Add Gitea CI/CD pipeline for beta and prod

.build_number

@@ -1 +1 @@
-0203262044
+0803262237

.gitea/workflows/ci-cd.yml

@@ -0,0 +1,73 @@
+name: Magent CI/CD
+
+on:
+  push:
+    branches:
+      - beta
+      - prod
+  workflow_dispatch:
+
+concurrency:
+  group: magent-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  verify:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Set up Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: "24"
+          cache: npm
+          cache-dependency-path: frontend/package-lock.json
+
+      - name: Install frontend dependencies
+        working-directory: frontend
+        run: npm ci
+
+      - name: Run backend quality gate
+        run: bash scripts/ci_backend_quality_gate.sh
+
+      - name: Build frontend
+        working-directory: frontend
+        run: npm run build
+
+  deploy-prod:
+    if: github.ref_name == 'prod'
+    needs: verify
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Configure SSH key
+        env:
+          PROD_SSH_PRIVATE_KEY: ${{ secrets.PROD_SSH_PRIVATE_KEY }}
+          PROD_SSH_KNOWN_HOSTS: ${{ secrets.PROD_SSH_KNOWN_HOSTS }}
+        run: |
+          set -euo pipefail
+          mkdir -p ~/.ssh
+          chmod 700 ~/.ssh
+          printf '%s' "$PROD_SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+          if [ -n "${PROD_SSH_KNOWN_HOSTS:-}" ]; then
+            printf '%s\n' "$PROD_SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts
+            chmod 644 ~/.ssh/known_hosts
+          fi
+
+      - name: Deploy to AMS-DEV01
+        env:
+          DEPLOY_HOST: ${{ secrets.PROD_SSH_HOST }}
+          DEPLOY_USER: ${{ secrets.PROD_SSH_USER }}
+          DEPLOY_PATH: ${{ secrets.PROD_DEPLOY_PATH }}
+          DEPLOY_SSH_OPTS: -o StrictHostKeyChecking=accept-new
+        run: bash scripts/deploy_ams_dev01.sh

README.md

@@ -64,10 +64,10 @@ QBIT_URL="http://localhost:8080"
 QBIT_USERNAME="..."
 QBIT_PASSWORD="..."
 SQLITE_PATH="data/magent.db"
-JWT_SECRET="change-me"
+JWT_SECRET="replace-with-a-long-random-secret"
 JWT_EXP_MINUTES="720"
-ADMIN_USERNAME="admin"
-ADMIN_PASSWORD="adminadmin"
+ADMIN_USERNAME="set-a-real-admin-username"
+ADMIN_PASSWORD="set-a-long-unique-admin-password"
 ```
 
 ## Screenshots
@@ -112,10 +112,10 @@ $env:QBIT_URL="http://localhost:8080"
 $env:QBIT_USERNAME="..."
 $env:QBIT_PASSWORD="..."
 $env:SQLITE_PATH="data/magent.db"
-$env:JWT_SECRET="change-me"
+$env:JWT_SECRET="replace-with-a-long-random-secret"
 $env:JWT_EXP_MINUTES="720"
-$env:ADMIN_USERNAME="admin"
-$env:ADMIN_PASSWORD="adminadmin"
+$env:ADMIN_USERNAME="set-a-real-admin-username"
+$env:ADMIN_PASSWORD="set-a-long-unique-admin-password"
 ```
 
 ### Frontend (Next.js)
@@ -141,6 +141,26 @@ The frontend proxies `/api/*` to the backend container. Set:
 
 If you prefer the browser to call the backend directly, set `NEXT_PUBLIC_API_BASE` to your public backend URL and ensure CORS is configured.
 
+## Gitea CI/CD
+
+This repo now includes a Gitea Actions workflow at `.gitea/workflows/ci-cd.yml`.
+
+- Push to `beta`: runs the backend unit-test quality gate and a production frontend build.
+- Push to `prod`: runs the same verification, then deploys to Docker on `AMS-DEV01`.
+
+The deploy step ships tracked repository files over SSH, preserves the server's `.env` and `data/`, rebuilds with `docker compose up -d --build`, and smoke-tests:
+
+- `http://127.0.0.1:8000/health`
+- `http://127.0.0.1:3000/login`
+
+Configure these Gitea Actions secrets before enabling the deploy job:
+
+- `PROD_SSH_PRIVATE_KEY`: private key for the deployment account.
+- `PROD_SSH_HOST`: target host, for example `AMS-DEV01`.
+- `PROD_SSH_USER`: target user, for example `zak`.
+- `PROD_DEPLOY_PATH`: target app path, for example `/home/zak/magent`.
+- `PROD_SSH_KNOWN_HOSTS`: optional pinned `known_hosts` entry for stricter host verification.
+
 ## History endpoints
 
 - `GET /requests/{id}/history?limit=10` recent snapshots

backend/app/auth.py

@@ -1,13 +1,15 @@
 from datetime import datetime, timezone
-from typing import Dict, Any, Optional
+from typing import Any, Dict, Optional
 
-from fastapi import Depends, HTTPException, status, Request
+from fastapi import Depends, HTTPException, Request, Response, status
 from fastapi.security import OAuth2PasswordBearer
 
+from .config import settings
 from .db import get_user_by_username, set_user_auth_provider, upsert_user_activity
-from .security import safe_decode_token, TokenError, verify_password
+from .network_security import request_trusts_forwarded_headers
+from .security import TokenError, safe_decode_token, verify_password
 
-oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/auth/login")
+oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/auth/login", auto_error=False)
 
 
 def _is_expired(expires_at: str | None) -> bool:
@@ -24,7 +26,10 @@ def _is_expired(expires_at: str | None) -> bool:
         parsed = parsed.replace(tzinfo=timezone.utc)
     return parsed <= datetime.now(timezone.utc)
 
+
 def _extract_client_ip(request: Request) -> str:
+    direct_host = request.client.host if request.client else None
+    if request_trusts_forwarded_headers(direct_host):
         forwarded = request.headers.get("x-forwarded-for")
         if forwarded:
             parts = [part.strip() for part in forwarded.split(",") if part.strip()]
@@ -33,11 +38,67 @@ def _extract_client_ip(request: Request) -> str:
         real_ip = request.headers.get("x-real-ip")
         if real_ip:
             return real_ip.strip()
-    if request.client and request.client.host:
-        return request.client.host
+    if direct_host:
+        return direct_host
     return "unknown"
 
 
+def _cookie_settings() -> dict[str, Any]:
+    samesite = str(settings.auth_cookie_samesite or "lax").strip().lower()
+    if samesite not in {"lax", "strict", "none"}:
+        samesite = "lax"
+    return {
+        "secure": bool(settings.auth_cookie_secure),
+        "httponly": True,
+        "samesite": samesite,
+        "domain": settings.auth_cookie_domain or None,
+        "path": "/",
+    }
+
+
+def _state_cookie_settings() -> dict[str, Any]:
+    cookie = _cookie_settings()
+    cookie["httponly"] = False
+    return cookie
+
+
+def set_auth_cookies(response: Response, token: str) -> None:
+    max_age = max(60, int(settings.jwt_exp_minutes or 720) * 60)
+    response.set_cookie(
+        settings.auth_cookie_name,
+        token,
+        max_age=max_age,
+        **_cookie_settings(),
+    )
+    response.set_cookie(
+        settings.auth_state_cookie_name,
+        "1",
+        max_age=max_age,
+        **_state_cookie_settings(),
+    )
+
+
+def clear_auth_cookies(response: Response) -> None:
+    response.delete_cookie(settings.auth_cookie_name, path="/", domain=settings.auth_cookie_domain or None)
+    response.delete_cookie(
+        settings.auth_state_cookie_name,
+        path="/",
+        domain=settings.auth_cookie_domain or None,
+    )
+
+
+def _extract_access_token(request: Request, oauth_token: Optional[str]) -> Optional[str]:
+    auth_header = request.headers.get("authorization", "")
+    if auth_header.lower().startswith("bearer "):
+        return auth_header.split(" ", 1)[1].strip()
+    if oauth_token:
+        return oauth_token
+    cookie_token = request.cookies.get(settings.auth_cookie_name)
+    if isinstance(cookie_token, str) and cookie_token.strip():
+        return cookie_token.strip()
+    return None
+
+
 def resolve_user_auth_provider(user: Optional[Dict[str, Any]]) -> str:
     if not isinstance(user, dict):
         return "local"
@@ -108,6 +169,7 @@ def _load_current_user_from_token(
 
     return {
         "username": user["username"],
+        "email": user.get("email"),
         "role": user["role"],
         "auth_provider": user.get("auth_provider", "local"),
         "jellyseerr_user_id": user.get("jellyseerr_user_id"),
@@ -121,24 +183,28 @@ def _load_current_user_from_token(
     }
 
 
-def get_current_user(token: str = Depends(oauth2_scheme), request: Request = None) -> Dict[str, Any]:
-    return _load_current_user_from_token(token, request)
-
-
-def get_current_user_event_stream(request: Request) -> Dict[str, Any]:
-    """EventSource cannot send Authorization headers, so allow a short-lived stream token via query."""
-    token = None
-    stream_query_token = None
-    auth_header = request.headers.get("authorization", "")
-    if auth_header.lower().startswith("bearer "):
-        token = auth_header.split(" ", 1)[1].strip()
-    if not token:
-        stream_query_token = request.query_params.get("stream_token")
-    if not token and not stream_query_token:
+def get_current_user(
+    request: Request,
+    token: Optional[str] = Depends(oauth2_scheme),
+) -> Dict[str, Any]:
+    resolved_token = _extract_access_token(request, token)
+    if not resolved_token:
+        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Missing token")
+    return _load_current_user_from_token(resolved_token, request)
+
+
+def get_current_user_event_stream(
+    request: Request,
+    token: Optional[str] = Depends(oauth2_scheme),
+) -> Dict[str, Any]:
+    """EventSource cannot send Authorization headers, so allow a short-lived stream token via query."""
+    resolved_token = _extract_access_token(request, token)
+    stream_query_token = request.query_params.get("stream_token")
+    if resolved_token:
+        # Allow standard bearer tokens for non-browser EventSource clients.
+        return _load_current_user_from_token(resolved_token, None)
+    if not stream_query_token:
         raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Missing token")
-    if token:
-        # Allow standard bearer tokens in Authorization for non-browser EventSource clients.
-        return _load_current_user_from_token(token, None)
     return _load_current_user_from_token(
         str(stream_query_token),
         None,

backend/app/clients/jellyseerr.py

@@ -34,6 +34,24 @@ class JellyseerrClient(ApiClient):
             },
         )
 
+    async def create_request(
+        self,
+        *,
+        media_type: str,
+        media_id: int,
+        seasons: Optional[list[int]] = None,
+        is_4k: Optional[bool] = None,
+    ) -> Optional[Dict[str, Any]]:
+        payload: Dict[str, Any] = {
+            "mediaType": media_type,
+            "mediaId": media_id,
+        }
+        if isinstance(seasons, list) and seasons:
+            payload["seasons"] = seasons
+        if isinstance(is_4k, bool):
+            payload["is4k"] = is_4k
+        return await self.post("/api/v1/request", payload=payload)
+
     async def get_users(self, take: int = 50, skip: int = 0) -> Optional[Dict[str, Any]]:
         return await self.get(
             "/api/v1/user",

backend/app/clients/qbittorrent.py

@@ -52,6 +52,17 @@ class QBittorrentClient(ApiClient):
             response = await client.post(f"{self.base_url}{path}", data=data)
             response.raise_for_status()
 
+    async def is_webui_reachable(self) -> bool:
+        if not self.base_url:
+            return False
+        try:
+            async with httpx.AsyncClient(timeout=10.0, follow_redirects=True) as client:
+                response = await client.get(self.base_url)
+                response.raise_for_status()
+            return True
+        except httpx.HTTPError:
+            return False
+
     async def get_torrents(self) -> Optional[Any]:
         return await self._get("/api/v2/torrents/info")
 

backend/app/config.py

@@ -9,7 +9,10 @@ class Settings(BaseSettings):
     app_name: str = "Magent"
     cors_allow_origin: str = "http://localhost:3000"
     sqlite_path: str = Field(default="data/magent.db", validation_alias=AliasChoices("SQLITE_PATH"))
-    jwt_secret: str = Field(default="change-me", validation_alias=AliasChoices("JWT_SECRET"))
+    sqlite_journal_mode: str = Field(
+        default="DELETE", validation_alias=AliasChoices("SQLITE_JOURNAL_MODE")
+    )
+    jwt_secret: str = Field(default="", validation_alias=AliasChoices("JWT_SECRET"))
     jwt_exp_minutes: int = Field(default=720, validation_alias=AliasChoices("JWT_EXP_MINUTES"))
     api_docs_enabled: bool = Field(default=False, validation_alias=AliasChoices("API_DOCS_ENABLED"))
     auth_rate_limit_window_seconds: int = Field(
@@ -21,8 +24,32 @@ class Settings(BaseSettings):
     auth_rate_limit_max_attempts_user: int = Field(
         default=5, validation_alias=AliasChoices("AUTH_RATE_LIMIT_MAX_ATTEMPTS_USER")
     )
+    password_reset_rate_limit_window_seconds: int = Field(
+        default=300, validation_alias=AliasChoices("PASSWORD_RESET_RATE_LIMIT_WINDOW_SECONDS")
+    )
+    password_reset_rate_limit_max_attempts_ip: int = Field(
+        default=6, validation_alias=AliasChoices("PASSWORD_RESET_RATE_LIMIT_MAX_ATTEMPTS_IP")
+    )
+    password_reset_rate_limit_max_attempts_identifier: int = Field(
+        default=3, validation_alias=AliasChoices("PASSWORD_RESET_RATE_LIMIT_MAX_ATTEMPTS_IDENTIFIER")
+    )
     admin_username: str = Field(default="admin", validation_alias=AliasChoices("ADMIN_USERNAME"))
-    admin_password: str = Field(default="adminadmin", validation_alias=AliasChoices("ADMIN_PASSWORD"))
+    admin_password: str = Field(default="", validation_alias=AliasChoices("ADMIN_PASSWORD"))
+    auth_cookie_name: str = Field(
+        default="magent_auth", validation_alias=AliasChoices("AUTH_COOKIE_NAME")
+    )
+    auth_cookie_secure: bool = Field(
+        default=False, validation_alias=AliasChoices("AUTH_COOKIE_SECURE")
+    )
+    auth_cookie_samesite: str = Field(
+        default="lax", validation_alias=AliasChoices("AUTH_COOKIE_SAMESITE")
+    )
+    auth_cookie_domain: Optional[str] = Field(
+        default=None, validation_alias=AliasChoices("AUTH_COOKIE_DOMAIN")
+    )
+    auth_state_cookie_name: str = Field(
+        default="magent_logged_in", validation_alias=AliasChoices("AUTH_STATE_COOKIE_NAME")
+    )
     log_level: str = Field(default="INFO", validation_alias=AliasChoices("LOG_LEVEL"))
     log_file: str = Field(default="data/magent.log", validation_alias=AliasChoices("LOG_FILE"))
     log_file_max_bytes: int = Field(
@@ -71,6 +98,18 @@ class Settings(BaseSettings):
     site_banner_tone: str = Field(
         default="info", validation_alias=AliasChoices("SITE_BANNER_TONE")
     )
+    site_login_show_jellyfin_login: bool = Field(
+        default=True, validation_alias=AliasChoices("SITE_LOGIN_SHOW_JELLYFIN_LOGIN")
+    )
+    site_login_show_local_login: bool = Field(
+        default=True, validation_alias=AliasChoices("SITE_LOGIN_SHOW_LOCAL_LOGIN")
+    )
+    site_login_show_forgot_password: bool = Field(
+        default=True, validation_alias=AliasChoices("SITE_LOGIN_SHOW_FORGOT_PASSWORD")
+    )
+    site_login_show_signup_link: bool = Field(
+        default=True, validation_alias=AliasChoices("SITE_LOGIN_SHOW_SIGNUP_LINK")
+    )
     site_changelog: Optional[str] = Field(default=CHANGELOG)
 
     magent_application_url: Optional[str] = Field(
@@ -97,6 +136,10 @@ class Settings(BaseSettings):
     magent_proxy_trust_forwarded_headers: bool = Field(
         default=True, validation_alias=AliasChoices("MAGENT_PROXY_TRUST_FORWARDED_HEADERS")
     )
+    magent_proxy_trusted_proxies: str = Field(
+        default="127.0.0.1,::1",
+        validation_alias=AliasChoices("MAGENT_PROXY_TRUSTED_PROXIES"),
+    )
     magent_proxy_forwarded_prefix: Optional[str] = Field(
         default=None, validation_alias=AliasChoices("MAGENT_PROXY_FORWARDED_PREFIX")
     )
@@ -192,6 +235,10 @@ class Settings(BaseSettings):
     magent_notify_webhook_url: Optional[str] = Field(
         default=None, validation_alias=AliasChoices("MAGENT_NOTIFY_WEBHOOK_URL")
     )
+    magent_allow_private_notification_targets: bool = Field(
+        default=False,
+        validation_alias=AliasChoices("MAGENT_ALLOW_PRIVATE_NOTIFICATION_TARGETS"),
+    )
 
     jellyseerr_base_url: Optional[str] = Field(
         default=None, validation_alias=AliasChoices("JELLYSEERR_URL", "JELLYSEERR_BASE_URL")
@@ -264,7 +311,7 @@ class Settings(BaseSettings):
     )
 
     discord_webhook_url: Optional[str] = Field(
-        default="https://discord.com/api/webhooks/1464141924775629033/O_rvCAmIKowR04tyAN54IuMPcQFEiT-ustU3udDaMTlF62PmoI6w4-52H3ZQcjgHQOgt",
+        default=None,
         validation_alias=AliasChoices("DISCORD_WEBHOOK_URL"),
     )
 

backend/app/main.py

@@ -8,7 +8,7 @@ from fastapi import FastAPI, Request
 from fastapi.middleware.cors import CORSMiddleware
 
 from .config import settings
-from .db import init_db
+from .db import has_admin_user, init_db
 from .routers.requests import (
     router as requests_router,
     startup_warmup_requests_cache,
@@ -24,6 +24,7 @@ from .routers.status import router as status_router
 from .routers.feedback import router as feedback_router
 from .routers.site import router as site_router
 from .routers.events import router as events_router
+from .routers.portal import router as portal_router
 from .services.jellyfin_sync import run_daily_jellyfin_sync
 from .logging_config import (
     bind_request_id,
@@ -163,6 +164,34 @@ def _launch_background_task(name: str, coroutine_factory: Callable[[], Awaitable
     _background_tasks.append(task)
 
 
+def _log_security_configuration_warnings() -> None:
+    jwt_secret = str(settings.jwt_secret or "").strip()
+    if not jwt_secret or jwt_secret == "change-me":
+        logger.warning(
+            "security configuration warning: JWT_SECRET is unset or still set to the default value"
+        )
+    admin_password = str(settings.admin_password or "")
+    if not admin_password or admin_password == "adminadmin":
+        logger.warning(
+            "security configuration warning: ADMIN_PASSWORD is unset or still set to the bootstrap default"
+        )
+    if bool(settings.api_docs_enabled):
+        logger.warning(
+            "security configuration warning: API docs are enabled; disable API_DOCS_ENABLED outside controlled environments"
+        )
+
+
+def _enforce_secure_startup_configuration() -> None:
+    jwt_secret = str(settings.jwt_secret or "").strip()
+    if not jwt_secret or jwt_secret == "change-me":
+        raise RuntimeError("JWT_SECRET must be set to a strong, non-default value before startup.")
+    admin_password = str(settings.admin_password or "")
+    if not has_admin_user() and (not admin_password or admin_password == "adminadmin"):
+        raise RuntimeError(
+            "A secure ADMIN_PASSWORD is required on first startup until an admin account exists."
+        )
+
+
 @app.on_event("startup")
 async def startup() -> None:
     configure_logging(
@@ -174,7 +203,9 @@ async def startup() -> None:
         log_background_sync_level=settings.log_background_sync_level,
     )
     logger.info("startup begin app=%s build=%s", settings.app_name, settings.site_build_number)
+    _log_security_configuration_warnings()
     init_db()
+    _enforce_secure_startup_configuration()
     runtime = get_runtime_settings()
     configure_logging(
         runtime.log_level,
@@ -212,3 +243,4 @@ app.include_router(status_router)
 app.include_router(feedback_router)
 app.include_router(site_router)
 app.include_router(events_router)
+app.include_router(portal_router)

backend/app/network_security.py

@@ -0,0 +1,132 @@
+from __future__ import annotations
+
+import ipaddress
+import socket
+from functools import lru_cache
+from typing import Iterable
+from urllib.parse import urlparse
+
+from .config import settings
+
+_METADATA_HOSTS = {
+    "169.254.169.254",
+    "metadata.google.internal",
+    "metadata.azure.internal",
+}
+
+
+def _normalize_text(value: object) -> str:
+    if value is None:
+        return ""
+    return str(value).strip()
+
+
+def _split_csv(value: object) -> list[str]:
+    raw = _normalize_text(value)
+    if not raw:
+        return []
+    return [part.strip() for part in raw.split(",") if part.strip()]
+
+
+def _ip_is_sensitive(ip_obj: ipaddress._BaseAddress) -> bool:
+    return bool(
+        ip_obj.is_loopback
+        or ip_obj.is_link_local
+        or ip_obj.is_multicast
+        or ip_obj.is_unspecified
+        or ip_obj.is_reserved
+        or ip_obj.is_private
+    )
+
+
+@lru_cache(maxsize=256)
+def _resolve_host_ips(host: str) -> tuple[ipaddress._BaseAddress, ...]:
+    resolved: list[ipaddress._BaseAddress] = []
+    for family, _, _, _, sockaddr in socket.getaddrinfo(host, None):
+        if family == socket.AF_INET:
+            resolved.append(ipaddress.ip_address(sockaddr[0]))
+        elif family == socket.AF_INET6:
+            resolved.append(ipaddress.ip_address(sockaddr[0]))
+    return tuple(resolved)
+
+
+def _is_trusted_proxy_host(host: str, trusted_proxies: Iterable[str]) -> bool:
+    candidate = _normalize_text(host)
+    if not candidate:
+        return False
+    try:
+        host_ip = ipaddress.ip_address(candidate)
+    except ValueError:
+        return candidate.lower() in {entry.lower() for entry in trusted_proxies}
+
+    for entry in trusted_proxies:
+        raw = _normalize_text(entry)
+        if not raw:
+            continue
+        try:
+            if "/" in raw:
+                if host_ip in ipaddress.ip_network(raw, strict=False):
+                    return True
+            elif host_ip == ipaddress.ip_address(raw):
+                return True
+        except ValueError:
+            continue
+    return False
+
+
+def request_trusts_forwarded_headers(client_host: str | None) -> bool:
+    if not settings.magent_proxy_enabled or not settings.magent_proxy_trust_forwarded_headers:
+        return False
+    trusted = _split_csv(settings.magent_proxy_trusted_proxies)
+    if not trusted:
+        return False
+    return _is_trusted_proxy_host(client_host or "", trusted)
+
+
+def validate_notification_target_url(
+    url: str,
+    *,
+    allow_private: bool | None = None,
+) -> str:
+    raw = _normalize_text(url)
+    if not raw:
+        raise ValueError("URL cannot be empty.")
+
+    parsed = urlparse(raw)
+    if parsed.scheme not in {"http", "https"}:
+        raise ValueError("URL must use http:// or https://.")
+    if parsed.username or parsed.password:
+        raise ValueError("URL must not embed credentials.")
+    hostname = _normalize_text(parsed.hostname).lower()
+    if not hostname:
+        raise ValueError("URL must include a valid host.")
+
+    allow_private_targets = (
+        settings.magent_allow_private_notification_targets
+        if allow_private is None
+        else bool(allow_private)
+    )
+    if hostname in _METADATA_HOSTS:
+        raise ValueError("Metadata service targets are not allowed.")
+    if hostname == "localhost" and not allow_private_targets:
+        raise ValueError("Local notification targets are not allowed.")
+
+    try:
+        host_ip = ipaddress.ip_address(hostname)
+    except ValueError:
+        host_ip = None
+
+    if host_ip is not None:
+        if _ip_is_sensitive(host_ip) and not allow_private_targets:
+            raise ValueError("Private or local notification targets are not allowed.")
+        return raw
+
+    try:
+        resolved_ips = _resolve_host_ips(hostname)
+    except socket.gaierror as exc:
+        raise ValueError("Host could not be resolved.") from exc
+    if not resolved_ips:
+        raise ValueError("Host could not be resolved.")
+    if not allow_private_targets and any(_ip_is_sensitive(ip_obj) for ip_obj in resolved_ips):
+        raise ValueError("Private or local notification targets are not allowed.")
+    return raw

backend/app/routers/admin.py

@@ -20,6 +20,7 @@ from ..auth import (
     resolve_user_auth_provider,
 )
 from ..config import settings as env_settings
+from ..network_security import validate_notification_target_url
 from ..db import (
     delete_setting,
     get_all_users,
@@ -41,6 +42,7 @@ from ..db import (
     delete_user_activity_by_username,
     set_user_auto_search_enabled,
     set_auto_search_enabled_for_non_admin_users,
+    set_user_email,
     set_user_invite_management_enabled,
     set_invite_management_enabled_for_non_admin_users,
     set_user_profile_id,
@@ -78,6 +80,8 @@ from ..clients.jellyseerr import JellyseerrClient
 from ..services.jellyfin_sync import sync_jellyfin_users
 from ..services.user_cache import (
     build_jellyseerr_candidate_map,
+    extract_jellyseerr_user_email,
+    find_matching_jellyseerr_user,
     get_cached_jellyfin_users,
     get_cached_jellyseerr_users,
     match_jellyseerr_user_id,
@@ -85,9 +89,11 @@ from ..services.user_cache import (
     save_jellyseerr_users_cache,
     clear_user_import_caches,
 )
+from ..security import validate_password_policy
 from ..services.invite_email import (
     TEMPLATE_KEYS as INVITE_EMAIL_TEMPLATE_KEYS,
     get_invite_email_templates,
+    normalize_delivery_email,
     reset_invite_email_template,
     save_invite_email_template,
     send_test_email,
@@ -106,6 +112,16 @@ events_router = APIRouter(prefix="/admin/events", tags=["admin"])
 logger = logging.getLogger(__name__)
 SELF_SERVICE_INVITE_MASTER_ID_KEY = "self_service_invite_master_id"
 
+
+def _require_recipient_email(value: object) -> str:
+    normalized = normalize_delivery_email(value)
+    if normalized:
+        return normalized
+    raise HTTPException(
+        status_code=400,
+        detail="recipient_email is required and must be a valid email address",
+    )
+
 SENSITIVE_KEYS = {
     "magent_ssl_certificate_pem",
     "magent_ssl_private_key_pem",
@@ -138,6 +154,12 @@ URL_SETTING_KEYS = {
     "qbittorrent_base_url",
 }
 
+NOTIFICATION_URL_SETTING_KEYS = {
+    "magent_notify_discord_webhook_url",
+    "magent_notify_push_base_url",
+    "magent_notify_webhook_url",
+}
+
 SETTING_KEYS: List[str] = [
     "magent_application_url",
     "magent_application_port",
@@ -215,6 +237,10 @@ SETTING_KEYS: List[str] = [
     "site_banner_enabled",
     "site_banner_message",
     "site_banner_tone",
+    "site_login_show_jellyfin_login",
+    "site_login_show_local_login",
+    "site_login_show_forgot_password",
+    "site_login_show_signup_link",
 ]
 
 
@@ -640,6 +666,12 @@ async def update_settings(payload: Dict[str, Any]) -> Dict[str, Any]:
             except ValueError as exc:
                 friendly_key = key.replace("_", " ")
                 raise HTTPException(status_code=400, detail=f"{friendly_key}: {exc}") from exc
+        if key in NOTIFICATION_URL_SETTING_KEYS and value_to_store:
+            try:
+                value_to_store = validate_notification_target_url(value_to_store)
+            except ValueError as exc:
+                friendly_key = key.replace("_", " ")
+                raise HTTPException(status_code=400, detail=f"{friendly_key}: {exc}") from exc
         set_setting(key, value_to_store)
         updates += 1
         changed_keys.append(key)
@@ -816,8 +848,12 @@ async def jellyseerr_users_sync() -> Dict[str, Any]:
             continue
         username = user.get("username") or ""
         matched_id = match_jellyseerr_user_id(username, candidate_to_id)
+        matched_seerr_user = find_matching_jellyseerr_user(username, jellyseerr_users)
+        matched_email = extract_jellyseerr_user_email(matched_seerr_user)
         if matched_id is not None:
             set_user_jellyseerr_id(username, matched_id)
+            if matched_email:
+                set_user_email(username, matched_email)
             updated += 1
         else:
             skipped += 1
@@ -854,10 +890,12 @@ async def jellyseerr_users_resync() -> Dict[str, Any]:
         username = _pick_jellyseerr_username(user)
         if not username:
             continue
+        email = extract_jellyseerr_user_email(user)
         created = create_user_if_missing(
             username,
             "jellyseerr-user",
             role="user",
+            email=email,
             auth_provider="jellyseerr",
             jellyseerr_user_id=user_id,
         )
@@ -865,6 +903,8 @@ async def jellyseerr_users_resync() -> Dict[str, Any]:
             imported += 1
         else:
             set_user_jellyseerr_id(username, user_id)
+            if email:
+                set_user_email(username, email)
     return {"status": "ok", "imported": imported, "cleared": cleared}
 
 @router.post("/requests/sync")
@@ -1012,6 +1052,7 @@ async def requests_all(
     take: int = 50,
     skip: int = 0,
     days: Optional[int] = None,
+    stage: str = "all",
     user: Dict[str, str] = Depends(get_current_user),
 ) -> Dict[str, Any]:
     if user.get("role") != "admin":
@@ -1021,8 +1062,9 @@ async def requests_all(
     since_iso = None
     if days is not None and int(days) > 0:
         since_iso = (datetime.now(timezone.utc) - timedelta(days=int(days))).isoformat()
-    rows = get_cached_requests(limit=take, offset=skip, since_iso=since_iso)
-    total = get_cached_requests_count(since_iso=since_iso)
+    status_codes = requests_router.request_stage_filter_codes(stage)
+    rows = get_cached_requests(limit=take, offset=skip, since_iso=since_iso, status_codes=status_codes)
+    total = get_cached_requests_count(since_iso=since_iso, status_codes=status_codes)
     results = []
     for row in rows:
         status = row.get("status")
@@ -1452,12 +1494,15 @@ async def update_users_expiry_bulk(payload: Dict[str, Any]) -> Dict[str, Any]:
 @router.post("/users/{username}/password")
 async def update_user_password(username: str, payload: Dict[str, Any]) -> Dict[str, Any]:
     new_password = payload.get("password") if isinstance(payload, dict) else None
-    if not isinstance(new_password, str) or len(new_password.strip()) < 8:
-        raise HTTPException(status_code=400, detail="Password must be at least 8 characters.")
+    if not isinstance(new_password, str):
+        raise HTTPException(status_code=400, detail="Invalid payload")
+    try:
+        new_password_clean = validate_password_policy(new_password)
+    except ValueError as exc:
+        raise HTTPException(status_code=400, detail=str(exc)) from exc
     user = get_user_by_username(username)
     if not user:
         raise HTTPException(status_code=404, detail="User not found")
-    new_password_clean = new_password.strip()
     user = normalize_user_auth_provider(user)
     auth_provider = resolve_user_auth_provider(user)
     if auth_provider == "local":
@@ -1769,7 +1814,7 @@ async def send_invite_email(payload: Dict[str, Any]) -> Dict[str, Any]:
         if invite is None:
             invite = _resolve_user_invite(user)
 
-    recipient_email = _normalize_optional_text(payload.get("recipient_email"))
+    recipient_email = _require_recipient_email(payload.get("recipient_email"))
     message = _normalize_optional_text(payload.get("message"))
     reason = _normalize_optional_text(payload.get("reason"))
 
@@ -1819,7 +1864,7 @@ async def create_invite(payload: Dict[str, Any], current_user: Dict[str, Any] =
     role = _normalize_role_or_none(payload.get("role"))
     max_uses = _parse_optional_positive_int(payload.get("max_uses"), "max_uses")
     expires_at = _parse_optional_expires_at(payload.get("expires_at"))
-    recipient_email = _normalize_optional_text(payload.get("recipient_email"))
+    recipient_email = _require_recipient_email(payload.get("recipient_email"))
     send_email = bool(payload.get("send_email"))
     delivery_message = _normalize_optional_text(payload.get("message"))
     try:

backend/app/routers/auth.py

@@ -7,7 +7,7 @@ import time
 from threading import Lock
 
 import httpx
-from fastapi import APIRouter, HTTPException, status, Depends, Request
+from fastapi import APIRouter, HTTPException, status, Depends, Request, Response
 from fastapi.security import OAuth2PasswordRequestForm
 
 from ..db import (
@@ -19,6 +19,7 @@ from ..db import (
     get_users_by_username_ci,
     set_user_password,
     set_user_jellyseerr_id,
+    set_user_email,
     set_user_auth_provider,
     get_signup_invite_by_code,
     get_signup_invite_by_id,
@@ -39,17 +40,35 @@ from ..db import (
 from ..runtime import get_runtime_settings
 from ..clients.jellyfin import JellyfinClient
 from ..clients.jellyseerr import JellyseerrClient
-from ..security import create_access_token, verify_password
+from ..security import (
+    PASSWORD_POLICY_MESSAGE,
+    create_access_token,
+    validate_password_policy,
+    verify_password,
+)
 from ..security import create_stream_token
-from ..auth import get_current_user, normalize_user_auth_provider, resolve_user_auth_provider
+from ..auth import (
+    clear_auth_cookies,
+    get_current_user,
+    normalize_user_auth_provider,
+    resolve_user_auth_provider,
+    set_auth_cookies,
+)
 from ..config import settings
+from ..network_security import request_trusts_forwarded_headers
 from ..services.user_cache import (
     build_jellyseerr_candidate_map,
+    extract_jellyseerr_user_email,
+    find_matching_jellyseerr_user,
     get_cached_jellyseerr_users,
     match_jellyseerr_user_id,
     save_jellyfin_users_cache,
 )
-from ..services.invite_email import send_templated_email, smtp_email_config_ready
+from ..services.invite_email import (
+    normalize_delivery_email,
+    send_templated_email,
+    smtp_email_config_ready,
+)
 from ..services.password_reset import (
     PasswordResetUnavailableError,
     apply_password_reset,
@@ -68,9 +87,24 @@ PASSWORD_RESET_GENERIC_MESSAGE = (
 _LOGIN_RATE_LOCK = Lock()
 _LOGIN_ATTEMPTS_BY_IP: dict[str, deque[float]] = defaultdict(deque)
 _LOGIN_ATTEMPTS_BY_USER: dict[str, deque[float]] = defaultdict(deque)
+_RESET_RATE_LOCK = Lock()
+_RESET_ATTEMPTS_BY_IP: dict[str, deque[float]] = defaultdict(deque)
+_RESET_ATTEMPTS_BY_IDENTIFIER: dict[str, deque[float]] = defaultdict(deque)
+
+
+def _require_recipient_email(value: object) -> str:
+    normalized = normalize_delivery_email(value)
+    if normalized:
+        return normalized
+    raise HTTPException(
+        status_code=status.HTTP_400_BAD_REQUEST,
+        detail="recipient_email is required and must be a valid email address.",
+    )
 
 
 def _auth_client_ip(request: Request) -> str:
+    direct_host = request.client.host if request.client else None
+    if request_trusts_forwarded_headers(direct_host):
         forwarded = request.headers.get("x-forwarded-for")
         if isinstance(forwarded, str) and forwarded.strip():
             return forwarded.split(",", 1)[0].strip()
@@ -86,6 +120,10 @@ def _login_rate_key_user(username: str) -> str:
     return (username or "").strip().lower()[:256] or "<empty>"
 
 
+def _password_reset_rate_key_identifier(identifier: str) -> str:
+    return (identifier or "").strip().lower()[:256] or "<empty>"
+
+
 def _prune_attempts(bucket: deque[float], now: float, window_seconds: int) -> None:
     cutoff = now - window_seconds
     while bucket and bucket[0] < cutoff:
@@ -171,6 +209,57 @@ def _enforce_login_rate_limit(request: Request, username: str) -> None:
         )
 
 
+def _record_password_reset_attempt(request: Request, identifier: str) -> None:
+    now = time.monotonic()
+    window = max(int(settings.password_reset_rate_limit_window_seconds or 300), 1)
+    ip_key = _auth_client_ip(request)
+    identifier_key = _password_reset_rate_key_identifier(identifier)
+    with _RESET_RATE_LOCK:
+        ip_bucket = _RESET_ATTEMPTS_BY_IP[ip_key]
+        identifier_bucket = _RESET_ATTEMPTS_BY_IDENTIFIER[identifier_key]
+        _prune_attempts(ip_bucket, now, window)
+        _prune_attempts(identifier_bucket, now, window)
+        ip_bucket.append(now)
+        identifier_bucket.append(now)
+    logger.info("password reset rate event recorded identifier=%s client=%s", identifier_key, ip_key)
+
+
+def _enforce_password_reset_rate_limit(request: Request, identifier: str) -> None:
+    now = time.monotonic()
+    window = max(int(settings.password_reset_rate_limit_window_seconds or 300), 1)
+    max_ip = max(int(settings.password_reset_rate_limit_max_attempts_ip or 6), 1)
+    max_identifier = max(int(settings.password_reset_rate_limit_max_attempts_identifier or 3), 1)
+    ip_key = _auth_client_ip(request)
+    identifier_key = _password_reset_rate_key_identifier(identifier)
+    with _RESET_RATE_LOCK:
+        ip_bucket = _RESET_ATTEMPTS_BY_IP[ip_key]
+        identifier_bucket = _RESET_ATTEMPTS_BY_IDENTIFIER[identifier_key]
+        _prune_attempts(ip_bucket, now, window)
+        _prune_attempts(identifier_bucket, now, window)
+        exceeded = len(ip_bucket) >= max_ip or len(identifier_bucket) >= max_identifier
+        retry_after = 1
+        if exceeded:
+            retry_candidates = []
+            if ip_bucket:
+                retry_candidates.append(max(1, int(window - (now - ip_bucket[0]))))
+            if identifier_bucket:
+                retry_candidates.append(max(1, int(window - (now - identifier_bucket[0]))))
+            if retry_candidates:
+                retry_after = max(retry_candidates)
+    if exceeded:
+        logger.warning(
+            "password reset rate limit exceeded identifier=%s client=%s retry_after=%s",
+            identifier_key,
+            ip_key,
+            retry_after,
+        )
+        raise HTTPException(
+            status_code=status.HTTP_429_TOO_MANY_REQUESTS,
+            detail="Too many password reset attempts. Try again shortly.",
+            headers={"Retry-After": str(retry_after)},
+        )
+
+
 def _normalize_username(value: str) -> str:
     normalized = value.strip().lower()
     if "@" in normalized:
@@ -219,6 +308,13 @@ def _extract_jellyseerr_user_id(response: dict) -> int | None:
     return None
 
 
+def _extract_jellyseerr_response_email(response: dict) -> str | None:
+    if not isinstance(response, dict):
+        return None
+    user_payload = response.get("user") if isinstance(response.get("user"), dict) else response
+    return extract_jellyseerr_user_email(user_payload)
+
+
 def _extract_http_error_detail(exc: Exception) -> str:
     if isinstance(exc, httpx.HTTPStatusError):
         response = exc.response
@@ -271,6 +367,15 @@ def _assert_user_can_login(user: dict | None) -> None:
         raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="User access has expired")
 
 
+def _auth_success_response(response: Response, token: str, user_payload: dict) -> dict:
+    set_auth_cookies(response, token)
+    return {
+        "authenticated": True,
+        "token_type": "cookie",
+        "user": user_payload,
+    }
+
+
 def _public_invite_payload(invite: dict, profile: dict | None = None) -> dict:
     return {
         "code": invite.get("code"),
@@ -493,7 +598,11 @@ def _master_invite_controlled_values(master_invite: dict) -> tuple[int | None, s
 
 
 @router.post("/login")
-async def login(request: Request, form_data: OAuth2PasswordRequestForm = Depends()) -> dict:
+async def login(
+    request: Request,
+    response: Response,
+    form_data: OAuth2PasswordRequestForm = Depends(),
+) -> dict:
     _enforce_login_rate_limit(request, form_data.username)
     logger.info(
         "login attempt provider=local username=%s client=%s",
@@ -542,15 +651,19 @@ async def login(request: Request, form_data: OAuth2PasswordRequestForm = Depends
         user["role"],
         _auth_client_ip(request),
     )
-    return {
-        "access_token": token,
-        "token_type": "bearer",
-        "user": {"username": user["username"], "role": user["role"]},
-    }
+    return _auth_success_response(
+        response,
+        token,
+        {"username": user["username"], "role": user["role"]},
+    )
 
 
 @router.post("/jellyfin/login")
-async def jellyfin_login(request: Request, form_data: OAuth2PasswordRequestForm = Depends()) -> dict:
+async def jellyfin_login(
+    request: Request,
+    response: Response,
+    form_data: OAuth2PasswordRequestForm = Depends(),
+) -> dict:
     _enforce_login_rate_limit(request, form_data.username)
     logger.info(
         "login attempt provider=jellyfin username=%s client=%s",
@@ -569,6 +682,8 @@ async def jellyfin_login(request: Request, form_data: OAuth2PasswordRequestForm
     preferred_match = _pick_preferred_ci_user_match(ci_matches, username)
     canonical_username = str(preferred_match.get("username") or username) if preferred_match else username
     user = preferred_match or get_user_by_username(username)
+    matched_seerr_user = find_matching_jellyseerr_user(canonical_username, jellyseerr_users or [])
+    matched_email = extract_jellyseerr_user_email(matched_seerr_user)
     _assert_user_can_login(user)
     if user and _has_valid_jellyfin_cache(user, password):
         token = create_access_token(canonical_username, "user")
@@ -579,13 +694,13 @@ async def jellyfin_login(request: Request, form_data: OAuth2PasswordRequestForm
             canonical_username,
             _auth_client_ip(request),
         )
-        return {
-            "access_token": token,
-            "token_type": "bearer",
-            "user": {"username": canonical_username, "role": "user"},
-        }
+        return _auth_success_response(
+            response,
+            token,
+            {"username": canonical_username, "role": "user"},
+        )
     try:
-        response = await client.authenticate_by_name(username, password)
+        auth_response = await client.authenticate_by_name(username, password)
     except Exception as exc:
         logger.exception(
             "login upstream error provider=jellyfin username=%s client=%s",
@@ -593,11 +708,17 @@ async def jellyfin_login(request: Request, form_data: OAuth2PasswordRequestForm
             _auth_client_ip(request),
         )
         raise HTTPException(status_code=status.HTTP_502_BAD_GATEWAY, detail=str(exc)) from exc
-    if not isinstance(response, dict) or not response.get("User"):
+    if not isinstance(auth_response, dict) or not auth_response.get("User"):
         _record_login_failure(request, username)
         raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid Jellyfin credentials")
     if not preferred_match:
-        create_user_if_missing(canonical_username, "jellyfin-user", role="user", auth_provider="jellyfin")
+        create_user_if_missing(
+            canonical_username,
+            "jellyfin-user",
+            role="user",
+            email=matched_email,
+            auth_provider="jellyfin",
+        )
     elif (
         user
         and str(user.get("role") or "user").strip().lower() != "admin"
@@ -605,6 +726,8 @@ async def jellyfin_login(request: Request, form_data: OAuth2PasswordRequestForm
     ):
         set_user_auth_provider(canonical_username, "jellyfin")
         user = get_user_by_username(canonical_username)
+    if matched_email:
+        set_user_email(canonical_username, matched_email)
     user = get_user_by_username(canonical_username)
     _assert_user_can_login(user)
     try:
@@ -627,16 +750,20 @@ async def jellyfin_login(request: Request, form_data: OAuth2PasswordRequestForm
         get_user_by_username(canonical_username).get("jellyseerr_user_id") if get_user_by_username(canonical_username) else None,
         _auth_client_ip(request),
     )
-    return {
-        "access_token": token,
-        "token_type": "bearer",
-        "user": {"username": canonical_username, "role": "user"},
-    }
+    return _auth_success_response(
+        response,
+        token,
+        {"username": canonical_username, "role": "user"},
+    )
 
 
 @router.post("/seerr/login")
 @router.post("/jellyseerr/login")
-async def jellyseerr_login(request: Request, form_data: OAuth2PasswordRequestForm = Depends()) -> dict:
+async def jellyseerr_login(
+    request: Request,
+    response: Response,
+    form_data: OAuth2PasswordRequestForm = Depends(),
+) -> dict:
     _enforce_login_rate_limit(request, form_data.username)
     logger.info(
         "login attempt provider=seerr username=%s client=%s",
@@ -648,7 +775,7 @@ async def jellyseerr_login(request: Request, form_data: OAuth2PasswordRequestFor
     if not client.configured():
         raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Seerr not configured")
     try:
-        response = await client.login_local(form_data.username, form_data.password)
+        auth_response = await client.login_local(form_data.username, form_data.password)
     except Exception as exc:
         logger.exception(
             "login upstream error provider=seerr username=%s client=%s",
@@ -656,10 +783,11 @@ async def jellyseerr_login(request: Request, form_data: OAuth2PasswordRequestFor
             _auth_client_ip(request),
         )
         raise HTTPException(status_code=status.HTTP_502_BAD_GATEWAY, detail=str(exc)) from exc
-    if not isinstance(response, dict):
+    if not isinstance(auth_response, dict):
         _record_login_failure(request, form_data.username)
         raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid Seerr credentials")
-    jellyseerr_user_id = _extract_jellyseerr_user_id(response)
+    jellyseerr_user_id = _extract_jellyseerr_user_id(auth_response)
+    jellyseerr_email = _extract_jellyseerr_response_email(auth_response)
     ci_matches = get_users_by_username_ci(form_data.username)
     preferred_match = _pick_preferred_ci_user_match(ci_matches, form_data.username)
     canonical_username = str(preferred_match.get("username") or form_data.username) if preferred_match else form_data.username
@@ -668,13 +796,22 @@ async def jellyseerr_login(request: Request, form_data: OAuth2PasswordRequestFor
             canonical_username,
             "jellyseerr-user",
             role="user",
+            email=jellyseerr_email,
             auth_provider="jellyseerr",
             jellyseerr_user_id=jellyseerr_user_id,
         )
+    elif (
+        preferred_match
+        and str(preferred_match.get("role") or "user").strip().lower() != "admin"
+        and str(preferred_match.get("auth_provider") or "local").strip().lower() not in {"jellyfin", "jellyseerr"}
+    ):
+        set_user_auth_provider(canonical_username, "jellyseerr")
     user = get_user_by_username(canonical_username)
     _assert_user_can_login(user)
     if jellyseerr_user_id is not None:
         set_user_jellyseerr_id(canonical_username, jellyseerr_user_id)
+    if jellyseerr_email:
+        set_user_email(canonical_username, jellyseerr_email)
     token = create_access_token(canonical_username, "user")
     _clear_login_failures(request, form_data.username)
     set_last_login(canonical_username)
@@ -684,11 +821,11 @@ async def jellyseerr_login(request: Request, form_data: OAuth2PasswordRequestFor
         jellyseerr_user_id,
         _auth_client_ip(request),
     )
-    return {
-        "access_token": token,
-        "token_type": "bearer",
-        "user": {"username": canonical_username, "role": "user"},
-    }
+    return _auth_success_response(
+        response,
+        token,
+        {"username": canonical_username, "role": "user"},
+    )
 
 
 @router.get("/me")
@@ -696,6 +833,12 @@ async def me(current_user: dict = Depends(get_current_user)) -> dict:
     return current_user
 
 
+@router.post("/logout")
+async def logout(response: Response) -> dict:
+    clear_auth_cookies(response)
+    return {"status": "ok"}
+
+
 @router.get("/stream-token")
 async def stream_token(current_user: dict = Depends(get_current_user)) -> dict:
     token = create_stream_token(
@@ -725,7 +868,7 @@ async def invite_details(code: str) -> dict:
 
 
 @router.post("/signup")
-async def signup(payload: dict) -> dict:
+async def signup(payload: dict, response: Response) -> dict:
     if not isinstance(payload, dict):
         raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Invalid payload")
     invite_code = str(payload.get("invite_code") or "").strip()
@@ -735,11 +878,10 @@ async def signup(payload: dict) -> dict:
         raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Invite code is required")
     if not username:
         raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Username is required")
-    if len(password.strip()) < 8:
-        raise HTTPException(
-            status_code=status.HTTP_400_BAD_REQUEST,
-            detail="Password must be at least 8 characters.",
-        )
+    try:
+        password_value = validate_password_policy(password)
+    except ValueError as exc:
+        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail=str(exc)) from exc
     if get_user_by_username(username):
         raise HTTPException(status_code=status.HTTP_409_CONFLICT, detail="User already exists")
     logger.info(
@@ -786,7 +928,6 @@ async def signup(payload: dict) -> dict:
         expires_at = (datetime.now(timezone.utc) + timedelta(days=account_expires_days)).isoformat()
 
     runtime = get_runtime_settings()
-    password_value = password.strip()
     auth_provider = "local"
     local_password_value = password_value
     matched_jellyseerr_user_id: int | None = None
@@ -803,14 +944,14 @@ async def signup(payload: dict) -> dict:
             duplicate_like = status_code in {400, 409}
             if duplicate_like:
                 try:
-                    response = await jellyfin_client.authenticate_by_name(username, password_value)
+                    auth_response = await jellyfin_client.authenticate_by_name(username, password_value)
                 except Exception as auth_exc:
                     detail = _extract_http_error_detail(auth_exc) or _extract_http_error_detail(exc)
                     raise HTTPException(
                         status_code=status.HTTP_409_CONFLICT,
                         detail=f"Jellyfin account already exists and could not be authenticated: {detail}",
                     ) from exc
-                if not isinstance(response, dict) or not response.get("User"):
+                if not isinstance(auth_response, dict) or not auth_response.get("User"):
                     raise HTTPException(
                         status_code=status.HTTP_409_CONFLICT,
                         detail="Jellyfin account already exists for that username.",
@@ -839,6 +980,7 @@ async def signup(payload: dict) -> dict:
             username,
             local_password_value,
             role=role,
+            email=normalize_delivery_email(invite.get("recipient_email")) if isinstance(invite, dict) else None,
             auth_provider=auth_provider,
             jellyseerr_user_id=matched_jellyseerr_user_id,
             auto_search_enabled=auto_search_enabled,
@@ -881,17 +1023,17 @@ async def signup(payload: dict) -> dict:
         created_user.get("profile_id") if created_user else None,
         invite.get("code"),
     )
-    return {
-        "access_token": token,
-        "token_type": "bearer",
-        "user": {
+    return _auth_success_response(
+        response,
+        token,
+        {
             "username": username,
             "role": role,
             "auth_provider": created_user.get("auth_provider") if created_user else auth_provider,
             "profile_id": created_user.get("profile_id") if created_user else None,
             "expires_at": created_user.get("expires_at") if created_user else None,
         },
-    }
+    )
 
 
 @router.post("/password/forgot")
@@ -901,6 +1043,8 @@ async def forgot_password(payload: dict, request: Request) -> dict:
     identifier = payload.get("identifier") or payload.get("username") or payload.get("email")
     if not isinstance(identifier, str) or not identifier.strip():
         raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Username or email is required.")
+    _enforce_password_reset_rate_limit(request, identifier)
+    _record_password_reset_attempt(request, identifier)
 
     ready, detail = smtp_email_config_ready()
     if not ready:
@@ -960,14 +1104,15 @@ async def password_reset(payload: dict) -> dict:
     new_password = payload.get("new_password")
     if not isinstance(token, str) or not token.strip():
         raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Reset token is required.")
-    if not isinstance(new_password, str) or len(new_password.strip()) < 8:
-        raise HTTPException(
-            status_code=status.HTTP_400_BAD_REQUEST,
-            detail="Password must be at least 8 characters.",
-        )
+    if not isinstance(new_password, str):
+        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail=PASSWORD_POLICY_MESSAGE)
+    try:
+        new_password_clean = validate_password_policy(new_password)
+    except ValueError as exc:
+        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail=str(exc)) from exc
 
     try:
-        result = await apply_password_reset(token.strip(), new_password.strip())
+        result = await apply_password_reset(token.strip(), new_password_clean)
     except PasswordResetUnavailableError as exc:
         raise HTTPException(status_code=status.HTTP_503_SERVICE_UNAVAILABLE, detail=str(exc)) from exc
     except ValueError as exc:
@@ -1065,8 +1210,7 @@ async def create_profile_invite(payload: dict, current_user: dict = Depends(get_
         label = str(label).strip() or None
     if description is not None:
         description = str(description).strip() or None
-    if recipient_email is not None:
-        recipient_email = str(recipient_email).strip() or None
+    recipient_email = _require_recipient_email(recipient_email)
     send_email = bool(payload.get("send_email"))
     delivery_message = str(payload.get("message") or "").strip() or None
 
@@ -1156,8 +1300,7 @@ async def update_profile_invite(
         label = str(label).strip() or None
     if description is not None:
         description = str(description).strip() or None
-    if recipient_email is not None:
-        recipient_email = str(recipient_email).strip() or None
+    recipient_email = _require_recipient_email(recipient_email)
     send_email = bool(payload.get("send_email"))
     delivery_message = str(payload.get("message") or "").strip() or None
 
@@ -1232,14 +1375,13 @@ async def change_password(payload: dict, current_user: dict = Depends(get_curren
     new_password = payload.get("new_password") if isinstance(payload, dict) else None
     if not isinstance(current_password, str) or not isinstance(new_password, str):
         raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Invalid payload")
-    if len(new_password.strip()) < 8:
-        raise HTTPException(
-            status_code=status.HTTP_400_BAD_REQUEST, detail="Password must be at least 8 characters."
-        )
+    try:
+        new_password_clean = validate_password_policy(new_password)
+    except ValueError as exc:
+        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail=str(exc)) from exc
     username = str(current_user.get("username") or "").strip()
     if not username:
         raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Invalid user")
-    new_password_clean = new_password.strip()
     stored_user = normalize_user_auth_provider(get_user_by_username(username))
     auth_provider = resolve_user_auth_provider(stored_user or current_user)
     logger.info("password change requested username=%s provider=%s", username, auth_provider)

backend/app/routers/events.py

@@ -76,6 +76,7 @@ def _request_actions_brief(entries: Any) -> list[dict[str, Any]]:
 async def events_stream(
     request: Request,
     recent_days: int = 90,
+    recent_stage: str = "all",
     user: Dict[str, Any] = Depends(get_current_user_event_stream),
 ) -> StreamingResponse:
     recent_days = max(0, min(int(recent_days or 90), 3650))
@@ -103,6 +104,7 @@ async def events_stream(
                         take=recent_take,
                         skip=0,
                         days=recent_days,
+                        stage=recent_stage,
                         user=user,
                     )
                     results = recent_payload.get("results") if isinstance(recent_payload, dict) else []
@@ -110,6 +112,7 @@ async def events_stream(
                         "type": "home_recent",
                         "ts": datetime.now(timezone.utc).isoformat(),
                         "days": recent_days,
+                        "stage": recent_stage,
                         "results": results if isinstance(results, list) else [],
                     }
                 except Exception as exc:
@@ -117,6 +120,7 @@ async def events_stream(
                         "type": "home_recent",
                         "ts": datetime.now(timezone.utc).isoformat(),
                         "days": recent_days,
+                        "stage": recent_stage,
                         "error": str(exc),
                     }
                 signature = json.dumps(payload, ensure_ascii=True, separators=(",", ":"), default=str)

backend/app/routers/feedback.py

@@ -3,6 +3,7 @@ import httpx
 from fastapi import APIRouter, Depends, HTTPException
 
 from ..auth import get_current_user
+from ..network_security import validate_notification_target_url
 from ..runtime import get_runtime_settings
 
 router = APIRouter(prefix="/feedback", tags=["feedback"], dependencies=[Depends(get_current_user)])
@@ -17,6 +18,10 @@ async def send_feedback(payload: Dict[str, Any], user: Dict[str, str] = Depends(
     )
     if not webhook_url:
         raise HTTPException(status_code=400, detail="Discord webhook not configured")
+    try:
+        webhook_url = validate_notification_target_url(webhook_url)
+    except ValueError as exc:
+        raise HTTPException(status_code=400, detail=str(exc)) from exc
 
     feedback_type = str(payload.get("type") or "").strip().lower()
     if feedback_type not in {"bug", "feature"}:

backend/app/routers/requests.py

@@ -26,7 +26,7 @@ from ..db import (
     get_cached_requests,
     get_cached_requests_since,
     get_cached_request_by_media_id,
-    get_request_cache_by_id,
+    get_request_cache_lookup,
     get_request_cache_payload,
     get_request_cache_last_updated,
     get_request_cache_count,
@@ -35,7 +35,9 @@ from ..db import (
     repair_request_cache_titles,
     prune_duplicate_requests_cache,
     upsert_request_cache,
+    upsert_request_cache_many,
     upsert_artwork_cache_status,
+    upsert_artwork_cache_status_many,
     get_artwork_cache_missing_count,
     get_artwork_cache_status_count,
     get_setting,
@@ -47,7 +49,7 @@ from ..db import (
     clear_seerr_media_failure,
 )
 from ..models import Snapshot, TriageResult, RequestType
-from ..services.snapshot import build_snapshot
+from ..services.snapshot import build_snapshot, jellyfin_item_matches_request
 
 router = APIRouter(prefix="/requests", tags=["requests"], dependencies=[Depends(get_current_user)])
 
@@ -91,6 +93,17 @@ STATUS_LABELS = {
     6: "Partially ready",
 }
 
+REQUEST_STAGE_CODES = {
+    "all": None,
+    "pending": [1],
+    "approved": [2],
+    "declined": [3],
+    "ready": [4],
+    "working": [5],
+    "partial": [6],
+    "in_progress": [2, 5, 6],
+}
+
 
 def _cache_get(key: str) -> Optional[Dict[str, Any]]:
     cached = _detail_cache.get(key)
@@ -105,6 +118,57 @@ def _cache_get(key: str) -> Optional[Dict[str, Any]]:
 
 def _cache_set(key: str, payload: Dict[str, Any]) -> None:
     _detail_cache[key] = (time.time() + CACHE_TTL_SECONDS, payload)
+
+
+def _status_label_with_jellyfin(current_status: Any, jellyfin_available: bool) -> str:
+    if not jellyfin_available:
+        return _status_label(current_status)
+    try:
+        status_code = int(current_status)
+    except (TypeError, ValueError):
+        status_code = None
+    if status_code == 6:
+        return STATUS_LABELS[6]
+    return STATUS_LABELS[4]
+
+
+async def _request_is_available_in_jellyfin(
+    jellyfin: JellyfinClient,
+    title: Optional[str],
+    year: Optional[int],
+    media_type: Optional[str],
+    request_payload: Optional[Dict[str, Any]],
+    availability_cache: Dict[str, bool],
+) -> bool:
+    if not jellyfin.configured() or not title:
+        return False
+    cache_key = f"{media_type or ''}:{title.lower()}:{year or ''}:{request_payload.get('id') if isinstance(request_payload, dict) else ''}"
+    cached_value = availability_cache.get(cache_key)
+    if cached_value is not None:
+        return cached_value
+    types = ["Movie"] if media_type == "movie" else ["Series"]
+    try:
+        search = await jellyfin.search_items(title, types, limit=50)
+    except Exception:
+        availability_cache[cache_key] = False
+        return False
+    if isinstance(search, dict):
+        items = search.get("Items") or search.get("items") or []
+        request_type = RequestType.movie if media_type == "movie" else RequestType.tv
+        for item in items:
+            if not isinstance(item, dict):
+                continue
+            if jellyfin_item_matches_request(
+                item,
+                title=title,
+                year=year,
+                request_type=request_type,
+                request_payload=request_payload,
+            ):
+                availability_cache[cache_key] = True
+                return True
+    availability_cache[cache_key] = False
+    return False
     _failed_detail_cache.pop(key, None)
 
 
@@ -152,6 +216,23 @@ def _status_label(value: Any) -> str:
     return "Unknown"
 
 
+def normalize_request_stage_filter(value: Optional[str]) -> str:
+    if not isinstance(value, str):
+        return "all"
+    normalized = value.strip().lower().replace("-", "_").replace(" ", "_")
+    if not normalized:
+        return "all"
+    if normalized in {"processing", "inprogress"}:
+        normalized = "in_progress"
+    return normalized if normalized in REQUEST_STAGE_CODES else "all"
+
+
+def request_stage_filter_codes(value: Optional[str]) -> Optional[list[int]]:
+    normalized = normalize_request_stage_filter(value)
+    codes = REQUEST_STAGE_CODES.get(normalized)
+    return list(codes) if codes else None
+
+
 def _normalize_username(value: Any) -> Optional[str]:
     if not isinstance(value, str):
         return None
@@ -340,6 +421,34 @@ def _extract_tmdb_lookup(payload: Dict[str, Any]) -> tuple[Optional[int], Option
     return tmdb_id, media_type
 
 
+def _normalize_media_type(value: Any) -> Optional[str]:
+    if not isinstance(value, str):
+        return None
+    normalized = value.strip().lower()
+    if normalized in {"movie", "tv"}:
+        return normalized
+    return None
+
+
+def _normalize_seasons(value: Any) -> list[int]:
+    if value is None:
+        return []
+    if not isinstance(value, list):
+        raise HTTPException(status_code=400, detail="seasons must be an array of positive integers")
+    normalized: list[int] = []
+    for raw in value:
+        try:
+            season = int(raw)
+        except (TypeError, ValueError) as exc:
+            raise HTTPException(
+                status_code=400, detail="seasons must contain only positive integers"
+            ) from exc
+        if season <= 0:
+            raise HTTPException(status_code=400, detail="seasons must contain only positive integers")
+        normalized.append(season)
+    return sorted(set(normalized))
+
+
 def _artwork_missing_for_payload(payload: Dict[str, Any]) -> bool:
     poster_path, backdrop_path = _extract_artwork_paths(payload)
     tmdb_id, media_type = _extract_tmdb_lookup(payload)
@@ -383,26 +492,55 @@ def _upsert_artwork_status(
     poster_cached: Optional[bool] = None,
     backdrop_cached: Optional[bool] = None,
 ) -> None:
+    record = _build_artwork_status_record(payload, cache_mode, poster_cached, backdrop_cached)
+    if not record:
+        return
+    upsert_artwork_cache_status(**record)
+
+
+def _build_request_cache_record(payload: Dict[str, Any], request_payload: Dict[str, Any]) -> Dict[str, Any]:
+    return {
+        "request_id": payload.get("request_id"),
+        "media_id": payload.get("media_id"),
+        "media_type": payload.get("media_type"),
+        "status": payload.get("status"),
+        "title": payload.get("title"),
+        "year": payload.get("year"),
+        "requested_by": payload.get("requested_by"),
+        "requested_by_norm": payload.get("requested_by_norm"),
+        "requested_by_id": payload.get("requested_by_id"),
+        "created_at": payload.get("created_at"),
+        "updated_at": payload.get("updated_at"),
+        "payload_json": json.dumps(request_payload, ensure_ascii=True),
+    }
+
+
+def _build_artwork_status_record(
+    payload: Dict[str, Any],
+    cache_mode: str,
+    poster_cached: Optional[bool] = None,
+    backdrop_cached: Optional[bool] = None,
+) -> Optional[Dict[str, Any]]:
     parsed = _parse_request_payload(payload)
     request_id = parsed.get("request_id")
     if not isinstance(request_id, int):
-        return
+        return None
     tmdb_id, media_type = _extract_tmdb_lookup(payload)
     poster_path, backdrop_path = _extract_artwork_paths(payload)
     has_tmdb = bool(tmdb_id and media_type)
     poster_cached_flag, backdrop_cached_flag = _compute_cached_flags(
         poster_path, backdrop_path, cache_mode, poster_cached, backdrop_cached
     )
-    upsert_artwork_cache_status(
-        request_id=request_id,
-        tmdb_id=tmdb_id,
-        media_type=media_type,
-        poster_path=poster_path,
-        backdrop_path=backdrop_path,
-        has_tmdb=has_tmdb,
-        poster_cached=poster_cached_flag,
-        backdrop_cached=backdrop_cached_flag,
-    )
+    return {
+        "request_id": request_id,
+        "tmdb_id": tmdb_id,
+        "media_type": media_type,
+        "poster_path": poster_path,
+        "backdrop_path": backdrop_path,
+        "has_tmdb": has_tmdb,
+        "poster_cached": poster_cached_flag,
+        "backdrop_cached": backdrop_cached_flag,
+    }
 
 
 def _collect_artwork_cache_disk_stats() -> tuple[int, int]:
@@ -603,6 +741,16 @@ async def _sync_all_requests(client: JellyseerrClient) -> int:
         if not isinstance(items, list) or not items:
             logger.info("Seerr sync completed: no more results at skip=%s", skip)
             break
+        page_request_ids = [
+            payload.get("request_id")
+            for item in items
+            if isinstance(item, dict)
+            for payload in [_parse_request_payload(item)]
+            if isinstance(payload.get("request_id"), int)
+        ]
+        cached_by_request_id = get_request_cache_lookup(page_request_ids)
+        page_cache_records: list[Dict[str, Any]] = []
+        page_artwork_records: list[Dict[str, Any]] = []
         for item in items:
             if not isinstance(item, dict):
                 continue
@@ -610,9 +758,8 @@ async def _sync_all_requests(client: JellyseerrClient) -> int:
             request_id = payload.get("request_id")
             cached_title = None
             if isinstance(request_id, int):
-                if not payload.get("title"):
-                    cached = get_request_cache_by_id(request_id)
-                    if cached and cached.get("title"):
+                cached = cached_by_request_id.get(request_id)
+                if not payload.get("title") and cached and cached.get("title"):
                     cached_title = cached.get("title")
                 needs_details = (
                     not payload.get("title")
@@ -644,25 +791,17 @@ async def _sync_all_requests(client: JellyseerrClient) -> int:
                     payload["title"] = cached_title
             if not isinstance(payload.get("request_id"), int):
                 continue
-            payload_json = json.dumps(item, ensure_ascii=True)
-            upsert_request_cache(
-                request_id=payload.get("request_id"),
-                media_id=payload.get("media_id"),
-                media_type=payload.get("media_type"),
-                status=payload.get("status"),
-                title=payload.get("title"),
-                year=payload.get("year"),
-                requested_by=payload.get("requested_by"),
-                requested_by_norm=payload.get("requested_by_norm"),
-                requested_by_id=payload.get("requested_by_id"),
-                created_at=payload.get("created_at"),
-                updated_at=payload.get("updated_at"),
-                payload_json=payload_json,
-            )
+            page_cache_records.append(_build_request_cache_record(payload, item))
             if isinstance(item, dict):
-                _upsert_artwork_status(item, cache_mode)
+                artwork_record = _build_artwork_status_record(item, cache_mode)
+                if artwork_record:
+                    page_artwork_records.append(artwork_record)
             stored += 1
             _sync_state["stored"] = stored
+        if page_cache_records:
+            upsert_request_cache_many(page_cache_records)
+        if page_artwork_records:
+            upsert_artwork_cache_status_many(page_artwork_records)
         if len(items) < take:
             logger.info("Seerr sync completed: stored=%s", stored)
             break
@@ -721,6 +860,16 @@ async def _sync_delta_requests(client: JellyseerrClient) -> int:
         if not isinstance(items, list) or not items:
             logger.info("Seerr delta sync completed: no more results at skip=%s", skip)
             break
+        page_request_ids = [
+            payload.get("request_id")
+            for item in items
+            if isinstance(item, dict)
+            for payload in [_parse_request_payload(item)]
+            if isinstance(payload.get("request_id"), int)
+        ]
+        cached_by_request_id = get_request_cache_lookup(page_request_ids)
+        page_cache_records: list[Dict[str, Any]] = []
+        page_artwork_records: list[Dict[str, Any]] = []
         page_changed = False
         for item in items:
             if not isinstance(item, dict):
@@ -728,7 +877,7 @@ async def _sync_delta_requests(client: JellyseerrClient) -> int:
             payload = _parse_request_payload(item)
             request_id = payload.get("request_id")
             if isinstance(request_id, int):
-                cached = get_request_cache_by_id(request_id)
+                cached = cached_by_request_id.get(request_id)
                 incoming_updated = payload.get("updated_at")
                 cached_title = cached.get("title") if cached else None
                 if cached and incoming_updated and cached.get("updated_at") == incoming_updated and cached.get("title"):
@@ -762,26 +911,18 @@ async def _sync_delta_requests(client: JellyseerrClient) -> int:
                     payload["title"] = cached_title
             if not isinstance(payload.get("request_id"), int):
                 continue
-            payload_json = json.dumps(item, ensure_ascii=True)
-            upsert_request_cache(
-                request_id=payload.get("request_id"),
-                media_id=payload.get("media_id"),
-                media_type=payload.get("media_type"),
-                status=payload.get("status"),
-                title=payload.get("title"),
-                year=payload.get("year"),
-                requested_by=payload.get("requested_by"),
-                requested_by_norm=payload.get("requested_by_norm"),
-                requested_by_id=payload.get("requested_by_id"),
-                created_at=payload.get("created_at"),
-                updated_at=payload.get("updated_at"),
-                payload_json=payload_json,
-            )
+            page_cache_records.append(_build_request_cache_record(payload, item))
             if isinstance(item, dict):
-                _upsert_artwork_status(item, cache_mode)
+                artwork_record = _build_artwork_status_record(item, cache_mode)
+                if artwork_record:
+                    page_artwork_records.append(artwork_record)
             stored += 1
             page_changed = True
             _sync_state["stored"] = stored
+        if page_cache_records:
+            upsert_request_cache_many(page_cache_records)
+        if page_artwork_records:
+            upsert_artwork_cache_status_many(page_artwork_records)
         if not page_changed:
             unchanged_pages += 1
         else:
@@ -866,6 +1007,8 @@ async def _prefetch_artwork_cache(
             batch = get_request_cache_payloads(limit=limit, offset=offset)
         if not batch:
             break
+        page_cache_records: list[Dict[str, Any]] = []
+        page_artwork_records: list[Dict[str, Any]] = []
         for row in batch:
             payload = row.get("payload")
             if not isinstance(payload, dict):
@@ -893,20 +1036,7 @@ async def _prefetch_artwork_cache(
                     parsed = _parse_request_payload(payload)
                     request_id = parsed.get("request_id")
                     if isinstance(request_id, int):
-                        upsert_request_cache(
-                            request_id=request_id,
-                            media_id=parsed.get("media_id"),
-                            media_type=parsed.get("media_type"),
-                            status=parsed.get("status"),
-                            title=parsed.get("title"),
-                            year=parsed.get("year"),
-                            requested_by=parsed.get("requested_by"),
-                            requested_by_norm=parsed.get("requested_by_norm"),
-                            requested_by_id=parsed.get("requested_by_id"),
-                            created_at=parsed.get("created_at"),
-                            updated_at=parsed.get("updated_at"),
-                            payload_json=json.dumps(payload, ensure_ascii=True),
-                        )
+                        page_cache_records.append(_build_request_cache_record(parsed, payload))
             poster_cached_flag = False
             backdrop_cached_flag = False
             if poster_path:
@@ -921,17 +1051,23 @@ async def _prefetch_artwork_cache(
                     backdrop_cached_flag = bool(await cache_tmdb_image(backdrop_path, "w780"))
                 except httpx.HTTPError:
                     backdrop_cached_flag = False
-            _upsert_artwork_status(
+            artwork_record = _build_artwork_status_record(
                 payload,
                 cache_mode,
                 poster_cached=poster_cached_flag if poster_path else None,
                 backdrop_cached=backdrop_cached_flag if backdrop_path else None,
             )
+            if artwork_record:
+                page_artwork_records.append(artwork_record)
             processed += 1
             if processed % 25 == 0:
                 _artwork_prefetch_state.update(
                     {"processed": processed, "message": f"Cached artwork for {processed} requests"}
                 )
+        if page_cache_records:
+            upsert_request_cache_many(page_cache_records)
+        if page_artwork_records:
+            upsert_artwork_cache_status_many(page_artwork_records)
         offset += limit
 
     total_requests = get_request_cache_count()
@@ -1063,6 +1199,7 @@ def _get_recent_from_cache(
     limit: int,
     offset: int,
     since_iso: Optional[str],
+    status_codes: Optional[list[int]] = None,
 ) -> List[Dict[str, Any]]:
     items = _recent_cache.get("items") or []
     results = []
@@ -1078,6 +1215,8 @@ def _get_recent_from_cache(
             item_dt = _parse_iso_datetime(candidate)
             if not item_dt or item_dt < since_dt:
                 continue
+        if status_codes and item.get("status") not in status_codes:
+            continue
         results.append(item)
     return results[offset : offset + limit]
 
@@ -1235,22 +1374,8 @@ def get_requests_sync_state() -> Dict[str, Any]:
 async def _ensure_request_access(
     client: JellyseerrClient, request_id: int, user: Dict[str, str]
 ) -> None:
-    if user.get("role") == "admin":
+    if user.get("role") == "admin" or user.get("username"):
         return
-    runtime = get_runtime_settings()
-    mode = (runtime.requests_data_source or "prefer_cache").lower()
-    cached = get_request_cache_payload(request_id)
-    if mode != "always_js":
-        if cached is None:
-            logger.debug("access cache miss: request_id=%s mode=%s", request_id, mode)
-            raise HTTPException(status_code=404, detail="Request not found in cache")
-        logger.debug("access cache hit: request_id=%s mode=%s", request_id, mode)
-        if _request_matches_user(cached, user.get("username", "")):
-            return
-        raise HTTPException(status_code=403, detail="Request not accessible for this user")
-    logger.debug("access cache miss: request_id=%s mode=%s", request_id, mode)
-    details = await _get_request_details(client, request_id)
-    if details is None or not _request_matches_user(details, user.get("username", "")):
     raise HTTPException(status_code=403, detail="Request not accessible for this user")
 
 
@@ -1521,6 +1646,7 @@ async def recent_requests(
     take: int = 6,
     skip: int = 0,
     days: int = 90,
+    stage: str = "all",
     user: Dict[str, str] = Depends(get_current_user),
 ) -> dict:
     runtime = get_runtime_settings()
@@ -1542,44 +1668,22 @@ async def recent_requests(
     since_iso = None
     if days > 0:
         since_iso = (datetime.now(timezone.utc) - timedelta(days=days)).isoformat()
+    status_codes = request_stage_filter_codes(stage)
     if _recent_cache_stale():
         _refresh_recent_cache_from_db()
-    rows = _get_recent_from_cache(requested_by, requested_by_id, take, skip, since_iso)
+    rows = _get_recent_from_cache(
+        requested_by,
+        requested_by_id,
+        take,
+        skip,
+        since_iso,
+        status_codes=status_codes,
+    )
     cache_mode = (runtime.artwork_cache_mode or "remote").lower()
     allow_title_hydrate = False
     allow_artwork_hydrate = client.configured()
     jellyfin = JellyfinClient(runtime.jellyfin_base_url, runtime.jellyfin_api_key)
     jellyfin_cache: Dict[str, bool] = {}
-
-    async def _jellyfin_available(
-        title_value: Optional[str], year_value: Optional[int], media_type_value: Optional[str]
-    ) -> bool:
-        if not jellyfin.configured() or not title_value:
-            return False
-        cache_key = f"{media_type_value or ''}:{title_value.lower()}:{year_value or ''}"
-        cached_value = jellyfin_cache.get(cache_key)
-        if cached_value is not None:
-            return cached_value
-        types = ["Movie"] if media_type_value == "movie" else ["Series"]
-        try:
-            search = await jellyfin.search_items(title_value, types)
-        except Exception:
-            jellyfin_cache[cache_key] = False
-            return False
-        if isinstance(search, dict):
-            items = search.get("Items") or search.get("items") or []
-            for item in items:
-                if not isinstance(item, dict):
-                    continue
-                name = item.get("Name") or item.get("title")
-                year = item.get("ProductionYear") or item.get("Year")
-                if name and name.strip().lower() == title_value.strip().lower():
-                    if year_value and year and int(year) != int(year_value):
-                        continue
-                    jellyfin_cache[cache_key] = True
-                    return True
-        jellyfin_cache[cache_key] = False
-        return False
     results = []
     for row in rows:
         status = row.get("status")
@@ -1674,10 +1778,16 @@ async def recent_requests(
                             payload_json=json.dumps(details, ensure_ascii=True),
                         )
         status_label = _status_label(status)
-        if status_label == "Working on it":
-            is_available = await _jellyfin_available(title, year, row.get("media_type"))
-            if is_available:
-                status_label = "Available"
+        if status_label in {"Working on it", "Ready to watch", "Partially ready"}:
+            is_available = await _request_is_available_in_jellyfin(
+                jellyfin,
+                title,
+                year,
+                row.get("media_type"),
+                details if isinstance(details, dict) else None,
+                jellyfin_cache,
+            )
+            status_label = _status_label_with_jellyfin(status, is_available)
         results.append(
             {
                 "id": row.get("request_id"),
@@ -1721,6 +1831,8 @@ async def search_requests(
         pass
 
     results = []
+    jellyfin = JellyfinClient(runtime.jellyfin_base_url, runtime.jellyfin_api_key)
+    jellyfin_cache: Dict[str, bool] = {}
     for item in response.get("results", []):
         media_type = item.get("mediaType")
         title = item.get("title") or item.get("name")
@@ -1733,6 +1845,8 @@ async def search_requests(
         request_id = None
         status = None
         status_label = None
+        requested_by = None
+        accessible = False
         media_info = item.get("mediaInfo") or {}
         media_info_id = media_info.get("id")
         requests = media_info.get("requests")
@@ -1741,27 +1855,31 @@ async def search_requests(
             status = requests[0].get("status")
             status_label = _status_label(status)
         elif isinstance(media_info_id, int):
-            username_norm = _normalize_username(user.get("username", ""))
-            requested_by_id = user.get("jellyseerr_user_id")
-            requested_by = None if user.get("role") == "admin" else username_norm
-            requested_by_id = None if user.get("role") == "admin" else requested_by_id
             cached = get_cached_request_by_media_id(
                 media_info_id,
-                requested_by_norm=requested_by,
-                requested_by_id=requested_by_id,
             )
             if cached:
                 request_id = cached.get("request_id")
                 status = cached.get("status")
                 status_label = _status_label(status)
 
-        if user.get("role") != "admin":
         if isinstance(request_id, int):
+            details = get_request_cache_payload(request_id)
+            if not isinstance(details, dict):
                 details = await _get_request_details(client, request_id)
-                if not _request_matches_user(details, user.get("username", "")):
-                    continue
-            else:
-                continue
+            if user.get("role") == "admin":
+                requested_by = _request_display_name(details)
+            accessible = True
+            if status is not None:
+                is_available = await _request_is_available_in_jellyfin(
+                    jellyfin,
+                    title,
+                    year,
+                    media_type,
+                    details if isinstance(details, dict) else None,
+                    jellyfin_cache,
+                )
+                status_label = _status_label_with_jellyfin(status, is_available)
 
         results.append(
             {
@@ -1772,12 +1890,137 @@ async def search_requests(
                 "requestId": request_id,
                 "status": status,
                 "statusLabel": status_label,
+                "requestedBy": requested_by,
+                "accessible": accessible,
+                "posterPath": item.get("posterPath") or item.get("poster_path"),
+                "backdropPath": item.get("backdropPath") or item.get("backdrop_path"),
             }
         )
 
     return {"results": results}
 
 
+@router.post("/create")
+async def create_request(
+    payload: Dict[str, Any], user: Dict[str, Any] = Depends(get_current_user)
+) -> Dict[str, Any]:
+    runtime = get_runtime_settings()
+    client = JellyseerrClient(runtime.jellyseerr_base_url, runtime.jellyseerr_api_key)
+    if not client.configured():
+        raise HTTPException(status_code=400, detail="Seerr not configured")
+
+    media_type = _normalize_media_type(
+        payload.get("mediaType") or payload.get("type") or payload.get("media_type")
+    )
+    if media_type is None:
+        raise HTTPException(status_code=400, detail="mediaType must be 'movie' or 'tv'")
+
+    raw_tmdb_id = payload.get("tmdbId")
+    if raw_tmdb_id is None:
+        raw_tmdb_id = payload.get("mediaId")
+    if raw_tmdb_id is None:
+        raw_tmdb_id = payload.get("id")
+    try:
+        tmdb_id = int(raw_tmdb_id)
+    except (TypeError, ValueError) as exc:
+        raise HTTPException(status_code=400, detail="tmdbId must be a valid integer") from exc
+    if tmdb_id <= 0:
+        raise HTTPException(status_code=400, detail="tmdbId must be a positive integer")
+
+    seasons = _normalize_seasons(payload.get("seasons")) if media_type == "tv" else []
+    raw_is_4k = payload.get("is4k")
+    if raw_is_4k is not None and not isinstance(raw_is_4k, bool):
+        raise HTTPException(status_code=400, detail="is4k must be true or false")
+    is_4k = raw_is_4k if isinstance(raw_is_4k, bool) else None
+
+    try:
+        details = await (client.get_movie(tmdb_id) if media_type == "movie" else client.get_tv(tmdb_id))
+    except httpx.HTTPStatusError as exc:
+        raise HTTPException(status_code=502, detail=_format_upstream_error("Seerr", exc)) from exc
+
+    if not isinstance(details, dict):
+        raise HTTPException(status_code=502, detail="Invalid response from Seerr media lookup")
+
+    media_info = details.get("mediaInfo") if isinstance(details.get("mediaInfo"), dict) else {}
+    requests_list = media_info.get("requests")
+    existing_request: Optional[Dict[str, Any]] = None
+    if isinstance(requests_list, list) and requests_list:
+        first_request = requests_list[0]
+        if isinstance(first_request, dict):
+            existing_request = first_request
+
+    title = details.get("title") or details.get("name")
+    year: Optional[int] = None
+    date_value = details.get("releaseDate") or details.get("firstAirDate")
+    if isinstance(date_value, str) and len(date_value) >= 4 and date_value[:4].isdigit():
+        year = int(date_value[:4])
+
+    if isinstance(existing_request, dict):
+        existing_request_id = _quality_profile_id(existing_request.get("id"))
+        existing_status = existing_request.get("status")
+        if existing_request_id is not None:
+            request_payload = await _get_request_details(client, existing_request_id)
+            if isinstance(request_payload, dict):
+                parsed_payload = _parse_request_payload(request_payload)
+                upsert_request_cache(**_build_request_cache_record(parsed_payload, request_payload))
+                _cache_set(f"request:{existing_request_id}", request_payload)
+                title = parsed_payload.get("title") or title
+                year = parsed_payload.get("year") or year
+            return {
+                "status": "exists",
+                "requestId": existing_request_id,
+                "type": media_type,
+                "tmdbId": tmdb_id,
+                "title": title,
+                "year": year,
+                "statusCode": existing_status,
+                "statusLabel": _status_label(existing_status),
+            }
+
+    try:
+        created = await client.create_request(
+            media_type=media_type,
+            media_id=tmdb_id,
+            seasons=seasons if media_type == "tv" else None,
+            is_4k=is_4k,
+        )
+    except httpx.HTTPStatusError as exc:
+        raise HTTPException(status_code=502, detail=_format_upstream_error("Seerr", exc)) from exc
+
+    if not isinstance(created, dict):
+        raise HTTPException(status_code=502, detail="Invalid response from Seerr request create")
+
+    parsed = _parse_request_payload(created)
+    request_id = _quality_profile_id(parsed.get("request_id"))
+    status_code = parsed.get("status")
+    title = parsed.get("title") or title
+    year = parsed.get("year") or year
+
+    if request_id is not None:
+        upsert_request_cache(**_build_request_cache_record(parsed, created))
+        _cache_set(f"request:{request_id}", created)
+        _recent_cache["updated_at"] = None
+        await asyncio.to_thread(
+            save_action,
+            str(request_id),
+            "request_created",
+            "Create request",
+            "ok",
+            f"{media_type} request created from discovery by {user.get('username')}.",
+        )
+
+    return {
+        "status": "created",
+        "requestId": request_id,
+        "type": media_type,
+        "tmdbId": tmdb_id,
+        "title": title,
+        "year": year,
+        "statusCode": status_code,
+        "statusLabel": _status_label(status_code),
+    }
+
+
 @router.post("/{request_id}/ai/triage", response_model=TriageResult)
 async def ai_triage(request_id: str, user: Dict[str, str] = Depends(get_current_user)) -> TriageResult:
     runtime = get_runtime_settings()

backend/app/routers/site.py

@@ -24,6 +24,12 @@ def _build_site_info(include_changelog: bool) -> Dict[str, Any]:
             "message": banner_message,
             "tone": tone,
         },
+        "login": {
+            "showJellyfinLogin": bool(runtime.site_login_show_jellyfin_login),
+            "showLocalLogin": bool(runtime.site_login_show_local_login),
+            "showForgotPassword": bool(runtime.site_login_show_forgot_password),
+            "showSignupLink": bool(runtime.site_login_show_signup_link),
+        },
     }
     if include_changelog:
         info["changelog"] = (CHANGELOG or "").strip()

backend/app/routers/status.py

@@ -26,6 +26,35 @@ async def _check(name: str, configured: bool, func) -> Dict[str, Any]:
         return {"name": name, "status": "down", "message": str(exc)}
 
 
+async def _check_qbittorrent(qbittorrent: QBittorrentClient) -> Dict[str, Any]:
+    if not qbittorrent.base_url:
+        return {"name": "qBittorrent", "status": "not_configured"}
+    if not qbittorrent.username or not qbittorrent.password:
+        reachable = await qbittorrent.is_webui_reachable()
+        return {
+            "name": "qBittorrent",
+            "status": "degraded" if reachable else "not_configured",
+            "message": "qBittorrent credentials are incomplete" if reachable else "qBittorrent is not fully configured",
+        }
+    try:
+        result = await qbittorrent.get_app_version()
+        return {"name": "qBittorrent", "status": "up", "detail": result}
+    except RuntimeError as exc:
+        if "login failed" in str(exc).lower():
+            reachable = await qbittorrent.is_webui_reachable()
+            if reachable:
+                return {
+                    "name": "qBittorrent",
+                    "status": "degraded",
+                    "message": "qBittorrent is reachable but the saved credentials were rejected",
+                }
+        return {"name": "qBittorrent", "status": "down", "message": str(exc)}
+    except httpx.HTTPError as exc:
+        return {"name": "qBittorrent", "status": "down", "message": str(exc)}
+    except Exception as exc:
+        return {"name": "qBittorrent", "status": "down", "message": str(exc)}
+
+
 @router.get("/services")
 async def services_status() -> Dict[str, Any]:
     runtime = get_runtime_settings()
@@ -71,13 +100,7 @@ async def services_status() -> Dict[str, Any]:
             prowlarr_status["status"] = "degraded"
             prowlarr_status["message"] = "Health warnings"
     services.append(prowlarr_status)
-    services.append(
-        await _check(
-            "qBittorrent",
-            qbittorrent.configured(),
-            qbittorrent.get_app_version,
-        )
-    )
+    services.append(await _check_qbittorrent(qbittorrent))
     services.append(
         await _check(
             "Jellyfin",
@@ -122,10 +145,12 @@ async def test_service(service: str) -> Dict[str, Any]:
         "sonarr": ("Sonarr", sonarr.configured(), sonarr.get_system_status),
         "radarr": ("Radarr", radarr.configured(), radarr.get_system_status),
         "prowlarr": ("Prowlarr", prowlarr.configured(), prowlarr.get_health),
-        "qbittorrent": ("qBittorrent", qbittorrent.configured(), qbittorrent.get_app_version),
         "jellyfin": ("Jellyfin", jellyfin.configured(), jellyfin.get_system_info),
     }
 
+    if service_key == "qbittorrent":
+        return await _check_qbittorrent(qbittorrent)
+
     if service_key not in checks:
         raise HTTPException(status_code=404, detail="Unknown service")
 

backend/app/runtime.py

@@ -4,6 +4,12 @@ from .db import get_settings_overrides
 _INT_FIELDS = {
     "magent_application_port",
     "magent_api_port",
+    "auth_rate_limit_window_seconds",
+    "auth_rate_limit_max_attempts_ip",
+    "auth_rate_limit_max_attempts_user",
+    "password_reset_rate_limit_window_seconds",
+    "password_reset_rate_limit_max_attempts_ip",
+    "password_reset_rate_limit_max_attempts_identifier",
     "sonarr_quality_profile_id",
     "radarr_quality_profile_id",
     "jwt_exp_minutes",
@@ -29,6 +35,10 @@ _BOOL_FIELDS = {
     "magent_notify_webhook_enabled",
     "jellyfin_sync_to_arr",
     "site_banner_enabled",
+    "site_login_show_jellyfin_login",
+    "site_login_show_local_login",
+    "site_login_show_forgot_password",
+    "site_login_show_signup_link",
 }
 _SKIP_OVERRIDE_FIELDS = {"site_build_number", "site_changelog"}
 

backend/app/security.py

@@ -1,13 +1,16 @@
 from datetime import datetime, timedelta, timezone
 from typing import Any, Dict, Optional
 
-from jose import JWTError, jwt
 from passlib.context import CryptContext
+import jwt
+from jwt import InvalidTokenError
 
 from .config import settings
 
 _pwd_context = CryptContext(schemes=["pbkdf2_sha256"], deprecated="auto")
 _ALGORITHM = "HS256"
+MIN_PASSWORD_LENGTH = 8
+PASSWORD_POLICY_MESSAGE = f"Password must be at least {MIN_PASSWORD_LENGTH} characters."
 
 
 def hash_password(password: str) -> str:
@@ -18,6 +21,13 @@ def verify_password(plain_password: str, hashed_password: str) -> bool:
     return _pwd_context.verify(plain_password, hashed_password)
 
 
+def validate_password_policy(password: str) -> str:
+    candidate = password.strip()
+    if len(candidate) < MIN_PASSWORD_LENGTH:
+        raise ValueError(PASSWORD_POLICY_MESSAGE)
+    return candidate
+
+
 def _create_token(
     subject: str,
     role: str,
@@ -34,6 +44,8 @@ def _create_token(
     return jwt.encode(payload, settings.jwt_secret, algorithm=_ALGORITHM)
 
 def create_access_token(subject: str, role: str, expires_minutes: Optional[int] = None) -> str:
+    if not settings.jwt_secret:
+        raise ValueError("JWT_SECRET is not configured")
     minutes = expires_minutes or settings.jwt_exp_minutes
     expires = datetime.now(timezone.utc) + timedelta(minutes=minutes)
     return _create_token(subject, role, expires_at=expires, token_type="access")
@@ -45,6 +57,8 @@ def create_stream_token(subject: str, role: str, expires_seconds: int = 120) ->
 
 
 def decode_token(token: str) -> Dict[str, Any]:
+    if not settings.jwt_secret:
+        raise ValueError("JWT_SECRET is not configured")
     return jwt.decode(token, settings.jwt_secret, algorithms=[_ALGORITHM])
 
 
@@ -55,5 +69,5 @@ class TokenError(Exception):
 def safe_decode_token(token: str) -> Dict[str, Any]:
     try:
         return decode_token(token)
-    except JWTError as exc:
+    except InvalidTokenError as exc:
         raise TokenError("Invalid token") from exc

backend/app/services/diagnostics.py

@@ -16,7 +16,8 @@ from ..clients.qbittorrent import QBittorrentClient
 from ..clients.radarr import RadarrClient
 from ..clients.sonarr import SonarrClient
 from ..config import settings as env_settings
-from ..db import run_integrity_check
+from ..db import get_database_diagnostics
+from ..network_security import validate_notification_target_url
 from ..runtime import get_runtime_settings
 from .invite_email import send_test_email, smtp_email_config_ready, smtp_email_delivery_warning
 
@@ -97,7 +98,12 @@ def _config_status(detail: str) -> str:
 def _discord_config_ready(runtime) -> tuple[bool, str]:
     if not runtime.magent_notify_enabled or not runtime.magent_notify_discord_enabled:
         return False, "Discord notifications are disabled."
-    if _clean_text(runtime.magent_notify_discord_webhook_url) or _clean_text(runtime.discord_webhook_url):
+    webhook_url = _clean_text(runtime.magent_notify_discord_webhook_url) or _clean_text(runtime.discord_webhook_url)
+    if webhook_url:
+        try:
+            validate_notification_target_url(webhook_url)
+        except ValueError as exc:
+            return False, str(exc)
         return True, "ok"
     return False, "Discord webhook URL is required."
 
@@ -113,7 +119,12 @@ def _telegram_config_ready(runtime) -> tuple[bool, str]:
 def _webhook_config_ready(runtime) -> tuple[bool, str]:
     if not runtime.magent_notify_enabled or not runtime.magent_notify_webhook_enabled:
         return False, "Generic webhook notifications are disabled."
-    if _clean_text(runtime.magent_notify_webhook_url):
+    webhook_url = _clean_text(runtime.magent_notify_webhook_url)
+    if webhook_url:
+        try:
+            validate_notification_target_url(webhook_url)
+        except ValueError as exc:
+            return False, str(exc)
         return True, "ok"
     return False, "Generic webhook URL is required."
 
@@ -123,11 +134,21 @@ def _push_config_ready(runtime) -> tuple[bool, str]:
         return False, "Push notifications are disabled."
     provider = _clean_text(runtime.magent_notify_push_provider, "ntfy").lower()
     if provider == "ntfy":
-        if _clean_text(runtime.magent_notify_push_base_url) and _clean_text(runtime.magent_notify_push_topic):
+        push_url = _clean_text(runtime.magent_notify_push_base_url)
+        if push_url and _clean_text(runtime.magent_notify_push_topic):
+            try:
+                validate_notification_target_url(push_url)
+            except ValueError as exc:
+                return False, str(exc)
             return True, "ok"
         return False, "ntfy requires a base URL and topic."
     if provider == "gotify":
-        if _clean_text(runtime.magent_notify_push_base_url) and _clean_text(runtime.magent_notify_push_token):
+        push_url = _clean_text(runtime.magent_notify_push_base_url)
+        if push_url and _clean_text(runtime.magent_notify_push_token):
+            try:
+                validate_notification_target_url(push_url)
+            except ValueError as exc:
+                return False, str(exc)
             return True, "ok"
         return False, "Gotify requires a base URL and app token."
     if provider == "pushover":
@@ -135,7 +156,12 @@ def _push_config_ready(runtime) -> tuple[bool, str]:
             return True, "ok"
         return False, "Pushover requires an application token and user key."
     if provider == "webhook":
-        if _clean_text(runtime.magent_notify_push_base_url):
+        push_url = _clean_text(runtime.magent_notify_push_base_url)
+        if push_url:
+            try:
+                validate_notification_target_url(push_url)
+            except ValueError as exc:
+                return False, str(exc)
             return True, "ok"
         return False, "Webhook relay requires a target URL."
     if provider == "telegram":
@@ -190,6 +216,7 @@ async def _run_http_post(
     params: Optional[Dict[str, Any]] = None,
     headers: Optional[Dict[str, str]] = None,
 ) -> Dict[str, Any]:
+    validate_notification_target_url(url)
     async with httpx.AsyncClient(timeout=15.0, follow_redirects=True) as client:
         response = await client.post(url, json=json_payload, data=data_payload, params=params, headers=headers)
         response.raise_for_status()
@@ -205,12 +232,16 @@ async def _run_http_post(
 
 
 async def _run_database_check() -> Dict[str, Any]:
-    integrity = await asyncio.to_thread(run_integrity_check)
+    detail = await asyncio.to_thread(get_database_diagnostics)
+    integrity = _clean_text(detail.get("integrity_check"), "unknown")
+    requests_cached = detail.get("row_counts", {}).get("requests_cache", 0) if isinstance(detail, dict) else 0
+    wal_size_bytes = detail.get("wal_size_bytes", 0) if isinstance(detail, dict) else 0
+    wal_size_megabytes = round((float(wal_size_bytes or 0) / (1024 * 1024)), 2)
     status = "up" if integrity == "ok" else "degraded"
     return {
         "status": status,
-        "message": f"SQLite integrity_check returned {integrity}",
-        "detail": integrity,
+        "message": f"SQLite {integrity} · {requests_cached} cached requests · WAL {wal_size_megabytes:.2f} MB",
+        "detail": detail,
     }
 
 

backend/app/services/jellyfin_sync.py

@@ -6,12 +6,15 @@ from ..clients.jellyfin import JellyfinClient
 from ..db import (
     create_user_if_missing,
     get_user_by_username,
+    set_user_email,
     set_user_auth_provider,
     set_user_jellyseerr_id,
 )
 from ..runtime import get_runtime_settings
 from .user_cache import (
     build_jellyseerr_candidate_map,
+    extract_jellyseerr_user_email,
+    find_matching_jellyseerr_user,
     get_cached_jellyseerr_users,
     match_jellyseerr_user_id,
     save_jellyfin_users_cache,
@@ -41,10 +44,13 @@ async def sync_jellyfin_users() -> int:
         if not name:
             continue
         matched_id = match_jellyseerr_user_id(name, candidate_map) if candidate_map else None
+        matched_seerr_user = find_matching_jellyseerr_user(name, jellyseerr_users or [])
+        matched_email = extract_jellyseerr_user_email(matched_seerr_user)
         created = create_user_if_missing(
             name,
             "jellyfin-user",
             role="user",
+            email=matched_email,
             auth_provider="jellyfin",
             jellyseerr_user_id=matched_id,
         )
@@ -60,6 +66,8 @@ async def sync_jellyfin_users() -> int:
                 set_user_auth_provider(name, "jellyfin")
             if matched_id is not None:
                 set_user_jellyseerr_id(name, matched_id)
+            if matched_email:
+                set_user_email(name, matched_email)
     return imported
 
 

backend/app/services/notifications.py

@@ -0,0 +1,280 @@
+from __future__ import annotations
+
+import logging
+from typing import Any, Dict, Optional
+from urllib.parse import quote
+
+import httpx
+
+from ..config import settings as env_settings
+from ..db import get_setting
+from ..network_security import validate_notification_target_url
+from ..runtime import get_runtime_settings
+from .invite_email import send_generic_email
+
+logger = logging.getLogger(__name__)
+
+
+def _clean_text(value: Any, fallback: str = "") -> str:
+    if value is None:
+        return fallback
+    if isinstance(value, str):
+        trimmed = value.strip()
+        return trimmed if trimmed else fallback
+    return str(value)
+
+
+def _split_emails(value: str) -> list[str]:
+    if not value:
+        return []
+    parts = [entry.strip() for entry in value.replace(";", ",").split(",")]
+    return [entry for entry in parts if entry and "@" in entry]
+
+
+def _resolve_app_url() -> str:
+    runtime = get_runtime_settings()
+    for candidate in (
+        runtime.magent_application_url,
+        runtime.magent_proxy_base_url,
+        env_settings.cors_allow_origin,
+    ):
+        normalized = _clean_text(candidate)
+        if normalized:
+            return normalized.rstrip("/")
+    port = int(getattr(runtime, "magent_application_port", 3000) or 3000)
+    return f"http://localhost:{port}"
+
+
+def _portal_item_url(item_id: int) -> str:
+    return f"{_resolve_app_url()}/portal?item={item_id}"
+
+
+async def _http_post_json(url: str, payload: Dict[str, Any]) -> Dict[str, Any]:
+    validate_notification_target_url(url)
+    async with httpx.AsyncClient(timeout=12.0) as client:
+        response = await client.post(url, json=payload)
+        response.raise_for_status()
+        try:
+            body = response.json()
+        except ValueError:
+            body = response.text
+    return {"status_code": response.status_code, "body": body}
+
+
+async def _send_discord(title: str, message: str, payload: Dict[str, Any]) -> Dict[str, Any]:
+    runtime = get_runtime_settings()
+    webhook = _clean_text(runtime.magent_notify_discord_webhook_url) or _clean_text(
+        runtime.discord_webhook_url
+    )
+    if not webhook:
+        return {"status": "skipped", "detail": "Discord webhook not configured."}
+    data = {
+        "content": f"**{title}**\n{message}",
+        "embeds": [
+            {
+                "title": title,
+                "description": message,
+                "fields": [
+                    {"name": "Type", "value": _clean_text(payload.get("kind"), "unknown"), "inline": True},
+                    {"name": "Status", "value": _clean_text(payload.get("status"), "unknown"), "inline": True},
+                    {"name": "Priority", "value": _clean_text(payload.get("priority"), "normal"), "inline": True},
+                ],
+                "url": _clean_text(payload.get("item_url")),
+            }
+        ],
+    }
+    result = await _http_post_json(webhook, data)
+    return {"status": "ok", "detail": f"Discord accepted ({result['status_code']})."}
+
+
+async def _send_telegram(title: str, message: str) -> Dict[str, Any]:
+    runtime = get_runtime_settings()
+    bot_token = _clean_text(runtime.magent_notify_telegram_bot_token)
+    chat_id = _clean_text(runtime.magent_notify_telegram_chat_id)
+    if not bot_token or not chat_id:
+        return {"status": "skipped", "detail": "Telegram is not configured."}
+    url = f"https://api.telegram.org/bot{bot_token}/sendMessage"
+    payload = {"chat_id": chat_id, "text": f"{title}\n\n{message}", "disable_web_page_preview": True}
+    result = await _http_post_json(url, payload)
+    return {"status": "ok", "detail": f"Telegram accepted ({result['status_code']})."}
+
+
+async def _send_webhook(payload: Dict[str, Any]) -> Dict[str, Any]:
+    runtime = get_runtime_settings()
+    webhook = _clean_text(runtime.magent_notify_webhook_url)
+    if not webhook:
+        return {"status": "skipped", "detail": "Generic webhook is not configured."}
+    result = await _http_post_json(webhook, payload)
+    return {"status": "ok", "detail": f"Webhook accepted ({result['status_code']})."}
+
+
+async def _send_push(title: str, message: str, payload: Dict[str, Any]) -> Dict[str, Any]:
+    runtime = get_runtime_settings()
+    provider = _clean_text(runtime.magent_notify_push_provider, "ntfy").lower()
+    base_url = _clean_text(runtime.magent_notify_push_base_url)
+    token = _clean_text(runtime.magent_notify_push_token)
+    topic = _clean_text(runtime.magent_notify_push_topic)
+    if provider == "ntfy":
+        if not base_url or not topic:
+            return {"status": "skipped", "detail": "ntfy needs base URL and topic."}
+        validate_notification_target_url(base_url)
+        url = f"{base_url.rstrip('/')}/{quote(topic)}"
+        headers = {"Title": title, "Tags": "magent,portal"}
+        async with httpx.AsyncClient(timeout=12.0) as client:
+            response = await client.post(url, content=message.encode("utf-8"), headers=headers)
+            response.raise_for_status()
+        return {"status": "ok", "detail": f"ntfy accepted ({response.status_code})."}
+    if provider == "gotify":
+        if not base_url or not token:
+            return {"status": "skipped", "detail": "Gotify needs base URL and token."}
+        validate_notification_target_url(base_url)
+        url = f"{base_url.rstrip('/')}/message?token={quote(token)}"
+        body = {"title": title, "message": message, "priority": 5, "extras": {"client::display": {"contentType": "text/plain"}}}
+        result = await _http_post_json(url, body)
+        return {"status": "ok", "detail": f"Gotify accepted ({result['status_code']})."}
+    if provider == "pushover":
+        user_key = _clean_text(runtime.magent_notify_push_user_key)
+        if not token or not user_key:
+            return {"status": "skipped", "detail": "Pushover needs token and user key."}
+        form = {"token": token, "user": user_key, "title": title, "message": message}
+        async with httpx.AsyncClient(timeout=12.0) as client:
+            response = await client.post("https://api.pushover.net/1/messages.json", data=form)
+            response.raise_for_status()
+        return {"status": "ok", "detail": f"Pushover accepted ({response.status_code})."}
+    if provider == "discord":
+        return await _send_discord(title, message, payload)
+    if provider == "telegram":
+        return await _send_telegram(title, message)
+    if provider == "webhook":
+        return await _send_webhook(payload)
+    return {"status": "skipped", "detail": f"Unsupported push provider '{provider}'."}
+
+
+async def _send_email(title: str, message: str, payload: Dict[str, Any]) -> Dict[str, Any]:
+    runtime = get_runtime_settings()
+    recipients = _split_emails(_clean_text(get_setting("portal_notification_recipients")))
+    fallback = _clean_text(runtime.magent_notify_email_from_address)
+    if fallback and fallback not in recipients:
+        recipients.append(fallback)
+    if not recipients:
+        return {"status": "skipped", "detail": "No portal notification recipient is configured."}
+
+    body_text = (
+        f"{title}\n\n"
+        f"{message}\n\n"
+        f"Kind: {_clean_text(payload.get('kind'))}\n"
+        f"Status: {_clean_text(payload.get('status'))}\n"
+        f"Priority: {_clean_text(payload.get('priority'))}\n"
+        f"Requested by: {_clean_text(payload.get('requested_by'))}\n"
+        f"Open: {_clean_text(payload.get('item_url'))}\n"
+    )
+    body_html = (
+        "<div style=\"font-family:Segoe UI,Arial,sans-serif; color:#132033;\">"
+        f"<h2 style=\"margin:0 0 12px;\">{title}</h2>"
+        f"<p style=\"margin:0 0 16px; line-height:1.7;\">{message}</p>"
+        "<table style=\"border-collapse:collapse; width:100%; margin:0 0 16px;\">"
+        f"<tr><td style=\"padding:6px 0; color:#6b778c;\">Kind</td><td style=\"padding:6px 0; font-weight:700;\">{_clean_text(payload.get('kind'))}</td></tr>"
+        f"<tr><td style=\"padding:6px 0; color:#6b778c;\">Status</td><td style=\"padding:6px 0; font-weight:700;\">{_clean_text(payload.get('status'))}</td></tr>"
+        f"<tr><td style=\"padding:6px 0; color:#6b778c;\">Priority</td><td style=\"padding:6px 0; font-weight:700;\">{_clean_text(payload.get('priority'))}</td></tr>"
+        f"<tr><td style=\"padding:6px 0; color:#6b778c;\">Requested by</td><td style=\"padding:6px 0; font-weight:700;\">{_clean_text(payload.get('requested_by'))}</td></tr>"
+        "</table>"
+        f"<a href=\"{_clean_text(payload.get('item_url'))}\" style=\"display:inline-block; padding:10px 16px; border-radius:999px; background:#1c6bff; color:#fff; text-decoration:none; font-weight:700;\">Open portal item</a>"
+        "</div>"
+    )
+    deliveries: list[Dict[str, Any]] = []
+    for recipient in recipients:
+        try:
+            result = await send_generic_email(
+                recipient_email=recipient,
+                subject=title,
+                body_text=body_text,
+                body_html=body_html,
+            )
+            deliveries.append({"recipient": recipient, "status": "ok", **result})
+        except Exception as exc:
+            deliveries.append({"recipient": recipient, "status": "error", "detail": str(exc)})
+    successful = [entry for entry in deliveries if entry.get("status") == "ok"]
+    if successful:
+        return {"status": "ok", "detail": f"Email sent to {len(successful)} recipient(s).", "deliveries": deliveries}
+    return {"status": "error", "detail": "Email delivery failed for all recipients.", "deliveries": deliveries}
+
+
+async def send_portal_notification(
+    *,
+    event_type: str,
+    item: Dict[str, Any],
+    actor_username: str,
+    actor_role: str,
+    note: Optional[str] = None,
+) -> Dict[str, Any]:
+    runtime = get_runtime_settings()
+    if not runtime.magent_notify_enabled:
+        return {"status": "skipped", "detail": "Notifications are disabled.", "channels": {}}
+
+    item_id = int(item.get("id") or 0)
+    title = f"{env_settings.app_name} portal update: {item.get('title') or f'Item #{item_id}'}"
+    message_lines = [
+        f"Event: {event_type}",
+        f"Actor: {actor_username} ({actor_role})",
+        f"Item #{item_id} is now '{_clean_text(item.get('status'), 'unknown')}'.",
+    ]
+    if note:
+        message_lines.append(f"Note: {note}")
+    message_lines.append(f"Open: {_portal_item_url(item_id)}")
+    message = "\n".join(message_lines)
+    payload = {
+        "type": "portal.notification",
+        "event": event_type,
+        "item_id": item_id,
+        "item_url": _portal_item_url(item_id),
+        "kind": _clean_text(item.get("kind")),
+        "status": _clean_text(item.get("status")),
+        "priority": _clean_text(item.get("priority")),
+        "requested_by": _clean_text(item.get("created_by_username")),
+        "actor_username": actor_username,
+        "actor_role": actor_role,
+        "note": note or "",
+    }
+
+    channels: Dict[str, Dict[str, Any]] = {}
+    if runtime.magent_notify_discord_enabled:
+        try:
+            channels["discord"] = await _send_discord(title, message, payload)
+        except Exception as exc:
+            channels["discord"] = {"status": "error", "detail": str(exc)}
+    if runtime.magent_notify_telegram_enabled:
+        try:
+            channels["telegram"] = await _send_telegram(title, message)
+        except Exception as exc:
+            channels["telegram"] = {"status": "error", "detail": str(exc)}
+    if runtime.magent_notify_webhook_enabled:
+        try:
+            channels["webhook"] = await _send_webhook(payload)
+        except Exception as exc:
+            channels["webhook"] = {"status": "error", "detail": str(exc)}
+    if runtime.magent_notify_push_enabled:
+        try:
+            channels["push"] = await _send_push(title, message, payload)
+        except Exception as exc:
+            channels["push"] = {"status": "error", "detail": str(exc)}
+    if runtime.magent_notify_email_enabled:
+        try:
+            channels["email"] = await _send_email(title, message, payload)
+        except Exception as exc:
+            channels["email"] = {"status": "error", "detail": str(exc)}
+
+    successful = [name for name, value in channels.items() if value.get("status") == "ok"]
+    failed = [name for name, value in channels.items() if value.get("status") == "error"]
+    skipped = [name for name, value in channels.items() if value.get("status") == "skipped"]
+    logger.info(
+        "portal notification event=%s item_id=%s successful=%s failed=%s skipped=%s",
+        event_type,
+        item_id,
+        successful,
+        failed,
+        skipped,
+    )
+    overall = "ok" if successful and not failed else "error" if failed and not successful else "partial"
+    if not channels:
+        overall = "skipped"
+    return {"status": overall, "channels": channels}

backend/app/services/password_reset.py

@@ -112,6 +112,9 @@ async def _fetch_all_seerr_users() -> list[dict]:
 
 def _resolve_seerr_user_email(seerr_user: Optional[dict], local_user: Optional[dict]) -> Optional[str]:
     if isinstance(local_user, dict):
+        stored_email = str(local_user.get("email") or "").strip()
+        if "@" in stored_email:
+            return stored_email
         username = str(local_user.get("username") or "").strip()
         if "@" in username:
             return username

backend/app/services/snapshot.py

@@ -1,6 +1,7 @@
 from typing import Any, Dict, List, Optional
 import asyncio
 import logging
+import re
 from datetime import datetime, timezone
 from urllib.parse import quote
 import httpx
@@ -57,6 +58,100 @@ def _pick_first(value: Any) -> Optional[Dict[str, Any]]:
     return None
 
 
+def _normalize_media_title(value: Any) -> Optional[str]:
+    if not isinstance(value, str):
+        return None
+    normalized = re.sub(r"[^a-z0-9]+", " ", value.lower()).strip()
+    return normalized or None
+
+
+def _canonical_provider_key(value: str) -> str:
+    normalized = value.strip().lower()
+    if normalized.endswith("id"):
+        normalized = normalized[:-2]
+    return normalized
+
+
+def extract_request_provider_ids(payload: Any) -> Dict[str, str]:
+    provider_ids: Dict[str, str] = {}
+    candidates: List[Any] = []
+    if isinstance(payload, dict):
+        candidates.append(payload)
+        media = payload.get("media")
+        if isinstance(media, dict):
+            candidates.append(media)
+    for candidate in candidates:
+        if not isinstance(candidate, dict):
+            continue
+        embedded = candidate.get("ProviderIds") or candidate.get("providerIds")
+        if isinstance(embedded, dict):
+            for key, value in embedded.items():
+                if value is None:
+                    continue
+                text = str(value).strip()
+                if text:
+                    provider_ids[_canonical_provider_key(str(key))] = text
+        for key in ("tmdbId", "tvdbId", "imdbId", "tmdb_id", "tvdb_id", "imdb_id"):
+            value = candidate.get(key)
+            if value is None:
+                continue
+            text = str(value).strip()
+            if text:
+                provider_ids[_canonical_provider_key(key)] = text
+    return provider_ids
+
+
+def jellyfin_item_matches_request(
+    item: Dict[str, Any],
+    *,
+    title: Optional[str],
+    year: Optional[int],
+    request_type: RequestType,
+    request_payload: Optional[Dict[str, Any]] = None,
+) -> bool:
+    request_provider_ids = extract_request_provider_ids(request_payload or {})
+    item_provider_ids = extract_request_provider_ids(item)
+
+    provider_priority = ("tmdb", "tvdb", "imdb")
+    for key in provider_priority:
+        request_id = request_provider_ids.get(key)
+        item_id = item_provider_ids.get(key)
+        if request_id and item_id and request_id == item_id:
+            return True
+
+    request_title = _normalize_media_title(title)
+    if not request_title:
+        return False
+
+    item_titles = [
+        _normalize_media_title(item.get("Name")),
+        _normalize_media_title(item.get("OriginalTitle")),
+        _normalize_media_title(item.get("SortName")),
+        _normalize_media_title(item.get("SeriesName")),
+        _normalize_media_title(item.get("title")),
+    ]
+    item_titles = [candidate for candidate in item_titles if candidate]
+
+    item_year = item.get("ProductionYear") or item.get("Year")
+    try:
+        item_year_value = int(item_year) if item_year is not None else None
+    except (TypeError, ValueError):
+        item_year_value = None
+
+    if year and item_year_value and int(year) != item_year_value:
+        return False
+
+    if request_title in item_titles:
+        return True
+
+    if request_type == RequestType.tv:
+        for candidate in item_titles:
+            if candidate and (candidate.startswith(request_title) or request_title.startswith(candidate)):
+                return True
+
+    return False
+
+
 def _extract_http_error_message(exc: httpx.HTTPStatusError) -> Optional[str]:
     response = exc.response
     if response is None:
@@ -513,7 +608,7 @@ async def build_snapshot(request_id: str) -> Snapshot:
     if jellyfin.configured() and snapshot.title:
         types = ["Movie"] if snapshot.request_type == RequestType.movie else ["Series"]
         try:
-            search = await jellyfin.search_items(snapshot.title, types)
+            search = await jellyfin.search_items(snapshot.title, types, limit=50)
         except Exception:
             search = None
         if isinstance(search, dict):
@@ -521,11 +616,13 @@ async def build_snapshot(request_id: str) -> Snapshot:
             for item in items:
                 if not isinstance(item, dict):
                     continue
-                name = item.get("Name") or item.get("title")
-                year = item.get("ProductionYear") or item.get("Year")
-                if name and name.strip().lower() == (snapshot.title or "").strip().lower():
-                    if snapshot.year and year and int(year) != int(snapshot.year):
-                        continue
+                if jellyfin_item_matches_request(
+                    item,
+                    title=snapshot.title,
+                    year=snapshot.year,
+                    request_type=snapshot.request_type,
+                    request_payload=jelly_request,
+                ):
                     jellyfin_available = True
                     jellyfin_item = item
                     break
@@ -646,12 +743,22 @@ async def build_snapshot(request_id: str) -> Snapshot:
         snapshot.state = NormalizedState.added_to_arr
         snapshot.state_reason = "Item is present in Sonarr/Radarr"
 
-    if jellyfin_available and snapshot.state not in {
-        NormalizedState.downloading,
-        NormalizedState.importing,
-    }:
+    if jellyfin_available:
+        missing_episodes = arr_details.get("missingEpisodes")
+        if snapshot.request_type == RequestType.tv and isinstance(missing_episodes, dict) and missing_episodes:
+            snapshot.state = NormalizedState.importing
+            snapshot.state_reason = "Some episodes are available in Jellyfin, but the request is still incomplete."
+            for hop in timeline:
+                if hop.service == "Seerr":
+                    hop.status = "Partially ready"
+        else:
             snapshot.state = NormalizedState.completed
             snapshot.state_reason = "Ready to watch in Jellyfin."
+            for hop in timeline:
+                if hop.service == "Seerr":
+                    hop.status = "Available"
+                elif hop.service == "Sonarr/Radarr" and hop.status not in {"error"}:
+                    hop.status = "available"
 
     snapshot.timeline = timeline
     actions: List[ActionOption] = []

backend/app/services/user_cache.py

@@ -89,6 +89,33 @@ def build_jellyseerr_candidate_map(users: List[Dict[str, Any]]) -> Dict[str, int
     return candidate_to_id
 
 
+def find_matching_jellyseerr_user(
+    identifier: str, users: List[Dict[str, Any]]
+) -> Optional[Dict[str, Any]]:
+    target_handles = set(_normalized_handles(identifier))
+    if not target_handles:
+        return None
+    for user in users:
+        if not isinstance(user, dict):
+            continue
+        for key in ("username", "email", "displayName", "name"):
+            if target_handles.intersection(_normalized_handles(user.get(key))):
+                return user
+    return None
+
+
+def extract_jellyseerr_user_email(user: Optional[Dict[str, Any]]) -> Optional[str]:
+    if not isinstance(user, dict):
+        return None
+    value = user.get("email")
+    if not isinstance(value, str):
+        return None
+    candidate = value.strip()
+    if not candidate or "@" not in candidate:
+        return None
+    return candidate
+
+
 def match_jellyseerr_user_id(
     username: str, candidate_map: Dict[str, int]
 ) -> Optional[int]:

backend/requirements.txt

@@ -3,7 +3,7 @@ uvicorn==0.41.0
 httpx==0.28.1
 pydantic==2.12.5
 pydantic-settings==2.13.1
-python-jose[cryptography]==3.5.0
+PyJWT==2.11.0
 passlib==1.7.4
 python-multipart==0.0.22
 Pillow==12.1.1

backend/tests/test_backend_quality.py

@@ -0,0 +1,246 @@
+import os
+import tempfile
+import unittest
+from unittest.mock import AsyncMock, patch
+
+from fastapi import HTTPException
+from starlette.requests import Request
+
+from backend.app import db
+from backend.app.config import settings
+from backend.app.network_security import request_trusts_forwarded_headers, validate_notification_target_url
+from backend.app.routers import auth as auth_router
+from backend.app.routers import portal as portal_router
+from backend.app.routers import status as status_router
+from backend.app.security import PASSWORD_POLICY_MESSAGE, validate_password_policy
+from backend.app.services import password_reset
+
+
+def _build_request(ip: str = "127.0.0.1", user_agent: str = "backend-test") -> Request:
+    scope = {
+        "type": "http",
+        "http_version": "1.1",
+        "method": "POST",
+        "scheme": "http",
+        "path": "/auth/password/forgot",
+        "raw_path": b"/auth/password/forgot",
+        "query_string": b"",
+        "headers": [(b"user-agent", user_agent.encode("utf-8"))],
+        "client": (ip, 12345),
+        "server": ("testserver", 8000),
+    }
+
+    async def receive() -> dict:
+        return {"type": "http.request", "body": b"", "more_body": False}
+
+    return Request(scope, receive)
+
+
+class TempDatabaseMixin:
+    def setUp(self) -> None:
+        super_method = getattr(super(), "setUp", None)
+        if callable(super_method):
+            super_method()
+        self._tempdir = tempfile.TemporaryDirectory(ignore_cleanup_errors=True)
+        self._original_sqlite_path = settings.sqlite_path
+        self._original_journal_mode = getattr(settings, "sqlite_journal_mode", "DELETE")
+        settings.sqlite_path = os.path.join(self._tempdir.name, "test.db")
+        settings.sqlite_journal_mode = "DELETE"
+        auth_router._LOGIN_ATTEMPTS_BY_IP.clear()
+        auth_router._LOGIN_ATTEMPTS_BY_USER.clear()
+        auth_router._RESET_ATTEMPTS_BY_IP.clear()
+        auth_router._RESET_ATTEMPTS_BY_IDENTIFIER.clear()
+        db.init_db()
+
+    def tearDown(self) -> None:
+        settings.sqlite_path = self._original_sqlite_path
+        settings.sqlite_journal_mode = self._original_journal_mode
+        auth_router._LOGIN_ATTEMPTS_BY_IP.clear()
+        auth_router._LOGIN_ATTEMPTS_BY_USER.clear()
+        auth_router._RESET_ATTEMPTS_BY_IP.clear()
+        auth_router._RESET_ATTEMPTS_BY_IDENTIFIER.clear()
+        self._tempdir.cleanup()
+        super_method = getattr(super(), "tearDown", None)
+        if callable(super_method):
+            super_method()
+
+
+class PasswordPolicyTests(unittest.TestCase):
+    def test_validate_password_policy_rejects_short_passwords(self) -> None:
+        with self.assertRaisesRegex(ValueError, PASSWORD_POLICY_MESSAGE):
+            validate_password_policy("short")
+
+    def test_validate_password_policy_trims_whitespace(self) -> None:
+        self.assertEqual(validate_password_policy("  password123  "), "password123")
+
+
+class NetworkSecurityTests(unittest.TestCase):
+    def test_notification_targets_reject_loopback(self) -> None:
+        with self.assertRaisesRegex(ValueError, "Private or local notification targets are not allowed."):
+            validate_notification_target_url("http://127.0.0.1:8080/webhook")
+
+    def test_forwarded_headers_require_trusted_proxy(self) -> None:
+        original_enabled = settings.magent_proxy_enabled
+        original_trust = settings.magent_proxy_trust_forwarded_headers
+        original_proxies = settings.magent_proxy_trusted_proxies
+        settings.magent_proxy_enabled = True
+        settings.magent_proxy_trust_forwarded_headers = True
+        settings.magent_proxy_trusted_proxies = "127.0.0.1,::1"
+        try:
+            self.assertTrue(request_trusts_forwarded_headers("127.0.0.1"))
+            self.assertFalse(request_trusts_forwarded_headers("203.0.113.10"))
+        finally:
+            settings.magent_proxy_enabled = original_enabled
+            settings.magent_proxy_trust_forwarded_headers = original_trust
+            settings.magent_proxy_trusted_proxies = original_proxies
+
+
+class ServiceStatusTests(unittest.IsolatedAsyncioTestCase):
+    async def test_qbittorrent_incomplete_credentials_report_degraded_when_reachable(self) -> None:
+        client = status_router.QBittorrentClient("http://10.0.0.2:8080", "admin", None)
+        with patch.object(client, "is_webui_reachable", new=AsyncMock(return_value=True)):
+            result = await status_router._check_qbittorrent(client)
+
+        self.assertEqual(result["status"], "degraded")
+        self.assertIn("credentials", result["message"].lower())
+
+    async def test_qbittorrent_rejected_credentials_report_degraded_when_reachable(self) -> None:
+        client = status_router.QBittorrentClient("http://10.0.0.2:8080", "admin", "secret")
+        with patch.object(
+            client,
+            "get_app_version",
+            new=AsyncMock(side_effect=RuntimeError("qBittorrent login failed")),
+        ), patch.object(client, "is_webui_reachable", new=AsyncMock(return_value=True)):
+            result = await status_router._check_qbittorrent(client)
+
+        self.assertEqual(result["status"], "degraded")
+        self.assertIn("credentials", result["message"].lower())
+
+
+class DatabaseEmailTests(TempDatabaseMixin, unittest.TestCase):
+    def test_set_user_email_is_case_insensitive(self) -> None:
+        created = db.create_user_if_missing(
+            "MixedCaseUser",
+            "password123",
+            email=None,
+            auth_provider="local",
+        )
+        self.assertTrue(created)
+        updated = db.set_user_email("mixedcaseuser", "mixed@example.com")
+        self.assertTrue(updated)
+        stored = db.get_user_by_username("MIXEDCASEUSER")
+        self.assertIsNotNone(stored)
+        self.assertEqual(stored.get("email"), "mixed@example.com")
+
+
+class AuthFlowTests(TempDatabaseMixin, unittest.IsolatedAsyncioTestCase):
+    async def test_forgot_password_is_rate_limited(self) -> None:
+        request = _build_request(ip="10.1.2.3")
+        payload = {"identifier": "resetuser@example.com"}
+        with patch.object(auth_router, "smtp_email_config_ready", return_value=(True, "")), patch.object(
+            auth_router,
+            "request_password_reset",
+            new=AsyncMock(return_value={"status": "ok", "issued": False}),
+        ):
+            for _ in range(3):
+                result = await auth_router.forgot_password(payload, request)
+                self.assertEqual(result["status"], "ok")
+
+            with self.assertRaises(HTTPException) as context:
+                await auth_router.forgot_password(payload, request)
+
+        self.assertEqual(context.exception.status_code, 429)
+        self.assertEqual(
+            context.exception.detail,
+            "Too many password reset attempts. Try again shortly.",
+        )
+
+    async def test_request_password_reset_prefers_local_user_email(self) -> None:
+        db.create_user_if_missing(
+            "ResetUser",
+            "password123",
+            email="local@example.com",
+            auth_provider="local",
+        )
+        with patch.object(
+            password_reset,
+            "send_password_reset_email",
+            new=AsyncMock(return_value={"status": "ok"}),
+        ) as send_email:
+            result = await password_reset.request_password_reset("ResetUser")
+
+        self.assertTrue(result["issued"])
+        self.assertEqual(result["recipient_email"], "local@example.com")
+        send_email.assert_awaited_once()
+        self.assertEqual(send_email.await_args.kwargs["recipient_email"], "local@example.com")
+
+    async def test_profile_invite_requires_recipient_email(self) -> None:
+        current_user = {
+            "username": "invite-owner",
+            "role": "user",
+            "invite_management_enabled": True,
+            "profile_id": None,
+        }
+        with self.assertRaises(HTTPException) as context:
+            await auth_router.create_profile_invite({"label": "Missing email"}, current_user)
+
+        self.assertEqual(context.exception.status_code, 400)
+        self.assertEqual(
+            context.exception.detail,
+            "recipient_email is required and must be a valid email address.",
+        )
+
+
+class PortalWorkflowTests(TempDatabaseMixin, unittest.TestCase):
+    def test_legacy_request_status_maps_to_workflow(self) -> None:
+        item = {"kind": "request", "status": "in_progress"}
+        serialized = portal_router._serialize_item(item, {"username": "tester", "role": "user"})
+        workflow = serialized.get("workflow") or {}
+        self.assertEqual(workflow.get("request_status"), "approved")
+        self.assertEqual(workflow.get("media_status"), "processing")
+
+    def test_invalid_pipeline_transition_is_rejected(self) -> None:
+        with self.assertRaises(HTTPException) as context:
+            portal_router._validate_pipeline_transition(
+                "approved",
+                "processing",
+                "pending",
+                "pending",
+            )
+        self.assertEqual(context.exception.status_code, 400)
+
+    def test_portal_workflow_filters(self) -> None:
+        db.create_portal_item(
+            kind="request",
+            title="Request A",
+            description="A",
+            created_by_username="alpha",
+            created_by_id=None,
+            status="processing",
+            workflow_request_status="approved",
+            workflow_media_status="processing",
+        )
+        db.create_portal_item(
+            kind="request",
+            title="Request B",
+            description="B",
+            created_by_username="bravo",
+            created_by_id=None,
+            status="pending",
+            workflow_request_status="pending",
+            workflow_media_status="pending",
+        )
+        processing = db.list_portal_items(
+            kind="request",
+            workflow_request_status="approved",
+            workflow_media_status="processing",
+            limit=10,
+            offset=0,
+        )
+        pending_count = db.count_portal_items(
+            kind="request",
+            workflow_request_status="pending",
+            workflow_media_status="pending",
+        )
+        self.assertEqual(len(processing), 1)
+        self.assertEqual(pending_count, 1)

frontend/app/admin/SettingsPage.tsx

@@ -40,6 +40,10 @@ const SECTION_LABELS: Record<string, string> = {
 const BOOL_SETTINGS = new Set([
   'jellyfin_sync_to_arr',
   'site_banner_enabled',
+  'site_login_show_jellyfin_login',
+  'site_login_show_local_login',
+  'site_login_show_forgot_password',
+  'site_login_show_signup_link',
   'magent_proxy_enabled',
   'magent_proxy_trust_forwarded_headers',
   'magent_ssl_bind_enabled',
@@ -104,7 +108,7 @@ const SECTION_DESCRIPTIONS: Record<string, string> = {
   qbittorrent: 'Downloader connection settings.',
   requests: 'Control how often requests are refreshed and cleaned up.',
   log: 'Activity log for troubleshooting.',
-  site: 'Sitewide banner and version details. The changelog is generated from git history during release builds.',
+  site: 'Sitewide banner, login page visibility, and version details. The changelog is generated from git history during release builds.',
 }
 
 const SETTINGS_SECTION_MAP: Record<string, string | null> = {
@@ -239,6 +243,31 @@ const MAGENT_GROUPS_BY_SECTION: Record<string, Set<string>> = {
   ]),
 }
 
+const SITE_SECTION_GROUPS: Array<{
+  key: string
+  title: string
+  description: string
+  keys: string[]
+}> = [
+  {
+    key: 'site-banner',
+    title: 'Site Banner',
+    description: 'Control the sitewide banner message, tone, and visibility.',
+    keys: ['site_banner_enabled', 'site_banner_tone', 'site_banner_message'],
+  },
+  {
+    key: 'site-login',
+    title: 'Login Page Behaviour',
+    description: 'Control which sign-in and recovery options are shown on the logged-out login page.',
+    keys: [
+      'site_login_show_jellyfin_login',
+      'site_login_show_local_login',
+      'site_login_show_forgot_password',
+      'site_login_show_signup_link',
+    ],
+  },
+]
+
 const SETTING_LABEL_OVERRIDES: Record<string, string> = {
   jellyseerr_base_url: 'Seerr base URL',
   jellyseerr_api_key: 'Seerr API key',
@@ -280,6 +309,10 @@ const SETTING_LABEL_OVERRIDES: Record<string, string> = {
   magent_notify_push_device: 'Device / target',
   magent_notify_webhook_enabled: 'Generic webhook notifications enabled',
   magent_notify_webhook_url: 'Generic webhook URL',
+  site_login_show_jellyfin_login: 'Login page: Jellyfin sign-in',
+  site_login_show_local_login: 'Login page: local Magent sign-in',
+  site_login_show_forgot_password: 'Login page: forgot password',
+  site_login_show_signup_link: 'Login page: invite signup link',
   log_file_max_bytes: 'Log file max size (bytes)',
   log_file_backup_count: 'Rotated log files to keep',
   log_http_client_level: 'Service HTTP log level',
@@ -551,6 +584,7 @@ export default function SettingsPage({ section }: SettingsPageProps) {
 
   const settingsSection = SETTINGS_SECTION_MAP[section] ?? null
   const isMagentGroupedSection = section === 'magent' || section === 'general' || section === 'notifications'
+  const isSiteGroupedSection = section === 'site'
   const visibleSections = settingsSection ? [settingsSection] : []
   const isCacheSection = section === 'cache'
   const cacheSettingKeys = new Set(['requests_sync_ttl_minutes', 'requests_data_source'])
@@ -564,6 +598,15 @@ export default function SettingsPage({ section }: SettingsPageProps) {
     'requests_cleanup_time',
     'requests_cleanup_days',
   ]
+  const siteSettingOrder = [
+    'site_banner_enabled',
+    'site_banner_message',
+    'site_banner_tone',
+    'site_login_show_jellyfin_login',
+    'site_login_show_local_login',
+    'site_login_show_forgot_password',
+    'site_login_show_signup_link',
+  ]
   const sortByOrder = (items: AdminSetting[], order: string[]) => {
     const position = new Map(order.map((key, index) => [key, index]))
     return [...items].sort((a, b) => {
@@ -603,6 +646,22 @@ export default function SettingsPage({ section }: SettingsPageProps) {
           })
           return groups
         })()
+      : isSiteGroupedSection
+        ? (() => {
+            const siteItems = groupedSettings.site ?? []
+            const byKey = new Map(siteItems.map((item) => [item.key, item]))
+            return SITE_SECTION_GROUPS.map((group) => {
+              const items = group.keys
+                .map((key) => byKey.get(key))
+                .filter((item): item is AdminSetting => Boolean(item))
+              return {
+                key: group.key,
+                title: group.title,
+                description: group.description,
+                items,
+              }
+            })
+          })()
       : visibleSections.map((sectionKey) => ({
           key: sectionKey,
           title: SECTION_LABELS[sectionKey] ?? sectionKey,
@@ -615,6 +674,9 @@ export default function SettingsPage({ section }: SettingsPageProps) {
             if (sectionKey === 'requests') {
               return sortByOrder(filtered, requestSettingOrder)
             }
+            if (sectionKey === 'site') {
+              return sortByOrder(filtered, siteSettingOrder)
+            }
             return filtered
           })(),
         }))
@@ -748,6 +810,10 @@ export default function SettingsPage({ section }: SettingsPageProps) {
     site_banner_enabled: 'Enable a sitewide banner for announcements.',
     site_banner_message: 'Short banner message for maintenance or updates.',
     site_banner_tone: 'Visual tone for the banner.',
+    site_login_show_jellyfin_login: 'Show the Jellyfin login button on the login page.',
+    site_login_show_local_login: 'Show the local Magent login button on the login page.',
+    site_login_show_forgot_password: 'Show the forgot-password link on the login page.',
+    site_login_show_signup_link: 'Show the invite signup link on the login page.',
     site_changelog: 'One update per line for the public changelog.',
   }
 
@@ -1672,7 +1738,7 @@ export default function SettingsPage({ section }: SettingsPageProps) {
               )}
             </div>
             {(sectionGroup.description || SECTION_DESCRIPTIONS[sectionGroup.key]) &&
-              (!settingsSection || isMagentGroupedSection) && (
+              (!settingsSection || isMagentGroupedSection || isSiteGroupedSection) && (
                 <p className="section-subtitle">
                   {sectionGroup.description || SECTION_DESCRIPTIONS[sectionGroup.key]}
                 </p>
@@ -2148,11 +2214,12 @@ export default function SettingsPage({ section }: SettingsPageProps) {
                   const isPemField =
                     setting.key === 'magent_ssl_certificate_pem' ||
                     setting.key === 'magent_ssl_private_key_pem'
+                  const shouldSpanFull = isPemField || setting.key === 'site_banner_message'
                   return (
                     <label
                       key={setting.key}
                       data-helper={helperText || undefined}
-                      className={isPemField ? 'field-span-full' : undefined}
+                      className={shouldSpanFull ? 'field-span-full' : undefined}
                     >
                       <span className="label-row">
                         <span>{labelFromKey(setting.key)}</span>
@@ -2229,14 +2296,6 @@ export default function SettingsPage({ section }: SettingsPageProps) {
                   />
                 </label>
               ) : null}
-              <button
-                type="button"
-                className="settings-action-button"
-                onClick={() => void saveSettingGroup(sectionGroup)}
-                disabled={sectionSaving[sectionGroup.key] || sectionTesting[sectionGroup.key]}
-              >
-                {sectionSaving[sectionGroup.key] ? 'Saving...' : 'Save section'}
-              </button>
               {getSectionTestLabel(sectionGroup.key) ? (
                 <button
                   type="button"
@@ -2249,6 +2308,14 @@ export default function SettingsPage({ section }: SettingsPageProps) {
                     : getSectionTestLabel(sectionGroup.key)}
                 </button>
               ) : null}
+              <button
+                type="button"
+                className="settings-action-button"
+                onClick={() => void saveSettingGroup(sectionGroup)}
+                disabled={sectionSaving[sectionGroup.key] || sectionTesting[sectionGroup.key]}
+              >
+                {sectionSaving[sectionGroup.key] ? 'Saving...' : 'Save section'}
+              </button>
             </div>
           </section>
         ))}

frontend/app/admin/invites/page.tsx

@@ -156,6 +156,8 @@ const formatDate = (value?: string | null) => {
   return date.toLocaleString()
 }
 
+const isValidEmail = (value: string) => /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(value.trim())
+
 const isInviteTraceRowInvited = (row: InviteTraceRow) =>
   Boolean(String(row.inviterUsername || '').trim() || String(row.inviteCode || '').trim())
 
@@ -349,6 +351,17 @@ export default function AdminInviteManagementPage() {
 
   const saveInvite = async (event: React.FormEvent) => {
     event.preventDefault()
+    const recipientEmail = inviteForm.recipient_email.trim()
+    if (!recipientEmail) {
+      setError('Recipient email is required.')
+      setStatus(null)
+      return
+    }
+    if (!isValidEmail(recipientEmail)) {
+      setError('Recipient email must be valid.')
+      setStatus(null)
+      return
+    }
     setInviteSaving(true)
     setError(null)
     setStatus(null)
@@ -363,7 +376,7 @@ export default function AdminInviteManagementPage() {
         max_uses: inviteForm.max_uses || null,
         enabled: inviteForm.enabled,
         expires_at: inviteForm.expires_at || null,
-        recipient_email: inviteForm.recipient_email || null,
+        recipient_email: recipientEmail,
         send_email: inviteForm.send_email,
         message: inviteForm.message || null,
       }
@@ -1607,18 +1620,19 @@ export default function AdminInviteManagementPage() {
               <div className="invite-form-row">
                 <div className="invite-form-row-label">
                   <span>Delivery</span>
-                  <small>Save a recipient email and optionally send the invite immediately.</small>
+                  <small>Recipient email is required. You can optionally send the invite immediately after saving.</small>
                 </div>
                 <div className="invite-form-row-control invite-form-row-control--stacked">
                   <label>
-                    <span>Recipient email</span>
+                    <span>Recipient email (required)</span>
                     <input
                       type="email"
+                      required
                       value={inviteForm.recipient_email}
                       onChange={(e) =>
                         setInviteForm((current) => ({ ...current, recipient_email: e.target.value }))
                       }
-                      placeholder="person@example.com"
+                      placeholder="Required recipient email"
                     />
                   </label>
                   <label>

frontend/app/admin/requests-all/page.tsx

@@ -15,6 +15,17 @@ type RequestRow = {
   createdAt?: string | null
 }
 
+const REQUEST_STAGE_OPTIONS = [
+  { value: 'all', label: 'All stages' },
+  { value: 'pending', label: 'Waiting for approval' },
+  { value: 'approved', label: 'Approved' },
+  { value: 'in_progress', label: 'In progress' },
+  { value: 'working', label: 'Working on it' },
+  { value: 'partial', label: 'Partially ready' },
+  { value: 'ready', label: 'Ready to watch' },
+  { value: 'declined', label: 'Declined' },
+]
+
 const formatDateTime = (value?: string | null) => {
   if (!value) return 'Unknown'
   const date = new Date(value)
@@ -30,6 +41,7 @@ export default function AdminRequestsAllPage() {
   const [error, setError] = useState<string | null>(null)
   const [pageSize, setPageSize] = useState(50)
   const [page, setPage] = useState(1)
+  const [stage, setStage] = useState('all')
 
   const pageCount = useMemo(() => {
     if (!total || pageSize <= 0) return 1
@@ -46,8 +58,15 @@ export default function AdminRequestsAllPage() {
     try {
       const baseUrl = getApiBase()
       const skip = (page - 1) * pageSize
+      const params = new URLSearchParams({
+        take: String(pageSize),
+        skip: String(skip),
+      })
+      if (stage !== 'all') {
+        params.set('stage', stage)
+      }
       const response = await authFetch(
-        `${baseUrl}/admin/requests/all?take=${pageSize}&skip=${skip}`
+        `${baseUrl}/admin/requests/all?${params.toString()}`
       )
       if (!response.ok) {
         if (response.status === 401) {
@@ -74,7 +93,7 @@ export default function AdminRequestsAllPage() {
 
   useEffect(() => {
     void load()
-  }, [page, pageSize])
+  }, [page, pageSize, stage])
 
   useEffect(() => {
     if (page > pageCount) {
@@ -82,6 +101,10 @@ export default function AdminRequestsAllPage() {
     }
   }, [pageCount, page])
 
+  useEffect(() => {
+    setPage(1)
+  }, [stage])
+
   return (
     <AdminShell
       title="All requests"
@@ -98,6 +121,16 @@ export default function AdminRequestsAllPage() {
             <span>{total.toLocaleString()} total</span>
           </div>
           <div className="admin-toolbar-actions">
+            <label className="admin-select">
+              <span>Stage</span>
+              <select value={stage} onChange={(e) => setStage(e.target.value)}>
+                {REQUEST_STAGE_OPTIONS.map((option) => (
+                  <option key={option.value} value={option.value}>
+                    {option.label}
+                  </option>
+                ))}
+              </select>
+            </label>
             <label className="admin-select">
               <span>Per page</span>
               <select value={pageSize} onChange={(e) => setPageSize(Number(e.target.value))}>

frontend/app/feedback/page.tsx

@@ -2,7 +2,7 @@
 
 import { useEffect, useState } from 'react'
 import { useRouter } from 'next/navigation'
-import { authFetch, clearToken, getApiBase, getToken } from '../lib/auth'
+import { authFetchOrThrow, getApiBase, getToken, UnauthorizedError } from '../lib/auth'
 
 type Profile = {
   username?: string
@@ -24,15 +24,17 @@ export default function FeedbackPage() {
     const load = async () => {
       try {
         const baseUrl = getApiBase()
-        const response = await authFetch(`${baseUrl}/auth/me`)
+        const response = await authFetchOrThrow(`${baseUrl}/auth/me`)
         if (!response.ok) {
-          clearToken()
-          router.push('/login')
-          return
+          throw new Error('Could not load profile.')
         }
         const data = await response.json()
         setProfile({ username: data?.username })
       } catch (error) {
+        if (error instanceof UnauthorizedError) {
+          router.push('/login')
+          return
+        }
         console.error(error)
       }
     }
@@ -49,7 +51,7 @@ export default function FeedbackPage() {
     setSubmitting(true)
     try {
       const baseUrl = getApiBase()
-      const response = await authFetch(`${baseUrl}/feedback`, {
+      const response = await authFetchOrThrow(`${baseUrl}/feedback`, {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
         body: JSON.stringify({
@@ -58,17 +60,16 @@ export default function FeedbackPage() {
         }),
       })
       if (!response.ok) {
-        if (response.status === 401) {
-          clearToken()
-          router.push('/login')
-          return
-        }
         const text = await response.text()
         throw new Error(text || `Request failed: ${response.status}`)
       }
       setMessage('')
       setStatus('Thanks! Your message has been sent.')
     } catch (error) {
+      if (error instanceof UnauthorizedError) {
+        router.push('/login')
+        return
+      }
       console.error(error)
       setStatus('That did not send. Please try again.')
     } finally {

frontend/app/globals.css

@@ -1527,6 +1527,13 @@ button span {
   color: var(--ink-muted);
 }
 
+.recent-filter-group {
+  display: flex;
+  flex-wrap: wrap;
+  gap: 10px;
+  align-items: center;
+}
+
 .recent-filter select {
   padding: 8px 12px;
   font-size: 13px;
@@ -3558,12 +3565,14 @@ button:disabled {
 .user-grid-pill.is-blocked {
   background: rgba(244, 114, 114, 0.14);
   border-color: rgba(244, 114, 114, 0.24);
+  color: #ffd5d5;
 }
 
 .system-pill-degraded,
 .user-grid-pill.is-disabled {
   background: rgba(208, 166, 92, 0.14);
   border-color: rgba(208, 166, 92, 0.22);
+  color: #ffe3a6;
 }
 
 .system-dot {
@@ -6068,6 +6077,52 @@ textarea {
   background: rgba(255, 255, 255, 0.03);
 }
 
+.diagnostic-detail-panel {
+  display: grid;
+  gap: 0.9rem;
+}
+
+.diagnostic-detail-group {
+  display: grid;
+  gap: 0.6rem;
+}
+
+.diagnostic-detail-group h4 {
+  margin: 0;
+  font-size: 0.86rem;
+  letter-spacing: 0.06em;
+  text-transform: uppercase;
+  color: var(--ink-muted);
+}
+
+.diagnostic-detail-grid {
+  display: grid;
+  grid-template-columns: repeat(auto-fit, minmax(9rem, 1fr));
+  gap: 0.7rem;
+}
+
+.diagnostic-detail-item {
+  display: grid;
+  gap: 0.2rem;
+  min-width: 0;
+  padding: 0.75rem;
+  border-radius: 0.8rem;
+  border: 1px solid rgba(255, 255, 255, 0.06);
+  background: rgba(255, 255, 255, 0.025);
+}
+
+.diagnostic-detail-item span {
+  font-size: 0.76rem;
+  letter-spacing: 0.05em;
+  text-transform: uppercase;
+  color: var(--muted);
+}
+
+.diagnostic-detail-item strong {
+  line-height: 1.35;
+  overflow-wrap: anywhere;
+}
+
 .diagnostics-rail-metrics {
   display: grid;
   gap: 0.75rem;
@@ -6505,3 +6560,350 @@ textarea {
     grid-template-columns: repeat(2, minmax(0, 1fr));
   }
 }
+
+/* Portal */
+.portal-page {
+  display: grid;
+  gap: 16px;
+}
+
+.portal-workspace-switch {
+  display: inline-flex;
+  gap: 8px;
+  align-items: center;
+}
+
+.portal-workspace-switch button {
+  border: 1px solid var(--line);
+  border-radius: 10px;
+  background: var(--panel-soft);
+  color: var(--text);
+  padding: 8px 12px;
+  font-weight: 600;
+}
+
+.portal-workspace-switch button.is-active {
+  border-color: var(--accent);
+  box-shadow: 0 0 0 1px rgba(107, 146, 255, 0.25);
+  background: rgba(107, 146, 255, 0.12);
+}
+
+.portal-overview-grid {
+  display: grid;
+  grid-template-columns: repeat(4, minmax(0, 1fr));
+  gap: 10px;
+}
+
+.portal-overview-card {
+  border: 1px solid var(--line);
+  border-radius: 10px;
+  background: var(--panel);
+  padding: 12px 14px;
+  display: grid;
+  gap: 4px;
+}
+
+.portal-overview-card span {
+  color: var(--muted);
+  font-size: 0.76rem;
+  text-transform: uppercase;
+  letter-spacing: 0.05em;
+}
+
+.portal-overview-card strong {
+  font-size: 1.25rem;
+  color: var(--text);
+}
+
+.portal-create-panel {
+  display: grid;
+  gap: 12px;
+}
+
+.portal-discovery-panel {
+  display: grid;
+  gap: 12px;
+}
+
+.portal-discovery-form {
+  display: grid;
+  grid-template-columns: minmax(0, 1fr) 140px;
+  gap: 10px;
+}
+
+.portal-discovery-form input {
+  width: 100%;
+}
+
+.portal-discovery-results {
+  display: grid;
+  gap: 10px;
+}
+
+.portal-discovery-item {
+  display: grid;
+  grid-template-columns: 56px minmax(0, 1fr) auto;
+  gap: 10px;
+  align-items: center;
+  border: 1px solid var(--line);
+  border-radius: 10px;
+  background: var(--panel-soft);
+  padding: 10px;
+}
+
+.portal-discovery-media {
+  width: 56px;
+  height: 84px;
+  border-radius: 6px;
+  overflow: hidden;
+  background: rgba(255, 255, 255, 0.04);
+  border: 1px solid var(--line);
+}
+
+.portal-discovery-media img {
+  width: 100%;
+  height: 100%;
+  object-fit: cover;
+}
+
+.portal-discovery-main {
+  display: grid;
+  gap: 6px;
+}
+
+.portal-discovery-title-row {
+  display: flex;
+  gap: 8px;
+  align-items: center;
+  flex-wrap: wrap;
+}
+
+.portal-discovery-main p {
+  margin: 0;
+  font-size: 0.84rem;
+  color: var(--muted);
+}
+
+.portal-discovery-actions {
+  display: flex;
+  align-items: center;
+}
+
+.poster-fallback {
+  display: grid;
+  place-items: center;
+  width: 100%;
+  height: 100%;
+  color: var(--muted);
+  font-size: 0.66rem;
+  text-align: center;
+  padding: 4px;
+}
+
+.portal-form-grid {
+  display: grid;
+  grid-template-columns: repeat(2, minmax(0, 1fr));
+  gap: 10px;
+}
+
+.portal-field-span-2 {
+  grid-column: span 2;
+}
+
+.portal-toolbar {
+  display: grid;
+  grid-template-columns: 180px minmax(0, 1fr) auto;
+  gap: 10px;
+  align-items: end;
+}
+
+.portal-toolbar label span {
+  display: block;
+  margin-bottom: 6px;
+  font-size: 0.78rem;
+  color: var(--muted);
+}
+
+.portal-search-filter input {
+  width: 100%;
+}
+
+.portal-mine-toggle {
+  align-self: center;
+  margin-top: 20px;
+}
+
+.portal-workspace {
+  display: grid;
+  grid-template-columns: minmax(300px, 360px) minmax(0, 1fr);
+  gap: 12px;
+}
+
+.portal-list-panel,
+.portal-detail-panel {
+  display: grid;
+  gap: 12px;
+  align-content: start;
+}
+
+.portal-item-list {
+  display: grid;
+  gap: 10px;
+  max-height: 900px;
+  overflow: auto;
+  padding-right: 2px;
+}
+
+.portal-item-row {
+  border: 1px solid var(--line);
+  border-radius: 10px;
+  background: var(--panel-soft);
+  padding: 12px;
+  text-align: left;
+  transition: border-color 0.2s ease, box-shadow 0.2s ease;
+}
+
+.portal-item-row.is-active {
+  border-color: var(--accent);
+  box-shadow: 0 0 0 1px rgba(107, 146, 255, 0.25);
+}
+
+.portal-item-row-title {
+  display: flex;
+  gap: 8px;
+  align-items: center;
+  flex-wrap: wrap;
+}
+
+.portal-item-row p {
+  margin: 8px 0;
+  color: var(--muted);
+  font-size: 0.9rem;
+  line-height: 1.45;
+}
+
+.portal-item-row-meta {
+  display: flex;
+  gap: 10px;
+  flex-wrap: wrap;
+  color: var(--muted);
+  font-size: 0.78rem;
+}
+
+.portal-comments-block {
+  border-top: 1px solid var(--line);
+  padding-top: 12px;
+  display: grid;
+  gap: 10px;
+}
+
+.portal-comment-list {
+  display: grid;
+  gap: 8px;
+  max-height: 420px;
+  overflow: auto;
+  padding-right: 2px;
+}
+
+.portal-comment-card {
+  border: 1px solid var(--line);
+  border-radius: 8px;
+  padding: 10px 12px;
+  background: var(--panel-soft);
+}
+
+.portal-comment-card header {
+  display: flex;
+  gap: 8px;
+  flex-wrap: wrap;
+  align-items: center;
+  margin-bottom: 6px;
+  color: var(--muted);
+  font-size: 0.78rem;
+}
+
+.portal-comment-card p {
+  margin: 0;
+  color: var(--text);
+  white-space: pre-wrap;
+  line-height: 1.45;
+}
+
+.portal-comment-form {
+  display: grid;
+  gap: 10px;
+}
+
+@media (max-width: 1200px) {
+  .portal-overview-grid {
+    grid-template-columns: repeat(2, minmax(0, 1fr));
+  }
+
+  .portal-toolbar {
+    grid-template-columns: repeat(2, minmax(0, 1fr));
+  }
+
+  .portal-search-filter,
+  .portal-mine-toggle {
+    grid-column: span 2;
+  }
+
+  .portal-mine-toggle {
+    margin-top: 0;
+  }
+
+  .portal-workspace {
+    grid-template-columns: 1fr;
+  }
+
+  .portal-item-list {
+    max-height: 460px;
+  }
+
+  .portal-discovery-item {
+    grid-template-columns: 56px minmax(0, 1fr);
+  }
+
+  .portal-discovery-actions {
+    grid-column: span 2;
+    justify-content: flex-end;
+  }
+}
+
+@media (max-width: 760px) {
+  .portal-form-grid {
+    grid-template-columns: 1fr;
+  }
+
+  .portal-field-span-2 {
+    grid-column: span 1;
+  }
+
+  .portal-overview-grid,
+  .portal-toolbar {
+    grid-template-columns: 1fr;
+  }
+
+  .portal-search-filter,
+  .portal-mine-toggle {
+    grid-column: span 1;
+  }
+
+  .portal-discovery-form {
+    grid-template-columns: 1fr;
+  }
+
+  .portal-discovery-item {
+    grid-template-columns: 1fr;
+  }
+
+  .portal-discovery-media {
+    width: 72px;
+    height: 108px;
+  }
+
+  .portal-discovery-actions {
+    grid-column: span 1;
+    justify-content: flex-start;
+  }
+}

frontend/app/lib/auth.ts

@@ -1,27 +1,53 @@
+const AUTH_STATE_COOKIE = 'magent_logged_in'
+
 export const getApiBase = () => process.env.NEXT_PUBLIC_API_BASE ?? '/api'
 
-export const getToken = () => {
-  if (typeof window === 'undefined') return null
-  return window.localStorage.getItem('magent_token')
+const setCookie = (name: string, value: string, maxAgeSeconds: number) => {
+  if (typeof document === 'undefined') return
+  document.cookie = `${name}=${value}; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax`
 }
 
-export const setToken = (token: string) => {
-  if (typeof window === 'undefined') return
-  window.localStorage.setItem('magent_token', token)
+const clearCookie = (name: string) => {
+  if (typeof document === 'undefined') return
+  document.cookie = `${name}=; Max-Age=0; Path=/; SameSite=Lax`
+}
+
+export const getToken = () => {
+  if (typeof document === 'undefined') return null
+  const cookies = document.cookie.split(';').map((entry) => entry.trim())
+  const marker = cookies.find((entry) => entry.startsWith(`${AUTH_STATE_COOKIE}=`))
+  if (!marker) return null
+  const [, value] = marker.split('=', 2)
+  return value || null
+}
+
+export const setToken = (_token: string) => {
+  setCookie(AUTH_STATE_COOKIE, '1', 60 * 60 * 12)
 }
 
 export const clearToken = () => {
+  clearCookie(AUTH_STATE_COOKIE)
   if (typeof window === 'undefined') return
-  window.localStorage.removeItem('magent_token')
+  const baseUrl = getApiBase()
+  void fetch(`${baseUrl}/auth/logout`, {
+    method: 'POST',
+    credentials: 'include',
+    keepalive: true,
+  }).catch(() => undefined)
+}
+
+export const logout = async () => {
+  const baseUrl = getApiBase()
+  clearCookie(AUTH_STATE_COOKIE)
+  await fetch(`${baseUrl}/auth/logout`, {
+    method: 'POST',
+    credentials: 'include',
+  })
 }
 
 export const authFetch = (input: RequestInfo | URL, init?: RequestInit) => {
-  const token = getToken()
   const headers = new Headers(init?.headers || {})
-  if (token) {
-    headers.set('Authorization', `Bearer ${token}`)
-  }
-  return fetch(input, { ...init, headers })
+  return fetch(input, { ...init, headers, credentials: 'include' })
 }
 
 export const getEventStreamToken = async () => {
@@ -38,3 +64,37 @@ export const getEventStreamToken = async () => {
   }
   return token
 }
+
+export class UnauthorizedError extends Error {
+  constructor() {
+    super('Unauthorized')
+    this.name = 'UnauthorizedError'
+  }
+}
+
+export class ForbiddenError extends Error {
+  constructor() {
+    super('Forbidden')
+    this.name = 'ForbiddenError'
+  }
+}
+
+export const authFetchOrThrow = async (input: RequestInfo | URL, init?: RequestInit) => {
+  const response = await authFetch(input, init)
+  if (response.status === 401) {
+    clearToken()
+    throw new UnauthorizedError()
+  }
+  if (response.status === 403) {
+    throw new ForbiddenError()
+  }
+  return response
+}
+
+export const readResponseText = async (response: Response) => {
+  try {
+    return (await response.text()).trim()
+  } catch {
+    return ''
+  }
+}

frontend/app/login/page.tsx

@@ -1,19 +1,36 @@
 'use client'
 
 import { useRouter } from 'next/navigation'
-import { useState } from 'react'
+import { useEffect, useState } from 'react'
 import { getApiBase, setToken, clearToken } from '../lib/auth'
 import BrandingLogo from '../ui/BrandingLogo'
 
+const DEFAULT_LOGIN_OPTIONS = {
+  showJellyfinLogin: true,
+  showLocalLogin: true,
+  showForgotPassword: true,
+  showSignupLink: true,
+}
+
 export default function LoginPage() {
   const router = useRouter()
   const [username, setUsername] = useState('')
   const [password, setPassword] = useState('')
   const [error, setError] = useState<string | null>(null)
   const [loading, setLoading] = useState(false)
+  const [loginOptions, setLoginOptions] = useState(DEFAULT_LOGIN_OPTIONS)
+  const primaryMode: 'jellyfin' | 'local' | null = loginOptions.showJellyfinLogin
+    ? 'jellyfin'
+    : loginOptions.showLocalLogin
+      ? 'local'
+      : null
 
   const submit = async (event: React.FormEvent, mode: 'local' | 'jellyfin') => {
     event.preventDefault()
+    if (!primaryMode) {
+      setError('Login is currently disabled. Contact an administrator.')
+      return
+    }
     setError(null)
     setLoading(true)
     try {
@@ -25,13 +42,14 @@ export default function LoginPage() {
         method: 'POST',
         headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
         body,
+        credentials: 'include',
       })
       if (!response.ok) {
         throw new Error('Login failed')
       }
       const data = await response.json()
-      if (data?.access_token) {
-        setToken(data.access_token)
+      if (data?.authenticated) {
+        setToken('cookie')
         if (typeof window !== 'undefined') {
           window.location.href = '/'
           return
@@ -48,12 +66,63 @@ export default function LoginPage() {
     }
   }
 
+  useEffect(() => {
+    let active = true
+    const loadLoginOptions = async () => {
+      try {
+        const baseUrl = getApiBase()
+        const response = await fetch(`${baseUrl}/site/public`)
+        if (!response.ok) {
+          return
+        }
+        const data = await response.json()
+        const login = data?.login ?? {}
+        if (!active) return
+        setLoginOptions({
+          showJellyfinLogin: login.showJellyfinLogin !== false,
+          showLocalLogin: login.showLocalLogin !== false,
+          showForgotPassword: login.showForgotPassword !== false,
+          showSignupLink: login.showSignupLink !== false,
+        })
+      } catch (err) {
+        console.error(err)
+      }
+    }
+    void loadLoginOptions()
+    return () => {
+      active = false
+    }
+  }, [])
+
+  const loginHelpText = (() => {
+    if (loginOptions.showJellyfinLogin && loginOptions.showLocalLogin) {
+      return 'Use your Jellyfin account, or sign in with a local Magent admin account.'
+    }
+    if (loginOptions.showJellyfinLogin) {
+      return 'Use your Jellyfin account to sign in.'
+    }
+    if (loginOptions.showLocalLogin) {
+      return 'Use your local Magent admin account to sign in.'
+    }
+    return 'No sign-in methods are currently available. Contact an administrator.'
+  })()
+
   return (
     <main className="card auth-card">
       <BrandingLogo className="brand-logo brand-logo--login" />
       <h1>Sign in</h1>
-      <p className="lede">Use your Jellyfin account, or sign in with a local Magent admin account.</p>
-      <form onSubmit={(event) => submit(event, 'jellyfin')} className="auth-form">
+      <p className="lede">{loginHelpText}</p>
+      <form
+        onSubmit={(event) => {
+          if (!primaryMode) {
+            event.preventDefault()
+            setError('Login is currently disabled. Contact an administrator.')
+            return
+          }
+          void submit(event, primaryMode)
+        }}
+        className="auth-form"
+      >
         <label>
           Username
           <input
@@ -73,10 +142,13 @@ export default function LoginPage() {
         </label>
         {error && <div className="error-banner">{error}</div>}
         <div className="auth-actions">
+          {loginOptions.showJellyfinLogin ? (
             <button type="submit" disabled={loading}>
               {loading ? 'Signing in...' : 'Login with Jellyfin account'}
             </button>
+          ) : null}
         </div>
+        {loginOptions.showLocalLogin ? (
           <button
             type="button"
             className="ghost-button"
@@ -85,12 +157,20 @@ export default function LoginPage() {
           >
             Sign in with Magent account
           </button>
+        ) : null}
+        {loginOptions.showForgotPassword ? (
           <a className="ghost-button" href="/forgot-password">
             Forgot password?
           </a>
+        ) : null}
+        {loginOptions.showSignupLink ? (
           <a className="ghost-button" href="/signup">
             Have an invite? Create your account (Jellyfin + Magent)
           </a>
+        ) : null}
+        {!loginOptions.showJellyfinLogin && !loginOptions.showLocalLogin ? (
+          <div className="error-banner">Login is currently disabled. Contact an administrator.</div>
+        ) : null}
       </form>
     </main>
   )

frontend/app/page.tsx

@@ -22,6 +22,17 @@ const normalizeRecentResults = (items: any[]) =>
       }
     })
 
+const REQUEST_STAGE_OPTIONS = [
+  { value: 'all', label: 'All stages' },
+  { value: 'pending', label: 'Waiting' },
+  { value: 'approved', label: 'Approved' },
+  { value: 'in_progress', label: 'In progress' },
+  { value: 'working', label: 'Working' },
+  { value: 'partial', label: 'Partial' },
+  { value: 'ready', label: 'Ready' },
+  { value: 'declined', label: 'Declined' },
+]
+
 export default function HomePage() {
   const router = useRouter()
   const [query, setQuery] = useState('')
@@ -38,11 +49,20 @@ export default function HomePage() {
   const [recentError, setRecentError] = useState<string | null>(null)
   const [recentLoading, setRecentLoading] = useState(false)
   const [searchResults, setSearchResults] = useState<
-    { title: string; year?: number; type?: string; requestId?: number; statusLabel?: string }[]
+    {
+      title: string
+      year?: number
+      type?: string
+      requestId?: number
+      statusLabel?: string
+      requestedBy?: string | null
+      accessible?: boolean
+    }[]
   >([])
   const [searchError, setSearchError] = useState<string | null>(null)
   const [role, setRole] = useState<string | null>(null)
   const [recentDays, setRecentDays] = useState(90)
+  const [recentStage, setRecentStage] = useState('all')
   const [authReady, setAuthReady] = useState(false)
   const [servicesStatus, setServicesStatus] = useState<
     { overall: string; services: { name: string; status: string; message?: string }[] } | null
@@ -143,9 +163,14 @@ export default function HomePage() {
         setRole(userRole)
         setAuthReady(true)
         const take = userRole === 'admin' ? 50 : 6
-        const response = await authFetch(
-          `${baseUrl}/requests/recent?take=${take}&days=${recentDays}`
-        )
+        const params = new URLSearchParams({
+          take: String(take),
+          days: String(recentDays),
+        })
+        if (recentStage !== 'all') {
+          params.set('stage', recentStage)
+        }
+        const response = await authFetch(`${baseUrl}/requests/recent?${params.toString()}`)
         if (!response.ok) {
           if (response.status === 401) {
             clearToken()
@@ -167,7 +192,7 @@ export default function HomePage() {
     }
 
     load()
-  }, [recentDays])
+  }, [recentDays, recentStage])
 
   useEffect(() => {
     if (!authReady) {
@@ -222,7 +247,14 @@ export default function HomePage() {
       try {
         const streamToken = await getEventStreamToken()
         if (closed) return
-        const streamUrl = `${baseUrl}/events/stream?stream_token=${encodeURIComponent(streamToken)}&recent_days=${encodeURIComponent(String(recentDays))}`
+        const params = new URLSearchParams({
+          stream_token: streamToken,
+          recent_days: String(recentDays),
+        })
+        if (recentStage !== 'all') {
+          params.set('recent_stage', recentStage)
+        }
+        const streamUrl = `${baseUrl}/events/stream?${params.toString()}`
         source = new EventSource(streamUrl)
 
         source.onopen = () => {
@@ -282,7 +314,7 @@ export default function HomePage() {
       setLiveStreamConnected(false)
       source?.close()
     }
-  }, [authReady, recentDays])
+  }, [authReady, recentDays, recentStage])
 
   const runSearch = async (term: string) => {
     try {
@@ -305,6 +337,8 @@ export default function HomePage() {
               type: item.type,
               requestId: item.requestId,
               statusLabel: item.statusLabel,
+              requestedBy: item.requestedBy ?? null,
+              accessible: Boolean(item.accessible),
             }))
           )
         setSearchError(null)
@@ -403,6 +437,7 @@ export default function HomePage() {
             <div className="recent-header">
               <h2>{role === 'admin' ? 'All requests' : 'My recent requests'}</h2>
               {authReady && (
+                <div className="recent-filter-group">
                   <label className="recent-filter">
                     <span>Show</span>
                     <select
@@ -416,6 +451,20 @@ export default function HomePage() {
                       <option value={180}>180 days</option>
                     </select>
                   </label>
+                  <label className="recent-filter">
+                    <span>Stage</span>
+                    <select
+                      value={recentStage}
+                      onChange={(event) => setRecentStage(event.target.value)}
+                    >
+                      {REQUEST_STAGE_OPTIONS.map((option) => (
+                        <option key={option.value} value={option.value}>
+                          {option.label}
+                        </option>
+                      ))}
+                    </select>
+                  </label>
+                </div>
               )}
             </div>
             <div className="recent-grid">
@@ -467,9 +516,10 @@ export default function HomePage() {
         <aside className="side-panel">
           <section className="main-panel find-panel">
             <div className="find-header">
-              <h1>Find my request</h1>
+              <h1>Search all requests</h1>
               <p className="lede">
-                Search by title + year, paste a request number, or pick from your recent requests.
+                Search any request by title + year or request number and see whether it already
+                exists in the system.
               </p>
             </div>
             <div className="find-controls">
@@ -518,14 +568,16 @@ export default function HomePage() {
                       key={`${item.title || 'Untitled'}-${index}`}
                       type="button"
                       disabled={!item.requestId}
-                      onClick={() => item.requestId && router.push(`/requests/${item.requestId}`)}
+                      onClick={() =>
+                        item.requestId && router.push(`/requests/${item.requestId}`)
+                      }
                     >
                       {item.title || 'Untitled'} {item.year ? `(${item.year})` : ''}{' '}
                       {!item.requestId
                         ? '- not requested'
                         : item.statusLabel
                           ? `- ${item.statusLabel}`
-                          : ''}
+                          : '- already requested'}
                     </button>
                   ))
                 )}

frontend/app/portal/issues/page.tsx

@@ -0,0 +1,6 @@
+import PortalClient from '../PortalClient'
+
+export default function IssuePortalPage() {
+  return <PortalClient workspace="issue" />
+}
+

frontend/app/portal/page.tsx

@@ -0,0 +1,6 @@
+import { redirect } from 'next/navigation'
+
+export default function PortalIndexPage() {
+  redirect('/portal/requests')
+}
+

frontend/app/portal/requests/page.tsx

@@ -0,0 +1,6 @@
+import PortalClient from '../PortalClient'
+
+export default function RequestPortalPage() {
+  return <PortalClient workspace="request" />
+}
+

frontend/app/profile/invites/page.tsx

@@ -82,6 +82,8 @@ const formatDate = (value?: string | null) => {
   return date.toLocaleString()
 }
 
+const isValidEmail = (value: string) => /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(value.trim())
+
 export default function ProfileInvitesPage() {
   const router = useRouter()
   const [profile, setProfile] = useState<ProfileInfo | null>(null)
@@ -192,6 +194,17 @@ export default function ProfileInvitesPage() {
 
   const saveInvite = async (event: React.FormEvent) => {
     event.preventDefault()
+    const recipientEmail = inviteForm.recipient_email.trim()
+    if (!recipientEmail) {
+      setInviteError('Recipient email is required.')
+      setInviteStatus(null)
+      return
+    }
+    if (!isValidEmail(recipientEmail)) {
+      setInviteError('Recipient email must be valid.')
+      setInviteStatus(null)
+      return
+    }
     setInviteSaving(true)
     setInviteError(null)
     setInviteStatus(null)
@@ -208,7 +221,7 @@ export default function ProfileInvitesPage() {
             code: inviteForm.code || null,
             label: inviteForm.label || null,
             description: inviteForm.description || null,
-            recipient_email: inviteForm.recipient_email || null,
+            recipient_email: recipientEmail,
             max_uses: inviteForm.max_uses || null,
             expires_at: inviteForm.expires_at || null,
             enabled: inviteForm.enabled,
@@ -438,13 +451,14 @@ export default function ProfileInvitesPage() {
                 <div className="invite-form-row">
                   <div className="invite-form-row-label">
                     <span>Delivery</span>
-                    <small>Save a recipient email and optionally send the invite immediately.</small>
+                    <small>Recipient email is required. You can also send the invite immediately after saving.</small>
                   </div>
                   <div className="invite-form-row-control invite-form-row-control--stacked">
                     <label>
-                      <span>Recipient email</span>
+                      <span>Recipient email (required)</span>
                       <input
                         type="email"
+                        required
                         value={inviteForm.recipient_email}
                         onChange={(event) =>
                           setInviteForm((current) => ({
@@ -452,7 +466,7 @@ export default function ProfileInvitesPage() {
                             recipient_email: event.target.value,
                           }))
                         }
-                        placeholder="friend@example.com"
+                        placeholder="Required recipient email"
                       />
                     </label>
                     <label>

frontend/app/requests/[id]/page.tsx

@@ -369,6 +369,13 @@ export default function RequestTimelinePage() {
   const posterUrl = snapshot.artwork?.poster_url
   const resolvedPoster =
       posterUrl && posterUrl.startsWith('http') ? posterUrl : posterUrl ? `${getApiBase()}${posterUrl}` : null
+  const hasPartialReadyTimeline = snapshot.timeline.some(
+    (hop) => hop.service === 'Seerr' && hop.status === 'Partially ready'
+  )
+  const currentStatusText =
+    snapshot.state === 'IMPORTING' && hasPartialReadyTimeline
+      ? 'Partially ready'
+      : friendlyState(snapshot.state)
 
   return (
     <main className="card">
@@ -400,7 +407,7 @@ export default function RequestTimelinePage() {
       <section className="status-box">
         <div>
           <h2>Status</h2>
-          <p className="status-text">{friendlyState(snapshot.state)}</p>
+          <p className="status-text">{currentStatusText}</p>
         </div>
         <div>
           <h2>What this means</h2>

frontend/app/signup/page.tsx

@@ -106,6 +106,7 @@ function SignupPageContent() {
       const response = await fetch(`${baseUrl}/auth/signup`, {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
+        credentials: 'include',
         body: JSON.stringify({
           invite_code: inviteCode,
           username: username.trim(),
@@ -117,12 +118,12 @@ function SignupPageContent() {
         throw new Error(text || 'Sign-up failed')
       }
       const data = await response.json()
-      if (data?.access_token) {
-        setToken(data.access_token)
+      if (data?.authenticated) {
+        setToken('cookie')
         window.location.href = '/'
         return
       }
-      throw new Error('Sign-up did not return a token')
+      throw new Error('Sign-up did not complete')
     } catch (err) {
       console.error(err)
       setError(err instanceof Error ? err.message : 'Unable to create account.')

frontend/app/ui/AdminDiagnosticsPanel.tsx

@@ -56,6 +56,21 @@ type AdminDiagnosticsPanelProps = {
   embedded?: boolean
 }
 
+type DatabaseDiagnosticDetail = {
+  integrity_check?: string
+  database_path?: string
+  database_size_bytes?: number
+  wal_size_bytes?: number
+  shm_size_bytes?: number
+  page_size_bytes?: number
+  page_count?: number
+  freelist_pages?: number
+  allocated_bytes?: number
+  free_bytes?: number
+  row_counts?: Record<string, number>
+  timings_ms?: Record<string, number>
+}
+
 const REFRESH_INTERVAL_MS = 30000
 
 const STATUS_LABELS: Record<string, string> = {
@@ -85,6 +100,54 @@ function statusLabel(status: string) {
   return STATUS_LABELS[status] ?? status
 }
 
+function formatBytes(value?: number) {
+  if (typeof value !== 'number' || Number.isNaN(value) || value < 0) {
+    return '0 B'
+  }
+  if (value >= 1024 * 1024 * 1024) {
+    return `${(value / (1024 * 1024 * 1024)).toFixed(2)} GB`
+  }
+  if (value >= 1024 * 1024) {
+    return `${(value / (1024 * 1024)).toFixed(2)} MB`
+  }
+  if (value >= 1024) {
+    return `${(value / 1024).toFixed(1)} KB`
+  }
+  return `${value} B`
+}
+
+function formatDetailLabel(value: string) {
+  return value
+    .replace(/_/g, ' ')
+    .replace(/\b\w/g, (character) => character.toUpperCase())
+}
+
+function asDatabaseDiagnosticDetail(detail: unknown): DatabaseDiagnosticDetail | null {
+  if (!detail || typeof detail !== 'object' || Array.isArray(detail)) {
+    return null
+  }
+  return detail as DatabaseDiagnosticDetail
+}
+
+function renderDatabaseMetricGroup(title: string, values: Array<[string, string]>) {
+  if (values.length === 0) {
+    return null
+  }
+  return (
+    <div className="diagnostic-detail-group">
+      <h4>{title}</h4>
+      <div className="diagnostic-detail-grid">
+        {values.map(([label, value]) => (
+          <div key={`${title}-${label}`} className="diagnostic-detail-item">
+            <span>{label}</span>
+            <strong>{value}</strong>
+          </div>
+        ))}
+      </div>
+    </div>
+  )
+}
+
 export default function AdminDiagnosticsPanel({ embedded = false }: AdminDiagnosticsPanelProps) {
   const router = useRouter()
   const [loading, setLoading] = useState(true)
@@ -405,6 +468,43 @@ export default function AdminDiagnosticsPanel({ embedded = false }: AdminDiagnos
                       <span className="system-dot" />
                       <span>{isRunning ? 'Running diagnostic...' : check.message}</span>
                     </div>
+
+                    {check.key === 'database'
+                      ? (() => {
+                          const detail = asDatabaseDiagnosticDetail(check.detail)
+                          if (!detail) {
+                            return null
+                          }
+                          return (
+                            <div className="diagnostic-detail-panel">
+                              {renderDatabaseMetricGroup('Storage', [
+                                ['Database file', formatBytes(detail.database_size_bytes)],
+                                ['WAL file', formatBytes(detail.wal_size_bytes)],
+                                ['Shared memory', formatBytes(detail.shm_size_bytes)],
+                                ['Allocated bytes', formatBytes(detail.allocated_bytes)],
+                                ['Free bytes', formatBytes(detail.free_bytes)],
+                                ['Page size', formatBytes(detail.page_size_bytes)],
+                                ['Page count', `${detail.page_count?.toLocaleString() ?? 0}`],
+                                ['Freelist pages', `${detail.freelist_pages?.toLocaleString() ?? 0}`],
+                              ])}
+                              {renderDatabaseMetricGroup(
+                                'Tables',
+                                Object.entries(detail.row_counts ?? {}).map(([key, value]) => [
+                                  formatDetailLabel(key),
+                                  value.toLocaleString(),
+                                ]),
+                              )}
+                              {renderDatabaseMetricGroup(
+                                'Timings',
+                                Object.entries(detail.timings_ms ?? {}).map(([key, value]) => [
+                                  formatDetailLabel(key),
+                                  `${value.toFixed(1)} ms`,
+                                ]),
+                              )}
+                            </div>
+                          )
+                        })()
+                      : null}
                   </article>
                 )
               })}

frontend/app/ui/HeaderActions.tsx

@@ -42,6 +42,7 @@ export default function HeaderActions() {
       <div className="header-actions-right">
         <a href="/">Requests</a>
         <a href="/profile/invites">Invites</a>
+        <a href="/portal">Portal</a>
       </div>
     </div>
   )

frontend/app/ui/HeaderIdentity.tsx

@@ -1,7 +1,7 @@
 'use client'
 
 import { useEffect, useState } from 'react'
-import { authFetch, clearToken, getApiBase, getToken } from '../lib/auth'
+import { authFetch, clearToken, getApiBase, getToken, logout } from '../lib/auth'
 
 export default function HeaderIdentity() {
   const [identity, setIdentity] = useState<{ username: string; role?: string } | null>(null)
@@ -49,7 +49,8 @@ export default function HeaderIdentity() {
 
   const label = `${identity.username}${identity.role ? ` (${identity.role})` : ''}`
   const initial = identity.username.slice(0, 1).toUpperCase()
-  const signOut = () => {
+  const signOut = async () => {
+    await logout().catch(() => undefined)
     clearToken()
     if (typeof window !== 'undefined') {
       window.location.href = '/login'
@@ -83,7 +84,7 @@ export default function HeaderIdentity() {
             <a href="/changelog" onClick={() => setOpen(false)}>
               Changelog
             </a>
-            <button type="button" className="signed-in-signout" onClick={signOut}>
+            <button type="button" className="signed-in-signout" onClick={() => void signOut()}>
               Sign out
             </button>
           </div>

frontend/app/users/[id]/page.tsx

@@ -20,6 +20,7 @@ type UserStats = {
 type AdminUser = {
   id?: number
   username: string
+  email?: string | null
   role: string
   auth_provider?: string | null
   last_login_at?: string | null
@@ -459,6 +460,10 @@ export default function UserDetailPage() {
                   </p>
                 </div>
                 <div className="user-detail-meta-grid">
+                  <div className="user-detail-meta-item">
+                    <span className="label">Email</span>
+                    <strong>{user.email || 'Not set'}</strong>
+                  </div>
                   <div className="user-detail-meta-item">
                     <span className="label">Seerr ID</span>
                     <strong>{user.jellyseerr_user_id ?? user.id ?? 'Unknown'}</strong>

frontend/app/users/page.tsx

@@ -9,6 +9,7 @@ import AdminShell from '../ui/AdminShell'
 type AdminUser = {
   id: number
   username: string
+  email?: string | null
   role: string
   authProvider?: string | null
   lastLoginAt?: string | null
@@ -109,6 +110,7 @@ export default function UsersPage() {
         setUsers(
           data.users.map((user: any) => ({
             username: user.username ?? 'Unknown',
+            email: user.email ?? null,
             role: user.role ?? 'user',
             authProvider: user.auth_provider ?? 'local',
             lastLoginAt: user.last_login_at ?? null,
@@ -239,6 +241,7 @@ export default function UsersPage() {
     ? users.filter((user) => {
         const fields = [
           user.username,
+          user.email || '',
           user.role,
           user.authProvider || '',
           user.profileId != null ? String(user.profileId) : '',
@@ -419,6 +422,9 @@ export default function UsersPage() {
                     <strong>{user.username}</strong>
                     <span className="user-grid-meta">{user.role}</span>
                   </div>
+                  <div className="user-directory-subtext">
+                    {user.email || 'No email on file'}
+                  </div>
                   <div className="user-directory-subtext">
                     Login: {user.authProvider || 'local'} • Profile: {user.profileId ?? 'None'}
                   </div>

frontend/next-env.d.ts

@@ -1,2 +1,6 @@
 /// <reference types="next" />
 /// <reference types="next/image-types/global" />
+import "./.next/types/routes.d.ts";
+
+// NOTE: This file should not be edited
+// see https://nextjs.org/docs/app/api-reference/config/typescript for more information.

frontend/package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "magent-frontend",
-  "version": "0203262044",
+  "version": "0803262237",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "magent-frontend",
-      "version": "0203262044",
+      "version": "0803262237",
       "dependencies": {
         "next": "16.1.6",
         "react": "19.2.4",

frontend/package.json

@@ -1,7 +1,7 @@
 {
   "name": "magent-frontend",
   "private": true,
-  "version": "0203262044",
+  "version": "0803262237",
   "scripts": {
     "dev": "next dev",
     "build": "next build",

scripts/build_release.ps1

@@ -3,6 +3,11 @@ $ErrorActionPreference = "Stop"
 $repoRoot = Resolve-Path "$PSScriptRoot\\.."
 Set-Location $repoRoot
 
+powershell -ExecutionPolicy Bypass -File (Join-Path $repoRoot "scripts\run_backend_quality_gate.ps1")
+if ($LASTEXITCODE -ne 0) {
+    throw "scripts/run_backend_quality_gate.ps1 failed with exit code $LASTEXITCODE."
+}
+
 $now = Get-Date
 $buildNumber = "{0}{1}{2}{3}{4}" -f $now.ToString("dd"), $now.ToString("MM"), $now.ToString("yy"), $now.ToString("HH"), $now.ToString("mm")
 

scripts/ci_backend_quality_gate.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+repo_root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+cd "$repo_root"
+
+python_bin="${PYTHON_BIN:-python3}"
+
+echo "Installing backend Python requirements"
+"$python_bin" -m pip install -r backend/requirements.txt
+
+echo "Running Python dependency integrity check"
+"$python_bin" -m pip check
+
+echo "Running backend unit tests"
+"$python_bin" -m unittest discover -s backend/tests -p "test_*.py" -v
+
+echo "Backend quality gate passed"

scripts/deploy_ams_dev01.sh

@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+repo_root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+cd "$repo_root"
+
+deploy_host="${DEPLOY_HOST:-AMS-DEV01}"
+deploy_user="${DEPLOY_USER:-zak}"
+deploy_path="${DEPLOY_PATH:-/home/${deploy_user}/magent}"
+ssh_opts="${DEPLOY_SSH_OPTS:-"-o StrictHostKeyChecking=accept-new"}"
+timestamp="$(date -u +%Y%m%dT%H%M%SZ)"
+
+remote="${deploy_user}@${deploy_host}"
+
+echo "Deploying tracked repository contents to ${remote}:${deploy_path}"
+
+git archive --format=tar HEAD | ssh ${ssh_opts} "${remote}" "
+  set -e
+  mkdir -p '${deploy_path}'
+  backup_root=\"\${HOME}/magent-backups/${timestamp}\"
+  mkdir -p \"\${backup_root}\"
+  cd '${deploy_path}'
+  for path in backend frontend docker-compose.yml docker-compose.hub.yml Dockerfile README.md docker scripts .build_number .gitattributes .gitignore; do
+    if [ -e \"\$path\" ]; then
+      cp -a \"\$path\" \"\${backup_root}/\"
+    fi
+  done
+  tar -xf - -C '${deploy_path}'
+  docker compose up -d --build
+"
+
+echo "Running remote smoke checks"
+ssh ${ssh_opts} "${remote}" "
+  set -e
+  python3 - <<'PY'
+from urllib import request
+
+checks = [
+    ('http://127.0.0.1:8000/health', 200),
+    ('http://127.0.0.1:3000/login', 200),
+]
+
+for url, expected in checks:
+    with request.urlopen(url, timeout=20) as response:
+        if response.status != expected:
+            raise SystemExit(f'{url} returned {response.status}, expected {expected}')
+        print(url, response.status)
+PY
+"
+
+echo "Deployment completed successfully"

scripts/import_user_emails.py

@@ -0,0 +1,153 @@
+from __future__ import annotations
+
+import argparse
+import csv
+import json
+import sqlite3
+from collections import Counter
+from pathlib import Path
+
+
+ROOT = Path(__file__).resolve().parents[1]
+DEFAULT_CSV_PATH = ROOT / "data" / "jellyfin_users_normalized.csv"
+DEFAULT_DB_PATH = ROOT / "data" / "magent.db"
+
+
+def _normalize_email(value: object) -> str | None:
+    if not isinstance(value, str):
+        return None
+    candidate = value.strip()
+    if not candidate or "@" not in candidate:
+        return None
+    return candidate
+
+
+def _load_rows(csv_path: Path) -> list[dict[str, str]]:
+    with csv_path.open("r", encoding="utf-8", newline="") as handle:
+        return [dict(row) for row in csv.DictReader(handle)]
+
+
+def _ensure_email_column(conn: sqlite3.Connection) -> None:
+    try:
+        conn.execute("ALTER TABLE users ADD COLUMN email TEXT")
+    except sqlite3.OperationalError:
+        pass
+    conn.execute(
+        """
+        CREATE INDEX IF NOT EXISTS idx_users_email_nocase
+        ON users (email COLLATE NOCASE)
+        """
+    )
+
+
+def _lookup_user(conn: sqlite3.Connection, username: str) -> list[sqlite3.Row]:
+    return conn.execute(
+        """
+        SELECT id, username, email
+        FROM users
+        WHERE username = ? COLLATE NOCASE
+        ORDER BY
+            CASE WHEN username = ? THEN 0 ELSE 1 END,
+            id ASC
+        """,
+        (username, username),
+    ).fetchall()
+
+
+def import_user_emails(csv_path: Path, db_path: Path) -> dict[str, object]:
+    rows = _load_rows(csv_path)
+    username_counts = Counter(
+        str(row.get("Username") or "").strip().lower()
+        for row in rows
+        if str(row.get("Username") or "").strip()
+    )
+    duplicate_usernames = {
+        username for username, count in username_counts.items() if username and count > 1
+    }
+
+    summary: dict[str, object] = {
+        "csv_path": str(csv_path),
+        "db_path": str(db_path),
+        "source_rows": len(rows),
+        "updated": 0,
+        "unchanged": 0,
+        "missing_email": [],
+        "missing_user": [],
+        "duplicate_source_username": [],
+    }
+
+    with sqlite3.connect(db_path) as conn:
+        conn.row_factory = sqlite3.Row
+        _ensure_email_column(conn)
+
+        for row in rows:
+            username = str(row.get("Username") or "").strip()
+            if not username:
+                continue
+            username_key = username.lower()
+            if username_key in duplicate_usernames:
+                cast_list = summary["duplicate_source_username"]
+                assert isinstance(cast_list, list)
+                if username not in cast_list:
+                    cast_list.append(username)
+                continue
+
+            email = _normalize_email(row.get("Email"))
+            if not email:
+                cast_list = summary["missing_email"]
+                assert isinstance(cast_list, list)
+                cast_list.append(username)
+                continue
+
+            matches = _lookup_user(conn, username)
+            if not matches:
+                cast_list = summary["missing_user"]
+                assert isinstance(cast_list, list)
+                cast_list.append(username)
+                continue
+
+            current_emails = {
+                normalized.lower()
+                for normalized in (_normalize_email(row["email"]) for row in matches)
+                if normalized
+            }
+            if current_emails == {email.lower()}:
+                summary["unchanged"] = int(summary["unchanged"]) + 1
+                continue
+
+            conn.execute(
+                """
+                UPDATE users
+                SET email = ?
+                WHERE username = ? COLLATE NOCASE
+                """,
+                (email, username),
+            )
+            summary["updated"] = int(summary["updated"]) + 1
+
+    summary["missing_email_count"] = len(summary["missing_email"])  # type: ignore[arg-type]
+    summary["missing_user_count"] = len(summary["missing_user"])  # type: ignore[arg-type]
+    summary["duplicate_source_username_count"] = len(summary["duplicate_source_username"])  # type: ignore[arg-type]
+    return summary
+
+
+def main() -> None:
+    parser = argparse.ArgumentParser(description="Import user email addresses into Magent users.")
+    parser.add_argument(
+        "csv_path",
+        nargs="?",
+        default=str(DEFAULT_CSV_PATH),
+        help="CSV file containing Username and Email columns",
+    )
+    parser.add_argument(
+        "--db-path",
+        default=str(DEFAULT_DB_PATH),
+        help="Path to the Magent SQLite database",
+    )
+    args = parser.parse_args()
+    summary = import_user_emails(Path(args.csv_path), Path(args.db_path))
+    print(json.dumps(summary, indent=2, sort_keys=True))
+
+
+if __name__ == "__main__":
+    main()

scripts/process1.ps1

@@ -243,6 +243,10 @@ try {
     $script:CurrentStep = "updating build metadata"
     Update-BuildFiles -BuildNumber $buildNumber
 
+    $script:CurrentStep = "running backend quality gate"
+    powershell -ExecutionPolicy Bypass -File (Join-Path $repoRoot "scripts\run_backend_quality_gate.ps1")
+    Assert-LastExitCode -CommandName "scripts/run_backend_quality_gate.ps1"
+
     $script:CurrentStep = "rebuilding local docker stack"
     docker compose up -d --build
     Assert-LastExitCode -CommandName "docker compose up -d --build"

scripts/run_backend_quality_gate.ps1

@@ -0,0 +1,59 @@
+$ErrorActionPreference = "Stop"
+
+$repoRoot = Resolve-Path "$PSScriptRoot\.."
+Set-Location $repoRoot
+
+function Assert-LastExitCode {
+    param([Parameter(Mandatory = $true)][string]$CommandName)
+
+    if ($LASTEXITCODE -ne 0) {
+        throw "$CommandName failed with exit code $LASTEXITCODE."
+    }
+}
+
+function Get-PythonCommand {
+    $venvPython = Join-Path $repoRoot ".venv\Scripts\python.exe"
+    if (Test-Path $venvPython) {
+        return $venvPython
+    }
+    return "python"
+}
+
+function Ensure-PythonModule {
+    param(
+        [Parameter(Mandatory = $true)][string]$PythonExe,
+        [Parameter(Mandatory = $true)][string]$ModuleName,
+        [Parameter(Mandatory = $true)][string]$PackageName
+    )
+
+    & $PythonExe -c "import importlib.util, sys; sys.exit(0 if importlib.util.find_spec('$ModuleName') else 1)"
+    if ($LASTEXITCODE -eq 0) {
+        return
+    }
+
+    Write-Host "Installing missing Python package: $PackageName"
+    & $PythonExe -m pip install $PackageName
+    Assert-LastExitCode -CommandName "python -m pip install $PackageName"
+}
+
+$pythonExe = Get-PythonCommand
+
+Write-Host "Installing backend Python requirements"
+& $pythonExe -m pip install -r (Join-Path $repoRoot "backend\requirements.txt")
+Assert-LastExitCode -CommandName "python -m pip install -r backend/requirements.txt"
+
+Write-Host "Running Python dependency integrity check"
+& $pythonExe -m pip check
+Assert-LastExitCode -CommandName "python -m pip check"
+
+Ensure-PythonModule -PythonExe $pythonExe -ModuleName "pip_audit" -PackageName "pip-audit"
+
+Write-Host "Running Python vulnerability scan"
+& $pythonExe -m pip_audit -r (Join-Path $repoRoot "backend\requirements.txt") --progress-spinner off --desc
+Assert-LastExitCode -CommandName "python -m pip_audit"
+
+Write-Host "Running backend unit tests"
+& $pythonExe -m unittest discover -s backend/tests -p "test_*.py" -v
+Assert-LastExitCode -CommandName "python -m unittest discover"
+
+Write-Host "Backend quality gate passed"