From 5e9cd18cf0e33e3c08c2c05622c98fa836a4012c Mon Sep 17 00:00:00 2001
From: Mathieu Piton <27002047+mpiton@users.noreply.github.com>
Date: Sun, 26 Apr 2026 11:31:57 +0200
Subject: [PATCH 1/5] feat(plugin): add report-broken-plugin action with GitHub
 issue pre-fill (task 16)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Plugins now expose a "Report broken plugin" item in the kebab menu of
the Plugin Store row. Clicking it opens the user's default browser at
a pre-filled GitHub issue on the plugin's repository, with diagnostic
metadata (plugin name + version, Vortex version, OS, optional URL
under test, last 50 log lines) inlined into the issue body.

Domain
- `PluginInfo` gains `repository_url: Option<String>` (parsed from a
  new `[plugin].repository` key in `plugin.toml`).
- New `UrlOpener` driven port with platform-native `SystemUrlOpener`
  (xdg-open / open / cmd start), `http(s)://` only by validation so
  the OS launcher never receives `javascript:` / `file://` payloads.
- `build_report_broken_url` is std-only: RFC 3986 unreserved-set
  percent encoder, last 50 log lines kept, GitHub-only repository
  hosts, accepts `.git` suffix, rejects malformed URLs with
  `DomainError::ValidationError`.

Application
- `ReportBrokenPluginCommand` handler returns `AppError::Validation`
  when the manifest carries no `repository_url` and `AppError::NotFound`
  when the plugin is not loaded; the URL is opened off the async
  runtime via `tokio::task::spawn_blocking`.

Adapters
- `manifest.rs` parses `[plugin].repository` (optional, backward
  compatible — plugins without the field still install).
- New Tauri IPC `plugin_report_broken(pluginName, logLines?, testedUrl?)
  -> string` returns the issue URL so the UI can fall back to clipboard
  copy if the launcher fails.

Frontend
- `PluginStoreRow` renders an extra menu item when `onReportBroken` is
  wired (hidden otherwise), and the parent `PluginsView` invokes the
  IPC through `useTauriMutation` with success / error toasts.
- i18n (en/fr): `plugins.action.reportBroken`,
  `plugins.toast.reportBroken{Success,Error}`.

Coverage
- 11 new Rust tests (URL builder edge cases + handler) and 2 new
  Vitest cases for the row's menu entry. cargo test --lib reports
  909 passed, npx vitest run reports 582 passed.
---
 CHANGELOG.md                                  |   1 +
 .../src/adapters/driven/filesystem/mod.rs     |   2 +
 .../adapters/driven/filesystem/url_opener.rs  | 113 +++++
 .../src/adapters/driven/plugin/manifest.rs    |  56 ++-
 src-tauri/src/adapters/driving/tauri_ipc.rs   |  35 +-
 src-tauri/src/application/command_bus.rs      |  20 +-
 src-tauri/src/application/commands/mod.rs     |  24 +
 .../commands/report_broken_plugin.rs          | 446 ++++++++++++++++++
 src-tauri/src/domain/model/plugin.rs          | 284 +++++++++++
 src-tauri/src/domain/ports/driven/mod.rs      |   2 +
 .../src/domain/ports/driven/url_opener.rs     |  18 +
 src-tauri/src/lib.rs                          |  12 +-
 src/i18n/locales/en.json                      |   7 +-
 src/i18n/locales/fr.json                      |   7 +-
 src/views/PluginsView.tsx                     |  21 +-
 src/views/PluginsView/PluginStoreRow.tsx      |  24 +-
 .../__tests__/PluginStoreRow.test.tsx         |  39 +-
 17 files changed, 1075 insertions(+), 36 deletions(-)
 create mode 100644 src-tauri/src/adapters/driven/filesystem/url_opener.rs
 create mode 100644 src-tauri/src/application/commands/report_broken_plugin.rs
 create mode 100644 src-tauri/src/domain/ports/driven/url_opener.rs

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e2f9391..9869ac1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,6 +18,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
+- "Report broken plugin" action (PRD-v2 P0.16, task 16): plugins listed in *Plugins → Plugin Store* now expose a *Report broken plugin* item in their kebab menu. Clicking it opens the user's default browser at a pre-filled GitHub issue on the plugin's repository, with diagnostic metadata (plugin name + version, Vortex version, OS, optional URL under test, last 50 log lines) inlined into the issue body. Backend adds a `repository_url` field to `domain::model::plugin::PluginInfo` (parsed from the new `[plugin].repository` key in `plugin.toml`), a `domain::ports::driven::UrlOpener` port plus its platform-native `SystemUrlOpener` adapter (`xdg-open` / `open` / `cmd start`, `http(s)://` only by validation), the std-only `domain::model::plugin::build_report_broken_url` URL builder (RFC 3986 unreserved-set percent encoder, last 50 log lines, GitHub-only repository hosts, accepts `.git` suffix, rejects malformed URLs with `DomainError::ValidationError`), and a `ReportBrokenPluginCommand` handler that returns `AppError::Validation` when a manifest carries no `repository_url`. New Tauri IPC `plugin_report_broken(pluginName, logLines?, testedUrl?) → string` returns the issue URL so the UI can fall back to clipboard copy if the launcher fails. i18n (en/fr): `plugins.action.reportBroken`, `plugins.toast.reportBrokenSuccess`, `plugins.toast.reportBrokenError`. (task 16)
 - Dynamic plugin configuration UI (PRD-v2 P0.15, task 15): plugins declaring a `[config]` block in their `plugin.toml` now expose their schema at runtime. Backend adds `ConfigField` / `ConfigFieldType` / `PluginConfigSchema` to `domain/model/plugin.rs` (typed validation, enum options, `min`/`max` bounds, regex via a std-only matcher — no external import in the domain), a `PluginConfigStore` port (`get_values` / `set_value` / `list_all` / `delete_all`) implemented by `SqlitePluginConfigRepo` backed by the new `plugin_configs (plugin_name, key, value)` table (migration `m20260425_000005_create_plugin_configs`, composite primary key). The manifest parser (`adapters/driven/plugin/manifest.rs`) now extracts `type`, `default`, `options`, `description`, `min`, `max`, `regex` on top of the existing defaults, and rejects defaults that fail their own field validation. CQRS gains `UpdatePluginConfigCommand` (validates against the schema, applies the runtime first then persists, rolls back on failure) and `GetPluginConfigQuery` (returns the schema plus persisted values, dropping any persisted entry that no longer matches the current schema and falling back to manifest defaults). `PluginLoader` is extended with `get_manifest()` and `set_runtime_config()`; `ExtismPluginLoader` implements both by reading from `PluginRegistry` and writing to `SharedHostResources::plugin_configs`, so `get_config(key)` calls from the WASM plugin observe the new value without a reload. At startup, `lib.rs` replays persisted configs onto the in-memory map before plugins are loaded. Frontend adds two components: `PluginConfigField.tsx` (dispatcher renderer: `string` → text input, `boolean` → shadcn switch, `integer`/`float` → numeric input with bounds, `url` → url input, `enum` (and `string` with options) → shadcn select; `aria-describedby` on the control points to the error message) and `PluginConfigDialog.tsx` (loads the schema via `useQuery`, validates each field on the UI side (rejects empty floats, validates JSON arrays) before sending, persists changed values sequentially, guards the schema-reset effect while a save is in flight to avoid clobbering the draft, invalidates the query on success). `PluginsView` queries `plugin_config_get` for each installed plugin (keyed off the unfiltered installed list to avoid churn while typing in search) to decide whether the *Configure* button (Settings icon, next to the *More* menu) should render: a plugin without `[config]` exposes no button. New IPC commands `plugin_config_get(name) → PluginConfigView` and `plugin_config_update(name, key, value)`. i18n (en/fr): `plugins.action.configure`, `plugins.config.{title,description,loading,error,noFields,toast.{saveSuccess,validationFailed}}`. (task 15)
 - History retention with automatic daily purge (PRD-v2 P0.14, task 14): new `history_retention_days` setting (default 30, presets 7 / 30 / 90 / 365 / `0 = unlimited`) exposed in the *General* Settings tab as a `Select` dropdown wired to `settings_update`. Backend ships a `Clock` domain port (`SystemClock` adapter under `adapters/driven/scheduler/`) and a `HistoryPurgeWorker` daemon spawned during Tauri setup that hard-deletes `history` rows where `completed_at < now - retention_days * 86_400`. The worker persists its last run as a Unix-epoch timestamp inside `<app_data_dir>/.history_purge_state` (sentinel filename `HISTORY_PURGE_STATE_FILE`). On startup, the daemon reads the sentinel and either runs immediately (missing/stale) or sleeps for `SECS_PER_DAY - elapsed` so the first post-launch purge stays anchored to the previous successful run instead of drifting up to ~47h after a restart; the recurring loop then ticks every 24h via `tokio::time::interval` with `MissedTickBehavior::Skip`. `retention_days <= 0` is a no-op that does not write the sentinel, so the next run re-fires the moment the user re-enables retention; corrupt sentinels are treated as "never ran" so a stuck file never blocks the scheduler. The worker shares the same `Arc<dyn HistoryRepository>` and `Arc<dyn ConfigStore>` the IPC layer already mutates, so a settings change is observed without restart. Domain helper `normalize_history_retention_days` clamps negatives back to `0` and is now applied at every write boundary — `apply_patch` (so a crafted `settings_update` payload cannot persist a negative) and `From<ConfigDto> for AppConfig` (so a hand-edited `config.toml` is normalized at load) — plus the worker itself for defense-in-depth. (task 14)
 - Change-directory action that moves a download's on-disk file (and its `.vortex-meta` sidecar when present) into a new destination folder (PRD-v2 P0.13, task 13). New Tauri IPC commands `download_change_directory(id, newDestinationDir)` and `download_change_directory_bulk(ids, newDestinationDir)` are backed by `ChangeDirectoryCommand` / `ChangeDirectoryBulkCommand` in the application layer; the bulk variant returns a structured `{ moved: number[], failed: { id, message }[] }` outcome so the UI can keep failed rows selected for retry instead of swallowing partial errors. The handler pauses the download engine for `Downloading` items, relocates the body and the `.vortex-meta` sidecar, persists the new path, then resumes — segments survive the move so the engine picks up exactly where it left off. `Extracting` and `Checking` downloads are rejected because another worker is actively reading the file. The `FileStorage` port grows `move_file`, `move_meta` and `file_exists`; the production `FsFileStorage` adapter prefers `fs::rename` for same-filesystem moves and falls back to copy + size-verify + delete-source for cross-device cases (EXDEV / `ErrorKind::CrossesDevices`), with rollback on any partial failure so the source file always stays intact. New `DomainEvent::DownloadDirectoryChanged { id, newDestinationPath }` is forwarded to the frontend as the `download-directory-changed` event. Frontend ships a reusable `<MoveDialog>` (folder picker via `useBrowseFolder`, current path + selected path preview, confirm disabled until a folder is picked) and a `Move to...` action in the downloads `ActionsBar` selection toolbar that wires the bulk IPC, surfaces success / partial-failure / error toasts and clears or re-narrows the selection accordingly. New i18n keys `downloads.actions.moveSelected`, `downloads.moveDialog.*` and `downloads.toast.{moveSucceeded,movePartial,moveError}` (en/fr). (task 13)
diff --git a/src-tauri/src/adapters/driven/filesystem/mod.rs b/src-tauri/src/adapters/driven/filesystem/mod.rs
index 801c775..6b33e8d 100644
--- a/src-tauri/src/adapters/driven/filesystem/mod.rs
+++ b/src-tauri/src/adapters/driven/filesystem/mod.rs
@@ -4,7 +4,9 @@ mod download_dir;
 mod file_opener;
 mod file_storage;
 mod meta_storage;
+mod url_opener;
 
 pub use download_dir::resolve_system_download_dir;
 pub use file_opener::SystemFileOpener;
 pub use file_storage::FsFileStorage;
+pub use url_opener::SystemUrlOpener;
diff --git a/src-tauri/src/adapters/driven/filesystem/url_opener.rs b/src-tauri/src/adapters/driven/filesystem/url_opener.rs
new file mode 100644
index 0000000..5b81a31
--- /dev/null
+++ b/src-tauri/src/adapters/driven/filesystem/url_opener.rs
@@ -0,0 +1,113 @@
+//! Platform-backed [`UrlOpener`] implementation.
+//!
+//! Mirrors [`super::SystemFileOpener`] but takes a URL string instead of a
+//! filesystem path. The validation rule is conservative: only `http://`
+//! and `https://` are accepted so the OS launcher never receives
+//! `javascript:`, `file://`, or `data:` payloads from a rogue caller.
+
+use std::process::Command;
+
+use crate::domain::error::DomainError;
+use crate::domain::ports::driven::UrlOpener;
+
+pub struct SystemUrlOpener;
+
+impl Default for SystemUrlOpener {
+    fn default() -> Self {
+        Self
+    }
+}
+
+impl SystemUrlOpener {
+    pub fn new() -> Self {
+        Self
+    }
+}
+
+impl UrlOpener for SystemUrlOpener {
+    fn open_url(&self, url: &str) -> Result<(), DomainError> {
+        validate_http_url(url)?;
+
+        #[cfg(target_os = "linux")]
+        let (program, args): (&str, Vec<std::ffi::OsString>) =
+            ("xdg-open", vec![std::ffi::OsString::from(url)]);
+        #[cfg(target_os = "macos")]
+        let (program, args): (&str, Vec<std::ffi::OsString>) =
+            ("open", vec![std::ffi::OsString::from(url)]);
+        #[cfg(target_os = "windows")]
+        let (program, args): (&str, Vec<std::ffi::OsString>) = (
+            "cmd",
+            vec![
+                std::ffi::OsString::from("/C"),
+                std::ffi::OsString::from("start"),
+                std::ffi::OsString::from(""),
+                std::ffi::OsString::from(url),
+            ],
+        );
+
+        run_launcher(program, &args)
+    }
+}
+
+fn validate_http_url(url: &str) -> Result<(), DomainError> {
+    if url.starts_with("http://") || url.starts_with("https://") {
+        Ok(())
+    } else {
+        Err(DomainError::ValidationError(format!(
+            "URL must start with http(s)://, got '{url}'"
+        )))
+    }
+}
+
+#[cfg(not(target_os = "windows"))]
+fn run_launcher(program: &str, args: &[std::ffi::OsString]) -> Result<(), DomainError> {
+    let status = Command::new(program)
+        .args(args)
+        .status()
+        .map_err(|e| DomainError::StorageError(format!("failed to launch {program}: {e}")))?;
+    if !status.success() {
+        return Err(DomainError::StorageError(format!(
+            "{program} exited with status {status}"
+        )));
+    }
+    Ok(())
+}
+
+#[cfg(target_os = "windows")]
+fn run_launcher(program: &str, args: &[std::ffi::OsString]) -> Result<(), DomainError> {
+    let _status = Command::new(program)
+        .args(args)
+        .status()
+        .map_err(|e| DomainError::StorageError(format!("failed to launch {program}: {e}")))?;
+    Ok(())
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn open_url_rejects_non_http_scheme() {
+        let opener = SystemUrlOpener::new();
+        for bad in [
+            "javascript:alert(1)",
+            "file:///etc/passwd",
+            "data:text/html,<script>",
+            "",
+            "github.com/foo/bar",
+        ] {
+            let err = opener.open_url(bad).unwrap_err();
+            assert!(
+                matches!(err, DomainError::ValidationError(_)),
+                "expected ValidationError for {bad:?}, got {err:?}"
+            );
+        }
+    }
+
+    #[test]
+    fn open_url_accepts_http_and_https() {
+        // Validation only — we don't actually launch anything in CI.
+        assert!(validate_http_url("http://example.com").is_ok());
+        assert!(validate_http_url("https://github.com/foo/bar/issues/new?title=x").is_ok());
+    }
+}
diff --git a/src-tauri/src/adapters/driven/plugin/manifest.rs b/src-tauri/src/adapters/driven/plugin/manifest.rs
index ab2cc1e..416401b 100644
--- a/src-tauri/src/adapters/driven/plugin/manifest.rs
+++ b/src-tauri/src/adapters/driven/plugin/manifest.rs
@@ -28,6 +28,9 @@ struct RawPluginSection {
     description: String,
     _license: Option<String>,
     min_vortex_version: Option<String>,
+    /// Source repository URL surfaced to the host so the "Report broken
+    /// plugin" action knows where to file the issue.
+    repository: Option<String>,
 }
 
 #[derive(Deserialize)]
@@ -79,13 +82,16 @@ pub fn parse_manifest(dir: &Path) -> Result<(PluginManifest, PathBuf), DomainErr
     }
 
     let category = parse_category(&raw.plugin.category)?;
-    let info = PluginInfo::new(
+    let mut info = PluginInfo::new(
         raw.plugin.name,
         raw.plugin.version,
         raw.plugin.description,
         raw.plugin.author,
         category,
     );
+    if let Some(repo) = raw.plugin.repository {
+        info = info.with_repository_url(repo);
+    }
 
     let caps = raw
         .capabilities
@@ -721,4 +727,52 @@ api_key = { type = "string", regex = "^[a-z0-9]+$" }
         let f = manifest.config_schema().get("api_key").unwrap();
         assert_eq!(f.regex(), Some("^[a-z0-9]+$"));
     }
+
+    #[test]
+    fn test_parse_manifest_extracts_repository_url() {
+        let tmp = TempDir::new().unwrap();
+        let plugin_dir = tmp.path().join("with-repo");
+        std::fs::create_dir_all(&plugin_dir).unwrap();
+        write_plugin_toml(
+            &plugin_dir,
+            r#"
+[plugin]
+name = "with-repo"
+version = "1.0.0"
+category = "crawler"
+author = "Alice"
+description = "Has repo URL"
+repository = "https://github.com/alice/with-repo"
+"#,
+        );
+        write_dummy_wasm(&plugin_dir, "with-repo.wasm");
+
+        let (manifest, _) = parse_manifest(&plugin_dir).unwrap();
+        assert_eq!(
+            manifest.info().repository_url(),
+            Some("https://github.com/alice/with-repo")
+        );
+    }
+
+    #[test]
+    fn test_parse_manifest_repository_url_optional() {
+        let tmp = TempDir::new().unwrap();
+        let plugin_dir = tmp.path().join("no-repo");
+        std::fs::create_dir_all(&plugin_dir).unwrap();
+        write_plugin_toml(
+            &plugin_dir,
+            r#"
+[plugin]
+name = "no-repo"
+version = "1.0.0"
+category = "crawler"
+author = "Alice"
+description = "No repo URL"
+"#,
+        );
+        write_dummy_wasm(&plugin_dir, "no-repo.wasm");
+
+        let (manifest, _) = parse_manifest(&plugin_dir).unwrap();
+        assert_eq!(manifest.info().repository_url(), None);
+    }
 }
diff --git a/src-tauri/src/adapters/driving/tauri_ipc.rs b/src-tauri/src/adapters/driving/tauri_ipc.rs
index 89e0d3a..aaa9526 100644
--- a/src-tauri/src/adapters/driving/tauri_ipc.rs
+++ b/src-tauri/src/adapters/driving/tauri_ipc.rs
@@ -19,10 +19,10 @@ use crate::application::commands::{
     ExportHistoryCommand, ExportHistoryFormat, InstallPluginCommand, MoveToBottomCommand,
     MoveToTopCommand, OpenDownloadFileCommand, OpenDownloadFolderCommand, PauseAllDownloadsCommand,
     PauseDownloadCommand, PurgeHistoryCommand, RedownloadCommand, RedownloadSource,
-    RemoveDownloadCommand, ReorderQueueCommand, ResolveLinksCommand, ResolvedLinkDto,
-    ResumeAllDownloadsCommand, ResumeDownloadCommand, RetryDownloadCommand, SetPriorityCommand,
-    StartDownloadCommand, UninstallPluginCommand, UpdateConfigCommand, UpdatePluginConfigCommand,
-    VerifyChecksumCommand, VerifyChecksumOutcome,
+    RemoveDownloadCommand, ReorderQueueCommand, ReportBrokenPluginCommand, ResolveLinksCommand,
+    ResolvedLinkDto, ResumeAllDownloadsCommand, ResumeDownloadCommand, RetryDownloadCommand,
+    SetPriorityCommand, StartDownloadCommand, UninstallPluginCommand, UpdateConfigCommand,
+    UpdatePluginConfigCommand, VerifyChecksumCommand, VerifyChecksumOutcome,
 };
 use crate::application::error::AppError;
 use crate::application::queries::{
@@ -609,6 +609,33 @@ pub async fn plugin_config_update(
         .map_err(|e| e.to_string())
 }
 
+/// Open the user's browser at a pre-filled GitHub issue for a broken plugin.
+///
+/// `log_lines` is the (optional) tail of recent log lines the frontend
+/// has buffered for that plugin; `tested_url` is the URL the user was
+/// trying to download when the failure happened, when known. Returns the
+/// fully-encoded GitHub URL so the frontend can fall back to clipboard
+/// copy if the OS launcher is unavailable.
+#[tauri::command]
+pub async fn plugin_report_broken(
+    state: State<'_, AppState>,
+    plugin_name: String,
+    log_lines: Option<Vec<String>>,
+    tested_url: Option<String>,
+) -> Result<String, String> {
+    state
+        .command_bus
+        .handle_report_broken_plugin(ReportBrokenPluginCommand {
+            plugin_name,
+            log_lines: log_lines.unwrap_or_default(),
+            tested_url,
+            vortex_version: env!("CARGO_PKG_VERSION").to_string(),
+            os: std::env::consts::OS.to_string(),
+        })
+        .await
+        .map_err(|e| e.to_string())
+}
+
 fn store_cache_path() -> Result<std::path::PathBuf, String> {
     dirs::config_dir()
         .ok_or_else(|| "cannot determine config directory — store unavailable".to_string())
diff --git a/src-tauri/src/application/command_bus.rs b/src-tauri/src/application/command_bus.rs
index 9487fa8..2c9a96d 100644
--- a/src-tauri/src/application/command_bus.rs
+++ b/src-tauri/src/application/command_bus.rs
@@ -8,7 +8,7 @@ use std::sync::Arc;
 use crate::domain::ports::driven::{
     ArchiveExtractor, ChecksumComputer, ClipboardObserver, ConfigStore, CredentialStore,
     DownloadEngine, DownloadRepository, EventBus, FileOpener, FileStorage, HistoryRepository,
-    HttpClient, PluginConfigStore, PluginLoader, PluginStoreClient,
+    HttpClient, PluginConfigStore, PluginLoader, PluginStoreClient, UrlOpener,
 };
 
 /// Central dispatcher for CQRS commands.
@@ -30,6 +30,7 @@ pub struct CommandBus {
     plugin_store_client: Option<Arc<dyn PluginStoreClient>>,
     checksum_computer: Option<Arc<dyn ChecksumComputer>>,
     file_opener: Option<Arc<dyn FileOpener>>,
+    url_opener: Option<Arc<dyn UrlOpener>>,
     plugin_config_store: Option<Arc<dyn PluginConfigStore>>,
     /// Serializes queue-position allocation across handlers. Without this,
     /// two concurrent move-to-top/move-to-bottom/start-download calls can
@@ -69,6 +70,7 @@ impl CommandBus {
             plugin_store_client,
             checksum_computer: None,
             file_opener: None,
+            url_opener: None,
             plugin_config_store: None,
             queue_position_lock: tokio::sync::Mutex::new(()),
         }
@@ -189,6 +191,22 @@ impl CommandBus {
     pub(crate) fn file_opener_arc(&self) -> Option<Arc<dyn FileOpener>> {
         self.file_opener.clone()
     }
+
+    /// Builder-style setter for the URL-opener port. Optional so existing
+    /// test fixtures that never invoke the report-broken-plugin handler
+    /// don't have to provide a mock.
+    pub fn with_url_opener(mut self, opener: Arc<dyn UrlOpener>) -> Self {
+        self.url_opener = Some(opener);
+        self
+    }
+
+    pub fn url_opener(&self) -> Option<&dyn UrlOpener> {
+        self.url_opener.as_deref()
+    }
+
+    pub(crate) fn url_opener_arc(&self) -> Option<Arc<dyn UrlOpener>> {
+        self.url_opener.clone()
+    }
 }
 
 #[cfg(test)]
diff --git a/src-tauri/src/application/commands/mod.rs b/src-tauri/src/application/commands/mod.rs
index ffc7d65..dc0af27 100644
--- a/src-tauri/src/application/commands/mod.rs
+++ b/src-tauri/src/application/commands/mod.rs
@@ -19,6 +19,7 @@ mod purge_history;
 mod redownload;
 mod register_local_file;
 mod remove_download;
+mod report_broken_plugin;
 mod resolve_links;
 mod resume_all;
 mod resume_download;
@@ -175,6 +176,29 @@ pub struct UpdateConfigCommand {
 }
 impl Command for UpdateConfigCommand {}
 
+/// Open a pre-filled GitHub issue for a broken plugin.
+///
+/// The handler looks up the plugin's `repository_url` from its manifest,
+/// builds the issue body from the supplied diagnostic context (versions,
+/// OS, recent log lines, the URL the user was testing if any) and hands
+/// the resulting URL to the [`UrlOpener`](crate::domain::ports::driven::UrlOpener)
+/// port. No mutation of plugin state — the command is named `*_report_*`
+/// for clarity, but it is effectively a "side-effecting query" on the
+/// plugin manifest.
+#[derive(Debug)]
+pub struct ReportBrokenPluginCommand {
+    pub plugin_name: String,
+    pub log_lines: Vec<String>,
+    pub tested_url: Option<String>,
+    /// Vortex version reported in the issue body. Provided by the driving
+    /// adapter (typically `env!("CARGO_PKG_VERSION")`) so the application
+    /// layer doesn't bake the host crate's metadata into its own logic.
+    pub vortex_version: String,
+    /// `std::env::consts::OS` (or equivalent) recorded by the caller.
+    pub os: String,
+}
+impl Command for ReportBrokenPluginCommand {}
+
 /// Update a single (key, value) pair on a plugin's persisted configuration.
 ///
 /// The handler validates the value against the manifest schema before
diff --git a/src-tauri/src/application/commands/report_broken_plugin.rs b/src-tauri/src/application/commands/report_broken_plugin.rs
new file mode 100644
index 0000000..0322b9d
--- /dev/null
+++ b/src-tauri/src/application/commands/report_broken_plugin.rs
@@ -0,0 +1,446 @@
+//! `plugin_report_broken` command handler.
+//!
+//! Builds a pre-filled GitHub "new issue" URL for the named plugin and
+//! hands it to the [`UrlOpener`](crate::domain::ports::driven::UrlOpener)
+//! port. The plugin must declare a `repository_url` in its manifest;
+//! otherwise the caller gets a [`AppError::Validation`] explaining what
+//! is missing.
+//!
+//! Diagnostic context (versions, OS, recent logs, URL under test) is
+//! supplied by the driving adapter on every call. The handler stays free
+//! of any reference to the host process so it remains trivially mockable
+//! and platform-agnostic.
+
+use crate::application::command_bus::CommandBus;
+use crate::application::error::AppError;
+use crate::domain::model::plugin::build_report_broken_url;
+
+impl CommandBus {
+    pub async fn handle_report_broken_plugin(
+        &self,
+        cmd: super::ReportBrokenPluginCommand,
+    ) -> Result<String, AppError> {
+        let opener = self
+            .url_opener_arc()
+            .ok_or_else(|| AppError::Plugin("url opener port not configured".to_string()))?;
+
+        let manifest = self
+            .plugin_loader()
+            .list_loaded()?
+            .into_iter()
+            .find(|info| info.name() == cmd.plugin_name)
+            .ok_or_else(|| {
+                AppError::NotFound(format!("plugin '{}' is not loaded", cmd.plugin_name))
+            })?;
+
+        let repo_url = manifest.repository_url().ok_or_else(|| {
+            AppError::Validation(format!(
+                "plugin '{}' has no repository_url in its manifest",
+                cmd.plugin_name
+            ))
+        })?;
+
+        let issue_url = build_report_broken_url(
+            repo_url,
+            manifest.name(),
+            manifest.version(),
+            &cmd.vortex_version,
+            &cmd.os,
+            &cmd.log_lines,
+            cmd.tested_url.as_deref(),
+        )?;
+
+        let url_for_browser = issue_url.clone();
+        tokio::task::spawn_blocking(move || opener.open_url(&url_for_browser))
+            .await
+            .map_err(|e| AppError::Plugin(format!("open_url join error: {e}")))??;
+
+        Ok(issue_url)
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use std::collections::HashMap;
+    use std::path::Path;
+    use std::sync::{Arc, Mutex};
+
+    use super::*;
+    use crate::application::commands::ReportBrokenPluginCommand;
+    use crate::domain::error::DomainError;
+    use crate::domain::event::DomainEvent;
+    use crate::domain::model::archive::{ArchiveEntry, ArchiveFormat, ExtractSummary};
+    use crate::domain::model::config::{AppConfig, ConfigPatch};
+    use crate::domain::model::credential::Credential;
+    use crate::domain::model::download::{Download, DownloadId, DownloadState};
+    use crate::domain::model::http::HttpResponse;
+    use crate::domain::model::meta::DownloadMeta;
+    use crate::domain::model::plugin::{PluginCategory, PluginInfo, PluginManifest};
+    use crate::domain::ports::driven::{
+        ArchiveExtractor, ClipboardObserver, ConfigStore, CredentialStore, DownloadEngine,
+        DownloadRepository, EventBus, FileStorage, HttpClient, PluginLoader, UrlOpener,
+    };
+
+    struct Repo;
+    impl DownloadRepository for Repo {
+        fn find_by_id(&self, _: DownloadId) -> Result<Option<Download>, DomainError> {
+            Ok(None)
+        }
+        fn save(&self, _: &Download) -> Result<(), DomainError> {
+            Ok(())
+        }
+        fn delete(&self, _: DownloadId) -> Result<(), DomainError> {
+            Ok(())
+        }
+        fn find_by_state(&self, _: DownloadState) -> Result<Vec<Download>, DomainError> {
+            Ok(vec![])
+        }
+    }
+
+    struct Engine;
+    impl DownloadEngine for Engine {
+        fn start(&self, _: &Download) -> Result<(), DomainError> {
+            Ok(())
+        }
+        fn pause(&self, _: DownloadId) -> Result<(), DomainError> {
+            Ok(())
+        }
+        fn resume(&self, _: DownloadId) -> Result<(), DomainError> {
+            Ok(())
+        }
+        fn cancel(&self, _: DownloadId) -> Result<(), DomainError> {
+            Ok(())
+        }
+    }
+
+    struct Bus;
+    impl EventBus for Bus {
+        fn publish(&self, _: DomainEvent) {}
+        fn subscribe(&self, _: Box<dyn Fn(&DomainEvent) + Send + Sync>) {}
+    }
+
+    struct FS;
+    impl FileStorage for FS {
+        fn create_file(&self, _: &Path, _: u64) -> Result<(), DomainError> {
+            Ok(())
+        }
+        fn write_segment(&self, _: &Path, _: u64, _: &[u8]) -> Result<(), DomainError> {
+            Ok(())
+        }
+        fn read_meta(&self, _: &Path) -> Result<Option<DownloadMeta>, DomainError> {
+            Ok(None)
+        }
+        fn write_meta(&self, _: &Path, _: &DownloadMeta) -> Result<(), DomainError> {
+            Ok(())
+        }
+        fn delete_meta(&self, _: &Path) -> Result<(), DomainError> {
+            Ok(())
+        }
+    }
+
+    struct Http;
+    impl HttpClient for Http {
+        fn head(&self, _: &str) -> Result<HttpResponse, DomainError> {
+            Ok(HttpResponse {
+                status_code: 200,
+                headers: HashMap::new(),
+                body: vec![],
+            })
+        }
+        fn get_range(&self, _: &str, _: u64, _: u64) -> Result<Vec<u8>, DomainError> {
+            Ok(vec![])
+        }
+        fn supports_range(&self, _: &str) -> Result<bool, DomainError> {
+            Ok(true)
+        }
+    }
+
+    struct StaticLoader {
+        infos: Vec<PluginInfo>,
+    }
+    impl PluginLoader for StaticLoader {
+        fn load(&self, _: &PluginManifest) -> Result<(), DomainError> {
+            Ok(())
+        }
+        fn unload(&self, _: &str) -> Result<(), DomainError> {
+            Ok(())
+        }
+        fn resolve_url(&self, _: &str) -> Result<Option<PluginInfo>, DomainError> {
+            Ok(None)
+        }
+        fn list_loaded(&self) -> Result<Vec<PluginInfo>, DomainError> {
+            Ok(self.infos.clone())
+        }
+        fn set_enabled(&self, _: &str, _: bool) -> Result<(), DomainError> {
+            Ok(())
+        }
+    }
+
+    struct Cfg;
+    impl ConfigStore for Cfg {
+        fn get_config(&self) -> Result<AppConfig, DomainError> {
+            Ok(AppConfig::default())
+        }
+        fn update_config(&self, _: ConfigPatch) -> Result<AppConfig, DomainError> {
+            Ok(AppConfig::default())
+        }
+    }
+
+    struct Creds;
+    impl CredentialStore for Creds {
+        fn get(&self, _: &str) -> Result<Option<Credential>, DomainError> {
+            Ok(None)
+        }
+        fn store(&self, _: &str, _: &Credential) -> Result<(), DomainError> {
+            Ok(())
+        }
+        fn delete(&self, _: &str) -> Result<(), DomainError> {
+            Ok(())
+        }
+    }
+
+    struct Clip;
+    impl ClipboardObserver for Clip {
+        fn start(&self) -> Result<(), DomainError> {
+            Ok(())
+        }
+        fn stop(&self) -> Result<(), DomainError> {
+            Ok(())
+        }
+        fn get_urls(&self) -> Result<Vec<String>, DomainError> {
+            Ok(vec![])
+        }
+    }
+
+    struct Arch;
+    impl ArchiveExtractor for Arch {
+        fn detect_format(&self, _: &Path) -> Result<Option<ArchiveFormat>, DomainError> {
+            Ok(None)
+        }
+        fn can_extract(&self, _: &Path) -> Result<bool, DomainError> {
+            Ok(false)
+        }
+        fn extract(
+            &self,
+            _: &Path,
+            _: &Path,
+            _: Option<&str>,
+        ) -> Result<ExtractSummary, DomainError> {
+            Ok(ExtractSummary {
+                extracted_files: 0,
+                extracted_bytes: 0,
+                duration_ms: 0,
+                warnings: vec![],
+            })
+        }
+        fn list_contents(
+            &self,
+            _: &Path,
+            _: Option<&str>,
+        ) -> Result<Vec<ArchiveEntry>, DomainError> {
+            Ok(vec![])
+        }
+        fn detect_segments(
+            &self,
+            _: &Path,
+        ) -> Result<Option<Vec<std::path::PathBuf>>, DomainError> {
+            Ok(None)
+        }
+    }
+
+    struct RecordingUrlOpener {
+        opened: Mutex<Vec<String>>,
+        result: Mutex<Result<(), DomainError>>,
+    }
+
+    impl RecordingUrlOpener {
+        fn ok() -> Arc<Self> {
+            Arc::new(Self {
+                opened: Mutex::new(Vec::new()),
+                result: Mutex::new(Ok(())),
+            })
+        }
+
+        fn failing(err: DomainError) -> Arc<Self> {
+            Arc::new(Self {
+                opened: Mutex::new(Vec::new()),
+                result: Mutex::new(Err(err)),
+            })
+        }
+    }
+
+    impl UrlOpener for RecordingUrlOpener {
+        fn open_url(&self, url: &str) -> Result<(), DomainError> {
+            self.opened.lock().unwrap().push(url.to_string());
+            self.result.lock().unwrap().clone()
+        }
+    }
+
+    fn build_bus(loader: Arc<StaticLoader>, opener: Option<Arc<dyn UrlOpener>>) -> CommandBus {
+        let bus = CommandBus::new(
+            Arc::new(Repo),
+            Arc::new(Engine),
+            Arc::new(Bus),
+            Arc::new(FS),
+            Arc::new(Http),
+            loader,
+            Arc::new(Cfg),
+            Arc::new(Creds),
+            Arc::new(Clip),
+            Arc::new(Arch),
+            Arc::new(crate::application::test_support::NoopHistoryRepo),
+            None,
+        );
+        match opener {
+            Some(o) => bus.with_url_opener(o),
+            None => bus,
+        }
+    }
+
+    fn info_with_repo(name: &str, version: &str, repo: Option<&str>) -> PluginInfo {
+        let info = PluginInfo::new(
+            name.to_string(),
+            version.to_string(),
+            "desc".to_string(),
+            "author".to_string(),
+            PluginCategory::Hoster,
+        );
+        match repo {
+            Some(r) => info.with_repository_url(r),
+            None => info,
+        }
+    }
+
+    fn cmd(plugin_name: &str) -> ReportBrokenPluginCommand {
+        ReportBrokenPluginCommand {
+            plugin_name: plugin_name.to_string(),
+            log_lines: vec!["ERROR: boom".to_string()],
+            tested_url: Some("https://example.com/x".to_string()),
+            vortex_version: "0.2.0".to_string(),
+            os: "linux".to_string(),
+        }
+    }
+
+    #[tokio::test]
+    async fn handle_report_broken_plugin_opens_prefilled_url() {
+        let loader = Arc::new(StaticLoader {
+            infos: vec![info_with_repo(
+                "vortex-mod-youtube",
+                "1.2.3",
+                Some("https://github.com/mpiton/vortex-mod-youtube"),
+            )],
+        });
+        let opener = RecordingUrlOpener::ok();
+        let bus = build_bus(loader, Some(opener.clone() as Arc<dyn UrlOpener>));
+
+        let url = bus
+            .handle_report_broken_plugin(cmd("vortex-mod-youtube"))
+            .await
+            .unwrap();
+
+        let opened = opener.opened.lock().unwrap();
+        assert_eq!(opened.len(), 1);
+        assert_eq!(opened[0], url);
+        assert!(
+            url.starts_with("https://github.com/mpiton/vortex-mod-youtube/issues/new?"),
+            "unexpected URL: {url}"
+        );
+        assert!(url.contains("Vortex%3A%200.2.0"));
+        assert!(url.contains("OS%3A%20linux"));
+        assert!(url.contains("Tested%20URL%3A"));
+    }
+
+    #[tokio::test]
+    async fn handle_report_broken_plugin_returns_not_found_when_plugin_unknown() {
+        let loader = Arc::new(StaticLoader { infos: vec![] });
+        let opener = RecordingUrlOpener::ok();
+        let bus = build_bus(loader, Some(opener.clone() as Arc<dyn UrlOpener>));
+
+        let err = bus
+            .handle_report_broken_plugin(cmd("vortex-mod-missing"))
+            .await
+            .unwrap_err();
+        assert!(matches!(err, AppError::NotFound(_)), "{err:?}");
+        assert!(opener.opened.lock().unwrap().is_empty());
+    }
+
+    #[tokio::test]
+    async fn handle_report_broken_plugin_validation_error_when_repo_missing() {
+        let loader = Arc::new(StaticLoader {
+            infos: vec![info_with_repo("vortex-mod-foo", "1.0.0", None)],
+        });
+        let opener = RecordingUrlOpener::ok();
+        let bus = build_bus(loader, Some(opener.clone() as Arc<dyn UrlOpener>));
+
+        let err = bus
+            .handle_report_broken_plugin(cmd("vortex-mod-foo"))
+            .await
+            .unwrap_err();
+        assert!(matches!(err, AppError::Validation(_)), "{err:?}");
+        assert!(opener.opened.lock().unwrap().is_empty());
+    }
+
+    #[tokio::test]
+    async fn handle_report_broken_plugin_errors_when_opener_port_missing() {
+        let loader = Arc::new(StaticLoader {
+            infos: vec![info_with_repo(
+                "vortex-mod-x",
+                "1",
+                Some("https://github.com/o/r"),
+            )],
+        });
+        let bus = build_bus(loader, None);
+
+        let err = bus
+            .handle_report_broken_plugin(cmd("vortex-mod-x"))
+            .await
+            .unwrap_err();
+        assert!(matches!(err, AppError::Plugin(_)), "{err:?}");
+    }
+
+    #[tokio::test]
+    async fn handle_report_broken_plugin_propagates_opener_failure() {
+        let loader = Arc::new(StaticLoader {
+            infos: vec![info_with_repo(
+                "vortex-mod-x",
+                "1",
+                Some("https://github.com/o/r"),
+            )],
+        });
+        let opener =
+            RecordingUrlOpener::failing(DomainError::StorageError("xdg-open failed".into()));
+        let bus = build_bus(loader, Some(opener as Arc<dyn UrlOpener>));
+
+        let err = bus
+            .handle_report_broken_plugin(cmd("vortex-mod-x"))
+            .await
+            .unwrap_err();
+        assert!(
+            matches!(err, AppError::Domain(DomainError::StorageError(_))),
+            "{err:?}"
+        );
+    }
+
+    #[tokio::test]
+    async fn handle_report_broken_plugin_rejects_non_github_repo() {
+        let loader = Arc::new(StaticLoader {
+            infos: vec![info_with_repo(
+                "vortex-mod-x",
+                "1",
+                Some("https://gitlab.com/o/r"),
+            )],
+        });
+        let opener = RecordingUrlOpener::ok();
+        let bus = build_bus(loader, Some(opener.clone() as Arc<dyn UrlOpener>));
+
+        let err = bus
+            .handle_report_broken_plugin(cmd("vortex-mod-x"))
+            .await
+            .unwrap_err();
+        assert!(
+            matches!(err, AppError::Validation(_) | AppError::Domain(_)),
+            "{err:?}"
+        );
+        assert!(opener.opened.lock().unwrap().is_empty());
+    }
+}
diff --git a/src-tauri/src/domain/model/plugin.rs b/src-tauri/src/domain/model/plugin.rs
index 314e353..37ef773 100644
--- a/src-tauri/src/domain/model/plugin.rs
+++ b/src-tauri/src/domain/model/plugin.rs
@@ -58,6 +58,7 @@ pub struct PluginInfo {
     author: String,
     category: PluginCategory,
     enabled: bool,
+    repository_url: Option<String>,
 }
 
 impl PluginInfo {
@@ -75,9 +76,15 @@ impl PluginInfo {
             author,
             category,
             enabled: true,
+            repository_url: None,
         }
     }
 
+    pub fn with_repository_url(mut self, url: impl Into<String>) -> Self {
+        self.repository_url = Some(url.into());
+        self
+    }
+
     pub fn enable(&mut self) {
         self.enabled = true;
     }
@@ -109,6 +116,13 @@ impl PluginInfo {
     pub fn category(&self) -> PluginCategory {
         self.category
     }
+
+    /// URL of the source code repository as declared in `plugin.toml [plugin]`.
+    /// Required for the "Report broken plugin" feature; absent for plugins
+    /// that predate manifest schema v2.
+    pub fn repository_url(&self) -> Option<&str> {
+        self.repository_url.as_deref()
+    }
 }
 
 #[derive(Debug, Clone, PartialEq)]
@@ -934,6 +948,131 @@ fn atom_match(atom: &Atom, c: char) -> bool {
     }
 }
 
+// ── Report-broken-plugin URL builder (task 16) ──────────────────
+
+/// Maximum number of trailing log lines included in the issue body.
+/// GitHub silently truncates issue URLs above ~8 KB; keeping the log
+/// budget conservative leaves room for the boilerplate metadata.
+const MAX_LOG_LINES: usize = 50;
+
+/// Construct the GitHub "new issue" URL for a broken plugin report.
+///
+/// Returns a fully encoded URL that the host can hand to a browser. The
+/// caller is responsible for collecting the metadata (versions, OS, recent
+/// log lines, optional URL the user was testing) — this function is pure
+/// transformation: extract `owner/repo` from `repository_url`, build the
+/// title and body, and percent-encode every component.
+///
+/// `repository_url` must point to `https://github.com/{owner}/{repo}` (a
+/// trailing `.git` is stripped). Any other host is rejected so we never
+/// hand the user a 404 issue page on the wrong forge.
+pub fn build_report_broken_url(
+    repository_url: &str,
+    plugin_name: &str,
+    plugin_version: &str,
+    vortex_version: &str,
+    os: &str,
+    log_lines: &[String],
+    tested_url: Option<&str>,
+) -> Result<String, DomainError> {
+    let (owner, repo) = parse_github_owner_repo(repository_url)?;
+
+    let title = format!("[Bug] {plugin_name} {plugin_version}");
+
+    let mut body = String::new();
+    body.push_str(&format!("Plugin: {plugin_name}\n"));
+    body.push_str(&format!("Plugin version: {plugin_version}\n"));
+    body.push_str(&format!("Vortex: {vortex_version}\n"));
+    body.push_str(&format!("OS: {os}\n"));
+    if let Some(url) = tested_url {
+        body.push_str(&format!("Tested URL: {url}\n"));
+    }
+
+    if !log_lines.is_empty() {
+        let start = log_lines.len().saturating_sub(MAX_LOG_LINES);
+        body.push_str("\nRecent logs:\n```\n");
+        for line in &log_lines[start..] {
+            body.push_str(line);
+            body.push('\n');
+        }
+        body.push_str("```\n");
+    }
+
+    Ok(format!(
+        "https://github.com/{owner}/{repo}/issues/new?labels=bug&template=plugin-broken.yml&title={}&body={}",
+        percent_encode(&title),
+        percent_encode(&body),
+    ))
+}
+
+/// Extract `(owner, repo)` from a `https://github.com/{owner}/{repo}` URL.
+/// Strips an optional trailing `.git` and tolerates a single trailing `/`.
+fn parse_github_owner_repo(url: &str) -> Result<(String, String), DomainError> {
+    let rest = url
+        .strip_prefix("https://github.com/")
+        .or_else(|| url.strip_prefix("http://github.com/"))
+        .ok_or_else(|| {
+            DomainError::ValidationError(format!(
+                "repository_url must point to github.com, got '{url}'"
+            ))
+        })?;
+
+    let trimmed = rest.trim_end_matches('/');
+    let mut parts = trimmed.splitn(2, '/');
+    let owner = parts
+        .next()
+        .filter(|s| !s.is_empty())
+        .ok_or_else(|| {
+            DomainError::ValidationError(format!("repository_url missing owner: '{url}'"))
+        })?
+        .to_string();
+    let repo_raw = parts
+        .next()
+        .filter(|s| !s.is_empty() && !s.contains('/'))
+        .ok_or_else(|| {
+            DomainError::ValidationError(format!("repository_url missing repo: '{url}'"))
+        })?;
+    let repo = repo_raw
+        .strip_suffix(".git")
+        .unwrap_or(repo_raw)
+        .to_string();
+
+    if repo.is_empty() {
+        return Err(DomainError::ValidationError(format!(
+            "repository_url missing repo: '{url}'"
+        )));
+    }
+    Ok((owner, repo))
+}
+
+/// Percent-encode a string per RFC 3986 §2.3 unreserved set (ALPHA / DIGIT /
+/// `-` / `.` / `_` / `~`). Everything else becomes `%HH`. Hand-rolled because
+/// the domain layer cannot pull in `percent-encoding` or `url`.
+fn percent_encode(input: &str) -> String {
+    let mut out = String::with_capacity(input.len());
+    for byte in input.as_bytes() {
+        let b = *byte;
+        let is_unreserved =
+            b.is_ascii_alphanumeric() || b == b'-' || b == b'.' || b == b'_' || b == b'~';
+        if is_unreserved {
+            out.push(b as char);
+        } else {
+            out.push('%');
+            out.push(hex_upper(b >> 4));
+            out.push(hex_upper(b & 0x0f));
+        }
+    }
+    out
+}
+
+fn hex_upper(nibble: u8) -> char {
+    match nibble {
+        0..=9 => (b'0' + nibble) as char,
+        10..=15 => (b'A' + (nibble - 10)) as char,
+        _ => unreachable!("nibble must be 0..=15"),
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
@@ -1328,4 +1467,149 @@ mod tests {
         assert!(f.validate("0.5").is_ok());
         assert!(f.validate("-3.14").is_ok());
     }
+
+    // ── repository_url + report-broken URL builder (task 16) ────────
+
+    #[test]
+    fn test_plugin_info_with_repository_url_records_value() {
+        let info = make_info().with_repository_url("https://github.com/foo/bar");
+        assert_eq!(info.repository_url(), Some("https://github.com/foo/bar"));
+    }
+
+    #[test]
+    fn test_plugin_info_without_repository_url_defaults_to_none() {
+        let info = make_info();
+        assert_eq!(info.repository_url(), None);
+    }
+
+    #[test]
+    fn test_build_report_broken_url_minimum_metadata_succeeds() {
+        let url = build_report_broken_url(
+            "https://github.com/mpiton/vortex-mod-youtube",
+            "vortex-mod-youtube",
+            "1.2.3",
+            "0.2.0",
+            "linux",
+            &[],
+            None,
+        )
+        .expect("valid input must produce a URL");
+
+        assert!(
+            url.starts_with("https://github.com/mpiton/vortex-mod-youtube/issues/new?"),
+            "URL prefix mismatch: {url}"
+        );
+        assert!(url.contains("labels=bug"), "missing labels: {url}");
+        assert!(
+            url.contains("template=plugin-broken.yml"),
+            "missing template: {url}"
+        );
+    }
+
+    #[test]
+    fn test_build_report_broken_url_encodes_body_metadata() {
+        let logs = vec![
+            "ERROR: failed to fetch https://example.com/?q=foo bar".to_string(),
+            "WARN: retrying & giving up".to_string(),
+        ];
+        let url = build_report_broken_url(
+            "https://github.com/mpiton/vortex-mod-youtube",
+            "vortex-mod-youtube",
+            "1.2.3",
+            "0.2.0",
+            "macos",
+            &logs,
+            Some("https://www.youtube.com/watch?v=dQw4w9WgXcQ"),
+        )
+        .unwrap();
+
+        // Title is URL-encoded (spaces → %20 or +, brackets → %5B/%5D)
+        assert!(
+            url.contains("title=%5BBug%5D%20vortex-mod-youtube%201.2.3"),
+            "encoded title missing: {url}"
+        );
+        // Body must include each metadata field, percent-encoded
+        // "Plugin: " encodes the colon and space the same way every time.
+        assert!(url.contains("Plugin%3A%20vortex-mod-youtube"), "{url}");
+        assert!(url.contains("Vortex%3A%200.2.0"), "{url}");
+        assert!(url.contains("OS%3A%20macos"), "{url}");
+        // Tested URL appears, with embedded `?` inside the body re-encoded
+        // so it does not collide with the outer query string.
+        assert!(url.contains("Tested%20URL%3A"), "{url}");
+        assert!(url.contains("dQw4w9WgXcQ"), "{url}");
+        // Log lines: "&" must become %26, " " must NOT remain raw inside body
+        assert!(url.contains("%26"), "ampersand not encoded: {url}");
+        assert!(!url.contains(" "), "raw space leaked: {url}");
+    }
+
+    #[test]
+    fn test_build_report_broken_url_truncates_logs_to_max() {
+        let logs: Vec<String> = (0..200).map(|i| format!("line {i}")).collect();
+        let url = build_report_broken_url(
+            "https://github.com/owner/repo",
+            "p",
+            "1",
+            "1",
+            "linux",
+            &logs,
+            None,
+        )
+        .unwrap();
+        // Only the *last* MAX_LOG_LINES entries should survive; earlier
+        // ones must be dropped so the URL stays under GitHub's 8 KB limit.
+        assert!(!url.contains("line%200"), "first line should be dropped");
+        assert!(url.contains("line%20199"), "last line should be present");
+    }
+
+    #[test]
+    fn test_build_report_broken_url_rejects_non_github_repo() {
+        let err = build_report_broken_url(
+            "https://gitlab.com/foo/bar",
+            "p",
+            "1",
+            "1",
+            "linux",
+            &[],
+            None,
+        )
+        .unwrap_err();
+        assert!(
+            matches!(err, DomainError::ValidationError(_)),
+            "expected ValidationError, got {err:?}"
+        );
+    }
+
+    #[test]
+    fn test_build_report_broken_url_rejects_missing_owner_repo() {
+        for bad in [
+            "https://github.com/",
+            "https://github.com/onlyowner",
+            "not a url",
+            "",
+        ] {
+            let err = build_report_broken_url(bad, "p", "1", "1", "linux", &[], None);
+            assert!(
+                matches!(err, Err(DomainError::ValidationError(_))),
+                "expected ValidationError for {bad:?}, got {err:?}"
+            );
+        }
+    }
+
+    #[test]
+    fn test_build_report_broken_url_strips_trailing_dot_git() {
+        let url = build_report_broken_url(
+            "https://github.com/owner/repo.git",
+            "p",
+            "1",
+            "1",
+            "linux",
+            &[],
+            None,
+        )
+        .unwrap();
+        assert!(
+            url.starts_with("https://github.com/owner/repo/issues/new?"),
+            "trailing .git not stripped: {url}"
+        );
+    }
 }
diff --git a/src-tauri/src/domain/ports/driven/mod.rs b/src-tauri/src/domain/ports/driven/mod.rs
index 0f74a16..b8750b7 100644
--- a/src-tauri/src/domain/ports/driven/mod.rs
+++ b/src-tauri/src/domain/ports/driven/mod.rs
@@ -20,6 +20,7 @@ pub mod plugin_loader;
 pub mod plugin_read_repository;
 pub mod plugin_store_client;
 pub mod stats_repository;
+pub mod url_opener;
 
 pub use archive_extractor::ArchiveExtractor;
 pub use checksum_computer::ChecksumComputer;
@@ -40,3 +41,4 @@ pub use plugin_loader::PluginLoader;
 pub use plugin_read_repository::PluginReadRepository;
 pub use plugin_store_client::PluginStoreClient;
 pub use stats_repository::StatsRepository;
+pub use url_opener::UrlOpener;
diff --git a/src-tauri/src/domain/ports/driven/url_opener.rs b/src-tauri/src/domain/ports/driven/url_opener.rs
new file mode 100644
index 0000000..5d7b9a0
--- /dev/null
+++ b/src-tauri/src/domain/ports/driven/url_opener.rs
@@ -0,0 +1,18 @@
+//! Port for opening external URLs in the user's default web browser.
+//!
+//! Separate from [`super::FileOpener`] because the underlying mechanism is
+//! different on every platform (Linux: `xdg-open`, macOS: `open`, Windows:
+//! `cmd /C start ""`) and the inputs (URL string vs filesystem path) have
+//! distinct validation rules.
+
+use crate::domain::error::DomainError;
+
+pub trait UrlOpener: Send + Sync {
+    /// Open `url` with the OS-default browser.
+    ///
+    /// `url` must already be a fully-formed `http(s)://` URL — the caller
+    /// is responsible for encoding query strings and validating origin.
+    /// Implementations must reject any other scheme to avoid handing
+    /// `javascript:` / `file://` payloads to the OS launcher.
+    fn open_url(&self, url: &str) -> Result<(), DomainError>;
+}
diff --git a/src-tauri/src/lib.rs b/src-tauri/src/lib.rs
index 23207c0..f5a80c8 100644
--- a/src-tauri/src/lib.rs
+++ b/src-tauri/src/lib.rs
@@ -21,7 +21,7 @@ pub use adapters::driven::event::TokioEventBus;
 pub use adapters::driven::event::spawn_tauri_event_bridge;
 pub use adapters::driven::extractor::VortexArchiveExtractor;
 pub use adapters::driven::filesystem::{
-    FsFileStorage, SystemFileOpener, resolve_system_download_dir,
+    FsFileStorage, SystemFileOpener, SystemUrlOpener, resolve_system_download_dir,
 };
 pub use adapters::driven::logging::download_log_bridge::spawn_download_log_bridge;
 pub use adapters::driven::logging::download_log_store::DownloadLogStore;
@@ -67,9 +67,9 @@ pub use adapters::driving::tauri_ipc::{
     history_delete_entry, history_export, history_get_by_id, history_list,
     history_purge_older_than, history_search, link_resolve, plugin_config_get,
     plugin_config_update, plugin_disable, plugin_enable, plugin_install, plugin_list,
-    plugin_store_install, plugin_store_list, plugin_store_refresh, plugin_store_update,
-    plugin_uninstall, reveal_in_folder, settings_get, settings_update, stats_get,
-    stats_top_modules, status_bar_get,
+    plugin_report_broken, plugin_store_install, plugin_store_list, plugin_store_refresh,
+    plugin_store_update, plugin_uninstall, reveal_in_folder, settings_get, settings_update,
+    stats_get, stats_top_modules, status_bar_get,
 };
 
 #[cfg_attr(mobile, tauri::mobile_entry_point)]
@@ -298,6 +298,8 @@ pub fn run() {
                 Arc::new(crate::adapters::driven::network::StreamingChecksumComputer::new());
             let file_opener: Arc<dyn crate::domain::ports::driven::FileOpener> =
                 Arc::new(SystemFileOpener::new());
+            let url_opener: Arc<dyn crate::domain::ports::driven::UrlOpener> =
+                Arc::new(SystemUrlOpener::new());
             // Clone the Arcs the purge worker will need before the bus
             // takes ownership of `config_store`.
             let config_store_for_purge: Arc<dyn ConfigStore> = config_store.clone();
@@ -319,6 +321,7 @@ pub fn run() {
                 )
                 .with_checksum_computer(checksum_computer)
                 .with_file_opener(file_opener)
+                .with_url_opener(url_opener)
                 .with_plugin_config_store(plugin_config_store.clone()),
             );
 
@@ -430,6 +433,7 @@ pub fn run() {
             plugin_store_update,
             plugin_config_get,
             plugin_config_update,
+            plugin_report_broken,
             link_resolve,
             clipboard_toggle,
             clipboard_state,
diff --git a/src/i18n/locales/en.json b/src/i18n/locales/en.json
index c84814b..8521872 100644
--- a/src/i18n/locales/en.json
+++ b/src/i18n/locales/en.json
@@ -330,7 +330,8 @@
       "more": "More actions",
       "configure": "Configure",
       "refresh": "Check updates",
-      "browseRepo": "Browse repository"
+      "browseRepo": "Browse repository",
+      "reportBroken": "Report broken plugin"
     },
     "search": {
       "placeholder": "Search plugins…"
@@ -359,7 +360,9 @@
       "refreshSuccess": "Plugin list refreshed",
       "disableSuccess": "Plugin disabled",
       "enableSuccess": "Plugin enabled",
-      "uninstallSuccess": "Plugin uninstalled"
+      "uninstallSuccess": "Plugin uninstalled",
+      "reportBrokenSuccess": "Opening GitHub issue for \"{{name}}\"…",
+      "reportBrokenError": "Cannot report \"{{name}}\": {{reason}}"
     },
     "config": {
       "title": "Configure {{name}}",
diff --git a/src/i18n/locales/fr.json b/src/i18n/locales/fr.json
index 31529ee..9da6d04 100644
--- a/src/i18n/locales/fr.json
+++ b/src/i18n/locales/fr.json
@@ -330,7 +330,8 @@
       "more": "Plus d'actions",
       "configure": "Configurer",
       "refresh": "Vérifier les mises à jour",
-      "browseRepo": "Parcourir le dépôt"
+      "browseRepo": "Parcourir le dépôt",
+      "reportBroken": "Signaler un plugin cassé"
     },
     "search": {
       "placeholder": "Rechercher un plugin…"
@@ -359,7 +360,9 @@
       "refreshSuccess": "Liste des plugins rafraîchie",
       "disableSuccess": "Plugin désactivé",
       "enableSuccess": "Plugin activé",
-      "uninstallSuccess": "Plugin désinstallé"
+      "uninstallSuccess": "Plugin désinstallé",
+      "reportBrokenSuccess": "Ouverture de l'issue GitHub pour « {{name}} »…",
+      "reportBrokenError": "Impossible de signaler « {{name}} » : {{reason}}"
     },
     "config": {
       "title": "Configurer {{name}}",
diff --git a/src/views/PluginsView.tsx b/src/views/PluginsView.tsx
index a259abf..5fed8ea 100644
--- a/src/views/PluginsView.tsx
+++ b/src/views/PluginsView.tsx
@@ -98,6 +98,23 @@ export function PluginsView() {
     },
   });
 
+  const reportBrokenMutation = useTauriMutation<
+    string,
+    { pluginName: string; logLines?: string[]; testedUrl?: string }
+  >("plugin_report_broken", {
+    onSuccess: (_url, variables) => {
+      toast.success(t("plugins.toast.reportBrokenSuccess", { name: variables.pluginName }));
+    },
+    onError: (error, variables) => {
+      toast.error(
+        t("plugins.toast.reportBrokenError", {
+          name: variables.pluginName,
+          reason: error.message,
+        }),
+      );
+    },
+  });
+
   const filtered = useMemo(() => {
     const query = search.trim().toLowerCase();
     return entries.filter((e) => {
@@ -112,8 +129,7 @@ export function PluginsView() {
   }, [entries, search, category]);
 
   const enabledCount = useMemo(
-    () =>
-      entries.filter((e) => isInstalled(e.status) && !locallyDisabled.has(e.name)).length,
+    () => entries.filter((e) => isInstalled(e.status) && !locallyDisabled.has(e.name)).length,
     [entries, locallyDisabled],
   );
 
@@ -213,6 +229,7 @@ export function PluginsView() {
                       onEnable={(name) => enableMutation.mutate({ name })}
                       onUninstall={(name) => uninstallMutation.mutate({ name })}
                       onConfigure={(name) => setConfigPluginName(name)}
+                      onReportBroken={(name) => reportBrokenMutation.mutate({ pluginName: name })}
                       hasConfig={hasConfig(entry.name)}
                       isInstalling={isInstalling(entry.name)}
                       isUpdating={isUpdating(entry.name)}
diff --git a/src/views/PluginsView/PluginStoreRow.tsx b/src/views/PluginsView/PluginStoreRow.tsx
index 7bb9f2e..fbd3105 100644
--- a/src/views/PluginsView/PluginStoreRow.tsx
+++ b/src/views/PluginsView/PluginStoreRow.tsx
@@ -25,6 +25,12 @@ interface PluginStoreRowProps {
    * `hasConfig` from the parent's resolution of the schema query).
    */
   onConfigure?: (name: string) => void;
+  /**
+   * Open a pre-filled GitHub issue on the plugin repository. Hidden when
+   * omitted so the parent can short-circuit the action for plugins that
+   * declare no `repository_url` in their manifest.
+   */
+  onReportBroken?: (name: string) => void;
   hasConfig?: boolean;
   isInstalling: boolean;
   isUpdating: boolean;
@@ -50,6 +56,7 @@ export function PluginStoreRow({
   onEnable,
   onUninstall,
   onConfigure,
+  onReportBroken,
   hasConfig = false,
   isInstalling,
   isUpdating,
@@ -110,8 +117,7 @@ export function PluginStoreRow({
             disabled={isUpdating}
             className="h-7 text-[10px] px-2 gap-1 text-warning border-warning/50 hover:bg-warning/10 hover:text-warning"
           >
-            <ArrowUpCircle className="h-3 w-3" />
-            v{entry.version}
+            <ArrowUpCircle className="h-3 w-3" />v{entry.version}
           </Button>
         )}
 
@@ -145,7 +151,7 @@ export function PluginStoreRow({
           </Button>
         )}
 
-        {installed && (onDisable || onEnable || onUninstall) && (
+        {installed && (onDisable || onEnable || onUninstall || onReportBroken) && (
           <DropdownMenu>
             <DropdownMenuTrigger asChild>
               <Button
@@ -169,14 +175,16 @@ export function PluginStoreRow({
                       {t("plugins.action.disable")}
                     </DropdownMenuItem>
                   )}
-              {((isLocallyDisabled ? onEnable : onDisable) && onUninstall) && (
+              {onReportBroken && (
+                <DropdownMenuItem onSelect={() => onReportBroken(entry.name)}>
+                  {t("plugins.action.reportBroken")}
+                </DropdownMenuItem>
+              )}
+              {((isLocallyDisabled ? onEnable : onDisable) || onReportBroken) && onUninstall && (
                 <DropdownMenuSeparator />
               )}
               {onUninstall && (
-                <DropdownMenuItem
-                  variant="destructive"
-                  onSelect={() => onUninstall(entry.name)}
-                >
+                <DropdownMenuItem variant="destructive" onSelect={() => onUninstall(entry.name)}>
                   {t("plugins.action.uninstall")}
                 </DropdownMenuItem>
               )}
diff --git a/src/views/PluginsView/__tests__/PluginStoreRow.test.tsx b/src/views/PluginsView/__tests__/PluginStoreRow.test.tsx
index 3e301a3..3e27462 100644
--- a/src/views/PluginsView/__tests__/PluginStoreRow.test.tsx
+++ b/src/views/PluginsView/__tests__/PluginStoreRow.test.tsx
@@ -72,9 +72,7 @@ describe("PluginStoreRow", () => {
 
   it("does not render an install button when the plugin is already installed", () => {
     renderRow({ status: "installed" });
-    expect(
-      screen.queryByRole("button", { name: /^install(er)?$/i }),
-    ).not.toBeInTheDocument();
+    expect(screen.queryByRole("button", { name: /^install(er)?$/i })).not.toBeInTheDocument();
   });
 
   it("renders an update pill prefixed with v when an update is available", async () => {
@@ -97,7 +95,9 @@ describe("PluginStoreRow", () => {
   it("exposes a disable action in the kebab menu for installed plugins", async () => {
     const user = userEvent.setup();
     const handlers = renderRow({ status: "installed" });
-    await user.click(screen.getByRole("button", { name: /(more actions|plus d['\u2019]actions)/i }));
+    await user.click(
+      screen.getByRole("button", { name: /(more actions|plus d['\u2019]actions)/i }),
+    );
     await user.click(screen.getByRole("menuitem", { name: /(^disable$|désactiver)/i }));
     expect(handlers.onDisable).toHaveBeenCalledWith("vortex-mod-youtube");
   });
@@ -105,7 +105,9 @@ describe("PluginStoreRow", () => {
   it("exposes an uninstall action in the kebab menu for installed plugins", async () => {
     const user = userEvent.setup();
     const handlers = renderRow({ status: "installed" });
-    await user.click(screen.getByRole("button", { name: /(more actions|plus d['\u2019]actions)/i }));
+    await user.click(
+      screen.getByRole("button", { name: /(more actions|plus d['\u2019]actions)/i }),
+    );
     await user.click(screen.getByRole("menuitem", { name: /(uninstall|désinstaller)/i }));
     expect(handlers.onUninstall).toHaveBeenCalledWith("vortex-mod-youtube");
   });
@@ -127,19 +129,32 @@ describe("PluginStoreRow", () => {
 
   it("swaps Disable for Enable in the kebab menu when locally disabled", async () => {
     const user = userEvent.setup();
-    const handlers = renderRow(
-      { status: "installed" },
-      { isLocallyDisabled: true },
-    );
+    const handlers = renderRow({ status: "installed" }, { isLocallyDisabled: true });
     await user.click(
       screen.getByRole("button", { name: /(more actions|plus d['\u2019]actions)/i }),
     );
-    await user.click(
-      screen.getByRole("menuitem", { name: /(^enable$|activer)/i }),
-    );
+    await user.click(screen.getByRole("menuitem", { name: /(^enable$|activer)/i }));
     expect(handlers.onEnable).toHaveBeenCalledWith("vortex-mod-youtube");
     expect(
       screen.queryByRole("menuitem", { name: /(^disable$|désactiver)/i }),
     ).not.toBeInTheDocument();
   });
+
+  it("exposes a report-broken action in the kebab menu for installed plugins", async () => {
+    const user = userEvent.setup();
+    const onReportBroken = vi.fn();
+    renderRow({ status: "installed" }, { onReportBroken });
+    await user.click(screen.getByRole("button", { name: /(more actions|plus d['’]actions)/i }));
+    await user.click(screen.getByRole("menuitem", { name: /(report broken|signaler un plugin)/i }));
+    expect(onReportBroken).toHaveBeenCalledWith("vortex-mod-youtube");
+  });
+
+  it("does not render the report-broken action when no handler is provided", async () => {
+    const user = userEvent.setup();
+    renderRow({ status: "installed" });
+    await user.click(screen.getByRole("button", { name: /(more actions|plus d['’]actions)/i }));
+    expect(
+      screen.queryByRole("menuitem", { name: /(report broken|signaler un plugin)/i }),
+    ).not.toBeInTheDocument();
+  });
 });

From fd8d6de7de872b587d44a9a2aa40a7239e33760d Mon Sep 17 00:00:00 2001
From: Mathieu Piton <27002047+mpiton@users.noreply.github.com>
Date: Sun, 26 Apr 2026 11:57:47 +0200
Subject: [PATCH 2/5] fix: address PR review comments for report-broken-plugin
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Frontend gates the menu item on `entry.repository` so plugins without
  a GitHub manifest no longer surface a button that immediately fails.
- Handler falls back to `find_installed_manifest` when `list_loaded`
  doesn't have the plugin — broken (failed-to-load) plugins are the
  whole point of the action and must be reportable.
- Launcher failure is now non-fatal: the URL is always returned so the
  frontend can offer a clipboard fallback when the OS browser is
  unavailable.
- Frontend writes the returned URL to the clipboard on success and
  surfaces a dedicated toast acknowledging the copy.
- Windows launcher swaps `cmd /C start` for
  `rundll32 url.dll,FileProtocolHandler` so URLs containing `&` / `%`
  reach the shell-execute call intact, plus a comment explaining why
  the exit status is intentionally ignored.
---
 .../adapters/driven/filesystem/url_opener.rs  |  18 +++-
 .../adapters/driven/plugin/extism_loader.rs   |  26 +++++
 .../commands/report_broken_plugin.rs          | 101 +++++++++++++++---
 .../src/domain/ports/driven/plugin_loader.rs  |  11 ++
 src/i18n/locales/en.json                      |   1 +
 src/i18n/locales/fr.json                      |   1 +
 src/types/plugin-store.ts                     |   5 +
 src/views/PluginsView.tsx                     |  34 +++++-
 .../__tests__/PluginStoreRow.test.tsx         |   1 +
 .../__tests__/groupByCategory.test.ts         |   1 +
 .../__tests__/usePluginStore.test.ts          |   2 +
 11 files changed, 179 insertions(+), 22 deletions(-)

diff --git a/src-tauri/src/adapters/driven/filesystem/url_opener.rs b/src-tauri/src/adapters/driven/filesystem/url_opener.rs
index 5b81a31..32ad694 100644
--- a/src-tauri/src/adapters/driven/filesystem/url_opener.rs
+++ b/src-tauri/src/adapters/driven/filesystem/url_opener.rs
@@ -34,13 +34,17 @@ impl UrlOpener for SystemUrlOpener {
         #[cfg(target_os = "macos")]
         let (program, args): (&str, Vec<std::ffi::OsString>) =
             ("open", vec![std::ffi::OsString::from(url)]);
+        // `rundll32 url.dll,FileProtocolHandler <URL>` is the canonical
+        // Windows shortcut for "open this URL in the default browser".
+        // Unlike `cmd /C start`, it does NOT pass the URL through the
+        // command interpreter, so query strings containing `&` (issue
+        // body separators) or `%` (percent-encoded characters) reach the
+        // shell-execute call intact.
         #[cfg(target_os = "windows")]
         let (program, args): (&str, Vec<std::ffi::OsString>) = (
-            "cmd",
+            "rundll32",
             vec![
-                std::ffi::OsString::from("/C"),
-                std::ffi::OsString::from("start"),
-                std::ffi::OsString::from(""),
+                std::ffi::OsString::from("url.dll,FileProtocolHandler"),
                 std::ffi::OsString::from(url),
             ],
         );
@@ -75,6 +79,12 @@ fn run_launcher(program: &str, args: &[std::ffi::OsString]) -> Result<(), Domain
 
 #[cfg(target_os = "windows")]
 fn run_launcher(program: &str, args: &[std::ffi::OsString]) -> Result<(), DomainError> {
+    // `rundll32` returns 0 even when the user has no default browser, so
+    // the exit code carries no signal worth checking. We only surface
+    // process-spawn failures (missing binary, sandboxing) — those are
+    // the cases where the URL really did not reach Windows. This mirrors
+    // the rationale documented next to `SystemFileOpener` for the same
+    // reason.
     let _status = Command::new(program)
         .args(args)
         .status()
diff --git a/src-tauri/src/adapters/driven/plugin/extism_loader.rs b/src-tauri/src/adapters/driven/plugin/extism_loader.rs
index 97a5f3b..bf694f7 100644
--- a/src-tauri/src/adapters/driven/plugin/extism_loader.rs
+++ b/src-tauri/src/adapters/driven/plugin/extism_loader.rs
@@ -248,6 +248,32 @@ impl PluginLoader for ExtismPluginLoader {
         Ok(self.registry.list_info())
     }
 
+    fn find_installed_manifest(&self, name: &str) -> Result<Option<PluginInfo>, DomainError> {
+        // Reject any name that could escape `plugins_dir/` so a hostile
+        // caller can't read foreign manifests by passing `../etc/passwd`.
+        if name.is_empty() || name.contains('/') || name.contains('\\') || name.contains("..") {
+            return Err(DomainError::ValidationError(format!(
+                "invalid plugin name: '{name}'"
+            )));
+        }
+        let dir = self.plugins_dir.join(name);
+        if !dir.is_dir() {
+            return Ok(None);
+        }
+        match parse_manifest(&dir) {
+            Ok((manifest, _)) => Ok(Some(manifest.info().clone())),
+            Err(DomainError::PluginError(msg)) => {
+                // A directory is present but the manifest is unreadable —
+                // we surface None rather than an error so the caller can
+                // decide whether to fall back to other lookups (e.g. the
+                // registry-backed store entry) or report NotFound.
+                tracing::debug!("find_installed_manifest('{name}'): manifest unreadable: {msg}");
+                Ok(None)
+            }
+            Err(e) => Err(e),
+        }
+    }
+
     fn set_enabled(&self, name: &str, enabled: bool) -> Result<(), DomainError> {
         self.registry.set_enabled(name, enabled)
     }
diff --git a/src-tauri/src/application/commands/report_broken_plugin.rs b/src-tauri/src/application/commands/report_broken_plugin.rs
index 0322b9d..f354da9 100644
--- a/src-tauri/src/application/commands/report_broken_plugin.rs
+++ b/src-tauri/src/application/commands/report_broken_plugin.rs
@@ -24,14 +24,22 @@ impl CommandBus {
             .url_opener_arc()
             .ok_or_else(|| AppError::Plugin("url opener port not configured".to_string()))?;
 
-        let manifest = self
-            .plugin_loader()
+        // A "broken plugin" is precisely the case where load failed, so
+        // `list_loaded` won't see it. Fall back to the on-disk manifest
+        // before declaring the plugin unknown.
+        let loader = self.plugin_loader();
+        let manifest = match loader
             .list_loaded()?
             .into_iter()
             .find(|info| info.name() == cmd.plugin_name)
-            .ok_or_else(|| {
-                AppError::NotFound(format!("plugin '{}' is not loaded", cmd.plugin_name))
-            })?;
+        {
+            Some(info) => info,
+            None => loader
+                .find_installed_manifest(&cmd.plugin_name)?
+                .ok_or_else(|| {
+                    AppError::NotFound(format!("plugin '{}' is not installed", cmd.plugin_name))
+                })?,
+        };
 
         let repo_url = manifest.repository_url().ok_or_else(|| {
             AppError::Validation(format!(
@@ -50,10 +58,25 @@ impl CommandBus {
             cmd.tested_url.as_deref(),
         )?;
 
+        // Launcher failure must not lose the URL: the frontend uses the
+        // returned value as a clipboard fallback when the OS browser is
+        // unavailable (no graphical session, broken `xdg-open`, etc.).
         let url_for_browser = issue_url.clone();
-        tokio::task::spawn_blocking(move || opener.open_url(&url_for_browser))
-            .await
-            .map_err(|e| AppError::Plugin(format!("open_url join error: {e}")))??;
+        let plugin_name = cmd.plugin_name.clone();
+        let join = tokio::task::spawn_blocking(move || opener.open_url(&url_for_browser)).await;
+        match join {
+            Ok(Ok(())) => {}
+            Ok(Err(e)) => tracing::warn!(
+                error = %e,
+                plugin = %plugin_name,
+                "report_broken_plugin: url opener failed; returning URL for clipboard fallback"
+            ),
+            Err(e) => tracing::warn!(
+                error = %e,
+                plugin = %plugin_name,
+                "report_broken_plugin: url opener task panicked; returning URL for clipboard fallback"
+            ),
+        }
 
         Ok(issue_url)
     }
@@ -157,6 +180,7 @@ mod tests {
 
     struct StaticLoader {
         infos: Vec<PluginInfo>,
+        installed: Vec<PluginInfo>,
     }
     impl PluginLoader for StaticLoader {
         fn load(&self, _: &PluginManifest) -> Result<(), DomainError> {
@@ -171,6 +195,9 @@ mod tests {
         fn list_loaded(&self) -> Result<Vec<PluginInfo>, DomainError> {
             Ok(self.infos.clone())
         }
+        fn find_installed_manifest(&self, name: &str) -> Result<Option<PluginInfo>, DomainError> {
+            Ok(self.installed.iter().find(|i| i.name() == name).cloned())
+        }
         fn set_enabled(&self, _: &str, _: bool) -> Result<(), DomainError> {
             Ok(())
         }
@@ -324,6 +351,7 @@ mod tests {
     #[tokio::test]
     async fn handle_report_broken_plugin_opens_prefilled_url() {
         let loader = Arc::new(StaticLoader {
+            installed: vec![],
             infos: vec![info_with_repo(
                 "vortex-mod-youtube",
                 "1.2.3",
@@ -352,7 +380,10 @@ mod tests {
 
     #[tokio::test]
     async fn handle_report_broken_plugin_returns_not_found_when_plugin_unknown() {
-        let loader = Arc::new(StaticLoader { infos: vec![] });
+        let loader = Arc::new(StaticLoader {
+            infos: vec![],
+            installed: vec![],
+        });
         let opener = RecordingUrlOpener::ok();
         let bus = build_bus(loader, Some(opener.clone() as Arc<dyn UrlOpener>));
 
@@ -364,9 +395,39 @@ mod tests {
         assert!(opener.opened.lock().unwrap().is_empty());
     }
 
+    #[tokio::test]
+    async fn handle_report_broken_plugin_falls_back_to_installed_manifest_when_not_loaded() {
+        // The whole point of "broken plugin" is that the plugin failed to
+        // load. The handler must still find its manifest on disk.
+        let loader = Arc::new(StaticLoader {
+            infos: vec![],
+            installed: vec![info_with_repo(
+                "vortex-mod-broken",
+                "0.1.0",
+                Some("https://github.com/o/vortex-mod-broken"),
+            )],
+        });
+        let opener = RecordingUrlOpener::ok();
+        let bus = build_bus(loader, Some(opener.clone() as Arc<dyn UrlOpener>));
+
+        let url = bus
+            .handle_report_broken_plugin(cmd("vortex-mod-broken"))
+            .await
+            .unwrap();
+
+        assert!(
+            url.starts_with("https://github.com/o/vortex-mod-broken/issues/new?"),
+            "unexpected URL: {url}"
+        );
+        let opened = opener.opened.lock().unwrap();
+        assert_eq!(opened.len(), 1);
+        assert_eq!(opened[0], url);
+    }
+
     #[tokio::test]
     async fn handle_report_broken_plugin_validation_error_when_repo_missing() {
         let loader = Arc::new(StaticLoader {
+            installed: vec![],
             infos: vec![info_with_repo("vortex-mod-foo", "1.0.0", None)],
         });
         let opener = RecordingUrlOpener::ok();
@@ -383,6 +444,7 @@ mod tests {
     #[tokio::test]
     async fn handle_report_broken_plugin_errors_when_opener_port_missing() {
         let loader = Arc::new(StaticLoader {
+            installed: vec![],
             infos: vec![info_with_repo(
                 "vortex-mod-x",
                 "1",
@@ -399,8 +461,12 @@ mod tests {
     }
 
     #[tokio::test]
-    async fn handle_report_broken_plugin_propagates_opener_failure() {
+    async fn handle_report_broken_plugin_returns_url_even_when_launcher_fails() {
+        // When the OS launcher fails (no graphical session, broken
+        // `xdg-open`, …), the handler must still hand back the issue URL
+        // so the frontend can offer a clipboard fallback.
         let loader = Arc::new(StaticLoader {
+            installed: vec![],
             infos: vec![info_with_repo(
                 "vortex-mod-x",
                 "1",
@@ -409,21 +475,26 @@ mod tests {
         });
         let opener =
             RecordingUrlOpener::failing(DomainError::StorageError("xdg-open failed".into()));
-        let bus = build_bus(loader, Some(opener as Arc<dyn UrlOpener>));
+        let bus = build_bus(loader, Some(opener.clone() as Arc<dyn UrlOpener>));
 
-        let err = bus
+        let url = bus
             .handle_report_broken_plugin(cmd("vortex-mod-x"))
             .await
-            .unwrap_err();
+            .unwrap();
+
         assert!(
-            matches!(err, AppError::Domain(DomainError::StorageError(_))),
-            "{err:?}"
+            url.starts_with("https://github.com/o/r/issues/new?"),
+            "unexpected URL: {url}"
         );
+        let opened = opener.opened.lock().unwrap();
+        assert_eq!(opened.len(), 1, "opener should still be invoked once");
+        assert_eq!(opened[0], url);
     }
 
     #[tokio::test]
     async fn handle_report_broken_plugin_rejects_non_github_repo() {
         let loader = Arc::new(StaticLoader {
+            installed: vec![],
             infos: vec![info_with_repo(
                 "vortex-mod-x",
                 "1",
diff --git a/src-tauri/src/domain/ports/driven/plugin_loader.rs b/src-tauri/src/domain/ports/driven/plugin_loader.rs
index c6c4f06..fe212fe 100644
--- a/src-tauri/src/domain/ports/driven/plugin_loader.rs
+++ b/src-tauri/src/domain/ports/driven/plugin_loader.rs
@@ -45,6 +45,17 @@ pub trait PluginLoader: Send + Sync {
     /// List all currently loaded plugins.
     fn list_loaded(&self) -> Result<Vec<PluginInfo>, DomainError>;
 
+    /// Look up an installed plugin's manifest on disk by name, even when
+    /// the plugin is not currently loaded (e.g. it failed to load and is
+    /// the very thing the user wants to report as broken).
+    ///
+    /// Adapters that don't keep a separate on-disk index should still try
+    /// to parse the directory the loader watches; the default `Ok(None)`
+    /// keeps trait-only test loaders compatible.
+    fn find_installed_manifest(&self, _name: &str) -> Result<Option<PluginInfo>, DomainError> {
+        Ok(None)
+    }
+
     /// Enable or disable a loaded plugin by name.
     fn set_enabled(&self, name: &str, enabled: bool) -> Result<(), DomainError>;
 
diff --git a/src/i18n/locales/en.json b/src/i18n/locales/en.json
index 8521872..28656ed 100644
--- a/src/i18n/locales/en.json
+++ b/src/i18n/locales/en.json
@@ -362,6 +362,7 @@
       "enableSuccess": "Plugin enabled",
       "uninstallSuccess": "Plugin uninstalled",
       "reportBrokenSuccess": "Opening GitHub issue for \"{{name}}\"…",
+      "reportBrokenSuccessWithCopy": "Opening GitHub issue for \"{{name}}\"… (URL copied to clipboard)",
       "reportBrokenError": "Cannot report \"{{name}}\": {{reason}}"
     },
     "config": {
diff --git a/src/i18n/locales/fr.json b/src/i18n/locales/fr.json
index 9da6d04..f8f3cd0 100644
--- a/src/i18n/locales/fr.json
+++ b/src/i18n/locales/fr.json
@@ -362,6 +362,7 @@
       "enableSuccess": "Plugin activé",
       "uninstallSuccess": "Plugin désinstallé",
       "reportBrokenSuccess": "Ouverture de l'issue GitHub pour « {{name}} »…",
+      "reportBrokenSuccessWithCopy": "Ouverture de l'issue GitHub pour « {{name}} »… (URL copiée dans le presse-papiers)",
       "reportBrokenError": "Impossible de signaler « {{name}} » : {{reason}}"
     },
     "config": {
diff --git a/src/types/plugin-store.ts b/src/types/plugin-store.ts
index 7044436..a98822d 100644
--- a/src/types/plugin-store.ts
+++ b/src/types/plugin-store.ts
@@ -10,4 +10,9 @@ export interface PluginStoreEntry {
   official: boolean;
   /** "not_installed" | "installed" | "update_available" | "downgrade" */
   status: "not_installed" | "installed" | "update_available" | "downgrade";
+  /**
+   * URL du dépôt GitHub depuis le registre. Vide si le plugin n'expose
+   * pas d'URL — auquel cas l'action "Report broken plugin" est cachée.
+   */
+  repository: string;
 }
diff --git a/src/views/PluginsView.tsx b/src/views/PluginsView.tsx
index 5fed8ea..73f51b7 100644
--- a/src/views/PluginsView.tsx
+++ b/src/views/PluginsView.tsx
@@ -12,6 +12,7 @@ import { useTauriMutation } from "@/api/hooks";
 import { toast } from "@/lib/toast";
 import { Button } from "@/components/ui/button";
 import type { PluginConfigView } from "@/types/plugin-config";
+import type { PluginStoreEntry } from "@/types/plugin-store";
 
 const CATEGORIES = [
   "all",
@@ -102,8 +103,21 @@ export function PluginsView() {
     string,
     { pluginName: string; logLines?: string[]; testedUrl?: string }
   >("plugin_report_broken", {
-    onSuccess: (_url, variables) => {
-      toast.success(t("plugins.toast.reportBrokenSuccess", { name: variables.pluginName }));
+    onSuccess: (url, variables) => {
+      // Best-effort clipboard copy so the user always has the URL even
+      // if the OS launcher silently failed (no graphical session, broken
+      // `xdg-open`, etc.). Clipboard access can be denied by the
+      // platform — we fall back to an info-only toast in that case.
+      void navigator.clipboard
+        .writeText(url)
+        .then(() => {
+          toast.success(
+            t("plugins.toast.reportBrokenSuccessWithCopy", { name: variables.pluginName }),
+          );
+        })
+        .catch(() => {
+          toast.success(t("plugins.toast.reportBrokenSuccess", { name: variables.pluginName }));
+        });
     },
     onError: (error, variables) => {
       toast.error(
@@ -115,6 +129,16 @@ export function PluginsView() {
     },
   });
 
+  // The frontend short-circuits the action for plugins whose registry
+  // entry carries no GitHub repository: the backend would only return
+  // `Validation` and the menu item would advertise an action that
+  // never works. Limiting the test to `github.com` mirrors the domain
+  // validation in `parse_github_owner_repo`.
+  const canReportBroken = (entry: PluginStoreEntry): boolean => {
+    const repo = entry.repository ?? "";
+    return repo.startsWith("https://github.com/") || repo.startsWith("http://github.com/");
+  };
+
   const filtered = useMemo(() => {
     const query = search.trim().toLowerCase();
     return entries.filter((e) => {
@@ -229,7 +253,11 @@ export function PluginsView() {
                       onEnable={(name) => enableMutation.mutate({ name })}
                       onUninstall={(name) => uninstallMutation.mutate({ name })}
                       onConfigure={(name) => setConfigPluginName(name)}
-                      onReportBroken={(name) => reportBrokenMutation.mutate({ pluginName: name })}
+                      onReportBroken={
+                        canReportBroken(entry)
+                          ? (name) => reportBrokenMutation.mutate({ pluginName: name })
+                          : undefined
+                      }
                       hasConfig={hasConfig(entry.name)}
                       isInstalling={isInstalling(entry.name)}
                       isUpdating={isUpdating(entry.name)}
diff --git a/src/views/PluginsView/__tests__/PluginStoreRow.test.tsx b/src/views/PluginsView/__tests__/PluginStoreRow.test.tsx
index 3e27462..7685ec8 100644
--- a/src/views/PluginsView/__tests__/PluginStoreRow.test.tsx
+++ b/src/views/PluginsView/__tests__/PluginStoreRow.test.tsx
@@ -13,6 +13,7 @@ const baseEntry: PluginStoreEntry = {
   category: "crawler",
   official: true,
   status: "installed",
+  repository: "https://github.com/mpiton/vortex-mod-youtube",
 };
 
 function renderRow(
diff --git a/src/views/PluginsView/__tests__/groupByCategory.test.ts b/src/views/PluginsView/__tests__/groupByCategory.test.ts
index 35dfcbf..bc8a18a 100644
--- a/src/views/PluginsView/__tests__/groupByCategory.test.ts
+++ b/src/views/PluginsView/__tests__/groupByCategory.test.ts
@@ -12,6 +12,7 @@ function entry(name: string, category: string): PluginStoreEntry {
     category,
     official: true,
     status: "not_installed",
+    repository: "https://github.com/example/" + name,
   };
 }
 
diff --git a/src/views/PluginsView/__tests__/usePluginStore.test.ts b/src/views/PluginsView/__tests__/usePluginStore.test.ts
index d15cb6d..ec4f6c0 100644
--- a/src/views/PluginsView/__tests__/usePluginStore.test.ts
+++ b/src/views/PluginsView/__tests__/usePluginStore.test.ts
@@ -25,6 +25,7 @@ const mockEntries = [
     category: "crawler",
     official: true,
     status: "installed" as const,
+    repository: "https://github.com/mpiton/vortex-mod-youtube",
   },
   {
     name: "vortex-mod-gallery",
@@ -35,6 +36,7 @@ const mockEntries = [
     category: "hoster",
     official: false,
     status: "update_available" as const,
+    repository: "https://github.com/johndoe/vortex-mod-gallery",
   },
 ];
 

From d55b92565aaa68f8c231a96910f6e2836342a32b Mon Sep 17 00:00:00 2001
From: Mathieu Piton <27002047+mpiton@users.noreply.github.com>
Date: Sun, 26 Apr 2026 12:09:13 +0200
Subject: [PATCH 3/5] fix: harden report-broken-plugin against malformed inputs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- `validate_http_url` rejects scheme-only and missing-authority shapes
  (`https://`, `https:///foo`, `https://?x`) and any whitespace, so
  garbage URLs fail at validation instead of bubbling up as a useless
  launcher error.
- `find_installed_manifest` now uses a metadata-only manifest parser
  that doesn't require `<plugin>.wasm` on disk — the broken-plugin
  flow needs to surface plugins whose binary is missing or corrupted.
- The same path canonicalizes both `plugins_dir` and the candidate
  plugin directory and verifies containment before reading anything,
  so a hostile symlink can't make the loader read a manifest from
  outside the plugins root.
- Frontend guards `navigator.clipboard` before calling `.writeText`:
  the API is undefined in non-secure contexts and falling back to the
  no-copy toast is preferable to a synchronous throw.
---
 .../adapters/driven/filesystem/url_opener.rs  | 48 ++++++++++++++++---
 .../adapters/driven/plugin/extism_loader.rs   | 37 +++++++++++---
 .../src/adapters/driven/plugin/manifest.rs    | 46 +++++++++++++++++-
 src/views/PluginsView.tsx                     | 33 ++++++++-----
 4 files changed, 137 insertions(+), 27 deletions(-)

diff --git a/src-tauri/src/adapters/driven/filesystem/url_opener.rs b/src-tauri/src/adapters/driven/filesystem/url_opener.rs
index 32ad694..a1a012b 100644
--- a/src-tauri/src/adapters/driven/filesystem/url_opener.rs
+++ b/src-tauri/src/adapters/driven/filesystem/url_opener.rs
@@ -54,13 +54,29 @@ impl UrlOpener for SystemUrlOpener {
 }
 
 fn validate_http_url(url: &str) -> Result<(), DomainError> {
-    if url.starts_with("http://") || url.starts_with("https://") {
-        Ok(())
-    } else {
-        Err(DomainError::ValidationError(format!(
-            "URL must start with http(s)://, got '{url}'"
-        )))
+    let rest = url
+        .strip_prefix("https://")
+        .or_else(|| url.strip_prefix("http://"))
+        .ok_or_else(|| {
+            DomainError::ValidationError(format!("URL must start with http(s)://, got '{url}'"))
+        })?;
+
+    // Reject scheme-only inputs (`https://`), missing-authority shapes
+    // (`https:///foo`, `https://?x`, `https://#x`) and any whitespace,
+    // which would derail the OS launcher even though the prefix check
+    // passed.
+    if rest.is_empty()
+        || rest.starts_with('/')
+        || rest.starts_with('?')
+        || rest.starts_with('#')
+        || url.chars().any(char::is_whitespace)
+    {
+        return Err(DomainError::ValidationError(format!(
+            "invalid http(s) URL: '{url}'"
+        )));
     }
+
+    Ok(())
 }
 
 #[cfg(not(target_os = "windows"))]
@@ -120,4 +136,24 @@ mod tests {
         assert!(validate_http_url("http://example.com").is_ok());
         assert!(validate_http_url("https://github.com/foo/bar/issues/new?title=x").is_ok());
     }
+
+    #[test]
+    fn validate_http_url_rejects_missing_authority() {
+        // Scheme-only or no-host shapes used to slip past the prefix check
+        // and bubble up as a useless launcher error.
+        for bad in [
+            "https://",
+            "http://",
+            "https:///etc/passwd",
+            "https://?title=x",
+            "https://#frag",
+            "https:// example.com",
+        ] {
+            let err = validate_http_url(bad).unwrap_err();
+            assert!(
+                matches!(err, DomainError::ValidationError(_)),
+                "expected ValidationError for {bad:?}, got {err:?}"
+            );
+        }
+    }
 }
diff --git a/src-tauri/src/adapters/driven/plugin/extism_loader.rs b/src-tauri/src/adapters/driven/plugin/extism_loader.rs
index bf694f7..698bc02 100644
--- a/src-tauri/src/adapters/driven/plugin/extism_loader.rs
+++ b/src-tauri/src/adapters/driven/plugin/extism_loader.rs
@@ -12,7 +12,7 @@ use crate::domain::ports::driven::plugin_loader::DownloadedFileInfo;
 
 use super::builtin::HttpModule;
 use super::capabilities::{SharedHostResources, build_host_functions};
-use super::manifest::{find_wasm_file, parse_manifest};
+use super::manifest::{find_wasm_file, parse_manifest, parse_manifest_metadata};
 use super::registry::{LoadedPlugin, PluginRegistry};
 
 /// Per-plugin install coordination.
@@ -260,13 +260,36 @@ impl PluginLoader for ExtismPluginLoader {
         if !dir.is_dir() {
             return Ok(None);
         }
-        match parse_manifest(&dir) {
-            Ok((manifest, _)) => Ok(Some(manifest.info().clone())),
+
+        // Symlink containment: even though `name` itself is sanitized,
+        // `plugins_dir/<name>` could be a symlink pointing outside the
+        // root. We canonicalize both sides and require the resolved
+        // plugin directory to live inside the resolved plugins root
+        // before reading anything from it.
+        let canon_root = self.plugins_dir.canonicalize().map_err(|e| {
+            DomainError::PluginError(format!(
+                "failed to canonicalize plugins_dir '{}': {e}",
+                self.plugins_dir.display()
+            ))
+        })?;
+        let canon_dir = dir.canonicalize().map_err(|e| {
+            DomainError::PluginError(format!(
+                "failed to canonicalize plugin dir '{}': {e}",
+                dir.display()
+            ))
+        })?;
+        if !canon_dir.starts_with(&canon_root) {
+            return Err(DomainError::ValidationError(format!(
+                "invalid plugin path outside plugins_dir: '{}'",
+                dir.display()
+            )));
+        }
+
+        // Use the metadata-only parser so a missing/corrupt `.wasm`
+        // file doesn't hide the very plugin the user wants to report.
+        match parse_manifest_metadata(&canon_dir) {
+            Ok(manifest) => Ok(Some(manifest.info().clone())),
             Err(DomainError::PluginError(msg)) => {
-                // A directory is present but the manifest is unreadable —
-                // we surface None rather than an error so the caller can
-                // decide whether to fall back to other lookups (e.g. the
-                // registry-backed store entry) or report NotFound.
                 tracing::debug!("find_installed_manifest('{name}'): manifest unreadable: {msg}");
                 Ok(None)
             }
diff --git a/src-tauri/src/adapters/driven/plugin/manifest.rs b/src-tauri/src/adapters/driven/plugin/manifest.rs
index 416401b..c46f4e9 100644
--- a/src-tauri/src/adapters/driven/plugin/manifest.rs
+++ b/src-tauri/src/adapters/driven/plugin/manifest.rs
@@ -56,6 +56,18 @@ struct RawConfigEntry {
 ///
 /// Returns the domain manifest and the path to the `.wasm` file.
 pub fn parse_manifest(dir: &Path) -> Result<(PluginManifest, PathBuf), DomainError> {
+    let manifest = parse_manifest_metadata(dir)?;
+    let wasm_path = find_wasm_file(dir)?;
+    Ok((manifest, wasm_path))
+}
+
+/// Parse only the `plugin.toml` metadata, with no `.wasm` requirement.
+///
+/// Used by the "report broken plugin" flow: a plugin whose `.wasm` is
+/// missing or corrupted is precisely the case the user wants to file
+/// an issue for, so we must still surface its declared name, version,
+/// and `repository` even when the binary is unusable.
+pub fn parse_manifest_metadata(dir: &Path) -> Result<PluginManifest, DomainError> {
     let toml_path = dir.join("plugin.toml");
     let content = std::fs::read_to_string(&toml_path).map_err(|e| {
         DomainError::PluginError(format!(
@@ -109,8 +121,7 @@ pub fn parse_manifest(dir: &Path) -> Result<(PluginManifest, PathBuf), DomainErr
         manifest = manifest.with_min_version(v);
     }
 
-    let wasm_path = find_wasm_file(dir)?;
-    Ok((manifest, wasm_path))
+    Ok(manifest)
 }
 
 fn parse_category(s: &str) -> Result<PluginCategory, DomainError> {
@@ -452,6 +463,37 @@ description = "No wasm file"
         );
     }
 
+    #[test]
+    fn test_parse_manifest_metadata_succeeds_without_wasm() {
+        // The "report broken plugin" flow leans on this: a plugin whose
+        // `.wasm` is missing or corrupted is exactly what we want to
+        // surface, so the metadata parser must not fail when the binary
+        // is absent.
+        let tmp = TempDir::new().unwrap();
+        let plugin_dir = tmp.path().join("metadata-only");
+        std::fs::create_dir_all(&plugin_dir).unwrap();
+        write_plugin_toml(
+            &plugin_dir,
+            r#"
+[plugin]
+name = "metadata-only"
+version = "0.3.1"
+category = "hoster"
+author = "Eve"
+description = "wasm intentionally missing"
+repository = "https://github.com/eve/metadata-only"
+"#,
+        );
+
+        let manifest = parse_manifest_metadata(&plugin_dir).unwrap();
+        assert_eq!(manifest.info().name(), "metadata-only");
+        assert_eq!(manifest.info().version(), "0.3.1");
+        assert_eq!(
+            manifest.info().repository_url(),
+            Some("https://github.com/eve/metadata-only")
+        );
+    }
+
     #[test]
     fn test_parse_manifest_dir_name_mismatch() {
         let tmp = TempDir::new().unwrap();
diff --git a/src/views/PluginsView.tsx b/src/views/PluginsView.tsx
index 73f51b7..ec82fe9 100644
--- a/src/views/PluginsView.tsx
+++ b/src/views/PluginsView.tsx
@@ -106,18 +106,27 @@ export function PluginsView() {
     onSuccess: (url, variables) => {
       // Best-effort clipboard copy so the user always has the URL even
       // if the OS launcher silently failed (no graphical session, broken
-      // `xdg-open`, etc.). Clipboard access can be denied by the
-      // platform — we fall back to an info-only toast in that case.
-      void navigator.clipboard
-        .writeText(url)
-        .then(() => {
-          toast.success(
-            t("plugins.toast.reportBrokenSuccessWithCopy", { name: variables.pluginName }),
-          );
-        })
-        .catch(() => {
-          toast.success(t("plugins.toast.reportBrokenSuccess", { name: variables.pluginName }));
-        });
+      // `xdg-open`, etc.).
+      //
+      // `navigator.clipboard` itself is undefined in non-secure contexts
+      // and inside webviews that opt out of the API, so we must guard
+      // before the call — accessing `.writeText` on `undefined` would
+      // throw synchronously and break the success toast.
+      const clipboard = navigator.clipboard;
+      if (clipboard?.writeText) {
+        void clipboard
+          .writeText(url)
+          .then(() => {
+            toast.success(
+              t("plugins.toast.reportBrokenSuccessWithCopy", { name: variables.pluginName }),
+            );
+          })
+          .catch(() => {
+            toast.success(t("plugins.toast.reportBrokenSuccess", { name: variables.pluginName }));
+          });
+      } else {
+        toast.success(t("plugins.toast.reportBrokenSuccess", { name: variables.pluginName }));
+      }
     },
     onError: (error, variables) => {
       toast.error(

From b4fe66d11cbf72d5696e6680a5d61f69eaa06e6a Mon Sep 17 00:00:00 2001
From: Mathieu Piton <27002047+mpiton@users.noreply.github.com>
Date: Sun, 26 Apr 2026 12:18:07 +0200
Subject: [PATCH 4/5] fix: reject empty-host authorities in url validator

Forms like `https://:443/path` and `https://user@/x` survived the
prefix / leading-char check even though they carry no usable host.
Strip userinfo, then look at `host[:port]`, with an extra arm for
IPv6 literals so `[]` and an unclosed `[` get rejected too. Tests
cover the new rejection paths plus a few authorities (userinfo,
IPv6) that must still pass.
---
 .../adapters/driven/filesystem/url_opener.rs  | 60 +++++++++++++++++++
 1 file changed, 60 insertions(+)

diff --git a/src-tauri/src/adapters/driven/filesystem/url_opener.rs b/src-tauri/src/adapters/driven/filesystem/url_opener.rs
index a1a012b..9480a6f 100644
--- a/src-tauri/src/adapters/driven/filesystem/url_opener.rs
+++ b/src-tauri/src/adapters/driven/filesystem/url_opener.rs
@@ -76,6 +76,28 @@ fn validate_http_url(url: &str) -> Result<(), DomainError> {
         )));
     }
 
+    // Authority MUST carry a non-empty host. RFC 3986 leaves the door
+    // open for `https://:443/x` (port-only) and `https://user@/x`
+    // (userinfo without host) — both are accepted by the prefix check
+    // but mean nothing to a browser and just produce a launcher error.
+    let authority = rest.split(['/', '?', '#']).next().unwrap_or(rest);
+    let host_port = authority.rsplit('@').next().unwrap_or_default();
+    let host_missing = if let Some(rest) = host_port.strip_prefix('[') {
+        // IPv6 literal: must close with `]` and have at least one byte
+        // between the brackets — `[]` and `[unclosed` are both bogus.
+        match rest.find(']') {
+            None | Some(0) => true,
+            Some(_) => false,
+        }
+    } else {
+        host_port.split(':').next().is_none_or(str::is_empty)
+    };
+    if host_missing {
+        return Err(DomainError::ValidationError(format!(
+            "http(s) URL has empty host: '{url}'"
+        )));
+    }
+
     Ok(())
 }
 
@@ -156,4 +178,42 @@ mod tests {
             );
         }
     }
+
+    #[test]
+    fn validate_http_url_rejects_empty_host_authority() {
+        // Authority shapes that survive the prefix / leading-char check
+        // but still carry no usable host: a stray port, a userinfo block
+        // without a host, or an unclosed/empty IPv6 literal.
+        for bad in [
+            "https://:443/path",
+            "https://@/x",
+            "https://user@/x",
+            "https://user:pwd@/x",
+            "https://[]/foo",
+            "https://[/foo",
+        ] {
+            let err = validate_http_url(bad).unwrap_err();
+            assert!(
+                matches!(err, DomainError::ValidationError(_)),
+                "expected ValidationError for {bad:?}, got {err:?}"
+            );
+        }
+    }
+
+    #[test]
+    fn validate_http_url_accepts_userinfo_and_ipv6() {
+        // Valid authorities should still pass — a userinfo prefix or an
+        // IPv6 literal with a real host must not be classified as empty.
+        for good in [
+            "https://user:pass@example.com/path",
+            "https://[::1]/path",
+            "https://[2001:db8::1]:8080/foo",
+            "http://example.com:8080/x",
+        ] {
+            assert!(
+                validate_http_url(good).is_ok(),
+                "expected {good:?} to validate"
+            );
+        }
+    }
 }

From cd0fe046a6915bcfb1b6ef64774dead39909f9d2 Mon Sep 17 00:00:00 2001
From: Mathieu Piton <27002047+mpiton@users.noreply.github.com>
Date: Sun, 26 Apr 2026 12:27:42 +0200
Subject: [PATCH 5/5] fix: validate port and IPv6 bracket tail in url validator

`https://example.com:abc/x` and `https://[::1]oops/x` slipped past
the empty-host check because the validator only looked at "is the
host present". Parse the authority into `(host, port)` instead:
require digits-only port when present, and only accept `:port` or
nothing after the IPv6 closing bracket. Tests cover the new
rejections.
---
 .../adapters/driven/filesystem/url_opener.rs  | 56 ++++++++++++++++---
 1 file changed, 48 insertions(+), 8 deletions(-)

diff --git a/src-tauri/src/adapters/driven/filesystem/url_opener.rs b/src-tauri/src/adapters/driven/filesystem/url_opener.rs
index 9480a6f..a88ab99 100644
--- a/src-tauri/src/adapters/driven/filesystem/url_opener.rs
+++ b/src-tauri/src/adapters/driven/filesystem/url_opener.rs
@@ -82,21 +82,42 @@ fn validate_http_url(url: &str) -> Result<(), DomainError> {
     // but mean nothing to a browser and just produce a launcher error.
     let authority = rest.split(['/', '?', '#']).next().unwrap_or(rest);
     let host_port = authority.rsplit('@').next().unwrap_or_default();
-    let host_missing = if let Some(rest) = host_port.strip_prefix('[') {
-        // IPv6 literal: must close with `]` and have at least one byte
-        // between the brackets — `[]` and `[unclosed` are both bogus.
-        match rest.find(']') {
-            None | Some(0) => true,
-            Some(_) => false,
+    let (host, port) = if let Some(rest) = host_port.strip_prefix('[') {
+        // Bracketed IPv6 host: require `]`, non-empty literal, and an
+        // optional `:port` tail — anything else (`[::1]oops`) is junk.
+        let end = rest
+            .find(']')
+            .ok_or_else(|| DomainError::ValidationError(format!("invalid http(s) URL: '{url}'")))?;
+        if end == 0 {
+            return Err(DomainError::ValidationError(format!(
+                "http(s) URL has empty host: '{url}'"
+            )));
         }
+        let tail = &rest[end + 1..];
+        if !tail.is_empty() && !tail.starts_with(':') {
+            return Err(DomainError::ValidationError(format!(
+                "invalid http(s) URL: '{url}'"
+            )));
+        }
+        (&rest[..end], tail.strip_prefix(':'))
     } else {
-        host_port.split(':').next().is_none_or(str::is_empty)
+        match host_port.split_once(':') {
+            Some((h, p)) => (h, Some(p)),
+            None => (host_port, None),
+        }
     };
-    if host_missing {
+    if host.is_empty() {
         return Err(DomainError::ValidationError(format!(
             "http(s) URL has empty host: '{url}'"
         )));
     }
+    if let Some(p) = port
+        && (p.is_empty() || !p.bytes().all(|b| b.is_ascii_digit()))
+    {
+        return Err(DomainError::ValidationError(format!(
+            "http(s) URL has non-numeric port: '{url}'"
+        )));
+    }
 
     Ok(())
 }
@@ -216,4 +237,23 @@ mod tests {
             );
         }
     }
+
+    #[test]
+    fn validate_http_url_rejects_malformed_port_or_bracket_tail() {
+        // Port must be all-digits and an IPv6 literal must be followed
+        // by either nothing or `:port` — junk after `]` is invalid.
+        for bad in [
+            "https://example.com:abc/x",
+            "https://example.com:/x",
+            "https://example.com:80a/x",
+            "https://[::1]oops/x",
+            "https://[::1]:abc/x",
+        ] {
+            let err = validate_http_url(bad).unwrap_err();
+            assert!(
+                matches!(err, DomainError::ValidationError(_)),
+                "expected ValidationError for {bad:?}, got {err:?}"
+            );
+        }
+    }
 }