Proxylayer
diff --git a/‎src/AzureTray.Plugin.Contracts/AzureTray.Plugin.Contracts.csproj‎
Lines changed: 1 addition & 1 deletion b/‎src/AzureTray.Plugin.Contracts/AzureTray.Plugin.Contracts.csproj‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/AzureTray.Plugin.Contracts/ITrayPlugin.cs‎
Lines changed: 4 additions & 2 deletions b/‎src/AzureTray.Plugin.Contracts/ITrayPlugin.cs‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎src/AzureTray.Plugin.Contracts/PluginApiVersion.cs‎
Lines changed: 43 additions & 6 deletions b/‎src/AzureTray.Plugin.Contracts/PluginApiVersion.cs‎
Lines changed: 43 additions & 6 deletions
diff --git a/‎src/AzureTray.Plugin.Contracts/PluginMenuItem.cs‎
Lines changed: 18 additions & 1 deletion b/‎src/AzureTray.Plugin.Contracts/PluginMenuItem.cs‎
Lines changed: 18 additions & 1 deletion
diff --git a/‎src/AzureTray.Plugin.Contracts/README.md‎
Lines changed: 53 additions & 2 deletions b/‎src/AzureTray.Plugin.Contracts/README.md‎
Lines changed: 53 additions & 2 deletions
diff --git a/‎src/AzureTray.Plugin.LAPS/LapsPlugin.cs‎
Lines changed: 13 additions & 1 deletion b/‎src/AzureTray.Plugin.LAPS/LapsPlugin.cs‎
Lines changed: 13 additions & 1 deletion
diff --git a/‎src/AzureTray.Plugin.PIM/PimPlugin.cs‎
Lines changed: 13 additions & 1 deletion b/‎src/AzureTray.Plugin.PIM/PimPlugin.cs‎
Lines changed: 13 additions & 1 deletion
diff --git a/‎src/AzureTray/Configuration/AuthOptions.cs‎
Lines changed: 6 additions & 0 deletions b/‎src/AzureTray/Configuration/AuthOptions.cs‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎src/AzureTray/Models/Tenant.cs‎
Lines changed: 10 additions & 1 deletion b/‎src/AzureTray/Models/Tenant.cs‎
Lines changed: 10 additions & 1 deletion
diff --git a/‎src/AzureTray/Notifications/NotificationService.cs‎
Lines changed: 17 additions & 0 deletions b/‎src/AzureTray/Notifications/NotificationService.cs‎
Lines changed: 17 additions & 0 deletions
@@ -15,7 +15,7 @@
          the host's <Version> in Directory.Build.props. The host can ship
          many releases without changing this; we only bump when the
          contracts surface itself changes. Bump when adding members. -->
-    <Version>1.0.0</Version>
+    <Version>1.2.0</Version>
 
     <IsPackable>true</IsPackable>
     <PackageId>AzureTray.Plugin.Contracts</PackageId>
 
@@ -28,8 +28,10 @@ public interface ITrayPlugin
 
     /// <summary>
     /// The <see cref="PluginApiVersion.Current"/> value the plugin was compiled
-    /// against. The host rejects any plugin whose declared value does not match
-    /// its own — keeps ABI mismatches loud and visible.
+    /// against. The host loads the plugin when this falls within its supported
+    /// range [<see cref="PluginApiVersion.MinSupported"/>,
+    /// <see cref="PluginApiVersion.Current"/>] and rejects it (with a logged
+    /// message naming the range) otherwise — keeps ABI mismatches loud and visible.
     /// </summary>
     int ApiVersion { get; }
 
 
@@ -1,13 +1,50 @@
-namespace AzureTray.Plugin.Contracts;
+namespace AzureTray.Plugin.Contracts;
 
 /// <summary>
-/// Contract version gate. Plugins declare <see cref="ITrayPlugin.ApiVersion"/>
-/// equal to <see cref="Current"/> and the host rejects any plugin whose
-/// declared value does not match its own. The value is bumped only on breaking
-/// changes — minor host releases keep loading existing plugins unchanged.
+/// Contract version gate. A plugin declares <see cref="ITrayPlugin.ApiVersion"/>
+/// and the host loads it when that value falls within the supported range
+/// [<see cref="MinSupported"/>, <see cref="Current"/>]. Use
+/// <see cref="IsSupported(int)"/> to test a value against the range.
 /// </summary>
+/// <remarks>
+/// <para>Evolution policy:</para>
+/// <list type="bullet">
+/// <item><description>
+/// Additive, binary-compatible surface changes (new default-interface members,
+/// new optional capability interfaces, new init-only DTO properties) bump
+/// <see cref="Current"/> and leave <see cref="MinSupported"/> alone, so plugins
+/// built against any version still in the window keep loading.
+/// </description></item>
+/// <item><description>
+/// A genuinely breaking change raises <see cref="MinSupported"/> to lock out the
+/// now-incompatible older plugins — the host logs the rejection with the range.
+/// </description></item>
+/// </list>
+/// <para>
+/// The contracts assembly keeps a fixed <c>AssemblyVersion</c>, so an old
+/// plugin always binds to the host's current copy at runtime; this range is the
+/// only thing that decides whether that copy will load it.
+/// </para>
+/// </remarks>
 public static class PluginApiVersion
 {
-    /// <summary>The current contract version. Declare this in <see cref="ITrayPlugin.ApiVersion"/>.</summary>
+    /// <summary>
+    /// The newest contract version. New plugins should declare this in
+    /// <see cref="ITrayPlugin.ApiVersion"/>.
+    /// </summary>
     public const int Current = 2;
+
+    /// <summary>
+    /// The oldest contract version the host still loads. Raise this only when
+    /// dropping support for an old contract shape (a breaking change).
+    /// </summary>
+    public const int MinSupported = 1;
+
+    /// <summary>
+    /// True when a plugin declaring <paramref name="apiVersion"/> is loadable by
+    /// this host — i.e. it falls within
+    /// [<see cref="MinSupported"/>, <see cref="Current"/>].
+    /// </summary>
+    public static bool IsSupported(int apiVersion)
+        => apiVersion >= MinSupported && apiVersion <= Current;
 }
@@ -31,6 +31,14 @@ namespace AzureTray.Plugin.Contracts;
 /// <see cref="Invoke"/> but does not dismiss the menu. Use for refresh-style
 /// actions where the user expects to see the result land in the visible menu.
 /// </para>
+/// <para>
+/// When <see cref="IsFavorite"/> is non-null the host renders a star at the
+/// right edge of the row (☆ for <c>false</c>, ★ for <c>true</c>). Clicking the
+/// star fires <see cref="OnToggleFavorite"/> and flips the glyph in place
+/// without dismissing the menu or triggering the row's primary
+/// <see cref="Invoke"/>/<see cref="Children"/> action. Leave it <c>null</c> on
+/// rows that aren't favoritable so no star is shown.
+/// </para>
 /// </remarks>
 public sealed record PluginMenuItem(
     string Text,
@@ -42,7 +50,9 @@ public sealed record PluginMenuItem(
     bool KeepMenuOpen = false,
     string? Icon = null,
     Func<string, IReadOnlyList<PluginMenuItem>>? SearchProvider = null,
-    string? SearchPlaceholder = null)
+    string? SearchPlaceholder = null,
+    bool? IsFavorite = null,
+    Action? OnToggleFavorite = null)
 {
     /// <summary>A pre-built horizontal divider. Use instead of constructing manually.</summary>
     public static PluginMenuItem Separator { get; } = new(string.Empty, IsSeparator: true);
@@ -52,4 +62,11 @@ public sealed record PluginMenuItem(
     /// Convenience for XAML data binding (chevron visibility).
     /// </summary>
     public bool HasChildren => Children is { Count: > 0 } || SearchProvider is not null;
+
+    /// <summary>
+    /// <c>true</c> when this row should display a favorite star. Convenience for
+    /// XAML data binding (star visibility); mirrors <see cref="IsFavorite"/>
+    /// having a value.
+    /// </summary>
+    public bool ShowFavorite => IsFavorite.HasValue;
 }
@@ -26,14 +26,65 @@ The SDK package for building [AzureTray](https://github.com/Proxylayer/AzureTray
          the contracts assembly into a collectible AssemblyLoadContext;
          shipping a transitive dependency on this package would cause
          duplicate type loads and break the ITrayPlugin cast. -->
-    <PackageReference Include="AzureTray.Plugin.Contracts" Version="0.2.0" PrivateAssets="all" />
+    <PackageReference Include="AzureTray.Plugin.Contracts" Version="1.2.0" PrivateAssets="all" />
   </ItemGroup>
 </Project>
 ```
 
+## Packaging & deployment
+
+### 1. Add the required project property
+
+Add `<CopyLocalLockFileAssemblies>true</CopyLocalLockFileAssemblies>` to your `<PropertyGroup>`. This copies every transitive NuGet dependency into the build output so the host can resolve them at runtime without a global package cache.
+
+```xml
+<PropertyGroup>
+  <TargetFramework>net8.0</TargetFramework>
+  <CopyLocalLockFileAssemblies>true</CopyLocalLockFileAssemblies>
+  ...
+</PropertyGroup>
+```
+
+### 2. Publish (recommended) or build
+
+```powershell
+# Produces a self-contained output folder with a .deps.json — the preferred path.
+dotnet publish YourPlugin.csproj -c Release -o ./out
+
+# A plain build also works; the host falls back to sibling-DLL resolution
+# when no .deps.json is present.
+dotnet build YourPlugin.csproj -c Release
+```
+
+Do **not** ship `AzureTray.Plugin.Contracts.dll` in the output — the `PrivateAssets="all"` reference in your `.csproj` already excludes it. The host loads its own copy of that assembly; a second copy causes a type-identity mismatch and the `ITrayPlugin` cast silently fails.
+
+### 3. Install into the plugins folder
+
+The host scans `%LOCALAPPDATA%\AzureTray.Data\plugins\` at startup using two layouts:
+
+| Layout | When to use | Steps |
+|---|---|---|
+| **Subfolder (recommended)** | Any plugin with transitive deps | Create `plugins\<YourPackageId>\`, copy your publish output there. The main DLL **must** be named `<folder-name>.dll` (e.g. `plugins\Acme.Plugin.Foo\Acme.Plugin.Foo.dll`). |
+| **Flat (legacy)** | Single-DLL plugins with no private deps | Drop `YourPlugin.dll` directly in `plugins\`. |
+
+For the subfolder layout the loader first tries `plugins\<folder>\<folder>.dll`; if that name doesn't exist it scans for any DLL in the folder that contains an `ITrayPlugin` implementation. Framework assemblies whose name starts with `System.`, `Microsoft.`, `Azure.`, or `Newtonsoft.` are skipped during the scan.
+
+### 4. Runtime trust mode
+
+The default trust mode is `AllowUnsigned` (development). For your own testing this means no signing is needed. Deployments configured with `RequireSigned` or `RequireTrustedPublisher` will reject the plugin unless it carries a valid Authenticode signature.
+
 ## Version gate
 
-Plugins declare `ITrayPlugin.ApiVersion` and the host rejects any plugin whose value doesn't equal `PluginApiVersion.Current`. The contract version bumps only on breaking changes — minor host releases keep loading existing plugins.
+Plugins declare `ITrayPlugin.ApiVersion` (the `PluginApiVersion.Current` value they were built against). The host loads a plugin when that value falls within its **supported range** `[PluginApiVersion.MinSupported, PluginApiVersion.Current]`; anything outside the range is rejected with a logged message naming the range. Use `PluginApiVersion.IsSupported(int)` to test a value.
+
+Because the contracts assembly keeps a **fixed `AssemblyVersion`**, an old plugin always binds to the host's current contracts copy at runtime — the range is the only thing that decides whether that copy will load it.
+
+How the range moves:
+
+- **Additive, binary-compatible changes** (a new default-interface member, a new optional capability interface, a new init-only property on a record) bump `Current` and leave `MinSupported` alone. Plugins built against any version still in the window keep loading — so you can build against an older API and keep running on newer hosts.
+- **Breaking changes** raise `MinSupported`, intentionally locking out the now-incompatible older plugins. These should be rare; prefer the additive techniques above.
+
+To run a single plugin binary across a span of hosts, build against the lowest API you need and feature-detect newer host capabilities at runtime via `IPluginContext.HostVersion`.
 
 ## More
 
 
@@ -1,5 +1,6 @@
 using System;
 using System.Collections.Concurrent;
+using System.Reflection;
 using System.Collections.Generic;
 using System.Linq;
 using System.Net;
@@ -65,7 +66,18 @@ public void SetValue(string key, object? value)
 
     public string DisplayName => "LAPS Passwords";
 
-    public string Version => "0.1.0";
+    public string Version { get; } = ResolveVersion();
+    private static string ResolveVersion()
+    {
+        var asm = typeof(LapsPlugin).Assembly;
+        var v = asm.GetCustomAttribute<AssemblyInformationalVersionAttribute>()?.InformationalVersion;
+        if (!string.IsNullOrEmpty(v))
+        {
+            var plus = v.IndexOf('+', StringComparison.Ordinal);
+            return plus >= 0 ? v[..plus] : v;
+        }
+        return asm.GetName().Version?.ToString() ?? "0.0.0";
+    }
 
     public int ApiVersion => PluginApiVersion.Current;
 
 
@@ -1,5 +1,6 @@
 using System;
 using System.Collections.Generic;
+using System.Reflection;
 using System.Linq;
 using System.Threading;
 using System.Threading.Tasks;
@@ -62,7 +63,18 @@ private sealed record TenantWatchers(PendingApprovalWatcher Pending, EligibleRol
 
     public string DisplayName => "Azure PIM";
 
-    public string Version => "0.1.0";
+    public string Version { get; } = ResolveVersion();
+    private static string ResolveVersion()
+    {
+        var asm = typeof(PimPlugin).Assembly;
+        var v = asm.GetCustomAttribute<AssemblyInformationalVersionAttribute>()?.InformationalVersion;
+        if (!string.IsNullOrEmpty(v))
+        {
+            var plus = v.IndexOf('+', StringComparison.Ordinal);
+            return plus >= 0 ? v[..plus] : v;
+        }
+        return asm.GetName().Version?.ToString() ?? "0.0.0";
+    }
 
     public int ApiVersion => PluginApiVersion.Current;
 
 
@@ -10,6 +10,12 @@ public sealed class AuthOptions
 
     public int TokenAcquisitionTimeoutSeconds { get; init; } = 30;
 
+    // How often the background token monitor silently re-probes each ready
+    // tenant to detect a refresh token that expired mid-session. Clamped to a
+    // 30s floor at runtime. Set lower in development to exercise the re-auth
+    // popup / Settings button without waiting for a real expiry.
+    public int TokenMonitorIntervalSeconds { get; init; } = 300;
+
     // Display-name (or prefix) of the app registration the host tries to
     // auto-discover when adding a tenant via "Sign in with Windows" or a
     // domain lookup. After the broker / OIDC step resolves the tenant ID,
 
@@ -18,4 +18,13 @@ public sealed record Tenant(
     string DisplayName,
     string? ClientId,
     string? SignInEmail = null,
-    bool ProbeDisabled = false);
+    bool ProbeDisabled = false)
+{
+    // Transient, runtime-only flag: set when the tenant's token failed to
+    // renew mid-session and interactive sign-in is required (see
+    // ITenantAuthHealth). Drives the "Fix sign-in" button on the Settings row.
+    // [JsonIgnore] keeps it out of the persisted store — it always loads false
+    // and is recomputed from ITenantAuthHealth when the Settings window opens.
+    [System.Text.Json.Serialization.JsonIgnore]
+    public bool NeedsReauth { get; init; }
+}
@@ -138,6 +138,23 @@ private static void PositionWindow(NotificationWindow window, int slot)
         var workArea = SystemParameters.WorkArea;
         window.Width = WindowWidth;
         window.Left = workArea.Right - WindowWidth - EdgeMargin;
+        // Initial estimate based on fixed slot height so the window doesn't
+        // flash at (0,0) before layout completes.
         window.Top = workArea.Bottom - (slot + 1) * (StackSlotHeight + StackSpacing) - EdgeMargin;
+
+        // Re-anchor from the slot's bottom edge once the real height is
+        // known, and again whenever the window resizes (e.g. the Details
+        // expander is opened). This prevents tall notifications from
+        // clipping off the top of the work area.
+        void Reanchor()
+        {
+            if (window.ActualHeight == 0) return;
+            var wa = SystemParameters.WorkArea;
+            var slotBottom = wa.Bottom - slot * (StackSlotHeight + StackSpacing) - EdgeMargin;
+            window.Top = Math.Max(wa.Top + EdgeMargin, slotBottom - window.ActualHeight);
+        }
+
+        window.ContentRendered += (_, _) => Reanchor();
+        window.SizeChanged += (_, _) => Reanchor();
     }
 }