feat: fix notifications on Android 13+/16, add Log tab, fix ON_CHANGE detection

- Request POST_NOTIFICATIONS permission at runtime in MainActivity (primary fix
  for notifications never appearing on Android 13+ phones including Android 16)
- Register all 4 notification channels eagerly in SyncFlowApp.onCreate() instead
  of lazily inside workers
- Add FOREGROUND_SERVICE_SHORT_SERVICE permission + shortService foreground type
  for Android 16 foreground service compatibility
- Add global activity Log tab (new tab 2 in main nav) showing all sync events
  across all pairs, grouped by date with pair name, event icon, and file detail
- Fix FileWatchService ON_CHANGE detection: ContentObserver on SAF tree URIs only
  fires for SAF-API writes, not raw filesystem writes. Now resolves primary:/*
  tree URIs to /storage/emulated/0/* and uses FileObserver for reliable detection
- Bump version to 1.0.21 (build 22)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.gitea/workflows/release.yml

@@ -0,0 +1,52 @@
+name: Build & Release APK
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-java@v4
+        with:
+          java-version: '17'
+          distribution: 'temurin'
+          cache: gradle
+
+      - uses: android-actions/setup-android@v3
+
+      - name: Build debug APK
+        run: |
+          chmod +x gradlew
+          ./gradlew assembleDebug --no-daemon
+
+      - name: Get version name
+        id: ver
+        run: echo "name=$(grep VERSION_NAME version.properties | cut -d= -f2)" >> $GITHUB_OUTPUT
+
+      - name: Rename APK
+        run: |
+          mkdir dist
+          cp app/build/outputs/apk/debug/app-debug.apk \
+             dist/SyncFlow-v${{ steps.ver.outputs.name }}.apk
+
+      - name: Attach APK to release
+        env:
+          TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAG: ${{ github.ref_name }}
+          VERSION: ${{ steps.ver.outputs.name }}
+        run: |
+          RELEASE_ID=$(curl -sf \
+            "https://gitea.khodak.me/api/v1/repos/amir/SyncFlow/releases/tags/$TAG" \
+            -H "Authorization: token $TOKEN" \
+            | python3 -c "import sys,json; print(json.load(sys.stdin)['id'])")
+          curl -sf -X POST \
+            "https://gitea.khodak.me/api/v1/repos/amir/SyncFlow/releases/$RELEASE_ID/assets" \
+            -H "Authorization: token $TOKEN" \
+            -F "attachment=@dist/SyncFlow-v${VERSION}.apk"
+          echo "APK uploaded to release $TAG"

app/src/main/AndroidManifest.xml

@@ -8,6 +8,7 @@
     <uses-permission android:name="android.permission.MANAGE_EXTERNAL_STORAGE" tools:ignore="ScopedStorage" />
     <uses-permission android:name="android.permission.FOREGROUND_SERVICE" />
     <uses-permission android:name="android.permission.FOREGROUND_SERVICE_DATA_SYNC" />
+    <uses-permission android:name="android.permission.FOREGROUND_SERVICE_SHORT_SERVICE" />
     <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
     <uses-permission android:name="android.permission.POST_NOTIFICATIONS" />
     <uses-permission android:name="android.permission.WAKE_LOCK" />
@@ -71,13 +72,13 @@
         <!-- File watcher for ON_CHANGE sync pairs -->
         <service
             android:name=".worker.FileWatchService"
-            android:foregroundServiceType="dataSync"
+            android:foregroundServiceType="dataSync|shortService"
             android:exported="false" />
 
         <!-- Required on API 29+ so WorkManager can start a typed foreground service -->
         <service
             android:name="androidx.work.impl.foreground.SystemForegroundService"
-            android:foregroundServiceType="dataSync"
+            android:foregroundServiceType="dataSync|shortService"
             tools:node="merge" />
 
         <!-- Remove WorkManager's default initializer — app uses on-demand init via Configuration.Provider -->

app/src/main/kotlin/com/syncflow/MainActivity.kt

@@ -1,9 +1,12 @@
 package com.syncflow
 
+import android.Manifest
+import android.content.pm.PackageManager
 import android.os.Build
 import android.os.Bundle
 import androidx.activity.compose.setContent
 import androidx.activity.enableEdgeToEdge
+import androidx.activity.result.contract.ActivityResultContracts
 import androidx.appcompat.app.AppCompatActivity
 import androidx.biometric.BiometricManager
 import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
@@ -49,10 +52,14 @@ class MainActivity : AppCompatActivity() {
     private var isLocked by mutableStateOf(false)
     private var showRetry by mutableStateOf(false)
 
+    private val requestNotificationPermission =
+        registerForActivityResult(ActivityResultContracts.RequestPermission()) { /* proceed regardless */ }
+
     override fun onCreate(savedInstanceState: Bundle?) {
         installSplashScreen()
         super.onCreate(savedInstanceState)
         enableEdgeToEdge()
+        requestNotificationPermissionIfNeeded()
         setContent {
             SyncFlowTheme {
                 Surface(modifier = Modifier.fillMaxSize()) {
@@ -127,6 +134,16 @@ class MainActivity : AppCompatActivity() {
             BIOMETRIC_WEAK or DEVICE_CREDENTIAL
     }
 
+    private fun requestNotificationPermissionIfNeeded() {
+        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
+            if (ContextCompat.checkSelfPermission(this, Manifest.permission.POST_NOTIFICATIONS)
+                != PackageManager.PERMISSION_GRANTED
+            ) {
+                requestNotificationPermission.launch(Manifest.permission.POST_NOTIFICATIONS)
+            }
+        }
+    }
+
     private fun canAuthenticate(): Boolean {
         if (Build.VERSION.SDK_INT < Build.VERSION_CODES.R)
             return BiometricManager.from(this).canAuthenticate(BIOMETRIC_STRONG) == BiometricManager.BIOMETRIC_SUCCESS

app/src/main/kotlin/com/syncflow/SyncFlowApp.kt

@@ -1,9 +1,18 @@
 package com.syncflow
 
 import android.app.Application
+import android.app.NotificationChannel
+import android.app.NotificationManager
+import android.content.Context
 import androidx.hilt.work.HiltWorkerFactory
 import androidx.work.Configuration
+import com.syncflow.data.db.SyncPairDao
+import com.syncflow.domain.model.ScheduleType
+import com.syncflow.worker.FileWatchService
 import dagger.hilt.android.HiltAndroidApp
+import kotlinx.coroutines.CoroutineScope
+import kotlinx.coroutines.Dispatchers
+import kotlinx.coroutines.launch
 import timber.log.Timber
 import javax.inject.Inject
 
@@ -11,10 +20,38 @@ import javax.inject.Inject
 class SyncFlowApp : Application(), Configuration.Provider {
 
     @Inject lateinit var workerFactory: HiltWorkerFactory
+    @Inject lateinit var syncPairDao: SyncPairDao
 
     override fun onCreate() {
         super.onCreate()
         if (BuildConfig.DEBUG) Timber.plant(Timber.DebugTree())
+        createNotificationChannels()
+        // Start file watcher on every app launch for any existing ON_CHANGE pairs
+        CoroutineScope(Dispatchers.IO).launch {
+            val hasOnChange = syncPairDao.getEnabled().any { it.scheduleType == ScheduleType.ON_CHANGE }
+            if (hasOnChange) FileWatchService.start(this@SyncFlowApp)
+        }
+    }
+
+    private fun createNotificationChannels() {
+        val nm = getSystemService(Context.NOTIFICATION_SERVICE) as NotificationManager
+        listOf(
+            NotificationChannel("sync_progress", "Sync progress", NotificationManager.IMPORTANCE_LOW).apply {
+                description = "Shown while a sync is running"
+            },
+            NotificationChannel("sync_complete", "Sync complete", NotificationManager.IMPORTANCE_LOW).apply {
+                description = "Summary after each successful sync"
+            },
+            NotificationChannel("sync_alerts", "Sync errors", NotificationManager.IMPORTANCE_DEFAULT).apply {
+                description = "Alerts for sync failures and conflicts"
+            },
+            NotificationChannel("sync_watching", "File watching", NotificationManager.IMPORTANCE_MIN).apply {
+                description = "Background service watching folders for changes"
+                setShowBadge(false)
+            },
+        ).forEach { channel ->
+            if (nm.getNotificationChannel(channel.id) == null) nm.createNotificationChannel(channel)
+        }
     }
 
     override val workManagerConfiguration: Configuration

app/src/main/kotlin/com/syncflow/data/db/SyncEventDao.kt

@@ -9,6 +9,9 @@ interface SyncEventDao {
     @Query("SELECT * FROM sync_events WHERE syncPairId = :pairId ORDER BY timestamp DESC LIMIT :limit")
     fun observeRecent(pairId: Long, limit: Int = 200): Flow<List<SyncEventEntity>>
 
+    @Query("SELECT * FROM sync_events ORDER BY timestamp DESC LIMIT :limit")
+    fun observeAll(limit: Int = 500): Flow<List<SyncEventEntity>>
+
     @Insert
     suspend fun insert(entity: SyncEventEntity): Long
 

app/src/main/kotlin/com/syncflow/data/providers/ProviderFactory.kt

@@ -7,19 +7,20 @@ import com.syncflow.data.providers.owncloud.OwnCloudProvider
 import com.syncflow.data.providers.onedrive.OneDriveProvider
 import com.syncflow.data.providers.sftp.SftpProvider
 import com.syncflow.data.providers.webdav.WebDavProvider
+import com.syncflow.data.security.CredentialStore
 import com.syncflow.domain.model.CloudAccount
 import com.syncflow.domain.model.ProviderType
 import javax.inject.Inject
 import javax.inject.Singleton
 
 @Singleton
-class ProviderFactory @Inject constructor() {
+class ProviderFactory @Inject constructor(private val credentialStore: CredentialStore) {
     fun create(account: CloudAccount): CloudProvider = when (account.providerType) {
         ProviderType.GOOGLE_DRIVE -> GoogleDriveProvider(account)
         ProviderType.DROPBOX -> DropboxProvider(account)
         ProviderType.ONEDRIVE -> OneDriveProvider(account)
         ProviderType.WEBDAV -> WebDavProvider(account)
-        ProviderType.SFTP -> SftpProvider(account)
+        ProviderType.SFTP -> SftpProvider(account, credentialStore)
         ProviderType.NEXTCLOUD -> NextcloudProvider(account)
         ProviderType.OWNCLOUD -> OwnCloudProvider(account)
         ProviderType.SFTPGO -> WebDavProvider(account)     // SFTPGo exposes WebDAV

app/src/main/kotlin/com/syncflow/data/providers/dropbox/DropboxProvider.kt

@@ -18,9 +18,9 @@ class DropboxProvider(private val account: CloudAccount) : CloudProvider {
     }
     private val client = OkHttpClient()
 
-    private fun apiReq(url: String, bodyJson: String): Request =
+    private fun apiReq(url: String, argJson: JsonObject): Request =
         Request.Builder().url(url)
-            .post(bodyJson.toRequestBody("application/json".toMediaType()))
+            .post(argJson.toString().toRequestBody("application/json".toMediaType()))
             .header("Authorization", "Bearer $token")
             .build()
 
@@ -33,7 +33,8 @@ class DropboxProvider(private val account: CloudAccount) : CloudProvider {
 
     override suspend fun listFiles(remotePath: String): Result<List<RemoteFile>> = runCatching {
         val path = if (remotePath == "/" || remotePath.isBlank()) "" else remotePath
-        val req = apiReq("https://api.dropboxapi.com/2/files/list_folder", """{"path":"$path","recursive":false}""")
+        val arg = buildJsonObject { put("path", path); put("recursive", false) }
+        val req = apiReq("https://api.dropboxapi.com/2/files/list_folder", arg)
         client.newCall(req).execute().use { resp ->
             val body = resp.body?.string() ?: throw Exception("HTTP ${resp.code}")
             if (!resp.isSuccessful) throw Exception("HTTP ${resp.code}: $body")
@@ -44,11 +45,15 @@ class DropboxProvider(private val account: CloudAccount) : CloudProvider {
 
     override suspend fun uploadFile(localStream: InputStream, remotePath: String, sizeBytes: Long, onProgress: (Long) -> Unit): Result<RemoteFile> = runCatching {
         val bytes = localStream.readBytes()
-        val argHeader = """{"path":"${remotePath.normalizeDropbox()}","mode":"overwrite","autorename":false}"""
+        val arg = buildJsonObject {
+            put("path", remotePath.normalizeDropbox())
+            put("mode", "overwrite")
+            put("autorename", false)
+        }
         val req = Request.Builder().url("https://content.dropboxapi.com/2/files/upload")
             .post(bytes.toRequestBody("application/octet-stream".toMediaType()))
             .header("Authorization", "Bearer $token")
-            .header("Dropbox-API-Arg", argHeader).build()
+            .header("Dropbox-API-Arg", arg.toString()).build()
         client.newCall(req).execute().use { resp ->
             val body = resp.body?.string() ?: throw Exception("HTTP ${resp.code}")
             if (!resp.isSuccessful) throw Exception("HTTP ${resp.code}: $body")
@@ -58,11 +63,11 @@ class DropboxProvider(private val account: CloudAccount) : CloudProvider {
     }
 
     override suspend fun downloadFile(remotePath: String, destination: OutputStream, onProgress: (Long) -> Unit): Result<Unit> = runCatching {
-        val argHeader = """{"path":"${remotePath.normalizeDropbox()}"}"""
+        val arg = buildJsonObject { put("path", remotePath.normalizeDropbox()) }
         val req = Request.Builder().url("https://content.dropboxapi.com/2/files/download")
             .post("".toRequestBody())
             .header("Authorization", "Bearer $token")
-            .header("Dropbox-API-Arg", argHeader).build()
+            .header("Dropbox-API-Arg", arg.toString()).build()
         client.newCall(req).execute().use { resp ->
             if (!resp.isSuccessful) throw Exception("HTTP ${resp.code}")
             var total = 0L
@@ -75,17 +80,20 @@ class DropboxProvider(private val account: CloudAccount) : CloudProvider {
     }
 
     override suspend fun deleteFile(remotePath: String): Result<Unit> = runCatching {
-        val req = apiReq("https://api.dropboxapi.com/2/files/delete_v2", """{"path":"${remotePath.normalizeDropbox()}"}""")
+        val arg = buildJsonObject { put("path", remotePath.normalizeDropbox()) }
+        val req = apiReq("https://api.dropboxapi.com/2/files/delete_v2", arg)
         client.newCall(req).execute().use { resp -> if (!resp.isSuccessful) throw Exception("HTTP ${resp.code}") }
     }
 
     override suspend fun createDirectory(remotePath: String): Result<Unit> = runCatching {
-        val req = apiReq("https://api.dropboxapi.com/2/files/create_folder_v2", """{"path":"${remotePath.normalizeDropbox()}"}""")
+        val arg = buildJsonObject { put("path", remotePath.normalizeDropbox()) }
+        val req = apiReq("https://api.dropboxapi.com/2/files/create_folder_v2", arg)
         client.newCall(req).execute().use { resp -> if (!resp.isSuccessful && resp.code != 409) throw Exception("HTTP ${resp.code}") }
     }
 
     override suspend fun getFileMetadata(remotePath: String): Result<RemoteFile> = runCatching {
-        val req = apiReq("https://api.dropboxapi.com/2/files/get_metadata", """{"path":"${remotePath.normalizeDropbox()}"}""")
+        val arg = buildJsonObject { put("path", remotePath.normalizeDropbox()) }
+        val req = apiReq("https://api.dropboxapi.com/2/files/get_metadata", arg)
         client.newCall(req).execute().use { resp ->
             val body = resp.body?.string() ?: throw Exception("HTTP ${resp.code}")
             Json.parseToJsonElement(body).jsonObject.toRemoteFile()
@@ -93,8 +101,11 @@ class DropboxProvider(private val account: CloudAccount) : CloudProvider {
     }
 
     override suspend fun moveFile(fromPath: String, toPath: String): Result<Unit> = runCatching {
-        val req = apiReq("https://api.dropboxapi.com/2/files/move_v2",
-            """{"from_path":"${fromPath.normalizeDropbox()}","to_path":"${toPath.normalizeDropbox()}"}""")
+        val arg = buildJsonObject {
+            put("from_path", fromPath.normalizeDropbox())
+            put("to_path", toPath.normalizeDropbox())
+        }
+        val req = apiReq("https://api.dropboxapi.com/2/files/move_v2", arg)
         client.newCall(req).execute().use { resp -> if (!resp.isSuccessful) throw Exception("HTTP ${resp.code}") }
     }
 

app/src/main/kotlin/com/syncflow/data/providers/google/GoogleDriveProvider.kt

@@ -44,9 +44,11 @@ class GoogleDriveProvider(private val account: CloudAccount) : CloudProvider {
         val name = remotePath.substringAfterLast('/')
         val parentId = if ('/' in remotePath.dropLast(1)) remotePath.substringBeforeLast('/') else "root"
 
-        // Multipart upload
-        val metaPart = """{"name":"$name","parents":["$parentId"]}"""
-            .toRequestBody("application/json".toMediaType())
+        // Multipart upload — use JSON builder to avoid injection via filenames with special chars
+        val metaPart = buildJsonObject {
+            put("name", name)
+            put("parents", buildJsonArray { add(parentId) })
+        }.toString().toRequestBody("application/json".toMediaType())
         val dataPart = bytes.toRequestBody("application/octet-stream".toMediaType())
         val multipart = MultipartBody.Builder()
             .setType(MultipartBody.FORM)
@@ -86,8 +88,11 @@ class GoogleDriveProvider(private val account: CloudAccount) : CloudProvider {
     override suspend fun createDirectory(remotePath: String): Result<Unit> = runCatching {
         val name = remotePath.substringAfterLast('/')
         val parentId = if ('/' in remotePath.dropLast(1)) remotePath.substringBeforeLast('/') else "root"
-        val body = """{"name":"$name","mimeType":"application/vnd.google-apps.folder","parents":["$parentId"]}"""
-            .toRequestBody("application/json".toMediaType())
+        val body = buildJsonObject {
+            put("name", name)
+            put("mimeType", "application/vnd.google-apps.folder")
+            put("parents", buildJsonArray { add(parentId) })
+        }.toString().toRequestBody("application/json".toMediaType())
         val req = auth(Request.Builder().url("https://www.googleapis.com/drive/v3/files").post(body)).build()
         client.newCall(req).execute().use { resp -> if (!resp.isSuccessful) throw Exception("HTTP ${resp.code}") }
     }
@@ -102,7 +107,8 @@ class GoogleDriveProvider(private val account: CloudAccount) : CloudProvider {
 
     override suspend fun moveFile(fromPath: String, toPath: String): Result<Unit> = runCatching {
         val newName = toPath.substringAfterLast('/')
-        val body = """{"name":"$newName"}""".toRequestBody("application/json".toMediaType())
+        val body = buildJsonObject { put("name", newName) }.toString()
+            .toRequestBody("application/json".toMediaType())
         val req = auth(Request.Builder().url("https://www.googleapis.com/drive/v3/files/$fromPath").patch(body)).build()
         client.newCall(req).execute().use { resp -> if (!resp.isSuccessful) throw Exception("HTTP ${resp.code}") }
     }

app/src/main/kotlin/com/syncflow/data/providers/sftp/SftpProvider.kt

@@ -1,6 +1,7 @@
 package com.syncflow.data.providers.sftp
 
 import com.syncflow.data.providers.CloudProvider
+import com.syncflow.data.security.CredentialStore
 import com.syncflow.domain.model.CloudAccount
 import com.syncflow.domain.model.RemoteFile
 import kotlinx.serialization.json.Json
@@ -8,13 +9,12 @@ import kotlinx.serialization.json.jsonObject
 import kotlinx.serialization.json.jsonPrimitive
 import net.schmizz.sshj.SSHClient
 import net.schmizz.sshj.sftp.SFTPClient
-import net.schmizz.sshj.transport.verification.PromiscuousVerifier
 import net.schmizz.sshj.xfer.InMemorySourceFile
 import java.io.InputStream
 import java.io.OutputStream
 import java.time.Instant
 
-class SftpProvider(private val account: CloudAccount) : CloudProvider {
+class SftpProvider(private val account: CloudAccount, private val credentialStore: CredentialStore) : CloudProvider {
 
     private val creds = Json.parseToJsonElement(account.credentialJson).jsonObject
     private val host = account.serverUrl ?: "localhost"
@@ -25,7 +25,7 @@ class SftpProvider(private val account: CloudAccount) : CloudProvider {
 
     private fun <T> withSftp(block: (SFTPClient) -> T): T {
         val ssh = SSHClient()
-        ssh.addHostKeyVerifier(PromiscuousVerifier()) // TODO: replace with proper key pinning
+        ssh.addHostKeyVerifier(TofuHostKeyVerifier(credentialStore))
         ssh.connect(host, port)
         try {
             if (!privateKey.isNullOrBlank()) {

app/src/main/kotlin/com/syncflow/data/providers/sftp/TofuHostKeyVerifier.kt

@@ -0,0 +1,35 @@
+package com.syncflow.data.providers.sftp
+
+import com.syncflow.data.security.CredentialStore
+import net.schmizz.sshj.transport.verification.HostKeyVerifier
+import java.security.MessageDigest
+import java.security.PublicKey
+
+/**
+ * Trust-On-First-Use SSH host key verifier.
+ *
+ * First connection to a host: fingerprint is stored in EncryptedSharedPreferences and accepted.
+ * Subsequent connections: stored fingerprint must match — mismatch aborts (possible MITM).
+ */
+class TofuHostKeyVerifier(private val credentialStore: CredentialStore) : HostKeyVerifier {
+
+    override fun verify(hostname: String, port: Int, key: PublicKey): Boolean {
+        val fingerprint = sha256Fingerprint(key)
+        val stored = credentialStore.getHostFingerprint(hostname, port)
+        return if (stored == null) {
+            credentialStore.saveHostKey(hostname, port, fingerprint)
+            true
+        } else {
+            stored == fingerprint
+        }
+    }
+
+    // Return empty list so sshj uses server preference order for key exchange.
+    // Our verify() will accept or reject whatever algorithm is negotiated.
+    override fun findExistingAlgorithms(hostname: String, port: Int): List<String> = emptyList()
+
+    private fun sha256Fingerprint(key: PublicKey): String {
+        val digest = MessageDigest.getInstance("SHA-256").digest(key.encoded)
+        return digest.joinToString(":") { "%02x".format(it) }
+    }
+}

app/src/main/kotlin/com/syncflow/data/providers/webdav/WebDavProvider.kt

@@ -10,6 +10,7 @@ import kotlinx.serialization.json.Json
 import kotlinx.serialization.json.jsonObject
 import kotlinx.serialization.json.jsonPrimitive
 import okhttp3.*
+import okhttp3.HttpUrl.Companion.toHttpUrlOrNull
 import okhttp3.MediaType.Companion.toMediaType
 import okhttp3.RequestBody.Companion.toRequestBody
 import org.xmlpull.v1.XmlPullParser
@@ -38,9 +39,14 @@ open class WebDavProvider(protected val account: CloudAccount) : CloudProvider {
                     .header("Authorization", Credentials.basic(user, pass))
                     .build()
                 val resp = chain.proceed(req)
-                // follow redirect manually for WebDAV methods (OkHttp skips non-GET/HEAD redirects)
+                // Follow redirects for WebDAV methods (OkHttp skips non-GET/HEAD redirects).
+                // Only follow same-host redirects to prevent credential leakage to a different server.
                 if (resp.code in 301..308) {
                     val location = resp.header("Location") ?: return@addInterceptor resp
+                    val redirectHost = location.toHttpUrlOrNull()?.host
+                    if (redirectHost == null || redirectHost != req.url.host) {
+                        return@addInterceptor resp
+                    }
                     resp.close()
                     val redirectReq = req.newBuilder().url(location).build()
                     chain.proceed(redirectReq)

app/src/main/kotlin/com/syncflow/data/security/CredentialStore.kt

@@ -3,7 +3,7 @@ package com.syncflow.data.security
 import android.content.Context
 import android.content.SharedPreferences
 import androidx.security.crypto.EncryptedSharedPreferences
-import androidx.security.crypto.MasterKey
+import androidx.security.crypto.MasterKeys
 import dagger.hilt.android.qualifiers.ApplicationContext
 import javax.inject.Inject
 import javax.inject.Singleton
@@ -12,13 +12,11 @@ import javax.inject.Singleton
 class CredentialStore @Inject constructor(@ApplicationContext private val context: Context) {
 
     private val prefs: SharedPreferences by lazy {
-        val masterKey = MasterKey.Builder(context)
-            .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
-            .build()
+        val masterKeyAlias = MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC)
         EncryptedSharedPreferences.create(
-            context,
             "syncflow_credentials",
-            masterKey,
+            masterKeyAlias,
+            context,
             EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
             EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM,
         )
@@ -37,7 +35,7 @@ class CredentialStore @Inject constructor(@ApplicationContext private val contex
         prefs.edit().remove(credKey(accountId)).apply()
     }
 
-    // ── PKCE verifiers (OAuth flow) ───────────────────────────────────────────
+    // ── PKCE verifiers and OAuth state (OAuth flow) ───────────────────────────
 
     fun savePkceVerifier(provider: String, verifier: String) {
         prefs.edit().putString(pkceKey(provider), verifier).apply()
@@ -49,8 +47,18 @@ class CredentialStore @Inject constructor(@ApplicationContext private val contex
         prefs.edit().remove(pkceKey(provider)).apply()
     }
 
+    // ── SFTP host key fingerprints (TOFU) ─────────────────────────────────────
+
+    fun saveHostKey(host: String, port: Int, fingerprint: String) {
+        prefs.edit().putString(hostKey(host, port), fingerprint).apply()
+    }
+
+    fun getHostFingerprint(host: String, port: Int): String? =
+        prefs.getString(hostKey(host, port), null)
+
     // ── Key helpers ───────────────────────────────────────────────────────────
 
     private fun credKey(accountId: Long) = "cred_$accountId"
     private fun pkceKey(provider: String) = "pkce_$provider"
+    private fun hostKey(host: String, port: Int) = "sshhost_${host}_$port"
 }

app/src/main/kotlin/com/syncflow/ui/addpair/AddPairViewModel.kt

@@ -1,5 +1,6 @@
 package com.syncflow.ui.addpair
 
+import android.content.Context
 import androidx.lifecycle.SavedStateHandle
 import androidx.lifecycle.ViewModel
 import androidx.lifecycle.viewModelScope
@@ -7,9 +8,10 @@ import com.syncflow.data.db.CloudAccountDao
 import com.syncflow.data.db.SyncPairDao
 import com.syncflow.data.db.entities.CloudAccountEntity
 import com.syncflow.data.db.entities.SyncPairEntity
-import com.syncflow.data.db.entities.toDomain
 import com.syncflow.domain.model.*
+import com.syncflow.worker.FileWatchService
 import dagger.hilt.android.lifecycle.HiltViewModel
+import dagger.hilt.android.qualifiers.ApplicationContext
 import kotlinx.coroutines.flow.*
 import kotlinx.coroutines.launch
 import javax.inject.Inject
@@ -31,7 +33,7 @@ data class AddPairUiState(
     val scheduleType: ScheduleType = ScheduleType.INTERVAL,
     val intervalMinutes: Int = 30,
     val dailyTime: String = "02:00",
-    val weekdays: Int = 0b1111111,           // all 7 days by default
+    val weekdays: Int = 0b1111111,
     // ── Constraints ──────────────────────────────────────────────────────────
     val wifiOnly: Boolean = true,
     val wifiSsid: String = "",
@@ -57,6 +59,7 @@ data class AddPairUiState(
 class AddPairViewModel @Inject constructor(
     private val syncPairDao: SyncPairDao,
     private val accountDao: CloudAccountDao,
+    @ApplicationContext private val context: Context,
     savedState: SavedStateHandle,
 ) : ViewModel() {
 
@@ -147,7 +150,10 @@ class AddPairViewModel @Inject constructor(
                 )
                 if (editPairId == null) syncPairDao.insert(entity) else syncPairDao.update(entity)
             }
-                .onSuccess { _state.update { it.copy(done = true) } }
+                .onSuccess {
+                    if (s.scheduleType == ScheduleType.ON_CHANGE) FileWatchService.start(context)
+                    _state.update { it.copy(done = true) }
+                }
                 .onFailure { e -> _state.update { it.copy(isSaving = false, error = e.message) } }
         }
     }

app/src/main/kotlin/com/syncflow/ui/auth/AccountSetupScreen.kt

@@ -2,6 +2,7 @@ package com.syncflow.ui.auth
 
 import android.accounts.AccountManager
 import android.app.Activity
+import android.view.WindowManager
 import androidx.activity.compose.rememberLauncherForActivityResult
 import androidx.activity.result.contract.ActivityResultContracts
 import androidx.compose.foundation.Image
@@ -201,6 +202,15 @@ private fun CredentialContent(
 ) {
     val provider = state.providerType ?: return
 
+    // Prevent screenshots and screen recording while credentials are visible
+    val activity = LocalContext.current as? Activity
+    DisposableEffect(Unit) {
+        activity?.window?.addFlags(WindowManager.LayoutParams.FLAG_SECURE)
+        onDispose {
+            activity?.window?.clearFlags(WindowManager.LayoutParams.FLAG_SECURE)
+        }
+    }
+
     Column(
         modifier = modifier
             .padding(horizontal = 20.dp)

app/src/main/kotlin/com/syncflow/ui/auth/OAuthHelper.kt

@@ -38,7 +38,9 @@ private fun generateChallenge(verifier: String): String {
 
 fun launchDropboxOAuth(context: Context, credentialStore: CredentialStore, appKey: String) {
     val verifier = generateVerifier()
+    val state = generateVerifier()
     credentialStore.savePkceVerifier("dropbox", verifier)
+    credentialStore.savePkceVerifier("dropbox_state", state)
     val challenge = generateChallenge(verifier)
     val url = "https://www.dropbox.com/oauth2/authorize" +
         "?client_id=$appKey" +
@@ -46,13 +48,16 @@ fun launchDropboxOAuth(context: Context, credentialStore: CredentialStore, appKe
         "&redirect_uri=syncflow%3A%2F%2Foauth%2Fdropbox" +
         "&code_challenge=$challenge" +
         "&code_challenge_method=S256" +
-        "&token_access_type=offline"
+        "&token_access_type=offline" +
+        "&state=$state"
     openCustomTab(context, url)
 }
 
 fun launchOneDriveOAuth(context: Context, credentialStore: CredentialStore, clientId: String) {
     val verifier = generateVerifier()
+    val state = generateVerifier()
     credentialStore.savePkceVerifier("onedrive", verifier)
+    credentialStore.savePkceVerifier("onedrive_state", state)
     val challenge = generateChallenge(verifier)
     val scopes = "Files.ReadWrite+User.Read+offline_access"
     val url = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize" +
@@ -61,7 +66,8 @@ fun launchOneDriveOAuth(context: Context, credentialStore: CredentialStore, clie
         "&redirect_uri=syncflow%3A%2F%2Foauth%2Fonedrive" +
         "&scope=$scopes" +
         "&code_challenge=$challenge" +
-        "&code_challenge_method=S256"
+        "&code_challenge_method=S256" +
+        "&state=$state"
     openCustomTab(context, url)
 }
 

app/src/main/kotlin/com/syncflow/ui/auth/OAuthRedirectActivity.kt

@@ -28,11 +28,22 @@ class OAuthRedirectActivity : ComponentActivity() {
     private fun handleIntent(intent: Intent) {
         val uri = intent.data ?: run { finish(); return }
         val code = uri.getQueryParameter("code") ?: run { finish(); return }
+        val returnedState = uri.getQueryParameter("state") ?: run { finish(); return }
+
         val provider = when {
             uri.host == "oauth" && uri.path?.contains("dropbox") == true -> "dropbox"
             uri.host == "oauth" && uri.path?.contains("onedrive") == true -> "onedrive"
             else -> run { finish(); return }
         }
+
+        // Validate state before doing anything with the code (CSRF protection)
+        val storedState = credentialStore.getPkceVerifier("${provider}_state")
+        if (storedState == null || returnedState != storedState) {
+            finish()
+            return
+        }
+        credentialStore.removePkceVerifier("${provider}_state")
+
         val appKey = getString(com.syncflow.R.string.dropbox_app_key)
         val odClientId = getString(com.syncflow.R.string.onedrive_client_id)
         lifecycleScope.launch {

app/src/main/kotlin/com/syncflow/ui/home/HomeScreen.kt

@@ -1,5 +1,10 @@
 package com.syncflow.ui.home
 
+import androidx.compose.animation.core.LinearEasing
+import androidx.compose.animation.core.animateFloat
+import androidx.compose.animation.core.infiniteRepeatable
+import androidx.compose.animation.core.rememberInfiniteTransition
+import androidx.compose.animation.core.tween
 import androidx.compose.foundation.BorderStroke
 import androidx.compose.foundation.clickable
 import androidx.compose.foundation.layout.*
@@ -14,6 +19,7 @@ import androidx.compose.runtime.*
 import androidx.compose.ui.Alignment
 import androidx.compose.ui.Modifier
 import androidx.compose.ui.graphics.Color
+import androidx.compose.ui.graphics.graphicsLayer
 import androidx.compose.ui.unit.dp
 import androidx.hilt.navigation.compose.hiltViewModel
 import com.syncflow.data.db.entities.SyncPairEntity
@@ -159,8 +165,18 @@ private fun SyncPairCard(
                             color = MaterialTheme.colorScheme.onSurfaceVariant,
                         )
                     }
+                    val syncRotation by rememberInfiniteTransition(label = "cardSyncSpin").animateFloat(
+                        initialValue = 0f, targetValue = 360f,
+                        animationSpec = infiniteRepeatable(tween(900, easing = LinearEasing)),
+                        label = "cardRotation",
+                    )
                     FilledTonalIconButton(onClick = onSync, modifier = Modifier.size(36.dp)) {
-                        Icon(Icons.Default.Sync, "Sync now", modifier = Modifier.size(18.dp))
+                        Icon(
+                            Icons.Default.Sync, "Sync now",
+                            modifier = Modifier.size(18.dp).graphicsLayer {
+                                if (pair.lastSyncResult == SyncStatus.SYNCING) rotationZ = syncRotation
+                            },
+                        )
                     }
                 }
             }
@@ -179,10 +195,11 @@ private fun StatusPill(status: SyncStatus) {
         SyncStatus.IDLE     -> Pair(Icons.Outlined.Circle, "Idle")
     }
     val containerColor = status.accentColor
-    val contentColor = when (status) {
-        SyncStatus.IDLE -> MaterialTheme.colorScheme.onSurfaceVariant
-        else -> MaterialTheme.colorScheme.surface
-    }
+    val rotation by rememberInfiniteTransition(label = "syncSpin").animateFloat(
+        initialValue = 0f, targetValue = 360f,
+        animationSpec = infiniteRepeatable(tween(1000, easing = LinearEasing)),
+        label = "rotation",
+    )
     Surface(
         shape = RoundedCornerShape(50),
         color = containerColor.copy(alpha = 0.15f),
@@ -192,7 +209,11 @@ private fun StatusPill(status: SyncStatus) {
             verticalAlignment = Alignment.CenterVertically,
             horizontalArrangement = Arrangement.spacedBy(4.dp),
         ) {
-            Icon(icon, null, Modifier.size(12.dp), tint = containerColor)
+            Icon(
+                icon, null,
+                Modifier.size(12.dp).graphicsLayer { if (status == SyncStatus.SYNCING) rotationZ = rotation },
+                tint = containerColor,
+            )
             Text(label, style = MaterialTheme.typography.labelSmall, color = containerColor)
         }
     }

app/src/main/kotlin/com/syncflow/ui/log/LogScreen.kt

@@ -0,0 +1,178 @@
+package com.syncflow.ui.log
+
+import androidx.compose.foundation.layout.*
+import androidx.compose.foundation.lazy.LazyColumn
+import androidx.compose.foundation.lazy.items
+import androidx.compose.foundation.shape.RoundedCornerShape
+import androidx.compose.material.icons.Icons
+import androidx.compose.material.icons.filled.*
+import androidx.compose.material.icons.outlined.Circle
+import androidx.compose.material3.*
+import androidx.compose.runtime.*
+import androidx.compose.ui.Alignment
+import androidx.compose.ui.Modifier
+import androidx.compose.ui.graphics.Color
+import androidx.compose.ui.graphics.vector.ImageVector
+import androidx.compose.ui.unit.dp
+import androidx.hilt.navigation.compose.hiltViewModel
+import com.syncflow.domain.model.SyncEventType
+import java.time.Duration
+import java.time.Instant
+import java.time.ZoneId
+import java.time.format.DateTimeFormatter
+import java.time.format.FormatStyle
+
+@Composable
+fun LogScreen(
+    modifier: Modifier = Modifier,
+    vm: LogViewModel = hiltViewModel(),
+) {
+    val entries by vm.entries.collectAsState()
+
+    if (entries.isEmpty()) {
+        Box(
+            modifier = modifier.fillMaxSize(),
+            contentAlignment = Alignment.Center,
+        ) {
+            Column(
+                horizontalAlignment = Alignment.CenterHorizontally,
+                verticalArrangement = Arrangement.spacedBy(8.dp),
+            ) {
+                Icon(
+                    Icons.Default.Notifications,
+                    contentDescription = null,
+                    modifier = Modifier.size(72.dp),
+                    tint = MaterialTheme.colorScheme.primary.copy(alpha = 0.35f),
+                )
+                Text("No activity yet", style = MaterialTheme.typography.titleMedium)
+                Text(
+                    "Sync events will appear here",
+                    style = MaterialTheme.typography.bodySmall,
+                    color = MaterialTheme.colorScheme.onSurfaceVariant,
+                )
+            }
+        }
+    } else {
+        LazyColumn(
+            modifier = modifier.fillMaxSize(),
+            contentPadding = PaddingValues(horizontal = 16.dp, vertical = 8.dp),
+            verticalArrangement = Arrangement.spacedBy(0.dp),
+        ) {
+            // Group entries by calendar date
+            val grouped = entries.groupBy { entry ->
+                entry.event.timestamp.atZone(ZoneId.systemDefault()).toLocalDate()
+            }
+            grouped.forEach { (date, dayEntries) ->
+                item(key = date.toString()) {
+                    Text(
+                        text = date.toRelativeLabel(),
+                        style = MaterialTheme.typography.labelMedium,
+                        color = MaterialTheme.colorScheme.primary,
+                        modifier = Modifier.padding(top = 16.dp, bottom = 4.dp),
+                    )
+                }
+                items(dayEntries, key = { it.event.id }) { entry ->
+                    LogEntryRow(entry)
+                    HorizontalDivider(
+                        color = MaterialTheme.colorScheme.outline.copy(alpha = 0.3f),
+                        modifier = Modifier.padding(start = 52.dp),
+                    )
+                }
+            }
+            item { Spacer(Modifier.height(80.dp)) }
+        }
+    }
+}
+
+@Composable
+private fun LogEntryRow(entry: LogEntry) {
+    val (icon, tint) = entry.event.eventType.iconAndTint()
+    val timeFmt = DateTimeFormatter.ofLocalizedTime(FormatStyle.SHORT)
+    val timeStr = entry.event.timestamp.atZone(ZoneId.systemDefault()).let { timeFmt.format(it) }
+
+    Row(
+        modifier = Modifier
+            .fillMaxWidth()
+            .padding(vertical = 10.dp),
+        verticalAlignment = Alignment.Top,
+    ) {
+        // Icon bubble
+        Surface(
+            shape = RoundedCornerShape(10.dp),
+            color = tint.copy(alpha = 0.12f),
+            modifier = Modifier.size(36.dp),
+        ) {
+            Box(contentAlignment = Alignment.Center) {
+                Icon(icon, contentDescription = null, Modifier.size(18.dp), tint = tint)
+            }
+        }
+        Spacer(Modifier.width(12.dp))
+        Column(modifier = Modifier.weight(1f)) {
+            Row(
+                modifier = Modifier.fillMaxWidth(),
+                horizontalArrangement = Arrangement.SpaceBetween,
+                verticalAlignment = Alignment.CenterVertically,
+            ) {
+                Text(
+                    entry.pairName,
+                    style = MaterialTheme.typography.labelMedium,
+                    color = MaterialTheme.colorScheme.primary,
+                    modifier = Modifier.weight(1f, fill = false),
+                )
+                Text(
+                    timeStr,
+                    style = MaterialTheme.typography.labelSmall,
+                    color = MaterialTheme.colorScheme.onSurfaceVariant,
+                )
+            }
+            Spacer(Modifier.height(2.dp))
+            Text(
+                text = entry.event.eventType.label(),
+                style = MaterialTheme.typography.bodySmall,
+            )
+            val detail = entry.event.filePath ?: entry.event.message
+            if (detail != null) {
+                Text(
+                    text = detail,
+                    style = MaterialTheme.typography.labelSmall,
+                    color = MaterialTheme.colorScheme.onSurfaceVariant,
+                    maxLines = 1,
+                )
+            }
+        }
+    }
+}
+
+@Composable
+private fun SyncEventType.iconAndTint(): Pair<ImageVector, Color> = when (this) {
+    SyncEventType.SYNC_STARTED     -> Icons.Default.Sync to MaterialTheme.colorScheme.secondary
+    SyncEventType.SYNC_COMPLETED   -> Icons.Default.CheckCircle to MaterialTheme.colorScheme.primary
+    SyncEventType.SYNC_FAILED      -> Icons.Default.Error to MaterialTheme.colorScheme.error
+    SyncEventType.FILE_UPLOADED    -> Icons.Default.CloudUpload to MaterialTheme.colorScheme.secondary
+    SyncEventType.FILE_DOWNLOADED  -> Icons.Default.CloudDownload to MaterialTheme.colorScheme.secondary
+    SyncEventType.FILE_DELETED     -> Icons.Default.DeleteForever to MaterialTheme.colorScheme.tertiary
+    SyncEventType.FILE_SKIPPED     -> Icons.Outlined.Circle to MaterialTheme.colorScheme.onSurfaceVariant
+    SyncEventType.CONFLICT_DETECTED -> Icons.Default.Warning to MaterialTheme.colorScheme.tertiary
+    SyncEventType.CONFLICT_RESOLVED -> Icons.Default.CheckCircle to MaterialTheme.colorScheme.primary
+}
+
+private fun SyncEventType.label(): String = when (this) {
+    SyncEventType.SYNC_STARTED      -> "Sync started"
+    SyncEventType.SYNC_COMPLETED    -> "Sync completed"
+    SyncEventType.SYNC_FAILED       -> "Sync failed"
+    SyncEventType.FILE_UPLOADED     -> "File uploaded"
+    SyncEventType.FILE_DOWNLOADED   -> "File downloaded"
+    SyncEventType.FILE_DELETED      -> "File deleted"
+    SyncEventType.FILE_SKIPPED      -> "File skipped"
+    SyncEventType.CONFLICT_DETECTED -> "Conflict detected"
+    SyncEventType.CONFLICT_RESOLVED -> "Conflict resolved"
+}
+
+private fun java.time.LocalDate.toRelativeLabel(): String {
+    val today = java.time.LocalDate.now()
+    return when {
+        this == today -> "Today"
+        this == today.minusDays(1) -> "Yesterday"
+        else -> DateTimeFormatter.ofLocalizedDate(FormatStyle.MEDIUM).format(this)
+    }
+}

app/src/main/kotlin/com/syncflow/ui/log/LogViewModel.kt

@@ -0,0 +1,29 @@
+package com.syncflow.ui.log
+
+import androidx.lifecycle.ViewModel
+import androidx.lifecycle.viewModelScope
+import com.syncflow.data.db.SyncEventDao
+import com.syncflow.data.db.SyncPairDao
+import com.syncflow.data.db.entities.SyncEventEntity
+import dagger.hilt.android.lifecycle.HiltViewModel
+import kotlinx.coroutines.flow.SharingStarted
+import kotlinx.coroutines.flow.combine
+import kotlinx.coroutines.flow.stateIn
+import javax.inject.Inject
+
+data class LogEntry(val event: SyncEventEntity, val pairName: String)
+
+@HiltViewModel
+class LogViewModel @Inject constructor(
+    syncEventDao: SyncEventDao,
+    syncPairDao: SyncPairDao,
+) : ViewModel() {
+
+    val entries = combine(
+        syncEventDao.observeAll(500),
+        syncPairDao.observeAll(),
+    ) { events, pairs ->
+        val pairNames = pairs.associateBy({ it.id }, { it.name })
+        events.map { LogEntry(it, pairNames[it.syncPairId] ?: "Unknown") }
+    }.stateIn(viewModelScope, SharingStarted.WhileSubscribed(5_000), emptyList())
+}

app/src/main/kotlin/com/syncflow/ui/main/MainShell.kt

@@ -20,8 +20,10 @@ import androidx.compose.foundation.pager.rememberPagerState
 import androidx.compose.material.icons.Icons
 import androidx.compose.material.icons.filled.Add
 import androidx.compose.material.icons.filled.ManageAccounts
+import androidx.compose.material.icons.filled.Notifications
 import androidx.compose.material.icons.filled.Sync
 import androidx.compose.material.icons.outlined.ManageAccounts
+import androidx.compose.material.icons.outlined.NotificationsNone
 import androidx.compose.material.icons.outlined.Sync
 import androidx.compose.material3.*
 import androidx.compose.runtime.Composable
@@ -32,6 +34,7 @@ import androidx.compose.ui.res.painterResource
 import androidx.compose.ui.unit.dp
 import com.syncflow.R
 import com.syncflow.ui.home.HomeScreen
+import com.syncflow.ui.log.LogScreen
 import com.syncflow.ui.settings.SettingsScreen
 import kotlinx.coroutines.launch
 
@@ -42,7 +45,7 @@ fun MainShell(
     onPairClick: (Long) -> Unit,
     onAddAccount: () -> Unit,
 ) {
-    val pagerState = rememberPagerState(pageCount = { 2 })
+    val pagerState = rememberPagerState(pageCount = { 3 })
     val scope = rememberCoroutineScope()
     val currentPage = pagerState.currentPage
 
@@ -88,7 +91,18 @@ fun MainShell(
                     onClick = { scope.launch { pagerState.animateScrollToPage(1) } },
                     icon = {
                         Icon(
-                            if (currentPage == 1) Icons.Filled.ManageAccounts else Icons.Outlined.ManageAccounts,
+                            if (currentPage == 1) Icons.Filled.Notifications else Icons.Outlined.NotificationsNone,
+                            contentDescription = null,
+                        )
+                    },
+                    label = { Text("Log") },
+                )
+                NavigationBarItem(
+                    selected = currentPage == 2,
+                    onClick = { scope.launch { pagerState.animateScrollToPage(2) } },
+                    icon = {
+                        Icon(
+                            if (currentPage == 2) Icons.Filled.ManageAccounts else Icons.Outlined.ManageAccounts,
                             contentDescription = null,
                         )
                     },
@@ -120,7 +134,8 @@ fun MainShell(
         ) { page ->
             when (page) {
                 0 -> HomeScreen(onAddPair = onAddPair, onPairClick = onPairClick)
-                1 -> SettingsScreen(onAddAccount = onAddAccount)
+                1 -> LogScreen()
+                2 -> SettingsScreen(onAddAccount = onAddAccount)
             }
         }
     }

app/src/main/kotlin/com/syncflow/ui/pairdetail/PairDetailScreen.kt

@@ -1,5 +1,10 @@
 package com.syncflow.ui.pairdetail
 
+import androidx.compose.animation.core.LinearEasing
+import androidx.compose.animation.core.animateFloat
+import androidx.compose.animation.core.infiniteRepeatable
+import androidx.compose.animation.core.rememberInfiniteTransition
+import androidx.compose.animation.core.tween
 import androidx.compose.foundation.layout.*
 import androidx.compose.foundation.lazy.LazyColumn
 import androidx.compose.foundation.lazy.items
@@ -13,6 +18,7 @@ import androidx.compose.ui.Alignment
 import androidx.compose.ui.Modifier
 import androidx.compose.ui.draw.clip
 import androidx.compose.ui.graphics.Color
+import androidx.compose.ui.graphics.graphicsLayer
 import androidx.compose.ui.unit.dp
 import androidx.hilt.navigation.compose.hiltViewModel
 import com.syncflow.data.db.entities.SyncEventEntity
@@ -143,6 +149,11 @@ private fun StatusBanner(pair: SyncPairEntity) {
         SyncStatus.PARTIAL  -> Triple(Icons.Default.WarningAmber,"Partial",   MaterialTheme.colorScheme.tertiaryContainer)
         SyncStatus.IDLE     -> Triple(Icons.Outlined.Circle,     "Idle",      MaterialTheme.colorScheme.surfaceVariant)
     }
+    val rotation by rememberInfiniteTransition(label = "bannerSpin").animateFloat(
+        initialValue = 0f, targetValue = 360f,
+        animationSpec = infiniteRepeatable(tween(1000, easing = LinearEasing)),
+        label = "bannerRotation",
+    )
     Surface(
         color = containerColor,
         shape = RoundedCornerShape(16.dp),
@@ -152,7 +163,12 @@ private fun StatusBanner(pair: SyncPairEntity) {
             modifier = Modifier.padding(16.dp),
             verticalAlignment = Alignment.CenterVertically,
         ) {
-            Icon(icon, null, modifier = Modifier.size(40.dp))
+            Icon(
+                icon, null,
+                modifier = Modifier.size(40.dp).graphicsLayer {
+                    if (pair.lastSyncResult == SyncStatus.SYNCING) rotationZ = rotation
+                },
+            )
             Spacer(Modifier.width(16.dp))
             Column {
                 Text(label, style = MaterialTheme.typography.titleMedium)

app/src/main/kotlin/com/syncflow/ui/settings/SettingsScreen.kt

@@ -137,11 +137,17 @@ fun SettingsScreen(
             ) {
                 Column(modifier = Modifier.padding(16.dp), verticalArrangement = Arrangement.spacedBy(4.dp)) {
                     Text(
-                        "SyncFlow v${com.syncflow.BuildConfig.VERSION_NAME} — Free, no subscription.",
-                        style = MaterialTheme.typography.bodySmall,
+                        "SyncFlow",
+                        style = MaterialTheme.typography.titleSmall,
                     )
                     Text(
-                        "Open source. No ads. No tracking.",
+                        "Version ${com.syncflow.BuildConfig.VERSION_NAME} (build ${com.syncflow.BuildConfig.VERSION_CODE})",
+                        style = MaterialTheme.typography.bodySmall,
+                        color = MaterialTheme.colorScheme.onSurfaceVariant,
+                    )
+                    Spacer(Modifier.height(2.dp))
+                    Text(
+                        "Free, no subscription. No ads. No tracking.",
                         style = MaterialTheme.typography.bodySmall,
                         color = MaterialTheme.colorScheme.onSurfaceVariant,
                     )

app/src/main/kotlin/com/syncflow/worker/FileWatchService.kt

@@ -10,6 +10,7 @@ import android.os.FileObserver
 import android.os.Handler
 import android.os.IBinder
 import android.os.Looper
+import android.provider.DocumentsContract
 import androidx.core.app.NotificationCompat
 import androidx.work.ExistingWorkPolicy
 import androidx.work.WorkManager
@@ -81,35 +82,25 @@ class FileWatchService : Service() {
             val localPath = pair.localPath
 
             if (localPath.startsWith("content://")) {
-                val treeUri = Uri.parse(localPath)
-                val observer = object : ContentObserver(mainHandler) {
-                    override fun onChange(selfChange: Boolean) = onChangeDetected(pairId, pair.wifiOnly, pair.chargingOnly)
-                    override fun onChange(selfChange: Boolean, uri: Uri?) = onChangeDetected(pairId, pair.wifiOnly, pair.chargingOnly)
-                }
-                contentResolver.registerContentObserver(treeUri, true, observer)
-                contentObservers[pairId] = observer
-                Timber.d("FileWatchService: watching SAF URI for pair $pairId")
-            } else {
-                val dir = File(localPath)
-                if (!dir.exists()) {
-                    Timber.w("FileWatchService: path does not exist for pair $pairId: $localPath")
-                    return@forEach
-                }
-                val mask = FileObserver.CREATE or FileObserver.DELETE or FileObserver.MODIFY or
-                           FileObserver.MOVED_FROM or FileObserver.MOVED_TO
-                val observer = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
-                    object : FileObserver(dir, mask) {
-                        override fun onEvent(event: Int, path: String?) = onChangeDetected(pairId, pair.wifiOnly, pair.chargingOnly)
-                    }
+                // Try to resolve the SAF tree URI to a real filesystem path so we can use
+                // FileObserver. ContentObserver on a DocumentsProvider tree URI only fires
+                // when changes come through the SAF API, not for raw filesystem writes.
+                val realPath = safTreeUriToRealPath(localPath)
+                if (realPath != null) {
+                    watchPath(realPath, pairId, pair.wifiOnly, pair.chargingOnly)
                 } else {
-                    @Suppress("DEPRECATION")
-                    object : FileObserver(localPath, mask) {
-                        override fun onEvent(event: Int, path: String?) = onChangeDetected(pairId, pair.wifiOnly, pair.chargingOnly)
+                    // Fallback: register a ContentObserver for SAF paths that can't be resolved
+                    val treeUri = Uri.parse(localPath)
+                    val observer = object : ContentObserver(mainHandler) {
+                        override fun onChange(selfChange: Boolean) = onChangeDetected(pairId, pair.wifiOnly, pair.chargingOnly)
+                        override fun onChange(selfChange: Boolean, uri: Uri?) = onChangeDetected(pairId, pair.wifiOnly, pair.chargingOnly)
                     }
+                    contentResolver.registerContentObserver(treeUri, true, observer)
+                    contentObservers[pairId] = observer
+                    Timber.d("FileWatchService: watching SAF URI (ContentObserver fallback) for pair $pairId")
                 }
-                observer.startWatching()
-                fileObservers[pairId] = observer
-                Timber.d("FileWatchService: watching filesystem path for pair $pairId: $localPath")
+            } else {
+                watchPath(localPath, pairId, pair.wifiOnly, pair.chargingOnly)
             }
         }
 
@@ -122,6 +113,46 @@ class FileWatchService : Service() {
         }
     }
 
+    private fun safTreeUriToRealPath(uriString: String): String? {
+        return try {
+            val treeUri = Uri.parse(uriString)
+            val docId = DocumentsContract.getTreeDocumentId(treeUri)
+            // docId format is "primary:RelativePath" for primary internal storage
+            if (docId.startsWith("primary:")) {
+                val relative = docId.removePrefix("primary:")
+                "/storage/emulated/0/$relative"
+            } else {
+                null
+            }
+        } catch (e: Exception) {
+            Timber.w("FileWatchService: could not resolve SAF URI to real path: $e")
+            null
+        }
+    }
+
+    private fun watchPath(path: String, pairId: Long, wifiOnly: Boolean, chargingOnly: Boolean) {
+        val dir = File(path)
+        if (!dir.exists()) {
+            Timber.w("FileWatchService: path does not exist for pair $pairId: $path")
+            return
+        }
+        val mask = FileObserver.CREATE or FileObserver.DELETE or FileObserver.MODIFY or
+                   FileObserver.MOVED_FROM or FileObserver.MOVED_TO
+        val observer = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
+            object : FileObserver(dir, mask) {
+                override fun onEvent(event: Int, p: String?) = onChangeDetected(pairId, wifiOnly, chargingOnly)
+            }
+        } else {
+            @Suppress("DEPRECATION")
+            object : FileObserver(path, mask) {
+                override fun onEvent(event: Int, p: String?) = onChangeDetected(pairId, wifiOnly, chargingOnly)
+            }
+        }
+        observer.startWatching()
+        fileObservers[pairId] = observer
+        Timber.d("FileWatchService: watching filesystem path for pair $pairId: $path")
+    }
+
     private fun onChangeDetected(pairId: Long, wifiOnly: Boolean, chargingOnly: Boolean) {
         debounceJobs[pairId]?.cancel()
         debounceJobs[pairId] = scope.launch {
@@ -148,7 +179,7 @@ class FileWatchService : Service() {
         val nm = getSystemService(Context.NOTIFICATION_SERVICE) as NotificationManager
         if (nm.getNotificationChannel(CHANNEL_WATCH) == null) {
             nm.createNotificationChannel(
-                NotificationChannel(CHANNEL_WATCH, "File watching", NotificationManager.IMPORTANCE_MIN).apply {
+                NotificationChannel(CHANNEL_WATCH, "File watching", NotificationManager.IMPORTANCE_LOW).apply {
                     description = "Background service watching folders for changes"
                     setShowBadge(false)
                 }

app/src/main/res/drawable/ic_launcher_background.xml

@@ -3,6 +3,7 @@
     <gradient
         android:type="linear"
         android:angle="135"
-        android:startColor="#312E81"
-        android:endColor="#6366F1"/>
+        android:startColor="#2E1065"
+        android:centerColor="#6D28D9"
+        android:endColor="#1E40AF"/>
 </shape>

app/src/main/res/drawable/ic_launcher_foreground.xml

@@ -1,13 +1,70 @@
 <?xml version="1.0" encoding="utf-8"?>
 <vector xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:aapt="http://schemas.android.com/aapt"
     android:width="108dp"
     android:height="108dp"
-    android:viewportWidth="24"
-    android:viewportHeight="24">
+    android:viewportWidth="108"
+    android:viewportHeight="108">
+
+    <!-- Outer soft glow ring -->
     <path
-        android:fillColor="#FFFFFF"
-        android:pathData="M12,4V1L8,5l4,4V6c3.31,0 6,2.69 6,6 0,1.01-0.25,1.97-0.7,2.8l1.46,1.46C19.54,15.03 20,13.57 20,12c0-4.42-3.58-8-8-8z"/>
+        android:pathData="M54,54m-44,0a44,44 0 1,0 88,0a44,44 0 1,0 -88,0"
+        android:fillColor="#12FFFFFF"/>
+
+    <!-- Mid glow ring -->
     <path
-        android:fillColor="#FFFFFF"
-        android:pathData="M12,18c-3.31,0-6,-2.69-6,-6 0,-1.01 0.25,-1.97 0.7,-2.8L5.24,7.74C4.46,8.97 4,10.43 4,12c0,4.42 3.58,8 8,8v3l4,-4-4,-4v3z"/>
+        android:pathData="M54,54m-33,0a33,33 0 1,0 66,0a33,33 0 1,0 -66,0"
+        android:fillColor="#18FFFFFF"/>
+
+    <!-- Inner glow ring -->
+    <path
+        android:pathData="M54,54m-21,0a21,21 0 1,0 42,0a21,21 0 1,0 -42,0"
+        android:fillColor="#10FFFFFF"/>
+
+    <!-- Upload arrow (top-right) — neon cyan → sky blue -->
+    <path android:pathData="M54,18V4.5L36,22.5l18,18V27c14.895,0 27,12.105 27,27 0,4.545-1.125,8.865-3.15,12.6l6.57,6.57C87.93,67.635 90,61.065 90,54c0-19.89-16.11-36-36-36z">
+        <aapt:attr name="android:fillColor">
+            <gradient android:type="linear"
+                android:startX="36" android:startY="4"
+                android:endX="90" android:endY="70"
+                android:startColor="#67E8F9"
+                android:endColor="#38BDF8"/>
+        </aapt:attr>
+    </path>
+
+    <!-- Download arrow (bottom-left) — hot pink → coral -->
+    <path android:pathData="M54,81c-14.895,0-27,-12.105-27,-27 0,-4.545 1.125,-8.865 3.15,-12.6L23.58,34.83C20.07,40.365 18,46.935 18,54c0,19.89 16.11,36 36,36v13.5l18,-18-18,-18v13.5z">
+        <aapt:attr name="android:fillColor">
+            <gradient android:type="linear"
+                android:startX="18" android:startY="35"
+                android:endX="72" android:endY="103"
+                android:startColor="#F472B6"
+                android:endColor="#FB923C"/>
+        </aapt:attr>
+    </path>
+
+    <!-- Center glowing orb -->
+    <path
+        android:pathData="M54,54m-7,0a7,7 0 1,0 14,0a7,7 0 1,0 -14,0"
+        android:fillColor="#60FFFFFF"/>
+    <path
+        android:pathData="M54,54m-4,0a4,4 0 1,0 8,0a4,4 0 1,0 -8,0"
+        android:fillColor="#FFFFFF"/>
+
+    <!-- Cardinal accent sparks -->
+    <!-- Top — cyan -->
+    <path android:pathData="M54,13m-3,0a3,3 0 1,0 6,0a3,3 0 1,0 -6,0" android:fillColor="#22D3EE"/>
+    <!-- Right — indigo -->
+    <path android:pathData="M95,54m-3,0a3,3 0 1,0 6,0a3,3 0 1,0 -6,0" android:fillColor="#818CF8"/>
+    <!-- Bottom — pink -->
+    <path android:pathData="M54,95m-3,0a3,3 0 1,0 6,0a3,3 0 1,0 -6,0" android:fillColor="#F9A8D4"/>
+    <!-- Left — emerald -->
+    <path android:pathData="M13,54m-3,0a3,3 0 1,0 6,0a3,3 0 1,0 -6,0" android:fillColor="#6EE7B7"/>
+
+    <!-- Diagonal mini sparks (45°) -->
+    <path android:pathData="M85,23m-2,0a2,2 0 1,0 4,0a2,2 0 1,0 -4,0" android:fillColor="#A5F3FC"/>
+    <path android:pathData="M85,85m-2,0a2,2 0 1,0 4,0a2,2 0 1,0 -4,0" android:fillColor="#FDBA74"/>
+    <path android:pathData="M23,85m-2,0a2,2 0 1,0 4,0a2,2 0 1,0 -4,0" android:fillColor="#C084FC"/>
+    <path android:pathData="M23,23m-2,0a2,2 0 1,0 4,0a2,2 0 1,0 -4,0" android:fillColor="#86EFAC"/>
+
 </vector>

gradle/libs.versions.toml

@@ -28,8 +28,8 @@ localbroadcastmanager = "1.1.0"
 coil = "2.7.0"
 splashscreen = "1.0.1"
 timber = "5.0.1"
-securityCrypto = "1.1.0-alpha06"
-biometric = "1.2.0-alpha05"
+securityCrypto = "1.0.0"
+biometric = "1.1.0"
 junit = "4.13.2"
 androidxTestExt = "1.2.1"
 espresso = "3.6.1"
@@ -106,7 +106,7 @@ coil-compose = { group = "io.coil-kt", name = "coil-compose", version.ref = "coi
 
 # Security
 security-crypto = { group = "androidx.security", name = "security-crypto", version.ref = "securityCrypto" }
-biometric = { group = "androidx.biometric", name = "biometric-ktx", version.ref = "biometric" }
+biometric = { group = "androidx.biometric", name = "biometric", version.ref = "biometric" }
 
 # Logging
 timber = { group = "com.jakewharton.timber", name = "timber", version.ref = "timber" }

gradle/wrapper/gradle-wrapper.properties

@@ -1,5 +1,5 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=file\:///home/amir/gradle/gradle-8.6/gradle-8.6-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.6-bin.zip
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists

gradlew

@@ -1,2 +1,39 @@
-#!/bin/bash
-exec /home/amir/gradle/gradle-8.6/bin/gradle "$@"
+#!/bin/sh
+##############################################################################
+# Gradle wrapper — standard portable launcher
+##############################################################################
+
+app_path=$0
+while [ -h "$app_path" ]; do
+    ls=$( ls -ld "$app_path" )
+    link=${ls#*' -> '}
+    case $link in
+      /*)   app_path=$link ;;
+      *)    app_path=${app_path%"${app_path##*/}"}$link ;;
+    esac
+done
+APP_HOME=$( cd "${app_path%"${app_path##*/}"}." && pwd -P ) || exit
+
+APP_BASE_NAME=${0##*/}
+DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
+CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
+
+if [ -n "$JAVA_HOME" ]; then
+    JAVACMD=$JAVA_HOME/bin/java
+else
+    JAVACMD=java
+fi
+
+MAX_FD=maximum
+case "$( uname )" in
+  Darwin*) ;;
+  *)
+    MAX_FD=$( ulimit -H -n 2>/dev/null ) && ulimit -n "$MAX_FD" 2>/dev/null ;;
+esac
+
+eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS \
+    "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" \
+    -classpath "\"$CLASSPATH\"" \
+    org.gradle.wrapper.GradleWrapperMain '"$@"'
+
+exec "$JAVACMD" "$@"

version.properties

@@ -1,2 +1,2 @@
-VERSION_NAME=1.0.15
-VERSION_CODE=16
+VERSION_NAME=1.0.21
+VERSION_CODE=22