Move faker plugin back to external (plugins-external/faker)

- Add refreshKey to useGit queries so dropdown data refreshes on open
- Convert fetchAll from mutation to query with 10-minute refetch interval
- Re-run status query after fetchAll completes via dataUpdatedAt key
- Use placeholderData to keep previous data during key changes
- Remove disabled state from Push, Pull, and Commit menu items

.github/workflows/flathub.yml

@@ -0,0 +1,52 @@
+name: Update Flathub
+on:
+  release:
+    types: [published]
+
+permissions:
+  contents: read
+
+jobs:
+  update-flathub:
+    name: Update Flathub manifest
+    runs-on: ubuntu-latest
+    # Only run for stable releases (skip betas/pre-releases)
+    if: ${{ !github.event.release.prerelease }}
+    steps:
+      - name: Checkout app repo
+        uses: actions/checkout@v4
+
+      - name: Checkout Flathub repo
+        uses: actions/checkout@v4
+        with:
+          repository: flathub/app.yaak.Yaak
+          token: ${{ secrets.FLATHUB_TOKEN }}
+          path: flathub-repo
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "22"
+
+      - name: Install source generators
+        run: |
+          pip install flatpak-node-generator tomlkit aiohttp
+          git clone --depth 1 https://github.com/flatpak/flatpak-builder-tools flatpak/flatpak-builder-tools
+
+      - name: Run update-manifest.sh
+        run: bash flatpak/update-manifest.sh "${{ github.event.release.tag_name }}" flathub-repo
+
+      - name: Commit and push to Flathub
+        working-directory: flathub-repo
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git add -A
+          git diff --cached --quiet && echo "No changes to commit" && exit 0
+          git commit -m "Update to ${{ github.event.release.tag_name }}"
+          git push

.gitignore

@@ -44,3 +44,10 @@ crates-tauri/yaak-app/tauri.worktree.conf.json
 # Tauri auto-generated permission files
 **/permissions/autogenerated
 **/permissions/schemas
+
+# Flatpak build artifacts
+flatpak-repo/
+.flatpak-builder/
+flatpak/flatpak-builder-tools/
+flatpak/cargo-sources.json
+flatpak/node-sources.json

MCP_CLIENT_PLAN.md

@@ -1,27 +0,0 @@
-# MCP Client Plan
-
-## Goal
-Add an MCP client mode to Yaak so users can connect to and debug MCP servers.
-
-## Core Design
-- **Protocol layer:** Implement JSON‑RPC framing, message IDs, and notifications as the common core.
-- **Transport interface:** Define an async trait with `connect`, `send`, `receive`, and `close` methods.
-- **Transports:**
-  - Start with **Standard I/O** for local development.
-  - Reuse the existing HTTP stack for **HTTP streaming** next.
-  - Leave hooks for **WebSocket** support later.
-
-## Integration
-- Register MCP as a new request type alongside REST, GraphQL, gRPC, and WebSocket.
-- Allow per‑request transport selection (stdio or HTTP).
-- Map inbound messages into a new MCP response model that feeds existing timeline and debug views.
-
-## Testing and Dog‑fooding
-- Convert Yaak's own MCP server to Standard I/O for local testing.
-- Use it internally to validate protocol behavior and message flow.
-- Add unit and integration tests for JSON‑RPC messaging and transport abstractions.
-
-## Future Refinements
-- Add WebSocket transport support once core paths are stable.
-- Extend timelines for protocol‑level visualization layered over raw transport events.
-- Implement version and capability negotiation between client and server.

crates-cli/yaak-cli/PLAN.md

@@ -1,198 +0,0 @@
-# CLI Command Architecture Plan
-
-## Goal
-
-Redesign the yaak-cli command structure to use a resource-oriented `<resource> <action>`
-pattern that scales well, is discoverable, and supports both human and LLM workflows.
-
-## Command Architecture
-
-### Design Principles
-
-- **Resource-oriented**: top-level commands are nouns, subcommands are verbs
-- **Polymorphic requests**: `request` covers HTTP, gRPC, and WebSocket — the CLI
-  resolves the type via `get_any_request` and adapts behavior accordingly
-- **Simple creation, full-fidelity via JSON**: human-friendly flags for basic creation,
-  `--json` for full control (targeted at LLM and scripting workflows)
-- **Runtime schema introspection**: `request schema` outputs JSON Schema for the request
-  models, with dynamic auth fields populated from loaded plugins at runtime
-- **Destructive actions require confirmation**: `delete` commands prompt for user
-  confirmation before proceeding. Can be bypassed with `--yes` / `-y` for scripting
-
-### Commands
-
-```
-# Top-level shortcut
-yaakcli send <id> [-e <env_id>]          # id can be a request, folder, or workspace
-
-# Resource commands
-yaakcli workspace list
-yaakcli workspace show <id>
-yaakcli workspace create --name <name>
-yaakcli workspace create --json '{"name": "My Workspace"}'
-yaakcli workspace create '{"name": "My Workspace"}'              # positional JSON shorthand
-yaakcli workspace update --json '{"id": "wk_abc", "name": "New Name"}'
-yaakcli workspace delete <id>
-
-yaakcli request list <workspace_id>
-yaakcli request show <id>
-yaakcli request create <workspace_id> --name <name> --url <url> [--method GET]
-yaakcli request create --json '{"workspaceId": "wk_abc", "url": "..."}'
-yaakcli request update --json '{"id": "rq_abc", "url": "https://new.com"}'
-yaakcli request send <id> [-e <env_id>]
-yaakcli request delete <id>
-yaakcli request schema <http|grpc|websocket>
-
-yaakcli folder list <workspace_id>
-yaakcli folder show <id>
-yaakcli folder create <workspace_id> --name <name>
-yaakcli folder create --json '{"workspaceId": "wk_abc", "name": "Auth"}'
-yaakcli folder update --json '{"id": "fl_abc", "name": "New Name"}'
-yaakcli folder delete <id>
-
-yaakcli environment list <workspace_id>
-yaakcli environment show <id>
-yaakcli environment create <workspace_id> --name <name>
-yaakcli environment create --json '{"workspaceId": "wk_abc", "name": "Production"}'
-yaakcli environment update --json '{"id": "ev_abc", ...}'
-yaakcli environment delete <id>
-
-```
-
-### `send` — Top-Level Shortcut
-
-`yaakcli send <id>` is a convenience alias that accepts any sendable ID. It tries
-each type in order via DB lookups (short-circuiting on first match):
-
-1. Request (HTTP, gRPC, or WebSocket via `get_any_request`)
-2. Folder (sends all requests in the folder)
-3. Workspace (sends all requests in the workspace)
-
-ID prefixes exist (e.g. `rq_`, `fl_`, `wk_`) but are not relied upon — resolution
-is purely by DB lookup.
-
-`request send <id>` is the same but restricted to request IDs only.
-
-### Request Send — Polymorphic Behavior
-
-`send` means "execute this request" regardless of protocol:
-
-- **HTTP**: send request, print response, exit
-- **gRPC**: invoke the method; for streaming, stream output to stdout until done/Ctrl+C
-- **WebSocket**: connect, stream messages to stdout until closed/Ctrl+C
-
-### `request schema` — Runtime JSON Schema
-
-Outputs a JSON Schema describing the full request shape, including dynamic fields:
-
-1. Generate base schema from `schemars::JsonSchema` derive on the Rust model structs
-2. Load plugins, collect auth strategy definitions and their form inputs
-3. Merge plugin-defined auth fields into the `authentication` property as a `oneOf`
-4. Output the combined schema as JSON
-
-This lets an LLM call `schema`, read the shape, and construct valid JSON for
-`create --json` or `update --json`.
-
-## Implementation Steps
-
-### Phase 1: Restructure commands (no new functionality)
-
-Refactor `main.rs` into the new resource/action pattern using clap subcommand nesting.
-Existing behavior stays the same, just reorganized. Remove the `get` command.
-
-1. Create module structure: `commands/workspace.rs`, `commands/request.rs`, etc.
-2. Define nested clap enums:
-   ```rust
-   enum Commands {
-       Send(SendArgs),
-       Workspace(WorkspaceArgs),
-       Request(RequestArgs),
-       Folder(FolderArgs),
-       Environment(EnvironmentArgs),
-   }
-   ```
-3. Move existing `Workspaces` logic into `workspace list`
-4. Move existing `Requests` logic into `request list`
-5. Move existing `Send` logic into `request send`
-6. Move existing `Create` logic into `request create`
-7. Delete the `Get` command entirely
-8. Extract shared setup (DB init, plugin init, encryption) into a reusable context struct
-
-### Phase 2: Add missing CRUD commands
-
-1. `workspace show <id>`
-2. `workspace create --name <name>` (and `--json`)
-3. `workspace update --json`
-4. `workspace delete <id>`
-5. `request show <id>` (JSON output of the full request model)
-6. `request delete <id>`
-7. `folder list <workspace_id>`
-8. `folder show <id>`
-9. `folder create <workspace_id> --name <name>` (and `--json`)
-10. `folder update --json`
-11. `folder delete <id>`
-12. `environment list <workspace_id>`
-13. `environment show <id>`
-14. `environment create <workspace_id> --name <name>` (and `--json`)
-15. `environment update --json`
-16. `environment delete <id>`
-
-### Phase 3: JSON input for create/update
-
-Both commands accept JSON via `--json <string>` or as a positional argument (detected
-by leading `{`). They follow the same upsert pattern as the plugin API.
-
-- **`create --json`**: JSON must include `workspaceId`. Must NOT include `id` (or
-  use empty string `""`). Deserializes into the model with defaults for missing fields,
-  then upserts (insert).
-- **`update --json`**: JSON must include `id`. Performs a fetch-merge-upsert:
-  1. Fetch the existing model from DB
-  2. Serialize it to `serde_json::Value`
-  3. Deep-merge the user's partial JSON on top (JSON Merge Patch / RFC 7386 semantics)
-  4. Deserialize back into the typed model
-  5. Upsert (update)
-
-  This matches how the MCP server plugin already does it (fetch existing, spread, override),
-  but the CLI handles the merge server-side so callers don't have to.
-
-  Setting a field to `null` removes it (for `Option<T>` fields), per RFC 7386.
-
-Implementation:
-1. Add `--json` flag and positional JSON detection to `create` commands
-2. Add `update` commands with required `--json` flag
-3. Implement JSON merge utility (or use `json-patch` crate)
-
-### Phase 4: Runtime schema generation
-
-1. Add `schemars` dependency to `yaak-models`
-2. Derive `JsonSchema` on `HttpRequest`, `GrpcRequest`, `WebsocketRequest`, and their
-   nested types (`HttpRequestHeader`, `HttpUrlParameter`, etc.)
-3. Implement `request schema` command:
-   - Generate base schema from schemars
-   - Query plugins for auth strategy form inputs
-   - Convert plugin form inputs into JSON Schema properties
-   - Merge into the `authentication` field
-   - Print to stdout
-
-### Phase 5: Polymorphic send
-
-1. Update `request send` to use `get_any_request` to resolve the request type
-2. Match on `AnyRequest` variant and dispatch to the appropriate sender:
-   - `AnyRequest::HttpRequest` — existing HTTP send logic
-   - `AnyRequest::GrpcRequest` — gRPC invoke (future implementation)
-   - `AnyRequest::WebsocketRequest` — WebSocket connect (future implementation)
-3. gRPC and WebSocket send can initially return "not yet implemented" errors
-
-### Phase 6: Top-level `send` and folder/workspace send
-
-1. Add top-level `yaakcli send <id>` command
-2. Resolve ID by trying DB lookups in order: any_request → folder → workspace
-3. For folder: list all requests in folder, send each
-4. For workspace: list all requests in workspace, send each
-5. Add execution options: `--sequential` (default), `--parallel`, `--fail-fast`
-
-## Crate Changes
-
-- **yaak-cli**: restructure into modules, new clap hierarchy
-- **yaak-models**: add `schemars` dependency, derive `JsonSchema` on model structs
-  (current derives: `Debug, Clone, PartialEq, Serialize, Deserialize, Default, TS`)

crates-tauri/yaak-app/src/render.rs

@@ -38,6 +38,9 @@ pub async fn render_grpc_request<T: TemplateCallback>(
 
     let mut metadata = Vec::new();
     for p in r.metadata.clone() {
+        if !p.enabled {
+            continue;
+        }
         metadata.push(HttpRequestHeader {
             enabled: p.enabled,
             name: parse_and_render(p.name.as_str(), vars, cb, &opt).await?,
@@ -119,6 +122,7 @@ pub async fn render_http_request<T: TemplateCallback>(
 
     let mut body = BTreeMap::new();
     for (k, v) in r.body.clone() {
+        let v = if k == "form" { strip_disabled_form_entries(v) } else { v };
         body.insert(k, render_json_value_raw(v, vars, cb, &opt).await?);
     }
 
@@ -161,3 +165,71 @@ pub async fn render_http_request<T: TemplateCallback>(
 
     Ok(HttpRequest { url, url_parameters, headers, body, authentication, ..r.to_owned() })
 }
+
+/// Strip disabled entries from a JSON array of form objects.
+fn strip_disabled_form_entries(v: Value) -> Value {
+    match v {
+        Value::Array(items) => Value::Array(
+            items
+                .into_iter()
+                .filter(|item| item.get("enabled").and_then(|e| e.as_bool()).unwrap_or(true))
+                .collect(),
+        ),
+        v => v,
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use serde_json::json;
+
+    #[test]
+    fn test_strip_disabled_form_entries() {
+        let input = json!([
+            {"enabled": true, "name": "foo", "value": "bar"},
+            {"enabled": false, "name": "disabled", "value": "gone"},
+            {"enabled": true, "name": "baz", "value": "qux"},
+        ]);
+        let result = strip_disabled_form_entries(input);
+        assert_eq!(
+            result,
+            json!([
+                {"enabled": true, "name": "foo", "value": "bar"},
+                {"enabled": true, "name": "baz", "value": "qux"},
+            ])
+        );
+    }
+
+    #[test]
+    fn test_strip_disabled_form_entries_all_disabled() {
+        let input = json!([
+            {"enabled": false, "name": "a", "value": "b"},
+            {"enabled": false, "name": "c", "value": "d"},
+        ]);
+        let result = strip_disabled_form_entries(input);
+        assert_eq!(result, json!([]));
+    }
+
+    #[test]
+    fn test_strip_disabled_form_entries_missing_enabled_defaults_to_kept() {
+        let input = json!([
+            {"name": "no_enabled_field", "value": "kept"},
+            {"enabled": false, "name": "disabled", "value": "gone"},
+        ]);
+        let result = strip_disabled_form_entries(input);
+        assert_eq!(
+            result,
+            json!([
+                {"name": "no_enabled_field", "value": "kept"},
+            ])
+        );
+    }
+
+    #[test]
+    fn test_strip_disabled_form_entries_non_array_passthrough() {
+        let input = json!("just a string");
+        let result = strip_disabled_form_entries(input.clone());
+        assert_eq!(result, input);
+    }
+}

crates-tauri/yaak-app/tauri.release.conf.json

@@ -1,9 +1,6 @@
 {
   "build": {
-    "features": [
-      "updater",
-      "license"
-    ]
+    "features": ["updater", "license"]
   },
   "app": {
     "security": {
@@ -11,12 +8,8 @@
         "default",
         {
           "identifier": "release",
-          "windows": [
-            "*"
-          ],
-          "permissions": [
-            "yaak-license:default"
-          ]
+          "windows": ["*"],
+          "permissions": ["yaak-license:default"]
         }
       ]
     }
@@ -39,14 +32,7 @@
     "createUpdaterArtifacts": true,
     "longDescription": "A cross-platform desktop app for interacting with REST, GraphQL, and gRPC",
     "shortDescription": "Play with APIs, intuitively",
-    "targets": [
-      "app",
-      "appimage",
-      "deb",
-      "dmg",
-      "nsis",
-      "rpm"
-    ],
+    "targets": ["app", "appimage", "deb", "dmg", "nsis", "rpm"],
     "macOS": {
       "minimumSystemVersion": "13.0",
       "exceptionDomain": "",
@@ -58,10 +44,16 @@
     },
     "linux": {
       "deb": {
-        "desktopTemplate": "./template.desktop"
+        "desktopTemplate": "./template.desktop",
+        "files": {
+          "/usr/share/metainfo/app.yaak.Yaak.metainfo.xml": "../../flatpak/app.yaak.Yaak.metainfo.xml"
+        }
       },
       "rpm": {
-        "desktopTemplate": "./template.desktop"
+        "desktopTemplate": "./template.desktop",
+        "files": {
+          "/usr/share/metainfo/app.yaak.Yaak.metainfo.xml": "../../flatpak/app.yaak.Yaak.metainfo.xml"
+        }
       }
     }
   }

crates/yaak-git/index.ts

@@ -32,22 +32,30 @@ export interface GitCallbacks {
 
 const onSuccess = () => queryClient.invalidateQueries({ queryKey: ['git'] });
 
-export function useGit(dir: string, callbacks: GitCallbacks) {
+export function useGit(dir: string, callbacks: GitCallbacks, refreshKey?: string) {
   const mutations = useMemo(() => gitMutations(dir, callbacks), [dir, callbacks]);
+  const fetchAll = useQuery<void, string>({
+    queryKey: ['git', 'fetch_all', dir, refreshKey],
+    queryFn: () => invoke('cmd_git_fetch_all', { dir }),
+    refetchInterval: 10 * 60_000,
+  });
   return [
     {
       remotes: useQuery<GitRemote[], string>({
-        queryKey: ['git', 'remotes', dir],
+        queryKey: ['git', 'remotes', dir, refreshKey],
         queryFn: () => getRemotes(dir),
+        placeholderData: (prev) => prev,
       }),
       log: useQuery<GitCommit[], string>({
-        queryKey: ['git', 'log', dir],
+        queryKey: ['git', 'log', dir, refreshKey],
         queryFn: () => invoke('cmd_git_log', { dir }),
+        placeholderData: (prev) => prev,
       }),
       status: useQuery<GitStatusSummary, string>({
         refetchOnMount: true,
-        queryKey: ['git', 'status', dir],
+        queryKey: ['git', 'status', dir, refreshKey, fetchAll.dataUpdatedAt],
         queryFn: () => invoke('cmd_git_status', { dir }),
+        placeholderData: (prev) => prev,
       }),
     },
     mutations,
@@ -152,10 +160,7 @@ export const gitMutations = (dir: string, callbacks: GitCallbacks) => {
       },
       onSuccess,
     }),
-    fetchAll: createFastMutation<void, string, void>({
-      mutationKey: ['git', 'fetch_all', dir],
-      mutationFn: () => invoke('cmd_git_fetch_all', { dir }),
-    }),
+
     push: createFastMutation<PushResult, string, void>({
       mutationKey: ['git', 'push', dir],
       mutationFn: push,

crates/yaak-templates/build-wasm.cjs

@@ -0,0 +1,8 @@
+const { execSync } = require('node:child_process');
+
+if (process.env.SKIP_WASM_BUILD === '1') {
+  console.log('Skipping wasm-pack build (SKIP_WASM_BUILD=1)');
+  return;
+}
+
+execSync('wasm-pack build --target bundler', { stdio: 'inherit' });

crates/yaak-templates/package.json

@@ -6,7 +6,7 @@
   "scripts": {
     "bootstrap": "npm run build",
     "build": "run-s build:*",
-    "build:pack": "wasm-pack build --target bundler",
+    "build:pack": "node build-wasm.cjs",
     "build:clean": "rimraf ./pkg/.gitignore"
   },
   "devDependencies": {

crates/yaak-ws/src/render.rs

@@ -16,6 +16,9 @@ pub async fn render_websocket_request<T: TemplateCallback>(
 
     let mut url_parameters = Vec::new();
     for p in r.url_parameters.clone() {
+        if !p.enabled {
+            continue;
+        }
         url_parameters.push(HttpUrlParameter {
             enabled: p.enabled,
             name: parse_and_render(&p.name, vars, cb, opt).await?,
@@ -26,6 +29,9 @@ pub async fn render_websocket_request<T: TemplateCallback>(
 
     let mut headers = Vec::new();
     for p in r.headers.clone() {
+        if !p.enabled {
+            continue;
+        }
         headers.push(HttpRequestHeader {
             enabled: p.enabled,
             name: parse_and_render(&p.name, vars, cb, opt).await?,

flatpak/app.yaak.Yaak.metainfo.xml

@@ -0,0 +1,57 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<component type="desktop-application">
+  <id>app.yaak.Yaak</id>
+
+  <name>Yaak</name>
+  <summary>An offline, Git friendly API Client</summary>
+
+  <developer id="app.yaak">
+    <name>Yaak</name>
+  </developer>
+
+  <metadata_license>MIT</metadata_license>
+  <project_license>MIT</project_license>
+
+  <url type="homepage">https://yaak.app</url>
+  <url type="bugtracker">https://yaak.app/feedback</url>
+  <url type="contact">https://yaak.app/feedback</url>
+  <url type="vcs-browser">https://github.com/mountain-loop/yaak</url>
+
+  <description>
+    <p>
+      A fast, privacy-first API client for REST, GraphQL, SSE, WebSocket,
+      and gRPC — built with Tauri, Rust, and React.
+    </p>
+    <p>Features include:</p>
+    <ul>
+      <li>REST, GraphQL, SSE, WebSocket, and gRPC support</li>
+      <li>Local-only data, secrets encryption, and zero telemetry</li>
+      <li>Git-friendly plain-text project storage</li>
+      <li>Environment variables and template functions</li>
+      <li>Request chaining and dynamic values</li>
+      <li>OAuth 2.0, Bearer, Basic, API Key, AWS, JWT, and NTLM authentication</li>
+      <li>Import from cURL, Postman, Insomnia, and OpenAPI</li>
+      <li>Extensible plugin system</li>
+    </ul>
+  </description>
+
+  <launchable type="desktop-id">app.yaak.Yaak.desktop</launchable>
+
+  <branding>
+    <color type="primary" scheme_preference="light">#8b32ff</color>
+    <color type="primary" scheme_preference="dark">#c293ff</color>
+  </branding>
+
+  <content_rating type="oars-1.1" />
+
+  <screenshots>
+    <screenshot type="default">
+      <caption>Crafting an API request</caption>
+      <image>https://assets.yaak.app/uploads/screenshot-BLG1w_2310x1326.png</image>
+    </screenshot>
+  </screenshots>
+
+  <releases>
+    <release version="2026.2.0" date="2026-02-10" />
+  </releases>
+</component>

flatpak/fix-lockfile.mjs

@@ -0,0 +1,75 @@
+#!/usr/bin/env node
+
+// Adds missing `resolved` and `integrity` fields to npm package-lock.json.
+//
+// npm sometimes omits these fields for nested dependencies inside workspace
+// packages. This breaks offline installs and tools like flatpak-node-generator
+// that need explicit tarball URLs for every package.
+//
+// Based on https://github.com/grant-dennison/npm-package-lock-add-resolved
+// (MIT License, Copyright (c) 2024 Grant Dennison)
+
+import { readFile, writeFile } from "node:fs/promises";
+import { get } from "node:https";
+
+const lockfilePath = process.argv[2] || "package-lock.json";
+
+function fetchJson(url) {
+  return new Promise((resolve, reject) => {
+    get(url, (res) => {
+      let data = "";
+      res.on("data", (chunk) => {
+        data += chunk;
+      });
+      res.on("end", () => {
+        if (res.statusCode === 200) {
+          resolve(JSON.parse(data));
+        } else {
+          reject(`${url} returned ${res.statusCode} ${res.statusMessage}`);
+        }
+      });
+      res.on("error", reject);
+    }).on("error", reject);
+  });
+}
+
+async function fillResolved(name, p) {
+  const version = p.version.replace(/^.*@/, "");
+  console.log(`Retrieving metadata for ${name}@${version}`);
+  const metadataUrl = `https://registry.npmjs.com/${name}/${version}`;
+  const metadata = await fetchJson(metadataUrl);
+  p.resolved = metadata.dist.tarball;
+  p.integrity = metadata.dist.integrity;
+}
+
+let changesMade = false;
+
+async function fillAllResolved(packages) {
+  for (const packagePath in packages) {
+    if (packagePath === "") continue;
+    if (!packagePath.includes("node_modules/")) continue;
+    const p = packages[packagePath];
+    if (p.link) continue;
+    if (!p.inBundle && !p.bundled && (!p.resolved || !p.integrity)) {
+      const packageName =
+        p.name ||
+        /^npm:(.+?)@.+$/.exec(p.version)?.[1] ||
+        packagePath.replace(/^.*node_modules\/(?=.+?$)/, "");
+      await fillResolved(packageName, p);
+      changesMade = true;
+    }
+  }
+}
+
+const oldContents = await readFile(lockfilePath, "utf-8");
+const packageLock = JSON.parse(oldContents);
+
+await fillAllResolved(packageLock.packages ?? []);
+
+if (changesMade) {
+  const newContents = JSON.stringify(packageLock, null, 2) + "\n";
+  await writeFile(lockfilePath, newContents);
+  console.log(`Updated ${lockfilePath}`);
+} else {
+  console.log("No changes needed.");
+}

flatpak/generate-sources.sh

@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+#
+# Generate offline dependency source files for Flatpak builds.
+#
+# Prerequisites:
+#   pip install flatpak-node-generator tomlkit aiohttp
+#   Clone https://github.com/flatpak/flatpak-builder-tools (for cargo generator)
+#
+# Usage:
+#   ./flatpak/generate-sources.sh <flathub-repo-path>
+#   ./flatpak/generate-sources.sh ../flathub-repo
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+
+if [ $# -lt 1 ]; then
+    echo "Usage: $0 <flathub-repo-path>"
+    echo "Example: $0 ../flathub-repo"
+    exit 1
+fi
+
+FLATHUB_REPO="$(cd "$1" && pwd)"
+
+python3 "$SCRIPT_DIR/flatpak-builder-tools/cargo/flatpak-cargo-generator.py" \
+  -o "$FLATHUB_REPO/cargo-sources.json" "$REPO_ROOT/Cargo.lock"
+
+TMPDIR=$(mktemp -d)
+trap 'rm -rf "$TMPDIR"' EXIT
+
+cp "$REPO_ROOT/package-lock.json" "$TMPDIR/package-lock.json"
+cp "$REPO_ROOT/package.json" "$TMPDIR/package.json"
+
+node "$SCRIPT_DIR/fix-lockfile.mjs" "$TMPDIR/package-lock.json"
+
+node -e "
+  const fs = require('fs');
+  const p = process.argv[1];
+  const d = JSON.parse(fs.readFileSync(p, 'utf-8'));
+  for (const [name, info] of Object.entries(d.packages || {})) {
+    if (name && (info.link || !info.resolved)) delete d.packages[name];
+  }
+  fs.writeFileSync(p, JSON.stringify(d, null, 2));
+" "$TMPDIR/package-lock.json"
+
+flatpak-node-generator --no-requests-cache \
+  -o "$FLATHUB_REPO/node-sources.json" npm "$TMPDIR/package-lock.json"

flatpak/update-manifest.sh

@@ -0,0 +1,86 @@
+#!/usr/bin/env bash
+#
+# Update the Flathub repo for a new release.
+#
+# Usage:
+#   ./flatpak/update-manifest.sh <version-tag> <flathub-repo-path>
+#   ./flatpak/update-manifest.sh v2026.2.0 ../flathub-repo
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+
+if [ $# -lt 2 ]; then
+    echo "Usage: $0 <version-tag> <flathub-repo-path>"
+    echo "Example: $0 v2026.2.0 ../flathub-repo"
+    exit 1
+fi
+
+VERSION_TAG="$1"
+VERSION="${VERSION_TAG#v}"
+FLATHUB_REPO="$(cd "$2" && pwd)"
+MANIFEST="$FLATHUB_REPO/app.yaak.Yaak.yml"
+METAINFO="$SCRIPT_DIR/app.yaak.Yaak.metainfo.xml"
+
+if [[ "$VERSION" == *-* ]]; then
+    echo "Skipping pre-release version '$VERSION_TAG' (only stable releases are published to Flathub)"
+    exit 0
+fi
+
+REPO="mountain-loop/yaak"
+COMMIT=$(git ls-remote "https://github.com/$REPO.git" "refs/tags/$VERSION_TAG" | cut -f1)
+
+if [ -z "$COMMIT" ]; then
+    echo "Error: Could not resolve commit for tag $VERSION_TAG"
+    exit 1
+fi
+
+echo "Tag: $VERSION_TAG"
+echo "Commit: $COMMIT"
+
+# Update git tag and commit in the manifest
+sed -i "s|tag: v.*|tag: $VERSION_TAG|" "$MANIFEST"
+sed -i "s|commit: .*|commit: $COMMIT|" "$MANIFEST"
+echo "Updated manifest tag and commit."
+
+# Regenerate offline dependency sources from the tagged lockfiles
+TMPDIR=$(mktemp -d)
+trap 'rm -rf "$TMPDIR"' EXIT
+
+echo "Fetching lockfiles from $VERSION_TAG..."
+curl -fsSL "https://raw.githubusercontent.com/$REPO/$VERSION_TAG/Cargo.lock" -o "$TMPDIR/Cargo.lock"
+curl -fsSL "https://raw.githubusercontent.com/$REPO/$VERSION_TAG/package-lock.json" -o "$TMPDIR/package-lock.json"
+curl -fsSL "https://raw.githubusercontent.com/$REPO/$VERSION_TAG/package.json" -o "$TMPDIR/package.json"
+
+echo "Generating cargo-sources.json..."
+python3 "$SCRIPT_DIR/flatpak-builder-tools/cargo/flatpak-cargo-generator.py" \
+  -o "$FLATHUB_REPO/cargo-sources.json" "$TMPDIR/Cargo.lock"
+
+echo "Generating node-sources.json..."
+node "$SCRIPT_DIR/fix-lockfile.mjs" "$TMPDIR/package-lock.json"
+
+node -e "
+  const fs = require('fs');
+  const p = process.argv[1];
+  const d = JSON.parse(fs.readFileSync(p, 'utf-8'));
+  for (const [name, info] of Object.entries(d.packages || {})) {
+    if (name && (info.link || !info.resolved)) delete d.packages[name];
+  }
+  fs.writeFileSync(p, JSON.stringify(d, null, 2));
+" "$TMPDIR/package-lock.json"
+
+flatpak-node-generator --no-requests-cache \
+  -o "$FLATHUB_REPO/node-sources.json" npm "$TMPDIR/package-lock.json"
+
+# Update metainfo with new release
+TODAY=$(date +%Y-%m-%d)
+sed -i "s|  <releases>|  <releases>\n    <release version=\"$VERSION\" date=\"$TODAY\" />|" "$METAINFO"
+echo "Updated metainfo with release $VERSION."
+
+echo ""
+echo "Done! Review the changes:"
+echo "  $MANIFEST"
+echo "  $METAINFO"
+echo "  $FLATHUB_REPO/cargo-sources.json"
+echo "  $FLATHUB_REPO/node-sources.json"

package-lock.json

@@ -12,7 +12,7 @@
         "packages/plugin-runtime",
         "packages/plugin-runtime-types",
         "plugins-external/mcp-server",
-        "plugins-external/template-function-faker",
+        "plugins-external/faker",
         "plugins-external/httpsnippet",
         "plugins/action-copy-curl",
         "plugins/action-copy-grpcurl",
@@ -3922,13 +3922,6 @@
         "@types/react": "*"
       }
     },
-    "node_modules/@types/shell-quote": {
-      "version": "1.7.5",
-      "resolved": "https://registry.npmjs.org/@types/shell-quote/-/shell-quote-1.7.5.tgz",
-      "integrity": "sha512-+UE8GAGRPbJVQDdxi16dgadcBfQ+KG2vgZhV1+3A1XmHbmwcdwhCUwIdy+d3pAGrbvgRoVSjeI9vOWyq376Yzw==",
-      "dev": true,
-      "license": "MIT"
-    },
     "node_modules/@types/unist": {
       "version": "3.0.3",
       "resolved": "https://registry.npmjs.org/@types/unist/-/unist-3.0.3.tgz",
@@ -4160,6 +4153,10 @@
       "resolved": "plugins/auth-oauth2",
       "link": true
     },
+    "node_modules/@yaak/faker": {
+      "resolved": "plugins-external/faker",
+      "link": true
+    },
     "node_modules/@yaak/filter-jsonpath": {
       "resolved": "plugins/filter-jsonpath",
       "link": true
@@ -13405,6 +13402,7 @@
       "version": "1.8.3",
       "resolved": "https://registry.npmjs.org/shell-quote/-/shell-quote-1.8.3.tgz",
       "integrity": "sha512-ObmnIF4hXNg1BqhnHmgbDETF8dLPCggZWBjkQfhZpbszZnYur5DUljTcCHii5LC3J5E0yeO/1LIMyH+UvHQgyw==",
+      "dev": true,
       "license": "MIT",
       "engines": {
         "node": ">= 0.4"
@@ -13413,6 +13411,12 @@
         "url": "https://github.com/sponsors/ljharb"
       }
     },
+    "node_modules/shlex": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/shlex/-/shlex-3.0.0.tgz",
+      "integrity": "sha512-jHPXQQk9d/QXCvJuLPYMOYWez3c43sORAgcIEoV7bFv5AJSJRAOyw5lQO12PMfd385qiLRCaDt7OtEzgrIGZUA==",
+      "license": "MIT"
+    },
     "node_modules/should": {
       "version": "13.2.3",
       "resolved": "https://registry.npmjs.org/should/-/should-13.2.3.tgz",
@@ -15953,9 +15957,36 @@
         "undici-types": "~7.16.0"
       }
     },
+    "plugins-external/faker": {
+      "name": "@yaak/faker",
+      "version": "1.1.1",
+      "dependencies": {
+        "@faker-js/faker": "^10.1.0"
+      },
+      "devDependencies": {
+        "@types/node": "^25.0.3",
+        "typescript": "^5.9.3"
+      }
+    },
+    "plugins-external/faker/node_modules/@faker-js/faker": {
+      "version": "10.3.0",
+      "resolved": "https://registry.npmjs.org/@faker-js/faker/-/faker-10.3.0.tgz",
+      "integrity": "sha512-It0Sne6P3szg7JIi6CgKbvTZoMjxBZhcv91ZrqrNuaZQfB5WoqYYbzCUOq89YR+VY8juY9M1vDWmDDa2TzfXCw==",
+      "funding": [
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/fakerjs"
+        }
+      ],
+      "license": "MIT",
+      "engines": {
+        "node": "^20.19.0 || ^22.13.0 || ^23.5.0 || >=24.0.0",
+        "npm": ">=10"
+      }
+    },
     "plugins-external/httpsnippet": {
       "name": "@yaak/httpsnippet",
-      "version": "1.0.0",
+      "version": "1.0.3",
       "dependencies": {
         "@readme/httpsnippet": "^11.0.0"
       },
@@ -15983,7 +16014,7 @@
     },
     "plugins-external/mcp-server": {
       "name": "@yaak/mcp-server",
-      "version": "0.1.7",
+      "version": "0.2.1",
       "dependencies": {
         "@hono/mcp": "^0.2.3",
         "@hono/node-server": "^1.19.7",
@@ -16080,10 +16111,7 @@
       "name": "@yaak/importer-curl",
       "version": "0.1.0",
       "dependencies": {
-        "shell-quote": "^1.8.1"
-      },
-      "devDependencies": {
-        "@types/shell-quote": "^1.7.5"
+        "shlex": "^3.0.0"
       }
     },
     "plugins/importer-insomnia": {

package.json

@@ -11,7 +11,7 @@
     "packages/plugin-runtime",
     "packages/plugin-runtime-types",
     "plugins-external/mcp-server",
-    "plugins-external/template-function-faker",
+    "plugins-external/faker",
     "plugins-external/httpsnippet",
     "plugins/action-copy-curl",
     "plugins/action-copy-grpcurl",

plugins-external/faker/tests/__snapshots__/init.test.ts.snap

@@ -0,0 +1,233 @@
+// Vitest Snapshot v1, https://vitest.dev/guide/snapshot.html
+
+exports[`template-function-faker > exports all expected template functions 1`] = `
+[
+  "faker.airline.aircraftType",
+  "faker.airline.airline",
+  "faker.airline.airplane",
+  "faker.airline.airport",
+  "faker.airline.flightNumber",
+  "faker.airline.recordLocator",
+  "faker.airline.seat",
+  "faker.animal.bear",
+  "faker.animal.bird",
+  "faker.animal.cat",
+  "faker.animal.cetacean",
+  "faker.animal.cow",
+  "faker.animal.crocodilia",
+  "faker.animal.dog",
+  "faker.animal.fish",
+  "faker.animal.horse",
+  "faker.animal.insect",
+  "faker.animal.lion",
+  "faker.animal.petName",
+  "faker.animal.rabbit",
+  "faker.animal.rodent",
+  "faker.animal.snake",
+  "faker.animal.type",
+  "faker.color.cmyk",
+  "faker.color.colorByCSSColorSpace",
+  "faker.color.cssSupportedFunction",
+  "faker.color.cssSupportedSpace",
+  "faker.color.hsl",
+  "faker.color.human",
+  "faker.color.hwb",
+  "faker.color.lab",
+  "faker.color.lch",
+  "faker.color.rgb",
+  "faker.color.space",
+  "faker.commerce.department",
+  "faker.commerce.isbn",
+  "faker.commerce.price",
+  "faker.commerce.product",
+  "faker.commerce.productAdjective",
+  "faker.commerce.productDescription",
+  "faker.commerce.productMaterial",
+  "faker.commerce.productName",
+  "faker.commerce.upc",
+  "faker.company.buzzAdjective",
+  "faker.company.buzzNoun",
+  "faker.company.buzzPhrase",
+  "faker.company.buzzVerb",
+  "faker.company.catchPhrase",
+  "faker.company.catchPhraseAdjective",
+  "faker.company.catchPhraseDescriptor",
+  "faker.company.catchPhraseNoun",
+  "faker.company.name",
+  "faker.database.collation",
+  "faker.database.column",
+  "faker.database.engine",
+  "faker.database.mongodbObjectId",
+  "faker.database.type",
+  "faker.date.anytime",
+  "faker.date.between",
+  "faker.date.betweens",
+  "faker.date.birthdate",
+  "faker.date.future",
+  "faker.date.month",
+  "faker.date.past",
+  "faker.date.recent",
+  "faker.date.soon",
+  "faker.date.timeZone",
+  "faker.date.weekday",
+  "faker.finance.accountName",
+  "faker.finance.accountNumber",
+  "faker.finance.amount",
+  "faker.finance.bic",
+  "faker.finance.bitcoinAddress",
+  "faker.finance.creditCardCVV",
+  "faker.finance.creditCardIssuer",
+  "faker.finance.creditCardNumber",
+  "faker.finance.currency",
+  "faker.finance.currencyCode",
+  "faker.finance.currencyName",
+  "faker.finance.currencyNumericCode",
+  "faker.finance.currencySymbol",
+  "faker.finance.ethereumAddress",
+  "faker.finance.iban",
+  "faker.finance.litecoinAddress",
+  "faker.finance.pin",
+  "faker.finance.routingNumber",
+  "faker.finance.transactionDescription",
+  "faker.finance.transactionType",
+  "faker.git.branch",
+  "faker.git.commitDate",
+  "faker.git.commitEntry",
+  "faker.git.commitMessage",
+  "faker.git.commitSha",
+  "faker.hacker.abbreviation",
+  "faker.hacker.adjective",
+  "faker.hacker.ingverb",
+  "faker.hacker.noun",
+  "faker.hacker.phrase",
+  "faker.hacker.verb",
+  "faker.image.avatar",
+  "faker.image.avatarGitHub",
+  "faker.image.dataUri",
+  "faker.image.personPortrait",
+  "faker.image.url",
+  "faker.image.urlLoremFlickr",
+  "faker.image.urlPicsumPhotos",
+  "faker.internet.displayName",
+  "faker.internet.domainName",
+  "faker.internet.domainSuffix",
+  "faker.internet.domainWord",
+  "faker.internet.email",
+  "faker.internet.emoji",
+  "faker.internet.exampleEmail",
+  "faker.internet.httpMethod",
+  "faker.internet.httpStatusCode",
+  "faker.internet.ip",
+  "faker.internet.ipv4",
+  "faker.internet.ipv6",
+  "faker.internet.jwt",
+  "faker.internet.jwtAlgorithm",
+  "faker.internet.mac",
+  "faker.internet.password",
+  "faker.internet.port",
+  "faker.internet.protocol",
+  "faker.internet.url",
+  "faker.internet.userAgent",
+  "faker.internet.username",
+  "faker.location.buildingNumber",
+  "faker.location.cardinalDirection",
+  "faker.location.city",
+  "faker.location.continent",
+  "faker.location.country",
+  "faker.location.countryCode",
+  "faker.location.county",
+  "faker.location.direction",
+  "faker.location.language",
+  "faker.location.latitude",
+  "faker.location.longitude",
+  "faker.location.nearbyGPSCoordinate",
+  "faker.location.ordinalDirection",
+  "faker.location.secondaryAddress",
+  "faker.location.state",
+  "faker.location.street",
+  "faker.location.streetAddress",
+  "faker.location.timeZone",
+  "faker.location.zipCode",
+  "faker.lorem.lines",
+  "faker.lorem.paragraph",
+  "faker.lorem.paragraphs",
+  "faker.lorem.sentence",
+  "faker.lorem.sentences",
+  "faker.lorem.slug",
+  "faker.lorem.text",
+  "faker.lorem.word",
+  "faker.lorem.words",
+  "faker.music.album",
+  "faker.music.artist",
+  "faker.music.genre",
+  "faker.music.songName",
+  "faker.number.bigInt",
+  "faker.number.binary",
+  "faker.number.float",
+  "faker.number.hex",
+  "faker.number.int",
+  "faker.number.octal",
+  "faker.number.romanNumeral",
+  "faker.person.bio",
+  "faker.person.firstName",
+  "faker.person.fullName",
+  "faker.person.gender",
+  "faker.person.jobArea",
+  "faker.person.jobDescriptor",
+  "faker.person.jobTitle",
+  "faker.person.jobType",
+  "faker.person.lastName",
+  "faker.person.middleName",
+  "faker.person.prefix",
+  "faker.person.sex",
+  "faker.person.sexType",
+  "faker.person.suffix",
+  "faker.person.zodiacSign",
+  "faker.phone.imei",
+  "faker.phone.number",
+  "faker.science.chemicalElement",
+  "faker.science.unit",
+  "faker.string.alpha",
+  "faker.string.alphanumeric",
+  "faker.string.binary",
+  "faker.string.fromCharacters",
+  "faker.string.hexadecimal",
+  "faker.string.nanoid",
+  "faker.string.numeric",
+  "faker.string.octal",
+  "faker.string.sample",
+  "faker.string.symbol",
+  "faker.string.ulid",
+  "faker.string.uuid",
+  "faker.system.commonFileExt",
+  "faker.system.commonFileName",
+  "faker.system.commonFileType",
+  "faker.system.cron",
+  "faker.system.directoryPath",
+  "faker.system.fileExt",
+  "faker.system.fileName",
+  "faker.system.filePath",
+  "faker.system.fileType",
+  "faker.system.mimeType",
+  "faker.system.networkInterface",
+  "faker.system.semver",
+  "faker.vehicle.bicycle",
+  "faker.vehicle.color",
+  "faker.vehicle.fuel",
+  "faker.vehicle.manufacturer",
+  "faker.vehicle.model",
+  "faker.vehicle.type",
+  "faker.vehicle.vehicle",
+  "faker.vehicle.vin",
+  "faker.vehicle.vrm",
+  "faker.word.adjective",
+  "faker.word.adverb",
+  "faker.word.conjunction",
+  "faker.word.interjection",
+  "faker.word.noun",
+  "faker.word.preposition",
+  "faker.word.sample",
+  "faker.word.verb",
+  "faker.word.words",
+]
+`;

plugins-external/faker/tests/init.test.ts

@@ -1,9 +1,12 @@
 import { describe, expect, it } from 'vitest';
 
-describe('formatDatetime', () => {
-  it('returns formatted current date', async () => {
-    // Ensure the plugin imports properly
-    const faker = await import('../src/index');
-    expect(faker.plugin.templateFunctions?.length).toBe(226);
+describe('template-function-faker', () => {
+  it('exports all expected template functions', async () => {
+    const { plugin } = await import('../src/index');
+    const names = plugin.templateFunctions?.map((fn) => fn.name).sort() ?? [];
+
+    // Snapshot the full list of exported function names so we catch any
+    // accidental additions, removals, or renames across faker upgrades.
+    expect(names).toMatchSnapshot();
   });
 });

plugins/importer-curl/package.json

@@ -10,9 +10,6 @@
     "test": "vitest --run tests"
   },
   "dependencies": {
-    "shell-quote": "^1.8.1"
-  },
-  "devDependencies": {
-    "@types/shell-quote": "^1.7.5"
+    "shlex": "^3.0.0"
   }
 }

plugins/importer-curl/src/index.ts

@@ -7,8 +7,7 @@ import type {
   PluginDefinition,
   Workspace,
 } from '@yaakapp/api';
-import type { ControlOperator, ParseEntry } from 'shell-quote';
-import { parse } from 'shell-quote';
+import { split } from 'shlex';
 
 type AtLeast<T, K extends keyof T> = Partial<T> & Pick<T, K>;
 
@@ -56,31 +55,89 @@ export const plugin: PluginDefinition = {
 };
 
 /**
- * Decodes escape sequences in shell $'...' strings
- * Handles Unicode escape sequences (\uXXXX) and common escape codes
+ * Splits raw input into individual shell command strings.
+ * Handles line continuations, semicolons, and newline-separated curl commands.
  */
-function decodeShellString(str: string): string {
-  return str
-    .replace(/\\u([0-9a-fA-F]{4})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)))
-    .replace(/\\x([0-9a-fA-F]{2})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)))
-    .replace(/\\n/g, '\n')
-    .replace(/\\r/g, '\r')
-    .replace(/\\t/g, '\t')
-    .replace(/\\'/g, "'")
-    .replace(/\\"/g, '"')
-    .replace(/\\\\/g, '\\');
-}
+function splitCommands(rawData: string): string[] {
+  // Join line continuations (backslash-newline, and backslash-CRLF for Windows)
+  const joined = rawData.replace(/\\\r?\n/g, ' ');
 
-/**
- * Checks if a string might contain escape sequences that need decoding
- * If so, decodes them; otherwise returns the string as-is
- */
-function maybeDecodeEscapeSequences(str: string): string {
-  // Check if the string contains escape sequences that shell-quote might not handle
-  if (str.includes('\\u') || str.includes('\\x')) {
-    return decodeShellString(str);
+  // Count consecutive backslashes immediately before position i.
+  // An even count means the quote at i is NOT escaped; odd means it IS escaped.
+  function isEscaped(i: number): boolean {
+    let backslashes = 0;
+    let j = i - 1;
+    while (j >= 0 && joined[j] === '\\') {
+      backslashes++;
+      j--;
+    }
+    return backslashes % 2 !== 0;
   }
-  return str;
+
+  // Split on semicolons and newlines to separate commands
+  const commands: string[] = [];
+  let current = '';
+  let inSingleQuote = false;
+  let inDoubleQuote = false;
+  let inDollarQuote = false;
+
+  for (let i = 0; i < joined.length; i++) {
+    const ch = joined[i]!;
+    const next = joined[i + 1];
+
+    // Track quoting state to avoid splitting inside quoted strings
+    if (!inDoubleQuote && !inDollarQuote && ch === "'" && !inSingleQuote) {
+      inSingleQuote = true;
+      current += ch;
+      continue;
+    }
+    if (inSingleQuote && ch === "'") {
+      inSingleQuote = false;
+      current += ch;
+      continue;
+    }
+    if (!inSingleQuote && !inDollarQuote && ch === '"' && !inDoubleQuote) {
+      inDoubleQuote = true;
+      current += ch;
+      continue;
+    }
+    if (inDoubleQuote && ch === '"' && !isEscaped(i)) {
+      inDoubleQuote = false;
+      current += ch;
+      continue;
+    }
+    if (!inSingleQuote && !inDoubleQuote && !inDollarQuote && ch === '$' && next === "'") {
+      inDollarQuote = true;
+      current += ch + next;
+      i++; // Skip the opening quote
+      continue;
+    }
+    if (inDollarQuote && ch === "'" && !isEscaped(i)) {
+      inDollarQuote = false;
+      current += ch;
+      continue;
+    }
+
+    const inQuote = inSingleQuote || inDoubleQuote || inDollarQuote;
+
+    // Split on ;, newline, or CRLF when not inside quotes and not escaped
+    if (!inQuote && !isEscaped(i) && (ch === ';' || ch === '\n' || (ch === '\r' && next === '\n'))) {
+      if (ch === '\r') i++; // Skip the \n in \r\n
+      if (current.trim()) {
+        commands.push(current.trim());
+      }
+      current = '';
+      continue;
+    }
+
+    current += ch;
+  }
+
+  if (current.trim()) {
+    commands.push(current.trim());
+  }
+
+  return commands;
 }
 
 export function convertCurl(rawData: string) {
@@ -88,68 +145,17 @@ export function convertCurl(rawData: string) {
     return null;
   }
 
-  const commands: ParseEntry[][] = [];
+  const commands: string[][] = splitCommands(rawData).map((cmd) => {
+    const tokens = split(cmd);
 
-  // Replace non-escaped newlines with semicolons to make parsing easier
-  // NOTE: This is really slow in debug build but fast in release mode
-  const normalizedData = rawData.replace(/\ncurl/g, '; curl');
-
-  let currentCommand: ParseEntry[] = [];
-
-  const parsed = parse(normalizedData);
-
-  // Break up `-XPOST` into `-X POST`
-  const normalizedParseEntries = parsed.flatMap((entry) => {
-    if (
-      typeof entry === 'string' &&
-      entry.startsWith('-') &&
-      !entry.startsWith('--') &&
-      entry.length > 2
-    ) {
-      return [entry.slice(0, 2), entry.slice(2)];
-    }
-    return entry;
-  });
-
-  for (const parseEntry of normalizedParseEntries) {
-    if (typeof parseEntry === 'string') {
-      if (parseEntry.startsWith('$')) {
-        // Handle $'...' strings from shell-quote - decode escape sequences
-        currentCommand.push(decodeShellString(parseEntry.slice(1)));
-      } else {
-        // Decode escape sequences that shell-quote might not handle
-        currentCommand.push(maybeDecodeEscapeSequences(parseEntry));
+    // Break up squished arguments like `-XPOST` into `-X POST`
+    return tokens.flatMap((token) => {
+      if (token.startsWith('-') && !token.startsWith('--') && token.length > 2) {
+        return [token.slice(0, 2), token.slice(2)];
       }
-      continue;
-    }
-
-    if ('comment' in parseEntry) {
-      continue;
-    }
-
-    const { op } = parseEntry as { op: 'glob'; pattern: string } | { op: ControlOperator };
-
-    // `;` separates commands
-    if (op === ';') {
-      commands.push(currentCommand);
-      currentCommand = [];
-      continue;
-    }
-
-    if (op?.startsWith('$')) {
-      // Handle the case where literal like -H $'Header: \'Some Quoted Thing\''
-      const str = decodeShellString(op.slice(2, op.length - 1));
-
-      currentCommand.push(str);
-      continue;
-    }
-
-    if (op === 'glob') {
-      currentCommand.push((parseEntry as { op: 'glob'; pattern: string }).pattern);
-    }
-  }
-
-  commands.push(currentCommand);
+      return token;
+    });
+  });
 
   const workspace: ExportResources['workspaces'][0] = {
     model: 'workspace',
@@ -169,12 +175,12 @@ export function convertCurl(rawData: string) {
   };
 }
 
-function importCommand(parseEntries: ParseEntry[], workspaceId: string) {
+function importCommand(parseEntries: string[], workspaceId: string) {
   // ~~~~~~~~~~~~~~~~~~~~~ //
   // Collect all the flags //
   // ~~~~~~~~~~~~~~~~~~~~~ //
   const flagsByName: FlagsByName = {};
-  const singletons: ParseEntry[] = [];
+  const singletons: string[] = [];
 
   // Start at 1 so we can skip the ^curl part
   for (let i = 1; i < parseEntries.length; i++) {

plugins/importer-curl/tests/index.test.ts

@@ -112,9 +112,28 @@ describe('importer-curl', () => {
     });
   });
 
+  test('Imports with Windows CRLF line endings', () => {
+    expect(
+      convertCurl('curl \\\r\n  -X POST \\\r\n  https://yaak.app'),
+    ).toEqual({
+      resources: {
+        workspaces: [baseWorkspace()],
+        httpRequests: [
+          baseRequest({ url: 'https://yaak.app', method: 'POST' }),
+        ],
+      },
+    });
+  });
+
+  test('Throws on malformed quotes', () => {
+    expect(() =>
+      convertCurl('curl -X POST -F "a=aaa" -F b=bbb" https://yaak.app'),
+    ).toThrow();
+  });
+
   test('Imports form data', () => {
     expect(
-      convertCurl('curl -X POST -F "a=aaa" -F b=bbb" -F f=@filepath https://yaak.app'),
+      convertCurl('curl -X POST -F "a=aaa" -F b=bbb -F f=@filepath https://yaak.app'),
     ).toEqual({
       resources: {
         workspaces: [baseWorkspace()],
@@ -476,6 +495,130 @@ describe('importer-curl', () => {
     });
   });
 
+  test('Imports JSON body with newlines in $quotes', () => {
+    expect(
+      convertCurl(
+        `curl 'https://yaak.app' -H 'Content-Type: application/json' --data-raw $'{\\n  "foo": "bar",\\n  "baz": "qux"\\n}' -X POST`,
+      ),
+    ).toEqual({
+      resources: {
+        workspaces: [baseWorkspace()],
+        httpRequests: [
+          baseRequest({
+            url: 'https://yaak.app',
+            method: 'POST',
+            headers: [{ name: 'Content-Type', value: 'application/json', enabled: true }],
+            bodyType: 'application/json',
+            body: { text: '{\n  "foo": "bar",\n  "baz": "qux"\n}' },
+          }),
+        ],
+      },
+    });
+  });
+
+  test('Handles double-quoted string ending with even backslashes before semicolon', () => {
+    // "C:\\" has two backslashes which escape each other, so the closing " is real.
+    // The ; after should split into a second command.
+    expect(
+      convertCurl(
+        'curl -d "C:\\\\" https://yaak.app;curl https://example.com',
+      ),
+    ).toEqual({
+      resources: {
+        workspaces: [baseWorkspace()],
+        httpRequests: [
+          baseRequest({
+            url: 'https://yaak.app',
+            method: 'POST',
+            bodyType: 'application/x-www-form-urlencoded',
+            body: {
+              form: [{ name: 'C:\\', value: '', enabled: true }],
+            },
+            headers: [
+              {
+                name: 'Content-Type',
+                value: 'application/x-www-form-urlencoded',
+                enabled: true,
+              },
+            ],
+          }),
+          baseRequest({ url: 'https://example.com' }),
+        ],
+      },
+    });
+  });
+
+  test('Handles $quoted string ending with a literal backslash before semicolon', () => {
+    // $'C:\\\\' has two backslashes which become one literal backslash.
+    // The closing ' must not be misinterpreted as escaped.
+    // The ; after should split into a second command.
+    expect(
+      convertCurl(
+        "curl -d $'C:\\\\' https://yaak.app;curl https://example.com",
+      ),
+    ).toEqual({
+      resources: {
+        workspaces: [baseWorkspace()],
+        httpRequests: [
+          baseRequest({
+            url: 'https://yaak.app',
+            method: 'POST',
+            bodyType: 'application/x-www-form-urlencoded',
+            body: {
+              form: [{ name: 'C:\\', value: '', enabled: true }],
+            },
+            headers: [
+              {
+                name: 'Content-Type',
+                value: 'application/x-www-form-urlencoded',
+                enabled: true,
+              },
+            ],
+          }),
+          baseRequest({ url: 'https://example.com' }),
+        ],
+      },
+    });
+  });
+
+  test('Imports $quoted header with escaped single quotes', () => {
+    expect(
+      convertCurl(
+        `curl https://yaak.app -H $'X-Custom: it\\'s a test'`,
+      ),
+    ).toEqual({
+      resources: {
+        workspaces: [baseWorkspace()],
+        httpRequests: [
+          baseRequest({
+            url: 'https://yaak.app',
+            headers: [{ name: 'X-Custom', value: "it's a test", enabled: true }],
+          }),
+        ],
+      },
+    });
+  });
+
+  test('Does not split on escaped semicolon outside quotes', () => {
+    // In shell, \; is a literal semicolon and should not split commands.
+    // This should be treated as a single curl command with the URL "https://yaak.app?a=1;b=2"
+    expect(
+      convertCurl('curl https://yaak.app?a=1\\;b=2'),
+    ).toEqual({
+      resources: {
+        workspaces: [baseWorkspace()],
+        httpRequests: [
+          baseRequest({
+            url: 'https://yaak.app',
+            urlParameters: [
+              { name: 'a', value: '1;b=2', enabled: true },
+            ],
+          }),
+        ],
+      },
+    });
+  });
+
   test('Imports multipart form data with text-only fields from --data-raw', () => {
     const curlCommand = `curl 'http://example.com/api' \
   -H 'Content-Type: multipart/form-data; boundary=----FormBoundary123' \

scripts/vendor-node.cjs

@@ -1,4 +1,6 @@
 const path = require('node:path');
+const crypto = require('node:crypto');
+const fs = require('node:fs');
 const decompress = require('decompress');
 const Downloader = require('nodejs-file-downloader');
 const { rmSync, cpSync, mkdirSync, existsSync } = require('node:fs');
@@ -41,6 +43,15 @@ const DST_BIN_MAP = {
   [WIN_ARM]: 'yaaknode.exe',
 };
 
+const SHA256_MAP = {
+  [MAC_ARM]: 'b05aa3a66efe680023f930bd5af3fdbbd542794da5644ca2ad711d68cbd4dc35',
+  [MAC_X64]: '096081b6d6fcdd3f5ba0f5f1d44a47e83037ad2e78eada26671c252fe64dd111',
+  [LNX_ARM]: '0dc93ec5c798b0d347f068db6d205d03dea9a71765e6a53922b682b91265d71f',
+  [LNX_X64]: '58a5ff5cc8f2200e458bea22e329d5c1994aa1b111d499ca46ec2411d58239ca',
+  [WIN_X64]: '5355ae6d7c49eddcfde7d34ac3486820600a831bf81dc3bdca5c8db6a9bb0e76',
+  [WIN_ARM]: 'ce9ee4e547ebdff355beb48e309b166c24df6be0291c9eaf103ce15f3de9e5b4',
+};
+
 const key = `${process.platform}_${process.env.YAAK_TARGET_ARCH ?? process.arch}`;
 
 const destDir = path.join(__dirname, `..`, 'crates-tauri', 'yaak-app', 'vendored', 'node');
@@ -68,6 +79,15 @@ rmSync(tmpDir, { recursive: true, force: true });
     timeout: 1000 * 60 * 2,
   }).download();
 
+  // Verify SHA256
+  const expectedHash = SHA256_MAP[key];
+  const fileBuffer = fs.readFileSync(filePath);
+  const actualHash = crypto.createHash('sha256').update(fileBuffer).digest('hex');
+  if (actualHash !== expectedHash) {
+    throw new Error(`SHA256 mismatch for ${path.basename(filePath)}\n  expected: ${expectedHash}\n  actual:   ${actualHash}`);
+  }
+  console.log('SHA256 verified:', actualHash);
+
   // Decompress to the same directory
   await decompress(filePath, tmpDir, {});
 

scripts/vendor-protoc.cjs

@@ -1,3 +1,5 @@
+const crypto = require('node:crypto');
+const fs = require('node:fs');
 const decompress = require('decompress');
 const Downloader = require('nodejs-file-downloader');
 const path = require('node:path');
@@ -41,6 +43,15 @@ const DST_BIN_MAP = {
   [WIN_ARM]: 'yaakprotoc.exe',
 };
 
+const SHA256_MAP = {
+  [MAC_ARM]: 'db7e66ff7f9080614d0f5505a6b0ac488cf89a15621b6a361672d1332ec2e14e',
+  [MAC_X64]: 'e20b5f930e886da85e7402776a4959efb1ed60c57e72794bcade765e67abaa82',
+  [LNX_ARM]: '6018147740548e0e0f764408c87f4cd040e6e1c1203e13aeacaf811892b604f3',
+  [LNX_X64]: 'f3340e28a83d1c637d8bafdeed92b9f7db6a384c26bca880a6e5217b40a4328b',
+  [WIN_X64]: 'd7a207fb6eec0e4b1b6613be3b7d11905375b6fd1147a071116eb8e9f24ac53b',
+  [WIN_ARM]: 'd7a207fb6eec0e4b1b6613be3b7d11905375b6fd1147a071116eb8e9f24ac53b',
+};
+
 const dstDir = path.join(__dirname, `..`, 'crates-tauri', 'yaak-app', 'vendored', 'protoc');
 const key = `${process.platform}_${process.env.YAAK_TARGET_ARCH ?? process.arch}`;
 console.log(`Vendoring protoc ${VERSION} for ${key}`);
@@ -63,6 +74,15 @@ mkdirSync(dstDir, { recursive: true });
   // Download GitHub release artifact
   const { filePath } = await new Downloader({ url, directory: tmpDir }).download();
 
+  // Verify SHA256
+  const expectedHash = SHA256_MAP[key];
+  const fileBuffer = fs.readFileSync(filePath);
+  const actualHash = crypto.createHash('sha256').update(fileBuffer).digest('hex');
+  if (actualHash !== expectedHash) {
+    throw new Error(`SHA256 mismatch for ${path.basename(filePath)}\n  expected: ${expectedHash}\n  actual:   ${actualHash}`);
+  }
+  console.log('SHA256 verified:', actualHash);
+
   // Decompress to the same directory
   await decompress(filePath, tmpDir, {});
 

src-web/components/git/GitDropdown.tsx

@@ -7,6 +7,7 @@ import { forwardRef } from 'react';
 import { openWorkspaceSettings } from '../../commands/openWorkspaceSettings';
 import { activeWorkspaceAtom, activeWorkspaceMetaAtom } from '../../hooks/useActiveWorkspace';
 import { useKeyValue } from '../../hooks/useKeyValue';
+import { useRandomKey } from '../../hooks/useRandomKey';
 import { sync } from '../../init/sync';
 import { showConfirm, showConfirmDelete } from '../../lib/confirm';
 import { showDialog } from '../../lib/dialog';
@@ -36,6 +37,7 @@ export function GitDropdown() {
 
 function SyncDropdownWithSyncDir({ syncDir }: { syncDir: string }) {
   const workspace = useAtomValue(activeWorkspaceAtom);
+  const [refreshKey, regenerateKey] = useRandomKey();
   const [
     { status, log },
     {
@@ -43,7 +45,6 @@ function SyncDropdownWithSyncDir({ syncDir }: { syncDir: string }) {
       deleteBranch,
       deleteRemoteBranch,
       renameBranch,
-      fetchAll,
       mergeBranch,
       push,
       pull,
@@ -51,7 +52,7 @@ function SyncDropdownWithSyncDir({ syncDir }: { syncDir: string }) {
       resetChanges,
       init,
     },
-  ] = useGit(syncDir, gitCallbacks(syncDir));
+  ] = useGit(syncDir, gitCallbacks(syncDir), refreshKey);
 
   const localBranches = status.data?.localBranches ?? [];
   const remoteBranches = status.data?.remoteBranches ?? [];
@@ -172,7 +173,7 @@ function SyncDropdownWithSyncDir({ syncDir }: { syncDir: string }) {
     { type: 'separator' },
     {
       label: 'Push',
-      disabled: !hasRemotes || ahead === 0,
+      hidden: !hasRemotes,
       leftSlot: <Icon icon="arrow_up_from_line" />,
       waitForOnSelect: true,
       async onSelect() {
@@ -191,7 +192,7 @@ function SyncDropdownWithSyncDir({ syncDir }: { syncDir: string }) {
     },
     {
       label: 'Pull',
-      disabled: !hasRemotes || behind === 0,
+      hidden: !hasRemotes,
       leftSlot: <Icon icon="arrow_down_to_line" />,
       waitForOnSelect: true,
       async onSelect() {
@@ -210,7 +211,7 @@ function SyncDropdownWithSyncDir({ syncDir }: { syncDir: string }) {
     },
     {
       label: 'Commit...',
-      disabled: !hasChanges,
+
       leftSlot: <Icon icon="git_commit_vertical" />,
       onSelect() {
         showDialog({
@@ -502,15 +503,25 @@ function SyncDropdownWithSyncDir({ syncDir }: { syncDir: string }) {
   ];
 
   return (
-    <Dropdown fullWidth items={items} onOpen={fetchAll.mutate}>
+    <Dropdown fullWidth items={items} onOpen={regenerateKey}>
       <GitMenuButton>
         <InlineCode className="flex items-center gap-1">
           <Icon icon="git_branch" size="xs" className="opacity-50" />
           {currentBranch}
         </InlineCode>
         <div className="flex items-center gap-1.5">
-          {ahead > 0 && <span className="text-xs flex items-center gap-0.5"><span className="text-primary">↗</span>{ahead}</span>}
-          {behind > 0 && <span className="text-xs flex items-center gap-0.5"><span className="text-info">↙</span>{behind}</span>}
+          {ahead > 0 && (
+            <span className="text-xs flex items-center gap-0.5">
+              <span className="text-primary">↗</span>
+              {ahead}
+            </span>
+          )}
+          {behind > 0 && (
+            <span className="text-xs flex items-center gap-0.5">
+              <span className="text-info">↙</span>
+              {behind}
+            </span>
+          )}
         </div>
       </GitMenuButton>
     </Dropdown>