220921164117-439092de6870 h1:j8b6j9gzSigH28O5SjSpQSSh9lFd6f5D/q0aHjNTulc=
-golang.org/x/exp v0.0.0-20220921164117-439092de6870/go.mod h1:cyybsKvd6eL0RnXn6p/Grxp8F5bW7iYuBgsNCOHpMYE=
+golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1 h1:k/i9J1pBpvlfR+9QsetwPyERsqu1GIbi967PQMq3Ivc=
+golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1/go.mod h1:V1LtkGg67GoY2N1AnLN78QLrzxkLyJw7RJb1gzOOz9w=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
+golang.org/x/image v0.0.0-20200430140353-33d19683fad8/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@ -396,14 +521,14 @@ golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHl
 golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
 golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
-golang.org/x/mobile v0.0.0-20200801112145-973feb4309de/go.mod h1:skQtrUTUwhdJvXM/2KKJzY8pDgNr9I/FOMqDVRPBUS4=
 golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
 golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
-golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
-golang.org/x/mod v0.1.1-0.20191209134235-331c550502dd/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 h1:6zppjxzCulZykYSLyVDYbneBfbaBIQPYMevg0bEwv2s=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
+golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@ -418,24 +543,38 @@ golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn
 golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210916014120-12bc252f5db8/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20211029224645-99673261e6eb/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20220921203646-d300de134e69 h1:hUJpGDpnfwdJW8iNypFjmSY0sCBEL+spFTZ2eO+Sfps=
-golang.org/x/net v0.0.0-20220921203646-d300de134e69/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
+golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
+golang.org/x/net v0.34.0 h1:Mb7Mrk043xzHgnRM88suvJFwzVrRfHEHJEl5/71CKw0=
+golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.7.0 h1:qe6s0zUXlPX80/dITx3440hWZ7GwMwgDDyrSGTPJG/g=
+golang.org/x/oauth2 v0.7.0/go.mod h1:hPLQkd9LyjfXTiRohC/41GhcFqxisoUQ99sCUOHO9x4=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 h1:uVc8UZUe6tr40fFVnUP5Oj+veunVezqYl9z7DYw9xzw=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@ -445,39 +584,62 @@ golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200923182605-d9f96fdee20d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200720211630-cb9d2d5c5666/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210819135213-f52c844e1c1c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220315194320-039c03cc5b86/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211013075003-97ac67df715c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220704084225-05e143d24a9e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220919091848-fb04ddd9f9c8 h1:h+EGohizhe9XlX18rfpa8k8RAc5XyaeamM+0VHRd4lc=
-golang.org/x/sys v0.0.0-20220919091848-fb04ddd9f9c8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
+golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
+golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5-0.20201125200606-c27b9fd57aec/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
+golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@ -488,19 +650,23 @@ golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3
 golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190808195139-e713427fea3f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191112195655-aa38f8e97acc/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200117012304-6edc0a871e69/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200328031815-3db5fc6bac03/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.6-0.20210726203631-07bc1bf47fb2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.12 h1:VveCTK38A2rkS8ZqFY25HIDFscX5X9OoEhJd3quQmXU=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@ -510,10 +676,14 @@ google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E
 google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
 google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
 google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
+google.golang.org/api v0.114.0 h1:1xQPji6cO2E2vLiI+C/XiFAnsn1WV3mjaEwGLhi3grE=
+google.golang.org/api v0.114.0/go.mod h1:ifYI2ZsFK6/uGddGfAD5BMxlnkBqCmqHSDUVi45N5Yg=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
+google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
+google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
@ -523,20 +693,35 @@ google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8=
 google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20220921223823-23cae91e6737 h1:K1zaaMdYBXRyX+cwFnxj7M6zwDyumLQMZ5xqwGvjreQ=
-google.golang.org/genproto v0.0.0-20220921223823-23cae91e6737/go.mod h1:2r/26NEF3bFmT3eC3aZreahSal0C3Shl8Gi6vyDYqOQ=
+google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
+google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 h1:KpwkzHKEF7B9Zxg18WzOa7djJ+Ha5DzthMyZYQfEn2A=
+google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1/go.mod h1:nKE/iIaLqn2bQwXBg8f1g2Ylh6r5MN5CmZvuzZCgsCU=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
-google.golang.org/grpc v1.49.0 h1:WTLtQzmQori5FUH25Pq4WT22oCsv8USpQ+F6rqtsmxw=
-google.golang.org/grpc v1.49.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
+google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
+google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
+google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
+google.golang.org/grpc v1.56.3 h1:8I4C0Yq1EjstUzUJzpcRVbuYA2mODtEmpWiQoN/b2nc=
+google.golang.org/grpc v1.56.3/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s=
+google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
+google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
+google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
+google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
+google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
+google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w=
-google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
@ -548,6 +733,7 @@ gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
@ -555,7 +741,9 @@ gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 howett.net/plist v1.0.0 h1:7CrbWYbPPO/PyNy38b2EB/+gYbjCe2DXBxgtOOZbSQM=
 howett.net/plist v1.0.0/go.mod h1:lqaXoTrLY4hg8tnEzNru53gicrbv7rrk+2xJA/7hw9g=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
+rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4=
--- a/internal/api/api.go
+++ b/internal/api/api.go
@ -1,85 +0,0 @@
-// Copyright (c) 2022 Proton AG
-//
-// This file is part of Proton Mail Bridge.
-//
-// Proton Mail Bridge is free software: you can redistribute it and/or modify
-// it under the terms of the GNU General Public License as published by
-// the Free Software Foundation, either version 3 of the License, or
-// (at your option) any later version.
-//
-// Proton Mail Bridge is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License
-// along with Proton Mail Bridge. If not, see <https://www.gnu.org/licenses/>.
-
-// Package api provides HTTP API of the Bridge.
-//
-// API endpoints:
-//   - /focus, see focusHandler
-package api
-
-import (
-	"fmt"
-	"net/http"
-	"time"
-
-	"github.com/ProtonMail/proton-bridge/v2/internal/bridge"
-	"github.com/ProtonMail/proton-bridge/v2/internal/config/settings"
-	"github.com/ProtonMail/proton-bridge/v2/internal/events"
-	"github.com/ProtonMail/proton-bridge/v2/pkg/listener"
-	"github.com/ProtonMail/proton-bridge/v2/pkg/ports"
-	"github.com/sirupsen/logrus"
-)
-
-var log = logrus.WithField("pkg", "api") //nolint:gochecknoglobals
-
-type apiServer struct {
-	host          string
-	settings      *settings.Settings
-	eventListener listener.Listener
-}
-
-// NewAPIServer returns prepared API server struct.
-func NewAPIServer(settings *settings.Settings, eventListener listener.Listener) *apiServer { //nolint:revive
-	return &apiServer{
-		host:          bridge.Host,
-		settings:      settings,
-		eventListener: eventListener,
-	}
-}
-
-// Starts the server.
-func (api *apiServer) ListenAndServe() {
-	mux := http.NewServeMux()
-	mux.HandleFunc("/focus", wrapper(api, focusHandler))
-
-	addr := api.getAddress()
-	server := &http.Server{
-		Addr:              addr,
-		Handler:           mux,
-		ReadHeaderTimeout: 5 * time.Second, // fix gosec G112 (vulnerability to [Slowloris](https://www.cloudflare.com/en-gb/learning/ddos/ddos-attack-tools/slowloris/) attack).
-	}
-
-	log.Info("API listening at ", addr)
-	if err := server.ListenAndServe(); err != nil {
-		api.eventListener.Emit(events.ErrorEvent, "API failed: "+err.Error())
-		log.Error("API failed: ", err)
-	}
-	defer server.Close() //nolint:errcheck
-}
-
-func (api *apiServer) getAddress() string {
-	port := api.settings.GetInt(settings.APIPortKey)
-	newPort := ports.FindFreePortFrom(port)
-	if newPort != port {
-		api.settings.SetInt(settings.APIPortKey, newPort)
-	}
-	return getAPIAddress(api.host, newPort)
-}
-
-func getAPIAddress(host string, port int) string {
-	return fmt.Sprintf("%s:%d", host, port)
-}
--- a/internal/api/ctx.go
+++ b/internal/api/ctx.go
@ -1,51 +0,0 @@
-// Copyright (c) 2022 Proton AG
-//
-// This file is part of Proton Mail Bridge.
-//
-// Proton Mail Bridge is free software: you can redistribute it and/or modify
-// it under the terms of the GNU General Public License as published by
-// the Free Software Foundation, either version 3 of the License, or
-// (at your option) any later version.
-//
-// Proton Mail Bridge is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License
-// along with Proton Mail Bridge. If not, see <https://www.gnu.org/licenses/>.
-
-package api
-
-import (
-	"net/http"
-
-	"github.com/ProtonMail/proton-bridge/v2/pkg/listener"
-)
-
-// httpHandler with Go's Response and Request.
-type httpHandler func(http.ResponseWriter, *http.Request)
-
-// handler with our context.
-type handler func(handlerContext) error
-
-type handlerContext struct {
-	req           *http.Request
-	resp          http.ResponseWriter
-	eventListener listener.Listener
-}
-
-func wrapper(api *apiServer, callback handler) httpHandler {
-	return func(w http.ResponseWriter, req *http.Request) {
-		ctx := handlerContext{
-			req:           req,
-			resp:          w,
-			eventListener: api.eventListener,
-		}
-		err := callback(ctx)
-		if err != nil {
-			log.Error("API callback of ", req.URL, " failed: ", err)
-			http.Error(w, err.Error(), 500)
-		}
-	}
-}
--- a/internal/api/focus.go
+++ b/internal/api/focus.go
@ -1,51 +0,0 @@
-// Copyright (c) 2022 Proton AG
-//
-// This file is part of Proton Mail Bridge.
-//
-// Proton Mail Bridge is free software: you can redistribute it and/or modify
-// it under the terms of the GNU General Public License as published by
-// the Free Software Foundation, either version 3 of the License, or
-// (at your option) any later version.
-//
-// Proton Mail Bridge is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License
-// along with Proton Mail Bridge. If not, see <https://www.gnu.org/licenses/>.
-
-package api
-
-import (
-	"fmt"
-	"net/http"
-
-	"github.com/ProtonMail/proton-bridge/v2/internal/bridge"
-	"github.com/ProtonMail/proton-bridge/v2/internal/events"
-)
-
-// focusHandler should be called from other instances (attempt to start bridge
-// for the second time) to get focus in the currently running instance.
-func focusHandler(ctx handlerContext) error {
-	log.Info("Focus from other instance")
-	ctx.eventListener.Emit(events.SecondInstanceEvent, "")
-	fmt.Fprintf(ctx.resp, "OK")
-	return nil
-}
-
-// CheckOtherInstanceAndFocus is helper for new instances to check if there is
-// already a running instance and get it's focus.
-func CheckOtherInstanceAndFocus(port int) error {
-	addr := getAPIAddress(bridge.Host, port)
-	resp, err := (&http.Client{}).Get("http://" + addr + "/focus")
-	if err != nil {
-		return err
-	}
-	defer resp.Body.Close() //nolint:errcheck
-
-	if resp.StatusCode != 200 {
-		log.Error("Focus error: ", resp.StatusCode)
-	}
-	return nil
-}
--- a/internal/app/app.go
+++ b/internal/app/app.go
@ -0,0 +1,581 @@
+// Copyright (c) 2025 Proton AG
+//
+// This file is part of Proton Mail Bridge.
+//
+// Proton Mail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Proton Mail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Proton Mail Bridge.  If not, see <https://www.gnu.org/licenses/>.
+
+package app
+
+import (
+	"fmt"
+	"io"
+	"net/http"
+	"net/http/cookiejar"
+	"net/url"
+	"os"
+	"path/filepath"
+	"runtime"
+	"time"
+
+	"github.com/Masterminds/semver/v3"
+	"github.com/ProtonMail/gluon/async"
+	"github.com/ProtonMail/proton-bridge/v3/internal/bridge"
+	"github.com/ProtonMail/proton-bridge/v3/internal/constants"
+	"github.com/ProtonMail/proton-bridge/v3/internal/cookies"
+	"github.com/ProtonMail/proton-bridge/v3/internal/crash"
+	"github.com/ProtonMail/proton-bridge/v3/internal/events"
+	"github.com/ProtonMail/proton-bridge/v3/internal/focus"
+	"github.com/ProtonMail/proton-bridge/v3/internal/frontend/theme"
+	"github.com/ProtonMail/proton-bridge/v3/internal/locations"
+	"github.com/ProtonMail/proton-bridge/v3/internal/logging"
+	"github.com/ProtonMail/proton-bridge/v3/internal/sentry"
+	"github.com/ProtonMail/proton-bridge/v3/internal/useragent"
+	"github.com/ProtonMail/proton-bridge/v3/internal/vault"
+	"github.com/ProtonMail/proton-bridge/v3/pkg/keychain"
+	"github.com/ProtonMail/proton-bridge/v3/pkg/restarter"
+	"github.com/elastic/go-sysinfo"
+	"github.com/pkg/profile"
+	"github.com/sirupsen/logrus"
+	"github.com/urfave/cli/v2"
+)
+
+// Visible flags.
+const (
+	flagCPUProfile      = "cpu-prof"
+	flagCPUProfileShort = "p"
+
+	flagTraceProfile      = "trace-prof"
+	flagTraceProfileShort = "t"
+
+	flagMemProfile      = "mem-prof"
+	flagMemProfileShort = "m"
+
+	flagLogLevel      = "log-level"
+	flagLogLevelShort = "l"
+
+	flagGRPC      = "grpc"
+	flagGRPCShort = "g"
+
+	flagCLI      = "cli"
+	flagCLIShort = "c"
+
+	flagNonInteractive      = "noninteractive"
+	flagNonInteractiveShort = "n"
+
+	flagLogIMAP = "log-imap"
+	flagLogSMTP = "log-smtp"
+
+	flagEnableKeychainTest  = "enable-keychain-test"
+	flagDisableKeychainTest = "disable-keychain-test"
+
+	flagSoftwareRenderer    = "software-renderer"
+	flagSetSoftwareRenderer = "set-software-renderer"
+	flagSetHardwareRenderer = "set-hardware-renderer"
+)
+
+// Hidden flags.
+const (
+	flagLauncher  = "launcher"
+	flagNoWindow  = "no-window"
+	flagParentPID = "parent-pid"
+	FlagSessionID = "session-id"
+)
+
+const (
+	appUsage     = "Proton Mail IMAP and SMTP Bridge"
+	appShortName = "bridge"
+)
+
+// the two flags below have been deprecated by BRIDGE-281. We however keep them so that bridge does not error if they are passed on startup.
+var cliFlagEnableKeychainTest = &cli.BoolFlag{ //nolint:gochecknoglobals
+	Name:               flagEnableKeychainTest,
+	Usage:              "This flag is deprecated and does nothing",
+	Value:              false,
+	DisableDefaultText: true,
+	Hidden:             true,
+}
+
+var cliFlagDisableKeychainTest = &cli.BoolFlag{ //nolint:gochecknoglobals
+	Name:               flagDisableKeychainTest,
+	Usage:              "This flag is deprecated and does nothing",
+	Value:              false,
+	DisableDefaultText: true,
+	Hidden:             true,
+}
+
+func New() *cli.App {
+	app := cli.NewApp()
+
+	app.Name = constants.FullAppName
+	app.Usage = appUsage
+	app.Flags = []cli.Flag{
+		&cli.BoolFlag{
+			Name:    flagCPUProfile,
+			Aliases: []string{flagCPUProfileShort},
+			Usage:   "Generate CPU profile",
+		},
+		&cli.BoolFlag{
+			Name:    flagTraceProfile,
+			Aliases: []string{flagTraceProfileShort},
+			Usage:   "Generate Trace profile",
+		},
+		&cli.BoolFlag{
+			Name:    flagMemProfile,
+			Aliases: []string{flagMemProfileShort},
+			Usage:   "Generate memory profile",
+		},
+		&cli.StringFlag{
+			Name:    flagLogLevel,
+			Aliases: []string{flagLogLevelShort},
+			Usage:   "Set the log level (one of panic, fatal, error, warn, info, debug)",
+		},
+		&cli.BoolFlag{
+			Name:    flagGRPC,
+			Aliases: []string{flagGRPCShort},
+			Usage:   "Start the gRPC service",
+		},
+		&cli.BoolFlag{
+			Name:    flagCLI,
+			Aliases: []string{flagCLIShort},
+			Usage:   "Start the command line interface",
+		},
+		&cli.BoolFlag{
+			Name:    flagNonInteractive,
+			Aliases: []string{flagNonInteractiveShort},
+			Usage:   "Start the app in non-interactive mode",
+		},
+		&cli.StringFlag{
+			Name:  flagLogIMAP,
+			Usage: "Enable logging of IMAP communications (all|client|server) (may contain decrypted data!)",
+		},
+		&cli.BoolFlag{
+			Name:  flagLogSMTP,
+			Usage: "Enable logging of SMTP communications (may contain decrypted data!)",
+		},
+		&cli.BoolFlag{
+			Name:               flagSoftwareRenderer, // This flag is ignored by bridge, but should be passed to launcher in case of restart, so it need to be accepted by the CLI parser.
+			Usage:              "Use software rendering of the GUI for the current execution of the application",
+			Value:              false,
+			DisableDefaultText: true,
+		},
+		&cli.BoolFlag{
+			Name:               flagSetSoftwareRenderer, // This flag is ignored by bridge, we just want it to be shown in the help (BRIDGE-217).
+			Usage:              "Toggle software rendering of the GUI for the current and future executions of the application",
+			Value:              false,
+			DisableDefaultText: true,
+		},
+		&cli.BoolFlag{
+			Name:               flagSetHardwareRenderer, // This flag is ignored by bridge, we just want it to be shown in the help (BRIDGE-217).
+			Usage:              "Toggle hardware rendering of the GUI for the current and future executions of the application",
+			Value:              false,
+			DisableDefaultText: true,
+		},
+
+		// Hidden flags
+		&cli.BoolFlag{
+			Name:   flagNoWindow,
+			Usage:  "Don't show window after start",
+			Hidden: true,
+		},
+		&cli.StringFlag{
+			Name:   flagLauncher,
+			Usage:  "The launcher used to start the app",
+			Hidden: true,
+		},
+		&cli.IntFlag{
+			Name:   flagParentPID,
+			Usage:  "Process ID of the parent",
+			Hidden: true,
+			Value:  -1,
+		},
+		&cli.StringFlag{
+			Name:   FlagSessionID,
+			Hidden: true,
+		},
+	}
+
+	// We override the default help value because we want "Show" to be capitalized
+	cli.HelpFlag = &cli.BoolFlag{
+		Name:               "help",
+		Aliases:            []string{"h"},
+		Usage:              "Show help",
+		DisableDefaultText: true,
+	}
+
+	if onMacOS() {
+		// The two flags below were introduced for BRIDGE-116, and are available only on macOS.
+		// They have been later removed fro BRIDGE-281.
+		app.Flags = append(app.Flags, cliFlagEnableKeychainTest, cliFlagDisableKeychainTest)
+	}
+
+	app.Action = run
+
+	return app
+}
+
+func run(c *cli.Context) error {
+	// Get the current bridge version.
+	version, err := semver.NewVersion(constants.Version)
+	if err != nil {
+		return fmt.Errorf("could not create version: %w", err)
+	}
+
+	// Create a user agent that will be used for all requests.
+	identifier := useragent.New()
+
+	// Create a new Sentry client that will be used to report crashes etc.
+	reporter := sentry.NewReporter(constants.FullAppName, identifier)
+
+	// Determine the exe that should be used to restart/autostart the app.
+	// By default, this is the launcher, if used. Otherwise, we try to get
+	// the current exe, and fall back to os.Args[0] if that fails.
+	var exe string
+
+	if launcher := c.String(flagLauncher); launcher != "" {
+		exe = launcher
+	} else if executable, err := os.Executable(); err == nil {
+		exe = executable
+	} else {
+		exe = os.Args[0]
+	}
+
+	var logCloser io.Closer
+	defer func() {
+		_ = logging.Close(logCloser)
+	}()
+
+	// Restart the app if requested.
+	err = withRestarter(exe, func(restarter *restarter.Restarter) error {
+		// Handle crashes with various actions.
+		return withCrashHandler(restarter, reporter, func(crashHandler *crash.Handler, quitCh <-chan struct{}) error {
+			migrationErr := migrateOldVersions()
+
+			// Run with profiling if requested.
+			return withProfiler(c, func() error {
+				// Load the locations where we store our files.
+				return WithLocations(func(locations *locations.Locations) error {
+					// Migrate the keychain helper.
+					if err := migrateKeychainHelper(locations); err != nil {
+						logrus.WithError(err).Error("Failed to migrate keychain helper")
+					}
+
+					// Initialize logging.
+					return withLogging(c, crashHandler, locations, func(closer io.Closer) error {
+						logCloser = closer
+
+						// If there was an error during migration, log it now.
+						if migrationErr != nil {
+							logrus.WithError(migrationErr).Error("Failed to migrate old app data")
+						}
+
+						// Ensure we are the only instance running.
+						settings, err := locations.ProvideSettingsPath()
+						if err != nil {
+							logrus.WithError(err).Error("Failed to get settings path")
+						}
+
+						return withSingleInstance(settings, locations.GetLockFile(), version, func() error {
+							// Look for available keychains
+							return WithKeychainList(crashHandler, func(keychains *keychain.List) error {
+								// Unlock the encrypted vault.
+								return WithVault(reporter, locations, keychains, crashHandler, func(v *vault.Vault, insecure, corrupt bool) error {
+									if !v.Migrated() {
+										// Migrate old settings into the vault.
+										if err := migrateOldSettings(v); err != nil {
+											logrus.WithError(err).Error("Failed to migrate old settings")
+										}
+
+										// Migrate old accounts into the vault.
+										if err := migrateOldAccounts(locations, keychains, v); err != nil {
+											logrus.WithError(err).Error("Failed to migrate old accounts")
+										}
+
+										// The vault has been migrated.
+										if err := v.SetMigrated(); err != nil {
+											logrus.WithError(err).Error("Failed to mark vault as migrated")
+										}
+									}
+
+									logrus.WithFields(logrus.Fields{
+										"lastVersion": v.GetLastVersion().String(),
+										"showAllMail": v.GetShowAllMail(),
+										"updateCh":    v.GetUpdateChannel(),
+										"autoUpdate":  v.GetAutoUpdate(),
+										"rollout":     v.GetUpdateRollout(),
+										"DoH":         v.GetProxyAllowed(),
+									}).Info("Vault loaded")
+
+									// Load the cookies from the vault.
+									return withCookieJar(v, func(cookieJar http.CookieJar) error {
+										// Create a new bridge instance.
+										return withBridge(c, exe, locations, version, identifier, crashHandler, reporter, v, cookieJar, keychains, func(b *bridge.Bridge, eventCh <-chan events.Event) error {
+											if insecure {
+												logrus.Warn("The vault key could not be retrieved; the vault will not be encrypted")
+												b.PushError(bridge.ErrVaultInsecure)
+											}
+
+											if corrupt {
+												logrus.Warn("The vault is corrupt and has been wiped")
+												b.PushError(bridge.ErrVaultCorrupt)
+											}
+
+											// Remove old updates files
+											b.RemoveOldUpdates()
+
+											// Run the frontend.
+											return runFrontend(c, crashHandler, restarter, locations, b, eventCh, quitCh, c.Int(flagParentPID))
+										})
+									})
+								})
+							})
+						})
+					})
+				})
+			})
+		})
+	})
+
+	// if an error occurs, it must be logged now because we're about to close the log file.
+	if err != nil {
+		logrus.Fatal(err)
+	}
+
+	return err
+}
+
+// If there's another instance already running, try to raise it and exit.
+func withSingleInstance(settingPath, lockFile string, version *semver.Version, fn func() error) error {
+	logrus.Debug("Checking for other instances")
+	defer logrus.Debug("Single instance stopped")
+
+	lock, err := checkSingleInstance(settingPath, lockFile, version)
+	if err != nil {
+		logrus.Info("Another instance is already running; raising it")
+
+		if ok := focus.TryRaise(settingPath); !ok {
+			return fmt.Errorf("another instance is already running but it could not be raised")
+		}
+
+		logrus.Info("The other instance has been raised")
+
+		return nil
+	}
+
+	defer func() {
+		if err := lock.Close(); err != nil {
+			logrus.WithError(err).Error("Failed to close lock file")
+		}
+	}()
+
+	return fn()
+}
+
+// Initialize our logging system.
+func withLogging(c *cli.Context, crashHandler *crash.Handler, locations *locations.Locations, fn func(closer io.Closer) error) error {
+	logrus.Debug("Initializing logging")
+	defer logrus.Debug("Logging stopped")
+
+	// Get a place to keep our logs.
+	logsPath, err := locations.ProvideLogsPath()
+	if err != nil {
+		return fmt.Errorf("could not provide logs path: %w", err)
+	}
+
+	logrus.WithField("path", logsPath).Debug("Received logs path")
+
+	// Initialize logging.
+	sessionID := logging.NewSessionIDFromString(c.String(FlagSessionID))
+	var closer io.Closer
+	if closer, err = logging.Init(
+		logsPath,
+		sessionID,
+		logging.BridgeShortAppName,
+		logging.DefaultMaxLogFileSize,
+		logging.DefaultPruningSize,
+		c.String(flagLogLevel),
+	); err != nil {
+		return fmt.Errorf("could not initialize logging: %w", err)
+	}
+
+	// Ensure we dump a stack trace if we crash.
+	crashHandler.AddRecoveryAction(logging.DumpStackTrace(logsPath, sessionID, appShortName))
+
+	logrus.
+		WithField("appName", constants.FullAppName).
+		WithField("version", constants.Version).
+		WithField("revision", constants.Revision).
+		WithField("tag", constants.Tag).
+		WithField("build", constants.BuildTime).
+		WithField("runtime", runtime.GOOS).
+		WithField("args", os.Args).
+		WithField("SentryID", sentry.GetProtectedHostname()).
+		Info("Run app")
+
+	now := time.Now()
+	logrus.
+		WithField("timeZone", now.Format("MST")).
+		WithField("offset", now.Format("-07:00:00")).
+		Info("Time zone info")
+
+	host, err := sysinfo.Host()
+	if err != nil {
+		logrus.WithError(err).Error("Could not retrieve operating system info")
+	} else {
+		osInfo := host.Info().OS
+		logrus.
+			WithField("name", osInfo.Name).
+			WithField("version", osInfo.Version).
+			WithField("build", osInfo.Build).
+			Info("Operating system info")
+	}
+
+	return fn(closer)
+}
+
+// WithLocations provides access to locations where we store our files.
+func WithLocations(fn func(*locations.Locations) error) error {
+	logrus.Debug("Creating locations")
+	defer logrus.Debug("Locations stopped")
+
+	// Create a locations provider to determine where to store our files.
+	provider, err := locations.NewDefaultProvider(filepath.Join(constants.VendorName, constants.ConfigName))
+	if err != nil {
+		return fmt.Errorf("could not create locations provider: %w", err)
+	}
+
+	// Create a new locations object that will be used to provide paths to store files.
+	return fn(locations.New(provider, constants.ConfigName))
+}
+
+// Start profiling if requested.
+func withProfiler(c *cli.Context, fn func() error) error {
+	defer logrus.Debug("Profiler stopped")
+
+	if c.Bool(flagCPUProfile) {
+		logrus.Debug("Running with CPU profiling")
+		defer profile.Start(profile.CPUProfile, profile.ProfilePath(".")).Stop()
+	}
+
+	if c.Bool(flagTraceProfile) {
+		logrus.Debug("Running with Trace profiling")
+		defer profile.Start(profile.TraceProfile, profile.ProfilePath(".")).Stop()
+	}
+
+	if c.Bool(flagMemProfile) {
+		logrus.Debug("Running with memory profiling")
+		defer profile.Start(profile.MemProfile, profile.MemProfileAllocs, profile.ProfilePath(".")).Stop()
+	}
+
+	return fn()
+}
+
+// Restart the app if necessary.
+func withRestarter(exe string, fn func(*restarter.Restarter) error) error {
+	logrus.Debug("Creating restarter")
+	defer logrus.Debug("Restarter stopped")
+
+	restarter := restarter.New(exe)
+	defer restarter.Restart()
+
+	return fn(restarter)
+}
+
+// Handle crashes if they occur.
+func withCrashHandler(restarter *restarter.Restarter, reporter *sentry.Reporter, fn func(*crash.Handler, <-chan struct{}) error) error {
+	logrus.Debug("Creating crash handler")
+	defer logrus.Debug("Crash handler stopped")
+
+	crashHandler := crash.NewHandler(crash.ShowErrorNotification(constants.FullAppName))
+	defer async.HandlePanic(crashHandler)
+
+	// On crash, send crash report to Sentry.
+	crashHandler.AddRecoveryAction(reporter.ReportException)
+
+	// On crash, notify the user and restart the app.
+	crashHandler.AddRecoveryAction(crash.ShowErrorNotification(constants.FullAppName))
+
+	// On crash, restart the app.
+	crashHandler.AddRecoveryAction(func(any) error { restarter.Set(true, true); return nil })
+
+	// quitCh is closed when the app is quitting.
+	quitCh := make(chan struct{})
+
+	// On crash, quit the app.
+	crashHandler.AddRecoveryAction(func(any) error { close(quitCh); return nil })
+
+	return fn(crashHandler, quitCh)
+}
+
+// Use a custom cookie jar to persist values across runs.
+func withCookieJar(vault *vault.Vault, fn func(http.CookieJar) error) error {
+	logrus.Debug("Creating cookie jar")
+	defer logrus.Debug("Cookie jar stopped")
+
+	// Create the underlying cookie jar.
+	jar, err := cookiejar.New(nil)
+	if err != nil {
+		return fmt.Errorf("could not create cookie jar: %w", err)
+	}
+
+	// Create the cookie jar which persists to the vault.
+	persister, err := cookies.NewCookieJar(jar, vault)
+	if err != nil {
+		return fmt.Errorf("could not create cookie jar: %w", err)
+	}
+
+	if err := setDeviceCookies(persister); err != nil {
+		return fmt.Errorf("could not set device cookies: %w", err)
+	}
+
+	// Persist the cookies to the vault when we close.
+	defer func() {
+		logrus.Debug("Persisting cookies")
+
+		if err := persister.PersistCookies(); err != nil {
+			logrus.WithError(err).Error("Failed to persist cookies")
+		}
+	}()
+
+	return fn(persister)
+}
+
+// WithKeychainList init the list of usable keychains.
+func WithKeychainList(panicHandler async.PanicHandler, fn func(*keychain.List) error) error {
+	logrus.Debug("Creating keychain list")
+	defer logrus.Debug("Keychain list stop")
+	defer async.HandlePanic(panicHandler)
+	return fn(keychain.NewList())
+}
+
+func setDeviceCookies(jar *cookies.Jar) error {
+	url, err := url.Parse(constants.APIHost)
+	if err != nil {
+		return err
+	}
+
+	for name, value := range map[string]string{
+		"hhn": sentry.GetProtectedHostname(),
+		"tz":  sentry.GetTimeZone(),
+		"lng": sentry.GetSystemLang(),
+		"clr": string(theme.DefaultTheme()),
+	} {
+		jar.SetCookies(url, []*http.Cookie{{Name: name, Value: value, Secure: true}})
+	}
+
+	return nil
+}
+
+func onMacOS() bool {
+	return runtime.GOOS == "darwin"
+}
--- a/internal/app/base/args.go
+++ b/internal/app/base/args.go
@ -1,35 +0,0 @@
-// Copyright (c) 2022 Proton AG
-//
-// This file is part of Proton Mail Bridge.
-//
-// Proton Mail Bridge is free software: you can redistribute it and/or modify
-// it under the terms of the GNU General Public License as published by
-// the Free Software Foundation, either version 3 of the License, or
-// (at your option) any later version.
-//
-// Proton Mail Bridge is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License
-// along with Proton Mail Bridge. If not, see <https://www.gnu.org/licenses/>.
-
-package base
-
-import "strings"
-
-// StripProcessSerialNumber removes additional flag from macOS.
-// More info:
-// http://mirror.informatimago.com/next/developer.apple.com/documentation/Carbon/Reference/Process_Manager/prmref_main/data_type_5.html#//apple_ref/doc/uid/TP30000208/C001951
-func StripProcessSerialNumber(args []string) []string {
-	res := args[:0]
-
-	for _, arg := range args {
-		if !strings.Contains(arg, "-psn_") {
-			res = append(res, arg)
-		}
-	}
-
-	return res
-}
--- a/internal/app/base/base.go
+++ b/internal/app/base/base.go
@ -1,424 +0,0 @@
-// Copyright (c) 2022 Proton AG
-//
-// This file is part of Proton Mail Bridge.
-//
-// Proton Mail Bridge is free software: you can redistribute it and/or modify
-// it under the terms of the GNU General Public License as published by
-// the Free Software Foundation, either version 3 of the License, or
-// (at your option) any later version.
-//
-// Proton Mail Bridge is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License
-// along with Proton Mail Bridge. If not, see <https://www.gnu.org/licenses/>.
-
-// Package base implements a common application base currently shared by bridge and IE.
-// The base includes the following:
-//   - access to standard filesystem locations like config, cache, logging dirs
-//   - an extensible crash handler
-//   - versioned cache directory
-//   - persistent settings
-//   - event listener
-//   - credentials store
-//   - pmapi Manager
-//
-// In addition, the base initialises logging and reacts to command line arguments
-// which control the log verbosity and enable cpu/memory profiling.
-package base
-
-import (
-	"math/rand"
-	"os"
-	"path/filepath"
-	"runtime"
-	"runtime/pprof"
-	"time"
-
-	"github.com/Masterminds/semver/v3"
-	"github.com/ProtonMail/go-autostart"
-	"github.com/ProtonMail/gopenpgp/v2/crypto"
-	"github.com/ProtonMail/proton-bridge/v2/internal/api"
-	"github.com/ProtonMail/proton-bridge/v2/internal/config/cache"
-	"github.com/ProtonMail/proton-bridge/v2/internal/config/settings"
-	"github.com/ProtonMail/proton-bridge/v2/internal/config/tls"
-	"github.com/ProtonMail/proton-bridge/v2/internal/config/useragent"
-	"github.com/ProtonMail/proton-bridge/v2/internal/constants"
-	"github.com/ProtonMail/proton-bridge/v2/internal/cookies"
-	"github.com/ProtonMail/proton-bridge/v2/internal/crash"
-	"github.com/ProtonMail/proton-bridge/v2/internal/events"
-	"github.com/ProtonMail/proton-bridge/v2/internal/locations"
-	"github.com/ProtonMail/proton-bridge/v2/internal/logging"
-	"github.com/ProtonMail/proton-bridge/v2/internal/sentry"
-	"github.com/ProtonMail/proton-bridge/v2/internal/updater"
-	"github.com/ProtonMail/proton-bridge/v2/internal/users/credentials"
-	"github.com/ProtonMail/proton-bridge/v2/internal/versioner"
-	"github.com/ProtonMail/proton-bridge/v2/pkg/keychain"
-	"github.com/ProtonMail/proton-bridge/v2/pkg/listener"
-	"github.com/ProtonMail/proton-bridge/v2/pkg/pmapi"
-	"github.com/sirupsen/logrus"
-	"github.com/urfave/cli/v2"
-)
-
-const (
-	flagCPUProfile      = "cpu-prof"
-	flagCPUProfileShort = "p"
-	flagMemProfile      = "mem-prof"
-	flagMemProfileShort = "m"
-	flagLogLevel        = "log-level"
-	flagLogLevelShort   = "l"
-	// FlagCLI indicate to start with command line interface.
-	FlagCLI      = "cli"
-	flagCLIShort = "c"
-	flagRestart  = "restart"
-	FlagLauncher = "launcher"
-	FlagNoWindow = "no-window"
-)
-
-type Base struct {
-	SentryReporter *sentry.Reporter
-	CrashHandler   *crash.Handler
-	Locations      *locations.Locations
-	Settings       *settings.Settings
-	Lock           *os.File
-	Cache          *cache.Cache
-	Listener       listener.Listener
-	Creds          *credentials.Store
-	CM             pmapi.Manager
-	CookieJar      *cookies.Jar
-	UserAgent      *useragent.UserAgent
-	Updater        *updater.Updater
-	Versioner      *versioner.Versioner
-	TLS            *tls.TLS
-	Autostart      *autostart.App
-
-	Name           string // the app's name
-	usage          string // the app's usage description
-	command        string // the command used to launch the app (either the exe path or the launcher path)
-	restart        bool   // whether the app is currently set to restart
-	launcher       string // launcher to be used if not set in args
-	mainExecutable string // mainExecutable  the main executable process.
-
-	teardown []func() error // actions to perform when app is exiting
-}
-
-func New( //nolint:funlen
-	appName,
-	appUsage,
-	configName,
-	updateURLName,
-	keychainName,
-	cacheVersion string,
-) (*Base, error) {
-	userAgent := useragent.New()
-
-	sentryReporter := sentry.NewReporter(appName, constants.Version, userAgent)
-
-	crashHandler := crash.NewHandler(
-		sentryReporter.ReportException,
-		crash.ShowErrorNotification(appName),
-	)
-	defer crashHandler.HandlePanic()
-
-	rand.Seed(time.Now().UnixNano())
-	os.Args = StripProcessSerialNumber(os.Args)
-
-	locationsProvider, err := locations.NewDefaultProvider(filepath.Join(constants.VendorName, configName))
-	if err != nil {
-		return nil, err
-	}
-
-	locations := locations.New(locationsProvider, configName)
-
-	logsPath, err := locations.ProvideLogsPath()
-	if err != nil {
-		return nil, err
-	}
-	if err := logging.Init(logsPath); err != nil {
-		return nil, err
-	}
-	crashHandler.AddRecoveryAction(logging.DumpStackTrace(logsPath))
-
-	if err := migrateFiles(configName); err != nil {
-		logrus.WithError(err).Warn("Old config files could not be migrated")
-	}
-
-	if err := locations.Clean(); err != nil {
-		return nil, err
-	}
-
-	settingsPath, err := locations.ProvideSettingsPath()
-	if err != nil {
-		return nil, err
-	}
-	settingsObj := settings.New(settingsPath)
-
-	lock, err := checkSingleInstance(locations.GetLockFile(), settingsObj)
-	if err != nil {
-		logrus.WithError(err).Warnf("%v is already running", appName)
-		return nil, api.CheckOtherInstanceAndFocus(settingsObj.GetInt(settings.APIPortKey))
-	}
-
-	if err := migrateRebranding(settingsObj, keychainName); err != nil {
-		logrus.WithError(err).Warn("Rebranding migration failed")
-	}
-
-	cachePath, err := locations.ProvideCachePath()
-	if err != nil {
-		return nil, err
-	}
-	cache, err := cache.New(cachePath, cacheVersion)
-	if err != nil {
-		return nil, err
-	}
-	if err := cache.RemoveOldVersions(); err != nil {
-		return nil, err
-	}
-
-	listener := listener.New()
-	events.SetupEvents(listener)
-
-	// If we can't load the keychain for whatever reason,
-	// we signal to frontend and supply a dummy keychain that always returns errors.
-	kc, err := keychain.NewKeychain(settingsObj, keychainName)
-	if err != nil {
-		listener.Emit(events.CredentialsErrorEvent, err.Error())
-		kc = keychain.NewMissingKeychain()
-	}
-
-	cfg := pmapi.NewConfig(configName, constants.Version)
-	cfg.GetUserAgent = userAgent.String
-	cfg.UpgradeApplicationHandler = func() { listener.Emit(events.UpgradeApplicationEvent, "") }
-	cfg.TLSIssueHandler = func() { listener.Emit(events.TLSCertIssue, "") }
-
-	cm := pmapi.New(cfg)
-
-	sentryReporter.SetClientFromManager(cm)
-
-	cm.AddConnectionObserver(pmapi.NewConnectionObserver(
-		func() { listener.Emit(events.InternetConnChangedEvent, events.InternetOff) },
-		func() { listener.Emit(events.InternetConnChangedEvent, events.InternetOn) },
-	))
-
-	jar, err := cookies.NewCookieJar(settingsObj)
-	if err != nil {
-		return nil, err
-	}
-
-	cm.SetCookieJar(jar)
-
-	key, err := crypto.NewKeyFromArmored(updater.DefaultPublicKey)
-	if err != nil {
-		return nil, err
-	}
-
-	kr, err := crypto.NewKeyRing(key)
-	if err != nil {
-		return nil, err
-	}
-
-	updatesDir, err := locations.ProvideUpdatesPath()
-	if err != nil {
-		return nil, err
-	}
-
-	versioner := versioner.New(updatesDir)
-	installer := updater.NewInstaller(versioner)
-	updater := updater.New(
-		cm,
-		installer,
-		settingsObj,
-		kr,
-		semver.MustParse(constants.Version),
-		updateURLName,
-		runtime.GOOS,
-	)
-
-	exe, err := os.Executable()
-	if err != nil {
-		return nil, err
-	}
-
-	autostart := &autostart.App{
-		Name:        startupNameForRebranding(appName),
-		DisplayName: appName,
-		Exec:        []string{exe, "--" + FlagNoWindow},
-	}
-
-	return &Base{
-		SentryReporter: sentryReporter,
-		CrashHandler:   crashHandler,
-		Locations:      locations,
-		Settings:       settingsObj,
-		Lock:           lock,
-		Cache:          cache,
-		Listener:       listener,
-		Creds:          credentials.NewStore(kc),
-		CM:             cm,
-		CookieJar:      jar,
-		UserAgent:      userAgent,
-		Updater:        updater,
-		Versioner:      versioner,
-		TLS:            tls.New(settingsPath),
-		Autostart:      autostart,
-
-		Name:  appName,
-		usage: appUsage,
-
-		// By default, the command is the app's executable.
-		// This can be changed at runtime by using the "--launcher" flag.
-		command: exe,
-		// By default, the command is the app's executable.
-		// This can be changed at runtime by summoning the SetMainExecutable gRPC call.
-		mainExecutable: exe,
-	}, nil
-}
-
-func (b *Base) NewApp(mainLoop func(*Base, *cli.Context) error) *cli.App {
-	app := cli.NewApp()
-
-	app.Name = b.Name
-	app.Usage = b.usage
-	app.Version = constants.Version
-	app.Action = b.wrapMainLoop(mainLoop)
-	app.Flags = []cli.Flag{
-		&cli.BoolFlag{
-			Name:    flagCPUProfile,
-			Aliases: []string{flagCPUProfileShort},
-			Usage:   "Generate CPU profile",
-		},
-		&cli.BoolFlag{
-			Name:    flagMemProfile,
-			Aliases: []string{flagMemProfileShort},
-			Usage:   "Generate memory profile",
-		},
-		&cli.StringFlag{
-			Name:    flagLogLevel,
-			Aliases: []string{flagLogLevelShort},
-			Usage:   "Set the log level (one of panic, fatal, error, warn, info, debug)",
-		},
-		&cli.BoolFlag{
-			Name:    FlagCLI,
-			Aliases: []string{flagCLIShort},
-			Usage:   "Use command line interface",
-		},
-		&cli.BoolFlag{
-			Name:  FlagNoWindow,
-			Usage: "Don't show window after start",
-		},
-		&cli.StringFlag{
-			Name:   flagRestart,
-			Usage:  "The number of times the application has already restarted",
-			Hidden: true,
-		},
-		&cli.StringFlag{
-			Name:   FlagLauncher,
-			Usage:  "The launcher to use to restart the application",
-			Hidden: true,
-		},
-	}
-
-	return app
-}
-
-// SetToRestart sets the app to restart the next time it is closed.
-func (b *Base) SetToRestart() {
-	b.restart = true
-}
-
-func (b *Base) ForceLauncher(launcher string) {
-	b.launcher = launcher
-	b.setupLauncher(launcher)
-}
-
-func (b *Base) SetMainExecutable(exe string) {
-	logrus.Info("Main Executable set to ", exe)
-	b.mainExecutable = exe
-}
-
-// AddTeardownAction adds an action to perform during app teardown.
-func (b *Base) AddTeardownAction(fn func() error) {
-	b.teardown = append(b.teardown, fn)
-}
-
-func (b *Base) wrapMainLoop(appMainLoop func(*Base, *cli.Context) error) cli.ActionFunc { //nolint:funlen
-	return func(c *cli.Context) error {
-		defer b.CrashHandler.HandlePanic()
-		defer func() { _ = b.Lock.Close() }()
-
-		// If launcher was used to start the app, use that for restart
-		// and autostart.
-		if launcher := c.String(FlagLauncher); launcher != "" {
-			b.setupLauncher(launcher)
-		}
-
-		if c.Bool(flagCPUProfile) {
-			startCPUProfile()
-			defer pprof.StopCPUProfile()
-		}
-
-		if c.Bool(flagMemProfile) {
-			defer makeMemoryProfile()
-		}
-
-		logging.SetLevel(c.String(flagLogLevel))
-		b.CM.SetLogging(logrus.WithField("pkg", "pmapi"), logrus.GetLevel() == logrus.TraceLevel)
-
-		logrus.
-			WithField("appName", b.Name).
-			WithField("version", constants.Version).
-			WithField("revision", constants.Revision).
-			WithField("build", constants.BuildTime).
-			WithField("runtime", runtime.GOOS).
-			WithField("args", os.Args).
-			Info("Run app")
-
-		b.CrashHandler.AddRecoveryAction(func(interface{}) error {
-			sentry.Flush(2 * time.Second)
-
-			if c.Int(flagRestart) > maxAllowedRestarts {
-				logrus.
-					WithField("restart", c.Int("restart")).
-					Warn("Not restarting, already restarted too many times")
-				os.Exit(1)
-
-				return nil
-			}
-
-			return b.restartApp(true)
-		})
-
-		if err := appMainLoop(b, c); err != nil {
-			return err
-		}
-
-		if err := b.doTeardown(); err != nil {
-			return err
-		}
-
-		if b.restart {
-			return b.restartApp(false)
-		}
-
-		return nil
-	}
-}
-
-func (b *Base) doTeardown() error {
-	for _, action := range b.teardown {
-		if err := action(); err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func (b *Base) setupLauncher(launcher string) {
-	b.command = launcher
-	// Bridge supports no-window option which we should use
-	// for autostart.
-	b.Autostart.Exec = []string{launcher, "--" + FlagNoWindow}
-}
--- a/internal/app/base/migration.go
+++ b/internal/app/base/migration.go
@ -1,131 +0,0 @@
-// Copyright (c) 2022 Proton AG
-//
-// This file is part of Proton Mail Bridge.
-//
-// Proton Mail Bridge is free software: you can redistribute it and/or modify
-// it under the terms of the GNU General Public License as published by
-// the Free Software Foundation, either version 3 of the License, or
-// (at your option) any later version.
-//
-// Proton Mail Bridge is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License
-// along with Proton Mail Bridge. If not, see <https://www.gnu.org/licenses/>.
-
-package base
-
-import (
-	"os"
-	"path/filepath"
-
-	"github.com/ProtonMail/proton-bridge/v2/internal/constants"
-	"github.com/ProtonMail/proton-bridge/v2/internal/locations"
-	"github.com/sirupsen/logrus"
-)
-
-// migrateFiles migrates files from their old (pre-refactor) locations to their new locations.
-// We can remove this eventually.
-//
-// | entity    |               old location                |            new location                |
-// |-----------|-------------------------------------------|----------------------------------------|
-// | prefs     | ~/.cache/protonmail/<app>/c11/prefs.json  | ~/.config/protonmail/<app>/prefs.json  |
-// | c11 1.5.x | ~/.cache/protonmail/<app>/c11             | ~/.cache/protonmail/<app>/cache/c11    |
-// | c11 1.6.x | ~/.cache/protonmail/<app>/cache/c11       | ~/.config/protonmail/<app>/cache/c11   |
-// | updates   | ~/.cache/protonmail/<app>/updates         | ~/.config/protonmail/<app>/updates     |.
-func migrateFiles(configName string) error {
-	locationsProvider, err := locations.NewDefaultProvider(filepath.Join(constants.VendorName, configName))
-	if err != nil {
-		return err
-	}
-
-	locations := locations.New(locationsProvider, configName)
-	userCacheDir := locationsProvider.UserCache()
-
-	if err := migratePrefsFrom15x(locations, userCacheDir); err != nil {
-		return err
-	}
-	if err := migrateCacheFromBoth15xAnd16x(locations, userCacheDir); err != nil {
-		return err
-	}
-	if err := migrateUpdatesFrom16x(configName, locations); err != nil { //nolint:revive It is more clear to structure this way
-		return err
-	}
-	return nil
-}
-
-func migratePrefsFrom15x(locations *locations.Locations, userCacheDir string) error {
-	newSettingsDir, err := locations.ProvideSettingsPath()
-	if err != nil {
-		return err
-	}
-
-	return moveIfExists(
-		filepath.Join(userCacheDir, "c11", "prefs.json"),
-		filepath.Join(newSettingsDir, "prefs.json"),
-	)
-}
-
-func migrateCacheFromBoth15xAnd16x(locations *locations.Locations, userCacheDir string) error {
-	olderCacheDir := userCacheDir
-	newerCacheDir := locations.GetOldCachePath()
-	latestCacheDir, err := locations.ProvideCachePath()
-	if err != nil {
-		return err
-	}
-
-	// Migration for versions before 1.6.x.
-	if err := moveIfExists(
-		filepath.Join(olderCacheDir, "c11"),
-		filepath.Join(latestCacheDir, "c11"),
-	); err != nil {
-		return err
-	}
-
-	// Migration for versions 1.6.x.
-	return moveIfExists(
-		filepath.Join(newerCacheDir, "c11"),
-		filepath.Join(latestCacheDir, "c11"),
-	)
-}
-
-func migrateUpdatesFrom16x(configName string, locations *locations.Locations) error {
-	// In order to properly update Bridge 1.6.X and higher we need to
-	// change the launcher first. Since this is not part of automatic
-	// updates the migration must wait until manual update. Until that
-	// we need to keep old path.
-	if configName == "bridge" {
-		return nil
-	}
-
-	oldUpdatesPath := locations.GetOldUpdatesPath()
-	// Do not use ProvideUpdatesPath, that creates dir right away.
-	newUpdatesPath := locations.GetUpdatesPath()
-
-	return moveIfExists(oldUpdatesPath, newUpdatesPath)
-}
-
-func moveIfExists(source, destination string) error {
-	l := logrus.WithField("source", source).WithField("destination", destination)
-
-	if _, err := os.Stat(source); os.IsNotExist(err) {
-		l.Info("No need to migrate file, source doesn't exist")
-		return nil
-	}
-
-	if _, err := os.Stat(destination); !os.IsNotExist(err) {
-		// Once migrated, files should not stay in source anymore. Therefore
-		// if some files are still in source location but target already exist,
-		// it's suspicious. Could happen by installing new version, then the
-		// old one because of some reason, and then the new one again.
-		// Good to see as warning because it could be a reason why Bridge is
-		// behaving weirdly, like wrong configuration, or db re-sync and so on.
-		l.Warn("No need to migrate file, target already exists")
-		return nil
-	}
-
-	l.Info("Migrating files")
-	return os.Rename(source, destination)
-}
--- a/internal/app/base/migration_rebranding.go
+++ b/internal/app/base/migration_rebranding.go
@ -1,197 +0,0 @@
-// Copyright (c) 2022 Proton AG
-//
-// This file is part of Proton Mail Bridge.
-//
-// Proton Mail Bridge is free software: you can redistribute it and/or modify
-// it under the terms of the GNU General Public License as published by
-// the Free Software Foundation, either version 3 of the License, or
-// (at your option) any later version.
-//
-// Proton Mail Bridge is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License
-// along with Proton Mail Bridge. If not, see <https://www.gnu.org/licenses/>.
-
-package base
-
-import (
-	"errors"
-	"os"
-	"path/filepath"
-	"runtime"
-	"strings"
-
-	"github.com/ProtonMail/proton-bridge/v2/internal/config/settings"
-	"github.com/ProtonMail/proton-bridge/v2/pkg/keychain"
-	"github.com/hashicorp/go-multierror"
-	"github.com/sirupsen/logrus"
-)
-
-const darwin = "darwin"
-
-func migrateRebranding(settingsObj *settings.Settings, keychainName string) (result error) {
-	if err := migrateStartupBeforeRebranding(); err != nil {
-		result = multierror.Append(result, err)
-	}
-
-	lastUsedVersion := settingsObj.Get(settings.LastVersionKey)
-
-	// Skipping migration: it is first bridge start or cache was cleared.
-	if lastUsedVersion == "" {
-		settingsObj.SetBool(settings.RebrandingMigrationKey, true)
-		return
-	}
-
-	// Skipping rest of migration: already done
-	if settingsObj.GetBool(settings.RebrandingMigrationKey) {
-		return
-	}
-
-	switch runtime.GOOS {
-	case "windows", "linux":
-		// GODT-1260 we would need admin rights to changes desktop files
-		// and start menu items.
-		settingsObj.SetBool(settings.RebrandingMigrationKey, true)
-	case darwin:
-		if shouldContinue, err := isMacBeforeRebranding(); !shouldContinue || err != nil {
-			if err != nil {
-				result = multierror.Append(result, err)
-			}
-			break
-		}
-
-		if err := migrateMacKeychainBeforeRebranding(settingsObj, keychainName); err != nil {
-			result = multierror.Append(result, err)
-		}
-
-		settingsObj.SetBool(settings.RebrandingMigrationKey, true)
-	}
-
-	return result
-}
-
-// migrateMacKeychainBeforeRebranding deals with write access restriction to
-// mac keychain passwords which are caused by application renaming. The old
-// passwords are copied under new name in order to have write access afer
-// renaming.
-func migrateMacKeychainBeforeRebranding(settingsObj *settings.Settings, keychainName string) error {
-	l := logrus.WithField("pkg", "app/base/migration")
-	l.Warn("Migrating mac keychain")
-
-	helperConstructor, ok := keychain.Helpers["macos-keychain"]
-	if !ok {
-		return errors.New("cannot find macos-keychain helper")
-	}
-
-	oldKC, err := helperConstructor("ProtonMailBridgeService")
-	if err != nil {
-		l.WithError(err).Error("Keychain constructor failed")
-		return err
-	}
-
-	idByURL, err := oldKC.List()
-	if err != nil {
-		l.WithError(err).Error("List old keychain failed")
-		return err
-	}
-
-	newKC, err := keychain.NewKeychain(settingsObj, keychainName)
-	if err != nil {
-		return err
-	}
-
-	for url, id := range idByURL {
-		li := l.WithField("id", id).WithField("url", url)
-		userID, secret, err := oldKC.Get(url)
-		if err != nil {
-			li.WithField("userID", userID).
-				WithField("err", err).
-				Error("Faild to get old item")
-			continue
-		}
-
-		if _, _, err := newKC.Get(userID); err == nil {
-			li.Warn("Skipping migration, item already exists.")
-			continue
-		}
-
-		if err := newKC.Put(userID, secret); err != nil {
-			li.WithError(err).Error("Failed to migrate user")
-		}
-
-		li.Info("Item migrated")
-	}
-
-	return nil
-}
-
-// migrateStartupBeforeRebranding removes old startup links. The creation of new links is
-// handled by bridge initialisation.
-func migrateStartupBeforeRebranding() error {
-	path, err := os.UserHomeDir()
-	if err != nil {
-		return err
-	}
-
-	switch runtime.GOOS {
-	case "windows":
-		path = filepath.Join(path, `AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProtonMail Bridge.lnk`)
-	case "linux":
-		path = filepath.Join(path, `.config/autostart/ProtonMail Bridge.desktop`)
-	case darwin:
-		path = filepath.Join(path, `Library/LaunchAgents/ProtonMail Bridge.plist`)
-	default:
-		return errors.New("unknown GOOS")
-	}
-
-	if _, err := os.Stat(path); os.IsNotExist(err) {
-		return nil
-	}
-
-	logrus.WithField("pkg", "app/base/migration").Warn("Migrating autostartup links")
-	return os.Remove(path)
-}
-
-// startupNameForRebranding returns the name for autostart launcher based on
-// type of rebranded instance i.e. update or manual.
-//
-// This only affects darwin when udpate re-writes the old startup and then
-// manual installed it would not run proper exe. Therefore we return "old" name
-// for updates and "new" name for manual which would be properly migrated.
-//
-// For orther (linux and windows) the link is always pointing to launcher which
-// path didn't changed.
-func startupNameForRebranding(origin string) string {
-	if runtime.GOOS == darwin {
-		if path, err := os.Executable(); err == nil && strings.Contains(path, "ProtonMail Bridge") {
-			return "ProtonMail Bridge"
-		}
-	}
-
-	// No need to solve for other OS. See comment above.
-	return origin
-}
-
-// isBeforeRebranding decide if last used version was older than 2.2.0. If
-// cannot decide it returns false with error.
-func isMacBeforeRebranding() (bool, error) {
-	// previous version | update | do mac migration |
-	//                  | first  | false            |
-	// cleared-cache    | manual | false            |
-	// cleared-cache    | in-app | false            |
-	// old              | in-app | false            |
-	// old in-app       | in-app | false            |
-	// old              | manual | true             |
-	// old in-app       | manual | true             |
-	// manual           | in-app | false            |
-
-	// Skip if it was in-app update and not manual
-	if path, err := os.Executable(); err != nil || strings.Contains(path, "ProtonMail Bridge") {
-		return false, err
-	}
-
-	return true, nil
-}
--- a/internal/app/base/profiling.go
+++ b/internal/app/base/profiling.go
@ -1,56 +0,0 @@
-// Copyright (c) 2022 Proton AG
-//
-// This file is part of Proton Mail Bridge.
-//
-// Proton Mail Bridge is free software: you can redistribute it and/or modify
-// it under the terms of the GNU General Public License as published by
-// the Free Software Foundation, either version 3 of the License, or
-// (at your option) any later version.
-//
-// Proton Mail Bridge is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License
-// along with Proton Mail Bridge. If not, see <https://www.gnu.org/licenses/>.
-
-package base
-
-import (
-	"os"
-	"path/filepath"
-	"runtime"
-	"runtime/pprof"
-
-	"github.com/sirupsen/logrus"
-)
-
-// startCPUProfile starts CPU pprof.
-func startCPUProfile() {
-	f, err := os.Create("./cpu.pprof")
-	if err != nil {
-		logrus.Fatal("Could not create CPU profile: ", err)
-	}
-	if err := pprof.StartCPUProfile(f); err != nil {
-		logrus.Fatal("Could not start CPU profile: ", err)
-	}
-}
-
-// makeMemoryProfile generates memory pprof.
-func makeMemoryProfile() {
-	name := "./mem.pprof"
-	f, err := os.Create(name)
-	if err != nil {
-		logrus.Fatal("Could not create memory profile: ", err)
-	}
-	if abs, err := filepath.Abs(name); err == nil {
-		name = abs
-	}
-	logrus.Info("Writing memory profile to ", name)
-	runtime.GC() // get up-to-date statistics
-	if err := pprof.WriteHeapProfile(f); err != nil {
-		logrus.Fatal("Could not write memory profile: ", err)
-	}
-	_ = f.Close()
-}
--- a/internal/app/base/restart.go
+++ b/internal/app/base/restart.go
@ -1,112 +0,0 @@
-// Copyright (c) 2022 Proton AG
-//
-// This file is part of Proton Mail Bridge.
-//
-// Proton Mail Bridge is free software: you can redistribute it and/or modify
-// it under the terms of the GNU General Public License as published by
-// the Free Software Foundation, either version 3 of the License, or
-// (at your option) any later version.
-//
-// Proton Mail Bridge is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License
-// along with Proton Mail Bridge. If not, see <https://www.gnu.org/licenses/>.
-
-package base
-
-import (
-	"os"
-	"strconv"
-
-	"github.com/sirupsen/logrus"
-	"golang.org/x/sys/execabs"
-)
-
-// maxAllowedRestarts controls after how many crashes the app will give up restarting.
-const maxAllowedRestarts = 10
-
-func (b *Base) restartApp(crash bool) error {
-	var args []string
-
-	if crash {
-		args = incrementRestartFlag(os.Args)[1:]
-		defer func() { os.Exit(1) }()
-	} else {
-		args = os.Args[1:]
-	}
-
-	if b.launcher != "" {
-		args = forceLauncherFlag(args, b.launcher)
-	}
-
-	args = append(args, "--wait", b.mainExecutable)
-
-	logrus.
-		WithField("command", b.command).
-		WithField("args", args).
-		Warn("Restarting")
-
-	return execabs.Command(b.command, args...).Start() //nolint:gosec
-}
-
-// incrementRestartFlag increments the value of the restart flag.
-// If no such flag is present, it is added with initial value 1.
-func incrementRestartFlag(args []string) []string {
-	res := append([]string{}, args...)
-
-	hasFlag := false
-
-	for k, v := range res {
-		if v != "--restart" {
-			continue
-		}
-
-		hasFlag = true
-
-		if k+1 >= len(res) {
-			continue
-		}
-
-		n, err := strconv.Atoi(res[k+1])
-		if err != nil {
-			res[k+1] = "1"
-		} else {
-			res[k+1] = strconv.Itoa(n + 1)
-		}
-	}
-
-	if !hasFlag {
-		res = append(res, "--restart", "1")
-	}
-
-	return res
-}
-
-// forceLauncherFlag  replace or add the launcher args with the one set in the app.
-func forceLauncherFlag(args []string, launcher string) []string {
-	res := append([]string{}, args...)
-
-	hasFlag := false
-
-	for k, v := range res {
-		if v != "--launcher" {
-			continue
-		}
-
-		if k+1 >= len(res) {
-			continue
-		}
-
-		hasFlag = true
-		res[k+1] = launcher
-	}
-
-	if !hasFlag {
-		res = append(res, "--launcher", launcher)
-	}
-
-	return res
-}
--- a/internal/app/base/restart_test.go
+++ b/internal/app/base/restart_test.go
@ -1,63 +0,0 @@
-// Copyright (c) 2022 Proton AG
-//
-// This file is part of Proton Mail Bridge.
-//
-// Proton Mail Bridge is free software: you can redistribute it and/or modify
-// it under the terms of the GNU General Public License as published by
-// the Free Software Foundation, either version 3 of the License, or
-// (at your option) any later version.
-//
-// Proton Mail Bridge is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License
-// along with Proton Mail Bridge. If not, see <https://www.gnu.org/licenses/>.
-
-package base
-
-import (
-	"strings"
-	"testing"
-
-	"github.com/Masterminds/semver/v3"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestIncrementRestartFlag(t *testing.T) {
-	tests := []struct {
-		in  []string
-		out []string
-	}{
-		{[]string{"./bridge", "--restart", "1"}, []string{"./bridge", "--restart", "2"}},
-		{[]string{"./bridge", "--restart", "2"}, []string{"./bridge", "--restart", "3"}},
-		{[]string{"./bridge", "--other", "--restart", "2"}, []string{"./bridge", "--other", "--restart", "3"}},
-		{[]string{"./bridge", "--restart", "2", "--other"}, []string{"./bridge", "--restart", "3", "--other"}},
-		{[]string{"./bridge", "--restart", "2", "--other", "2"}, []string{"./bridge", "--restart", "3", "--other", "2"}},
-		{[]string{"./bridge"}, []string{"./bridge", "--restart", "1"}},
-		{[]string{"./bridge", "--something"}, []string{"./bridge", "--something", "--restart", "1"}},
-		{[]string{"./bridge", "--something", "--else"}, []string{"./bridge", "--something", "--else", "--restart", "1"}},
-		{[]string{"./bridge", "--restart", "bad"}, []string{"./bridge", "--restart", "1"}},
-		{[]string{"./bridge", "--restart", "bad", "--other"}, []string{"./bridge", "--restart", "1", "--other"}},
-	}
-
-	for _, tt := range tests {
-		t.Run(strings.Join(tt.in, " "), func(t *testing.T) {
-			assert.Equal(t, tt.out, incrementRestartFlag(tt.in))
-		})
-	}
-}
-
-func TestVersionLessThan(t *testing.T) {
-	r := require.New(t)
-
-	old := semver.MustParse("1.1.0")
-	current := semver.MustParse("1.1.1")
-	newer := semver.MustParse("1.1.2")
-
-	r.True(old.LessThan(current))
-	r.False(current.LessThan(current))
-	r.False(newer.LessThan(current))
-}
--- a/internal/app/base/singleinstance_unix.go
+++ b/internal/app/base/singleinstance_unix.go
@ -1,101 +0,0 @@
-// Copyright (c) 2022 Proton AG
-//
-// This file is part of Proton Mail Bridge.
-//
-// Proton Mail Bridge is free software: you can redistribute it and/or modify
-// it under the terms of the GNU General Public License as published by
-// the Free Software Foundation, either version 3 of the License, or
-// (at your option) any later version.
-//
-// Proton Mail Bridge is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License
-// along with Proton Mail Bridge. If not, see <https://www.gnu.org/licenses/>.
-
-//go:build !windows
-// +build !windows
-
-package base
-
-import (
-	"errors"
-	"os"
-	"path/filepath"
-	"strconv"
-	"strings"
-	"time"
-
-	"github.com/Masterminds/semver/v3"
-	"github.com/ProtonMail/proton-bridge/v2/internal/config/settings"
-	"github.com/ProtonMail/proton-bridge/v2/internal/constants"
-	"github.com/allan-simon/go-singleinstance"
-	"golang.org/x/sys/unix"
-)
-
-// checkSingleInstance returns error if a bridge instance is already running
-// This instance should be stop and window of running window should be brought
-// to focus.
-//
-// For macOS and Linux when already running version is older than this instance
-// it will kill old and continue with this new bridge (i.e. no error returned).
-func checkSingleInstance(lockFilePath string, settingsObj *settings.Settings) (*os.File, error) {
-	if lock, err := singleinstance.CreateLockFile(lockFilePath); err == nil {
-		// Bridge is not runnig, continue normally
-		return lock, nil
-	}
-
-	if err := runningVersionIsOlder(settingsObj); err != nil {
-		return nil, err
-	}
-
-	pid, err := getPID(lockFilePath)
-	if err != nil {
-		return nil, err
-	}
-
-	if err := unix.Kill(pid, unix.SIGTERM); err != nil {
-		return nil, err
-	}
-
-	// Need to wait some time to release file lock
-	time.Sleep(time.Second)
-
-	return singleinstance.CreateLockFile(lockFilePath)
-}
-
-func getPID(lockFilePath string) (int, error) {
-	file, err := os.Open(filepath.Clean(lockFilePath))
-	if err != nil {
-		return 0, err
-	}
-	defer func() { _ = file.Close() }()
-
-	rawPID := make([]byte, 10) // PID is probably up to 7 digits long, 10 should be enough
-	n, err := file.Read(rawPID)
-	if err != nil {
-		return 0, err
-	}
-
-	return strconv.Atoi(strings.TrimSpace(string(rawPID[:n])))
-}
-
-func runningVersionIsOlder(settingsObj *settings.Settings) error {
-	currentVer, err := semver.StrictNewVersion(constants.Version)
-	if err != nil {
-		return err
-	}
-
-	runningVer, err := semver.StrictNewVersion(settingsObj.Get(settings.LastVersionKey))
-	if err != nil {
-		return err
-	}
-
-	if !runningVer.LessThan(currentVer) {
-		return errors.New("running version is not older")
-	}
-
-	return nil
-}
--- a/internal/app/bridge.go
+++ b/internal/app/bridge.go
@ -0,0 +1,167 @@
+// Copyright (c) 2025 Proton AG
+//
+// This file is part of Proton Mail Bridge.
+//
+// Proton Mail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Proton Mail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Proton Mail Bridge.  If not, see <https://www.gnu.org/licenses/>.
+
+package app
+
+import (
+	"fmt"
+	"net/http"
+	"runtime"
+
+	"github.com/Masterminds/semver/v3"
+	"github.com/ProtonMail/gluon/imap"
+	"github.com/ProtonMail/go-autostart"
+	"github.com/ProtonMail/gopenpgp/v2/crypto"
+	"github.com/ProtonMail/proton-bridge/v3/internal/bridge"
+	"github.com/ProtonMail/proton-bridge/v3/internal/constants"
+	"github.com/ProtonMail/proton-bridge/v3/internal/crash"
+	"github.com/ProtonMail/proton-bridge/v3/internal/dialer"
+	"github.com/ProtonMail/proton-bridge/v3/internal/events"
+	"github.com/ProtonMail/proton-bridge/v3/internal/locations"
+	"github.com/ProtonMail/proton-bridge/v3/internal/sentry"
+	"github.com/ProtonMail/proton-bridge/v3/internal/updater"
+	"github.com/ProtonMail/proton-bridge/v3/internal/useragent"
+	"github.com/ProtonMail/proton-bridge/v3/internal/vault"
+	"github.com/ProtonMail/proton-bridge/v3/internal/versioner"
+	"github.com/ProtonMail/proton-bridge/v3/pkg/keychain"
+	"github.com/sirupsen/logrus"
+	"github.com/urfave/cli/v2"
+)
+
+// deleteOldGoIMAPFiles Set with `-ldflags -X app.deleteOldGoIMAPFiles=true` to enable cleanup of old imap cache data.
+var deleteOldGoIMAPFiles bool //nolint:gochecknoglobals
+
+// withBridge creates and tears down the bridge.
+func withBridge(
+	c *cli.Context,
+	exe string,
+	locations *locations.Locations,
+	version *semver.Version,
+	identifier *useragent.UserAgent,
+	crashHandler *crash.Handler,
+	reporter *sentry.Reporter,
+	vault *vault.Vault,
+	cookieJar http.CookieJar,
+	keychains *keychain.List,
+	fn func(*bridge.Bridge, <-chan events.Event) error,
+) error {
+	logrus.Debug("Creating bridge")
+	defer logrus.Debug("Bridge stopped")
+
+	// Delete old go-imap cache files
+	if deleteOldGoIMAPFiles {
+		logrus.Debug("Deleting old go-imap cache files")
+
+		if err := locations.CleanGoIMAPCache(); err != nil {
+			logrus.WithError(err).Error("Failed to remove old go-imap cache")
+		}
+	}
+
+	// Create the underlying dialer used by the bridge.
+	// It only connects to trusted servers and reports any untrusted servers it finds.
+	pinningDialer := dialer.NewPinningTLSDialer(
+		dialer.NewBasicTLSDialer(constants.APIHost),
+		dialer.NewTLSReporter(constants.APIHost, constants.AppVersion(version.Original()), identifier, dialer.TrustedAPIPins),
+		dialer.NewTLSPinChecker(dialer.TrustedAPIPins),
+	)
+
+	// Create a proxy dialer which switches to a proxy if the request fails.
+	proxyDialer := dialer.NewProxyTLSDialer(pinningDialer, constants.APIHost, crashHandler)
+
+	// Create the autostarter.
+	autostarter := newAutostarter(exe)
+
+	// Create the update installer.
+	updater, err := newUpdater(locations)
+	if err != nil {
+		return fmt.Errorf("could not create updater: %w", err)
+	}
+
+	// Create a new bridge.
+	bridge, eventCh, err := bridge.New(
+		// The app stuff.
+		locations,
+		vault,
+		autostarter,
+		updater,
+		version,
+		keychains,
+
+		// The API stuff.
+		constants.APIHost,
+		cookieJar,
+		identifier,
+		pinningDialer,
+		dialer.CreateTransportWithDialer(proxyDialer),
+		proxyDialer,
+
+		// Crash and report stuff
+		crashHandler,
+		reporter,
+		imap.DefaultEpochUIDValidityGenerator(),
+		nil,
+
+		// The logging stuff.
+		c.String(flagLogIMAP) == "client" || c.String(flagLogIMAP) == "all",
+		c.String(flagLogIMAP) == "server" || c.String(flagLogIMAP) == "all",
+		c.Bool(flagLogSMTP),
+	)
+	if err != nil {
+		return fmt.Errorf("could not create bridge: %w", err)
+	}
+
+	// Ensure we close bridge when we exit.
+	defer bridge.Close(c.Context)
+
+	return fn(bridge, eventCh)
+}
+
+func newAutostarter(exe string) *autostart.App {
+	logrus.Debug("Creating autostarter")
+
+	return &autostart.App{
+		Name:        constants.FullAppName,
+		DisplayName: constants.FullAppName,
+		Exec:        []string{exe, "--" + flagNoWindow},
+	}
+}
+
+func newUpdater(locations *locations.Locations) (*updater.Updater, error) {
+	updatesDir, err := locations.ProvideUpdatesPath()
+	if err != nil {
+		return nil, fmt.Errorf("could not provide updates path: %w", err)
+	}
+
+	logrus.WithField("updates", updatesDir).Debug("Creating updater")
+
+	key, err := crypto.NewKeyFromArmored(updater.DefaultPublicKey)
+	if err != nil {
+		return nil, fmt.Errorf("could not create key from armored: %w", err)
+	}
+
+	verifier, err := crypto.NewKeyRing(key)
+	if err != nil {
+		return nil, fmt.Errorf("could not create key ring: %w", err)
+	}
+
+	return updater.NewUpdater(
+		versioner.New(updatesDir),
+		verifier,
+		constants.UpdateName,
+		runtime.GOOS,
+	), nil
+}
--- a/internal/app/bridge/bridge.go
+++ b/internal/app/bridge/bridge.go
@ -1,273 +0,0 @@
-// Copyright (c) 2022 Proton AG
-//
-// This file is part of Proton Mail Bridge.
-//
-// Proton Mail Bridge is free software: you can redistribute it and/or modify
-// it under the terms of the GNU General Public License as published by
-// the Free Software Foundation, either version 3 of the License, or
-// (at your option) any later version.
-//
-// Proton Mail Bridge is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License
-// along with Proton Mail Bridge. If not, see <https://www.gnu.org/licenses/>.
-
-// Package bridge implements the bridge CLI application.
-package bridge
-
-import (
-	"time"
-
-	"github.com/ProtonMail/proton-bridge/v2/internal/api"
-	"github.com/ProtonMail/proton-bridge/v2/internal/app/base"
-	pkgBridge "github.com/ProtonMail/proton-bridge/v2/internal/bridge"
-	"github.com/ProtonMail/proton-bridge/v2/internal/config/settings"
-	"github.com/ProtonMail/proton-bridge/v2/internal/constants"
-	"github.com/ProtonMail/proton-bridge/v2/internal/frontend"
-	"github.com/ProtonMail/proton-bridge/v2/internal/frontend/types"
-	"github.com/ProtonMail/proton-bridge/v2/internal/imap"
-	"github.com/ProtonMail/proton-bridge/v2/internal/smtp"
-	"github.com/ProtonMail/proton-bridge/v2/internal/store"
-	"github.com/ProtonMail/proton-bridge/v2/internal/store/cache"
-	"github.com/ProtonMail/proton-bridge/v2/internal/updater"
-	"github.com/ProtonMail/proton-bridge/v2/pkg/message"
-	"github.com/pkg/errors"
-	"github.com/sirupsen/logrus"
-	"github.com/urfave/cli/v2"
-)
-
-const (
-	flagLogIMAP        = "log-imap"
-	flagLogSMTP        = "log-smtp"
-	flagNonInteractive = "noninteractive"
-
-	// Memory cache was estimated by empirical usage in the past, and it was set to 100MB.
-	// NOTE: This value must not be less than maximal size of one email (~30MB).
-	inMemoryCacheLimit = 100 * (1 << 20)
-)
-
-func New(base *base.Base) *cli.App {
-	app := base.NewApp(main)
-
-	app.Flags = append(app.Flags, []cli.Flag{
-		&cli.StringFlag{
-			Name:  flagLogIMAP,
-			Usage: "Enable logging of IMAP communications (all|client|server) (may contain decrypted data!)",
-		},
-		&cli.BoolFlag{
-			Name:  flagLogSMTP,
-			Usage: "Enable logging of SMTP communications (may contain decrypted data!)",
-		},
-		&cli.BoolFlag{
-			Name:  flagNonInteractive,
-			Usage: "Start Bridge entirely non-interactively",
-		},
-	}...)
-
-	return app
-}
-
-func main(b *base.Base, c *cli.Context) error { //nolint:funlen
-	frontendType := getFrontendTypeFromCLIParams(c)
-	f := frontend.New(
-		frontendType,
-		!c.Bool(base.FlagNoWindow),
-		b.CrashHandler,
-		b.Listener,
-		b.Updater,
-		b,
-		b.Locations,
-	)
-
-	cache, cacheErr := loadMessageCache(b)
-	if cacheErr != nil {
-		logrus.WithError(cacheErr).Error("Could not load local cache.")
-	}
-
-	builder := message.NewBuilder(
-		b.Settings.GetInt(settings.FetchWorkers),
-		b.Settings.GetInt(settings.AttachmentWorkers),
-	)
-
-	bridge := pkgBridge.New(
-		b.Locations,
-		b.Cache,
-		b.Settings,
-		b.SentryReporter,
-		b.CrashHandler,
-		b.Listener,
-		b.TLS,
-		b.UserAgent,
-		cache,
-		builder,
-		b.CM,
-		b.Creds,
-		b.Updater,
-		b.Versioner,
-		b.Autostart,
-	)
-	imapBackend := imap.NewIMAPBackend(b.CrashHandler, b.Listener, b.Cache, b.Settings, bridge)
-	smtpBackend := smtp.NewSMTPBackend(b.CrashHandler, b.Listener, b.Settings, bridge)
-
-	tlsConfig, err := bridge.GetTLSConfig()
-	if err != nil {
-		return err
-	}
-
-	if cacheErr != nil {
-		bridge.AddError(pkgBridge.ErrLocalCacheUnavailable)
-	}
-
-	go func() {
-		defer b.CrashHandler.HandlePanic()
-		api.NewAPIServer(b.Settings, b.Listener).ListenAndServe()
-	}()
-
-	go func() {
-		defer b.CrashHandler.HandlePanic()
-		imapPort := b.Settings.GetInt(settings.IMAPPortKey)
-		imap.NewIMAPServer(
-			b.CrashHandler,
-			c.String(flagLogIMAP) == "client" || c.String(flagLogIMAP) == "all",
-			c.String(flagLogIMAP) == "server" || c.String(flagLogIMAP) == "all",
-			imapPort, tlsConfig, imapBackend, b.UserAgent, b.Listener).ListenAndServe()
-	}()
-
-	go func() {
-		defer b.CrashHandler.HandlePanic()
-		smtpPort := b.Settings.GetInt(settings.SMTPPortKey)
-		useSSL := b.Settings.GetBool(settings.SMTPSSLKey)
-		smtp.NewSMTPServer(
-			b.CrashHandler,
-			c.Bool(flagLogSMTP),
-			smtpPort, useSSL, tlsConfig, smtpBackend, b.Listener).ListenAndServe()
-	}()
-
-	// We want to remove old versions if the app exits successfully.
-	b.AddTeardownAction(b.Versioner.RemoveOldVersions)
-
-	// We want cookies to be saved to disk so they are loaded the next time.
-	b.AddTeardownAction(b.CookieJar.PersistCookies)
-
-	if frontendType == frontend.NonInteractive {
-		return <-(make(chan error))
-	}
-
-	// Watch for updates routine
-	go func() {
-		ticker := time.NewTicker(constants.UpdateCheckInterval)
-
-		for {
-			checkAndHandleUpdate(b.Updater, f, b.Settings.GetBool(settings.AutoUpdateKey))
-			<-ticker.C
-		}
-	}()
-
-	return f.Loop(bridge)
-}
-
-func getFrontendTypeFromCLIParams(c *cli.Context) frontend.Type {
-	switch {
-	case c.Bool(base.FlagCLI):
-		return frontend.CLI
-	case c.Bool(flagNonInteractive):
-		return frontend.NonInteractive
-	default:
-		return frontend.GRPC
-	}
-}
-
-func checkAndHandleUpdate(u types.Updater, f frontend.Frontend, autoUpdate bool) {
-	log := logrus.WithField("pkg", "app/bridge")
-	version, err := u.Check()
-	if err != nil {
-		log.WithError(err).Error("An error occurred while checking for updates")
-		return
-	}
-
-	f.WaitUntilFrontendIsReady()
-
-	// Update links in UI
-	f.SetVersion(version)
-
-	if !u.IsUpdateApplicable(version) {
-		log.Info("No need to update")
-		return
-	}
-
-	log.WithField("version", version.Version).Info("An update is available")
-
-	if !autoUpdate {
-		f.NotifyManualUpdate(version, u.CanInstall(version))
-		return
-	}
-
-	if !u.CanInstall(version) {
-		log.Info("A manual update is required")
-		f.NotifySilentUpdateError(updater.ErrManualUpdateRequired)
-		return
-	}
-
-	if err := u.InstallUpdate(version); err != nil {
-		if errors.Cause(err) == updater.ErrDownloadVerify {
-			log.WithError(err).Warning("Skipping update installation due to temporary error")
-		} else {
-			log.WithError(err).Error("The update couldn't be installed")
-			f.NotifySilentUpdateError(err)
-		}
-
-		return
-	}
-
-	f.NotifySilentUpdateInstalled()
-}
-
-// loadMessageCache loads local cache in case it is enabled in settings and available.
-// In any other case it is returning in-memory cache. Could also return an error in case
-// local cache is enabled but unavailable (in-memory cache will be returned nevertheless).
-func loadMessageCache(b *base.Base) (cache.Cache, error) {
-	if !b.Settings.GetBool(settings.CacheEnabledKey) {
-		return cache.NewInMemoryCache(inMemoryCacheLimit), nil
-	}
-
-	var compressor cache.Compressor
-
-	// NOTE(GODT-1158): Changing compression is not an option currently
-	// available for user but, if user changes compression setting we have
-	// to nuke the cache.
-	if b.Settings.GetBool(settings.CacheCompressionKey) {
-		compressor = &cache.GZipCompressor{}
-	} else {
-		compressor = &cache.NoopCompressor{}
-	}
-
-	var path string
-
-	if customPath := b.Settings.Get(settings.CacheLocationKey); customPath != "" {
-		path = customPath
-	} else {
-		path = b.Cache.GetDefaultMessageCacheDir()
-		// Store path so it will always persist if default location
-		// will be changed in new version.
-		b.Settings.Set(settings.CacheLocationKey, path)
-	}
-
-	// To prevent memory peaks we set maximal write concurrency for store
-	// build jobs.
-	store.SetBuildAndCacheJobLimit(b.Settings.GetInt(settings.CacheConcurrencyWrite))
-
-	messageCache, err := cache.NewOnDiskCache(path, compressor, cache.Options{
-		MinFreeAbs:      uint64(b.Settings.GetInt(settings.CacheMinFreeAbsKey)),
-		MinFreeRat:      b.Settings.GetFloat64(settings.CacheMinFreeRatKey),
-		ConcurrentRead:  b.Settings.GetInt(settings.CacheConcurrencyRead),
-		ConcurrentWrite: b.Settings.GetInt(settings.CacheConcurrencyWrite),
-	})
-	if err != nil {
-		return cache.NewInMemoryCache(inMemoryCacheLimit), err
-	}
-
-	return messageCache, nil
-}
--- a/internal/app/frontend.go
+++ b/internal/app/frontend.go
@ -0,0 +1,70 @@
+// Copyright (c) 2025 Proton AG
+//
+// This file is part of Proton Mail Bridge.
+//
+// Proton Mail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Proton Mail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Proton Mail Bridge.  If not, see <https://www.gnu.org/licenses/>.
+
+package app
+
+import (
+	"fmt"
+
+	"github.com/ProtonMail/proton-bridge/v3/internal/bridge"
+	"github.com/ProtonMail/proton-bridge/v3/internal/crash"
+	"github.com/ProtonMail/proton-bridge/v3/internal/events"
+	bridgeCLI "github.com/ProtonMail/proton-bridge/v3/internal/frontend/cli"
+	"github.com/ProtonMail/proton-bridge/v3/internal/frontend/grpc"
+	"github.com/ProtonMail/proton-bridge/v3/internal/locations"
+	"github.com/ProtonMail/proton-bridge/v3/pkg/restarter"
+	"github.com/sirupsen/logrus"
+	"github.com/urfave/cli/v2"
+)
+
+func runFrontend(
+	c *cli.Context,
+	crashHandler *crash.Handler,
+	restarter *restarter.Restarter,
+	locations *locations.Locations,
+	bridge *bridge.Bridge,
+	eventCh <-chan events.Event,
+	quitCh <-chan struct{},
+	parentPID int,
+) error {
+	logrus.Debug("Running frontend")
+	defer logrus.Debug("Frontend stopped")
+
+	switch {
+	case c.Bool(flagCLI):
+		return bridgeCLI.New(bridge, restarter, eventCh, crashHandler, quitCh).Loop()
+
+	case c.Bool(flagNonInteractive):
+		<-quitCh
+		return nil
+
+	case c.Bool(flagGRPC):
+		service, err := grpc.NewService(crashHandler, restarter, locations, bridge, eventCh, quitCh, !c.Bool(flagNoWindow), parentPID)
+		if err != nil {
+			return fmt.Errorf("could not create service: %w", err)
+		}
+
+		return service.Loop()
+
+	default:
+		if err := cli.ShowAppHelp(c); err != nil {
+			logrus.WithError(err).Error("Failed to show app help")
+		}
+
+		return fmt.Errorf("no frontend specified, use --cli, --grpc or --noninteractive")
+	}
+}
--- a/internal/app/migration.go
+++ b/internal/app/migration.go
@ -0,0 +1,375 @@
+// Copyright (c) 2025 Proton AG
+//
+// This file is part of Proton Mail Bridge.
+//
+// Proton Mail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Proton Mail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Proton Mail Bridge.  If not, see <https://www.gnu.org/licenses/>.
+
+package app
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/fs"
+	"os"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/Masterminds/semver/v3"
+	"github.com/ProtonMail/proton-bridge/v3/internal/legacy/credentials"
+	"github.com/ProtonMail/proton-bridge/v3/internal/locations"
+	"github.com/ProtonMail/proton-bridge/v3/internal/logging"
+	"github.com/ProtonMail/proton-bridge/v3/internal/updater"
+	"github.com/ProtonMail/proton-bridge/v3/internal/vault"
+	"github.com/ProtonMail/proton-bridge/v3/pkg/algo"
+	"github.com/ProtonMail/proton-bridge/v3/pkg/keychain"
+	"github.com/allan-simon/go-singleinstance"
+	"github.com/hashicorp/go-multierror"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+// nolint:gosec
+func migrateKeychainHelper(locations *locations.Locations) error {
+	logrus.Trace("Checking if keychain helper needs to be migrated")
+
+	settings, err := locations.ProvideSettingsPath()
+	if err != nil {
+		return fmt.Errorf("failed to get settings path: %w", err)
+	}
+
+	// If keychain helper file is already there do not migrate again.
+	if keychainName, _ := vault.GetHelper(settings); keychainName != "" {
+		return nil
+	}
+
+	configDir, err := os.UserConfigDir()
+	if err != nil {
+		return fmt.Errorf("failed to get user config dir: %w", err)
+	}
+
+	b, err := os.ReadFile(filepath.Join(configDir, "protonmail", "bridge", "prefs.json"))
+	if errors.Is(err, fs.ErrNotExist) {
+		return nil
+	} else if err != nil {
+		return fmt.Errorf("failed to read old prefs file: %w", err)
+	}
+
+	var prefs struct {
+		Helper string `json:"preferred_keychain"`
+	}
+
+	if err := json.Unmarshal(b, &prefs); err != nil {
+		return fmt.Errorf("failed to unmarshal old prefs file: %w", err)
+	}
+
+	err = vault.SetHelper(settings, prefs.Helper)
+	if err == nil {
+		logrus.Info("Keychain helper has been migrated")
+	}
+	return err
+}
+
+// nolint:gosec
+func migrateOldSettings(v *vault.Vault) error {
+	logrus.Info("Migrating settings")
+
+	configDir, err := os.UserConfigDir()
+	if err != nil {
+		return fmt.Errorf("failed to get user config dir: %w", err)
+	}
+
+	return migrateOldSettingsWithDir(configDir, v)
+}
+
+// nolint:gosec
+func migrateOldSettingsWithDir(configDir string, v *vault.Vault) error {
+	b, err := os.ReadFile(filepath.Join(configDir, "protonmail", "bridge", "prefs.json"))
+	if errors.Is(err, fs.ErrNotExist) {
+		return nil
+	} else if err != nil {
+		return fmt.Errorf("failed to read old prefs file: %w", err)
+	}
+
+	if err := migratePrefsToVault(v, b); err != nil {
+		return fmt.Errorf("failed to migrate prefs to vault: %w", err)
+	}
+
+	logrus.Info("Migrating TLS certificate")
+
+	certPEM, err := os.ReadFile(filepath.Join(configDir, "protonmail", "bridge", "cert.pem"))
+	if errors.Is(err, fs.ErrNotExist) {
+		return nil
+	} else if err != nil {
+		return fmt.Errorf("failed to read old cert file: %w", err)
+	}
+
+	keyPEM, err := os.ReadFile(filepath.Join(configDir, "protonmail", "bridge", "key.pem"))
+	if errors.Is(err, fs.ErrNotExist) {
+		return nil
+	} else if err != nil {
+		return fmt.Errorf("failed to read old key file: %w", err)
+	}
+
+	return v.SetBridgeTLSCertKey(certPEM, keyPEM)
+}
+
+func migrateOldAccounts(locations *locations.Locations, keychains *keychain.List, v *vault.Vault) error {
+	logrus.Info("Migrating accounts")
+
+	settings, err := locations.ProvideSettingsPath()
+	if err != nil {
+		return fmt.Errorf("failed to get settings path: %w", err)
+	}
+
+	helper, err := vault.GetHelper(settings)
+	if err != nil {
+		return fmt.Errorf("failed to get helper: %w", err)
+	}
+	keychain, err := keychain.NewKeychain(helper, "bridge", keychains.GetHelpers(), keychains.GetDefaultHelper())
+	if err != nil {
+		return fmt.Errorf("failed to create keychain: %w", err)
+	}
+
+	store := credentials.NewStore(keychain)
+
+	users, err := store.List()
+	if err != nil {
+		return fmt.Errorf("failed to create credentials store: %w", err)
+	}
+
+	var migrationErrors error
+
+	for _, userID := range users {
+		if err := migrateOldAccount(userID, store, v); err != nil {
+			migrationErrors = multierror.Append(migrationErrors, err)
+		}
+	}
+
+	return migrationErrors
+}
+
+func migrateOldAccount(userID string, store *credentials.Store, v *vault.Vault) error {
+	l := logrus.WithField("userID", userID)
+	l.Info("Migrating account")
+
+	creds, err := store.Get(userID)
+	if err != nil {
+		return fmt.Errorf("failed to get user %q: %w", userID, err)
+	}
+
+	authUID, authRef, err := creds.SplitAPIToken()
+	if err != nil {
+		return fmt.Errorf("failed to split api token for user %q: %w", userID, err)
+	}
+
+	var primaryEmail string
+	if len(creds.EmailList()) > 0 {
+		primaryEmail = creds.EmailList()[0]
+	}
+
+	user, err := v.AddUser(creds.UserID, creds.Name, primaryEmail, authUID, authRef, creds.MailboxPassword)
+	if err != nil {
+		return fmt.Errorf("failed to add user %q: %w", userID, err)
+	}
+
+	l = l.WithField("username", logging.Sensitive(user.Username()))
+	l.Info("Migrated account with random bridge password")
+
+	defer func() {
+		if err := user.Close(); err != nil {
+			logrus.WithField("userID", userID).WithError(err).Error("Failed to close vault user after migration")
+		}
+	}()
+
+	dec, err := algo.B64RawDecode([]byte(creds.BridgePassword))
+	if err != nil {
+		return fmt.Errorf("failed to decode bridge password for user %q: %w", userID, err)
+	}
+
+	if err := user.SetBridgePass(dec); err != nil {
+		return fmt.Errorf("failed to set bridge password for user %q: %w", userID, err)
+	}
+
+	l = l.WithField("password", logging.Sensitive(string(algo.B64RawEncode(dec))))
+	l.Info("Migrated existing bridge password")
+
+	if !creds.IsCombinedAddressMode {
+		if err := user.SetAddressMode(vault.SplitMode); err != nil {
+			return fmt.Errorf("failed to set split address mode to user %q: %w", userID, err)
+		}
+	}
+
+	return nil
+}
+
+func migratePrefsToVault(vault *vault.Vault, b []byte) error {
+	var prefs struct {
+		IMAPPort int  `json:"user_port_imap,,string"`
+		SMTPPort int  `json:"user_port_smtp,,string"`
+		SMTPSSL  bool `json:"user_ssl_smtp,,string"`
+
+		AutoUpdate    bool            `json:"autoupdate,,string"`
+		UpdateChannel updater.Channel `json:"update_channel"`
+		UpdateRollout float64         `json:"rollout,,string"`
+
+		FirstStart  bool            `json:"first_time_start,,string"`
+		ColorScheme string          `json:"color_scheme"`
+		LastVersion *semver.Version `json:"last_used_version"`
+		Autostart   bool            `json:"autostart,,string"`
+
+		AllowProxy        bool `json:"allow_proxy,,string"`
+		FetchWorkers      int  `json:"fetch_workers,,string"`
+		AttachmentWorkers int  `json:"attachment_workers,,string"`
+		ShowAllMail       bool `json:"is_all_mail_visible,,string"`
+
+		Cookies string `json:"cookies"`
+	}
+
+	if err := json.Unmarshal(b, &prefs); err != nil {
+		return fmt.Errorf("failed to unmarshal old prefs file: %w", err)
+	}
+
+	var errs error
+
+	if err := vault.SetIMAPPort(prefs.IMAPPort); err != nil {
+		errs = multierror.Append(errs, fmt.Errorf("failed to migrate IMAP port: %w", err))
+	}
+
+	if err := vault.SetSMTPPort(prefs.SMTPPort); err != nil {
+		errs = multierror.Append(errs, fmt.Errorf("failed to migrate SMTP port: %w", err))
+	}
+
+	if err := vault.SetSMTPSSL(prefs.SMTPSSL); err != nil {
+		errs = multierror.Append(errs, fmt.Errorf("failed to migrate SMTP SSL: %w", err))
+	}
+
+	if err := vault.SetAutoUpdate(prefs.AutoUpdate); err != nil {
+		errs = multierror.Append(errs, fmt.Errorf("failed to migrate auto update: %w", err))
+	}
+
+	if err := vault.SetUpdateChannel(prefs.UpdateChannel); err != nil {
+		errs = multierror.Append(errs, fmt.Errorf("failed to migrate update channel: %w", err))
+	}
+
+	if err := vault.SetUpdateRollout(prefs.UpdateRollout); err != nil {
+		errs = multierror.Append(errs, fmt.Errorf("failed to migrate rollout: %w", err))
+	}
+
+	if err := vault.SetFirstStart(prefs.FirstStart); err != nil {
+		errs = multierror.Append(errs, fmt.Errorf("failed to migrate first start: %w", err))
+	}
+
+	if err := vault.SetColorScheme(prefs.ColorScheme); err != nil {
+		errs = multierror.Append(errs, fmt.Errorf("failed to migrate color scheme: %w", err))
+	}
+
+	if err := vault.SetLastVersion(prefs.LastVersion); err != nil {
+		errs = multierror.Append(errs, fmt.Errorf("failed to migrate last version: %w", err))
+	}
+
+	if err := vault.SetAutostart(prefs.Autostart); err != nil {
+		errs = multierror.Append(errs, fmt.Errorf("failed to migrate autostart: %w", err))
+	}
+
+	if err := vault.SetProxyAllowed(prefs.AllowProxy); err != nil {
+		errs = multierror.Append(errs, fmt.Errorf("failed to migrate allow proxy: %w", err))
+	}
+
+	if err := vault.SetShowAllMail(prefs.ShowAllMail); err != nil {
+		errs = multierror.Append(errs, fmt.Errorf("failed to migrate show all mail: %w", err))
+	}
+
+	if err := vault.SetCookies([]byte(prefs.Cookies)); err != nil {
+		errs = multierror.Append(errs, fmt.Errorf("failed to migrate cookies: %w", err))
+	}
+
+	return errs
+}
+
+func migrateOldVersions() (allErrors error) {
+	cacheDir, cacheError := os.UserCacheDir()
+	if cacheError != nil {
+		allErrors = multierror.Append(allErrors, errors.Wrap(cacheError, "cannot get os cache"))
+		return // not need to continue for now (with more migrations might be still ok to continue)
+	}
+
+	if err := killV2AppAndRemoveV2LockFiles(filepath.Join(cacheDir, "protonmail", "bridge", "bridge.lock")); err != nil {
+		allErrors = multierror.Append(allErrors, errors.Wrap(err, "cannot migrate lockfiles"))
+	}
+
+	return
+}
+
+func killV2AppAndRemoveV2LockFiles(lockFilePathV2 string) error {
+	l := logrus.WithField("path", lockFilePathV2)
+
+	if _, err := os.Stat(lockFilePathV2); os.IsNotExist(err) {
+		l.Debug("no v2 lockfile")
+		return nil
+	}
+
+	lock, err := singleinstance.CreateLockFile(lockFilePathV2)
+
+	if err == nil {
+		l.Debug("no other v2 instance is running")
+
+		if errClose := lock.Close(); errClose != nil {
+			l.WithError(errClose).Error("Cannot close lock file")
+		}
+
+		return os.Remove(lockFilePathV2)
+	}
+
+	// The other instance is an older version, so we should kill it.
+	pid, err := getPID(lockFilePathV2)
+	if err != nil {
+		return errors.Wrap(err, "cannot get v2 pid")
+	}
+
+	if err := killPID(pid); err != nil {
+		return errors.Wrapf(err, "cannot kill v2 app (PID %d)", pid)
+	}
+
+	// Need to wait some time to release file lock
+	time.Sleep(time.Second)
+
+	return nil
+}
+
+func getPID(lockFilePath string) (int, error) {
+	file, err := os.Open(filepath.Clean(lockFilePath))
+	if err != nil {
+		return 0, err
+	}
+	defer func() { _ = file.Close() }()
+
+	rawPID := make([]byte, 10) // PID is probably up to 7 digits long, 10 should be enough
+	n, err := file.Read(rawPID)
+	if err != nil {
+		return 0, err
+	}
+
+	return strconv.Atoi(strings.TrimSpace(string(rawPID[:n])))
+}
+
+func killPID(pid int) error {
+	p, err := os.FindProcess(pid)
+	if err != nil {
+		return err
+	}
+
+	return p.Kill()
+}
--- a/internal/app/migration_test.go
+++ b/internal/app/migration_test.go
@ -0,0 +1,227 @@
+// Copyright (c) 2025 Proton AG
+//
+// This file is part of Proton Mail Bridge.
+//
+// Proton Mail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Proton Mail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Proton Mail Bridge.  If not, see <https://www.gnu.org/licenses/>.
+
+package app
+
+import (
+	"net/http/cookiejar"
+	"net/url"
+	"os"
+	"path/filepath"
+	"runtime"
+	"testing"
+
+	"github.com/ProtonMail/gluon/async"
+	"github.com/ProtonMail/gopenpgp/v2/crypto"
+	"github.com/ProtonMail/proton-bridge/v3/internal/bridge"
+	"github.com/ProtonMail/proton-bridge/v3/internal/cookies"
+	"github.com/ProtonMail/proton-bridge/v3/internal/legacy/credentials"
+	"github.com/ProtonMail/proton-bridge/v3/internal/locations"
+	"github.com/ProtonMail/proton-bridge/v3/internal/updater"
+	"github.com/ProtonMail/proton-bridge/v3/internal/vault"
+	"github.com/ProtonMail/proton-bridge/v3/pkg/algo"
+	"github.com/ProtonMail/proton-bridge/v3/pkg/keychain"
+	"github.com/stretchr/testify/require"
+)
+
+func TestMigratePrefsToVaultWithKeys(t *testing.T) {
+	// Create a new vault.
+	vault, corrupt, err := vault.New(t.TempDir(), t.TempDir(), []byte("my secret key"), async.NoopPanicHandler{})
+	require.NoError(t, err)
+	require.NoError(t, corrupt)
+
+	// load the old prefs file.
+	configDir := filepath.Join("testdata", "with_keys")
+
+	// Migrate the old prefs file to the new vault.
+	require.NoError(t, migrateOldSettingsWithDir(configDir, vault))
+
+	// Check Json Settings
+	validateJSONPrefs(t, vault)
+
+	cert, key := vault.GetBridgeTLSCert()
+	// Check the keys were found and collected.
+	require.Equal(t, "-----BEGIN CERTIFICATE-----", string(cert))
+	require.Equal(t, "-----BEGIN RSA PRIVATE KEY-----", string(key))
+}
+
+func TestMigratePrefsToVaultWithoutKeys(t *testing.T) {
+	// Create a new vault.
+	vault, corrupt, err := vault.New(t.TempDir(), t.TempDir(), []byte("my secret key"), async.NoopPanicHandler{})
+	require.NoError(t, err)
+	require.NoError(t, corrupt)
+
+	// load the old prefs file.
+	configDir := filepath.Join("testdata", "without_keys")
+
+	// Migrate the old prefs file to the new vault.
+	require.NoError(t, migrateOldSettingsWithDir(configDir, vault))
+
+	// Migrate the old prefs file to the new vault.
+	require.NoError(t, migrateOldSettingsWithDir(configDir, vault))
+
+	// Check Json Settings
+	validateJSONPrefs(t, vault)
+
+	// Check the keys were found and collected.
+	cert, key := vault.GetBridgeTLSCert()
+	require.NotEqual(t, []byte("-----BEGIN CERTIFICATE-----"), cert)
+	require.NotEqual(t, []byte("-----BEGIN RSA PRIVATE KEY-----"), key)
+}
+
+func TestKeychainMigration(t *testing.T) {
+	// Migration tested only for linux.
+	if runtime.GOOS != "linux" {
+		return
+	}
+
+	tmpDir := t.TempDir()
+
+	// Prepare for keychain migration test
+	{
+		require.NoError(t, os.Setenv("XDG_CONFIG_HOME", tmpDir))
+		oldCacheDir := filepath.Join(tmpDir, "protonmail", "bridge")
+		require.NoError(t, os.MkdirAll(oldCacheDir, 0o700))
+
+		oldPrefs, err := os.ReadFile(filepath.Join("testdata", "without_keys", "protonmail", "bridge", "prefs.json"))
+		require.NoError(t, err)
+
+		require.NoError(t, os.WriteFile(
+			filepath.Join(oldCacheDir, "prefs.json"),
+			oldPrefs, 0o600,
+		))
+	}
+
+	locations := locations.New(bridge.NewTestLocationsProvider(tmpDir), "config-name")
+	settingsFolder, err := locations.ProvideSettingsPath()
+	require.NoError(t, err)
+
+	// Check that there is nothing yet
+	keychainName, err := vault.GetHelper(settingsFolder)
+	require.NoError(t, err)
+	require.Equal(t, "", keychainName)
+
+	// Check migration
+	require.NoError(t, migrateKeychainHelper(locations))
+	keychainName, err = vault.GetHelper(settingsFolder)
+	require.NoError(t, err)
+	require.Equal(t, "secret-service", keychainName)
+
+	// Change the migrated value
+	require.NoError(t, vault.SetHelper(settingsFolder, "different"))
+
+	// Calling migration again will not overwrite existing prefs
+	require.NoError(t, migrateKeychainHelper(locations))
+	keychainName, err = vault.GetHelper(settingsFolder)
+	require.NoError(t, err)
+	require.Equal(t, "different", keychainName)
+}
+
+func TestUserMigration(t *testing.T) {
+	kcl := keychain.NewTestKeychainsList()
+
+	kc, err := keychain.NewKeychain("mock", "bridge", kcl.GetHelpers(), kcl.GetDefaultHelper())
+	require.NoError(t, err)
+
+	require.NoError(t, kc.Put("brokenID", "broken"))
+	require.NoError(t, kc.Put(
+		"emptyID",
+		(&credentials.Credentials{}).Marshal(),
+	))
+
+	wantUID := "uidtoken"
+	wantRefresh := "refreshtoken"
+
+	wantCredentials := credentials.Credentials{
+		UserID:                "validID",
+		Name:                  "user@pm.me",
+		Emails:                "user@pm.me;alias@pm.me",
+		APIToken:              wantUID + ":" + wantRefresh,
+		MailboxPassword:       []byte("secret"),
+		BridgePassword:        "bElu2Q1Vusy28J3Wf56cIg",
+		Version:               "v2.3.X",
+		Timestamp:             100,
+		IsCombinedAddressMode: true,
+	}
+	require.NoError(t, kc.Put(
+		wantCredentials.UserID,
+		wantCredentials.Marshal(),
+	))
+
+	tmpDir := t.TempDir()
+	locations := locations.New(bridge.NewTestLocationsProvider(tmpDir), "config-name")
+	settingsFolder, err := locations.ProvideSettingsPath()
+	require.NoError(t, err)
+	require.NoError(t, vault.SetHelper(settingsFolder, "mock"))
+
+	token, err := crypto.RandomToken(32)
+	require.NoError(t, err)
+
+	v, corrupt, err := vault.New(settingsFolder, settingsFolder, token, async.NoopPanicHandler{})
+	require.NoError(t, err)
+	require.NoError(t, corrupt)
+
+	require.NoError(t, migrateOldAccounts(locations, kcl, v))
+	require.Equal(t, []string{wantCredentials.UserID}, v.GetUserIDs())
+
+	require.NoError(t, v.GetUser(wantCredentials.UserID, func(u *vault.User) {
+		require.Equal(t, wantCredentials.UserID, u.UserID())
+		require.Equal(t, wantUID, u.AuthUID())
+		require.Equal(t, wantRefresh, u.AuthRef())
+		require.Equal(t, wantCredentials.MailboxPassword, u.KeyPass())
+		require.Equal(t,
+			[]byte(wantCredentials.BridgePassword),
+			algo.B64RawEncode(u.BridgePass()),
+		)
+		require.Equal(t, vault.CombinedMode, u.AddressMode())
+	}))
+}
+
+func validateJSONPrefs(t *testing.T, vault *vault.Vault) {
+	// Check that the IMAP and SMTP prefs are migrated.
+	require.Equal(t, 2143, vault.GetIMAPPort())
+	require.Equal(t, 2025, vault.GetSMTPPort())
+	require.True(t, vault.GetSMTPSSL())
+
+	// Check that the update channel is migrated.
+	require.True(t, vault.GetAutoUpdate())
+	require.Equal(t, updater.EarlyChannel, vault.GetUpdateChannel())
+	require.Equal(t, 0.4849529004202015, vault.GetUpdateRollout())
+
+	// Check that the app settings have been migrated.
+	require.False(t, vault.GetFirstStart())
+	require.Equal(t, "blablabla", vault.GetColorScheme())
+	require.Equal(t, "2.3.0+git", vault.GetLastVersion().String())
+	require.True(t, vault.GetAutostart())
+
+	// Check that the other app settings have been migrated.
+	require.False(t, vault.GetProxyAllowed())
+	require.False(t, vault.GetShowAllMail())
+
+	// Check that the cookies have been migrated.
+	jar, err := cookiejar.New(nil)
+	require.NoError(t, err)
+
+	cookies, err := cookies.NewCookieJar(jar, vault)
+	require.NoError(t, err)
+
+	url, err := url.Parse("https://api.protonmail.ch")
+	require.NoError(t, err)
+
+	// There should be a cookie for the API.
+	require.NotEmpty(t, cookies.Cookies(url))
+}
--- a/internal/app/singleinstance.go
+++ b/internal/app/singleinstance.go
@ -0,0 +1,70 @@
+// Copyright (c) 2025 Proton AG
+//
+// This file is part of Proton Mail Bridge.
+//
+// Proton Mail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Proton Mail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Proton Mail Bridge. If not, see <https://www.gnu.org/licenses/>.
+
+package app
+
+import (
+	"fmt"
+	"os"
+	"time"
+
+	"github.com/Masterminds/semver/v3"
+	"github.com/ProtonMail/proton-bridge/v3/internal/focus"
+	"github.com/allan-simon/go-singleinstance"
+	"github.com/sirupsen/logrus"
+)
+
+// checkSingleInstance checks if another instance of the application is already running.
+// It tries to create a lock file at the given path.
+// If it succeeds, it returns the lock file and a nil error.
+//
+// For macOS and Linux when already running version is older than this instance
+// it will kill old and continue with this new bridge (i.e. no error returned).
+func checkSingleInstance(settingPath, lockFilePath string, curVersion *semver.Version) (*os.File, error) {
+	if lock, err := singleinstance.CreateLockFile(lockFilePath); err == nil {
+		logrus.WithField("path", lockFilePath).Debug("Created lock file; no other instance is running")
+		return lock, nil
+	}
+
+	logrus.Warn("Failed to create lock file; another instance is running")
+
+	// We couldn't create the lock file, so another instance is probably running.
+	// Check if it's an older version of the app.
+	lastVersion, ok := focus.TryVersion(settingPath)
+	if !ok {
+		return nil, fmt.Errorf("failed to determine version of running instance")
+	}
+
+	if !lastVersion.LessThan(curVersion) {
+		return nil, fmt.Errorf("running instance is newer than this one")
+	}
+
+	// The other instance is an older version, so we should kill it.
+	pid, err := getPID(lockFilePath)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := killPID(pid); err != nil {
+		return nil, err
+	}
+
+	// Need to wait some time to release file lock
+	time.Sleep(time.Second)
+
+	return singleinstance.CreateLockFile(lockFilePath)
+}
--- a/internal/app/testdata/with_keys/protonmail/bridge/cert.pem
+++ b/internal/app/testdata/with_keys/protonmail/bridge/cert.pem
@ -0,0 +1 @@
+-----BEGIN CERTIFICATE-----
--- a/internal/app/testdata/with_keys/protonmail/bridge/key.pem
+++ b/internal/app/testdata/with_keys/protonmail/bridge/key.pem
@ -0,0 +1 @@
+-----BEGIN RSA PRIVATE KEY-----
--- a/internal/app/testdata/with_keys/protonmail/bridge/prefs.json
+++ b/internal/app/testdata/with_keys/protonmail/bridge/prefs.json
@ -0,0 +1,31 @@
+{
+	"allow_proxy": "false",
+	"attachment_workers": "16",
+	"autostart": "true",
+	"autoupdate": "true",
+	"cache_compression": "true",
+	"cache_concurrent_read": "16",
+	"cache_concurrent_write": "16",
+	"cache_enabled": "true",
+	"cache_location": "/home/user/.config/protonmail/bridge/cache/c11/messages",
+	"cache_min_free_abs": "250000000",
+	"cache_min_free_rat": "",
+	"color_scheme": "blablabla",
+	"cookies": "{\"https://api.protonmail.ch\":[{\"Name\":\"Session-Id\",\"Value\":\"blablablablablablablablabla\",\"Path\":\"/\",\"Domain\":\"protonmail.ch\",\"Expires\":\"2023-02-19T00:20:40.269424437+01:00\",\"RawExpires\":\"\",\"MaxAge\":7776000,\"Secure\":true,\"HttpOnly\":true,\"SameSite\":0,\"Raw\":\"Session-Id=blablablablablablablablabla; Domain=protonmail.ch; Path=/; HttpOnly; Secure; Max-Age=7776000\",\"Unparsed\":null},{\"Name\":\"Tag\",\"Value\":\"default\",\"Path\":\"/\",\"Domain\":\"\",\"Expires\":\"2023-02-19T00:20:40.269428627+01:00\",\"RawExpires\":\"\",\"MaxAge\":7776000,\"Secure\":true,\"HttpOnly\":false,\"SameSite\":0,\"Raw\":\"Tag=default; Path=/; Secure; Max-Age=7776000\",\"Unparsed\":null}],\"https://protonmail.com\":[{\"Name\":\"Session-Id\",\"Value\":\"blablablablablablablablabla\",\"Path\":\"/\",\"Domain\":\"protonmail.com\",\"Expires\":\"2023-02-19T00:20:18.315084712+01:00\",\"RawExpires\":\"\",\"MaxAge\":7776000,\"Secure\":true,\"HttpOnly\":true,\"SameSite\":0,\"Raw\":\"Session-Id=Y3q2Mh-ClvqL6LWeYdfyPgAAABI; Domain=protonmail.com; Path=/; HttpOnly; Secure; Max-Age=7776000\",\"Unparsed\":null},{\"Name\":\"Tag\",\"Value\":\"redirect\",\"Path\":\"/\",\"Domain\":\"\",\"Expires\":\"2023-02-19T00:20:18.315087646+01:00\",\"RawExpires\":\"\",\"MaxAge\":7776000,\"Secure\":true,\"HttpOnly\":false,\"SameSite\":0,\"Raw\":\"Tag=redirect; Path=/; Secure; Max-Age=7776000\",\"Unparsed\":null}]}",
+	"fetch_workers": "16",
+	"first_time_start": "false",
+	"first_time_start_gui": "true",
+	"imap_workers": "16",
+	"is_all_mail_visible": "false",
+	"last_heartbeat": "325",
+	"last_used_version": "2.3.0+git",
+	"preferred_keychain": "secret-service",
+	"rebranding_migrated": "true",
+	"report_outgoing_email_without_encryption": "false",
+	"rollout": "0.4849529004202015",
+	"user_port_api": "1042",
+	"update_channel": "early",
+	"user_port_imap": "2143",
+	"user_port_smtp": "2025",
+	"user_ssl_smtp": "true"
+}
--- a/internal/app/testdata/without_keys/protonmail/bridge/prefs.json
+++ b/internal/app/testdata/without_keys/protonmail/bridge/prefs.json
@ -0,0 +1,31 @@
+{
+	"allow_proxy": "false",
+	"attachment_workers": "16",
+	"autostart": "true",
+	"autoupdate": "true",
+	"cache_compression": "true",
+	"cache_concurrent_read": "16",
+	"cache_concurrent_write": "16",
+	"cache_enabled": "true",
+	"cache_location": "/home/user/.config/protonmail/bridge/cache/c11/messages",
+	"cache_min_free_abs": "250000000",
+	"cache_min_free_rat": "",
+	"color_scheme": "blablabla",
+	"cookies": "{\"https://api.protonmail.ch\":[{\"Name\":\"Session-Id\",\"Value\":\"blablablablablablablablabla\",\"Path\":\"/\",\"Domain\":\"protonmail.ch\",\"Expires\":\"2023-02-19T00:20:40.269424437+01:00\",\"RawExpires\":\"\",\"MaxAge\":7776000,\"Secure\":true,\"HttpOnly\":true,\"SameSite\":0,\"Raw\":\"Session-Id=blablablablablablablablabla; Domain=protonmail.ch; Path=/; HttpOnly; Secure; Max-Age=7776000\",\"Unparsed\":null},{\"Name\":\"Tag\",\"Value\":\"default\",\"Path\":\"/\",\"Domain\":\"\",\"Expires\":\"2023-02-19T00:20:40.269428627+01:00\",\"RawExpires\":\"\",\"MaxAge\":7776000,\"Secure\":true,\"HttpOnly\":false,\"SameSite\":0,\"Raw\":\"Tag=default; Path=/; Secure; Max-Age=7776000\",\"Unparsed\":null}],\"https://protonmail.com\":[{\"Name\":\"Session-Id\",\"Value\":\"blablablablablablablablabla\",\"Path\":\"/\",\"Domain\":\"protonmail.com\",\"Expires\":\"2023-02-19T00:20:18.315084712+01:00\",\"RawExpires\":\"\",\"MaxAge\":7776000,\"Secure\":true,\"HttpOnly\":true,\"SameSite\":0,\"Raw\":\"Session-Id=Y3q2Mh-ClvqL6LWeYdfyPgAAABI; Domain=protonmail.com; Path=/; HttpOnly; Secure; Max-Age=7776000\",\"Unparsed\":null},{\"Name\":\"Tag\",\"Value\":\"redirect\",\"Path\":\"/\",\"Domain\":\"\",\"Expires\":\"2023-02-19T00:20:18.315087646+01:00\",\"RawExpires\":\"\",\"MaxAge\":7776000,\"Secure\":true,\"HttpOnly\":false,\"SameSite\":0,\"Raw\":\"Tag=redirect; Path=/; Secure; Max-Age=7776000\",\"Unparsed\":null}]}",
+	"fetch_workers": "16",
+	"first_time_start": "false",
+	"first_time_start_gui": "true",
+	"imap_workers": "16",
+	"is_all_mail_visible": "false",
+	"last_heartbeat": "325",
+	"last_used_version": "2.3.0+git",
+	"preferred_keychain": "secret-service",
+	"rebranding_migrated": "true",
+	"report_outgoing_email_without_encryption": "false",
+	"rollout": "0.4849529004202015",
+	"user_port_api": "1042",
+	"update_channel": "early",
+	"user_port_imap": "2143",
+	"user_port_smtp": "2025",
+	"user_ssl_smtp": "true"
+}
--- a/internal/app/vault.go
+++ b/internal/app/vault.go
@ -0,0 +1,129 @@
+// Copyright (c) 2025 Proton AG
+//
+// This file is part of Proton Mail Bridge.
+//
+// Proton Mail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Proton Mail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Proton Mail Bridge.  If not, see <https://www.gnu.org/licenses/>.
+
+package app
+
+import (
+	"fmt"
+	"path"
+
+	"github.com/ProtonMail/gluon/async"
+	"github.com/ProtonMail/proton-bridge/v3/internal/certs"
+	"github.com/ProtonMail/proton-bridge/v3/internal/constants"
+	"github.com/ProtonMail/proton-bridge/v3/internal/locations"
+	"github.com/ProtonMail/proton-bridge/v3/internal/sentry"
+	"github.com/ProtonMail/proton-bridge/v3/internal/vault"
+	"github.com/ProtonMail/proton-bridge/v3/pkg/keychain"
+	"github.com/sirupsen/logrus"
+)
+
+func WithVault(reporter *sentry.Reporter, locations *locations.Locations, keychains *keychain.List, panicHandler async.PanicHandler, fn func(*vault.Vault, bool, bool) error) error {
+	logrus.Debug("Creating vault")
+	defer logrus.Debug("Vault stopped")
+
+	// Create the encVault.
+	encVault, insecure, corrupt, err := newVault(reporter, locations, keychains, panicHandler)
+	if err != nil {
+		return fmt.Errorf("could not create vault: %w", err)
+	}
+
+	logrus.WithFields(logrus.Fields{
+		"insecure": insecure,
+		"corrupt":  corrupt != nil,
+	}).Debug("Vault created")
+
+	if corrupt != nil {
+		logrus.WithError(corrupt).Warn("Failed to load existing vault, vault has been reset")
+	}
+
+	cert, _ := encVault.GetBridgeTLSCert()
+	certs.NewInstaller().LogCertInstallStatus(cert)
+
+	// GODT-1950: Add teardown actions (e.g. to close the vault).
+
+	return fn(encVault, insecure, corrupt != nil)
+}
+
+func newVault(reporter *sentry.Reporter, locations *locations.Locations, keychains *keychain.List, panicHandler async.PanicHandler) (*vault.Vault, bool, error, error) {
+	vaultDir, err := locations.ProvideSettingsPath()
+	if err != nil {
+		return nil, false, nil, fmt.Errorf("could not get vault dir: %w", err)
+	}
+
+	logrus.WithField("vaultDir", vaultDir).Debug("Loading vault from directory")
+
+	var (
+		vaultKey []byte
+		insecure bool
+	)
+
+	if key, err := loadVaultKey(vaultDir, keychains); err != nil {
+		if reporter != nil {
+			if rerr := reporter.ReportMessageWithContext("Could not load/create vault key", map[string]any{
+				"keychainDefaultHelper":       keychains.GetDefaultHelper(),
+				"keychainUsableHelpersLength": len(keychains.GetHelpers()),
+				"error":                       err.Error(),
+			}); rerr != nil {
+				logrus.WithError(err).Info("Failed to report keychain issue to Sentry")
+			}
+		}
+
+		logrus.WithError(err).Error("Could not load/create vault key")
+		insecure = true
+
+		// We store the insecure vault in a separate directory
+		vaultDir = path.Join(vaultDir, "insecure")
+	} else {
+		vaultKey = key
+	}
+
+	gluonCacheDir, err := locations.ProvideGluonCachePath()
+	if err != nil {
+		return nil, false, nil, fmt.Errorf("could not provide gluon path: %w", err)
+	}
+
+	vault, corrupt, err := vault.New(vaultDir, gluonCacheDir, vaultKey, panicHandler)
+	if err != nil {
+		return nil, false, corrupt, fmt.Errorf("could not create vault: %w", err)
+	}
+
+	return vault, insecure, corrupt, nil
+}
+
+func loadVaultKey(vaultDir string, keychains *keychain.List) ([]byte, error) {
+	helper, err := vault.GetHelper(vaultDir)
+	if err != nil {
+		return nil, fmt.Errorf("could not get keychain helper: %w", err)
+	}
+
+	kc, err := keychain.NewKeychain(helper, constants.KeyChainName, keychains.GetHelpers(), keychains.GetDefaultHelper())
+	if err != nil {
+		return nil, fmt.Errorf("could not create keychain: %w", err)
+	}
+
+	key, err := vault.GetVaultKey(kc)
+	if err != nil {
+		if keychain.IsErrKeychainNoItem(err) {
+			logrus.WithError(err).Warn("no vault key found, generating new")
+			return vault.NewVaultKey(kc)
+		}
+
+		return nil, fmt.Errorf("could not check for vault key: %w", err)
+	}
+
+	return key, nil
+}
--- a/internal/bridge/api.go
+++ b/internal/bridge/api.go
@ -0,0 +1,46 @@
+// Copyright (c) 2025 Proton AG
+//
+// This file is part of Proton Mail Bridge.
+//
+// Proton Mail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Proton Mail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Proton Mail Bridge.  If not, see <https://www.gnu.org/licenses/>.
+
+package bridge
+
+import (
+	"net/http"
+
+	"github.com/Masterminds/semver/v3"
+	"github.com/ProtonMail/gluon/async"
+	"github.com/ProtonMail/go-proton-api"
+	"github.com/ProtonMail/proton-bridge/v3/internal/constants"
+	"github.com/sirupsen/logrus"
+)
+
+// defaultAPIOptions returns a set of default API options for the given parameters.
+func defaultAPIOptions(
+	apiURL string,
+	version *semver.Version,
+	cookieJar http.CookieJar,
+	transport http.RoundTripper,
+	panicHandler async.PanicHandler,
+) []proton.Option {
+	return []proton.Option{
+		proton.WithHostURL(apiURL),
+		proton.WithAppVersion(constants.AppVersion(version.Original())),
+		proton.WithCookieJar(cookieJar),
+		proton.WithTransport(transport),
+		proton.WithLogger(logrus.WithField("pkg", "gpa/client")),
+		proton.WithPanicHandler(panicHandler),
+	}
+}
--- a/internal/bridge/api_default.go
+++ b/internal/bridge/api_default.go
@ -1,4 +1,4 @@
-// Copyright (c) 2022 Proton AG
+// Copyright (c) 2025 Proton AG
 //
 // This file is part of Proton Mail Bridge.
 //
@ -15,22 +15,25 @@
 // You should have received a copy of the GNU General Public License
 // along with Proton Mail Bridge.  If not, see <https://www.gnu.org/licenses/>.

-//go:build !build_qa
-// +build !build_qa
+//go:build !build_qa && !test_integration

-package pmapi
+package bridge

 import (
 	"net/http"
+
+	"github.com/Masterminds/semver/v3"
+	"github.com/ProtonMail/gluon/async"
+	"github.com/ProtonMail/go-proton-api"
 )

-func getRootURL() string {
-	return "https://api.protonmail.ch"
-}
-
-func newProxyDialerAndTransport(cfg Config) (*ProxyTLSDialer, http.RoundTripper) {
-	basicDialer := NewBasicTLSDialer(cfg)
-	pinningDialer := NewPinningTLSDialer(cfg, basicDialer)
-	proxyDialer := NewProxyTLSDialer(cfg, pinningDialer)
-	return proxyDialer, CreateTransportWithDialer(proxyDialer)
+// newAPIOptions returns a set of API options for the given parameters.
+func newAPIOptions(
+	apiURL string,
+	version *semver.Version,
+	cookieJar http.CookieJar,
+	transport http.RoundTripper,
+	panicHandler async.PanicHandler,
+) []proton.Option {
+	return defaultAPIOptions(apiURL, version, cookieJar, transport, panicHandler)
 }
--- a/internal/bridge/api_qa.go
+++ b/internal/bridge/api_qa.go
@ -0,0 +1,63 @@
+// Copyright (c) 2025 Proton AG
+//
+// This file is part of Proton Mail Bridge.
+//
+// Proton Mail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Proton Mail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Proton Mail Bridge.  If not, see <https://www.gnu.org/licenses/>.
+
+//go:build build_qa || test_integration
+
+package bridge
+
+import (
+	"crypto/tls"
+	"net/http"
+	"os"
+
+	"github.com/Masterminds/semver/v3"
+	"github.com/ProtonMail/gluon/async"
+	"github.com/ProtonMail/go-proton-api"
+)
+
+// newAPIOptions returns a set of API options for the given parameters.
+func newAPIOptions(
+	apiURL string,
+	version *semver.Version,
+	cookieJar http.CookieJar,
+	transport http.RoundTripper,
+	panicHandler async.PanicHandler,
+) []proton.Option {
+
+	if allow := os.Getenv("BRIDGE_ALLOW_PROXY"); allow != "" {
+		transport = &http.Transport{
+			Proxy:           http.ProxyFromEnvironment,
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+		}
+	}
+
+	opt := defaultAPIOptions(apiURL, version, cookieJar, transport, panicHandler)
+
+	if host := os.Getenv("BRIDGE_API_HOST"); host != "" {
+		opt = append(opt, proton.WithHostURL(host))
+	}
+
+	if debug := os.Getenv("BRIDGE_API_DEBUG"); debug != "" {
+		opt = append(opt, proton.WithDebug(true))
+	}
+
+	if skipVerify := os.Getenv("BRIDGE_API_SKIP_VERIFY"); skipVerify != "" {
+		opt = append(opt, proton.WithSkipVerifyProofs())
+	}
+
+	return opt
+}
--- a/internal/bridge/autostart.go
+++ b/internal/bridge/autostart.go
@ -1,38 +0,0 @@
-// Copyright (c) 2022 Proton AG
-//
-// This file is part of Proton Mail Bridge.
-//
-// Proton Mail Bridge is free software: you can redistribute it and/or modify
-// it under the terms of the GNU General Public License as published by
-// the Free Software Foundation, either version 3 of the License, or
-// (at your option) any later version.
-//
-// Proton Mail Bridge is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License
-// along with Proton Mail Bridge. If not, see <https://www.gnu.org/licenses/>.
-
-// Package bridge provides core functionality of Bridge app.
-package bridge
-
-import "github.com/ProtonMail/proton-bridge/v2/internal/config/settings"
-
-// IsAutostartEnabled checks if link file exits.
-func (b *Bridge) IsAutostartEnabled() bool {
-	return b.autostart.IsEnabled()
-}
-
-// EnableAutostart creates link and sets the preferences.
-func (b *Bridge) EnableAutostart() error {
-	b.settings.SetBool(settings.AutostartKey, true)
-	return b.autostart.Enable()
-}
-
-// DisableAutostart removes link and sets the preferences.
-func (b *Bridge) DisableAutostart() error {
-	b.settings.SetBool(settings.AutostartKey, false)
-	return b.autostart.Disable()
-}
--- a/internal/bridge/bridge.go
+++ b/internal/bridge/bridge.go
--- a/internal/bridge/bridge_test.go
+++ b/internal/bridge/bridge_test.go
--- a/internal/bridge/bug_report.go
+++ b/internal/bridge/bug_report.go
@ -1,4 +1,4 @@
-// Copyright (c) 2022 Proton AG
+// Copyright (c) 2025 Proton AG
 //
 // This file is part of Proton Mail Bridge.
 //
@ -18,189 +18,142 @@
 package bridge

 import (
-	"archive/zip"
-	"bytes"
 	"context"
 	"errors"
 	"io"
-	"os"
-	"path/filepath"
-	"sort"

-	"github.com/ProtonMail/proton-bridge/v2/internal/logging"
-	"github.com/ProtonMail/proton-bridge/v2/pkg/pmapi"
+	"github.com/ProtonMail/go-proton-api"
+	"github.com/ProtonMail/proton-bridge/v3/internal/constants"
+	"github.com/ProtonMail/proton-bridge/v3/internal/logging"
+	"github.com/ProtonMail/proton-bridge/v3/internal/vault"
 )

 const (
-	MaxAttachmentSize       = 7 * 1024 * 1024 // MaxAttachmentSize 7 MB total limit
-	MaxCompressedFilesCount = 6
+	DefaultMaxBugReportZipSize         = 7 * 1024 * 1024
+	DefaultMaxSessionCountForBugReport = 10
 )

-var ErrSizeTooLarge = errors.New("file is too big")
-
-// ReportBug reports a new bug from the user.
-func (b *Bridge) ReportBug(osType, osVersion, description, accountName, address, emailClient string, attachLogs bool) error {
-	if user, err := b.GetUser(address); err == nil {
-		accountName = user.Username()
-	} else if users := b.GetUsers(); len(users) > 0 {
-		accountName = users[0].Username()
+type ReportBugReq struct {
+	OSType      string
+	OSVersion   string
+	Title       string
+	Description string
+	Username    string
+	Email       string
+	EmailClient string
+	IncludeLogs bool
 }

-	report := pmapi.ReportBugReq{
-		OS:          osType,
-		OSVersion:   osVersion,
-		Browser:     emailClient,
-		Title:       "[Bridge] Bug",
-		Description: description,
-		Username:    accountName,
-		Email:       address,
-	}
-
-	if attachLogs {
-		logs, err := b.getMatchingLogs(
-			func(filename string) bool {
-				return logging.MatchLogName(filename) && !logging.MatchStackTraceName(filename)
-			},
-		)
-		if err != nil {
-			log.WithError(err).Error("Can't get log files list")
-		}
-		crashes, err := b.getMatchingLogs(
-			func(filename string) bool {
-				return logging.MatchLogName(filename) && logging.MatchStackTraceName(filename)
-			},
-		)
-		if err != nil {
-			log.WithError(err).Error("Can't get crash files list")
-		}
-
-		var matchFiles []string
-
-		matchFiles = append(matchFiles, logs[max(0, len(logs)-(MaxCompressedFilesCount/2)):]...)
-		matchFiles = append(matchFiles, crashes[max(0, len(crashes)-(MaxCompressedFilesCount/2)):]...)
-
-		archive, err := zipFiles(matchFiles)
-		if err != nil {
-			log.WithError(err).Error("Can't zip logs and crashes")
-		}
-
-		if archive != nil {
-			report.AddAttachment("logs.zip", "application/zip", archive)
+func (bridge *Bridge) ReportBug(ctx context.Context, report *ReportBugReq) error {
+	if info, err := bridge.QueryUserInfo(report.Username); err == nil {
+		report.Username = info.Username
+	} else if userIDs := bridge.GetUserIDs(); len(userIDs) > 0 {
+		if err := bridge.vault.GetUser(userIDs[0], func(user *vault.User) {
+			report.Username = user.Username()
+		}); err != nil {
+			return err
 		}
 	}

-	return b.clientManager.ReportBug(context.Background(), report)
-}
-
-func max(a, b int) int {
-	if a > b {
-		return a
-	}
-	return b
-}
-
-func (b *Bridge) getMatchingLogs(filenameMatchFunc func(string) bool) (filenames []string, err error) {
-	logsPath, err := b.locations.ProvideLogsPath()
-	if err != nil {
-		return nil, err
-	}
-
-	files, err := os.ReadDir(logsPath)
-	if err != nil {
-		return nil, err
-	}
-
-	var matchFiles []string
-
-	for _, file := range files {
-		if filenameMatchFunc(file.Name()) {
-			matchFiles = append(matchFiles, filepath.Join(logsPath, file.Name()))
-		}
-	}
-	sort.Strings(matchFiles) // Sorted by timestamp: oldest first.
-
-	return matchFiles, nil
-}
-
-type LimitedBuffer struct {
-	capacity int
-	buf      *bytes.Buffer
-}
-
-func NewLimitedBuffer(capacity int) *LimitedBuffer {
-	return &LimitedBuffer{
-		capacity: capacity,
-		buf:      bytes.NewBuffer(make([]byte, 0, capacity)),
-	}
-}
-
-func (b *LimitedBuffer) Write(p []byte) (n int, err error) {
-	if len(p)+b.buf.Len() > b.capacity {
-		return 0, ErrSizeTooLarge
-	}
-
-	return b.buf.Write(p)
-}
-
-func (b *LimitedBuffer) Read(p []byte) (n int, err error) {
-	return b.buf.Read(p)
-}
-
-func zipFiles(filenames []string) (io.Reader, error) {
-	if len(filenames) == 0 {
-		return nil, nil
-	}
-
-	buf := NewLimitedBuffer(MaxAttachmentSize)
-
-	w := zip.NewWriter(buf)
-	defer w.Close() //nolint:errcheck
-
-	for _, file := range filenames {
-		err := addFileToZip(file, w)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	if err := w.Close(); err != nil {
-		return nil, err
-	}
-
-	return buf, nil
-}
-
-func addFileToZip(filename string, writer *zip.Writer) error {
-	fileReader, err := os.Open(filepath.Clean(filename))
+	var attachments []proton.ReportBugAttachment
+	if report.IncludeLogs {
+		logs, err := bridge.CollectLogs()
 		if err != nil {
 			return err
 		}
-	defer fileReader.Close() //nolint:errcheck,gosec
+		attachments = append(attachments, logs)
+	}

-	fileInfo, err := fileReader.Stat()
+	var firstAtt proton.ReportBugAttachment
+	if len(attachments) > 0 && report.IncludeLogs {
+		firstAtt = attachments[0]
+	}
+
+	attachmentType := proton.AttachmentTypeSync
+	if len(attachments) > 1 {
+		attachmentType = proton.AttachmentTypeAsync
+	}
+
+	token, err := bridge.createTicket(ctx, report, attachmentType, firstAtt)
+	if err != nil || token == "" {
+		return err
+	}
+
+	// if we have a token we can append more attachment to the bugReport
+	for i, att := range attachments {
+		if i == 0 && report.IncludeLogs {
+			continue
+		}
+		err := bridge.appendComment(ctx, token, att)
 		if err != nil {
 			return err
 		}
+	}
+	return err
+}

-	header, err := zip.FileInfoHeader(fileInfo)
+func (bridge *Bridge) CollectLogs() (proton.ReportBugAttachment, error) {
+	logsPath, err := bridge.locator.ProvideLogsPath()
 	if err != nil {
-		return err
+		return proton.ReportBugAttachment{}, err
 	}

-	header.Method = zip.Deflate
-	header.Name = filepath.Base(filename)
-
-	fileWriter, err := writer.CreateHeader(header)
+	buffer, err := logging.ZipLogsForBugReport(logsPath, DefaultMaxSessionCountForBugReport, DefaultMaxBugReportZipSize)
 	if err != nil {
-		return err
+		return proton.ReportBugAttachment{}, err
 	}

-	_, err = io.Copy(fileWriter, fileReader)
+	body, err := io.ReadAll(buffer)
 	if err != nil {
-		return err
+		return proton.ReportBugAttachment{}, err
 	}

-	err = fileReader.Close()
-
-	return err
+	return proton.ReportBugAttachment{
+		Name:     "logs.zip",
+		Filename: "logs.zip",
+		MIMEType: "application/zip",
+		Body:     body,
+	}, nil
+}
+
+func (bridge *Bridge) createTicket(ctx context.Context, report *ReportBugReq,
+	asyncAttach proton.AttachmentType, att proton.ReportBugAttachment) (string, error) {
+	var attachments []proton.ReportBugAttachment
+	attachments = append(attachments, att)
+	res, err := bridge.api.ReportBug(ctx, proton.ReportBugReq{
+		OS:        report.OSType,
+		OSVersion: report.OSVersion,
+
+		Title:       "[Bridge] Bug - " + report.Title,
+		Description: report.Description,
+
+		Client:        report.EmailClient,
+		ClientType:    proton.ClientTypeEmail,
+		ClientVersion: constants.AppVersion(bridge.curVersion.Original()),
+
+		Username: report.Username,
+		Email:    report.Email,
+
+		AsyncAttachments: asyncAttach,
+	}, attachments...)
+
+	if err != nil || asyncAttach != proton.AttachmentTypeAsync {
+		return "", err
+	}
+
+	if asyncAttach == proton.AttachmentTypeAsync && res.Token == nil {
+		return "", errors.New("no token returns for AsyncAttachments")
+	}
+
+	return *res.Token, nil
+}
+
+func (bridge *Bridge) appendComment(ctx context.Context, token string, att proton.ReportBugAttachment) error {
+	var attachments []proton.ReportBugAttachment
+	attachments = append(attachments, att)
+	return bridge.api.ReportBugAttachement(ctx, proton.ReportBugAttachmentReq{
+		Product: proton.ClientTypeEmail,
+		Body:    "Comment adding attachment: " + att.Filename,
+		Token:   token,
+	}, attachments...)
 }
--- a/internal/bridge/configure.go
+++ b/internal/bridge/configure.go
@ -1,4 +1,4 @@
-// Copyright (c) 2022 Proton AG
+// Copyright (c) 2025 Proton AG
 //
 // This file is part of Proton Mail Bridge.
 //
@ -18,53 +18,73 @@
 package bridge

 import (
+	"context"
+	"errors"
 	"strings"

-	"github.com/ProtonMail/proton-bridge/v2/internal/clientconfig"
-	"github.com/ProtonMail/proton-bridge/v2/internal/config/settings"
-	"github.com/ProtonMail/proton-bridge/v2/internal/config/useragent"
+	"github.com/ProtonMail/proton-bridge/v3/internal/clientconfig"
+	"github.com/ProtonMail/proton-bridge/v3/internal/constants"
+	"github.com/ProtonMail/proton-bridge/v3/internal/logging"
+	"github.com/ProtonMail/proton-bridge/v3/internal/safe"
+	"github.com/ProtonMail/proton-bridge/v3/internal/useragent"
+	"github.com/ProtonMail/proton-bridge/v3/internal/vault"
+	"github.com/sirupsen/logrus"
 )

-func (b *Bridge) ConfigureAppleMail(userID, address string) (bool, error) {
-	user, err := b.GetUser(userID)
-	if err != nil {
-		return false, err
+// ConfigureAppleMail configures Apple Mail for the given userID and address.
+// If configuring Apple Mail for Catalina or newer, it ensures Bridge is using SSL.
+func (bridge *Bridge) ConfigureAppleMail(ctx context.Context, userID, address string) error {
+	logPkg.WithFields(logrus.Fields{
+		"userID":  userID,
+		"address": logging.Sensitive(address),
+	}).Info("Configuring Apple Mail")
+
+	return safe.RLockRet(func() error {
+		user, ok := bridge.users[userID]
+		if !ok {
+			return ErrNoSuchUser
+		}
+
+		emails := user.Emails()
+		displayNames := user.DisplayNames()
+		if (len(emails) == 0) || (len(displayNames) == 0) {
+			return errors.New("could not retrieve user address info")
 		}

 		if address == "" {
-		address = user.GetPrimaryAddress()
+			address = emails[0]
 		}

-	username := address
-	addresses := address
-
-	if user.IsCombinedAddressMode() {
-		username = user.GetPrimaryAddress()
-		addresses = strings.Join(user.GetAddresses(), ",")
+		var username, displayName, addresses string
+		if user.GetAddressMode() == vault.CombinedMode {
+			username = address
+			displayName = displayNames[username]
+			addresses = strings.Join(emails, ",")
+		} else {
+			username = address
+			addresses = address
+			displayName = displayNames[address]
+			if len(displayName) == 0 {
+				displayName = address
+			}
 		}

-	var (
-		restart = false
-		smtpSSL = b.settings.GetBool(settings.SMTPSSLKey)
+		if useragent.IsCatalinaOrNewer() && !bridge.vault.GetSMTPSSL() {
+			if err := bridge.SetSMTPSSL(ctx, true); err != nil {
+				return err
+			}
+		}
+
+		return (&clientconfig.AppleMail{}).Configure(
+			constants.Host,
+			bridge.vault.GetIMAPPort(),
+			bridge.vault.GetSMTPPort(),
+			bridge.vault.GetIMAPSSL(),
+			bridge.vault.GetSMTPSSL(),
+			username,
+			displayName,
+			addresses,
+			user.BridgePass(),
 		)
-
-	// If configuring apple mail for Catalina or newer, users should use SSL.
-	if useragent.IsCatalinaOrNewer() && !smtpSSL {
-		smtpSSL = true
-		restart = true
-		b.settings.SetBool(settings.SMTPSSLKey, true)
-	}
-
-	if err := (&clientconfig.AppleMail{}).Configure(
-		Host,
-		b.settings.GetInt(settings.IMAPPortKey),
-		b.settings.GetInt(settings.SMTPPortKey),
-		false, smtpSSL,
-		username, addresses,
-		user.GetBridgePassword(),
-	); err != nil {
-		return false, err
-	}
-
-	return restart, nil
+	}, bridge.usersLock)
 }
--- a/internal/bridge/debug.go
+++ b/internal/bridge/debug.go
@ -0,0 +1,301 @@
+// Copyright (c) 2025 Proton AG
+//
+// This file is part of Proton Mail Bridge.
+//
+// Proton Mail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Proton Mail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Proton Mail Bridge.  If not, see <https://www.gnu.org/licenses/>.
+
+package bridge
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+
+	"github.com/ProtonMail/gluon/imap"
+	"github.com/ProtonMail/gluon/rfc822"
+	"github.com/ProtonMail/go-proton-api"
+	"github.com/ProtonMail/proton-bridge/v3/internal/user"
+	"github.com/bradenaw/juniper/iterator"
+	"github.com/bradenaw/juniper/xslices"
+	goimap "github.com/emersion/go-imap"
+	goimapclient "github.com/emersion/go-imap/client"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/exp/maps"
+)
+
+type CheckClientStateResult struct {
+	MissingMessages map[string]map[string]user.DiagMailboxMessage
+}
+
+func (c *CheckClientStateResult) AddMissingMessage(userID string, message user.DiagMailboxMessage) {
+	v, ok := c.MissingMessages[userID]
+	if !ok {
+		c.MissingMessages[userID] = map[string]user.DiagMailboxMessage{message.ID: message}
+	} else {
+		v[message.ID] = message
+	}
+}
+
+// CheckClientState checks the current IMAP client reported state against the proton server state and reports
+// anything that is out of place.
+func (bridge *Bridge) CheckClientState(ctx context.Context, checkFlags bool, progressCB func(string)) (CheckClientStateResult, error) {
+	bridge.usersLock.RLock()
+	defer bridge.usersLock.RUnlock()
+
+	users := maps.Values(bridge.users)
+
+	result := CheckClientStateResult{
+		MissingMessages: make(map[string]map[string]user.DiagMailboxMessage),
+	}
+
+	for _, usr := range users {
+		if progressCB != nil {
+			progressCB(fmt.Sprintf("Checking state for user %v", usr.Name()))
+		}
+		log := logrus.WithFields(logrus.Fields{
+			"pkg":  "bridge/debug",
+			"user": usr.Name(),
+			"diag": "state-check",
+		})
+		log.Debug("Retrieving all server metadata")
+		meta, err := usr.GetDiagnosticMetadata(ctx)
+		if err != nil {
+			return result, err
+		}
+
+		success := true
+
+		if len(meta.Metadata) != len(meta.MessageIDs) {
+			log.Errorf("Metadata (%v) and message(%v) list sizes do not match", len(meta.Metadata), len(meta.MessageIDs))
+		}
+
+		log.Debug("Building state")
+		state, err := meta.BuildMailboxToMessageMap(ctx, usr)
+		if err != nil {
+			log.WithError(err).Error("Failed to build state")
+			return result, err
+		}
+
+		info, err := bridge.GetUserInfo(usr.ID())
+		if err != nil {
+			log.WithError(err).Error("Failed to get user info")
+			return result, err
+		}
+
+		addr := fmt.Sprintf("127.0.0.1:%v", bridge.GetIMAPPort())
+
+		for account, mboxMap := range state {
+			if progressCB != nil {
+				progressCB(fmt.Sprintf("Checking state for user %v's account '%v'", usr.Name(), account))
+			}
+			if err := func(account string, mboxMap user.AccountMailboxMap) error {
+				client, err := goimapclient.Dial(addr)
+				if err != nil {
+					log.WithError(err).Error("Failed to connect to imap client")
+					return err
+				}
+
+				defer func() {
+					_ = client.Logout()
+				}()
+
+				if err := client.Login(account, string(info.BridgePass)); err != nil {
+					return fmt.Errorf("failed to login for user %v:%w", usr.Name(), err)
+				}
+
+				log := log.WithField("account", account)
+				for mboxName, messageList := range mboxMap {
+					log := log.WithField("mbox", mboxName)
+					status, err := client.Select(mboxName, true)
+					if err != nil {
+						log.WithError(err).Errorf("Failed to select mailbox %v", messageList)
+						return fmt.Errorf("failed to select '%v':%w", mboxName, err)
+					}
+
+					log.Debug("Checking message count")
+
+					if int(status.Messages) != len(messageList) {
+						success = false
+						log.Errorf("Message count doesn't match, got '%v' expected '%v'", status.Messages, len(messageList))
+					}
+
+					ids, err := clientGetMessageIDs(client, mboxName)
+					if err != nil {
+						return fmt.Errorf("failed to get message ids for mbox '%v': %w", mboxName, err)
+					}
+
+					for _, msg := range messageList {
+						imapFlags, ok := ids[msg.ID]
+						if !ok {
+							if meta.FailedMessageIDs.Contains(msg.ID) {
+								log.Warningf("Missing message '%v', but it is part of failed message set", msg.ID)
+							} else {
+								log.Errorf("Missing message '%v'", msg.ID)
+							}
+
+							result.AddMissingMessage(msg.UserID, msg)
+							continue
+						}
+
+						if checkFlags {
+							if !imapFlags.Equals(msg.Flags) {
+								log.Errorf("Message '%v' flags do mot match, got=%v, expected=%v",
+									msg.ID,
+									imapFlags.ToSlice(),
+									msg.Flags.ToSlice(),
+								)
+							}
+						}
+					}
+				}
+
+				if !success {
+					log.Errorf("State does not match")
+				} else {
+					log.Info("State matches")
+				}
+
+				return nil
+			}(account, mboxMap); err != nil {
+				return result, err
+			}
+		}
+
+		// Check for orphaned messages (only present in All Mail)
+		if progressCB != nil {
+			progressCB(fmt.Sprintf("Checking user %v for orphans", usr.Name()))
+		}
+		log.Debugf("Checking for orphans")
+
+		for _, m := range meta.Metadata {
+			filteredLabels := xslices.Filter(m.LabelIDs, func(t string) bool {
+				switch t {
+				case proton.AllMailLabel:
+					return false
+				case proton.AllSentLabel:
+					return false
+				case proton.AllDraftsLabel:
+					return false
+				case proton.OutboxLabel:
+					return false
+				default:
+					return true
+				}
+			})
+
+			if len(filteredLabels) == 0 {
+				log.Warnf("Message %v is only present in All Mail (Subject=%v)", m.ID, m.Subject)
+			}
+		}
+	}
+
+	return result, nil
+}
+
+func (bridge *Bridge) DebugDownloadFailedMessages(
+	ctx context.Context,
+	result CheckClientStateResult,
+	exportPath string,
+	progressCB func(string, int, int),
+) error {
+	bridge.usersLock.RLock()
+	defer bridge.usersLock.RUnlock()
+
+	for userID, messages := range result.MissingMessages {
+		usr, ok := bridge.users[userID]
+		if !ok {
+			return fmt.Errorf("failed to find user with id %v", userID)
+		}
+
+		userDir := filepath.Join(exportPath, userID)
+		if err := os.MkdirAll(userDir, 0o700); err != nil {
+			return fmt.Errorf("failed to create directory '%v': %w", userDir, err)
+		}
+
+		if err := usr.DebugDownloadMessages(ctx, userDir, messages, progressCB); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func clientGetMessageIDs(client *goimapclient.Client, mailbox string) (map[string]imap.FlagSet, error) {
+	status, err := client.Select(mailbox, true)
+	if err != nil {
+		return nil, err
+	}
+
+	if status.Messages == 0 {
+		return nil, nil
+	}
+
+	resCh := make(chan *goimap.Message)
+
+	section, err := goimap.ParseBodySectionName("BODY[HEADER]")
+	if err != nil {
+		return nil, err
+	}
+
+	fetchItems := []goimap.FetchItem{"BODY[HEADER]", goimap.FetchFlags}
+
+	seq, err := goimap.ParseSeqSet("1:*")
+	if err != nil {
+		return nil, err
+	}
+
+	go func() {
+		if err := client.Fetch(
+			seq,
+			fetchItems,
+			resCh,
+		); err != nil {
+			panic(err)
+		}
+	}()
+
+	messages := iterator.Collect(iterator.Chan(resCh))
+
+	ids := make(map[string]imap.FlagSet, len(messages))
+
+	for i, m := range messages {
+		literal, err := io.ReadAll(m.GetBody(section))
+		if err != nil {
+			return nil, err
+		}
+
+		header, err := rfc822.NewHeader(literal)
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse header for msg %v: %w", i, err)
+		}
+
+		internalID, ok := header.GetChecked("X-Pm-Internal-Id")
+		if !ok {
+			logrus.WithField("pkg", "bridge/debug").Errorf("Message %v does not have internal id", internalID)
+			continue
+		}
+
+		messageFlags := imap.NewFlagSet(m.Flags...)
+
+		// Recent and Deleted are not part of the proton flag set.
+		messageFlags.RemoveFromSelf("\\Recent")
+		messageFlags.RemoveFromSelf("\\Deleted")
+
+		ids[internalID] = messageFlags
+	}
+
+	return ids, nil
+}
--- a/internal/bridge/draft_test.go
+++ b/internal/bridge/draft_test.go
@ -0,0 +1,171 @@
+// Copyright (c) 2025 Proton AG
+//
+// This file is part of Proton Mail Bridge.
+//
+// Proton Mail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Proton Mail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Proton Mail Bridge.  If not, see <https://www.gnu.org/licenses/>.
+
+package bridge_test
+
+import (
+	"bytes"
+	"context"
+	"crypto/tls"
+	"fmt"
+	"io"
+	"net"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/ProtonMail/gluon/rfc822"
+	"github.com/ProtonMail/go-proton-api"
+	"github.com/ProtonMail/go-proton-api/server"
+	"github.com/ProtonMail/proton-bridge/v3/internal/bridge"
+	"github.com/ProtonMail/proton-bridge/v3/internal/constants"
+	"github.com/ProtonMail/proton-bridge/v3/internal/events"
+	go_imap "github.com/emersion/go-imap"
+	"github.com/emersion/go-sasl"
+	"github.com/emersion/go-smtp"
+	"github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/require"
+)
+
+func TestBridge_HandleDraftsSendFromOtherClient(t *testing.T) {
+	getGluonHeaderID := func(literal []byte) (string, string) {
+		h, err := rfc822.NewHeader(literal)
+		require.NoError(t, err)
+
+		gluonID, ok := h.GetChecked("X-Pm-Gluon-Id")
+		require.True(t, ok)
+
+		externalID, ok := h.GetChecked("Message-Id")
+		require.True(t, ok)
+
+		return gluonID, externalID
+	}
+
+	withEnv(t, func(ctx context.Context, s *server.Server, netCtl *proton.NetCtl, locator bridge.Locator, storeKey []byte) {
+		_, _, err := s.CreateUser("imap", password)
+		require.NoError(t, err)
+
+		_, _, err = s.CreateUser("bar", password)
+		require.NoError(t, err)
+
+		// The initial user should be fully synced.
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(b *bridge.Bridge, _ *bridge.Mocks) {
+			syncCh, done := chToType[events.Event, events.SyncFinished](b.GetEvents(events.SyncFinished{}))
+			defer done()
+
+			userID, err := b.LoginFull(ctx, "imap", password, nil, nil)
+			require.NoError(t, err)
+
+			require.Equal(t, userID, (<-syncCh).UserID)
+
+			info, err := b.GetUserInfo(userID)
+			require.NoError(t, err)
+			require.True(t, info.State == bridge.Connected)
+
+			client, err := eventuallyDial(fmt.Sprintf("%v:%v", constants.Host, b.GetIMAPPort()))
+			require.NoError(t, err)
+			require.NoError(t, client.Login(info.Addresses[0], string(info.BridgePass)))
+			defer func() { _ = client.Logout() }()
+
+			// Create first draft in client.
+			literal := fmt.Sprintf(`From: %v
+To: %v
+Date: Fri, 3 Feb 2023 01:04:32 +0100
+Subject: Foo
+
+Hello
+`, info.Addresses[0], "bar@proton.local")
+
+			require.NoError(t, client.Append("Drafts", nil, time.Now(), strings.NewReader(literal)))
+			// Verify the draft is available in client.
+			require.Eventually(t, func() bool {
+				status, err := client.Status("Drafts", []go_imap.StatusItem{go_imap.StatusMessages})
+				require.NoError(t, err)
+				return status.Messages == 1
+			}, 2*time.Second, time.Second)
+
+			// Retrieve the new literal so we can have the Proton Message ID.
+			messages, err := clientFetch(client, "Drafts")
+			require.NoError(t, err)
+			require.Equal(t, 1, len(messages))
+
+			newLiteral, err := io.ReadAll(messages[0].GetBody(must(go_imap.ParseBodySectionName("BODY[]"))))
+			require.NoError(t, err)
+			logrus.Info(string(newLiteral))
+
+			newLiteralID, newLiteralExternID := getGluonHeaderID(newLiteral)
+
+			// Modify new literal.
+			newLiteralModified := append(newLiteral, []byte(" world from client2")...) //nolint:gocritic
+
+			func() {
+				smtpClient, err := smtp.Dial(net.JoinHostPort(constants.Host, fmt.Sprint(b.GetSMTPPort())))
+				require.NoError(t, err)
+				defer func() { _ = smtpClient.Close() }()
+
+				// Upgrade to TLS.
+				require.NoError(t, smtpClient.StartTLS(&tls.Config{InsecureSkipVerify: true}))
+
+				// Authorize with SASL PLAIN.
+				require.NoError(t, smtpClient.Auth(sasl.NewPlainClient(
+					info.Addresses[0],
+					info.Addresses[0],
+					string(info.BridgePass)),
+				))
+
+				// Send the message.
+				require.NoError(t, smtpClient.SendMail(
+					info.Addresses[0],
+					[]string{"bar@proton.local"},
+					bytes.NewReader(newLiteralModified),
+				))
+			}()
+
+			// Append message to Sent as the imap client would.
+			require.NoError(t, client.Append("Sent", nil, time.Now(), strings.NewReader(literal)))
+
+			// Verify the sent message gets updated with the new literal.
+			require.Eventually(t, func() bool {
+				// Check if sent message matches the latest draft.
+				messagesClient1, err := clientFetch(client, "Sent", "BODY[TEXT]", "BODY[]")
+				require.NoError(t, err)
+
+				if len(messagesClient1) != 1 {
+					return false
+				}
+
+				sentLiteral, err := io.ReadAll(messagesClient1[0].GetBody(must(go_imap.ParseBodySectionName("BODY[]"))))
+				require.NoError(t, err)
+
+				sentLiteralID, sentLiteralExternID := getGluonHeaderID(sentLiteral)
+
+				sentLiteralText, err := io.ReadAll(messagesClient1[0].GetBody(must(go_imap.ParseBodySectionName("BODY[TEXT]"))))
+				require.NoError(t, err)
+
+				sentLiteralStr := string(sentLiteralText)
+
+				literalMatches := sentLiteralStr == "Hello\r\n world from client2\r\n"
+
+				idIsDifferent := sentLiteralID != newLiteralID
+
+				externIDMatches := sentLiteralExternID == newLiteralExternID
+
+				return literalMatches && idIsDifferent && externIDMatches
+			}, 2*time.Second, time.Second)
+		})
+	}, server.WithMessageDedup())
+}
--- a/internal/updater/errors.go
+++ b/internal/updater/errors.go
@ -1,4 +1,4 @@
-// Copyright (c) 2022 Proton AG
+// Copyright (c) 2025 Proton AG
 //
 // This file is part of Proton Mail Bridge.
 //
@ -15,11 +15,19 @@
 // You should have received a copy of the GNU General Public License
 // along with Proton Mail Bridge.  If not, see <https://www.gnu.org/licenses/>.

-package updater
+package bridge

 import "errors"

 var (
-	ErrDownloadVerify = errors.New("failed to download or verify the update")
-	ErrInstall        = errors.New("failed to install the update")
+	ErrVaultInsecure = errors.New("the vault is insecure")
+	ErrVaultCorrupt  = errors.New("the vault is corrupt")
+	ErrWatchUpdates  = errors.New("failed to watch for updates")
+
+	ErrNoSuchUser          = errors.New("no such user")
+	ErrUserAlreadyExists   = errors.New("user already exists")
+	ErrUserAlreadyLoggedIn = errors.New("the user is already logged in")
+	ErrNotImplemented      = errors.New("not implemented")
+
+	ErrSizeTooLarge = errors.New("file is too big")
 )
--- a/internal/bridge/events.go
+++ b/internal/bridge/events.go
@ -0,0 +1,45 @@
+// Copyright (c) 2025 Proton AG
+//
+// This file is part of Proton Mail Bridge.
+//
+// Proton Mail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Proton Mail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Proton Mail Bridge.  If not, see <https://www.gnu.org/licenses/>.
+
+package bridge
+
+import (
+	"context"
+
+	"github.com/ProtonMail/gluon/watcher"
+	"github.com/ProtonMail/proton-bridge/v3/internal/events"
+)
+
+type bridgeEventSubscription struct {
+	b *Bridge
+}
+
+func (b bridgeEventSubscription) Add(ofType ...events.Event) *watcher.Watcher[events.Event] {
+	return b.b.addWatcher(ofType...)
+}
+
+func (b bridgeEventSubscription) Remove(watcher *watcher.Watcher[events.Event]) {
+	b.b.remWatcher(watcher)
+}
+
+type bridgeEventPublisher struct {
+	b *Bridge
+}
+
+func (b bridgeEventPublisher) PublishEvent(_ context.Context, event events.Event) {
+	b.b.publish(event)
+}
--- a/internal/bridge/heartbeat.go
+++ b/internal/bridge/heartbeat.go
@ -0,0 +1,167 @@
+// Copyright (c) 2025 Proton AG
+//
+// This file is part of Proton Mail Bridge.
+//
+// Proton Mail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Proton Mail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Proton Mail Bridge.  If not, see <https://www.gnu.org/licenses/>.
+
+package bridge
+
+import (
+	"context"
+	"encoding/json"
+	"sync"
+	"time"
+
+	"github.com/ProtonMail/gluon/async"
+	"github.com/ProtonMail/gluon/reporter"
+	"github.com/ProtonMail/proton-bridge/v3/internal/safe"
+	"github.com/ProtonMail/proton-bridge/v3/internal/telemetry"
+	"github.com/ProtonMail/proton-bridge/v3/internal/vault"
+	"github.com/sirupsen/logrus"
+)
+
+const HeartbeatCheckInterval = time.Hour
+
+type heartBeatState struct {
+	task *async.Group
+	telemetry.Heartbeat
+	taskLock     sync.Mutex
+	taskStarted  bool
+	taskInterval time.Duration
+}
+
+func newHeartBeatState(ctx context.Context, panicHandler async.PanicHandler) *heartBeatState {
+	return &heartBeatState{
+		task: async.NewGroup(ctx, panicHandler),
+	}
+}
+
+func (h *heartBeatState) init(bridge *Bridge, manager telemetry.HeartbeatManager) {
+	h.Heartbeat = telemetry.NewHeartbeat(manager, 1143, 1025, bridge.GetGluonCacheDir(), bridge.keychains.GetDefaultHelper())
+	h.taskInterval = manager.GetHeartbeatPeriodicInterval()
+	h.SetRollout(bridge.GetUpdateRollout())
+	h.SetAutoStart(bridge.GetAutostart())
+	h.SetAutoUpdate(bridge.GetAutoUpdate())
+	h.SetBeta(bridge.GetUpdateChannel())
+	h.SetDoh(bridge.GetProxyAllowed())
+	h.SetShowAllMail(bridge.GetShowAllMail())
+	h.SetIMAPConnectionMode(bridge.GetIMAPSSL())
+	h.SetSMTPConnectionMode(bridge.GetSMTPSSL())
+	h.SetIMAPPort(bridge.GetIMAPPort())
+	h.SetSMTPPort(bridge.GetSMTPPort())
+	h.SetCacheLocation(bridge.GetGluonCacheDir())
+	if val, err := bridge.GetKeychainApp(); err != nil {
+		h.SetKeyChainPref(val)
+	} else {
+		h.SetKeyChainPref(bridge.keychains.GetDefaultHelper())
+	}
+	h.SetPrevVersion(bridge.GetLastVersion().String())
+
+	safe.RLock(func() {
+		var splitMode = false
+		for _, user := range bridge.users {
+			if user.GetAddressMode() == vault.SplitMode {
+				splitMode = true
+			}
+			h.SetUserPlan(user.GetUserPlanName())
+		}
+		var numberConnectedAccounts = len(bridge.users)
+		h.SetNumberConnectedAccounts(numberConnectedAccounts)
+		h.SetSplitMode(splitMode)
+
+		// Do not try to send if there is no user yet.
+		if numberConnectedAccounts > 0 {
+			defer h.start()
+		}
+	}, bridge.usersLock)
+}
+
+func (h *heartBeatState) start() {
+	h.taskLock.Lock()
+	defer h.taskLock.Unlock()
+	if h.taskStarted {
+		return
+	}
+
+	h.taskStarted = true
+
+	h.task.PeriodicOrTrigger(h.taskInterval, 0, func(ctx context.Context) {
+		logrus.WithField("pkg", "bridge/heartbeat").Debug("Checking for heartbeat")
+
+		h.TrySending(ctx)
+	})
+}
+
+func (h *heartBeatState) stop() {
+	h.taskLock.Lock()
+	defer h.taskLock.Unlock()
+	if !h.taskStarted {
+		return
+	}
+
+	h.task.CancelAndWait()
+	h.taskStarted = false
+}
+
+func (bridge *Bridge) IsTelemetryAvailable(ctx context.Context) bool {
+	var flag = true
+	if bridge.GetTelemetryDisabled() {
+		return false
+	}
+
+	safe.RLock(func() {
+		for _, user := range bridge.users {
+			flag = flag && user.IsTelemetryEnabled(ctx)
+		}
+	}, bridge.usersLock)
+
+	return flag
+}
+
+func (bridge *Bridge) SendHeartbeat(ctx context.Context, heartbeat *telemetry.HeartbeatData) bool {
+	data, err := json.Marshal(heartbeat)
+	if err != nil {
+		if err := bridge.reporter.ReportMessageWithContext("Cannot parse heartbeat data.", reporter.Context{
+			"error": err,
+		}); err != nil {
+			logrus.WithField("pkg", "bridge/heartbeat").WithError(err).Error("Failed to parse heartbeat data.")
+		}
+		return false
+	}
+
+	var sent = false
+
+	safe.RLock(func() {
+		for _, user := range bridge.users {
+			if err := user.SendTelemetry(ctx, data); err == nil {
+				sent = true
+				break
+			}
+		}
+	}, bridge.usersLock)
+
+	return sent
+}
+
+func (bridge *Bridge) GetLastHeartbeatSent() time.Time {
+	return bridge.vault.GetLastHeartbeatSent()
+}
+
+func (bridge *Bridge) SetLastHeartbeatSent(timestamp time.Time) error {
+	return bridge.vault.SetLastHeartbeatSent(timestamp)
+}
+
+func (bridge *Bridge) GetHeartbeatPeriodicInterval() time.Duration {
+	return HeartbeatCheckInterval
+}
--- a/internal/bridge/identifier.go
+++ b/internal/bridge/identifier.go
@ -0,0 +1,79 @@
+// Copyright (c) 2025 Proton AG
+//
+// This file is part of Proton Mail Bridge.
+//
+// Proton Mail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Proton Mail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Proton Mail Bridge.  If not, see <https://www.gnu.org/licenses/>.
+
+package bridge
+
+import (
+	"github.com/sirupsen/logrus"
+)
+
+func (bridge *Bridge) GetCurrentUserAgent() string {
+	return bridge.identifier.GetUserAgent()
+}
+
+func (bridge *Bridge) SetCurrentPlatform(platform string) {
+	bridge.identifier.SetPlatform(platform)
+}
+
+func (bridge *Bridge) setUserAgent(name, version string) {
+	currentUserAgent := bridge.identifier.GetClientString()
+
+	bridge.heartbeat.SetContactedByAppleNotes(name)
+
+	bridge.identifier.SetClient(name, version)
+
+	newUserAgent := bridge.identifier.GetClientString()
+
+	if currentUserAgent != newUserAgent {
+		if err := bridge.vault.SetLastUserAgent(newUserAgent); err != nil {
+			logrus.WithError(err).Error("Failed to write new user agent to vault")
+		}
+	}
+}
+
+type bridgeUserAgentUpdater struct {
+	*Bridge
+}
+
+func (b *bridgeUserAgentUpdater) GetUserAgent() string {
+	return b.identifier.GetUserAgent()
+}
+
+func (b *bridgeUserAgentUpdater) HasClient() bool {
+	return b.identifier.HasClient()
+}
+
+func (b *bridgeUserAgentUpdater) SetClient(name, version string) {
+	b.heartbeat.SetContactedByAppleNotes(name)
+	b.identifier.SetClient(name, version)
+}
+
+func (b *bridgeUserAgentUpdater) SetPlatform(platform string) {
+	b.identifier.SetPlatform(platform)
+}
+
+func (b *bridgeUserAgentUpdater) SetClientString(client string) {
+	b.identifier.SetClientString(client)
+}
+
+func (b *bridgeUserAgentUpdater) GetClientString() string {
+	return b.identifier.GetClientString()
+}
+
+func (b *bridgeUserAgentUpdater) SetUserAgent(name, version string) {
+	b.setUserAgent(name, version)
+}
--- a/internal/bridge/imap.go
+++ b/internal/bridge/imap.go
@ -0,0 +1,136 @@
+// Copyright (c) 2025 Proton AG
+//
+// This file is part of Proton Mail Bridge.
+//
+// Proton Mail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Proton Mail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Proton Mail Bridge.  If not, see <https://www.gnu.org/licenses/>.
+
+package bridge
+
+import (
+	"context"
+	"crypto/tls"
+	"strings"
+
+	"github.com/Masterminds/semver/v3"
+	imapEvents "github.com/ProtonMail/gluon/events"
+	"github.com/ProtonMail/proton-bridge/v3/internal/events"
+	"github.com/ProtonMail/proton-bridge/v3/internal/services/imapsmtpserver"
+	"github.com/ProtonMail/proton-bridge/v3/internal/unleash"
+	"github.com/ProtonMail/proton-bridge/v3/internal/useragent"
+	"github.com/sirupsen/logrus"
+)
+
+func (bridge *Bridge) restartIMAP(ctx context.Context) error {
+	return bridge.serverManager.RestartIMAP(ctx)
+}
+
+func (bridge *Bridge) handleIMAPEvent(event imapEvents.Event) {
+	log := logrus.WithField("pkg", "bridge/event/imap")
+
+	switch event := event.(type) {
+	case imapEvents.UserAdded:
+		for labelID, count := range event.Counts {
+			log.WithFields(logrus.Fields{
+				"gluonID": event.UserID,
+				"labelID": labelID,
+				"count":   count,
+			}).Info("Received mailbox message count")
+		}
+
+	case imapEvents.IMAPID:
+		log.WithFields(logrus.Fields{
+			"sessionID": event.SessionID,
+			"name":      event.IMAPID.Name,
+			"version":   event.IMAPID.Version,
+		}).Info("Received IMAP ID")
+
+		if event.IMAPID.Name != "" && event.IMAPID.Version != "" {
+			bridge.setUserAgent(event.IMAPID.Name, event.IMAPID.Version)
+		}
+
+	case imapEvents.LoginFailed:
+		log.WithFields(logrus.Fields{
+			"sessionID": event.SessionID,
+			"username":  event.Username,
+			"pkg":       "imap",
+		}).Error("Incorrect login credentials.")
+		bridge.publish(events.IMAPLoginFailed{Username: event.Username})
+
+	case imapEvents.Login:
+		if strings.Contains(bridge.GetCurrentUserAgent(), useragent.DefaultUserAgent) {
+			bridge.setUserAgent(useragent.UnknownClient, useragent.DefaultVersion)
+		}
+	}
+}
+
+type bridgeIMAPSettings struct {
+	b *Bridge
+}
+
+func (b *bridgeIMAPSettings) EventPublisher() imapsmtpserver.IMAPEventPublisher {
+	return b
+}
+
+func (b *bridgeIMAPSettings) TLSConfig() *tls.Config {
+	return b.b.tlsConfig
+}
+
+func (b *bridgeIMAPSettings) LogClient() bool {
+	return b.b.logIMAPClient
+}
+
+func (b *bridgeIMAPSettings) LogServer() bool {
+	return b.b.logIMAPServer
+}
+
+func (b *bridgeIMAPSettings) DisableIMAPAuthenticate() bool {
+	return b.b.unleashService.GetFlagValue(unleash.IMAPAuthenticateCommandDisabled)
+}
+
+func (b *bridgeIMAPSettings) Port() int {
+	return b.b.vault.GetIMAPPort()
+}
+
+func (b *bridgeIMAPSettings) SetPort(i int) error {
+	return b.b.vault.SetIMAPPort(i)
+}
+
+func (b *bridgeIMAPSettings) UseSSL() bool {
+	return b.b.vault.GetIMAPSSL()
+}
+
+func (b *bridgeIMAPSettings) CacheDirectory() string {
+	return b.b.GetGluonCacheDir()
+}
+
+func (b *bridgeIMAPSettings) DataDirectory() (string, error) {
+	return b.b.GetGluonDataDir()
+}
+
+func (b *bridgeIMAPSettings) SetCacheDirectory(s string) error {
+	return b.b.vault.SetGluonDir(s)
+}
+
+func (b *bridgeIMAPSettings) Version() *semver.Version {
+	return b.b.curVersion
+}
+
+func (b *bridgeIMAPSettings) PublishIMAPEvent(ctx context.Context, event imapEvents.Event) {
+	select {
+	case <-ctx.Done():
+		return
+	case b.b.imapEventCh <- event:
+		// do nothing
+	}
+}
--- a/internal/bridge/imapsmtp_telemetry.go
+++ b/internal/bridge/imapsmtp_telemetry.go
@ -1,4 +1,4 @@
-// Copyright (c) 2022 Proton AG
+// Copyright (c) 2025 Proton AG
 //
 // This file is part of Proton Mail Bridge.
 //
@ -17,10 +17,10 @@

 package bridge

-func (b *Bridge) GetCurrentUserAgent() string {
-	return b.userAgent.String()
+type bridgeIMAPSMTPTelemetry struct {
+	b *Bridge
 }

-func (b *Bridge) SetCurrentPlatform(platform string) {
-	b.userAgent.SetPlatform(platform)
+func (b bridgeIMAPSMTPTelemetry) SetCacheLocation(s string) {
+	b.b.heartbeat.SetCacheLocation(s)
 }
--- a/internal/store/cache/options.go
+++ b/internal/store/cache/options.go
@ -1,4 +1,4 @@
-// Copyright (c) 2022 Proton AG
+// Copyright (c) 2025 Proton AG
 //
 // This file is part of Proton Mail Bridge.
 //
@ -15,11 +15,10 @@
 // You should have received a copy of the GNU General Public License
 // along with Proton Mail Bridge.  If not, see <https://www.gnu.org/licenses/>.

-package cache
+package bridge

-type Options struct {
-	MinFreeAbs      uint64
-	MinFreeRat      float64
-	ConcurrentRead  int
-	ConcurrentWrite int
+import "golang.org/x/exp/maps"
+
+func (bridge *Bridge) GetHelpersNames() []string {
+	return maps.Keys(bridge.keychains.GetHelpers())
 }
--- a/internal/bridge/locations.go
+++ b/internal/bridge/locations.go
@ -1,4 +1,4 @@
-// Copyright (c) 2022 Proton AG
+// Copyright (c) 2025 Proton AG
 //
 // This file is part of Proton Mail Bridge.
 //
@ -17,14 +17,14 @@

 package bridge

-func (b *Bridge) ProvideLogsPath() (string, error) {
-	return b.locations.ProvideLogsPath()
+func (bridge *Bridge) GetLogsPath() (string, error) {
+	return bridge.locator.ProvideLogsPath()
 }

-func (b *Bridge) GetLicenseFilePath() string {
-	return b.locations.GetLicenseFilePath()
+func (bridge *Bridge) GetLicenseFilePath() string {
+	return bridge.locator.GetLicenseFilePath()
 }

-func (b *Bridge) GetDependencyLicensesLink() string {
-	return b.locations.GetDependencyLicensesLink()
+func (bridge *Bridge) GetDependencyLicensesLink() string {
+	return bridge.locator.GetDependencyLicensesLink()
 }
--- a/internal/bridge/main_test.go
+++ b/internal/bridge/main_test.go
@ -0,0 +1,36 @@
+// Copyright (c) 2025 Proton AG
+//
+// This file is part of Proton Mail Bridge.
+//
+// Proton Mail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Proton Mail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Proton Mail Bridge.  If not, see <https://www.gnu.org/licenses/>.
+
+package bridge_test
+
+import (
+	"os"
+	"testing"
+
+	"github.com/sirupsen/logrus"
+	"go.uber.org/goleak"
+)
+
+func TestMain(m *testing.M) {
+	if level := os.Getenv("BRIDGE_LOG_LEVEL"); level != "" {
+		if parsed, err := logrus.ParseLevel(level); err == nil {
+			logrus.SetLevel(parsed)
+		}
+	}
+
+	goleak.VerifyTestMain(m, goleak.IgnoreCurrent())
+}
--- a/internal/bridge/mocks.go
+++ b/internal/bridge/mocks.go
@ -0,0 +1,181 @@
+package bridge
+
+import (
+	"context"
+	"net/http"
+	"net/url"
+	"os"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/Masterminds/semver/v3"
+	"github.com/ProtonMail/proton-bridge/v3/internal/bridge/mocks"
+	"github.com/ProtonMail/proton-bridge/v3/internal/updater"
+	"github.com/golang/mock/gomock"
+)
+
+type Mocks struct {
+	ProxyCtl    *mocks.MockProxyController
+	TLSReporter *mocks.MockTLSReporter
+	TLSIssueCh  chan struct{}
+
+	Updater     *TestUpdater
+	Autostarter *mocks.MockAutostarter
+
+	CrashHandler *mocks.MockPanicHandler
+	Reporter     *mocks.MockReporter
+	Heartbeat    *mocks.MockHeartbeatManager
+}
+
+func NewMocks(tb testing.TB, version, minAuto *semver.Version) *Mocks {
+	ctl := gomock.NewController(tb)
+
+	mocks := &Mocks{
+		ProxyCtl:    mocks.NewMockProxyController(ctl),
+		TLSReporter: mocks.NewMockTLSReporter(ctl),
+		TLSIssueCh:  make(chan struct{}),
+
+		Updater:     NewTestUpdater(version, minAuto),
+		Autostarter: mocks.NewMockAutostarter(ctl),
+
+		CrashHandler: mocks.NewMockPanicHandler(ctl),
+		Reporter:     mocks.NewMockReporter(ctl),
+		Heartbeat:    mocks.NewMockHeartbeatManager(ctl),
+	}
+
+	// When getting the TLS issue channel, we want to return the test channel.
+	mocks.TLSReporter.EXPECT().GetTLSIssueCh().Return(mocks.TLSIssueCh).AnyTimes()
+
+	// This is called at the end of any go-routine:
+	mocks.CrashHandler.EXPECT().HandlePanic(gomock.Any()).AnyTimes()
+
+	// this is called at start of heartbeat process.
+	mocks.Heartbeat.EXPECT().IsTelemetryAvailable(gomock.Any()).AnyTimes()
+	mocks.Heartbeat.EXPECT().GetHeartbeatPeriodicInterval().AnyTimes().Return(500 * time.Millisecond)
+
+	return mocks
+}
+
+func (mocks *Mocks) Close() {
+	close(mocks.TLSIssueCh)
+}
+
+type TestCookieJar struct {
+	cookies map[string][]*http.Cookie
+}
+
+func NewTestCookieJar() *TestCookieJar {
+	return &TestCookieJar{
+		cookies: make(map[string][]*http.Cookie),
+	}
+}
+
+func (j *TestCookieJar) SetCookies(u *url.URL, cookies []*http.Cookie) {
+	j.cookies[u.Host] = cookies
+}
+
+func (j *TestCookieJar) Cookies(u *url.URL) []*http.Cookie {
+	return j.cookies[u.Host]
+}
+
+type TestLocationsProvider struct {
+	config, data, cache string
+}
+
+func NewTestLocationsProvider(dir string) *TestLocationsProvider {
+	config, err := os.MkdirTemp(dir, "config")
+	if err != nil {
+		panic(err)
+	}
+
+	data, err := os.MkdirTemp(dir, "data")
+	if err != nil {
+		panic(err)
+	}
+
+	cache, err := os.MkdirTemp(dir, "cache")
+	if err != nil {
+		panic(err)
+	}
+
+	return &TestLocationsProvider{
+		config: config,
+		data:   data,
+		cache:  cache,
+	}
+}
+
+func (provider *TestLocationsProvider) UserConfig() string {
+	return provider.config
+}
+
+func (provider *TestLocationsProvider) UserData() string {
+	return provider.data
+}
+
+func (provider *TestLocationsProvider) UserCache() string {
+	return provider.cache
+}
+
+type TestUpdater struct {
+	latest   updater.VersionInfoLegacy
+	releases updater.VersionInfo
+	lock     sync.RWMutex
+}
+
+func NewTestUpdater(version, minAuto *semver.Version) *TestUpdater {
+	return &TestUpdater{
+		latest: updater.VersionInfoLegacy{
+			Version: version,
+			MinAuto: minAuto,
+
+			RolloutProportion: 1.0,
+		},
+	}
+}
+
+func (testUpdater *TestUpdater) SetLatestVersionLegacy(version, minAuto *semver.Version) {
+	testUpdater.lock.Lock()
+	defer testUpdater.lock.Unlock()
+
+	testUpdater.latest = updater.VersionInfoLegacy{
+		Version: version,
+		MinAuto: minAuto,
+
+		RolloutProportion: 1.0,
+	}
+}
+
+func (testUpdater *TestUpdater) GetVersionInfoLegacy(_ context.Context, _ updater.Downloader, _ updater.Channel) (updater.VersionInfoLegacy, error) {
+	testUpdater.lock.RLock()
+	defer testUpdater.lock.RUnlock()
+
+	return testUpdater.latest, nil
+}
+
+func (testUpdater *TestUpdater) InstallUpdateLegacy(_ context.Context, _ updater.Downloader, _ updater.VersionInfoLegacy) error {
+	return nil
+}
+
+func (testUpdater *TestUpdater) RemoveOldUpdates() error {
+	return nil
+}
+
+func (testUpdater *TestUpdater) SetLatestVersion(releases updater.VersionInfo) {
+	testUpdater.lock.Lock()
+	defer testUpdater.lock.Unlock()
+
+	testUpdater.releases = releases
+}
+
+func (testUpdater *TestUpdater) GetVersionInfo(_ context.Context, _ updater.Downloader) (updater.VersionInfo, error) {
+	testUpdater.lock.RLock()
+	defer testUpdater.lock.RUnlock()
+
+	return testUpdater.releases, nil
+}
+
+func (testUpdater *TestUpdater) InstallUpdate(_ context.Context, _ updater.Downloader, _ updater.Release) error {
+	return nil
+}
--- a/internal/bridge/mocks/async_mocks.go
+++ b/internal/bridge/mocks/async_mocks.go
@ -0,0 +1,46 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/ProtonMail/gluon/async (interfaces: PanicHandler)
+
+// Package mocks is a generated GoMock package.
+package mocks
+
+import (
+	reflect "reflect"
+
+	gomock "github.com/golang/mock/gomock"
+)
+
+// MockPanicHandler is a mock of PanicHandler interface.
+type MockPanicHandler struct {
+	ctrl     *gomock.Controller
+	recorder *MockPanicHandlerMockRecorder
+}
+
+// MockPanicHandlerMockRecorder is the mock recorder for MockPanicHandler.
+type MockPanicHandlerMockRecorder struct {
+	mock *MockPanicHandler
+}
+
+// NewMockPanicHandler creates a new mock instance.
+func NewMockPanicHandler(ctrl *gomock.Controller) *MockPanicHandler {
+	mock := &MockPanicHandler{ctrl: ctrl}
+	mock.recorder = &MockPanicHandlerMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockPanicHandler) EXPECT() *MockPanicHandlerMockRecorder {
+	return m.recorder
+}
+
+// HandlePanic mocks base method.
+func (m *MockPanicHandler) HandlePanic(arg0 interface{}) {
+	m.ctrl.T.Helper()
+	m.ctrl.Call(m, "HandlePanic", arg0)
+}
+
+// HandlePanic indicates an expected call of HandlePanic.
+func (mr *MockPanicHandlerMockRecorder) HandlePanic(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "HandlePanic", reflect.TypeOf((*MockPanicHandler)(nil).HandlePanic), arg0)
+}
--- a/internal/bridge/mocks/gluon_mocks.go
+++ b/internal/bridge/mocks/gluon_mocks.go
@ -0,0 +1,90 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/ProtonMail/gluon/reporter (interfaces: Reporter)
+
+// Package mocks is a generated GoMock package.
+package mocks
+
+import (
+	reflect "reflect"
+
+	gomock "github.com/golang/mock/gomock"
+)
+
+// MockReporter is a mock of Reporter interface.
+type MockReporter struct {
+	ctrl     *gomock.Controller
+	recorder *MockReporterMockRecorder
+}
+
+// MockReporterMockRecorder is the mock recorder for MockReporter.
+type MockReporterMockRecorder struct {
+	mock *MockReporter
+}
+
+// NewMockReporter creates a new mock instance.
+func NewMockReporter(ctrl *gomock.Controller) *MockReporter {
+	mock := &MockReporter{ctrl: ctrl}
+	mock.recorder = &MockReporterMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockReporter) EXPECT() *MockReporterMockRecorder {
+	return m.recorder
+}
+
+// ReportException mocks base method.
+func (m *MockReporter) ReportException(arg0 interface{}) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "ReportException", arg0)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// ReportException indicates an expected call of ReportException.
+func (mr *MockReporterMockRecorder) ReportException(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReportException", reflect.TypeOf((*MockReporter)(nil).ReportException), arg0)
+}
+
+// ReportExceptionWithContext mocks base method.
+func (m *MockReporter) ReportExceptionWithContext(arg0 interface{}, arg1 map[string]interface{}) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "ReportExceptionWithContext", arg0, arg1)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// ReportExceptionWithContext indicates an expected call of ReportExceptionWithContext.
+func (mr *MockReporterMockRecorder) ReportExceptionWithContext(arg0, arg1 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReportExceptionWithContext", reflect.TypeOf((*MockReporter)(nil).ReportExceptionWithContext), arg0, arg1)
+}
+
+// ReportMessage mocks base method.
+func (m *MockReporter) ReportMessage(arg0 string) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "ReportMessage", arg0)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// ReportMessage indicates an expected call of ReportMessage.
+func (mr *MockReporterMockRecorder) ReportMessage(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReportMessage", reflect.TypeOf((*MockReporter)(nil).ReportMessage), arg0)
+}
+
+// ReportMessageWithContext mocks base method.
+func (m *MockReporter) ReportMessageWithContext(arg0 string, arg1 map[string]interface{}) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "ReportMessageWithContext", arg0, arg1)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// ReportMessageWithContext indicates an expected call of ReportMessageWithContext.
+func (mr *MockReporterMockRecorder) ReportMessageWithContext(arg0, arg1 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReportMessageWithContext", reflect.TypeOf((*MockReporter)(nil).ReportMessageWithContext), arg0, arg1)
+}
--- a/internal/bridge/mocks/matcher.go
+++ b/internal/bridge/mocks/matcher.go
@ -0,0 +1,108 @@
+// Copyright (c) 2025 Proton AG
+//
+// This file is part of Proton Mail Bridge.
+//
+// Proton Mail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Proton Mail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Proton Mail Bridge.  If not, see <https://www.gnu.org/licenses/>.
+
+package mocks
+
+import (
+	"strings"
+
+	"github.com/ProtonMail/go-proton-api"
+)
+
+type refreshContextMatcher struct {
+	wantRefresh proton.RefreshFlag
+}
+
+func NewRefreshContextMatcher(refreshFlag proton.RefreshFlag) *refreshContextMatcher { //nolint:revive
+	return &refreshContextMatcher{wantRefresh: refreshFlag}
+}
+
+func (m *refreshContextMatcher) Matches(x interface{}) bool {
+	context, ok := x.(map[string]interface{})
+	if !ok {
+		return false
+	}
+
+	i, ok := context["EventLoop"]
+	if !ok {
+		return false
+	}
+
+	el, ok := i.(map[string]interface{})
+	if !ok {
+		return false
+	}
+
+	vID, ok := el["EventID"]
+	if !ok {
+		return false
+	}
+
+	id, ok := vID.(string)
+	if !ok {
+		return false
+	}
+
+	if id == "" {
+		return false
+	}
+
+	vRefresh, ok := el["Refresh"]
+	if !ok {
+		return false
+	}
+
+	refresh, ok := vRefresh.(proton.RefreshFlag)
+	if !ok {
+		return false
+	}
+
+	return refresh == m.wantRefresh
+}
+
+func (m *refreshContextMatcher) String() string {
+	return `map[string]interface which contains "Refresh" field with value proton.RefreshAll`
+}
+
+type closedConnectionMatcher struct{}
+
+func NewClosedConnectionMatcher() *closedConnectionMatcher { //nolint:revive
+	return &closedConnectionMatcher{}
+}
+
+func (m *closedConnectionMatcher) Matches(x interface{}) bool {
+	context, ok := x.(map[string]interface{})
+	if !ok {
+		return false
+	}
+
+	vErr, ok := context["error"]
+	if !ok {
+		return false
+	}
+
+	err, ok := vErr.(error)
+	if !ok {
+		return false
+	}
+
+	return strings.Contains(err.Error(), "used of closed network connection")
+}
+
+func (m *closedConnectionMatcher) String() string {
+	return "map containing error of closed network connection"
+}
--- a/internal/bridge/mocks/mocks.go
+++ b/internal/bridge/mocks/mocks.go
@ -0,0 +1,160 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/ProtonMail/proton-bridge/v3/internal/bridge (interfaces: TLSReporter,ProxyController,Autostarter)
+
+// Package mocks is a generated GoMock package.
+package mocks
+
+import (
+	reflect "reflect"
+
+	gomock "github.com/golang/mock/gomock"
+)
+
+// MockTLSReporter is a mock of TLSReporter interface.
+type MockTLSReporter struct {
+	ctrl     *gomock.Controller
+	recorder *MockTLSReporterMockRecorder
+}
+
+// MockTLSReporterMockRecorder is the mock recorder for MockTLSReporter.
+type MockTLSReporterMockRecorder struct {
+	mock *MockTLSReporter
+}
+
+// NewMockTLSReporter creates a new mock instance.
+func NewMockTLSReporter(ctrl *gomock.Controller) *MockTLSReporter {
+	mock := &MockTLSReporter{ctrl: ctrl}
+	mock.recorder = &MockTLSReporterMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockTLSReporter) EXPECT() *MockTLSReporterMockRecorder {
+	return m.recorder
+}
+
+// GetTLSIssueCh mocks base method.
+func (m *MockTLSReporter) GetTLSIssueCh() <-chan struct{} {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetTLSIssueCh")
+	ret0, _ := ret[0].(<-chan struct{})
+	return ret0
+}
+
+// GetTLSIssueCh indicates an expected call of GetTLSIssueCh.
+func (mr *MockTLSReporterMockRecorder) GetTLSIssueCh() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetTLSIssueCh", reflect.TypeOf((*MockTLSReporter)(nil).GetTLSIssueCh))
+}
+
+// MockProxyController is a mock of ProxyController interface.
+type MockProxyController struct {
+	ctrl     *gomock.Controller
+	recorder *MockProxyControllerMockRecorder
+}
+
+// MockProxyControllerMockRecorder is the mock recorder for MockProxyController.
+type MockProxyControllerMockRecorder struct {
+	mock *MockProxyController
+}
+
+// NewMockProxyController creates a new mock instance.
+func NewMockProxyController(ctrl *gomock.Controller) *MockProxyController {
+	mock := &MockProxyController{ctrl: ctrl}
+	mock.recorder = &MockProxyControllerMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockProxyController) EXPECT() *MockProxyControllerMockRecorder {
+	return m.recorder
+}
+
+// AllowProxy mocks base method.
+func (m *MockProxyController) AllowProxy() {
+	m.ctrl.T.Helper()
+	m.ctrl.Call(m, "AllowProxy")
+}
+
+// AllowProxy indicates an expected call of AllowProxy.
+func (mr *MockProxyControllerMockRecorder) AllowProxy() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AllowProxy", reflect.TypeOf((*MockProxyController)(nil).AllowProxy))
+}
+
+// DisallowProxy mocks base method.
+func (m *MockProxyController) DisallowProxy() {
+	m.ctrl.T.Helper()
+	m.ctrl.Call(m, "DisallowProxy")
+}
+
+// DisallowProxy indicates an expected call of DisallowProxy.
+func (mr *MockProxyControllerMockRecorder) DisallowProxy() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DisallowProxy", reflect.TypeOf((*MockProxyController)(nil).DisallowProxy))
+}
+
+// MockAutostarter is a mock of Autostarter interface.
+type MockAutostarter struct {
+	ctrl     *gomock.Controller
+	recorder *MockAutostarterMockRecorder
+}
+
+// MockAutostarterMockRecorder is the mock recorder for MockAutostarter.
+type MockAutostarterMockRecorder struct {
+	mock *MockAutostarter
+}
+
+// NewMockAutostarter creates a new mock instance.
+func NewMockAutostarter(ctrl *gomock.Controller) *MockAutostarter {
+	mock := &MockAutostarter{ctrl: ctrl}
+	mock.recorder = &MockAutostarterMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockAutostarter) EXPECT() *MockAutostarterMockRecorder {
+	return m.recorder
+}
+
+// Disable mocks base method.
+func (m *MockAutostarter) Disable() error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Disable")
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// Disable indicates an expected call of Disable.
+func (mr *MockAutostarterMockRecorder) Disable() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Disable", reflect.TypeOf((*MockAutostarter)(nil).Disable))
+}
+
+// Enable mocks base method.
+func (m *MockAutostarter) Enable() error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Enable")
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// Enable indicates an expected call of Enable.
+func (mr *MockAutostarterMockRecorder) Enable() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Enable", reflect.TypeOf((*MockAutostarter)(nil).Enable))
+}
+
+// IsEnabled mocks base method.
+func (m *MockAutostarter) IsEnabled() bool {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "IsEnabled")
+	ret0, _ := ret[0].(bool)
+	return ret0
+}
+
+// IsEnabled indicates an expected call of IsEnabled.
+func (mr *MockAutostarterMockRecorder) IsEnabled() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IsEnabled", reflect.TypeOf((*MockAutostarter)(nil).IsEnabled))
+}
--- a/internal/bridge/mocks/observability_mocks.go
+++ b/internal/bridge/mocks/observability_mocks.go
@ -0,0 +1,49 @@
+package mocks
+
+import (
+	reflect "reflect"
+
+	"github.com/ProtonMail/go-proton-api"
+	"github.com/ProtonMail/proton-bridge/v3/internal/services/observability"
+	"github.com/golang/mock/gomock"
+)
+
+type MockObservabilitySender struct {
+	ctrl     *gomock.Controller
+	recorder *MockObservabilitySenderRecorder
+}
+
+type MockObservabilitySenderRecorder struct {
+	mock *MockObservabilitySender
+}
+
+func NewMockObservabilitySender(ctrl *gomock.Controller) *MockObservabilitySender {
+	mock := &MockObservabilitySender{ctrl: ctrl}
+	mock.recorder = &MockObservabilitySenderRecorder{mock: mock}
+	return mock
+}
+
+func (m *MockObservabilitySender) EXPECT() *MockObservabilitySenderRecorder { return m.recorder }
+
+func (m *MockObservabilitySender) AddDistinctMetrics(errType observability.DistinctionErrorTypeEnum, _ ...proton.ObservabilityMetric) {
+	m.ctrl.T.Helper()
+	m.ctrl.Call(m, "AddDistinctMetrics", errType)
+}
+
+func (m *MockObservabilitySender) AddMetrics(metrics ...proton.ObservabilityMetric) {
+	m.ctrl.T.Helper()
+	m.ctrl.Call(m, "AddMetrics", metrics)
+}
+
+func (mr *MockObservabilitySenderRecorder) AddDistinctMetrics(errType observability.DistinctionErrorTypeEnum, _ ...proton.ObservabilityMetric) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock,
+		"AddDistinctMetrics",
+		reflect.TypeOf((*MockObservabilitySender)(nil).AddDistinctMetrics),
+		errType)
+}
+
+func (mr *MockObservabilitySenderRecorder) AddMetrics(metrics ...proton.ObservabilityMetric) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddMetrics", reflect.TypeOf((*MockObservabilitySender)(nil).AddMetrics), metrics)
+}
--- a/internal/bridge/mocks/telemetry_mocks.go
+++ b/internal/bridge/mocks/telemetry_mocks.go
@ -0,0 +1,107 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/ProtonMail/proton-bridge/v3/internal/telemetry (interfaces: HeartbeatManager)
+
+// Package mocks is a generated GoMock package.
+package mocks
+
+import (
+	context "context"
+	reflect "reflect"
+	time "time"
+
+	telemetry "github.com/ProtonMail/proton-bridge/v3/internal/telemetry"
+	gomock "github.com/golang/mock/gomock"
+)
+
+// MockHeartbeatManager is a mock of HeartbeatManager interface.
+type MockHeartbeatManager struct {
+	ctrl     *gomock.Controller
+	recorder *MockHeartbeatManagerMockRecorder
+}
+
+// MockHeartbeatManagerMockRecorder is the mock recorder for MockHeartbeatManager.
+type MockHeartbeatManagerMockRecorder struct {
+	mock *MockHeartbeatManager
+}
+
+// NewMockHeartbeatManager creates a new mock instance.
+func NewMockHeartbeatManager(ctrl *gomock.Controller) *MockHeartbeatManager {
+	mock := &MockHeartbeatManager{ctrl: ctrl}
+	mock.recorder = &MockHeartbeatManagerMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockHeartbeatManager) EXPECT() *MockHeartbeatManagerMockRecorder {
+	return m.recorder
+}
+
+// GetHeartbeatPeriodicInterval mocks base method.
+func (m *MockHeartbeatManager) GetHeartbeatPeriodicInterval() time.Duration {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetHeartbeatPeriodicInterval")
+	ret0, _ := ret[0].(time.Duration)
+	return ret0
+}
+
+// GetHeartbeatPeriodicInterval indicates an expected call of GetHeartbeatPeriodicInterval.
+func (mr *MockHeartbeatManagerMockRecorder) GetHeartbeatPeriodicInterval() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetHeartbeatPeriodicInterval", reflect.TypeOf((*MockHeartbeatManager)(nil).GetHeartbeatPeriodicInterval))
+}
+
+// GetLastHeartbeatSent mocks base method.
+func (m *MockHeartbeatManager) GetLastHeartbeatSent() time.Time {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetLastHeartbeatSent")
+	ret0, _ := ret[0].(time.Time)
+	return ret0
+}
+
+// GetLastHeartbeatSent indicates an expected call of GetLastHeartbeatSent.
+func (mr *MockHeartbeatManagerMockRecorder) GetLastHeartbeatSent() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetLastHeartbeatSent", reflect.TypeOf((*MockHeartbeatManager)(nil).GetLastHeartbeatSent))
+}
+
+// IsTelemetryAvailable mocks base method.
+func (m *MockHeartbeatManager) IsTelemetryAvailable(arg0 context.Context) bool {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "IsTelemetryAvailable", arg0)
+	ret0, _ := ret[0].(bool)
+	return ret0
+}
+
+// IsTelemetryAvailable indicates an expected call of IsTelemetryAvailable.
+func (mr *MockHeartbeatManagerMockRecorder) IsTelemetryAvailable(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IsTelemetryAvailable", reflect.TypeOf((*MockHeartbeatManager)(nil).IsTelemetryAvailable), arg0)
+}
+
+// SendHeartbeat mocks base method.
+func (m *MockHeartbeatManager) SendHeartbeat(arg0 context.Context, arg1 *telemetry.HeartbeatData) bool {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "SendHeartbeat", arg0, arg1)
+	ret0, _ := ret[0].(bool)
+	return ret0
+}
+
+// SendHeartbeat indicates an expected call of SendHeartbeat.
+func (mr *MockHeartbeatManagerMockRecorder) SendHeartbeat(arg0, arg1 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SendHeartbeat", reflect.TypeOf((*MockHeartbeatManager)(nil).SendHeartbeat), arg0, arg1)
+}
+
+// SetLastHeartbeatSent mocks base method.
+func (m *MockHeartbeatManager) SetLastHeartbeatSent(arg0 time.Time) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "SetLastHeartbeatSent", arg0)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// SetLastHeartbeatSent indicates an expected call of SetLastHeartbeatSent.
+func (mr *MockHeartbeatManagerMockRecorder) SetLastHeartbeatSent(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetLastHeartbeatSent", reflect.TypeOf((*MockHeartbeatManager)(nil).SetLastHeartbeatSent), arg0)
+}
--- a/internal/bridge/observability_test.go
+++ b/internal/bridge/observability_test.go
@ -0,0 +1,164 @@
+// Copyright (c) 2025 Proton AG
+//
+// This file is part of Proton Mail Bridge.
+//
+// Proton Mail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Proton Mail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Proton Mail Bridge.  If not, see <https://www.gnu.org/licenses/>.
+
+package bridge_test
+
+import (
+	"testing"
+	"time"
+
+	"github.com/ProtonMail/go-proton-api"
+	"github.com/ProtonMail/go-proton-api/server"
+	"github.com/ProtonMail/proton-bridge/v3/internal/bridge"
+	"github.com/ProtonMail/proton-bridge/v3/internal/services/observability"
+	"github.com/stretchr/testify/require"
+	"golang.org/x/net/context"
+)
+
+func TestBridge_Observability(t *testing.T) {
+	testMetric := proton.ObservabilityMetric{
+		Name:      "test1",
+		Version:   1,
+		Timestamp: time.Now().Unix(),
+		Data:      nil,
+	}
+
+	withEnv(t, func(ctx context.Context, s *server.Server, netCtl *proton.NetCtl, locator bridge.Locator, vaultKey []byte) {
+		throttlePeriod := time.Millisecond * 500
+		observability.ModifyThrottlePeriod(throttlePeriod)
+
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, vaultKey, func(bridge *bridge.Bridge, _ *bridge.Mocks) {
+			require.NoError(t, getErr(bridge.LoginFull(ctx, username, password, nil, nil)))
+
+			bridge.PushObservabilityMetric(testMetric)
+			time.Sleep(time.Millisecond * 50) // Wait for the metric to be sent
+			require.Equal(t, 1, len(s.GetObservabilityStatistics().Metrics))
+
+			for i := 0; i < 10; i++ {
+				time.Sleep(time.Millisecond * 5) // Minor delay between each so our tests aren't flaky
+				bridge.PushObservabilityMetric(testMetric)
+			}
+			// We should still have only 1 metric sent as the throttleDuration has not passed
+			require.Equal(t, 1, len(s.GetObservabilityStatistics().Metrics))
+
+			// Wait for throttle duration to pass; we should have our remaining metrics posted
+			time.Sleep(throttlePeriod)
+			require.Equal(t, 11, len(s.GetObservabilityStatistics().Metrics))
+
+			// Wait for the throttle duration to reset; i.e. so we have enough time to send a request immediately
+			time.Sleep(throttlePeriod)
+			for i := 0; i < 10; i++ {
+				time.Sleep(time.Millisecond * 5)
+				bridge.PushObservabilityMetric(testMetric)
+			}
+			// We should only have one additional metric sent immediately
+			require.Equal(t, 12, len(s.GetObservabilityStatistics().Metrics))
+
+			// Wait for the others to be sent
+			time.Sleep(throttlePeriod)
+			require.Equal(t, 21, len(s.GetObservabilityStatistics().Metrics))
+
+			// Spam the endpoint a bit
+			for i := 0; i < 300; i++ {
+				if i < 200 {
+					time.Sleep(time.Millisecond * 10)
+				}
+				bridge.PushObservabilityMetric(testMetric)
+			}
+
+			// Ensure we've sent all metrics
+			time.Sleep(throttlePeriod)
+
+			observabilityStats := s.GetObservabilityStatistics()
+			require.Equal(t, 321, len(observabilityStats.Metrics))
+
+			// Verify that each request had a throttleDuration time difference between each request
+			for i := 0; i < len(observabilityStats.RequestTime)-1; i++ {
+				tOne := observabilityStats.RequestTime[i]
+				tTwo := observabilityStats.RequestTime[i+1]
+				require.True(t, tTwo.Sub(tOne).Abs() > throttlePeriod)
+			}
+		})
+	})
+}
+
+func TestBridge_Observability_Heartbeat(t *testing.T) {
+	withEnv(t, func(ctx context.Context, s *server.Server, netCtl *proton.NetCtl, locator bridge.Locator, vaultKey []byte) {
+		throttlePeriod := time.Millisecond * 300
+		observability.ModifyThrottlePeriod(throttlePeriod)
+
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, vaultKey, func(bridge *bridge.Bridge, _ *bridge.Mocks) {
+			require.NoError(t, getErr(bridge.LoginFull(ctx, username, password, nil, nil)))
+			bridge.ModifyObservabilityHeartbeatInterval(throttlePeriod)
+
+			require.Equal(t, 0, len(s.GetObservabilityStatistics().Metrics))
+			time.Sleep(time.Millisecond * 150)
+			require.Equal(t, 0, len(s.GetObservabilityStatistics().Metrics))
+			time.Sleep(time.Millisecond * 200)
+			require.Equal(t, 1, len(s.GetObservabilityStatistics().Metrics))
+			time.Sleep(time.Millisecond * 350)
+			require.Equal(t, 2, len(s.GetObservabilityStatistics().Metrics))
+			time.Sleep(time.Millisecond * 350)
+			require.Equal(t, 3, len(s.GetObservabilityStatistics().Metrics))
+		})
+	})
+}
+
+func TestBridge_Observability_UserMetric(t *testing.T) {
+	testMetric := proton.ObservabilityMetric{
+		Name:      "test1",
+		Version:   1,
+		Timestamp: time.Now().Unix(),
+		Data:      nil,
+	}
+
+	withEnv(t, func(ctx context.Context, s *server.Server, netCtl *proton.NetCtl, locator bridge.Locator, vaultKey []byte) {
+		userMetricPeriod := time.Millisecond * 200
+		heartbeatPeriod := time.Second * 10
+		throttlePeriod := time.Millisecond * 100
+		observability.ModifyUserMetricInterval(userMetricPeriod)
+		observability.ModifyThrottlePeriod(throttlePeriod)
+
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, vaultKey, func(bridge *bridge.Bridge, _ *bridge.Mocks) {
+			require.NoError(t, getErr(bridge.LoginFull(ctx, username, password, nil, nil)))
+			bridge.ModifyObservabilityHeartbeatInterval(heartbeatPeriod)
+
+			time.Sleep(throttlePeriod)
+			require.Equal(t, 0, len(s.GetObservabilityStatistics().Metrics))
+
+			bridge.PushDistinctObservabilityMetrics(observability.SyncError, testMetric)
+			time.Sleep(throttlePeriod)
+			// We're expecting two observability metrics to be sent, the actual metric + the user metric.
+			require.Equal(t, 2, len(s.GetObservabilityStatistics().Metrics))
+
+			bridge.PushDistinctObservabilityMetrics(observability.SyncError, testMetric)
+			time.Sleep(throttlePeriod)
+			// We're expecting only a single metric to be sent, since the user metric update has been sent already within the predefined period.
+			require.Equal(t, 3, len(s.GetObservabilityStatistics().Metrics))
+
+			bridge.PushDistinctObservabilityMetrics(observability.SyncError, testMetric)
+			time.Sleep(throttlePeriod)
+			// Two metric updates should be sent again.
+			require.Equal(t, 5, len(s.GetObservabilityStatistics().Metrics))
+
+			bridge.PushDistinctObservabilityMetrics(observability.SyncError, testMetric)
+			time.Sleep(throttlePeriod)
+			// Only a single one should be sent.
+			require.Equal(t, 6, len(s.GetObservabilityStatistics().Metrics))
+		})
+	})
+}
--- a/internal/bridge/refresh_test.go
+++ b/internal/bridge/refresh_test.go
@ -0,0 +1,118 @@
+// Copyright (c) 2025 Proton AG
+//
+// This file is part of Proton Mail Bridge.
+//
+// Proton Mail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Proton Mail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Proton Mail Bridge.  If not, see <https://www.gnu.org/licenses/>.
+
+package bridge_test
+
+import (
+	"context"
+	"fmt"
+	"testing"
+
+	"github.com/ProtonMail/go-proton-api"
+	"github.com/ProtonMail/go-proton-api/server"
+	"github.com/ProtonMail/proton-bridge/v3/internal/bridge"
+	"github.com/ProtonMail/proton-bridge/v3/internal/constants"
+	"github.com/ProtonMail/proton-bridge/v3/internal/events"
+	"github.com/bradenaw/juniper/iterator"
+	"github.com/golang/mock/gomock"
+	"github.com/stretchr/testify/require"
+)
+
+func TestBridge_Refresh(t *testing.T) {
+	withEnv(t, func(ctx context.Context, s *server.Server, netCtl *proton.NetCtl, locator bridge.Locator, storeKey []byte) {
+		userID, _, err := s.CreateUser("imap", password)
+		require.NoError(t, err)
+
+		names := iterator.Collect(iterator.Map(iterator.Counter(10), func(i int) string {
+			return fmt.Sprintf("folder%v", i)
+		}))
+
+		for _, name := range names {
+			must(s.CreateLabel(userID, name, "", proton.LabelTypeFolder))
+		}
+
+		// The initial user should be fully synced.
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(b *bridge.Bridge, _ *bridge.Mocks) {
+			syncCh, done := chToType[events.Event, events.SyncFinished](b.GetEvents(events.SyncFinished{}))
+			defer done()
+
+			userID, err := b.LoginFull(ctx, "imap", password, nil, nil)
+			require.NoError(t, err)
+
+			require.Equal(t, userID, (<-syncCh).UserID)
+		})
+
+		var uidValidities = make(map[string]uint32, len(names))
+		// If we then connect an IMAP client, it should see all the labels with UID validity of 1.
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(b *bridge.Bridge, mocks *bridge.Mocks) {
+			mocks.Reporter.EXPECT().ReportMessageWithContext(gomock.Any(), gomock.Any()).AnyTimes()
+
+			info, err := b.GetUserInfo(userID)
+			require.NoError(t, err)
+			require.True(t, info.State == bridge.Connected)
+
+			client, err := eventuallyDial(fmt.Sprintf("%v:%v", constants.Host, b.GetIMAPPort()))
+			require.NoError(t, err)
+			require.NoError(t, client.Login(info.Addresses[0], string(info.BridgePass)))
+			defer func() { _ = client.Logout() }()
+
+			for _, name := range names {
+				status, err := client.Select("Folders/"+name, false)
+				require.NoError(t, err)
+				uidValidities[name] = status.UidValidity
+			}
+		})
+
+		// Refresh the user; this will force a resync.
+		require.NoError(t, s.RefreshUser(userID, proton.RefreshAll))
+
+		// If we then connect an IMAP client, it should see all the labels with UID validity of 1.
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(b *bridge.Bridge, mocks *bridge.Mocks) {
+			mocks.Reporter.EXPECT().ReportMessageWithContext(gomock.Any(), gomock.Any()).AnyTimes()
+
+			// Wait for refresh event first
+			refreshCh, refreshChDone := chToType[events.Event, events.UserRefreshed](b.GetEvents(events.UserRefreshed{}))
+			defer refreshChDone()
+			require.Equal(t, userID, (<-refreshCh).UserID)
+			// Then sync event
+			syncCh, done := chToType[events.Event, events.SyncFinished](b.GetEvents(events.SyncFinished{}))
+			defer done()
+
+			require.Equal(t, userID, (<-syncCh).UserID)
+		})
+
+		// After resync, the IMAP client should see all the labels with UID validity of 2.
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(b *bridge.Bridge, mocks *bridge.Mocks) {
+			mocks.Reporter.EXPECT().ReportMessageWithContext(gomock.Any(), gomock.Any()).AnyTimes()
+
+			info, err := b.GetUserInfo(userID)
+			require.NoError(t, err)
+			require.True(t, info.State == bridge.Connected)
+
+			client, err := eventuallyDial(fmt.Sprintf("%v:%v", constants.Host, b.GetIMAPPort()))
+			require.NoError(t, err)
+			require.NoError(t, client.Login(info.Addresses[0], string(info.BridgePass)))
+			defer func() { _ = client.Logout() }()
+
+			for _, name := range names {
+				status, err := client.Select("Folders/"+name, false)
+				require.NoError(t, err)
+				require.Greater(t, status.UidValidity, uidValidities[name])
+			}
+		})
+	})
+}
--- a/internal/bridge/send_test.go
+++ b/internal/bridge/send_test.go
@ -0,0 +1,737 @@
+// Copyright (c) 2025 Proton AG
+//
+// This file is part of Proton Mail Bridge.
+//
+// Proton Mail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Proton Mail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Proton Mail Bridge.  If not, see <https://www.gnu.org/licenses/>.
+
+package bridge_test
+
+import (
+	"bytes"
+	"context"
+	"crypto/tls"
+	"fmt"
+	"net"
+	"os"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/ProtonMail/go-proton-api"
+	"github.com/ProtonMail/go-proton-api/server"
+	"github.com/ProtonMail/proton-bridge/v3/internal/bridge"
+	"github.com/ProtonMail/proton-bridge/v3/internal/constants"
+	"github.com/ProtonMail/proton-bridge/v3/internal/events"
+	smtpservice "github.com/ProtonMail/proton-bridge/v3/internal/services/smtp"
+	"github.com/emersion/go-imap"
+	"github.com/emersion/go-sasl"
+	"github.com/emersion/go-smtp"
+	"github.com/stretchr/testify/require"
+)
+
+func TestBridge_Send(t *testing.T) {
+	withEnv(t, func(ctx context.Context, s *server.Server, netCtl *proton.NetCtl, locator bridge.Locator, storeKey []byte) {
+		_, _, err := s.CreateUser("recipient", password)
+		require.NoError(t, err)
+
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(bridge *bridge.Bridge, _ *bridge.Mocks) {
+			senderUserID, err := bridge.LoginFull(ctx, username, password, nil, nil)
+			require.NoError(t, err)
+
+			recipientUserID, err := bridge.LoginFull(ctx, "recipient", password, nil, nil)
+			require.NoError(t, err)
+
+			senderInfo, err := bridge.GetUserInfo(senderUserID)
+			require.NoError(t, err)
+
+			recipientInfo, err := bridge.GetUserInfo(recipientUserID)
+			require.NoError(t, err)
+
+			for i := 0; i < 10; i++ {
+				// Dial the server.
+				client, err := smtp.Dial(net.JoinHostPort(constants.Host, fmt.Sprint(bridge.GetSMTPPort())))
+				require.NoError(t, err)
+				defer client.Close() //nolint:errcheck
+
+				// Upgrade to TLS.
+				require.NoError(t, client.StartTLS(&tls.Config{InsecureSkipVerify: true}))
+
+				if i%2 == 0 {
+					// Authorize with SASL PLAIN.
+					require.NoError(t, client.Auth(sasl.NewPlainClient(
+						senderInfo.Addresses[0],
+						senderInfo.Addresses[0],
+						string(senderInfo.BridgePass)),
+					))
+				} else {
+					// Authorize with SASL LOGIN.
+					require.NoError(t, client.Auth(sasl.NewLoginClient(
+						senderInfo.Addresses[0],
+						string(senderInfo.BridgePass)),
+					))
+				}
+
+				// Send the message.
+				require.NoError(t, client.SendMail(
+					senderInfo.Addresses[0],
+					[]string{recipientInfo.Addresses[0]},
+					strings.NewReader(fmt.Sprintf("Subject: Test %v\r\n\r\nHello world!", i)),
+				))
+			}
+
+			// Connect the sender IMAP client.
+			senderIMAPClient, err := eventuallyDial(net.JoinHostPort(constants.Host, fmt.Sprint(bridge.GetIMAPPort())))
+			require.NoError(t, err)
+			require.NoError(t, senderIMAPClient.Login(senderInfo.Addresses[0], string(senderInfo.BridgePass)))
+			defer senderIMAPClient.Logout() //nolint:errcheck
+
+			// Connect the recipient IMAP client.
+			recipientIMAPClient, err := eventuallyDial(net.JoinHostPort(constants.Host, fmt.Sprint(bridge.GetIMAPPort())))
+			require.NoError(t, err)
+			require.NoError(t, recipientIMAPClient.Login(recipientInfo.Addresses[0], string(recipientInfo.BridgePass)))
+			defer recipientIMAPClient.Logout() //nolint:errcheck
+
+			// Sender should have 10 messages in the sent folder.
+			// Recipient should have 10 messages in inbox.
+			require.Eventually(t, func() bool {
+				sent, err := senderIMAPClient.Status(`Sent`, []imap.StatusItem{imap.StatusMessages})
+				require.NoError(t, err)
+
+				inbox, err := recipientIMAPClient.Status(`Inbox`, []imap.StatusItem{imap.StatusMessages})
+				require.NoError(t, err)
+
+				return sent.Messages == 10 && inbox.Messages == 10
+			}, 10*time.Second, 100*time.Millisecond)
+		})
+	})
+}
+
+func TestBridge_SendDraftFlags(t *testing.T) {
+	withEnv(t, func(ctx context.Context, s *server.Server, netCtl *proton.NetCtl, locator bridge.Locator, storeKey []byte) {
+		// Create a recipient user.
+		_, _, err := s.CreateUser("recipient", password)
+		require.NoError(t, err)
+
+		// The sender should be fully synced.
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(bridge *bridge.Bridge, _ *bridge.Mocks) {
+			syncCh, done := chToType[events.Event, events.SyncFinished](bridge.GetEvents(events.SyncFinished{}))
+			defer done()
+
+			userID, err := bridge.LoginFull(ctx, username, password, nil, nil)
+			require.NoError(t, err)
+
+			require.Equal(t, userID, (<-syncCh).UserID)
+		})
+
+		// Start the bridge.
+		withBridgeWaitForServers(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(bridge *bridge.Bridge, _ *bridge.Mocks) {
+			// Get the sender user info.
+			userInfo, err := bridge.QueryUserInfo(username)
+			require.NoError(t, err)
+
+			// Connect the sender IMAP client.
+			imapClient, err := eventuallyDial(net.JoinHostPort(constants.Host, fmt.Sprint(bridge.GetIMAPPort())))
+			require.NoError(t, err)
+			require.NoError(t, imapClient.Login(userInfo.Addresses[0], string(userInfo.BridgePass)))
+			defer imapClient.Logout() //nolint:errcheck
+
+			// The message to send.
+			message := fmt.Sprintf("From: %v\r\nDate: 01 Jan 1980 00:00:00 +0000\r\nSubject: Test\r\n\r\nHello world!", userInfo.Addresses[0])
+
+			// Save a draft.
+			require.NoError(t, imapClient.Append("Drafts", []string{imap.DraftFlag}, time.Now(), strings.NewReader(message)))
+
+			// Assert that the draft exists and is marked as a draft.
+			{
+				messages, err := clientFetch(imapClient, "Drafts")
+				require.NoError(t, err)
+				require.Len(t, messages, 1)
+				require.Contains(t, messages[0].Flags, imap.DraftFlag)
+			}
+
+			// Connect the SMTP client.
+			smtpClient, err := smtp.Dial(net.JoinHostPort(constants.Host, fmt.Sprint(bridge.GetSMTPPort())))
+			require.NoError(t, err)
+			defer smtpClient.Close() //nolint:errcheck
+
+			// Upgrade to TLS.
+			require.NoError(t, smtpClient.StartTLS(&tls.Config{InsecureSkipVerify: true}))
+
+			// Authorize with SASL PLAIN.
+			require.NoError(t, smtpClient.Auth(sasl.NewPlainClient(
+				userInfo.Addresses[0],
+				userInfo.Addresses[0],
+				string(userInfo.BridgePass)),
+			))
+
+			// Send the message.
+			require.NoError(t, smtpClient.SendMail(
+				userInfo.Addresses[0],
+				[]string{"recipient@" + s.GetDomain()},
+				strings.NewReader(message),
+			))
+
+			// Delete the draft: add the \Deleted flag and expunge.
+			{
+				status, err := imapClient.Select("Drafts", false)
+				require.NoError(t, err)
+				require.Equal(t, uint32(1), status.Messages)
+
+				// Add the \Deleted flag.
+				require.NoError(t, clientStore(imapClient, 1, 1, true, imap.FormatFlagsOp(imap.AddFlags, true), imap.DeletedFlag))
+
+				// Expunge.
+				require.NoError(t, imapClient.Expunge(nil))
+			}
+
+			// Assert that the draft is eventually gone.
+			require.Eventually(t, func() bool {
+				status, err := imapClient.Select("Drafts", false)
+				require.NoError(t, err)
+				return status.Messages == 0
+			}, 10*time.Second, 100*time.Millisecond)
+
+			// Assert that the message is eventually in the sent folder.
+			require.Eventually(t, func() bool {
+				messages, err := clientFetch(imapClient, "Sent")
+				require.NoError(t, err)
+				return len(messages) == 1
+			}, 10*time.Second, 100*time.Millisecond)
+
+			// Assert that the message is not marked as a draft.
+			{
+				messages, err := clientFetch(imapClient, "Sent")
+				require.NoError(t, err)
+				require.Len(t, messages, 1)
+				require.NotContains(t, messages[0].Flags, imap.DraftFlag)
+			}
+		})
+	})
+}
+
+func TestBridge_SendInvite(t *testing.T) {
+	withEnv(t, func(ctx context.Context, s *server.Server, netCtl *proton.NetCtl, locator bridge.Locator, storeKey []byte) {
+		// Create a recipient user.
+		_, _, err := s.CreateUser("recipient", password)
+		require.NoError(t, err)
+
+		// Set "attach public keys" to true for the user.
+		withClient(ctx, t, s, username, password, func(ctx context.Context, client *proton.Client) {
+			settings, err := client.SetAttachPublicKey(ctx, proton.SetAttachPublicKeyReq{AttachPublicKey: true})
+			require.NoError(t, err)
+			require.Equal(t, proton.Bool(true), settings.AttachPublicKey)
+		})
+
+		// The sender should be fully synced.
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(bridge *bridge.Bridge, _ *bridge.Mocks) {
+			syncCh, done := chToType[events.Event, events.SyncFinished](bridge.GetEvents(events.SyncFinished{}))
+			defer done()
+
+			userID, err := bridge.LoginFull(ctx, username, password, nil, nil)
+			require.NoError(t, err)
+
+			require.Equal(t, userID, (<-syncCh).UserID)
+		})
+
+		// Start the bridge.
+		withBridgeWaitForServers(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(bridge *bridge.Bridge, _ *bridge.Mocks) {
+			// Get the sender user info.
+			userInfo, err := bridge.QueryUserInfo(username)
+			require.NoError(t, err)
+
+			// Connect the sender IMAP client.
+			imapClient, err := eventuallyDial(net.JoinHostPort(constants.Host, fmt.Sprint(bridge.GetIMAPPort())))
+			require.NoError(t, err)
+			require.NoError(t, imapClient.Login(userInfo.Addresses[0], string(userInfo.BridgePass)))
+			defer imapClient.Logout() //nolint:errcheck
+
+			// The message to send.
+			b, err := os.ReadFile("testdata/invite.eml")
+			require.NoError(t, err)
+
+			// Save a draft.
+			require.NoError(t, imapClient.Append("Drafts", []string{imap.DraftFlag}, time.Now(), bytes.NewReader(b)))
+
+			// Assert that the draft exists and is marked as a draft.
+			{
+				messages, err := clientFetch(imapClient, "Drafts")
+				require.NoError(t, err)
+				require.Len(t, messages, 1)
+				require.Contains(t, messages[0].Flags, imap.DraftFlag)
+			}
+
+			// Connect the SMTP client.
+			smtpClient, err := smtp.Dial(net.JoinHostPort(constants.Host, fmt.Sprint(bridge.GetSMTPPort())))
+			require.NoError(t, err)
+			defer smtpClient.Close() //nolint:errcheck
+
+			// Upgrade to TLS.
+			require.NoError(t, smtpClient.StartTLS(&tls.Config{InsecureSkipVerify: true}))
+
+			// Authorize with SASL PLAIN.
+			require.NoError(t, smtpClient.Auth(sasl.NewPlainClient(
+				userInfo.Addresses[0],
+				userInfo.Addresses[0],
+				string(userInfo.BridgePass)),
+			))
+
+			// Send the message.
+			require.NoError(t, smtpClient.SendMail(
+				userInfo.Addresses[0],
+				[]string{"recipient@" + s.GetDomain()},
+				bytes.NewReader(b),
+			))
+
+			// Delete the draft: add the \Deleted flag and expunge.
+			{
+				status, err := imapClient.Select("Drafts", false)
+				require.NoError(t, err)
+				require.Equal(t, uint32(1), status.Messages)
+
+				// Add the \Deleted flag.
+				require.NoError(t, clientStore(imapClient, 1, 1, true, imap.FormatFlagsOp(imap.AddFlags, true), imap.DeletedFlag))
+
+				// Expunge.
+				require.NoError(t, imapClient.Expunge(nil))
+			}
+
+			// Assert that the draft is eventually gone.
+			require.Eventually(t, func() bool {
+				status, err := imapClient.Select("Drafts", false)
+				require.NoError(t, err)
+				return status.Messages == 0
+			}, 10*time.Second, 100*time.Millisecond)
+
+			// Assert that the message is eventually in the sent folder.
+			require.Eventually(t, func() bool {
+				messages, err := clientFetch(imapClient, "Sent")
+				require.NoError(t, err)
+				return len(messages) == 1
+			}, 10*time.Second, 100*time.Millisecond)
+
+			// Assert that the message is not marked as a draft.
+			{
+				messages, err := clientFetch(imapClient, "Sent")
+				require.NoError(t, err)
+				require.Len(t, messages, 1)
+				require.NotContains(t, messages[0].Flags, imap.DraftFlag)
+			}
+		})
+	})
+}
+
+func TestBridge_SendAddTextBodyPartIfNotExists(t *testing.T) {
+	// NOTE: Prior to GODT-2887, these tests had inline images, however after the implementation to support
+	// inline images new parts are injected to reference inline images without content-id set. The images
+	// in this test have been changed to regular attachments to keep the original checks in place.
+	const messageMultipartWithoutText = `Content-Type: multipart/mixed;
+  boundary="Apple-Mail=_E7AC06C7-4EB2-4453-8CBB-80F4412A7C84"
+Subject: A new message
+Date: Mon, 13 Mar 2023 16:06:16 +0100
+
+
+--Apple-Mail=_E7AC06C7-4EB2-4453-8CBB-80F4412A7C84
+Content-Disposition: attachment;
+  filename=Cat_August_2010-4.jpeg
+Content-Type: image/jpeg;
+  name="Cat_August_2010-4.jpeg"
+Content-Transfer-Encoding: base64
+
+SGVsbG8gd29ybGQ=
+
+--Apple-Mail=_E7AC06C7-4EB2-4453-8CBB-80F4412A7C84--
+	`
+
+	const messageMultipartWithText = `Content-Type: multipart/mixed;
+  boundary="Apple-Mail=_E7AC06C7-4EB2-4453-8CBB-80F4412A7C84"
+Subject: A new message Part2 
+Date: Mon, 13 Mar 2023 16:06:16 +0100
+
+--Apple-Mail=_E7AC06C7-4EB2-4453-8CBB-80F4412A7C84
+Content-Disposition: attachment;
+  filename=Cat_August_2010-4.jpeg
+Content-Type: image/jpeg;
+  name="Cat_August_2010-4.jpeg"
+Content-Transfer-Encoding: base64
+
+SGVsbG8gd29ybGQ=
+
+--Apple-Mail=_E7AC06C7-4EB2-4453-8CBB-80F4412A7C84
+Content-Type: text/html;charset=utf8
+Content-Transfer-Encoding: quoted-printable
+
+Hello world
+
+--Apple-Mail=_E7AC06C7-4EB2-4453-8CBB-80F4412A7C84--
+`
+
+	const messageWithTextOnly = `Content-Type: text/plain;charset=utf8
+Content-Transfer-Encoding: quoted-printable
+Subject: A new message Part3
+Date: Mon, 13 Mar 2023 16:06:16 +0100
+
+Hello world
+
+`
+
+	const messageMultipartWithoutTextWithTextAttachment = `Content-Type: multipart/mixed;
+  boundary="Apple-Mail=_E7AC06C7-4EB2-4453-8CBB-80F4412A7C84"
+Subject: A new message Part4
+Date: Mon, 13 Mar 2023 16:06:16 +0100
+
+--Apple-Mail=_E7AC06C7-4EB2-4453-8CBB-80F4412A7C84
+Content-Type: text/plain; charset=UTF-8; name="text.txt"
+Content-Disposition: attachment; filename="text.txt"
+Content-Transfer-Encoding: base64
+
+SGVsbG8gd29ybGQK
+
+--Apple-Mail=_E7AC06C7-4EB2-4453-8CBB-80F4412A7C84--
+`
+	withEnv(t, func(ctx context.Context, s *server.Server, netCtl *proton.NetCtl, locator bridge.Locator, storeKey []byte) {
+		_, _, err := s.CreateUser("recipient", password)
+		require.NoError(t, err)
+
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(bridge *bridge.Bridge, _ *bridge.Mocks) {
+			senderUserID, err := bridge.LoginFull(ctx, username, password, nil, nil)
+			require.NoError(t, err)
+
+			recipientUserID, err := bridge.LoginFull(ctx, "recipient", password, nil, nil)
+			require.NoError(t, err)
+
+			senderInfo, err := bridge.GetUserInfo(senderUserID)
+			require.NoError(t, err)
+
+			recipientInfo, err := bridge.GetUserInfo(recipientUserID)
+			require.NoError(t, err)
+
+			messages := []string{
+				messageMultipartWithoutText,
+				messageMultipartWithText,
+				messageWithTextOnly,
+				messageMultipartWithoutTextWithTextAttachment,
+			}
+
+			for _, m := range messages {
+				// Dial the server.
+				client, err := smtp.Dial(net.JoinHostPort(constants.Host, fmt.Sprint(bridge.GetSMTPPort())))
+				require.NoError(t, err)
+				defer client.Close() //nolint:errcheck
+
+				// Upgrade to TLS.
+				require.NoError(t, client.StartTLS(&tls.Config{InsecureSkipVerify: true}))
+
+				// Authorize with SASL LOGIN.
+				require.NoError(t, client.Auth(sasl.NewLoginClient(
+					senderInfo.Addresses[0],
+					string(senderInfo.BridgePass)),
+				))
+
+				// Send the message.
+				require.NoError(t, client.SendMail(
+					senderInfo.Addresses[0],
+					[]string{recipientInfo.Addresses[0]},
+					strings.NewReader(m),
+				))
+			}
+
+			// Connect the sender IMAP client.
+			senderIMAPClient, err := eventuallyDial(net.JoinHostPort(constants.Host, fmt.Sprint(bridge.GetIMAPPort())))
+			require.NoError(t, err)
+			require.NoError(t, senderIMAPClient.Login(senderInfo.Addresses[0], string(senderInfo.BridgePass)))
+			defer senderIMAPClient.Logout() //nolint:errcheck
+
+			// Connect the recipient IMAP client.
+			recipientIMAPClient, err := eventuallyDial(net.JoinHostPort(constants.Host, fmt.Sprint(bridge.GetIMAPPort())))
+			require.NoError(t, err)
+			require.NoError(t, recipientIMAPClient.Login(recipientInfo.Addresses[0], string(recipientInfo.BridgePass)))
+			defer recipientIMAPClient.Logout() //nolint:errcheck
+
+			require.Eventually(t, func() bool {
+				messages, err := clientFetch(senderIMAPClient, `Sent`, imap.FetchBodyStructure)
+				require.NoError(t, err)
+				if len(messages) != 4 {
+					return false
+				}
+
+				// messages may not be in order
+				for _, message := range messages {
+					switch {
+					case message.Envelope.Subject == "A new message":
+						// The message that was sent should now include an empty text/plain body part since there was none
+						// in the original message.
+						require.Equal(t, 2, len(message.BodyStructure.Parts))
+
+						require.Equal(t, "text", message.BodyStructure.Parts[0].MIMEType)
+						require.Equal(t, "plain", message.BodyStructure.Parts[0].MIMESubType)
+						require.Equal(t, uint32(0), message.BodyStructure.Parts[0].Size)
+						require.Equal(t, "image", message.BodyStructure.Parts[1].MIMEType)
+						require.Equal(t, "jpeg", message.BodyStructure.Parts[1].MIMESubType)
+
+					case message.Envelope.Subject == "A new message Part2":
+						// This message already has a text body, should be unchanged
+						require.Equal(t, 2, len(message.BodyStructure.Parts))
+
+						require.Equal(t, "image", message.BodyStructure.Parts[1].MIMEType)
+						require.Equal(t, "jpeg", message.BodyStructure.Parts[1].MIMESubType)
+						require.Equal(t, "text", message.BodyStructure.Parts[0].MIMEType)
+						require.Equal(t, "html", message.BodyStructure.Parts[0].MIMESubType)
+
+					case message.Envelope.Subject == "A new message Part3":
+						// This message already has a text body, should be unchanged
+						require.Equal(t, 0, len(message.BodyStructure.Parts))
+
+						require.Equal(t, "text", message.BodyStructure.MIMEType)
+						require.Equal(t, "plain", message.BodyStructure.MIMESubType)
+
+					case message.Envelope.Subject == "A new message Part4":
+						// The message that was sent should now include an empty text/plain body part since even though
+						// there was only a text/plain attachment in the original message.
+						require.Equal(t, 2, len(message.BodyStructure.Parts))
+
+						require.Equal(t, "text", message.BodyStructure.Parts[0].MIMEType)
+						require.Equal(t, "plain", message.BodyStructure.Parts[0].MIMESubType)
+						require.Equal(t, uint32(0), message.BodyStructure.Parts[0].Size)
+						require.Equal(t, "text", message.BodyStructure.Parts[1].MIMEType)
+						require.Equal(t, "plain", message.BodyStructure.Parts[1].MIMESubType)
+						require.Equal(t, "attachment", message.BodyStructure.Parts[1].Disposition)
+					}
+				}
+
+				return true
+			}, 10*time.Second, 100*time.Millisecond)
+		})
+	})
+}
+
+func TestBridge_SendInlineImage(t *testing.T) {
+	const messageInlineImageOnly = `Content-Type: multipart/mixed;
+  boundary="Apple-Mail=_E7AC06C7-4EB2-4453-8CBB-80F4412A7C84"
+Subject: A new message
+Date: Mon, 13 Mar 2023 16:06:16 +0100
+
+
+--Apple-Mail=_E7AC06C7-4EB2-4453-8CBB-80F4412A7C84
+Content-Disposition: inline;
+  filename=Cat_August_2010-4.jpeg
+Content-Type: image/jpeg;
+  name="Cat_August_2010-4.jpeg"
+Content-Transfer-Encoding: base64
+
+SGVsbG8gd29ybGQ=
+
+--Apple-Mail=_E7AC06C7-4EB2-4453-8CBB-80F4412A7C84--
+	`
+
+	const messageInlineImageWithHTML = `Content-Type: multipart/mixed;
+  boundary="Apple-Mail=_E7AC06C7-4EB2-4453-8CBB-80F4412A7C84"
+Subject: A new message Part2 
+Date: Mon, 13 Mar 2023 16:06:16 +0100
+
+--Apple-Mail=_E7AC06C7-4EB2-4453-8CBB-80F4412A7C84
+Content-Type: text/html;charset=utf8
+Content-Transfer-Encoding: quoted-printable
+
+Hello world
+
+--Apple-Mail=_E7AC06C7-4EB2-4453-8CBB-80F4412A7C84
+Content-Disposition: inline;
+  filename=Cat_August_2010-4.jpeg
+Content-Type: image/jpeg;
+  name="Cat_August_2010-4.jpeg"
+Content-Transfer-Encoding: base64
+
+SGVsbG8gd29ybGQ=
+
+--Apple-Mail=_E7AC06C7-4EB2-4453-8CBB-80F4412A7C84--
+`
+
+	const messageInlineImageWithText = `Content-Type: multipart/mixed;
+  boundary="Apple-Mail=_E7AC06C7-4EB2-4453-8CBB-80F4412A7C84"
+Subject: A new message Part3
+Date: Mon, 13 Mar 2023 16:06:16 +0100
+
+--Apple-Mail=_E7AC06C7-4EB2-4453-8CBB-80F4412A7C84
+Content-Type: text/plain;charset=utf8
+Content-Transfer-Encoding: quoted-printable
+
+Hello world
+
+--Apple-Mail=_E7AC06C7-4EB2-4453-8CBB-80F4412A7C84
+Content-Disposition: inline;
+  filename=Cat_August_2010-4.jpeg
+Content-Type: image/jpeg;
+  name="Cat_August_2010-4.jpeg"
+Content-Transfer-Encoding: base64
+
+SGVsbG8gd29ybGQ=
+
+--Apple-Mail=_E7AC06C7-4EB2-4453-8CBB-80F4412A7C84--
+`
+
+	const messageInlineImageFollowedByText = `Content-Type: multipart/mixed;
+  boundary="Apple-Mail=_E7AC06C7-4EB2-4453-8CBB-80F4412A7C84"
+Subject: A new message Part4
+Date: Mon, 13 Mar 2023 16:06:16 +0100
+
+--Apple-Mail=_E7AC06C7-4EB2-4453-8CBB-80F4412A7C84
+Content-Disposition: inline;
+  filename=Cat_August_2010-4.jpeg
+Content-Type: image/jpeg;
+  name="Cat_August_2010-4.jpeg"
+Content-Transfer-Encoding: base64
+
+SGVsbG8gd29ybGQ=
+
+--Apple-Mail=_E7AC06C7-4EB2-4453-8CBB-80F4412A7C84
+Content-Type: text/plain;charset=utf8
+Content-Transfer-Encoding: quoted-printable
+
+Hello world
+
+--Apple-Mail=_E7AC06C7-4EB2-4453-8CBB-80F4412A7C84--
+`
+	withEnv(t, func(ctx context.Context, s *server.Server, netCtl *proton.NetCtl, locator bridge.Locator, storeKey []byte) {
+		_, _, err := s.CreateUser("recipient", password)
+		require.NoError(t, err)
+
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(bridge *bridge.Bridge, _ *bridge.Mocks) {
+			senderUserID, err := bridge.LoginFull(ctx, username, password, nil, nil)
+			require.NoError(t, err)
+
+			recipientUserID, err := bridge.LoginFull(ctx, "recipient", password, nil, nil)
+			require.NoError(t, err)
+
+			senderInfo, err := bridge.GetUserInfo(senderUserID)
+			require.NoError(t, err)
+
+			recipientInfo, err := bridge.GetUserInfo(recipientUserID)
+			require.NoError(t, err)
+
+			messages := []string{
+				messageInlineImageOnly,
+				messageInlineImageWithHTML,
+				messageInlineImageWithText,
+				messageInlineImageFollowedByText,
+			}
+
+			for _, m := range messages {
+				// Dial the server.
+				client, err := smtp.Dial(net.JoinHostPort(constants.Host, fmt.Sprint(bridge.GetSMTPPort())))
+				require.NoError(t, err)
+				defer client.Close() //nolint:errcheck
+
+				// Upgrade to TLS.
+				require.NoError(t, client.StartTLS(&tls.Config{InsecureSkipVerify: true}))
+
+				// Authorize with SASL LOGIN.
+				require.NoError(t, client.Auth(sasl.NewLoginClient(
+					senderInfo.Addresses[0],
+					string(senderInfo.BridgePass)),
+				))
+
+				// Send the message.
+				require.NoError(t, client.SendMail(
+					senderInfo.Addresses[0],
+					[]string{recipientInfo.Addresses[0]},
+					strings.NewReader(m),
+				))
+			}
+
+			// Connect the sender IMAP client.
+			senderIMAPClient, err := eventuallyDial(net.JoinHostPort(constants.Host, fmt.Sprint(bridge.GetIMAPPort())))
+			require.NoError(t, err)
+			require.NoError(t, senderIMAPClient.Login(senderInfo.Addresses[0], string(senderInfo.BridgePass)))
+			defer senderIMAPClient.Logout() //nolint:errcheck
+
+			// Connect the recipient IMAP client.
+			recipientIMAPClient, err := eventuallyDial(net.JoinHostPort(constants.Host, fmt.Sprint(bridge.GetIMAPPort())))
+			require.NoError(t, err)
+			require.NoError(t, recipientIMAPClient.Login(recipientInfo.Addresses[0], string(recipientInfo.BridgePass)))
+			defer recipientIMAPClient.Logout() //nolint:errcheck
+
+			require.Eventually(t, func() bool {
+				messages, err := clientFetch(senderIMAPClient, `Sent`, imap.FetchBodyStructure)
+				require.NoError(t, err)
+				if len(messages) != 4 {
+					return false
+				}
+
+				// messages may not be in order
+				for _, message := range messages {
+					require.Equal(t, 1, len(message.BodyStructure.Parts))
+					require.Equal(t, "multipart", message.BodyStructure.MIMEType)
+					require.Equal(t, "mixed", message.BodyStructure.MIMESubType)
+					require.Equal(t, "multipart", message.BodyStructure.Parts[0].MIMEType)
+					require.Equal(t, "related", message.BodyStructure.Parts[0].MIMESubType)
+					require.Len(t, message.BodyStructure.Parts[0].Parts, 2)
+					require.Equal(t, "text", message.BodyStructure.Parts[0].Parts[0].MIMEType)
+					require.Equal(t, "html", message.BodyStructure.Parts[0].Parts[0].MIMESubType)
+					require.Equal(t, "image", message.BodyStructure.Parts[0].Parts[1].MIMEType)
+					require.Equal(t, "jpeg", message.BodyStructure.Parts[0].Parts[1].MIMESubType)
+				}
+
+				return true
+			}, 10*time.Second, 100*time.Millisecond)
+		})
+	})
+}
+
+func TestBridge_SendAddressDisabled(t *testing.T) {
+	withEnv(t, func(ctx context.Context, s *server.Server, netCtl *proton.NetCtl, locator bridge.Locator, storeKey []byte) {
+		recipientUserID, _, err := s.CreateUser("recipient", password)
+		require.NoError(t, err)
+
+		senderUserID, addrID, err := s.CreateUser("sender", password)
+		require.NoError(t, err)
+
+		require.NoError(t, s.ChangeAddressAllowSend(senderUserID, addrID, false))
+
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(bridge *bridge.Bridge, _ *bridge.Mocks) {
+			senderUserID, err := bridge.LoginFull(ctx, "sender", password, nil, nil)
+			require.NoError(t, err)
+
+			_, err = bridge.LoginFull(ctx, "recipient", password, nil, nil)
+			require.NoError(t, err)
+
+			recipientInfo, err := bridge.GetUserInfo(recipientUserID)
+			require.NoError(t, err)
+
+			senderInfo, err := bridge.GetUserInfo(senderUserID)
+			require.NoError(t, err)
+
+			// Dial the server.
+			client, err := smtp.Dial(net.JoinHostPort(constants.Host, fmt.Sprint(bridge.GetSMTPPort())))
+			require.NoError(t, err)
+			defer client.Close() //nolint:errcheck
+
+			// Upgrade to TLS.
+			require.NoError(t, client.StartTLS(&tls.Config{InsecureSkipVerify: true}))
+			require.NoError(t, client.Auth(sasl.NewLoginClient(
+				senderInfo.Addresses[0],
+				string(senderInfo.BridgePass)),
+			))
+
+			// Send the message.
+			err = client.SendMail(
+				senderInfo.Addresses[0],
+				[]string{recipientInfo.Addresses[0]},
+				strings.NewReader("Subject: Test 1\r\n\r\nHello world!"),
+			)
+
+			smtpErr := smtpservice.NewErrCannotSendFromAddress(senderInfo.Addresses[0])
+			require.Equal(t, fmt.Sprintf("Error: %v", smtpErr.Error()), err.Error())
+		})
+	})
+}
--- a/internal/bridge/sentry_test.go
+++ b/internal/bridge/sentry_test.go
@ -0,0 +1,71 @@
+// Copyright (c) 2025 Proton AG
+//
+// This file is part of Proton Mail Bridge.
+//
+// Proton Mail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Proton Mail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Proton Mail Bridge.  If not, see <https://www.gnu.org/licenses/>.
+
+package bridge_test
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"testing"
+
+	"github.com/ProtonMail/gluon/liner"
+	"github.com/ProtonMail/go-proton-api"
+	"github.com/ProtonMail/go-proton-api/server"
+	"github.com/ProtonMail/proton-bridge/v3/internal/bridge"
+	"github.com/ProtonMail/proton-bridge/v3/internal/constants"
+	"github.com/ProtonMail/proton-bridge/v3/internal/events"
+	"github.com/stretchr/testify/require"
+)
+
+func TestBridge_Report(t *testing.T) {
+	withEnv(t, func(ctx context.Context, s *server.Server, netCtl *proton.NetCtl, locator bridge.Locator, storeKey []byte) {
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(b *bridge.Bridge, _ *bridge.Mocks) {
+			syncCh, done := chToType[events.Event, events.SyncFinished](b.GetEvents(events.SyncFinished{}))
+			defer done()
+
+			// Log in the user.
+			userID, err := b.LoginFull(ctx, username, password, nil, nil)
+			require.NoError(t, err)
+
+			// Wait until the sync has finished.
+			require.Equal(t, userID, (<-syncCh).UserID)
+
+			// Get the IMAP info.
+			info, err := b.GetUserInfo(userID)
+			require.NoError(t, err)
+			require.True(t, info.State == bridge.Connected)
+
+			// Dial the IMAP port.
+			conn, err := net.Dial("tcp", fmt.Sprintf("%v:%v", constants.Host, b.GetIMAPPort()))
+			require.NoError(t, err)
+			defer func() { require.NoError(t, conn.Close()) }()
+
+			// Read lines from the IMAP port.
+			lineCh := liner.New(conn).Lines(func() error { return nil })
+
+			// On connection, we should get the greeting.
+			require.Contains(t, string((<-lineCh).Line), "* OK")
+
+			// Send garbage data.
+			must(conn.Write([]byte("tag garbage\r\n")))
+
+			// Bridge will reply with BAD.
+			require.Contains(t, string((<-lineCh).Line), "tag BAD")
+		})
+	})
+}
--- a/internal/bridge/server_manager_test.go
+++ b/internal/bridge/server_manager_test.go
@ -0,0 +1,137 @@
+// Copyright (c) 2025 Proton AG
+//
+// This file is part of Proton Mail Bridge.
+//
+// Proton Mail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Proton Mail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Proton Mail Bridge.  If not, see <https://www.gnu.org/licenses/>.
+
+package bridge_test
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"testing"
+
+	"github.com/ProtonMail/go-proton-api"
+	"github.com/ProtonMail/go-proton-api/server"
+	"github.com/ProtonMail/proton-bridge/v3/internal/bridge"
+	"github.com/ProtonMail/proton-bridge/v3/internal/constants"
+	"github.com/ProtonMail/proton-bridge/v3/internal/events"
+	"github.com/emersion/go-smtp"
+	"github.com/stretchr/testify/require"
+)
+
+func TestServerManager_ServersStartWithBridge(t *testing.T) {
+	withEnv(t, func(ctx context.Context, s *server.Server, netCtl *proton.NetCtl, locator bridge.Locator, storeKey []byte) {
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(bridge *bridge.Bridge, _ *bridge.Mocks) {
+			imapClient, err := eventuallyDial(fmt.Sprintf("%v:%v", constants.Host, bridge.GetIMAPPort()))
+			require.NoError(t, err)
+			require.NoError(t, imapClient.Logout())
+
+			smtpClient, err := smtp.Dial(net.JoinHostPort(constants.Host, fmt.Sprint(bridge.GetSMTPPort())))
+			require.NoError(t, err)
+			smtpClient.Close() //nolint:errcheck
+		})
+	})
+}
+
+func TestServerManager_ServersKeepsRunningfterUserLogsOut(t *testing.T) {
+	withEnv(t, func(ctx context.Context, s *server.Server, netCtl *proton.NetCtl, locator bridge.Locator, storeKey []byte) {
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(bridge *bridge.Bridge, _ *bridge.Mocks) {
+			userID, err := bridge.LoginFull(ctx, username, password, nil, nil)
+			require.NoError(t, err)
+
+			require.NoError(t, bridge.LogoutUser(ctx, userID))
+
+			imapClient, err := eventuallyDial(fmt.Sprintf("%v:%v", constants.Host, bridge.GetIMAPPort()))
+			require.NoError(t, err)
+			require.NoError(t, imapClient.Logout())
+
+			smtpClient, err := smtp.Dial(net.JoinHostPort(constants.Host, fmt.Sprint(bridge.GetSMTPPort())))
+			require.NoError(t, err)
+			smtpClient.Close() //nolint:errcheck
+		})
+	})
+}
+
+func TestServerManager_ServersDoNotStopWhenThereIsStillOneActiveUser(t *testing.T) {
+	otherPassword := []byte("bar")
+	otherUser := "foo"
+	withEnv(t, func(ctx context.Context, s *server.Server, netCtl *proton.NetCtl, locator bridge.Locator, storeKey []byte) {
+		_, _, err := s.CreateUser(otherUser, otherPassword)
+		require.NoError(t, err)
+
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(bridge *bridge.Bridge, _ *bridge.Mocks) {
+			_, err := bridge.LoginFull(ctx, username, password, nil, nil)
+			require.NoError(t, err)
+
+			userIDOther, err := bridge.LoginFull(ctx, otherUser, otherPassword, nil, nil)
+			require.NoError(t, err)
+
+			evtCh, cancel := bridge.GetEvents(events.UserDeauth{})
+			defer cancel()
+
+			require.NoError(t, s.RevokeUser(userIDOther))
+
+			waitForEvent(t, evtCh, events.UserDeauth{})
+
+			imapClient, err := eventuallyDial(fmt.Sprintf("%v:%v", constants.Host, bridge.GetIMAPPort()))
+			require.NoError(t, err)
+			require.NoError(t, imapClient.Logout())
+
+			smtpClient, err := smtp.Dial(net.JoinHostPort(constants.Host, fmt.Sprint(bridge.GetSMTPPort())))
+			require.NoError(t, err)
+			smtpClient.Close() //nolint:errcheck
+		})
+	})
+}
+
+func TestServerManager_NetworkLossStopsServers(t *testing.T) {
+	withEnv(t, func(ctx context.Context, s *server.Server, netCtl *proton.NetCtl, locator bridge.Locator, storeKey []byte) {
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(bridge *bridge.Bridge, _ *bridge.Mocks) {
+			imapWaiter := waitForIMAPServerReady(bridge)
+			defer imapWaiter.Done()
+
+			smtpWaiter := waitForSMTPServerReady(bridge)
+			defer smtpWaiter.Done()
+
+			imapWaiterStop := waitForIMAPServerStopped(bridge)
+			defer imapWaiterStop.Done()
+
+			smtpWaiterStop := waitForSMTPServerStopped(bridge)
+			defer smtpWaiterStop.Done()
+
+			_, err := bridge.LoginFull(ctx, username, password, nil, nil)
+			require.NoError(t, err)
+
+			imapClient, err := eventuallyDial(fmt.Sprintf("%v:%v", constants.Host, bridge.GetIMAPPort()))
+			require.NoError(t, err)
+			require.NoError(t, imapClient.Logout())
+
+			smtpClient, err := smtp.Dial(net.JoinHostPort(constants.Host, fmt.Sprint(bridge.GetSMTPPort())))
+			require.NoError(t, err)
+			smtpClient.Close() //nolint:errcheck
+
+			netCtl.Disable()
+
+			imapWaiterStop.Wait()
+			smtpWaiterStop.Wait()
+
+			netCtl.Enable()
+
+			imapWaiter.Wait()
+			smtpWaiter.Wait()
+		})
+	})
+}
--- a/internal/bridge/settings.go
+++ b/internal/bridge/settings.go
@ -1,4 +1,4 @@
-// Copyright (c) 2022 Proton AG
+// Copyright (c) 2025 Proton AG
 //
 // This file is part of Proton Mail Bridge.
 //
@ -17,28 +17,324 @@

 package bridge

-import "github.com/ProtonMail/proton-bridge/v2/internal/config/settings"
+import (
+	"context"
+	"fmt"

-func (b *Bridge) Get(key settings.Key) string {
-	return b.settings.Get(key)
+	"github.com/Masterminds/semver/v3"
+	"github.com/ProtonMail/proton-bridge/v3/internal/kb"
+	"github.com/ProtonMail/proton-bridge/v3/internal/safe"
+	"github.com/ProtonMail/proton-bridge/v3/internal/services/userevents"
+	"github.com/ProtonMail/proton-bridge/v3/internal/updater"
+	"github.com/ProtonMail/proton-bridge/v3/internal/vault"
+)
+
+func (bridge *Bridge) GetKeychainApp() (string, error) {
+	vaultDir, err := bridge.locator.ProvideSettingsPath()
+	if err != nil {
+		return "", err
 	}

-func (b *Bridge) Set(key settings.Key, value string) {
-	b.settings.Set(key, value)
+	return vault.GetHelper(vaultDir)
 }

-func (b *Bridge) GetBool(key settings.Key) bool {
-	return b.settings.GetBool(key)
+func (bridge *Bridge) SetKeychainApp(helper string) error {
+	vaultDir, err := bridge.locator.ProvideSettingsPath()
+	if err != nil {
+		return err
 	}

-func (b *Bridge) SetBool(key settings.Key, value bool) {
-	b.settings.SetBool(key, value)
+	bridge.heartbeat.SetKeyChainPref(helper)
+
+	return vault.SetHelper(vaultDir, helper)
 }

-func (b *Bridge) GetInt(key settings.Key) int {
-	return b.settings.GetInt(key)
+func (bridge *Bridge) GetIMAPPort() int {
+	return bridge.vault.GetIMAPPort()
 }

-func (b *Bridge) SetInt(key settings.Key, value int) {
-	b.settings.SetInt(key, value)
+func (bridge *Bridge) SetIMAPPort(ctx context.Context, newPort int) error {
+	if newPort == bridge.vault.GetIMAPPort() {
+		return nil
+	}
+
+	if err := bridge.vault.SetIMAPPort(newPort); err != nil {
+		return err
+	}
+
+	bridge.heartbeat.SetIMAPPort(newPort)
+
+	return bridge.restartIMAP(ctx)
+}
+
+func (bridge *Bridge) GetIMAPSSL() bool {
+	return bridge.vault.GetIMAPSSL()
+}
+
+func (bridge *Bridge) SetIMAPSSL(ctx context.Context, newSSL bool) error {
+	if newSSL == bridge.vault.GetIMAPSSL() {
+		return nil
+	}
+
+	if err := bridge.vault.SetIMAPSSL(newSSL); err != nil {
+		return err
+	}
+
+	bridge.heartbeat.SetIMAPConnectionMode(newSSL)
+
+	return bridge.restartIMAP(ctx)
+}
+
+func (bridge *Bridge) GetSMTPPort() int {
+	return bridge.vault.GetSMTPPort()
+}
+
+func (bridge *Bridge) SetSMTPPort(ctx context.Context, newPort int) error {
+	if newPort == bridge.vault.GetSMTPPort() {
+		return nil
+	}
+
+	if err := bridge.vault.SetSMTPPort(newPort); err != nil {
+		return err
+	}
+
+	bridge.heartbeat.SetSMTPPort(newPort)
+
+	return bridge.restartSMTP(ctx)
+}
+
+func (bridge *Bridge) GetSMTPSSL() bool {
+	return bridge.vault.GetSMTPSSL()
+}
+
+func (bridge *Bridge) SetSMTPSSL(ctx context.Context, newSSL bool) error {
+	if newSSL == bridge.vault.GetSMTPSSL() {
+		return nil
+	}
+
+	if err := bridge.vault.SetSMTPSSL(newSSL); err != nil {
+		return err
+	}
+
+	bridge.heartbeat.SetSMTPConnectionMode(newSSL)
+
+	return bridge.restartSMTP(ctx)
+}
+
+func (bridge *Bridge) GetGluonCacheDir() string {
+	return bridge.vault.GetGluonCacheDir()
+}
+
+func (bridge *Bridge) GetGluonDataDir() (string, error) {
+	return bridge.locator.ProvideGluonDataPath()
+}
+
+func (bridge *Bridge) SetGluonDir(ctx context.Context, newGluonDir string) error {
+	bridge.usersLock.RLock()
+
+	defer func() {
+		logPkg.Info("Restarting user event loops")
+		for _, u := range bridge.users {
+			u.ResumeEventLoop()
+		}
+
+		bridge.usersLock.RUnlock()
+	}()
+
+	type waiter struct {
+		w  *userevents.EventPollWaiter
+		id string
+	}
+
+	waiters := make([]waiter, 0, len(bridge.users))
+
+	logPkg.Info("Pausing user event loops for gluon dir change")
+	for id, u := range bridge.users {
+		waiters = append(waiters, waiter{w: u.PauseEventLoopWithWaiter(), id: id})
+	}
+
+	logPkg.Info("Waiting on user event loop completion")
+	for _, waiter := range waiters {
+		if err := waiter.w.WaitPollFinished(ctx); err != nil {
+			logPkg.WithError(err).Errorf("Failed to wait on event loop pause for user %v", waiter.id)
+			return fmt.Errorf("failed on event loop pause: %w", err)
+		}
+	}
+
+	logPkg.Info("Changing gluon directory")
+	return bridge.serverManager.SetGluonDir(ctx, newGluonDir)
+}
+
+func (bridge *Bridge) GetProxyAllowed() bool {
+	return bridge.vault.GetProxyAllowed()
+}
+
+func (bridge *Bridge) SetProxyAllowed(allowed bool) error {
+	if allowed {
+		bridge.proxyCtl.AllowProxy()
+	} else {
+		bridge.proxyCtl.DisallowProxy()
+	}
+
+	bridge.heartbeat.SetDoh(allowed)
+
+	return bridge.vault.SetProxyAllowed(allowed)
+}
+
+func (bridge *Bridge) GetShowAllMail() bool {
+	return bridge.vault.GetShowAllMail()
+}
+
+func (bridge *Bridge) SetShowAllMail(show bool) error {
+	return safe.RLockRet(func() error {
+		for _, user := range bridge.users {
+			user.SetShowAllMail(show)
+		}
+
+		bridge.heartbeat.SetShowAllMail(show)
+
+		return bridge.vault.SetShowAllMail(show)
+	}, bridge.usersLock)
+}
+
+func (bridge *Bridge) GetAutostart() bool {
+	return bridge.vault.GetAutostart()
+}
+
+func (bridge *Bridge) SetAutostart(autostart bool) error {
+	if autostart != bridge.vault.GetAutostart() {
+		if err := bridge.vault.SetAutostart(autostart); err != nil {
+			return err
+		}
+
+		bridge.heartbeat.SetAutoStart(autostart)
+	}
+
+	var err error
+	if autostart {
+		// do nothing if already enabled
+		if bridge.autostarter.IsEnabled() {
+			return nil
+		}
+		err = bridge.autostarter.Enable()
+	} else {
+		// do nothing if already disabled
+		if !bridge.autostarter.IsEnabled() {
+			return nil
+		}
+		err = bridge.autostarter.Disable()
+	}
+
+	return err
+}
+
+func (bridge *Bridge) GetUpdateRollout() float64 {
+	return bridge.vault.GetUpdateRollout()
+}
+
+func (bridge *Bridge) GetAutoUpdate() bool {
+	return bridge.vault.GetAutoUpdate()
+}
+
+func (bridge *Bridge) SetAutoUpdate(autoUpdate bool) error {
+	if bridge.vault.GetAutoUpdate() == autoUpdate {
+		return nil
+	}
+
+	if err := bridge.vault.SetAutoUpdate(autoUpdate); err != nil {
+		return err
+	}
+
+	bridge.heartbeat.SetAutoUpdate(autoUpdate)
+
+	bridge.goUpdate()
+
+	return nil
+}
+
+func (bridge *Bridge) GetTelemetryDisabled() bool {
+	return bridge.vault.GetTelemetryDisabled()
+}
+
+func (bridge *Bridge) SetTelemetryDisabled(isDisabled bool) error {
+	if err := bridge.vault.SetTelemetryDisabled(isDisabled); err != nil {
+		return err
+	}
+	// If telemetry is re-enabled locally, try to send the heartbeat.
+	if isDisabled {
+		bridge.heartbeat.stop()
+	} else {
+		bridge.heartbeat.start()
+	}
+
+	return nil
+}
+
+func (bridge *Bridge) GetUpdateChannel() updater.Channel {
+	return bridge.vault.GetUpdateChannel()
+}
+
+func (bridge *Bridge) SetUpdateChannel(channel updater.Channel) error {
+	if bridge.vault.GetUpdateChannel() == channel {
+		return nil
+	}
+
+	if err := bridge.vault.SetUpdateChannel(channel); err != nil {
+		return err
+	}
+
+	bridge.heartbeat.SetBeta(channel)
+
+	bridge.goUpdate()
+
+	return nil
+}
+
+func (bridge *Bridge) GetCurrentVersion() *semver.Version {
+	return bridge.curVersion
+}
+
+func (bridge *Bridge) GetLastVersion() *semver.Version {
+	return bridge.lastVersion
+}
+
+func (bridge *Bridge) GetFirstStart() bool {
+	return bridge.firstStart
+}
+
+func (bridge *Bridge) GetColorScheme() string {
+	return bridge.vault.GetColorScheme()
+}
+
+func (bridge *Bridge) SetColorScheme(colorScheme string) error {
+	return bridge.vault.SetColorScheme(colorScheme)
+}
+
+func (bridge *Bridge) GetKnowledgeBaseSuggestions(userInput string) (kb.ArticleList, error) {
+	return kb.GetSuggestions(userInput)
+}
+
+// FactoryReset deletes all users, wipes the vault, and deletes all files.
+// Note: it does not clear the keychain. The only entry in the keychain is the vault password,
+// which we need at next startup to decrypt the vault.
+func (bridge *Bridge) FactoryReset(ctx context.Context) {
+	// Delete all the users.
+	safe.Lock(func() {
+		for _, user := range bridge.users {
+			bridge.logoutUser(ctx, user, true, true)
+		}
+	}, bridge.usersLock)
+
+	// Wipe the vault.
+	gluonCacheDir, err := bridge.locator.ProvideGluonCachePath()
+	if err != nil {
+		logPkg.WithError(err).Error("Failed to provide gluon dir")
+	} else if err := bridge.vault.Reset(gluonCacheDir); err != nil {
+		logPkg.WithError(err).Error("Failed to reset vault")
+	}
+
+	// Lastly, delete all files except the vault.
+	if err := bridge.locator.Clear(bridge.vault.Path()); err != nil {
+		logPkg.WithError(err).Error("Failed to clear data paths")
+	}
 }
--- a/internal/bridge/settings_test.go
+++ b/internal/bridge/settings_test.go
@ -0,0 +1,208 @@
+// Copyright (c) 2025 Proton AG
+//
+// This file is part of Proton Mail Bridge.
+//
+// Proton Mail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Proton Mail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Proton Mail Bridge.  If not, see <https://www.gnu.org/licenses/>.
+
+package bridge_test
+
+import (
+	"context"
+	"os"
+	"testing"
+
+	"github.com/ProtonMail/go-proton-api"
+	"github.com/ProtonMail/go-proton-api/server"
+	"github.com/ProtonMail/proton-bridge/v3/internal/bridge"
+	"github.com/ProtonMail/proton-bridge/v3/internal/events"
+	"github.com/stretchr/testify/require"
+)
+
+func TestBridge_Settings_GluonDir(t *testing.T) {
+	withEnv(t, func(ctx context.Context, s *server.Server, netCtl *proton.NetCtl, locator bridge.Locator, storeKey []byte) {
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(bridge *bridge.Bridge, _ *bridge.Mocks) {
+			// Create a user.
+			_, err := bridge.LoginFull(context.Background(), username, password, nil, nil)
+			require.NoError(t, err)
+
+			// Create a new location for the Gluon data.
+			newGluonDir := t.TempDir()
+
+			// Move the gluon dir; it should also move the user's data.
+			require.NoError(t, bridge.SetGluonDir(context.Background(), newGluonDir))
+
+			// Check that the new directory is not empty.
+			entries, err := os.ReadDir(newGluonDir)
+			require.NoError(t, err)
+
+			// There should be at least one entry.
+			require.NotEmpty(t, entries)
+		})
+	})
+}
+
+func TestBridge_Settings_GluonDirWithOnGoingEvents(t *testing.T) {
+	withEnv(t, func(ctx context.Context, s *server.Server, netCtl *proton.NetCtl, locator bridge.Locator, storeKey []byte) {
+		userID, addrID, err := s.CreateUser("imap", password)
+		require.NoError(t, err)
+
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(bridge *bridge.Bridge, _ *bridge.Mocks) {
+			syncCh, done := chToType[events.Event, events.SyncFinished](bridge.GetEvents(events.SyncFinished{}))
+			defer done()
+
+			_, err := bridge.LoginFull(context.Background(), "imap", password, nil, nil)
+			require.NoError(t, err)
+
+			<-syncCh
+		})
+
+		labelID, err := s.CreateLabel(userID, "folder", "", proton.LabelTypeFolder)
+		require.NoError(t, err)
+
+		withClient(ctx, t, s, "imap", password, func(ctx context.Context, c *proton.Client) {
+			createNumMessages(ctx, t, c, addrID, labelID, 200)
+		})
+
+		withBridgeWaitForServers(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(bridge *bridge.Bridge, _ *bridge.Mocks) {
+			// Create a new location for the Gluon data.
+			newGluonDir := t.TempDir()
+
+			// Move the gluon dir; it should also move the user's data.
+			require.NoError(t, bridge.SetGluonDir(context.Background(), newGluonDir))
+
+			// Check that the new directory is not empty.
+			entries, err := os.ReadDir(newGluonDir)
+			require.NoError(t, err)
+
+			// There should be at least one entry.
+			require.NotEmpty(t, entries)
+		})
+	})
+}
+
+func TestBridge_Settings_IMAPPort(t *testing.T) {
+	withEnv(t, func(ctx context.Context, s *server.Server, netCtl *proton.NetCtl, locator bridge.Locator, storeKey []byte) {
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(bridge *bridge.Bridge, _ *bridge.Mocks) {
+			curPort := bridge.GetIMAPPort()
+
+			// Set the port to 1144.
+			require.NoError(t, bridge.SetIMAPPort(ctx, 1144))
+
+			// Get the new setting.
+			require.Equal(t, 1144, bridge.GetIMAPPort())
+
+			// Assert that it has changed.
+			require.NotEqual(t, curPort, bridge.GetIMAPPort())
+		})
+	})
+}
+
+func TestBridge_Settings_IMAPSSL(t *testing.T) {
+	withEnv(t, func(ctx context.Context, s *server.Server, netCtl *proton.NetCtl, locator bridge.Locator, storeKey []byte) {
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(bridge *bridge.Bridge, _ *bridge.Mocks) {
+			// By default, IMAP SSL is disabled.
+			require.False(t, bridge.GetIMAPSSL())
+
+			// Enable IMAP SSL.
+			require.NoError(t, bridge.SetIMAPSSL(ctx, true))
+
+			// Get the new setting.
+			require.True(t, bridge.GetIMAPSSL())
+		})
+	})
+}
+
+func TestBridge_Settings_SMTPPort(t *testing.T) {
+	withEnv(t, func(ctx context.Context, s *server.Server, netCtl *proton.NetCtl, locator bridge.Locator, storeKey []byte) {
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(bridge *bridge.Bridge, _ *bridge.Mocks) {
+			curPort := bridge.GetSMTPPort()
+
+			// Set the port to 1024.
+			require.NoError(t, bridge.SetSMTPPort(ctx, 1024))
+
+			// Get the new setting.
+			require.Equal(t, 1024, bridge.GetSMTPPort())
+
+			// Assert that it has changed.
+			require.NotEqual(t, curPort, bridge.GetSMTPPort())
+		})
+	})
+}
+
+func TestBridge_Settings_SMTPSSL(t *testing.T) {
+	withEnv(t, func(ctx context.Context, s *server.Server, netCtl *proton.NetCtl, locator bridge.Locator, storeKey []byte) {
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(bridge *bridge.Bridge, _ *bridge.Mocks) {
+			// By default, SMTP SSL is disabled.
+			require.False(t, bridge.GetSMTPSSL())
+
+			// Enable SMTP SSL.
+			require.NoError(t, bridge.SetSMTPSSL(ctx, true))
+
+			// Get the new setting.
+			require.True(t, bridge.GetSMTPSSL())
+		})
+	})
+}
+
+func TestBridge_Settings_Proxy(t *testing.T) {
+	withEnv(t, func(ctx context.Context, s *server.Server, netCtl *proton.NetCtl, locator bridge.Locator, storeKey []byte) {
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(bridge *bridge.Bridge, mocks *bridge.Mocks) {
+			// By default, proxy is allowed.
+			require.False(t, bridge.GetProxyAllowed())
+
+			// Disallow proxy.
+			mocks.ProxyCtl.EXPECT().AllowProxy()
+			require.NoError(t, bridge.SetProxyAllowed(true))
+
+			// Get the new setting.
+			require.True(t, bridge.GetProxyAllowed())
+		})
+	})
+}
+
+func TestBridge_Settings_Autostart(t *testing.T) {
+	withEnv(t, func(ctx context.Context, s *server.Server, netCtl *proton.NetCtl, locator bridge.Locator, storeKey []byte) {
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(bridge *bridge.Bridge, mocks *bridge.Mocks) {
+			// By default, autostart is enabled.
+			require.True(t, bridge.GetAutostart())
+
+			// Disable autostart.
+			mocks.Autostarter.EXPECT().IsEnabled().Return(true)
+			mocks.Autostarter.EXPECT().Disable().Return(nil)
+			require.NoError(t, bridge.SetAutostart(false))
+
+			// Get the new setting.
+			require.False(t, bridge.GetAutostart())
+
+			// Re Enable autostart.
+			mocks.Autostarter.EXPECT().IsEnabled().Return(false)
+			mocks.Autostarter.EXPECT().Enable().Return(nil)
+			require.NoError(t, bridge.SetAutostart(true))
+
+			// Get the new setting.
+			require.True(t, bridge.GetAutostart())
+		})
+	})
+}
+
+func TestBridge_Settings_FirstStart(t *testing.T) {
+	withEnv(t, func(ctx context.Context, s *server.Server, netCtl *proton.NetCtl, locator bridge.Locator, storeKey []byte) {
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(bridge *bridge.Bridge, _ *bridge.Mocks) {
+			// By default, first start is true.
+			require.True(t, bridge.GetFirstStart())
+
+			// the setting of the first start value is managed by bridge itself, so the setter is not exported.
+		})
+	})
+}
--- a/internal/bridge/smtp.go
+++ b/internal/bridge/smtp.go
@ -0,0 +1,57 @@
+// Copyright (c) 2025 Proton AG
+//
+// This file is part of Proton Mail Bridge.
+//
+// Proton Mail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Proton Mail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Proton Mail Bridge.  If not, see <https://www.gnu.org/licenses/>.
+
+package bridge
+
+import (
+	"context"
+	"crypto/tls"
+
+	"github.com/ProtonMail/proton-bridge/v3/internal/identifier"
+)
+
+func (bridge *Bridge) restartSMTP(ctx context.Context) error {
+	return bridge.serverManager.RestartSMTP(ctx)
+}
+
+type bridgeSMTPSettings struct {
+	b *Bridge
+}
+
+func (b *bridgeSMTPSettings) TLSConfig() *tls.Config {
+	return b.b.tlsConfig
+}
+
+func (b *bridgeSMTPSettings) Log() bool {
+	return b.b.logSMTP
+}
+
+func (b *bridgeSMTPSettings) Port() int {
+	return b.b.vault.GetSMTPPort()
+}
+
+func (b *bridgeSMTPSettings) SetPort(i int) error {
+	return b.b.vault.SetSMTPPort(i)
+}
+
+func (b *bridgeSMTPSettings) UseSSL() bool {
+	return b.b.vault.GetSMTPSSL()
+}
+
+func (b *bridgeSMTPSettings) Identifier() identifier.UserAgentUpdater {
+	return &bridgeUserAgentUpdater{Bridge: b.b}
+}
--- a/internal/bridge/store_factory.go
+++ b/internal/bridge/store_factory.go
@ -1,87 +0,0 @@
-// Copyright (c) 2022 Proton AG
-//
-// This file is part of Proton Mail Bridge.
-//
-// Proton Mail Bridge is free software: you can redistribute it and/or modify
-// it under the terms of the GNU General Public License as published by
-// the Free Software Foundation, either version 3 of the License, or
-// (at your option) any later version.
-//
-// Proton Mail Bridge is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License
-// along with Proton Mail Bridge. If not, see <https://www.gnu.org/licenses/>.
-
-package bridge
-
-import (
-	"fmt"
-	"path/filepath"
-
-	"github.com/ProtonMail/proton-bridge/v2/internal/sentry"
-	"github.com/ProtonMail/proton-bridge/v2/internal/store"
-	"github.com/ProtonMail/proton-bridge/v2/internal/store/cache"
-	"github.com/ProtonMail/proton-bridge/v2/internal/users"
-	"github.com/ProtonMail/proton-bridge/v2/pkg/listener"
-	"github.com/ProtonMail/proton-bridge/v2/pkg/message"
-)
-
-type storeFactory struct {
-	cacheProvider  CacheProvider
-	sentryReporter *sentry.Reporter
-	panicHandler   users.PanicHandler
-	eventListener  listener.Listener
-	events         *store.Events
-	cache          cache.Cache
-	builder        *message.Builder
-}
-
-func newStoreFactory(
-	cacheProvider CacheProvider,
-	sentryReporter *sentry.Reporter,
-	panicHandler users.PanicHandler,
-	eventListener listener.Listener,
-	cache cache.Cache,
-	builder *message.Builder,
-) *storeFactory {
-	return &storeFactory{
-		cacheProvider:  cacheProvider,
-		sentryReporter: sentryReporter,
-		panicHandler:   panicHandler,
-		eventListener:  eventListener,
-		events:         store.NewEvents(cacheProvider.GetIMAPCachePath()),
-		cache:          cache,
-		builder:        builder,
-	}
-}
-
-// New creates new store for given user.
-func (f *storeFactory) New(user store.BridgeUser) (*store.Store, error) {
-	return store.New(
-		f.sentryReporter,
-		f.panicHandler,
-		user,
-		f.eventListener,
-		f.cache,
-		f.builder,
-		getUserStorePath(f.cacheProvider.GetDBDir(), user.ID()),
-		f.events,
-	)
-}
-
-// Remove removes all store files for given user.
-func (f *storeFactory) Remove(userID string) error {
-	return store.RemoveStore(
-		f.events,
-		getUserStorePath(f.cacheProvider.GetDBDir(), userID),
-		userID,
-	)
-}
-
-// getUserStorePath returns the file path of the store database for the given userID.
-func getUserStorePath(storeDir string, userID string) (path string) {
-	return filepath.Join(storeDir, fmt.Sprintf("mailbox-%v.db", userID))
-}
--- a/internal/bridge/sync_test.go
+++ b/internal/bridge/sync_test.go
@ -0,0 +1,836 @@
+// Copyright (c) 2025 Proton AG
+//
+// This file is part of Proton Mail Bridge.
+//
+// Proton Mail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Proton Mail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Proton Mail Bridge.  If not, see <https://www.gnu.org/licenses/>.
+
+package bridge_test
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	"github.com/ProtonMail/gluon/async"
+	"github.com/ProtonMail/gluon/rfc822"
+	"github.com/ProtonMail/go-proton-api"
+	"github.com/ProtonMail/go-proton-api/server"
+	"github.com/ProtonMail/proton-bridge/v3/internal/bridge"
+	"github.com/ProtonMail/proton-bridge/v3/internal/constants"
+	"github.com/ProtonMail/proton-bridge/v3/internal/events"
+	"github.com/ProtonMail/proton-bridge/v3/internal/services/imapservice"
+	"github.com/bradenaw/juniper/iterator"
+	"github.com/bradenaw/juniper/stream"
+	"github.com/bradenaw/juniper/xslices"
+	"github.com/emersion/go-imap"
+	"github.com/emersion/go-imap/client"
+	"github.com/golang/mock/gomock"
+	"github.com/stretchr/testify/require"
+)
+
+func TestBridge_Sync(t *testing.T) {
+	numMsg := 1 << 8
+
+	withEnv(t, func(ctx context.Context, s *server.Server, netCtl *proton.NetCtl, locator bridge.Locator, storeKey []byte) {
+		userID, addrID, err := s.CreateUser("imap", password)
+		require.NoError(t, err)
+
+		labelID, err := s.CreateLabel(userID, "folder", "", proton.LabelTypeFolder)
+		require.NoError(t, err)
+
+		withClient(ctx, t, s, "imap", password, func(ctx context.Context, c *proton.Client) {
+			createNumMessages(ctx, t, c, addrID, labelID, numMsg)
+		})
+
+		var total uint64
+
+		// The initial user should be fully synced.
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(bridge *bridge.Bridge, _ *bridge.Mocks) {
+			syncCh, done := chToType[events.Event, events.SyncFinished](bridge.GetEvents(events.SyncFinished{}))
+			defer done()
+
+			// Count how many bytes it takes to fully sync the user.
+			total = countBytesRead(netCtl, func() {
+				userID, err := bridge.LoginFull(ctx, "imap", password, nil, nil)
+				require.NoError(t, err)
+
+				require.Equal(t, userID, (<-syncCh).UserID)
+			})
+		})
+
+		// If we then connect an IMAP client, it should see all the messages.
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(b *bridge.Bridge, _ *bridge.Mocks) {
+			info, err := b.GetUserInfo(userID)
+			require.NoError(t, err)
+			require.True(t, info.State == bridge.Connected)
+
+			client, err := eventuallyDial(fmt.Sprintf("%v:%v", constants.Host, b.GetIMAPPort()))
+			require.NoError(t, err)
+			require.NoError(t, client.Login(info.Addresses[0], string(info.BridgePass)))
+			defer func() { _ = client.Logout() }()
+
+			status, err := client.Select(`Folders/folder`, false)
+			require.NoError(t, err)
+			require.Equal(t, uint32(numMsg), status.Messages)
+		})
+
+		// Now let's remove the user and simulate a network error.
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(bridge *bridge.Bridge, _ *bridge.Mocks) {
+			require.NoError(t, bridge.DeleteUser(ctx, userID))
+		})
+
+		// Pretend we can only sync 2/3 of the original messages.
+		netCtl.SetReadLimit(2 * total / 3)
+
+		// Login the user; its sync should fail.
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(b *bridge.Bridge, _ *bridge.Mocks) {
+			{
+				syncCh, done := chToType[events.Event, events.SyncFailed](b.GetEvents(events.SyncFailed{}))
+				defer done()
+
+				userID, err := b.LoginFull(ctx, "imap", password, nil, nil)
+				require.NoError(t, err)
+
+				require.Equal(t, userID, (<-syncCh).UserID)
+
+				info, err := b.GetUserInfo(userID)
+				require.NoError(t, err)
+				require.True(t, info.State == bridge.Connected)
+			}
+
+			// Remove the network limit, allowing the sync to finish.
+			netCtl.SetReadLimit(0)
+
+			{
+				syncCh, done := chToType[events.Event, events.SyncFinished](b.GetEvents(events.SyncFinished{}))
+				defer done()
+
+				require.Equal(t, userID, (<-syncCh).UserID)
+
+				info, err := b.GetUserInfo(userID)
+				require.NoError(t, err)
+				require.True(t, info.State == bridge.Connected)
+
+				client, err := eventuallyDial(fmt.Sprintf("%v:%v", constants.Host, b.GetIMAPPort()))
+				require.NoError(t, err)
+				require.NoError(t, client.Login(info.Addresses[0], string(info.BridgePass)))
+				defer func() { _ = client.Logout() }()
+
+				status, err := client.Select(`Folders/folder`, false)
+				require.NoError(t, err)
+				require.Equal(t, uint32(numMsg), status.Messages)
+			}
+		})
+	}, server.WithTLS(false))
+}
+
+// GODT-2215: This test no longer works since it's now possible to import messages into Gluon with bad ContentType header.
+func _TestBridge_Sync_BadMessage(t *testing.T) { //nolint:unused,deadcode
+	withEnv(t, func(ctx context.Context, s *server.Server, netCtl *proton.NetCtl, locator bridge.Locator, storeKey []byte) {
+		userID, addrID, err := s.CreateUser("imap", password)
+		require.NoError(t, err)
+
+		labelID, err := s.CreateLabel(userID, "folder", "", proton.LabelTypeFolder)
+		require.NoError(t, err)
+
+		var messageIDs []string
+
+		withClient(ctx, t, s, "imap", password, func(ctx context.Context, c *proton.Client) {
+			messageIDs = createMessages(ctx, t, c, addrID, labelID,
+				[]byte("To: someone@pm.me\r\nSubject: Good message\r\n\r\nHello!"),
+				[]byte("To: someone@pm.me\r\nSubject: Bad message\r\nContentType: this is not a valid content type\r\n\r\nHello!"),
+			)
+		})
+
+		// The initial user should be fully synced and should skip the bad message.
+		// We should report the bad message to sentry.
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(bridge *bridge.Bridge, mocks *bridge.Mocks) {
+			mocks.Reporter.EXPECT().ReportMessageWithContext("Failed to build message (sync)", gomock.Any())
+
+			syncCh, done := chToType[events.Event, events.SyncFinished](bridge.GetEvents(events.SyncFinished{}))
+			defer done()
+
+			userID, err := bridge.LoginFull(ctx, "imap", password, nil, nil)
+			require.NoError(t, err)
+
+			require.Equal(t, userID, (<-syncCh).UserID)
+		})
+
+		// If we then connect an IMAP client, it should see the good message but not the bad one.
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(b *bridge.Bridge, _ *bridge.Mocks) {
+			info, err := b.GetUserInfo(userID)
+			require.NoError(t, err)
+			require.True(t, info.State == bridge.Connected)
+
+			client, err := eventuallyDial(fmt.Sprintf("%v:%v", constants.Host, b.GetIMAPPort()))
+			require.NoError(t, err)
+			require.NoError(t, client.Login(info.Addresses[0], string(info.BridgePass)))
+			defer func() { _ = client.Logout() }()
+
+			status, err := client.Select(`Folders/folder`, false)
+			require.NoError(t, err)
+			require.Equal(t, uint32(1), status.Messages)
+
+			messages, err := clientFetch(client, `Folders/folder`)
+			require.NoError(t, err)
+			require.Len(t, messages, 1)
+
+			// The bad message should have been skipped.
+			literal, err := io.ReadAll(messages[0].GetBody(must(imap.ParseBodySectionName("BODY[]"))))
+			require.NoError(t, err)
+
+			header, err := rfc822.Parse(literal).ParseHeader()
+			require.NoError(t, err)
+			require.Equal(t, "Good message", header.Get("Subject"))
+			require.Equal(t, messageIDs[0], header.Get("X-Pm-Internal-Id"))
+		})
+	})
+}
+
+func TestBridge_SyncWithOngoingEvents(t *testing.T) {
+	numMsg := 1 << 8
+	messageSplitIndex := numMsg * 2 / 3
+	renmainingMessageCount := numMsg - messageSplitIndex
+
+	messages := make([]string, 0, numMsg)
+
+	withEnv(t, func(ctx context.Context, s *server.Server, netCtl *proton.NetCtl, locator bridge.Locator, storeKey []byte) {
+		userID, addrID, err := s.CreateUser("imap", password)
+		require.NoError(t, err)
+
+		labelID, err := s.CreateLabel(userID, "folder", "", proton.LabelTypeFolder)
+		require.NoError(t, err)
+
+		withClient(ctx, t, s, "imap", password, func(ctx context.Context, c *proton.Client) {
+			importResults := createNumMessages(ctx, t, c, addrID, labelID, numMsg)
+			for _, v := range importResults {
+				if len(v) != 0 {
+					messages = append(messages, v)
+				}
+			}
+		})
+
+		var total uint64
+
+		// The initial user should be fully synced.
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(bridge *bridge.Bridge, _ *bridge.Mocks) {
+			syncCh, done := chToType[events.Event, events.SyncFinished](bridge.GetEvents(events.SyncFinished{}))
+			defer done()
+
+			// Count how many bytes it takes to fully sync the user.
+			total = countBytesRead(netCtl, func() {
+				userID, err := bridge.LoginFull(ctx, "imap", password, nil, nil)
+				require.NoError(t, err)
+
+				require.Equal(t, userID, (<-syncCh).UserID)
+			})
+		})
+
+		// Now let's remove the user and stop the network at 2/3 of the data.
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(bridge *bridge.Bridge, _ *bridge.Mocks) {
+			require.NoError(t, bridge.DeleteUser(ctx, userID))
+		})
+
+		// Pretend we can only sync 2/3 of the original messages.
+		netCtl.SetReadLimit(2 * total / 3)
+
+		// Login the user; its sync should fail.
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(b *bridge.Bridge, _ *bridge.Mocks) {
+			syncCh, done := chToType[events.Event, events.SyncFinished](b.GetEvents(events.SyncFinished{}))
+			defer done()
+
+			{
+				syncFailedCh, syncFailedDone := chToType[events.Event, events.SyncFailed](b.GetEvents(events.SyncFailed{}))
+				defer syncFailedDone()
+
+				userID, err := b.LoginFull(ctx, "imap", password, nil, nil)
+				require.NoError(t, err)
+
+				require.Equal(t, userID, (<-syncFailedCh).UserID)
+
+				info, err := b.GetUserInfo(userID)
+				require.NoError(t, err)
+				require.True(t, info.State == bridge.Connected)
+			}
+
+			// Create a new mailbox and move that last 1/3 of the messages into it to simulate user
+			// actions during sync.
+			{
+				newLabelID, err := s.CreateLabel(userID, "folder2", "", proton.LabelTypeFolder)
+				require.NoError(t, err)
+
+				messages := messages[messageSplitIndex:]
+
+				withClient(ctx, t, s, "imap", password, func(ctx context.Context, c *proton.Client) {
+					require.NoError(t, c.UnlabelMessages(ctx, messages, labelID))
+					require.NoError(t, c.LabelMessages(ctx, messages, newLabelID))
+				})
+			}
+
+			// Remove the network limit, allowing the sync to finish.
+			netCtl.SetReadLimit(0)
+			{
+				require.Equal(t, userID, (<-syncCh).UserID)
+
+				info, err := b.GetUserInfo(userID)
+				require.NoError(t, err)
+				require.True(t, info.State == bridge.Connected)
+
+				client, err := eventuallyDial(fmt.Sprintf("%v:%v", constants.Host, b.GetIMAPPort()))
+				require.NoError(t, err)
+				require.NoError(t, client.Login(info.Addresses[0], string(info.BridgePass)))
+				defer func() { _ = client.Logout() }()
+
+				// Check that the new messages arrive in the right location.
+				require.Eventually(t, func() bool {
+					status, err := client.Select(`Folders/folder2`, true)
+					if err != nil {
+						return false
+					}
+					if status.Messages != uint32(renmainingMessageCount) {
+						return false
+					}
+
+					return true
+				}, 10*time.Second, 500*time.Millisecond)
+			}
+		})
+	}, server.WithTLS(false))
+}
+
+func TestBridge_CanProcessEventsDuringSync(t *testing.T) {
+	numMsg := 1 << 8
+
+	withEnv(t, func(ctx context.Context, s *server.Server, netCtl *proton.NetCtl, locator bridge.Locator, storeKey []byte) {
+		userID, addrID, err := s.CreateUser("imap", password)
+		require.NoError(t, err)
+
+		labelID, err := s.CreateLabel(userID, "folder", "", proton.LabelTypeFolder)
+		require.NoError(t, err)
+
+		withClient(ctx, t, s, "imap", password, func(ctx context.Context, c *proton.Client) {
+			createNumMessages(ctx, t, c, addrID, labelID, numMsg)
+		})
+
+		// Simulate 429 to prevent sync from progressing.
+		s.AddStatusHook(func(request *http.Request) (int, bool) {
+			if strings.Contains(request.URL.Path, "/mail/v4/messages/") {
+				return http.StatusTooManyRequests, true
+			}
+
+			return 0, false
+		})
+
+		// The initial user should be fully synced.
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(bridge *bridge.Bridge, _ *bridge.Mocks) {
+			syncStartedCh, syncStartedDone := chToType[events.Event, events.SyncStarted](bridge.GetEvents(events.SyncStarted{}))
+			defer syncStartedDone()
+
+			addressCreatedCh, addressCreatedDone := chToType[events.Event, events.UserAddressCreated](bridge.GetEvents(events.UserAddressCreated{}))
+			defer addressCreatedDone()
+
+			userID, err := bridge.LoginFull(ctx, "imap", password, nil, nil)
+			require.NoError(t, err)
+
+			require.Equal(t, userID, (<-syncStartedCh).UserID)
+
+			// Create a new address
+			newAddress := "foo@proton.ch"
+			addrID, err := s.CreateAddress(userID, newAddress, password)
+			require.NoError(t, err)
+
+			event := <-addressCreatedCh
+			require.Equal(t, userID, event.UserID)
+			require.Equal(t, newAddress, event.Email)
+			require.Equal(t, addrID, event.AddressID)
+		})
+	}, server.WithTLS(false))
+}
+
+func TestBridge_RefreshDuringSyncRestartSync(t *testing.T) {
+	numMsg := 1 << 8
+
+	withEnv(t, func(ctx context.Context, s *server.Server, netCtl *proton.NetCtl, locator bridge.Locator, storeKey []byte) {
+		userID, addrID, err := s.CreateUser("imap", password)
+		require.NoError(t, err)
+
+		labelID, err := s.CreateLabel(userID, "folder", "", proton.LabelTypeFolder)
+		require.NoError(t, err)
+
+		withClient(ctx, t, s, "imap", password, func(ctx context.Context, c *proton.Client) {
+			createNumMessages(ctx, t, c, addrID, labelID, numMsg)
+		})
+
+		var refreshPerformed atomic.Bool
+		refreshPerformed.Store(false)
+
+		// Simulate 429 to prevent sync from progressing.
+		s.AddStatusHook(func(request *http.Request) (int, bool) {
+			if strings.Contains(request.URL.Path, "/mail/v4/messages/") {
+				if !refreshPerformed.Load() {
+					return http.StatusTooManyRequests, true
+				}
+			}
+
+			return 0, false
+		})
+
+		// The initial user should be fully synced.
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(bridge *bridge.Bridge, _ *bridge.Mocks) {
+			syncCh, done := chToType[events.Event, events.SyncFinished](bridge.GetEvents(events.SyncFinished{}))
+			defer done()
+
+			userID, err := bridge.LoginFull(ctx, "imap", password, nil, nil)
+			require.NoError(t, err)
+
+			syncStartedCh, syncStartedDone := chToType[events.Event, events.SyncStarted](bridge.GetEvents(events.SyncStarted{}))
+			defer syncStartedDone()
+
+			require.Equal(t, userID, (<-syncStartedCh).UserID)
+
+			require.NoError(t, err, s.RefreshUser(userID, proton.RefreshMail))
+			require.Equal(t, userID, (<-syncStartedCh).UserID)
+			refreshPerformed.Store(true)
+
+			require.Equal(t, userID, (<-syncCh).UserID)
+		})
+	}, server.WithTLS(false))
+}
+
+func TestBridge_EventReplayAfterSyncHasFinished(t *testing.T) {
+	numMsg := 1 << 8
+
+	withEnv(t, func(ctx context.Context, s *server.Server, netCtl *proton.NetCtl, locator bridge.Locator, storeKey []byte) {
+		userID, addrID, err := s.CreateUser("imap", password)
+		require.NoError(t, err)
+
+		labelID, err := s.CreateLabel(userID, "folder", "", proton.LabelTypeFolder)
+		require.NoError(t, err)
+
+		withClient(ctx, t, s, "imap", password, func(ctx context.Context, c *proton.Client) {
+			createNumMessages(ctx, t, c, addrID, labelID, numMsg)
+		})
+
+		addrID1, err := s.CreateAddress(userID, "foo@proton.ch", password)
+		require.NoError(t, err)
+
+		var allowSyncToProgress atomic.Bool
+		allowSyncToProgress.Store(false)
+
+		// Simulate 429 to prevent sync from progressing.
+		s.AddStatusHook(func(request *http.Request) (int, bool) {
+			if request.Method == "GET" && strings.Contains(request.URL.Path, "/mail/v4/messages/") {
+				if !allowSyncToProgress.Load() {
+					return http.StatusTooManyRequests, true
+				}
+			}
+
+			return 0, false
+		})
+
+		// The initial user should be fully synced.
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(bridge *bridge.Bridge, _ *bridge.Mocks) {
+			syncCh, done := chToType[events.Event, events.SyncFinished](bridge.GetEvents(events.SyncFinished{}))
+			defer done()
+
+			syncStartedCh, syncStartedDone := chToType[events.Event, events.SyncStarted](bridge.GetEvents(events.SyncStarted{}))
+			defer syncStartedDone()
+
+			addressCreatedCh, addressCreatedDone := chToType[events.Event, events.UserAddressCreated](bridge.GetEvents(events.UserAddressCreated{}))
+			defer addressCreatedDone()
+
+			userID, err := bridge.LoginFull(ctx, "imap", password, nil, nil)
+			require.NoError(t, err)
+
+			require.Equal(t, userID, (<-syncStartedCh).UserID)
+
+			// create 20 more messages and move them to inbox
+			withClient(ctx, t, s, "imap", password, func(ctx context.Context, c *proton.Client) {
+				createNumMessages(ctx, t, c, addrID, proton.InboxLabel, 20)
+			})
+
+			// User AddrID2 event as a check point to see when the new address was created.
+			addrID2, err := s.CreateAddress(userID, "bar@proton.ch", password)
+			require.NoError(t, err)
+
+			allowSyncToProgress.Store(true)
+			require.Equal(t, userID, (<-syncCh).UserID)
+
+			// At most two events can be published, one for the first address, then for the second.
+			// if the second event is not `addrID2` then something went wrong.
+			event := <-addressCreatedCh
+			if event.AddressID == addrID1 {
+				event = <-addressCreatedCh
+			}
+
+			require.Equal(t, addrID2, event.AddressID)
+
+			info, err := bridge.GetUserInfo(userID)
+			require.NoError(t, err)
+
+			client, err := eventuallyDial(fmt.Sprintf("%v:%v", constants.Host, bridge.GetIMAPPort()))
+			require.NoError(t, err)
+			require.NoError(t, client.Login(info.Addresses[0], string(info.BridgePass)))
+			defer func() { _ = client.Logout() }()
+
+			// Finally check if the 20 messages are in INBOX.
+			status, err := client.Status("INBOX", []imap.StatusItem{imap.StatusMessages})
+			require.NoError(t, err)
+			require.Equal(t, uint32(20), status.Messages)
+
+			// Finally check if the numMsg are in the folder.
+			status, err = client.Status("Folders/folder", []imap.StatusItem{imap.StatusMessages})
+			require.NoError(t, err)
+			require.Equal(t, uint32(numMsg), status.Messages)
+		})
+	}, server.WithTLS(false))
+}
+
+func TestBridge_MessageCreateDuringSync(t *testing.T) {
+	numMsg := 1 << 8
+
+	withEnv(t, func(ctx context.Context, s *server.Server, netCtl *proton.NetCtl, locator bridge.Locator, storeKey []byte) {
+		userID, addrID, err := s.CreateUser("imap", password)
+		require.NoError(t, err)
+
+		labelID, err := s.CreateLabel(userID, "folder", "", proton.LabelTypeFolder)
+		require.NoError(t, err)
+
+		withClient(ctx, t, s, "imap", password, func(ctx context.Context, c *proton.Client) {
+			createNumMessages(ctx, t, c, addrID, labelID, numMsg)
+		})
+
+		var allowSyncToProgress atomic.Bool
+		allowSyncToProgress.Store(false)
+
+		// Simulate 429 to prevent sync from progressing.
+		s.AddStatusHook(func(request *http.Request) (int, bool) {
+			if request.Method == "GET" && strings.Contains(request.URL.Path, "/mail/v4/messages/") {
+				if !allowSyncToProgress.Load() {
+					return http.StatusTooManyRequests, true
+				}
+			}
+
+			return 0, false
+		})
+
+		// The initial user should be fully synced.
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(bridge *bridge.Bridge, _ *bridge.Mocks) {
+			syncStartedCh, syncStartedDone := chToType[events.Event, events.SyncStarted](bridge.GetEvents(events.SyncStarted{}))
+			defer syncStartedDone()
+
+			addressCreatedCh, addressCreatedDone := chToType[events.Event, events.UserAddressCreated](bridge.GetEvents(events.UserAddressCreated{}))
+			defer addressCreatedDone()
+
+			userID, err := bridge.LoginFull(ctx, "imap", password, nil, nil)
+			require.NoError(t, err)
+
+			require.Equal(t, userID, (<-syncStartedCh).UserID)
+
+			// create 20 more messages and move them to inbox
+			withClient(ctx, t, s, "imap", password, func(ctx context.Context, c *proton.Client) {
+				createNumMessages(ctx, t, c, addrID, proton.InboxLabel, 20)
+			})
+
+			// User AddrID2 event as a check point to see when the new address was created.
+			addrID, err := s.CreateAddress(userID, "bar@proton.ch", password)
+			require.NoError(t, err)
+
+			// At most two events can be published, one for the first address, then for the second.
+			// if the second event is not `addrID` then something went wrong.
+			event := <-addressCreatedCh
+			require.Equal(t, addrID, event.AddressID)
+			allowSyncToProgress.Store(true)
+
+			info, err := bridge.GetUserInfo(userID)
+			require.NoError(t, err)
+
+			client, err := eventuallyDial(fmt.Sprintf("%v:%v", constants.Host, bridge.GetIMAPPort()))
+			require.NoError(t, err)
+			require.NoError(t, client.Login(info.Addresses[0], string(info.BridgePass)))
+			defer func() { _ = client.Logout() }()
+
+			require.Eventually(t, func() bool {
+				// Finally check if the 20 messages are in INBOX.
+				status, err := client.Status("INBOX", []imap.StatusItem{imap.StatusMessages})
+				require.NoError(t, err)
+
+				return uint32(20) == status.Messages
+			}, 10*time.Second, time.Second)
+		})
+	}, server.WithTLS(false))
+}
+
+func TestBridge_CorruptedVaultClearsPreviousIMAPSyncState(t *testing.T) {
+	withEnv(t, func(ctx context.Context, s *server.Server, netCtl *proton.NetCtl, locator bridge.Locator, vaultKey []byte) {
+		userID, addrID, err := s.CreateUser("imap", password)
+		require.NoError(t, err)
+
+		labelID, err := s.CreateLabel(userID, "folder", "", proton.LabelTypeFolder)
+		require.NoError(t, err)
+
+		withClient(ctx, t, s, "imap", password, func(ctx context.Context, c *proton.Client) {
+			createNumMessages(ctx, t, c, addrID, labelID, 100)
+		})
+
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, vaultKey, func(bridge *bridge.Bridge, _ *bridge.Mocks) {
+			syncCh, done := chToType[events.Event, events.SyncFinished](bridge.GetEvents(events.SyncFinished{}))
+			defer done()
+
+			var err error
+
+			userID, err = bridge.LoginFull(context.Background(), "imap", password, nil, nil)
+			require.NoError(t, err)
+
+			// Wait for sync to finish
+			require.Equal(t, userID, (<-syncCh).UserID)
+		})
+
+		settingsPath, err := locator.ProvideSettingsPath()
+		require.NoError(t, err)
+
+		syncConfigPath, err := locator.ProvideIMAPSyncConfigPath()
+		require.NoError(t, err)
+
+		syncStatePath := imapservice.GetSyncConfigPath(syncConfigPath, userID)
+		// Check sync state is complete
+		{
+			state, err := imapservice.NewSyncState(syncStatePath)
+			require.NoError(t, err)
+			syncStatus, err := state.GetSyncStatus(context.Background())
+			require.NoError(t, err)
+			require.True(t, syncStatus.IsComplete())
+		}
+
+		// corrupt the vault
+		require.NoError(t, os.WriteFile(filepath.Join(settingsPath, "vault.enc"), []byte("Trash!"), 0o600))
+
+		// Bridge starts but can't find the gluon database dir; there should be no error.
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, vaultKey, func(bridge *bridge.Bridge, _ *bridge.Mocks) {
+			_, err := bridge.LoginFull(context.Background(), "imap", password, nil, nil)
+			require.NoError(t, err)
+		})
+
+		// Check sync state is reset.
+		{
+			state, err := imapservice.NewSyncState(syncStatePath)
+			require.NoError(t, err)
+			syncStatus, err := state.GetSyncStatus(context.Background())
+			require.NoError(t, err)
+			require.False(t, syncStatus.IsComplete())
+		}
+	})
+}
+
+func TestBridge_AddressOrderChangeDuringSyncInCombinedModeDoesNotTriggerBadEventOnNewMessage(t *testing.T) {
+	withEnv(t, func(ctx context.Context, s *server.Server, netCtl *proton.NetCtl, locator bridge.Locator, storeKey []byte) {
+		// Create a user.
+		userID, addrID, err := s.CreateUser("user", password)
+		require.NoError(t, err)
+
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(bridge *bridge.Bridge, _ *bridge.Mocks) {
+			userInfoChanged, done := chToType[events.Event, events.UserChanged](bridge.GetEvents(events.UserChanged{}))
+			defer done()
+
+			withClient(ctx, t, s, "user", password, func(ctx context.Context, c *proton.Client) {
+				createNumMessages(ctx, t, c, addrID, proton.InboxLabel, 300)
+			})
+
+			_, err := bridge.LoginFull(ctx, "user", password, nil, nil)
+			require.NoError(t, err)
+
+			info, err := bridge.GetUserInfo(userID)
+			require.NoError(t, err)
+			require.Equal(t, 1, len(info.Addresses))
+			require.Equal(t, info.Addresses[0], "user@proton.local")
+
+			addrID2, err := s.CreateAddress(userID, "foo@"+s.GetDomain(), password)
+			require.NoError(t, err)
+
+			require.NoError(t, s.SetAddressOrder(userID, []string{addrID2, addrID}))
+
+			withClient(ctx, t, s, "user", password, func(ctx context.Context, c *proton.Client) {
+				createNumMessages(ctx, t, c, addrID2, proton.InboxLabel, 1)
+			})
+
+			// Since we can't intercept events at this time, we sleep for a bit to make sure the
+			// new message does not get combined into the event below. This ensures the newly created
+			// goes through the full code flow which triggered the original bad event.
+			time.Sleep(time.Second)
+			require.NoError(t, s.SetAddressOrder(userID, []string{addrID, addrID2}))
+
+			for i := 0; i < 2; i++ {
+				select {
+				case <-ctx.Done():
+					return
+				case e := <-userInfoChanged:
+					require.Equal(t, userID, e.UserID)
+				}
+			}
+		})
+	})
+}
+
+func withClient(ctx context.Context, t *testing.T, s *server.Server, username string, password []byte, fn func(context.Context, *proton.Client)) { //nolint:unparam
+	m := proton.New(
+		proton.WithHostURL(s.GetHostURL()),
+		proton.WithTransport(proton.InsecureTransport()),
+	)
+
+	c, _, err := m.NewClientWithLogin(ctx, username, password)
+	require.NoError(t, err)
+	defer c.Close()
+
+	fn(ctx, c)
+}
+
+func clientFetch(client *client.Client, mailbox string, extraItems ...imap.FetchItem) ([]*imap.Message, error) {
+	status, err := client.Select(mailbox, false)
+	if err != nil {
+		return nil, err
+	}
+
+	if status.Messages == 0 {
+		return nil, nil
+	}
+
+	resCh := make(chan *imap.Message)
+
+	fetchItems := []imap.FetchItem{imap.FetchFlags, imap.FetchEnvelope, imap.FetchUid, imap.FetchBodyStructure, "BODY.PEEK[]"}
+	fetchItems = append(fetchItems, extraItems...)
+
+	go func() {
+		if err := client.Fetch(
+			&imap.SeqSet{Set: []imap.Seq{{Start: 1, Stop: status.Messages}}},
+			fetchItems,
+			resCh,
+		); err != nil {
+			panic(err)
+		}
+	}()
+
+	return iterator.Collect(iterator.Chan(resCh)), nil
+}
+
+func clientStore(client *client.Client, from, to int, isUID bool, item imap.StoreItem, flags ...string) error {
+	var storeFunc func(seqset *imap.SeqSet, item imap.StoreItem, value interface{}, ch chan *imap.Message) error
+
+	if isUID {
+		storeFunc = client.UidStore
+	} else {
+		storeFunc = client.Store
+	}
+
+	return storeFunc(
+		&imap.SeqSet{Set: []imap.Seq{{Start: uint32(from), Stop: uint32(to)}}},
+		item,
+		xslices.Map(flags, func(flag string) interface{} { return flag }),
+		nil,
+	)
+}
+
+func clientList(client *client.Client) []*imap.MailboxInfo {
+	resCh := make(chan *imap.MailboxInfo)
+
+	go func() {
+		if err := client.List("", "*", resCh); err != nil {
+			panic(err)
+		}
+	}()
+
+	return iterator.Collect(iterator.Chan(resCh))
+}
+
+func createNumMessages(ctx context.Context, t *testing.T, c *proton.Client, addrID, labelID string, count int) []string {
+	literal, err := os.ReadFile(filepath.Join("testdata", "text-plain.eml"))
+	require.NoError(t, err)
+
+	return createMessages(ctx, t, c, addrID, labelID, xslices.Repeat(literal, count)...)
+}
+
+func createMessages(ctx context.Context, t *testing.T, c *proton.Client, addrID, labelID string, messages ...[]byte) []string {
+	return createMessagesWithFlags(ctx, t, c, addrID, labelID, 0, messages...)
+}
+
+func createMessagesWithFlags(ctx context.Context, t *testing.T, c *proton.Client, addrID, labelID string, flags proton.MessageFlag, messages ...[]byte) []string {
+	user, err := c.GetUser(ctx)
+	require.NoError(t, err)
+
+	addr, err := c.GetAddresses(ctx)
+	require.NoError(t, err)
+
+	salt, err := c.GetSalts(ctx)
+	require.NoError(t, err)
+
+	keyPass, err := salt.SaltForKey(password, user.Keys.Primary().ID)
+	require.NoError(t, err)
+
+	_, addrKRs, err := proton.Unlock(user, addr, keyPass, async.NoopPanicHandler{})
+	require.NoError(t, err)
+
+	_, ok := addrKRs[addrID]
+	require.True(t, ok)
+
+	var msgFlags proton.MessageFlag
+	if flags == 0 {
+		msgFlags = proton.MessageFlagReceived
+	} else {
+		msgFlags = flags
+	}
+
+	str, err := c.ImportMessages(
+		ctx,
+		addrKRs[addrID],
+		runtime.NumCPU(),
+		runtime.NumCPU(),
+		xslices.Map(messages, func(message []byte) proton.ImportReq {
+			return proton.ImportReq{
+				Metadata: proton.ImportMetadata{
+					AddressID: addrID,
+					LabelIDs:  []string{labelID},
+					Flags:     msgFlags,
+				},
+				Message: message,
+			}
+		})...,
+	)
+	require.NoError(t, err)
+
+	res, err := stream.Collect(ctx, str)
+	require.NoError(t, err)
+
+	return xslices.Map(res, func(res proton.ImportRes) string {
+		return res.MessageID
+	})
+}
+
+func countBytesRead(ctl *proton.NetCtl, fn func()) uint64 {
+	var read uint64
+
+	ctl.OnRead(func(b []byte) {
+		atomic.AddUint64(&read, uint64(len(b)))
+	})
+
+	fn()
+
+	return read
+}
--- a/internal/bridge/sync_unix_test.go
+++ b/internal/bridge/sync_unix_test.go
@ -0,0 +1,82 @@
+// Copyright (c) 2025 Proton AG
+//
+// This file is part of Proton Mail Bridge.
+//
+// Proton Mail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Proton Mail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Proton Mail Bridge.  If not, see <https://www.gnu.org/licenses/>.
+
+//go:build !windows
+
+package bridge_test
+
+import (
+	"context"
+	"syscall"
+	"testing"
+
+	"github.com/ProtonMail/go-proton-api"
+	"github.com/ProtonMail/go-proton-api/server"
+	"github.com/ProtonMail/proton-bridge/v3/internal/bridge"
+	"github.com/ProtonMail/proton-bridge/v3/internal/events"
+	"github.com/stretchr/testify/require"
+)
+
+// Disabled due to flakiness.
+func _TestBridge_SyncExistsWithErrorWhenTooManyFilesAreOpen(t *testing.T) { //nolint:unused
+	var rlimitCurrent syscall.Rlimit
+
+	require.NoError(t, syscall.Getrlimit(syscall.RLIMIT_NOFILE, &rlimitCurrent))
+
+	// Restore RLimit for Process at the end of this test
+	defer func() {
+		require.NoError(t, syscall.Setrlimit(syscall.RLIMIT_NOFILE, &rlimitCurrent))
+	}()
+
+	rlimit := syscall.Rlimit{
+		Max: 100,
+		Cur: 100,
+	}
+
+	require.NoError(t, syscall.Setrlimit(syscall.RLIMIT_NOFILE, &rlimit))
+
+	numMsg := 1 << 8
+
+	withEnv(t, func(ctx context.Context, s *server.Server, netCtl *proton.NetCtl, locator bridge.Locator, storeKey []byte) {
+		userID, addrID, err := s.CreateUser("imap", password)
+		require.NoError(t, err)
+
+		labelID, err := s.CreateLabel(userID, "folder", "", proton.LabelTypeFolder)
+		require.NoError(t, err)
+
+		withClient(ctx, t, s, "imap", password, func(ctx context.Context, c *proton.Client) {
+			createNumMessages(ctx, t, c, addrID, labelID, numMsg)
+		})
+
+		// The initial user should be fully synced.
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(bridge *bridge.Bridge, _ *bridge.Mocks) {
+			syncCh, done := bridge.GetEvents(events.SyncFailed{})
+			defer done()
+
+			userID, err := bridge.LoginFull(ctx, "imap", password, nil, nil)
+			require.NoError(t, err)
+
+			evt := <-syncCh
+			switch e := evt.(type) {
+			case events.SyncFailed:
+				require.Equal(t, userID, e.UserID)
+			default:
+				require.Fail(t, "Expected events.SyncFailed{}")
+			}
+		})
+	}, server.WithTLS(false))
+}
--- a/internal/bridge/testdata/invite.eml
+++ b/internal/bridge/testdata/invite.eml
@ -0,0 +1,85 @@
+From: <username@proton.local>
+To: <recipient@proton.local>
+Subject: Testing calendar invite
+Date: Fri, 3 Feb 2023 01:04:32 +0100
+Message-ID: <000001d93763$183b74e0$48b25ea0$@proton.local>
+MIME-Version: 1.0
+Content-Type: text/calendar; method=REQUEST;
+	charset="utf-8"
+Content-Transfer-Encoding: 7bit
+X-Mailer: Microsoft Outlook 16.0
+Thread-Index: Adk3Yw5pLdgwsT46RviXb/nfvQlesQAAAmGA
+Content-Language: en-gb
+
+BEGIN:VCALENDAR
+PRODID:-//Microsoft Corporation//Outlook 16.0 MIMEDIR//EN
+VERSION:2.0
+METHOD:REQUEST
+X-MS-OLK-FORCEINSPECTOROPEN:TRUE
+BEGIN:VTIMEZONE
+TZID:Central European Standard Time
+BEGIN:STANDARD
+DTSTART:16011028T030000
+RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10
+TZOFFSETFROM:+0200
+TZOFFSETTO:+0100
+END:STANDARD
+BEGIN:DAYLIGHT
+DTSTART:16010325T020000
+RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3
+TZOFFSETFROM:+0100
+TZOFFSETTO:+0200
+END:DAYLIGHT
+END:VTIMEZONE
+BEGIN:VEVENT
+ATTENDEE;CN=recipient@proton.local;RSVP=TRUE:mailto:recipient@proton.local
+CLASS:PUBLIC
+CREATED:20230203T000432Z
+DESCRIPTION:qweqweqweqweqweqwe/gn\\n
+DTEND;TZID="Central European Standard Time":20230203T020000
+DTSTAMP:20230203T000432Z
+DTSTART;TZID="Central European Standard Time":20230203T013000
+LAST-MODIFIED:20230203T000432Z
+LOCATION:qweqwe
+ORGANIZER;CN=username@proton.local:mailto:username@proton.local
+PRIORITY:5
+SEQUENCE:0
+SUMMARY;LANGUAGE=en-gb:Testing calendar invite
+TRANSP:OPAQUE
+UID:040000008200E00074C5B7101A82E008000000003080B2796B37D901000000000000000
+	0100000001236CD1CD93CA9449C6FF1AC4DEAC44E
+X-ALT-DESC;FMTTYPE=text/html:<html xmlns:v="urn:schemas-microsoft-com:vml" 
+	xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-mic
+	rosoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/
+	12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Co
+	ntent-Type content="text/html/g; charset=us-ascii"><meta name=Generator con
+	tent="Microsoft Word 15 (filtered medium)"><style><!--/gn/* Font Definition
+	s *//gn@font-face\\n	{font-family:"Cambria Math"\\;\\n	panose-1:2 4 5 3 5 4 6 
+	3 2 4/g;}\\n@font-face\\n	{font-family:Calibri\\;\\n	panose-1:2 15 5 2 2 2 4 3 
+	2 4/g;}\\n/* Style Definitions */\\np.MsoNormal\\, li.MsoNormal\\, div.MsoNorma
+	l/gn	{margin:0cm\\;\\n	font-size:11.0pt\\;\\n	font-family:"Calibri"\\,sans-serif
+	/g;\\n	mso-fareast-language:EN-US\\;}\\nspan.EmailStyle18\\n	{mso-style-type:pe
+	rsonal-compose/g;\\n	font-family:"Calibri"\\,sans-serif\\;\\n	color:windowtext\\
+	;}/gn.MsoChpDefault\\n	{mso-style-type:export-only\\;\\n	font-size:10.0pt\\;}\\n
+	@page WordSection1/gn	{size:612.0pt 792.0pt\\;\\n	margin:72.0pt 72.0pt 72.0pt
+	 72.0pt/g;}\\ndiv.WordSection1\\n	{page:WordSection1\\;}\\n--></style><!--[if g
+	te mso 9]><xml>/gn<o:shapedefaults v:ext="edit" spidmax="1026" />\\n</xml><!
+	[endif]--><!--[if gte mso 9]><xml>/gn<o:shapelayout v:ext="edit">\\n<o:idmap
+	 v:ext="edit" data="1" />/gn</o:shapelayout></xml><![endif]--></head><body 
+	lang=EN-GB link="#0563C1" vlink="#954F72" style='word-wrap:break-word'><di
+	v class=WordSection1><p class=MsoNormal><span lang=EN-US>qweqweqweqweqweqw
+	e<o:p></o:p></span></p></div></body></html>
+X-MICROSOFT-CDO-BUSYSTATUS:TENTATIVE
+X-MICROSOFT-CDO-IMPORTANCE:1
+X-MICROSOFT-CDO-INTENDEDSTATUS:BUSY
+X-MICROSOFT-DISALLOW-COUNTER:FALSE
+X-MS-OLK-AUTOSTARTCHECK:FALSE
+X-MS-OLK-CONFTYPE:0
+BEGIN:VALARM
+TRIGGER:-PT15M
+ACTION:DISPLAY
+DESCRIPTION:Reminder
+END:VALARM
+END:VEVENT
+END:VCALENDAR
+
--- a/internal/bridge/testdata/text-plain.eml
+++ b/internal/bridge/testdata/text-plain.eml
@ -0,0 +1,6 @@
+To: recipient@pm.me
+From: sender@pm.me
+Subject: Test
+Content-Type: text/plain; charset=utf-8
+
+Test
--- a/internal/bridge/tls.go
+++ b/internal/bridge/tls.go
@ -1,4 +1,4 @@
-// Copyright (c) 2022 Proton AG
+// Copyright (c) 2025 Proton AG
 //
 // This file is part of Proton Mail Bridge.
 //
@ -17,48 +17,10 @@

 package bridge

-import (
-	"crypto/tls"
-
-	pkgTLS "github.com/ProtonMail/proton-bridge/v2/internal/config/tls"
-	"github.com/pkg/errors"
-	logrus "github.com/sirupsen/logrus"
-)
-
-func (b *Bridge) GetTLSConfig() (*tls.Config, error) {
-	if !b.tls.HasCerts() {
-		if err := b.generateTLSCerts(); err != nil {
-			return nil, err
-		}
+func (bridge *Bridge) GetBridgeTLSCert() ([]byte, []byte) {
+	return bridge.vault.GetBridgeTLSCert()
 }

-	tlsConfig, err := b.tls.GetConfig()
-	if err == nil {
-		return tlsConfig, nil
-	}
-
-	logrus.WithError(err).Error("Failed to load TLS config, regenerating certificates")
-
-	if err := b.generateTLSCerts(); err != nil {
-		return nil, err
-	}
-
-	return b.tls.GetConfig()
-}
-
-func (b *Bridge) generateTLSCerts() error {
-	template, err := pkgTLS.NewTLSTemplate()
-	if err != nil {
-		return errors.Wrap(err, "failed to generate TLS template")
-	}
-
-	if err := b.tls.GenerateCerts(template); err != nil {
-		return errors.Wrap(err, "failed to generate TLS certs")
-	}
-
-	if err := b.tls.InstallCerts(); err != nil {
-		return errors.Wrap(err, "failed to install TLS certs")
-	}
-
-	return nil
+func (bridge *Bridge) SetBridgeTLSCertPath(certPath, keyPath string) error {
+	return bridge.vault.SetBridgeTLSCertPath(certPath, keyPath)
 }
--- a/internal/bridge/types.go
+++ b/internal/bridge/types.go
@ -1,4 +1,4 @@
-// Copyright (c) 2022 Proton AG
+// Copyright (c) 2025 Proton AG
 //
 // This file is part of Proton Mail Bridge.
 //
@ -18,45 +18,43 @@
 package bridge

 import (
-	"github.com/Masterminds/semver/v3"
+	"context"

-	"github.com/ProtonMail/proton-bridge/v2/internal/config/settings"
-	"github.com/ProtonMail/proton-bridge/v2/internal/updater"
+	"github.com/ProtonMail/proton-bridge/v3/internal/updater"
 )

 type Locator interface {
+	ProvideSettingsPath() (string, error)
 	ProvideLogsPath() (string, error)
-
+	ProvideGluonCachePath() (string, error)
+	ProvideGluonDataPath() (string, error)
 	GetLicenseFilePath() string
 	GetDependencyLicensesLink() string
-
-	Clear() error
-	ClearUpdates() error
+	Clear(...string) error
+	ProvideIMAPSyncConfigPath() (string, error)
+	ProvideUnleashCachePath() (string, error)
+	ProvideNotificationsCachePath() (string, error)
 }

-type CacheProvider interface {
-	GetIMAPCachePath() string
-	GetDBDir() string
-	GetDefaultMessageCacheDir() string
+type ProxyController interface {
+	AllowProxy()
+	DisallowProxy()
 }

-type SettingsProvider interface {
-	Get(key settings.Key) string
-	Set(key settings.Key, value string)
+type TLSReporter interface {
+	GetTLSIssueCh() <-chan struct{}
+}

-	GetBool(key settings.Key) bool
-	SetBool(key settings.Key, val bool)
-
-	GetInt(key settings.Key) int
-	SetInt(key settings.Key, val int)
+type Autostarter interface {
+	Enable() error
+	Disable() error
+	IsEnabled() bool
 }

 type Updater interface {
-	Check() (updater.VersionInfo, error)
-	IsDowngrade(updater.VersionInfo) bool
-	InstallUpdate(updater.VersionInfo) error
-}
-
-type Versioner interface {
-	RemoveOtherVersions(*semver.Version) error
+	GetVersionInfoLegacy(context.Context, updater.Downloader, updater.Channel) (updater.VersionInfoLegacy, error)
+	InstallUpdateLegacy(context.Context, updater.Downloader, updater.VersionInfoLegacy) error
+	RemoveOldUpdates() error
+	GetVersionInfo(context.Context, updater.Downloader) (updater.VersionInfo, error)
+	InstallUpdate(context.Context, updater.Downloader, updater.Release) error
 }
--- a/internal/bridge/unleash_test.go
+++ b/internal/bridge/unleash_test.go
@ -0,0 +1,90 @@
+// Copyright (c) 2025 Proton AG
+//
+// This file is part of Proton Mail Bridge.
+//
+// Proton Mail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Proton Mail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Proton Mail Bridge. If not, see <https://www.gnu.org/licenses/>.
+
+package bridge_test
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/ProtonMail/go-proton-api"
+	"github.com/ProtonMail/go-proton-api/server"
+	"github.com/ProtonMail/proton-bridge/v3/internal/bridge"
+	"github.com/ProtonMail/proton-bridge/v3/internal/unleash"
+	"github.com/stretchr/testify/require"
+)
+
+func Test_UnleashService(t *testing.T) {
+	withEnv(t, func(ctx context.Context, s *server.Server, netCtl *proton.NetCtl, locator bridge.Locator, storeKey []byte) {
+		unleash.ModifyPollPeriodAndJitter(500*time.Millisecond, 0)
+
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(b *bridge.Bridge, _ *bridge.Mocks) {
+			// Initial startup assumes there is no cached feature flags.
+			require.Equal(t, b.GetFeatureFlagValue("test-1"), false)
+			require.Equal(t, b.GetFeatureFlagValue("test-2"), false)
+			require.Equal(t, b.GetFeatureFlagValue("test-3"), false)
+
+			s.PushFeatureFlag("test-1")
+			s.PushFeatureFlag("test-2")
+
+			// Wait for poll.
+			time.Sleep(time.Millisecond * 700)
+			require.Equal(t, b.GetFeatureFlagValue("test-1"), true)
+			require.Equal(t, b.GetFeatureFlagValue("test-2"), true)
+			require.Equal(t, b.GetFeatureFlagValue("test-3"), false)
+
+			s.PushFeatureFlag("test-3")
+			time.Sleep(time.Millisecond * 700) // Wait for poll again
+			require.Equal(t, b.GetFeatureFlagValue("test-1"), true)
+			require.Equal(t, b.GetFeatureFlagValue("test-2"), true)
+			require.Equal(t, b.GetFeatureFlagValue("test-3"), true)
+		})
+
+		// Wait for Bridge to close.
+		time.Sleep(time.Millisecond * 500)
+
+		// Second instance should have a feature flag cache file available. Therefore, all of the flags should evaluate to true on startup.
+		withBridge(ctx, t, s.GetHostURL(), netCtl, locator, storeKey, func(b *bridge.Bridge, _ *bridge.Mocks) {
+			require.Equal(t, b.GetFeatureFlagValue("test-1"), true)
+			require.Equal(t, b.GetFeatureFlagValue("test-2"), true)
+			require.Equal(t, b.GetFeatureFlagValue("test-3"), true)
+
+			s.DeleteFeatureFlags()
+
+			require.Equal(t, b.GetFeatureFlagValue("test-1"), true)
+			require.Equal(t, b.GetFeatureFlagValue("test-2"), true)
+			require.Equal(t, b.GetFeatureFlagValue("test-3"), true)
+
+			time.Sleep(time.Millisecond * 700)
+
+			require.Equal(t, b.GetFeatureFlagValue("test-1"), false)
+			require.Equal(t, b.GetFeatureFlagValue("test-2"), false)
+			require.Equal(t, b.GetFeatureFlagValue("test-3"), false)
+
+			s.PushFeatureFlag("test-3")
+			require.Equal(t, b.GetFeatureFlagValue("test-1"), false)
+			require.Equal(t, b.GetFeatureFlagValue("test-2"), false)
+			require.Equal(t, b.GetFeatureFlagValue("test-3"), false)
+
+			time.Sleep(time.Millisecond * 700)
+			require.Equal(t, b.GetFeatureFlagValue("test-1"), false)
+			require.Equal(t, b.GetFeatureFlagValue("test-2"), false)
+			require.Equal(t, b.GetFeatureFlagValue("test-3"), true)
+		})
+	})
+}
--- a/internal/bridge/updates.go
+++ b/internal/bridge/updates.go
@ -0,0 +1,371 @@
+// Copyright (c) 2025 Proton AG
+//
+// This file is part of Proton Mail Bridge.
+//
+// Proton Mail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Proton Mail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Proton Mail Bridge.  If not, see <https://www.gnu.org/licenses/>.
+
+package bridge
+
+import (
+	"context"
+	"errors"
+
+	"github.com/Masterminds/semver/v3"
+	"github.com/ProtonMail/gluon/reporter"
+	"github.com/ProtonMail/proton-bridge/v3/internal/events"
+	"github.com/ProtonMail/proton-bridge/v3/internal/safe"
+	"github.com/ProtonMail/proton-bridge/v3/internal/updater"
+	"github.com/elastic/go-sysinfo"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/exp/slices"
+)
+
+func (bridge *Bridge) CheckForUpdates() {
+	bridge.goUpdate()
+}
+
+func (bridge *Bridge) InstallUpdateLegacy(version updater.VersionInfoLegacy) {
+	bridge.installChLegacy <- installJobLegacy{version: version, silent: false}
+}
+
+func (bridge *Bridge) InstallUpdate(release updater.Release) {
+	bridge.installCh <- installJob{Release: release, Silent: false}
+}
+
+func (bridge *Bridge) handleUpdate(version updater.VersionInfo) {
+	updateChannel := bridge.vault.GetUpdateChannel()
+	updateRollout := bridge.vault.GetUpdateRollout()
+	autoUpdateEnabled := bridge.vault.GetAutoUpdate()
+
+	checkSystemVersion := true
+	hostInfo, err := sysinfo.Host()
+	// If we're unable to get host system information we skip the update's minimum/maximum OS version checks
+	if err != nil {
+		checkSystemVersion = false
+		logrus.WithError(err).Error("Failed to obtain host system info while handling updates")
+		if reporterErr := bridge.reporter.ReportMessageWithContext(
+			"Failed to obtain host system info while handling updates",
+			reporter.Context{"error": err},
+		); reporterErr != nil {
+			logrus.WithError(reporterErr).Error("Failed to report update error")
+		}
+	}
+
+	if len(version.Releases) > 0 {
+		// Update latest is only used to update the release notes and landing page URL
+		bridge.publish(events.UpdateLatest{Release: version.Releases[0]})
+	}
+
+	// minAutoUpdateEvent - used to determine the highest compatible update that satisfies the Minimum Bridge version
+	minAutoUpdateEvent := events.UpdateAvailable{
+		Release:    updater.Release{Version: &semver.Version{}},
+		Compatible: false,
+		Silent:     false,
+	}
+
+	// We assume that the version file is always created in descending order
+	// where newer versions are prepended to the top of the releases
+	// The logic for checking update eligibility is as follows:
+	// 1. Check release channel.
+	// 2. Check whether release version is greater.
+	// 3. Check if rollout is larger.
+	// 4. Check OS Version restrictions (provided that restrictions are provided, and we can extract the OS version).
+	// 5. Check Minimum Compatible Bridge Version.
+	// 6. Check if an update package is provided.
+	// 7. Check auto-update.
+	for _, release := range version.Releases {
+		log := logrus.WithFields(logrus.Fields{
+			"current":               bridge.curVersion,
+			"channel":               updateChannel,
+			"update_version":        release.Version,
+			"update_channel":        release.ReleaseCategory,
+			"update_min_auto":       release.MinAuto,
+			"update_rollout":        release.RolloutProportion,
+			"update_min_os_version": release.SystemVersion.Minimum,
+			"update_max_os_version": release.SystemVersion.Maximum,
+		})
+
+		log.Debug("Checking update release")
+
+		if !release.ReleaseCategory.UpdateEligible(updateChannel) {
+			log.Debug("Update does not satisfy update channel requirement")
+			continue
+		}
+
+		if !release.Version.GreaterThan(bridge.curVersion) {
+			log.Debug("Update version is not greater than current version")
+			continue
+		}
+
+		if release.RolloutProportion < updateRollout {
+			log.Debug("Update has not been rolled out yet")
+			continue
+		}
+
+		if checkSystemVersion {
+			shouldContinue, err := release.SystemVersion.IsHostVersionEligible(log, hostInfo, bridge.getHostVersion)
+			if err != nil && shouldContinue {
+				log.WithError(err).Error(
+					"Failed to verify host system version compatibility during release check." +
+						"Error is non-fatal continuing with checks",
+				)
+			} else if err != nil {
+				log.WithError(err).Error("Failed to verify host system version compatibility during update check")
+				continue
+			}
+
+			if !shouldContinue {
+				log.Debug("Host version does not satisfy system requirements for update")
+				continue
+			}
+		}
+
+		if release.MinAuto != nil && bridge.curVersion.LessThan(release.MinAuto) {
+			log.Debug("Update is available but is incompatible with this Bridge version")
+			if release.Version.GreaterThan(minAutoUpdateEvent.Release.Version) {
+				minAutoUpdateEvent.Release = release
+			}
+			continue
+		}
+
+		// Check if we have a provided installer package
+		if found := slices.IndexFunc(release.File, func(file updater.File) bool {
+			return file.Identifier == updater.PackageIdentifier
+		}); found == -1 {
+			log.Error("Update is available but does not contain update package")
+
+			if reporterErr := bridge.reporter.ReportMessageWithContext(
+				"Available update does not contain update package",
+				reporter.Context{"update_version": release.Version},
+			); reporterErr != nil {
+				log.WithError(reporterErr).Error("Failed to report update error")
+			}
+
+			continue
+		}
+
+		if !autoUpdateEnabled {
+			log.Info("An update is available but auto-update is disabled")
+			bridge.publish(events.UpdateAvailable{
+				Release:    release,
+				Compatible: true,
+				Silent:     false,
+			})
+			return
+		}
+
+		// If we've gotten to this point that means an automatic update is available and we should install it
+		safe.RLock(func() {
+			bridge.installCh <- installJob{Release: release, Silent: true}
+		}, bridge.newVersionLock)
+
+		return
+	}
+
+	// If there's a release with a minAuto requirement that we satisfy (alongside all other checks)
+	// then notify the user that a manual update is needed
+	if !minAutoUpdateEvent.Release.Version.Equal(&semver.Version{}) {
+		bridge.publish(minAutoUpdateEvent)
+	}
+
+	bridge.publish(events.UpdateNotAvailable{})
+}
+
+func (bridge *Bridge) handleUpdateLegacy(version updater.VersionInfoLegacy) {
+	log := logrus.WithFields(logrus.Fields{
+		"version": version.Version,
+		"current": bridge.curVersion,
+		"channel": bridge.vault.GetUpdateChannel(),
+	})
+
+	bridge.publish(events.UpdateLatest{
+		VersionLegacy: version,
+	})
+
+	switch {
+	case !version.Version.GreaterThan(bridge.curVersion):
+		log.Debug("No update available")
+
+		bridge.publish(events.UpdateNotAvailable{})
+
+	case version.RolloutProportion < bridge.vault.GetUpdateRollout():
+		log.Info("An update is available but has not been rolled out yet")
+
+		bridge.publish(events.UpdateNotAvailable{})
+
+	case bridge.curVersion.LessThan(version.MinAuto):
+		log.Info("An update is available but is incompatible with this version")
+
+		bridge.publish(events.UpdateAvailable{
+			VersionLegacy: version,
+			Compatible:    false,
+			Silent:        false,
+		})
+
+	case !bridge.vault.GetAutoUpdate():
+		log.Info("An update is available but auto-update is disabled")
+
+		bridge.publish(events.UpdateAvailable{
+			VersionLegacy: version,
+			Compatible:    true,
+			Silent:        false,
+		})
+
+	default:
+		safe.RLock(func() {
+			bridge.installChLegacy <- installJobLegacy{version: version, silent: true}
+		}, bridge.newVersionLock)
+	}
+}
+
+type installJobLegacy struct {
+	version updater.VersionInfoLegacy
+	silent  bool
+}
+
+func (bridge *Bridge) installUpdateLegacy(ctx context.Context, job installJobLegacy) {
+	safe.Lock(func() {
+		log := logrus.WithFields(logrus.Fields{
+			"version": job.version.Version,
+			"current": bridge.curVersion,
+			"channel": bridge.vault.GetUpdateChannel(),
+		})
+
+		if !job.version.Version.GreaterThan(bridge.newVersion) {
+			return
+		}
+
+		log.WithField("silent", job.silent).Info("An update is available")
+
+		bridge.publish(events.UpdateAvailable{
+			VersionLegacy: job.version,
+			Compatible:    true,
+			Silent:        job.silent,
+		})
+
+		err := bridge.updater.InstallUpdateLegacy(ctx, bridge.api, job.version)
+
+		switch {
+		case errors.Is(err, updater.ErrDownloadVerify):
+			// BRIDGE-207: if download or verification fails, we do not want to trigger a manual update. We report in the log and to Sentry
+			// and we fail silently.
+			log.WithError(err).Error("The update could not be installed, but we will fail silently")
+			if reporterErr := bridge.reporter.ReportMessageWithContext(
+				"Cannot download or verify update",
+				reporter.Context{"error": err},
+			); reporterErr != nil {
+				log.WithError(reporterErr).Error("Failed to report update error")
+			}
+
+		case errors.Is(err, updater.ErrUpdateAlreadyInstalled):
+			log.Info("The update was already installed")
+
+		case err != nil:
+			log.WithError(err).Error("The update could not be installed")
+
+			bridge.publish(events.UpdateFailed{
+				VersionLegacy: job.version,
+				Silent:        job.silent,
+				Error:         err,
+			})
+
+		default:
+			log.Info("The update was installed successfully")
+
+			bridge.publish(events.UpdateInstalled{
+				VersionLegacy: job.version,
+				Silent:        job.silent,
+			})
+
+			bridge.newVersion = job.version.Version
+		}
+	}, bridge.newVersionLock)
+}
+
+type installJob struct {
+	Release updater.Release
+	Silent  bool
+}
+
+func (bridge *Bridge) installUpdate(ctx context.Context, job installJob) {
+	safe.Lock(func() {
+		log := logrus.WithFields(logrus.Fields{
+			"version": job.Release.Version,
+			"current": bridge.curVersion,
+			"channel": bridge.vault.GetUpdateChannel(),
+		})
+
+		if !job.Release.Version.GreaterThan(bridge.newVersion) {
+			return
+		}
+
+		log.WithField("silent", job.Silent).Info("An update is available")
+
+		bridge.publish(events.UpdateAvailable{
+			Release:    job.Release,
+			Compatible: true,
+			Silent:     job.Silent,
+		})
+
+		err := bridge.updater.InstallUpdate(ctx, bridge.api, job.Release)
+		switch {
+		case errors.Is(err, updater.ErrReleaseUpdatePackageMissing):
+			log.WithError(err).Error("The update could not be installed but we will fail silently")
+			if reporterErr := bridge.reporter.ReportExceptionWithContext(
+				"Cannot download update, update package is missing",
+				reporter.Context{"error": err},
+			); reporterErr != nil {
+				log.WithError(reporterErr).Error("Failed to report update error")
+			}
+		case errors.Is(err, updater.ErrDownloadVerify):
+			// BRIDGE-207: if download or verification fails, we do not want to trigger a manual update. We report in the log and to Sentry
+			// and we fail silently.
+			log.WithError(err).Error("The update could not be installed, but we will fail silently")
+			if reporterErr := bridge.reporter.ReportMessageWithContext(
+				"Cannot download or verify update",
+				reporter.Context{"error": err},
+			); reporterErr != nil {
+				log.WithError(reporterErr).Error("Failed to report update error")
+			}
+
+		case errors.Is(err, updater.ErrUpdateAlreadyInstalled):
+			log.Info("The update was already installed")
+
+		case err != nil:
+			log.WithError(err).Error("The update could not be installed")
+
+			bridge.publish(events.UpdateFailed{
+				Release: job.Release,
+				Silent:  job.Silent,
+				Error:   err,
+			})
+
+		default:
+			log.Info("The update was installed successfully")
+
+			bridge.publish(events.UpdateInstalled{
+				Release: job.Release,
+				Silent:  job.Silent,
+			})
+
+			bridge.newVersion = job.Release.Version
+		}
+	}, bridge.newVersionLock)
+}
+
+func (bridge *Bridge) RemoveOldUpdates() {
+	if err := bridge.updater.RemoveOldUpdates(); err != nil {
+		logrus.WithError(err).Error("Remove old updates fails")
+	}
+}
--- a/Show More
+++ b/Show More