diff --git a/hosts/fw/modules/web/default.nix b/hosts/fw/modules/web/default.nix
index de51256..31e742c 100644
--- a/hosts/fw/modules/web/default.nix
+++ b/hosts/fw/modules/web/default.nix
@@ -61,9 +61,9 @@ in {
 ./proxies.nix
 # ./matrix.nix
 ./n8n.nix
-./piped.nix # Replaced by Invidious
- # ./invidious.nix
- # ./invidious-init-user.nix
+ # ./piped.nix # Replaced by Invidious
+ ./invidious.nix
+ ./invidious-init-user.nix
 ];
 networkPrefix = config.networkPrefix;
diff --git a/hosts/fw/modules/web/invidious.nix b/hosts/fw/modules/web/invidious.nix
index 72b7114..0cf88a0 100644
--- a/hosts/fw/modules/web/invidious.nix
+++ b/hosts/fw/modules/web/invidious.nix
@@ -1,9 +1,15 @@
 { config, pkgs, lib, ... }:
+with lib;
 {
 # Invidious - Privacy-focused YouTube frontend
 # Replaces Piped with native NixOS service
+ # Secret for Invidious companion authentication
+ sops.secrets.invidious-companion-key = {
+ key = "invidious-companion-key";
+ };
+
 # Main Invidious service
 services.invidious = {
 enable = true;
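Review bot: `with lib;` at file scope in invidious.nix pulls every lib name into the module's namespace, which shadows module-argument lookups and hides where a name comes from; since `lib` is already a module argument, call the few functions you need explicitly (`lib.mkIf`, `lib.mkForce`, ...) and drop the `with`. The new `sops.secrets.invidious-companion-key` declaration sets `key` to the same string as the attribute name, which is sops-nix's default, so `sops.secrets.invidious-companion-key = { };` is equivalent. No `owner` or `mode` is given, which leaves the decrypted file root-only; that matches the root oneshot in this file's second hunk that reads it via `config.sops.secrets.invidious-companion-key.path`, so keep it that way unless a non-root service ever needs the key.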
@@ -52,6 +58,115 @@ }; }; + # Use Podman for OCI containers + virtualisation.oci-containers.backend = "podman"; + + # Create Invidious network for container communication + systemd.services.init-invidious-network = { + description = "Create Podman network for Invidious companion"; + wantedBy = [ "multi-user.target" ]; + before = [ "podman-invidious-companion.service" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + script = '' + ${pkgs.podman}/bin/podman network exists invidious-net || \ + ${pkgs.podman}/bin/podman network create --interface-name=podman2 --subnet=10.90.0.0/24 invidious-net + ''; + }; + + # Create systemd tmpfiles directory for Invidious config + systemd.tmpfiles.rules = [ + "d /var/lib/invidious 0755 root root - -" + "d /run/invidious-companion 0700 root root - -" + ]; + + # Generate companion environment file with secret key + systemd.services.invidious-companion-env-generate = { + description = "Generate Invidious companion environment file"; + wantedBy = [ "multi-user.target" ]; + before = [ "podman-invidious-companion.service" ]; + after = [ "init-invidious-network.service" ]; + requires = [ "init-invidious-network.service" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + script = '' + COMPANION_KEY=$(cat ${config.sops.secrets.invidious-companion-key.path}) + cat > /run/invidious-companion/env < /var/lib/invidious/companion-config.json <" + echo "Example: $0 6de059dca7cc9c053b56f26ff14edb77083fad73" + exit 1 +fi + +COMMIT_HASH="$1" + +# Validate commit hash format (basic check for 40-char hex or 7+ char short hash) +if ! [[ "$COMMIT_HASH" =~ ^[0-9a-f]{7,40}$ ]]; then + echo -e "${RED}Error: Invalid commit hash format${NC}" + echo "Commit hash must be 7-40 hexadecimal characters" + exit 1 +fi + +echo -e "${GREEN}==> Updating ai-mailer to commit: ${COMMIT_HASH}${NC}" + +# File to update +PKG_FILE="$REPO_ROOT/utils/pkgs/ai-mailer.nix" + +if [ ! 
-f "$PKG_FILE" ]; then + echo -e "${RED}Error: Package file not found: $PKG_FILE${NC}" + exit 1 +fi + +# Step 1: Update rev in package file +echo -e "${YELLOW}Step 1: Updating rev in package file...${NC}" +sed -i "s/rev = \"[0-9a-f]\{7,40\}\";/rev = \"$COMMIT_HASH\";/" "$PKG_FILE" +echo " ✓ Updated rev in $PKG_FILE" + +# Step 2: Set sha256 to lib.fakeHash to trigger hash discovery +echo -e "${YELLOW}Step 2: Setting sha256 to lib.fakeHash...${NC}" +sed -i 's/sha256 = "sha256-[^"]*";/sha256 = lib.fakeHash;/' "$PKG_FILE" +echo " ✓ Updated sha256 in $PKG_FILE" + +# Step 3: Build package to discover the correct source hash +echo -e "${YELLOW}Step 3: Building package to discover source hash...${NC}" +BUILD_OUTPUT=$(NIXPKGS_ALLOW_UNFREE=1 nix-build --impure -E "with import { config.allowUnfree = true; }; callPackage $PKG_FILE { }" 2>&1 || true) + +# Extract source hash from error message +SOURCE_HASH=$(echo "$BUILD_OUTPUT" | grep -oP '\s+got:\s+\Ksha256-[A-Za-z0-9+/=]+' | head -1) + +if [ -z "$SOURCE_HASH" ]; then + echo -e "${RED}Error: Failed to extract source hash from build output${NC}" + echo "Build output:" + echo "$BUILD_OUTPUT" + exit 1 +fi + +echo " ✓ Discovered sha256: $SOURCE_HASH" + +# Step 4: Update package file with the correct source hash +echo -e "${YELLOW}Step 4: Updating sha256 in package file...${NC}" +sed -i "s|sha256 = lib\.fakeHash;|sha256 = \"$SOURCE_HASH\";|" "$PKG_FILE" +echo " ✓ Updated sha256 in $PKG_FILE" + +# Step 5: Set vendorHash to lib.fakeHash to trigger hash discovery +echo -e "${YELLOW}Step 5: Setting vendorHash to lib.fakeHash...${NC}" +sed -i 's/vendorHash = "sha256-[^"]*";/vendorHash = lib.fakeHash;/' "$PKG_FILE" +echo " ✓ Updated vendorHash in $PKG_FILE" + +# Step 6: Build package to discover the correct vendor hash +echo -e "${YELLOW}Step 6: Building package to discover vendor hash...${NC}" +BUILD_OUTPUT=$(NIXPKGS_ALLOW_UNFREE=1 nix-build --impure -E "with import { config.allowUnfree = true; }; callPackage $PKG_FILE { }" 2>&1 || 
true) + +# Extract vendor hash from error message +VENDOR_HASH=$(echo "$BUILD_OUTPUT" | grep -oP '\s+got:\s+\Ksha256-[A-Za-z0-9+/=]+' | head -1) + +if [ -z "$VENDOR_HASH" ]; then + echo -e "${RED}Error: Failed to extract vendor hash from build output${NC}" + echo "Build output:" + echo "$BUILD_OUTPUT" + exit 1 +fi + +echo " ✓ Discovered vendorHash: $VENDOR_HASH" + +# Step 7: Update package file with the correct vendor hash +echo -e "${YELLOW}Step 7: Updating vendorHash in package file...${NC}" +sed -i "s|vendorHash = lib\.fakeHash;|vendorHash = \"$VENDOR_HASH\";|" "$PKG_FILE" +echo " ✓ Updated vendorHash in $PKG_FILE" + +# Step 8: Verify the build succeeds +echo -e "${YELLOW}Step 8: Verifying build with correct hashes...${NC}" +if NIXPKGS_ALLOW_UNFREE=1 nix-build --impure -E "with import { config.allowUnfree = true; }; callPackage $PKG_FILE { }" > /dev/null 2>&1; then + echo " ✓ Build verification successful" +else + echo -e "${RED}Error: Build verification failed${NC}" + exit 1 +fi + +# Step 9: Test configuration for fw host (which uses ai-mailer) +echo -e "${YELLOW}Step 9: Testing fw configuration...${NC}" +cd "$REPO_ROOT" +if ./scripts/test-configuration fw > /dev/null 2>&1; then + echo " ✓ Configuration test passed" +else + echo -e "${RED}Warning: Configuration test failed${NC}" + echo "This may be due to missing secrets or other issues unrelated to the hash update." +fi + +# Success summary +echo -e "${GREEN}" +echo "======================================" +echo "✓ ai-mailer updated successfully!" +echo "======================================" +echo "Commit: $COMMIT_HASH" +echo "SourceHash: $SOURCE_HASH" +echo "VendorHash: $VENDOR_HASH" +echo -e "${NC}" +echo "Next steps:" +echo " 1. Review changes: git diff $PKG_FILE" +echo " 2. Test locally if needed" +echo " 3. Commit changes: git add $PKG_FILE && git commit -m 'update: ai-mailer to $COMMIT_HASH'" +echo " 4. Push to trigger automatic deployment" 
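Review bot: The hash check lets a 7-character abbreviation through, but only a full SHA-1 pins content: an abbreviated rev written into `ai-mailer.nix` by step 1 can become ambiguous as upstream grows, and the usage example itself shows a 40-character value. Tighten it to `if ! [[ "$COMMIT_HASH" =~ ^[0-9a-f]{40}$ ]]; then` and say so in the message, `echo "Commit hash must be 40 hexadecimal characters"`. Independently, every `sed -i` in steps 1, 2 and 5 succeeds silently when its pattern does not match; if the `rev = "..."` line is not in the expected form, steps 2 to 4 rediscover the hash of the old rev and the summary announces the new commit while the file still pins the old one, so verify each rewrite, e.g. `grep -q "rev = \"$COMMIT_HASH\";" "$PKG_FILE" || { echo "rev was not updated in $PKG_FILE"; exit 1; }` after step 1. The hunk header and the script preamble (shebang, `set` options, the color and `REPO_ROOT` definitions) are garbled in this view, so whether the script runs under `set -euo pipefail` could not be confirmed.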
diff --git a/utils/pkgs/ai-mailer.nix b/utils/pkgs/ai-mailer.nix
index eb10d82..9cefb34 100644
--- a/utils/pkgs/ai-mailer.nix
+++ b/utils/pkgs/ai-mailer.nix
@@ -6,8 +6,8 @@ buildGoModule rec {
 src = fetchgit {
 url = "https://git.cloonar.com/Paraclub/ai-mailer.git";
-rev = "56c9f764fcea2834fefac28f446b86c52f3274bd";
-sha256 = "sha256-zOabK0OWh0iHEL0kMC74i4rYnUlry57dGQE4k/wqDG0=";
+rev = "6de059dca7cc9c053b56f26ff14edb77083fad73";
+sha256 = "sha256-EPW0yLu1XHejEsU25ACO5FjxxCneVMlLmy1ZEHYqFtQ=";
 };
 vendorHash = "sha256-h4RaB891GXAkgObZHYil6BOvbYp6yJSRxRj40Fhchmw=";