hardening

2026-05-16 10:44:20 +00:00
40 changed files with 488 additions and 1812 deletions
@@ -1 +0,0 @@
 251260452
@@ -64,10 +64,10 @@ QBIT_URL="http://localhost:8080"
 QBIT_USERNAME="..."
 QBIT_PASSWORD="..."
 SQLITE_PATH="data/magent.db"
-JWT_SECRET="change-me"
+JWT_SECRET="replace-with-a-long-random-secret"
 JWT_EXP_MINUTES="720"
-ADMIN_USERNAME="admin"
+ADMIN_USERNAME="set-a-real-admin-username"
-ADMIN_PASSWORD="adminadmin"
+ADMIN_PASSWORD="set-a-long-unique-admin-password"
 ```
 ## Screenshots
@@ -112,10 +112,10 @@ $env:QBIT_URL="http://localhost:8080"
 $env:QBIT_USERNAME="..."
 $env:QBIT_PASSWORD="..."
 $env:SQLITE_PATH="data/magent.db"
-$env:JWT_SECRET="change-me"
+$env:JWT_SECRET="replace-with-a-long-random-secret"
 $env:JWT_EXP_MINUTES="720"
-$env:ADMIN_USERNAME="admin"
+$env:ADMIN_USERNAME="set-a-real-admin-username"
-$env:ADMIN_PASSWORD="adminadmin"
+$env:ADMIN_PASSWORD="set-a-long-unique-admin-password"
 ```
 ### Frontend (Next.js)
@@ -2,11 +2,8 @@ FROM python:3.12-slim
 WORKDIR /app
 ARG BUILD_NUMBER=dev
 ENV PYTHONDONTWRITEBYTECODE=1 \
-    PYTHONUNBUFFERED=1 \
+    PYTHONUNBUFFERED=1
    SITE_BUILD_NUMBER=${BUILD_NUMBER}
 COPY backend/requirements.txt .
 RUN pip install --no-cache-dir -r requirements.txt
@@ -26,7 +26,7 @@ def triage_snapshot(snapshot: Snapshot) -> TriageResult:
        recommendations.append(
            TriageRecommendation(
                action_id="readd_to_arr",
-                title="Push to Sonarr/Radarr",
+                title="Add it to the library queue",
                reason="Sonarr/Radarr has not created the entry for this request.",
                risk="medium",
            )
@@ -1,28 +1,15 @@
 from typing import Dict, Any
-from fastapi import Depends, HTTPException, status, Request
+from fastapi import Depends, HTTPException, status
 from fastapi.security import OAuth2PasswordBearer
-from .db import get_user_by_username, upsert_user_activity
+from .db import get_user_by_username
 from .security import safe_decode_token, TokenError
 oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/auth/login")
 def _extract_client_ip(request: Request) -> str:
    forwarded = request.headers.get("x-forwarded-for")
    if forwarded:
        parts = [part.strip() for part in forwarded.split(",") if part.strip()]
        if parts:
            return parts[0]
    real_ip = request.headers.get("x-real-ip")
    if real_ip:
        return real_ip.strip()
    if request.client and request.client.host:
        return request.client.host
    return "unknown"
-
+def get_current_user(token: str = Depends(oauth2_scheme)) -> Dict[str, Any]:
 def get_current_user(token: str = Depends(oauth2_scheme), request: Request = None) -> Dict[str, Any]:
    try:
        payload = safe_decode_token(token)
    except TokenError as exc:
@@ -38,11 +25,6 @@ def get_current_user(token: str = Depends(oauth2_scheme), request: Request = Non
    if user.get("is_blocked"):
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="User is blocked")
    if request is not None:
        ip = _extract_client_ip(request)
        user_agent = request.headers.get("user-agent", "unknown")
        upsert_user_activity(user["username"], ip, user_agent)
    return {
        "username": user["username"],
        "role": user["role"],
@@ -58,13 +58,3 @@ class JellyfinClient(ApiClient):
            response = await client.get(url, headers=headers)
            response.raise_for_status()
            return response.json()
    async def refresh_library(self, recursive: bool = True) -> None:
        if not self.base_url or not self.api_key:
            return None
        url = f"{self.base_url}/Library/Refresh"
        headers = {"X-Emby-Token": self.api_key}
        params = {"Recursive": "true" if recursive else "false"}
        async with httpx.AsyncClient(timeout=10.0) as client:
            response = await client.post(url, headers=headers, params=params)
            response.raise_for_status()
@@ -1,6 +1,5 @@
 from typing import Any, Dict, Optional
 import httpx
 import logging
 from .base import ApiClient
@@ -9,7 +8,6 @@ class QBittorrentClient(ApiClient):
        super().__init__(base_url, None)
        self.username = username
        self.password = password
        self.logger = logging.getLogger(__name__)
    def configured(self) -> bool:
        return bool(self.base_url and self.username and self.password)
@@ -74,14 +72,6 @@ class QBittorrentClient(ApiClient):
            raise
    async def add_torrent_url(self, url: str, category: Optional[str] = None) -> None:
        url_host = None
        if isinstance(url, str) and "://" in url:
            url_host = url.split("://", 1)[-1].split("/", 1)[0]
        self.logger.warning(
            "qBittorrent add_torrent_url invoked: category=%s host=%s",
            category,
            url_host or "unknown",
        )
        data: Dict[str, Any] = {"urls": url}
        if category:
            data["category"] = category
@@ -21,9 +21,6 @@ class RadarrClient(ApiClient):
    async def get_queue(self, movie_id: int) -> Optional[Dict[str, Any]]:
        return await self.get("/api/v3/queue", params={"movieId": movie_id})
    async def get_indexers(self) -> Optional[Dict[str, Any]]:
        return await self.get("/api/v3/indexer")
    async def search(self, movie_id: int) -> Optional[Dict[str, Any]]:
        return await self.post("/api/v3/command", payload={"name": "MoviesSearch", "movieIds": [movie_id]})
@@ -46,12 +43,3 @@ class RadarrClient(ApiClient):
    async def grab_release(self, guid: str, indexer_id: int) -> Optional[Dict[str, Any]]:
        return await self.post("/api/v3/release", payload={"guid": guid, "indexerId": indexer_id})
    async def push_release(self, payload: Dict[str, Any]) -> Optional[Dict[str, Any]]:
        return await self.post("/api/v3/release/push", payload=payload)
    async def download_release(self, guid: str, indexer_id: int) -> Optional[Dict[str, Any]]:
        return await self.post(
            "/api/v3/command",
            payload={"name": "DownloadRelease", "guid": guid, "indexerId": indexer_id},
        )
@@ -18,9 +18,6 @@ class SonarrClient(ApiClient):
    async def get_queue(self, series_id: int) -> Optional[Dict[str, Any]]:
        return await self.get("/api/v3/queue", params={"seriesId": series_id})
    async def get_indexers(self) -> Optional[Dict[str, Any]]:
        return await self.get("/api/v3/indexer")
    async def get_episodes(self, series_id: int) -> Optional[Dict[str, Any]]:
        return await self.get("/api/v3/episode", params={"seriesId": series_id})
@@ -53,12 +50,3 @@ class SonarrClient(ApiClient):
    async def grab_release(self, guid: str, indexer_id: int) -> Optional[Dict[str, Any]]:
        return await self.post("/api/v3/release", payload={"guid": guid, "indexerId": indexer_id})
    async def push_release(self, payload: Dict[str, Any]) -> Optional[Dict[str, Any]]:
        return await self.post("/api/v3/release/push", payload=payload)
    async def download_release(self, guid: str, indexer_id: int) -> Optional[Dict[str, Any]]:
        return await self.post(
            "/api/v3/command",
            payload={"name": "DownloadRelease", "guid": guid, "indexerId": indexer_id},
        )
@@ -8,10 +8,10 @@ class Settings(BaseSettings):
    app_name: str = "Magent"
    cors_allow_origin: str = "http://localhost:3000"
    sqlite_path: str = Field(default="data/magent.db", validation_alias=AliasChoices("SQLITE_PATH"))
-    jwt_secret: str = Field(default="change-me", validation_alias=AliasChoices("JWT_SECRET"))
+    jwt_secret: Optional[str] = Field(default=None, validation_alias=AliasChoices("JWT_SECRET"))
    jwt_exp_minutes: int = Field(default=720, validation_alias=AliasChoices("JWT_EXP_MINUTES"))
-    admin_username: str = Field(default="admin", validation_alias=AliasChoices("ADMIN_USERNAME"))
+    admin_username: Optional[str] = Field(default=None, validation_alias=AliasChoices("ADMIN_USERNAME"))
-    admin_password: str = Field(default="adminadmin", validation_alias=AliasChoices("ADMIN_PASSWORD"))
+    admin_password: Optional[str] = Field(default=None, validation_alias=AliasChoices("ADMIN_PASSWORD"))
    log_level: str = Field(default="INFO", validation_alias=AliasChoices("LOG_LEVEL"))
    log_file: str = Field(default="data/magent.log", validation_alias=AliasChoices("LOG_FILE"))
    requests_sync_ttl_minutes: int = Field(
@@ -38,21 +38,6 @@ class Settings(BaseSettings):
    artwork_cache_mode: str = Field(
        default="remote", validation_alias=AliasChoices("ARTWORK_CACHE_MODE")
    )
    site_build_number: Optional[str] = Field(
        default=None, validation_alias=AliasChoices("SITE_BUILD_NUMBER")
    )
    site_banner_enabled: bool = Field(
        default=False, validation_alias=AliasChoices("SITE_BANNER_ENABLED")
    )
    site_banner_message: Optional[str] = Field(
        default=None, validation_alias=AliasChoices("SITE_BANNER_MESSAGE")
    )
    site_banner_tone: str = Field(
        default="info", validation_alias=AliasChoices("SITE_BANNER_TONE")
    )
    site_changelog: Optional[str] = Field(
        default=None, validation_alias=AliasChoices("SITE_CHANGELOG")
    )
    jellyseerr_base_url: Optional[str] = Field(
        default=None, validation_alias=AliasChoices("JELLYSEERR_URL", "JELLYSEERR_BASE_URL")
@@ -85,10 +70,6 @@ class Settings(BaseSettings):
    sonarr_root_folder: Optional[str] = Field(
        default=None, validation_alias=AliasChoices("SONARR_ROOT_FOLDER")
    )
    sonarr_qbittorrent_category: Optional[str] = Field(
        default="sonarr",
        validation_alias=AliasChoices("SONARR_QBITTORRENT_CATEGORY"),
    )
    radarr_base_url: Optional[str] = Field(
        default=None, validation_alias=AliasChoices("RADARR_URL", "RADARR_BASE_URL")
@@ -102,10 +83,6 @@ class Settings(BaseSettings):
    radarr_root_folder: Optional[str] = Field(
        default=None, validation_alias=AliasChoices("RADARR_ROOT_FOLDER")
    )
    radarr_qbittorrent_category: Optional[str] = Field(
        default="radarr",
        validation_alias=AliasChoices("RADARR_QBITTORRENT_CATEGORY"),
    )
    prowlarr_base_url: Optional[str] = Field(
        default=None, validation_alias=AliasChoices("PROWLARR_URL", "PROWLARR_BASE_URL")
@@ -125,7 +102,7 @@ class Settings(BaseSettings):
    )
    discord_webhook_url: Optional[str] = Field(
-        default="https://discord.com/api/webhooks/1464141924775629033/O_rvCAmIKowR04tyAN54IuMPcQFEiT-ustU3udDaMTlF62PmoI6w4-52H3ZQcjgHQOgt",
+        default=None,
        validation_alias=AliasChoices("DISCORD_WEBHOOK_URL"),
    )
@@ -61,9 +61,7 @@ def init_db() -> None:
                auth_provider TEXT NOT NULL DEFAULT 'local',
                created_at TEXT NOT NULL,
                last_login_at TEXT,
-                is_blocked INTEGER NOT NULL DEFAULT 0,
+                is_blocked INTEGER NOT NULL DEFAULT 0
                jellyfin_password_hash TEXT,
                last_jellyfin_auth_at TEXT
            )
            """
        )
@@ -105,32 +103,6 @@ def init_db() -> None:
            ON requests_cache (requested_by_norm)
            """
        )
        conn.execute(
            """
            CREATE TABLE IF NOT EXISTS user_activity (
                id INTEGER PRIMARY KEY AUTOINCREMENT,
                username TEXT NOT NULL,
                ip TEXT NOT NULL,
                user_agent TEXT NOT NULL,
                first_seen_at TEXT NOT NULL,
                last_seen_at TEXT NOT NULL,
                hit_count INTEGER NOT NULL DEFAULT 1,
                UNIQUE(username, ip, user_agent)
            )
            """
        )
        conn.execute(
            """
            CREATE INDEX IF NOT EXISTS idx_user_activity_username
            ON user_activity (username)
            """
        )
        conn.execute(
            """
            CREATE INDEX IF NOT EXISTS idx_user_activity_last_seen
            ON user_activity (last_seen_at)
            """
        )
        try:
            conn.execute("ALTER TABLE users ADD COLUMN last_login_at TEXT")
        except sqlite3.OperationalError:
@@ -143,14 +115,6 @@ def init_db() -> None:
            conn.execute("ALTER TABLE users ADD COLUMN auth_provider TEXT NOT NULL DEFAULT 'local'")
        except sqlite3.OperationalError:
            pass
        try:
            conn.execute("ALTER TABLE users ADD COLUMN jellyfin_password_hash TEXT")
        except sqlite3.OperationalError:
            pass
        try:
            conn.execute("ALTER TABLE users ADD COLUMN last_jellyfin_auth_at TEXT")
        except sqlite3.OperationalError:
            pass
    _backfill_auth_providers()
    ensure_admin_user()
@@ -287,8 +251,7 @@ def get_user_by_username(username: str) -> Optional[Dict[str, Any]]:
    with _connect() as conn:
        row = conn.execute(
            """
-            SELECT id, username, password_hash, role, auth_provider, created_at, last_login_at,
+            SELECT id, username, password_hash, role, auth_provider, created_at, last_login_at, is_blocked
                   is_blocked, jellyfin_password_hash, last_jellyfin_auth_at
            FROM users
            WHERE username = ?
            """,
@@ -305,8 +268,6 @@ def get_user_by_username(username: str) -> Optional[Dict[str, Any]]:
        "created_at": row[5],
        "last_login_at": row[6],
        "is_blocked": bool(row[7]),
        "jellyfin_password_hash": row[8],
        "last_jellyfin_auth_at": row[9],
    }
@@ -370,6 +331,8 @@ def verify_user_password(username: str, password: str) -> Optional[Dict[str, Any
    user = get_user_by_username(username)
    if not user:
        return None
    if user.get("auth_provider") != "local":
        return None
    if not verify_password(password, user["password_hash"]):
        return None
    return user
@@ -386,22 +349,6 @@ def set_user_password(username: str, password: str) -> None:
        )
 def set_jellyfin_auth_cache(username: str, password: str) -> None:
    if not username or not password:
        return
    password_hash = hash_password(password)
    timestamp = datetime.now(timezone.utc).isoformat()
    with _connect() as conn:
        conn.execute(
            """
            UPDATE users
            SET jellyfin_password_hash = ?, last_jellyfin_auth_at = ?
            WHERE username = ?
            """,
            (password_hash, timestamp, username),
        )
 def _backfill_auth_providers() -> None:
    with _connect() as conn:
        rows = conn.execute(
@@ -432,164 +379,6 @@ def _backfill_auth_providers() -> None:
        )
 def upsert_user_activity(username: str, ip: str, user_agent: str) -> None:
    if not username:
        return
    ip_value = ip.strip() if isinstance(ip, str) and ip.strip() else "unknown"
    agent_value = (
        user_agent.strip() if isinstance(user_agent, str) and user_agent.strip() else "unknown"
    )
    timestamp = datetime.now(timezone.utc).isoformat()
    with _connect() as conn:
        conn.execute(
            """
            INSERT INTO user_activity (username, ip, user_agent, first_seen_at, last_seen_at, hit_count)
            VALUES (?, ?, ?, ?, ?, 1)
            ON CONFLICT(username, ip, user_agent)
            DO UPDATE SET last_seen_at = excluded.last_seen_at, hit_count = hit_count + 1
            """,
            (username, ip_value, agent_value, timestamp, timestamp),
        )
 def get_user_activity(username: str, limit: int = 5) -> list[Dict[str, Any]]:
    limit = max(1, min(limit, 20))
    with _connect() as conn:
        rows = conn.execute(
            """
            SELECT ip, user_agent, first_seen_at, last_seen_at, hit_count
            FROM user_activity
            WHERE username = ?
            ORDER BY last_seen_at DESC
            LIMIT ?
            """,
            (username, limit),
        ).fetchall()
    results: list[Dict[str, Any]] = []
    for row in rows:
        results.append(
            {
                "ip": row[0],
                "user_agent": row[1],
                "first_seen_at": row[2],
                "last_seen_at": row[3],
                "hit_count": row[4],
            }
        )
    return results
 def get_user_activity_summary(username: str) -> Dict[str, Any]:
    with _connect() as conn:
        last_row = conn.execute(
            """
            SELECT ip, user_agent, last_seen_at
            FROM user_activity
            WHERE username = ?
            ORDER BY last_seen_at DESC
            LIMIT 1
            """,
            (username,),
        ).fetchone()
        count_row = conn.execute(
            """
            SELECT COUNT(*)
            FROM user_activity
            WHERE username = ?
            """,
            (username,),
        ).fetchone()
    return {
        "last_ip": last_row[0] if last_row else None,
        "last_user_agent": last_row[1] if last_row else None,
        "last_seen_at": last_row[2] if last_row else None,
        "device_count": int(count_row[0] or 0) if count_row else 0,
    }
 def get_user_request_stats(username_norm: str) -> Dict[str, Any]:
    if not username_norm:
        return {
            "total": 0,
            "ready": 0,
            "pending": 0,
            "approved": 0,
            "working": 0,
            "partial": 0,
            "declined": 0,
            "in_progress": 0,
            "last_request_at": None,
        }
    with _connect() as conn:
        total_row = conn.execute(
            """
            SELECT COUNT(*)
            FROM requests_cache
            WHERE requested_by_norm = ?
            """,
            (username_norm,),
        ).fetchone()
        status_rows = conn.execute(
            """
            SELECT status, COUNT(*)
            FROM requests_cache
            WHERE requested_by_norm = ?
            GROUP BY status
            """,
            (username_norm,),
        ).fetchall()
        last_row = conn.execute(
            """
            SELECT MAX(created_at)
            FROM requests_cache
            WHERE requested_by_norm = ?
            """,
            (username_norm,),
        ).fetchone()
    counts = {int(row[0]): int(row[1]) for row in status_rows if row[0] is not None}
    pending = counts.get(1, 0)
    approved = counts.get(2, 0)
    declined = counts.get(3, 0)
    ready = counts.get(4, 0)
    working = counts.get(5, 0)
    partial = counts.get(6, 0)
    in_progress = approved + working + partial
    return {
        "total": int(total_row[0] or 0) if total_row else 0,
        "ready": ready,
        "pending": pending,
        "approved": approved,
        "working": working,
        "partial": partial,
        "declined": declined,
        "in_progress": in_progress,
        "last_request_at": last_row[0] if last_row else None,
    }
 def get_global_request_leader() -> Optional[Dict[str, Any]]:
    with _connect() as conn:
        row = conn.execute(
            """
            SELECT requested_by_norm, MAX(requested_by) as display_name, COUNT(*) as total
            FROM requests_cache
            WHERE requested_by_norm IS NOT NULL AND requested_by_norm != ''
            GROUP BY requested_by_norm
            ORDER BY total DESC
            LIMIT 1
            """
        ).fetchone()
    if not row:
        return None
    return {"username": row[1] or row[0], "total": int(row[2] or 0)}
 def get_global_request_total() -> int:
    with _connect() as conn:
        row = conn.execute("SELECT COUNT(*) FROM requests_cache").fetchone()
    return int(row[0] or 0)
 def upsert_request_cache(
    request_id: int,
    media_id: Optional[int],
@@ -822,22 +611,6 @@ def get_request_cache_count() -> int:
    return int(row[0] or 0)
 def update_request_cache_title(
    request_id: int, title: str, year: Optional[int] = None
 ) -> None:
    if not title:
        return
    with _connect() as conn:
        conn.execute(
            """
            UPDATE requests_cache
            SET title = ?, year = COALESCE(?, year)
            WHERE request_id = ?
            """,
            (title, year, request_id),
        )
 def prune_duplicate_requests_cache() -> int:
    with _connect() as conn:
        cursor = conn.execute(
@@ -1,10 +1,11 @@
 import asyncio
 from contextlib import asynccontextmanager
 from fastapi import FastAPI
 from fastapi.middleware.cors import CORSMiddleware
 from .config import settings
-from .db import init_db, set_setting
+from .db import init_db
 from .routers.requests import (
    router as requests_router,
    startup_warmup_requests_cache,
@@ -18,12 +19,52 @@ from .routers.images import router as images_router
 from .routers.branding import router as branding_router
 from .routers.status import router as status_router
 from .routers.feedback import router as feedback_router
 from .routers.site import router as site_router
 from .services.jellyfin_sync import run_daily_jellyfin_sync
 from .logging_config import configure_logging
 from .runtime import get_runtime_settings
-app = FastAPI(title=settings.app_name)
+
 def validate_security_settings() -> None:
    issues = []
    jwt_secret = (settings.jwt_secret or "").strip()
    admin_username = (settings.admin_username or "").strip()
    admin_password = (settings.admin_password or "").strip()
    if not jwt_secret:
        issues.append("JWT_SECRET is required")
    if not admin_username:
        issues.append("ADMIN_USERNAME is required")
    if not admin_password:
        issues.append("ADMIN_PASSWORD is required")
    if jwt_secret == "change-me":
        issues.append("JWT_SECRET must not use the default placeholder")
    if admin_password == "adminadmin":
        issues.append("ADMIN_PASSWORD must not use the default placeholder")
    if issues:
        raise RuntimeError("Unsafe Magent security configuration: " + "; ".join(issues))
@asynccontextmanager
 async def lifespan(_: FastAPI):
    validate_security_settings()
    init_db()
    runtime = get_runtime_settings()
    configure_logging(runtime.log_level, runtime.log_file)
    background_tasks = [
        asyncio.create_task(run_daily_jellyfin_sync(), name="daily-jellyfin-sync"),
        asyncio.create_task(startup_warmup_requests_cache(), name="startup-warmup-requests-cache"),
        asyncio.create_task(run_requests_delta_loop(), name="requests-delta-loop"),
        asyncio.create_task(run_daily_requests_full_sync(), name="daily-requests-full-sync"),
        asyncio.create_task(run_daily_db_cleanup(), name="daily-db-cleanup"),
    ]
    try:
        yield
    finally:
        for task in background_tasks:
            task.cancel()
        await asyncio.gather(*background_tasks, return_exceptions=True)
 app = FastAPI(title=settings.app_name, lifespan=lifespan)
 app.add_middleware(
    CORSMiddleware,
@@ -38,19 +79,6 @@ app.add_middleware(
 async def health() -> dict:
    return {"status": "ok"}
@app.on_event("startup")
 async def startup() -> None:
    init_db()
    if settings.site_build_number and settings.site_build_number.strip():
        set_setting("site_build_number", settings.site_build_number.strip())
    runtime = get_runtime_settings()
    configure_logging(runtime.log_level, runtime.log_file)
    asyncio.create_task(run_daily_jellyfin_sync())
    asyncio.create_task(startup_warmup_requests_cache())
    asyncio.create_task(run_requests_delta_loop())
    asyncio.create_task(run_daily_requests_full_sync())
    asyncio.create_task(run_daily_db_cleanup())
 app.include_router(requests_router)
 app.include_router(auth_router)
@@ -59,4 +87,3 @@ app.include_router(images_router)
 app.include_router(branding_router)
 app.include_router(status_router)
 app.include_router(feedback_router)
 app.include_router(site_router)
@@ -20,7 +20,6 @@ from ..db import (
    clear_requests_cache,
    clear_history,
    cleanup_history,
    update_request_cache_title,
 )
 from ..runtime import get_runtime_settings
 from ..clients.sonarr import SonarrClient
@@ -57,12 +56,10 @@ SETTING_KEYS: List[str] = [
    "sonarr_api_key",
    "sonarr_quality_profile_id",
    "sonarr_root_folder",
    "sonarr_qbittorrent_category",
    "radarr_base_url",
    "radarr_api_key",
    "radarr_quality_profile_id",
    "radarr_root_folder",
    "radarr_qbittorrent_category",
    "prowlarr_base_url",
    "prowlarr_api_key",
    "qbittorrent_base_url",
@@ -77,11 +74,6 @@ SETTING_KEYS: List[str] = [
    "requests_cleanup_time",
    "requests_cleanup_days",
    "requests_data_source",
    "site_build_number",
    "site_banner_enabled",
    "site_banner_message",
    "site_banner_tone",
    "site_changelog",
 ]
 def _normalize_root_folders(folders: Any) -> List[Dict[str, Any]]:
@@ -282,28 +274,7 @@ async def read_logs(lines: int = 200) -> Dict[str, Any]:
@router.get("/requests/cache")
 async def requests_cache(limit: int = 50) -> Dict[str, Any]:
-    rows = get_request_cache_overview(limit)
+    return {"rows": get_request_cache_overview(limit)}
    missing_titles = [row for row in rows if not row.get("title")]
    if missing_titles:
        runtime = get_runtime_settings()
        client = JellyseerrClient(runtime.jellyseerr_base_url, runtime.jellyseerr_api_key)
        if client.configured():
            for row in missing_titles:
                request_id = row.get("request_id")
                if not isinstance(request_id, int):
                    continue
                details = await requests_router._get_request_details(client, request_id)
                if not isinstance(details, dict):
                    continue
                payload = requests_router._parse_request_payload(details)
                title = payload.get("title")
                if not title:
                    continue
                row["title"] = title
                if payload.get("year"):
                    row["year"] = payload.get("year")
                update_request_cache_title(request_id, title, payload.get("year"))
    return {"rows": rows}
@router.post("/branding/logo")
@@ -1,4 +1,4 @@
-from datetime import datetime, timedelta, timezone
+from secrets import token_urlsafe
 from fastapi import APIRouter, HTTPException, status, Depends
 from fastapi.security import OAuth2PasswordRequestForm
@@ -9,55 +9,26 @@ from ..db import (
    set_last_login,
    get_user_by_username,
    set_user_password,
    set_jellyfin_auth_cache,
    get_user_activity,
    get_user_activity_summary,
    get_user_request_stats,
    get_global_request_leader,
    get_global_request_total,
 )
 from ..runtime import get_runtime_settings
 from ..clients.jellyfin import JellyfinClient
 from ..clients.jellyseerr import JellyseerrClient
-from ..security import create_access_token, verify_password
+from ..security import create_access_token
 from ..auth import get_current_user
 router = APIRouter(prefix="/auth", tags=["auth"])
 def _normalize_username(value: str) -> str:
    return value.strip().lower()
 def _is_recent_jellyfin_auth(last_auth_at: str) -> bool:
    if not last_auth_at:
        return False
    try:
        parsed = datetime.fromisoformat(last_auth_at)
    except ValueError:
        return False
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    age = datetime.now(timezone.utc) - parsed
    return age <= timedelta(days=7)
 def _has_valid_jellyfin_cache(user: dict, password: str) -> bool:
    if not user or not password:
        return False
    cached_hash = user.get("jellyfin_password_hash")
    last_auth_at = user.get("last_jellyfin_auth_at")
    if not cached_hash or not last_auth_at:
        return False
    if not verify_password(password, cached_hash):
        return False
    return _is_recent_jellyfin_auth(last_auth_at)
@router.post("/login")
 async def login(form_data: OAuth2PasswordRequestForm = Depends()) -> dict:
    user = verify_user_password(form_data.username, form_data.password)
    if not user:
        existing = get_user_by_username(form_data.username)
        if existing and existing.get("auth_provider") != "local":
            raise HTTPException(
                status_code=status.HTTP_403_FORBIDDEN,
                detail=f"Use the {existing.get('auth_provider')} sign-in flow for this account",
            )
        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid credentials")
    if user.get("is_blocked"):
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="User is blocked")
@@ -76,25 +47,18 @@ async def jellyfin_login(form_data: OAuth2PasswordRequestForm = Depends()) -> di
    client = JellyfinClient(runtime.jellyfin_base_url, runtime.jellyfin_api_key)
    if not client.configured():
        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Jellyfin not configured")
    username = form_data.username
    password = form_data.password
    user = get_user_by_username(username)
    if user and user.get("is_blocked"):
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="User is blocked")
    if user and _has_valid_jellyfin_cache(user, password):
        token = create_access_token(username, "user")
        set_last_login(username)
        return {"access_token": token, "token_type": "bearer", "user": {"username": username, "role": "user"}}
    try:
-        response = await client.authenticate_by_name(username, password)
+        response = await client.authenticate_by_name(form_data.username, form_data.password)
    except Exception as exc:
        raise HTTPException(status_code=status.HTTP_502_BAD_GATEWAY, detail=str(exc)) from exc
    if not isinstance(response, dict) or not response.get("User"):
        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid Jellyfin credentials")
-    create_user_if_missing(username, "jellyfin-user", role="user", auth_provider="jellyfin")
+    create_user_if_missing(form_data.username, token_urlsafe(32), role="user", auth_provider="jellyfin")
-    user = get_user_by_username(username)
+    user = get_user_by_username(form_data.username)
    if user and user.get("is_blocked"):
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="User is blocked")
    if user and user.get("auth_provider") == "jellyfin":
        set_user_password(form_data.username, token_urlsafe(32))
    try:
        users = await client.get_users()
        if isinstance(users, list):
@@ -103,13 +67,12 @@ async def jellyfin_login(form_data: OAuth2PasswordRequestForm = Depends()) -> di
                    continue
                name = user.get("Name")
                if isinstance(name, str) and name:
-                    create_user_if_missing(name, "jellyfin-user", role="user", auth_provider="jellyfin")
+                    create_user_if_missing(name, token_urlsafe(32), role="user", auth_provider="jellyfin")
    except Exception:
        pass
-    set_jellyfin_auth_cache(username, password)
+    token = create_access_token(form_data.username, "user")
-    token = create_access_token(username, "user")
+    set_last_login(form_data.username)
-    set_last_login(username)
+    return {"access_token": token, "token_type": "bearer", "user": {"username": form_data.username, "role": "user"}}
    return {"access_token": token, "token_type": "bearer", "user": {"username": username, "role": "user"}}
@router.post("/jellyseerr/login")
@@ -125,10 +88,12 @@ async def jellyseerr_login(form_data: OAuth2PasswordRequestForm = Depends()) ->
        raise HTTPException(status_code=status.HTTP_502_BAD_GATEWAY, detail=str(exc)) from exc
    if not isinstance(response, dict):
        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid Jellyseerr credentials")
-    create_user_if_missing(form_data.username, "jellyseerr-user", role="user", auth_provider="jellyseerr")
+    create_user_if_missing(form_data.username, token_urlsafe(32), role="user", auth_provider="jellyseerr")
    user = get_user_by_username(form_data.username)
    if user and user.get("is_blocked"):
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="User is blocked")
    if user and user.get("auth_provider") == "jellyseerr":
        set_user_password(form_data.username, token_urlsafe(32))
    token = create_access_token(form_data.username, "user")
    set_last_login(form_data.username)
    return {"access_token": token, "token_type": "bearer", "user": {"username": form_data.username, "role": "user"}}
@@ -139,32 +104,6 @@ async def me(current_user: dict = Depends(get_current_user)) -> dict:
    return current_user
@router.get("/profile")
 async def profile(current_user: dict = Depends(get_current_user)) -> dict:
    username = current_user.get("username") or ""
    username_norm = _normalize_username(username) if username else ""
    stats = get_user_request_stats(username_norm)
    global_total = get_global_request_total()
    share = (stats.get("total", 0) / global_total) if global_total else 0
    activity_summary = get_user_activity_summary(username) if username else {}
    activity_recent = get_user_activity(username, limit=5) if username else []
    stats_payload = {
        **stats,
        "share": share,
        "global_total": global_total,
    }
    if current_user.get("role") == "admin":
        stats_payload["most_active_user"] = get_global_request_leader()
    return {
        "user": current_user,
        "stats": stats_payload,
        "activity": {
            **activity_summary,
            "recent": activity_recent,
        },
    }
@router.post("/password")
 async def change_password(payload: dict, current_user: dict = Depends(get_current_user)) -> dict:
    if current_user.get("auth_provider") != "local":
@@ -68,7 +68,6 @@ _artwork_prefetch_state: Dict[str, Any] = {
    "finished_at": None,
 }
 _artwork_prefetch_task: Optional[asyncio.Task] = None
 _media_endpoint_supported: Optional[bool] = None
 STATUS_LABELS = {
    1: "Waiting for approval",
@@ -270,17 +269,10 @@ async def _hydrate_title_from_tmdb(
 async def _hydrate_media_details(client: JellyseerrClient, media_id: Optional[int]) -> Optional[Dict[str, Any]]:
    if not media_id:
        return None
    global _media_endpoint_supported
    if _media_endpoint_supported is False:
        return None
    try:
        details = await client.get_media(int(media_id))
-    except httpx.HTTPStatusError as exc:
+    except httpx.HTTPStatusError:
        if exc.response is not None and exc.response.status_code == 405:
            _media_endpoint_supported = False
            logger.info("Jellyseerr media endpoint rejected GET requests; skipping media lookups.")
        return None
    _media_endpoint_supported = True
    return details if isinstance(details, dict) else None
@@ -401,23 +393,14 @@ async def _sync_all_requests(client: JellyseerrClient) -> int:
                continue
            payload = _parse_request_payload(item)
            request_id = payload.get("request_id")
            cached_title = None
            if isinstance(request_id, int):
                if not payload.get("title"):
                    cached = get_request_cache_by_id(request_id)
                    if cached and cached.get("title"):
                        cached_title = cached.get("title")
                if not payload.get("title") or not payload.get("media_id"):
                    logger.debug("Jellyseerr sync hydrate request_id=%s", request_id)
                    details = await _get_request_details(client, request_id)
                    if isinstance(details, dict):
                        payload = _parse_request_payload(details)
                        item = details
-                if (
+                if not payload.get("title") and payload.get("media_id"):
                    not payload.get("title")
                    and payload.get("media_id")
                    and (not payload.get("tmdb_id") or not payload.get("media_type"))
                ):
                    media_details = await _hydrate_media_details(client, payload.get("media_id"))
                    if isinstance(media_details, dict):
                        media_title = media_details.get("title") or media_details.get("name")
@@ -445,7 +428,7 @@ async def _sync_all_requests(client: JellyseerrClient) -> int:
                    if isinstance(details, dict):
                        item = details
                        payload = _parse_request_payload(details)
-                if not payload.get("title") and payload.get("tmdb_id") and payload.get("media_type"):
+                if not payload.get("title") and payload.get("tmdb_id"):
                    hydrated_title, hydrated_year = await _hydrate_title_from_tmdb(
                        client, payload.get("media_type"), payload.get("tmdb_id")
                    )
@@ -453,8 +436,6 @@ async def _sync_all_requests(client: JellyseerrClient) -> int:
                        payload["title"] = hydrated_title
                    if hydrated_year:
                        payload["year"] = hydrated_year
                if not payload.get("title") and cached_title:
                    payload["title"] = cached_title
            if not isinstance(payload.get("request_id"), int):
                continue
            payload_json = json.dumps(item, ensure_ascii=True)
@@ -535,7 +516,6 @@ async def _sync_delta_requests(client: JellyseerrClient) -> int:
            if isinstance(request_id, int):
                cached = get_request_cache_by_id(request_id)
                incoming_updated = payload.get("updated_at")
                cached_title = cached.get("title") if cached else None
                if cached and incoming_updated and cached.get("updated_at") == incoming_updated and cached.get("title"):
                    continue
                if not payload.get("title") or not payload.get("media_id"):
@@ -543,11 +523,7 @@ async def _sync_delta_requests(client: JellyseerrClient) -> int:
                    if isinstance(details, dict):
                        payload = _parse_request_payload(details)
                        item = details
-                if (
+                if not payload.get("title") and payload.get("media_id"):
                    not payload.get("title")
                    and payload.get("media_id")
                    and (not payload.get("tmdb_id") or not payload.get("media_type"))
                ):
                    media_details = await _hydrate_media_details(client, payload.get("media_id"))
                    if isinstance(media_details, dict):
                        media_title = media_details.get("title") or media_details.get("name")
@@ -575,7 +551,7 @@ async def _sync_delta_requests(client: JellyseerrClient) -> int:
                    if isinstance(details, dict):
                        payload = _parse_request_payload(details)
                        item = details
-                if not payload.get("title") and payload.get("tmdb_id") and payload.get("media_type"):
+                if not payload.get("title") and payload.get("tmdb_id"):
                    hydrated_title, hydrated_year = await _hydrate_title_from_tmdb(
                        client, payload.get("media_type"), payload.get("tmdb_id")
                    )
@@ -583,8 +559,6 @@ async def _sync_delta_requests(client: JellyseerrClient) -> int:
                        payload["title"] = hydrated_title
                    if hydrated_year:
                        payload["year"] = hydrated_year
                if not payload.get("title") and cached_title:
                    payload["title"] = cached_title
            if not isinstance(payload.get("request_id"), int):
                continue
            payload_json = json.dumps(item, ensure_ascii=True)
@@ -965,15 +939,15 @@ async def _ensure_request_access(
 ) -> None:
    if user.get("role") == "admin":
        return
    runtime = get_runtime_settings()
    mode = (runtime.requests_data_source or "prefer_cache").lower()
    cached = get_request_cache_payload(request_id)
-    if mode != "always_js" and cached is not None:
+    if cached is not None:
-        logger.debug("access cache hit: request_id=%s mode=%s", request_id, mode)
+        logger.debug("access cache hit: request_id=%s", request_id)
        if _request_matches_user(cached, user.get("username", "")):
            return
        raise HTTPException(status_code=403, detail="Request not accessible for this user")
-    logger.debug("access cache miss: request_id=%s mode=%s", request_id, mode)
+    if not client.configured():
        raise HTTPException(status_code=403, detail="Request access cannot be verified")
    logger.debug("access cache miss: request_id=%s", request_id)
    details = await _get_request_details(client, request_id)
    if details is None or not _request_matches_user(details, user.get("username", "")):
        raise HTTPException(status_code=403, detail="Request not accessible for this user")
@@ -1025,148 +999,6 @@ def _normalize_categories(categories: Any) -> List[str]:
    return names
 def _normalize_indexer_name(value: Optional[str]) -> str:
    if not isinstance(value, str):
        return ""
    return "".join(ch for ch in value.lower().strip() if ch.isalnum())
 def _log_arr_http_error(service_label: str, action: str, exc: httpx.HTTPStatusError) -> None:
    if exc.response is None:
        logger.warning("%s %s failed: %s", service_label, action, exc)
        return
    status = exc.response.status_code
    body = exc.response.text
    if isinstance(body, str):
        body = body.strip()
        if len(body) > 800:
            body = f"{body[:800]}...(truncated)"
    logger.warning("%s %s failed: status=%s body=%s", service_label, action, status, body)
 def _format_rejections(rejections: Any) -> Optional[str]:
    if isinstance(rejections, str):
        return rejections.strip() or None
    if isinstance(rejections, list):
        reasons = []
        for item in rejections:
            reason = None
            if isinstance(item, dict):
                reason = (
                    item.get("reason")
                    or item.get("message")
                    or item.get("errorMessage")
                )
            if not reason and item is not None:
                reason = str(item)
            if isinstance(reason, str) and reason.strip():
                reasons.append(reason.strip())
        if reasons:
            return "; ".join(reasons)
    return None
 def _release_push_accepted(response: Any) -> tuple[bool, Optional[str]]:
    if not isinstance(response, dict):
        return True, None
    rejections = response.get("rejections") or response.get("rejectionReasons")
    reason = _format_rejections(rejections)
    if reason:
        return False, reason
    if response.get("rejected") is True:
        return False, "rejected"
    if response.get("downloadAllowed") is False:
        return False, "download not allowed"
    if response.get("approved") is False:
        return False, "not approved"
    return True, None
 def _resolve_arr_indexer_id(
    indexers: Any, indexer_name: Optional[str], indexer_id: Optional[int], service_label: str
 ) -> Optional[int]:
    if not isinstance(indexers, list):
        return None
    if not indexer_name:
        if indexer_id is None:
            return None
        by_id = next(
            (item for item in indexers if isinstance(item, dict) and item.get("id") == indexer_id),
            None,
        )
        if by_id and by_id.get("id") is not None:
            logger.debug("%s indexer id match: %s", service_label, by_id.get("id"))
            return int(by_id["id"])
        return None
    target = indexer_name.lower().strip()
    target_compact = _normalize_indexer_name(indexer_name)
    exact = next(
        (
            item
            for item in indexers
            if isinstance(item, dict)
            and str(item.get("name", "")).lower().strip() == target
        ),
        None,
    )
    if exact and exact.get("id") is not None:
        logger.debug("%s indexer match: '%s' -> %s", service_label, indexer_name, exact.get("id"))
        return int(exact["id"])
    compact = next(
        (
            item
            for item in indexers
            if isinstance(item, dict)
            and _normalize_indexer_name(str(item.get("name", ""))) == target_compact
        ),
        None,
    )
    if compact and compact.get("id") is not None:
        logger.debug("%s indexer compact match: '%s' -> %s", service_label, indexer_name, compact.get("id"))
        return int(compact["id"])
    contains = next(
        (
            item
            for item in indexers
            if isinstance(item, dict)
            and target in str(item.get("name", "")).lower()
        ),
        None,
    )
    if contains and contains.get("id") is not None:
        logger.debug("%s indexer contains match: '%s' -> %s", service_label, indexer_name, contains.get("id"))
        return int(contains["id"])
    logger.warning(
        "%s indexer not found for name '%s'. Check indexer names in the Arr app.",
        service_label,
        indexer_name,
    )
    return None
 async def _fallback_qbittorrent_download(download_url: Optional[str], category: str) -> bool:
    if not download_url:
        return False
    runtime = get_runtime_settings()
    client = QBittorrentClient(
        runtime.qbittorrent_base_url,
        runtime.qbittorrent_username,
        runtime.qbittorrent_password,
    )
    if not client.configured():
        return False
    await client.add_torrent_url(download_url, category=category)
    return True
 def _resolve_qbittorrent_category(value: Optional[str], default: str) -> str:
    if isinstance(value, str):
        cleaned = value.strip()
        if cleaned:
            return cleaned
    return default
 def _filter_prowlarr_results(results: Any, request_type: RequestType) -> List[Dict[str, Any]]:
    if not isinstance(results, list):
        return []
@@ -1235,8 +1067,7 @@ async def _resolve_root_folder_path(client: Any, root_folder: str, service_name:
 async def get_snapshot(request_id: str, user: Dict[str, str] = Depends(get_current_user)) -> Snapshot:
    runtime = get_runtime_settings()
    client = JellyseerrClient(runtime.jellyseerr_base_url, runtime.jellyseerr_api_key)
-    if client.configured():
+    await _ensure_request_access(client, int(request_id), user)
        await _ensure_request_access(client, int(request_id), user)
    return await build_snapshot(request_id)
@@ -1495,8 +1326,7 @@ async def search_requests(
 async def ai_triage(request_id: str, user: Dict[str, str] = Depends(get_current_user)) -> TriageResult:
    runtime = get_runtime_settings()
    client = JellyseerrClient(runtime.jellyseerr_base_url, runtime.jellyseerr_api_key)
-    if client.configured():
+    await _ensure_request_access(client, int(request_id), user)
        await _ensure_request_access(client, int(request_id), user)
    snapshot = await build_snapshot(request_id)
    return triage_snapshot(snapshot)
@@ -1505,8 +1335,7 @@ async def ai_triage(request_id: str, user: Dict[str, str] = Depends(get_current_
 async def action_search(request_id: str, user: Dict[str, str] = Depends(get_current_user)) -> dict:
    runtime = get_runtime_settings()
    client = JellyseerrClient(runtime.jellyseerr_base_url, runtime.jellyseerr_api_key)
-    if client.configured():
+    await _ensure_request_access(client, int(request_id), user)
        await _ensure_request_access(client, int(request_id), user)
    snapshot = await build_snapshot(request_id)
    prowlarr_results: List[Dict[str, Any]] = []
    prowlarr = ProwlarrClient(runtime.prowlarr_base_url, runtime.prowlarr_api_key)
@@ -1536,8 +1365,7 @@ async def action_search(request_id: str, user: Dict[str, str] = Depends(get_curr
 async def action_search_auto(request_id: str, user: Dict[str, str] = Depends(get_current_user)) -> dict:
    runtime = get_runtime_settings()
    client = JellyseerrClient(runtime.jellyseerr_base_url, runtime.jellyseerr_api_key)
-    if client.configured():
+    await _ensure_request_access(client, int(request_id), user)
        await _ensure_request_access(client, int(request_id), user)
    snapshot = await build_snapshot(request_id)
    arr_item = snapshot.raw.get("arr", {}).get("item")
    if not isinstance(arr_item, dict):
@@ -1586,8 +1414,7 @@ async def action_search_auto(request_id: str, user: Dict[str, str] = Depends(get
 async def action_resume(request_id: str, user: Dict[str, str] = Depends(get_current_user)) -> dict:
    runtime = get_runtime_settings()
    client = JellyseerrClient(runtime.jellyseerr_base_url, runtime.jellyseerr_api_key)
-    if client.configured():
+    await _ensure_request_access(client, int(request_id), user)
        await _ensure_request_access(client, int(request_id), user)
    snapshot = await build_snapshot(request_id)
    queue = snapshot.raw.get("arr", {}).get("queue")
    download_ids = _download_ids(_queue_records(queue))
@@ -1633,8 +1460,7 @@ async def action_resume(request_id: str, user: Dict[str, str] = Depends(get_curr
 async def action_readd(request_id: str, user: Dict[str, str] = Depends(get_current_user)) -> dict:
    runtime = get_runtime_settings()
    client = JellyseerrClient(runtime.jellyseerr_base_url, runtime.jellyseerr_api_key)
-    if client.configured():
+    await _ensure_request_access(client, int(request_id), user)
        await _ensure_request_access(client, int(request_id), user)
    snapshot = await build_snapshot(request_id)
    jelly = snapshot.raw.get("jellyseerr") or {}
    media = jelly.get("media") or {}
@@ -1746,8 +1572,7 @@ async def request_history(
 ) -> dict:
    runtime = get_runtime_settings()
    client = JellyseerrClient(runtime.jellyseerr_base_url, runtime.jellyseerr_api_key)
-    if client.configured():
+    await _ensure_request_access(client, int(request_id), user)
        await _ensure_request_access(client, int(request_id), user)
    snapshots = await asyncio.to_thread(get_recent_snapshots, request_id, limit)
    return {"snapshots": snapshots}
@@ -1758,8 +1583,7 @@ async def request_actions(
 ) -> dict:
    runtime = get_runtime_settings()
    client = JellyseerrClient(runtime.jellyseerr_base_url, runtime.jellyseerr_api_key)
-    if client.configured():
+    await _ensure_request_access(client, int(request_id), user)
        await _ensure_request_access(client, int(request_id), user)
    actions = await asyncio.to_thread(get_recent_actions, request_id, limit)
    return {"actions": actions}
@@ -1770,48 +1594,82 @@ async def action_grab(
 ) -> dict:
    runtime = get_runtime_settings()
    client = JellyseerrClient(runtime.jellyseerr_base_url, runtime.jellyseerr_api_key)
-    if client.configured():
+    await _ensure_request_access(client, int(request_id), user)
        await _ensure_request_access(client, int(request_id), user)
    snapshot = await build_snapshot(request_id)
    guid = payload.get("guid")
    indexer_id = payload.get("indexerId")
    indexer_name = payload.get("indexerName") or payload.get("indexer")
    download_url = payload.get("downloadUrl")
    release_title = payload.get("title")
    release_size = payload.get("size")
    release_protocol = payload.get("protocol") or "torrent"
    release_publish = payload.get("publishDate")
    release_seeders = payload.get("seeders")
    release_leechers = payload.get("leechers")
    if not guid or not indexer_id:
        raise HTTPException(status_code=400, detail="Missing guid or indexerId")
    logger.info(
        "Grab requested: request_id=%s guid=%s indexer_id=%s indexer_name=%s has_download_url=%s has_title=%s",
        request_id,
        guid,
        indexer_id,
        indexer_name,
        bool(download_url),
        bool(release_title),
    )
    runtime = get_runtime_settings()
    if not download_url:
        raise HTTPException(status_code=400, detail="Missing downloadUrl")
    if snapshot.request_type.value == "tv":
-        category = _resolve_qbittorrent_category(runtime.sonarr_qbittorrent_category, "sonarr")
+        client = SonarrClient(runtime.sonarr_base_url, runtime.sonarr_api_key)
        if not client.configured():
            raise HTTPException(status_code=400, detail="Sonarr not configured")
        try:
            response = await client.grab_release(str(guid), int(indexer_id))
        except httpx.HTTPStatusError as exc:
            status_code = exc.response.status_code if exc.response is not None else 502
            if status_code == 404 and download_url:
                qbit = QBittorrentClient(
                    runtime.qbittorrent_base_url,
                    runtime.qbittorrent_username,
                    runtime.qbittorrent_password,
                )
                if not qbit.configured():
                    raise HTTPException(status_code=400, detail="qBittorrent not configured")
                try:
                    await qbit.add_torrent_url(str(download_url), category=f"magent-{request_id}")
                except httpx.HTTPStatusError as qbit_exc:
                    raise HTTPException(status_code=502, detail=str(qbit_exc)) from qbit_exc
                await asyncio.to_thread(
                    save_action,
                    request_id,
                    "grab",
                    "Grab release",
                    "ok",
                    "Sent to qBittorrent via Prowlarr.",
                )
                return {"status": "ok", "message": "Sent to qBittorrent.", "via": "qbittorrent"}
            raise HTTPException(status_code=502, detail=str(exc)) from exc
        await asyncio.to_thread(
            save_action, request_id, "grab", "Grab release", "ok", "Grab sent to Sonarr."
        )
        return {"status": "ok", "response": response}
    if snapshot.request_type.value == "movie":
-        category = _resolve_qbittorrent_category(runtime.radarr_qbittorrent_category, "radarr")
+        client = RadarrClient(runtime.radarr_base_url, runtime.radarr_api_key)
-    if snapshot.request_type.value not in {"tv", "movie"}:
+        if not client.configured():
-        raise HTTPException(status_code=400, detail="Unknown request type")
+            raise HTTPException(status_code=400, detail="Radarr not configured")
-
+        try:
-    qbittorrent_added = await _fallback_qbittorrent_download(download_url, category)
+            response = await client.grab_release(str(guid), int(indexer_id))
-    if not qbittorrent_added:
+        except httpx.HTTPStatusError as exc:
-        raise HTTPException(status_code=400, detail="Failed to add torrent to qBittorrent")
+            status_code = exc.response.status_code if exc.response is not None else 502
-    action_message = f"Grab sent to qBittorrent (category {category})."
+            if status_code == 404 and download_url:
-    await asyncio.to_thread(
+                qbit = QBittorrentClient(
-        save_action, request_id, "grab", "Grab release", "ok", action_message
+                    runtime.qbittorrent_base_url,
-    )
+                    runtime.qbittorrent_username,
-    return {"status": "ok", "response": {"qbittorrent": "queued"}}
+                    runtime.qbittorrent_password,
                )
                if not qbit.configured():
                    raise HTTPException(status_code=400, detail="qBittorrent not configured")
                try:
                    await qbit.add_torrent_url(str(download_url), category=f"magent-{request_id}")
                except httpx.HTTPStatusError as qbit_exc:
                    raise HTTPException(status_code=502, detail=str(qbit_exc)) from qbit_exc
                await asyncio.to_thread(
                    save_action,
                    request_id,
                    "grab",
                    "Grab release",
                    "ok",
                    "Sent to qBittorrent via Prowlarr.",
                )
                return {"status": "ok", "message": "Sent to qBittorrent.", "via": "qbittorrent"}
            raise HTTPException(status_code=502, detail=str(exc)) from exc
        await asyncio.to_thread(
            save_action, request_id, "grab", "Grab release", "ok", "Grab sent to Radarr."
        )
        return {"status": "ok", "response": response}
    raise HTTPException(status_code=400, detail="Unknown request type")
@@ -1,39 +0,0 @@
 from typing import Any, Dict
 from fastapi import APIRouter, Depends
 from ..auth import get_current_user
 from ..runtime import get_runtime_settings
 router = APIRouter(prefix="/site", tags=["site"])
 _BANNER_TONES = {"info", "warning", "error", "maintenance"}
 def _build_site_info(include_changelog: bool) -> Dict[str, Any]:
    runtime = get_runtime_settings()
    banner_message = (runtime.site_banner_message or "").strip()
    tone = (runtime.site_banner_tone or "info").strip().lower()
    if tone not in _BANNER_TONES:
        tone = "info"
    info = {
        "buildNumber": (runtime.site_build_number or "").strip(),
        "banner": {
            "enabled": bool(runtime.site_banner_enabled and banner_message),
            "message": banner_message,
            "tone": tone,
        },
    }
    if include_changelog:
        info["changelog"] = (runtime.site_changelog or "").strip()
    return info
@router.get("/public")
 async def site_public() -> Dict[str, Any]:
    return _build_site_info(False)
@router.get("/info")
 async def site_info(user: Dict[str, Any] = Depends(get_current_user)) -> Dict[str, Any]:
    return _build_site_info(True)
@@ -1,3 +1,4 @@
 import asyncio
 from typing import Any, Dict
 import httpx
 from fastapi import APIRouter, Depends
@@ -38,53 +39,45 @@ async def services_status() -> Dict[str, Any]:
    )
    jellyfin = JellyfinClient(runtime.jellyfin_base_url, runtime.jellyfin_api_key)
-    services = []
+    checks = [
-    services.append(
+        _check(
        await _check(
            "Jellyseerr",
            jellyseerr.configured(),
            lambda: jellyseerr.get_recent_requests(take=1, skip=0),
-        )
+        ),
-    )
+        _check(
    services.append(
        await _check(
            "Sonarr",
            sonarr.configured(),
            sonarr.get_system_status,
-        )
+        ),
-    )
+        _check(
    services.append(
        await _check(
            "Radarr",
            radarr.configured(),
            radarr.get_system_status,
-        )
+        ),
-    )
+        _check(
-    prowlarr_status = await _check(
+            "Prowlarr",
-        "Prowlarr",
+            prowlarr.configured(),
-        prowlarr.configured(),
+            prowlarr.get_health,
-        prowlarr.get_health,
+        ),
-    )
+        _check(
            "qBittorrent",
            qbittorrent.configured(),
            qbittorrent.get_app_version,
        ),
        _check(
            "Jellyfin",
            jellyfin.configured(),
            jellyfin.get_system_info,
        ),
    ]
    services = await asyncio.gather(*checks)
    prowlarr_status = next(service for service in services if service["name"] == "Prowlarr")
    if prowlarr_status.get("status") == "up":
        health = prowlarr_status.get("detail")
        if isinstance(health, list) and health:
            prowlarr_status["status"] = "degraded"
            prowlarr_status["message"] = "Health warnings"
    services.append(prowlarr_status)
    services.append(
        await _check(
            "qBittorrent",
            qbittorrent.configured(),
            qbittorrent.get_app_version,
        )
    )
    services.append(
        await _check(
            "Jellyfin",
            jellyfin.configured(),
            jellyfin.get_system_info,
        )
    )
    overall = "up"
    if any(s.get("status") == "down" for s in services):
@@ -12,7 +12,6 @@ _INT_FIELDS = {
 }
 _BOOL_FIELDS = {
    "jellyfin_sync_to_arr",
    "site_banner_enabled",
 }
@@ -19,6 +19,8 @@ def verify_password(plain_password: str, hashed_password: str) -> bool:
 def create_access_token(subject: str, role: str, expires_minutes: Optional[int] = None) -> str:
    if not settings.jwt_secret:
        raise ValueError("JWT_SECRET is not configured")
    minutes = expires_minutes or settings.jwt_exp_minutes
    expires = datetime.now(timezone.utc) + timedelta(minutes=minutes)
    payload: Dict[str, Any] = {"sub": subject, "role": role, "exp": expires}
@@ -26,6 +28,8 @@ def create_access_token(subject: str, role: str, expires_minutes: Optional[int]
 def decode_token(token: str) -> Dict[str, Any]:
    if not settings.jwt_secret:
        raise ValueError("JWT_SECRET is not configured")
    return jwt.decode(token, settings.jwt_secret, algorithms=[_ALGORITHM])
@@ -11,14 +11,9 @@ from ..clients.radarr import RadarrClient
 from ..clients.prowlarr import ProwlarrClient
 from ..clients.qbittorrent import QBittorrentClient
 from ..runtime import get_runtime_settings
-from ..db import save_snapshot, get_request_cache_payload, get_recent_snapshots, get_setting, set_setting
+from ..db import save_snapshot, get_request_cache_payload
 from ..models import ActionOption, NormalizedState, RequestType, Snapshot, TimelineHop
 logger = logging.getLogger(__name__)
 JELLYFIN_SCAN_COOLDOWN_SECONDS = 300
 _jellyfin_scan_key = "jellyfin_scan_last_at"
 STATUS_LABELS = {
    1: "Waiting for approval",
@@ -46,35 +41,6 @@ def _pick_first(value: Any) -> Optional[Dict[str, Any]]:
    return None
 async def _maybe_refresh_jellyfin(snapshot: Snapshot) -> None:
    if snapshot.state not in {NormalizedState.available, NormalizedState.completed}:
        return
    runtime = get_runtime_settings()
    client = JellyfinClient(runtime.jellyfin_base_url, runtime.jellyfin_api_key)
    if not client.configured():
        return
    last_scan = get_setting(_jellyfin_scan_key)
    if last_scan:
        try:
            parsed = datetime.fromisoformat(last_scan.replace("Z", "+00:00"))
            if (datetime.now(timezone.utc) - parsed).total_seconds() < JELLYFIN_SCAN_COOLDOWN_SECONDS:
                return
        except ValueError:
            pass
    previous = await asyncio.to_thread(get_recent_snapshots, snapshot.request_id, 1)
    if previous:
        prev_state = previous[0].get("state")
        if prev_state in {NormalizedState.available.value, NormalizedState.completed.value}:
            return
    try:
        await client.refresh_library()
    except Exception as exc:
        logger.warning("Jellyfin library refresh failed: %s", exc)
        return
    set_setting(_jellyfin_scan_key, datetime.now(timezone.utc).isoformat())
    logger.info("Jellyfin library refresh triggered: request_id=%s", snapshot.request_id)
 def _queue_records(queue: Any) -> List[Dict[str, Any]]:
    if isinstance(queue, dict):
        records = queue.get("records")
@@ -415,6 +381,10 @@ async def build_snapshot(request_id: str) -> Snapshot:
    if arr_state is None:
        arr_state = "unknown"
    if arr_state == "missing" and media_status_code in {4}:
        arr_state = "available"
    elif arr_state == "missing" and media_status_code in {6}:
        arr_state = "added"
    timeline.append(TimelineHop(service="Sonarr/Radarr", status=arr_state, details=arr_details))
@@ -554,7 +524,7 @@ async def build_snapshot(request_id: str) -> Snapshot:
            snapshot.state_reason = "Waiting for download to start in qBittorrent."
    elif arr_state == "missing" and derived_approved:
        snapshot.state = NormalizedState.needs_add
-        snapshot.state_reason = "Approved, but not yet added to Sonarr/Radarr."
+        snapshot.state_reason = "Approved, but not added to the library yet."
    elif arr_state == "searching":
        snapshot.state = NormalizedState.searching
        snapshot.state_reason = "Searching for a matching release."
@@ -578,7 +548,7 @@ async def build_snapshot(request_id: str) -> Snapshot:
        actions.append(
            ActionOption(
                id="readd_to_arr",
-                label="Push to Sonarr/Radarr",
+                label="Add to the library queue (Sonarr/Radarr)",
                risk="medium",
            )
        )
@@ -634,6 +604,5 @@ async def build_snapshot(request_id: str) -> Snapshot:
        },
    }
    await _maybe_refresh_jellyfin(snapshot)
    await asyncio.to_thread(save_snapshot, snapshot)
    return snapshot
@@ -3,8 +3,6 @@ services:
    build:
      context: .
      dockerfile: backend/Dockerfile
      args:
        BUILD_NUMBER: ${BUILD_NUMBER}
    env_file:
      - ./.env
    ports:
@@ -1,8 +1,15 @@
 'use client'
-import { useCallback, useEffect, useMemo, useState } from 'react'
+import { useEffect, useMemo, useState } from 'react'
 import { useRouter } from 'next/navigation'
-import { authFetch, clearToken, getApiBase, getToken } from '../lib/auth'
+import {
  authFetch,
  authFetchOrThrow,
  ForbiddenError,
  getApiBase,
  getToken,
  UnauthorizedError,
 } from '../lib/auth'
 import AdminShell from '../ui/AdminShell'
 type AdminSetting = {
@@ -29,12 +36,9 @@ const SECTION_LABELS: Record<string, string> = {
  qbittorrent: 'qBittorrent',
  log: 'Activity log',
  requests: 'Request syncing',
  site: 'Site',
 }
-const BOOL_SETTINGS = new Set(['jellyfin_sync_to_arr', 'site_banner_enabled'])
+const BOOL_SETTINGS = new Set(['jellyfin_sync_to_arr'])
 const TEXTAREA_SETTINGS = new Set(['site_banner_message', 'site_changelog'])
 const BANNER_TONES = ['info', 'warning', 'error', 'maintenance']
 const SECTION_DESCRIPTIONS: Record<string, string> = {
  jellyseerr: 'Connect the request system where users submit content.',
@@ -47,7 +51,6 @@ const SECTION_DESCRIPTIONS: Record<string, string> = {
  qbittorrent: 'Downloader connection settings.',
  requests: 'Sync and refresh cadence for requests.',
  log: 'Activity log for troubleshooting.',
  site: 'Sitewide banner, version, and changelog details.',
 }
 const SETTINGS_SECTION_MAP: Record<string, string | null> = {
@@ -62,7 +65,6 @@ const SETTINGS_SECTION_MAP: Record<string, string | null> = {
  cache: null,
  logs: 'log',
  maintenance: null,
  site: 'site',
 }
 const labelFromKey = (key: string) =>
@@ -83,11 +85,6 @@ const labelFromKey = (key: string) =>
    .replace('jellyfin public url', 'Jellyfin public URL')
    .replace('jellyfin sync to arr', 'Sync Jellyfin to Sonarr/Radarr')
    .replace('artwork cache mode', 'Artwork cache mode')
    .replace('site build number', 'Build number')
    .replace('site banner enabled', 'Sitewide banner enabled')
    .replace('site banner message', 'Sitewide banner message')
    .replace('site banner tone', 'Sitewide banner tone')
    .replace('site changelog', 'Changelog text')
 type SettingsPageProps = {
  section: string
@@ -117,19 +114,10 @@ export default function SettingsPage({ section }: SettingsPageProps) {
  const [maintenanceStatus, setMaintenanceStatus] = useState<string | null>(null)
  const [maintenanceBusy, setMaintenanceBusy] = useState(false)
-  const loadSettings = useCallback(async () => {
+  const loadSettings = async () => {
    const baseUrl = getApiBase()
-    const response = await authFetch(`${baseUrl}/admin/settings`)
+    const response = await authFetchOrThrow(`${baseUrl}/admin/settings`)
    if (!response.ok) {
      if (response.status === 401) {
        clearToken()
        router.push('/login')
        return
      }
      if (response.status === 403) {
        router.push('/')
        return
      }
      throw new Error('Failed to load settings')
    }
    const data = await response.json()
@@ -149,9 +137,9 @@ export default function SettingsPage({ section }: SettingsPageProps) {
    }
    setFormValues(initialValues)
    setStatus(null)
-  }, [router])
+  }
-  const loadArtworkPrefetchStatus = useCallback(async () => {
+  const loadArtworkPrefetchStatus = async () => {
    try {
      const baseUrl = getApiBase()
      const response = await authFetch(`${baseUrl}/admin/requests/artwork/status`)
@@ -163,9 +151,10 @@ export default function SettingsPage({ section }: SettingsPageProps) {
    } catch (err) {
      console.error(err)
    }
-  }, [])
+  }
-  const loadOptions = useCallback(async (service: 'sonarr' | 'radarr') => {
+
  const loadOptions = async (service: 'sonarr' | 'radarr') => {
    try {
      const baseUrl = getApiBase()
      const response = await authFetch(`${baseUrl}/admin/${service}/options`)
@@ -194,7 +183,7 @@ export default function SettingsPage({ section }: SettingsPageProps) {
        setRadarrError('Could not load Radarr options.')
      }
    }
-  }, [])
+  }
  useEffect(() => {
    const load = async () => {
@@ -208,6 +197,14 @@ export default function SettingsPage({ section }: SettingsPageProps) {
          await loadArtworkPrefetchStatus()
        }
      } catch (err) {
        if (err instanceof UnauthorizedError) {
          router.push('/login')
          return
        }
        if (err instanceof ForbiddenError) {
          router.push('/')
          return
        }
        console.error(err)
        setStatus('Could not load admin settings.')
      } finally {
@@ -222,7 +219,7 @@ export default function SettingsPage({ section }: SettingsPageProps) {
    if (section === 'radarr') {
      void loadOptions('radarr')
    }
-  }, [loadArtworkPrefetchStatus, loadOptions, loadSettings, router, section])
+  }, [router, section])
  const groupedSettings = useMemo(() => {
    const groups: Record<string, AdminSetting[]> = {}
@@ -280,12 +277,10 @@ export default function SettingsPage({ section }: SettingsPageProps) {
    sonarr_api_key: 'API key for Sonarr.',
    sonarr_quality_profile_id: 'Quality profile used when adding TV shows.',
    sonarr_root_folder: 'Root folder where Sonarr stores TV shows.',
    sonarr_qbittorrent_category: 'qBittorrent category for manual Sonarr downloads.',
    radarr_base_url: 'Radarr server URL for movies.',
    radarr_api_key: 'API key for Radarr.',
    radarr_quality_profile_id: 'Quality profile used when adding movies.',
    radarr_root_folder: 'Root folder where Radarr stores movies.',
    radarr_qbittorrent_category: 'qBittorrent category for manual Radarr downloads.',
    prowlarr_base_url: 'Prowlarr server URL for indexer searches.',
    prowlarr_api_key: 'API key for Prowlarr.',
    qbittorrent_base_url: 'qBittorrent server URL for download status.',
@@ -300,11 +295,6 @@ export default function SettingsPage({ section }: SettingsPageProps) {
    requests_data_source: 'Pick where Magent should read requests from.',
    log_level: 'How much detail is written to the activity log.',
    log_file: 'Where the activity log is stored.',
    site_build_number: 'Build number shown in the account menu (auto-set from releases).',
    site_banner_enabled: 'Enable a sitewide banner for announcements.',
    site_banner_message: 'Short banner message for maintenance or updates.',
    site_banner_tone: 'Visual tone for the banner.',
    site_changelog: 'One update per line for the public changelog.',
  }
  const buildSelectOptions = (
@@ -488,7 +478,7 @@ export default function SettingsPage({ section }: SettingsPageProps) {
      active = false
      clearInterval(timer)
    }
-  }, [artworkPrefetch])
+  }, [artworkPrefetch?.status])
  useEffect(() => {
    if (!artworkPrefetch || artworkPrefetch.status === 'running') {
@@ -498,7 +488,7 @@ export default function SettingsPage({ section }: SettingsPageProps) {
      setArtworkPrefetch(null)
    }, 5000)
    return () => clearTimeout(timer)
-  }, [artworkPrefetch])
+  }, [artworkPrefetch?.status])
  useEffect(() => {
    if (!requestsSync || requestsSync.status !== 'running') {
@@ -526,7 +516,7 @@ export default function SettingsPage({ section }: SettingsPageProps) {
      active = false
      clearInterval(timer)
    }
-  }, [requestsSync])
+  }, [requestsSync?.status])
  useEffect(() => {
    if (!requestsSync || requestsSync.status === 'running') {
@@ -536,9 +526,9 @@ export default function SettingsPage({ section }: SettingsPageProps) {
      setRequestsSync(null)
    }, 5000)
    return () => clearTimeout(timer)
-  }, [requestsSync])
+  }, [requestsSync?.status])
-  const loadLogs = useCallback(async () => {
+  const loadLogs = async () => {
    setLogsStatus(null)
    try {
      const baseUrl = getApiBase()
@@ -563,7 +553,7 @@ export default function SettingsPage({ section }: SettingsPageProps) {
          : 'Could not load logs.'
      setLogsStatus(message)
    }
-  }, [logsCount])
+  }
  useEffect(() => {
    if (!showLogs) {
@@ -574,7 +564,7 @@ export default function SettingsPage({ section }: SettingsPageProps) {
      void loadLogs()
    }, 5000)
    return () => clearInterval(timer)
-  }, [loadLogs, showLogs])
+  }, [logsCount, showLogs])
  const loadCache = async () => {
    setCacheStatus(null)
@@ -714,7 +704,7 @@ export default function SettingsPage({ section }: SettingsPageProps) {
          .map((sectionGroup) => (
          <section key={sectionGroup.key} className="admin-section">
            <div className="section-header">
-              <h2>{sectionGroup.key === 'requests' ? 'Sync controls' : sectionGroup.title}</h2>
+              <h2>{sectionGroup.title}</h2>
              {sectionGroup.key === 'sonarr' && (
                <button type="button" onClick={() => loadOptions('sonarr')}>
                  Refresh Sonarr options
@@ -737,22 +727,17 @@ export default function SettingsPage({ section }: SettingsPageProps) {
                </button>
              ) : null}
              {showRequestsExtras && sectionGroup.key === 'requests' && (
-                <div className="sync-actions-block">
+                <div className="sync-actions">
-                  <div className="sync-actions">
+                  <button type="button" onClick={syncRequests}>
-                    <button type="button" onClick={syncRequests}>
+                    Full refresh
-                      Full refresh (all requests)
+                  </button>
-                    </button>
+                  <button type="button" className="ghost-button" onClick={syncRequestsDelta}>
-                    <button type="button" className="ghost-button" onClick={syncRequestsDelta}>
+                    Quick refresh (new changes)
-                      Quick refresh (delta changes)
+                  </button>
                    </button>
                  </div>
                  <div className="meta sync-note">
                    Full refresh reloads the entire list. Quick refresh only checks recent changes.
                  </div>
                </div>
              )}
            </div>
-            {SECTION_DESCRIPTIONS[sectionGroup.key] && !settingsSection && (
+            {SECTION_DESCRIPTIONS[sectionGroup.key] && (
              <p className="section-subtitle">{SECTION_DESCRIPTIONS[sectionGroup.key]}</p>
            )}
            {sectionGroup.key === 'sonarr' && sonarrError && (
@@ -1028,34 +1013,6 @@ export default function SettingsPage({ section }: SettingsPageProps) {
                    </label>
                  )
                }
                if (setting.key === 'site_banner_tone') {
                  return (
                    <label key={setting.key} data-helper={helperText || undefined}>
                      <span className="label-row">
                        <span>{labelFromKey(setting.key)}</span>
                        <span className="meta">
                          {setting.isSet ? `Source: ${setting.source}` : 'Not set'}
                        </span>
                      </span>
                      <select
                        name={setting.key}
                        value={value || 'info'}
                        onChange={(event) =>
                          setFormValues((current) => ({
                            ...current,
                            [setting.key]: event.target.value,
                          }))
                        }
                      >
                        {BANNER_TONES.map((tone) => (
                          <option key={tone} value={tone}>
                            {tone.charAt(0).toUpperCase() + tone.slice(1)}
                          </option>
                        ))}
                      </select>
                    </label>
                  )
                }
                if (
                  setting.key === 'requests_full_sync_time' ||
                  setting.key === 'requests_cleanup_time'
@@ -1134,35 +1091,6 @@ export default function SettingsPage({ section }: SettingsPageProps) {
                    </label>
                  )
                }
                if (TEXTAREA_SETTINGS.has(setting.key)) {
                  return (
                    <label key={setting.key} data-helper={helperText || undefined}>
                      <span className="label-row">
                        <span>{labelFromKey(setting.key)}</span>
                        <span className="meta">
                          {setting.isSet ? `Source: ${setting.source}` : 'Not set'}
                          {setting.sensitive && setting.isSet ? '  stored' : ''}
                        </span>
                      </span>
                      <textarea
                        name={setting.key}
                        rows={setting.key === 'site_changelog' ? 6 : 3}
                        placeholder={
                          setting.key === 'site_changelog'
                            ? 'One update per line.'
                            : ''
                        }
                        value={value}
                        onChange={(event) =>
                          setFormValues((current) => ({
                            ...current,
                            [setting.key]: event.target.value,
                          }))
                        }
                      />
                    </label>
                  )
                }
                return (
                  <label key={setting.key} data-helper={helperText || undefined}>
                    <span className="label-row">
@@ -13,7 +13,6 @@ const ALLOWED_SECTIONS = new Set([
  'cache',
  'logs',
  'maintenance',
  'site',
 ])
 type PageProps = {
@@ -1,85 +0,0 @@
 'use client'
 import { useEffect, useMemo, useState } from 'react'
 import { useRouter } from 'next/navigation'
 import { authFetch, clearToken, getApiBase, getToken } from '../lib/auth'
 type SiteInfo = {
  changelog?: string
 }
 const parseChangelog = (raw: string) =>
  raw
    .split('\n')
    .map((line) => line.trim())
    .filter(Boolean)
 export default function ChangelogPage() {
  const router = useRouter()
  const [entries, setEntries] = useState<string[]>([])
  const [loading, setLoading] = useState(true)
  useEffect(() => {
    const token = getToken()
    if (!token) {
      router.push('/login')
      return
    }
    let active = true
    const load = async () => {
      try {
        const baseUrl = getApiBase()
        const response = await authFetch(`${baseUrl}/site/info`)
        if (!response.ok) {
          if (response.status === 401) {
            clearToken()
            router.push('/login')
            return
          }
          throw new Error('Failed to load changelog')
        }
        const data: SiteInfo = await response.json()
        if (!active) return
        setEntries(parseChangelog(data?.changelog ?? ''))
      } catch (err) {
        console.error(err)
        if (!active) return
        setEntries([])
      } finally {
        if (active) setLoading(false)
      }
    }
    void load()
    return () => {
      active = false
    }
  }, [router])
  const content = useMemo(() => {
    if (loading) {
      return <div className="loading-text">Loading changelog...</div>
    }
    if (entries.length === 0) {
      return <div className="meta">No updates posted yet.</div>
    }
    return (
      <ul className="changelog-list">
        {entries.map((entry, index) => (
          <li key={`${entry}-${index}`}>{entry}</li>
        ))}
      </ul>
    )
  }, [entries, loading])
  return (
    <div className="page">
      <section className="card changelog-card">
        <div className="changelog-header">
          <h1>Changelog</h1>
          <p className="lede">Latest updates and release notes.</p>
        </div>
        {content}
      </section>
    </div>
  )
 }
@@ -2,7 +2,7 @@
 import { useEffect, useState } from 'react'
 import { useRouter } from 'next/navigation'
-import { authFetch, clearToken, getApiBase, getToken } from '../lib/auth'
+import { authFetchOrThrow, getApiBase, getToken, UnauthorizedError } from '../lib/auth'
 type Profile = {
  username?: string
@@ -24,15 +24,17 @@ export default function FeedbackPage() {
    const load = async () => {
      try {
        const baseUrl = getApiBase()
-        const response = await authFetch(`${baseUrl}/auth/me`)
+        const response = await authFetchOrThrow(`${baseUrl}/auth/me`)
        if (!response.ok) {
-          clearToken()
+          throw new Error('Could not load profile.')
          router.push('/login')
          return
        }
        const data = await response.json()
        setProfile({ username: data?.username })
      } catch (error) {
        if (error instanceof UnauthorizedError) {
          router.push('/login')
          return
        }
        console.error(error)
      }
    }
@@ -49,7 +51,7 @@ export default function FeedbackPage() {
    setSubmitting(true)
    try {
      const baseUrl = getApiBase()
-      const response = await authFetch(`${baseUrl}/feedback`, {
+      const response = await authFetchOrThrow(`${baseUrl}/feedback`, {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({
@@ -58,17 +60,16 @@ export default function FeedbackPage() {
        }),
      })
      if (!response.ok) {
        if (response.status === 401) {
          clearToken()
          router.push('/login')
          return
        }
        const text = await response.text()
        throw new Error(text || `Request failed: ${response.status}`)
      }
      setMessage('')
      setStatus('Thanks! Your message has been sent.')
    } catch (error) {
      if (error instanceof UnauthorizedError) {
        router.push('/login')
        return
      }
      console.error(error)
      setStatus('That did not send. Please try again.')
    } finally {
@@ -175,35 +175,30 @@ body {
  margin-right: auto;
 }
 .signed-in {
  font-size: 12px;
  text-transform: uppercase;
  letter-spacing: 0.08em;
  color: var(--ink-muted);
  padding: 6px 10px;
  border-radius: 999px;
  border: 1px dashed var(--border);
  background: transparent;
  cursor: pointer;
 }
 .signed-in-menu {
  position: relative;
  display: inline-flex;
  align-items: center;
 }
 .avatar-button {
  width: 44px;
  height: 44px;
  border-radius: 50%;
  border: 1px solid rgba(255, 255, 255, 0.12);
  background: linear-gradient(130deg, rgba(28, 107, 255, 0.35), rgba(17, 214, 198, 0.25));
  color: var(--ink);
  font-weight: 700;
  letter-spacing: 0.04em;
  text-transform: uppercase;
  display: inline-flex;
  align-items: center;
  justify-content: center;
  box-shadow: 0 10px 20px rgba(28, 107, 255, 0.25);
  cursor: pointer;
 }
 .signed-in-dropdown {
  position: absolute;
  top: calc(100% + 8px);
  right: 0;
-  width: min(260px, 90vw);
+  min-width: 180px;
-  background: rgba(14, 20, 32, 0.96);
+  background: rgba(14, 20, 32, 0.95);
  border: 1px solid var(--border);
  border-radius: 12px;
  padding: 8px;
@@ -211,50 +206,17 @@ body {
  z-index: 20;
 }
-.signed-in-header {
+.signed-in-dropdown a {
  font-size: 11px;
  letter-spacing: 0.06em;
  text-transform: uppercase;
  color: var(--ink-muted);
  padding: 8px 10px 6px;
  border-bottom: 1px solid rgba(255, 255, 255, 0.08);
 }
 .signed-in-actions {
  display: grid;
  gap: 6px;
  padding: 8px 4px 4px;
 }
 .signed-in-actions a,
 .signed-in-signout {
  display: block;
  padding: 8px 12px;
  border-radius: 10px;
  color: var(--ink);
  text-decoration: none;
-  text-align: left;
+  text-align: center;
  background: rgba(255, 255, 255, 0.05);
  border: 1px solid rgba(255, 255, 255, 0.08);
 }
-.signed-in-signout {
+.signed-in-dropdown a:hover {
-  cursor: pointer;
+  background: rgba(255, 255, 255, 0.08);
  font: inherit;
 }
 .signed-in-actions a:hover,
 .signed-in-signout:hover {
  background: rgba(255, 255, 255, 0.12);
 }
 .signed-in-build {
  margin-top: 6px;
  padding: 6px 10px 8px;
  font-size: 11px;
  color: var(--ink-muted);
  text-align: left;
  letter-spacing: 0.04em;
 }
 .theme-toggle {
@@ -559,73 +521,6 @@ button span {
  margin-top: 4px;
 }
 .profile-grid {
  display: grid;
  gap: 20px;
 }
 .profile-section {
  display: grid;
  gap: 12px;
 }
 .stat-grid {
  display: grid;
  grid-template-columns: repeat(auto-fit, minmax(180px, 1fr));
  gap: 12px;
 }
 .stat-card {
  padding: 14px;
  border-radius: 16px;
  border: 1px solid var(--border);
  background: rgba(255, 255, 255, 0.05);
  display: grid;
  gap: 6px;
 }
 .stat-label {
  font-size: 11px;
  text-transform: uppercase;
  letter-spacing: 0.08em;
  color: var(--ink-muted);
 }
 .stat-value {
  font-size: 20px;
  font-weight: 700;
 }
 .stat-value--small {
  font-size: 14px;
  font-weight: 600;
 }
 .connection-list {
  display: grid;
  gap: 10px;
 }
 .connection-item {
  display: flex;
  justify-content: space-between;
  gap: 12px;
  padding: 12px 14px;
  border-radius: 14px;
  border: 1px solid var(--border);
  background: rgba(255, 255, 255, 0.04);
 }
 .connection-label {
  font-weight: 600;
 }
 .connection-count {
  font-size: 12px;
  color: var(--ink-muted);
  white-space: nowrap;
 }
 .state {
  display: grid;
  gap: 6px;
@@ -752,28 +647,12 @@ button span {
 }
 .user-card {
-  display: grid;
+  display: flex;
-  grid-template-columns: 1fr auto;
+  justify-content: space-between;
-  align-items: start;
+  align-items: center;
  gap: 16px;
 }
 .user-card strong {
  display: block;
  font-size: 16px;
  margin-bottom: 6px;
 }
 .user-meta {
  display: grid;
  gap: 6px;
  font-size: 13px;
 }
 .user-meta .meta {
  display: block;
 }
 .user-actions {
  display: grid;
  gap: 8px;
@@ -1047,17 +926,6 @@ button span {
  flex-wrap: wrap;
 }
 .sync-actions-block {
  display: grid;
  gap: 6px;
  justify-items: end;
  text-align: right;
 }
 .sync-note {
  margin-top: 0;
 }
 .section-header button {
  background: rgba(255, 255, 255, 0.08);
  color: var(--ink);
@@ -1100,49 +968,6 @@ button span {
  border: 1px solid var(--border);
 }
 .site-banner {
  padding: 12px 16px;
  border-radius: 12px;
  border: 1px solid var(--border);
  background: rgba(255, 255, 255, 0.08);
  color: var(--ink);
  font-size: 14px;
 }
 .site-banner--info {
  background: rgba(59, 130, 246, 0.18);
  border-color: rgba(59, 130, 246, 0.4);
 }
 .site-banner--warning {
  background: rgba(255, 200, 87, 0.22);
  border-color: rgba(255, 200, 87, 0.5);
 }
 .site-banner--error {
  background: rgba(255, 59, 48, 0.2);
  border-color: rgba(255, 59, 48, 0.4);
 }
 .site-banner--maintenance {
  background: rgba(255, 107, 43, 0.18);
  border-color: rgba(255, 107, 43, 0.4);
 }
 .site-version {
  position: fixed;
  left: 16px;
  bottom: 12px;
  font-size: 12px;
  letter-spacing: 0.04em;
  color: var(--ink-muted);
  padding: 6px 10px;
  border-radius: 999px;
  border: 1px solid var(--border);
  background: rgba(255, 255, 255, 0.08);
  z-index: 30;
 }
 .recent-header {
  display: flex;
  justify-content: space-between;
@@ -1531,83 +1356,19 @@ button span {
 }
@media (max-width: 720px) {
  .page {
    padding: 28px 18px 60px;
    gap: 24px;
  }
  .header {
    grid-template-columns: 1fr;
    grid-template-rows: auto auto auto;
    align-items: flex-start;
  }
  .header-left {
    width: 100%;
  }
  .brand-link {
    width: 100%;
    gap: 12px;
  }
  .brand-logo--header {
    width: 64px;
    height: 64px;
  }
  .brand {
    font-size: 26px;
  }
  .tagline {
    font-size: 13px;
  }
  .header-right {
    grid-column: 1 / -1;
    justify-content: flex-start;
    width: 100%;
    flex-wrap: wrap;
    gap: 10px;
  }
  .header-nav {
    justify-content: flex-start;
    width: 100%;
  }
  .signed-in-menu {
    margin-left: auto;
  }
  .avatar-button {
    width: 40px;
    height: 40px;
  }
  .signed-in-dropdown {
    right: 0;
    left: auto;
    width: min(260px, 92vw);
  }
  .header-actions {
    width: 100%;
    display: grid;
    grid-template-columns: repeat(2, minmax(0, 1fr));
    gap: 10px;
  }
  .header-actions a,
  .header-actions .header-link {
    font-size: 12px;
    padding: 8px 10px;
  }
  .header-actions .header-cta--left {
    grid-column: 1 / -1;
    margin-right: 0;
  }
  .summary {
@@ -1645,21 +1406,6 @@ button span {
  .cache-row {
    grid-template-columns: 1fr;
  }
  .user-card {
    grid-template-columns: 1fr;
  }
  .connection-item {
    flex-direction: column;
    align-items: flex-start;
  }
 }
@media (max-width: 480px) {
  .header-actions {
    grid-template-columns: 1fr;
  }
 }
 /* Loading spinner */
@@ -1750,91 +1496,6 @@ button span {
  border: 1px solid var(--border);
 }
 .how-step-grid {
  display: grid;
  gap: 16px;
  grid-template-columns: repeat(auto-fit, minmax(240px, 1fr));
 }
 .how-step-card {
  border-radius: 18px;
  padding: 18px;
  border: 1px solid var(--border);
  background: rgba(255, 255, 255, 0.06);
  display: grid;
  gap: 10px;
  position: relative;
  overflow: hidden;
 }
 .how-step-card::before {
  content: '';
  position: absolute;
  inset: 0;
  opacity: 0.35;
  pointer-events: none;
 }
 .step-jellyseerr::before {
  background: linear-gradient(135deg, rgba(255, 187, 92, 0.35), transparent 60%);
 }
 .step-arr::before {
  background: linear-gradient(135deg, rgba(94, 204, 255, 0.35), transparent 60%);
 }
 .step-prowlarr::before {
  background: linear-gradient(135deg, rgba(120, 255, 189, 0.35), transparent 60%);
 }
 .step-qbit::before {
  background: linear-gradient(135deg, rgba(255, 133, 200, 0.35), transparent 60%);
 }
 .step-jellyfin::before {
  background: linear-gradient(135deg, rgba(170, 140, 255, 0.35), transparent 60%);
 }
 .step-badge {
  width: 38px;
  height: 38px;
  border-radius: 50%;
  display: grid;
  place-items: center;
  font-weight: 700;
  background: rgba(255, 255, 255, 0.12);
  border: 1px solid var(--border);
  color: var(--ink);
 }
 .step-note {
  color: var(--ink-muted);
  font-size: 14px;
 }
 .step-fix-title {
  font-size: 13px;
  letter-spacing: 0.08em;
  text-transform: uppercase;
  color: var(--ink-muted);
 }
 .step-fix-list {
  list-style: none;
  display: grid;
  gap: 6px;
  padding: 0;
  margin: 0;
 }
 .step-fix-list li {
  padding: 8px 10px;
  border-radius: 10px;
  background: rgba(255, 255, 255, 0.08);
  border: 1px solid var(--border);
  font-size: 13px;
 }
 .how-callout {
  border-left: 4px solid var(--accent);
  padding: 16px 18px;
@@ -1843,21 +1504,3 @@ button span {
  display: grid;
  gap: 8px;
 }
 .changelog-card {
  gap: 18px;
 }
 .changelog-header {
  display: grid;
  gap: 8px;
 }
 .changelog-list {
  list-style: disc;
  padding-left: 22px;
  display: grid;
  gap: 10px;
  color: var(--ink-muted);
  font-size: 15px;
 }
@@ -75,64 +75,8 @@ export default function HowItWorksPage() {
        </ol>
      </section>
      <section className="how-flow">
        <h2>Steps and fixes (simple and visual)</h2>
        <div className="how-step-grid">
          <article className="how-step-card step-jellyseerr">
            <div className="step-badge">1</div>
            <h3>Request sent</h3>
            <p className="step-note">Jellyseerr holds your request and approval.</p>
            <div className="step-fix-title">Fixes you can try</div>
            <ul className="step-fix-list">
              <li>Add to library queue (if it was approved but never added)</li>
            </ul>
          </article>
          <article className="how-step-card step-arr">
            <div className="step-badge">2</div>
            <h3>Added to the library list</h3>
            <p className="step-note">Sonarr/Radarr decide what quality to get.</p>
            <div className="step-fix-title">Fixes you can try</div>
            <ul className="step-fix-list">
              <li>Search for releases (see options)</li>
              <li>Search and auto-download (let it pick for you)</li>
            </ul>
          </article>
          <article className="how-step-card step-prowlarr">
            <div className="step-badge">3</div>
            <h3>Searching for sources</h3>
            <p className="step-note">Prowlarr checks your torrent providers.</p>
            <div className="step-fix-title">Fixes you can try</div>
            <ul className="step-fix-list">
              <li>Search for releases (show a list to choose)</li>
            </ul>
          </article>
          <article className="how-step-card step-qbit">
            <div className="step-badge">4</div>
            <h3>Downloading the file</h3>
            <p className="step-note">qBittorrent downloads the selected match.</p>
            <div className="step-fix-title">Fixes you can try</div>
            <ul className="step-fix-list">
              <li>Resume download (only if it already exists there)</li>
            </ul>
          </article>
          <article className="how-step-card step-jellyfin">
            <div className="step-badge">5</div>
            <h3>Ready to watch</h3>
            <p className="step-note">Jellyfin shows it in your library.</p>
            <div className="step-fix-title">What to do next</div>
            <ul className="step-fix-list">
              <li>Open in Jellyfin (watch it)</li>
            </ul>
          </article>
        </div>
      </section>
      <section className="how-callout">
-        <h2>Why Magent sometimes says &quot;waiting&quot;</h2>
+        <h2>Why Magent sometimes says “waiting”</h2>
        <p>
          If the search helper cannot find a match yet, Magent will say there is nothing to grab.
          That does not mean it is broken. It usually means the release is not available yet.
@@ -5,7 +5,6 @@ import HeaderIdentity from './ui/HeaderIdentity'
 import ThemeToggle from './ui/ThemeToggle'
 import BrandingFavicon from './ui/BrandingFavicon'
 import BrandingLogo from './ui/BrandingLogo'
 import SiteStatus from './ui/SiteStatus'
 export const metadata = {
  title: 'Magent',
@@ -29,14 +28,13 @@ export default function RootLayout({ children }: { children: ReactNode }) {
              </a>
            </div>
            <div className="header-right">
              <ThemeToggle />
              <HeaderIdentity />
              <ThemeToggle />
            </div>
            <div className="header-nav">
              <HeaderActions />
            </div>
          </header>
          <SiteStatus />
          {children}
        </div>
      </body>
@@ -23,3 +23,37 @@ export const authFetch = (input: RequestInfo | URL, init?: RequestInit) => {
  }
  return fetch(input, { ...init, headers })
 }
 export class UnauthorizedError extends Error {
  constructor() {
    super('Unauthorized')
    this.name = 'UnauthorizedError'
  }
 }
 export class ForbiddenError extends Error {
  constructor() {
    super('Forbidden')
    this.name = 'ForbiddenError'
  }
 }
 export const authFetchOrThrow = async (input: RequestInfo | URL, init?: RequestInit) => {
  const response = await authFetch(input, init)
  if (response.status === 401) {
    clearToken()
    throw new UnauthorizedError()
  }
  if (response.status === 403) {
    throw new ForbiddenError()
  }
  return response
 }
 export const readResponseText = async (response: Response) => {
  try {
    return (await response.text()).trim()
  } catch {
    return ''
  }
 }
@@ -2,7 +2,13 @@
 import { useRouter } from 'next/navigation'
 import { useEffect, useState } from 'react'
-import { authFetch, getApiBase, getToken, clearToken } from './lib/auth'
+import {
  authFetchOrThrow,
  ForbiddenError,
  getApiBase,
  getToken,
  UnauthorizedError,
 } from './lib/auth'
 export default function HomePage() {
  const router = useRouter()
@@ -52,13 +58,8 @@ export default function HomePage() {
      setRecentError(null)
      try {
        const baseUrl = getApiBase()
-        const meResponse = await authFetch(`${baseUrl}/auth/me`)
+        const meResponse = await authFetchOrThrow(`${baseUrl}/auth/me`)
        if (!meResponse.ok) {
          if (meResponse.status === 401) {
            clearToken()
            router.push('/login')
            return
          }
          throw new Error(`Auth failed: ${meResponse.status}`)
        }
        const me = await meResponse.json()
@@ -66,15 +67,10 @@ export default function HomePage() {
        setRole(userRole)
        setAuthReady(true)
        const take = userRole === 'admin' ? 50 : 6
-        const response = await authFetch(
+        const response = await authFetchOrThrow(
          `${baseUrl}/requests/recent?take=${take}&days=${recentDays}`
        )
        if (!response.ok) {
          if (response.status === 401) {
            clearToken()
            router.push('/login')
            return
          }
          throw new Error(`Recent requests failed: ${response.status}`)
        }
        const data = await response.json()
@@ -99,6 +95,14 @@ export default function HomePage() {
          )
        }
      } catch (error) {
        if (error instanceof UnauthorizedError) {
          router.push('/login')
          return
        }
        if (error instanceof ForbiddenError) {
          router.push('/')
          return
        }
        console.error(error)
        setRecentError('Recent requests are not available right now.')
      } finally {
@@ -107,7 +111,7 @@ export default function HomePage() {
    }
    load()
-  }, [recentDays])
+  }, [recentDays, router])
  useEffect(() => {
    if (!authReady) {
@@ -118,18 +122,21 @@ export default function HomePage() {
      setServicesError(null)
      try {
        const baseUrl = getApiBase()
-        const response = await authFetch(`${baseUrl}/status/services`)
+        const response = await authFetchOrThrow(`${baseUrl}/status/services`)
        if (!response.ok) {
          if (response.status === 401) {
            clearToken()
            router.push('/login')
            return
          }
          throw new Error(`Service status failed: ${response.status}`)
        }
        const data = await response.json()
        setServicesStatus(data)
      } catch (error) {
        if (error instanceof UnauthorizedError) {
          router.push('/login')
          return
        }
        if (error instanceof ForbiddenError) {
          router.push('/')
          return
        }
        console.error(error)
        setServicesError('Service status is not available right now.')
      } finally {
@@ -145,13 +152,8 @@ export default function HomePage() {
  const runSearch = async (term: string) => {
    try {
      const baseUrl = getApiBase()
-      const response = await authFetch(`${baseUrl}/requests/search?query=${encodeURIComponent(term)}`)
+      const response = await authFetchOrThrow(`${baseUrl}/requests/search?query=${encodeURIComponent(term)}`)
      if (!response.ok) {
        if (response.status === 401) {
          clearToken()
          router.push('/login')
          return
        }
        throw new Error(`Search failed: ${response.status}`)
      }
      const data = await response.json()
@@ -168,6 +170,14 @@ export default function HomePage() {
        setSearchError(null)
      }
    } catch (error) {
      if (error instanceof UnauthorizedError) {
        router.push('/login')
        return
      }
      if (error instanceof ForbiddenError) {
        router.push('/')
        return
      }
      console.error(error)
      setSearchError('Search failed. Try a request ID instead.')
      setSearchResults([])
@@ -2,7 +2,13 @@
 import { useEffect, useState } from 'react'
 import { useRouter } from 'next/navigation'
-import { authFetch, clearToken, getApiBase, getToken } from '../lib/auth'
+import {
  authFetchOrThrow,
  getApiBase,
  getToken,
  readResponseText,
  UnauthorizedError,
 } from '../lib/auth'
 type ProfileInfo = {
  username: string
@@ -10,65 +16,9 @@ type ProfileInfo = {
  auth_provider: string
 }
 type ProfileStats = {
  total: number
  ready: number
  pending: number
  in_progress: number
  declined: number
  working: number
  partial: number
  approved: number
  last_request_at?: string | null
  share: number
  global_total: number
  most_active_user?: { username: string; total: number } | null
 }
 type ActivityEntry = {
  ip: string
  user_agent: string
  first_seen_at: string
  last_seen_at: string
  hit_count: number
 }
 type ProfileActivity = {
  last_ip?: string | null
  last_user_agent?: string | null
  last_seen_at?: string | null
  device_count: number
  recent: ActivityEntry[]
 }
 type ProfileResponse = {
  user: ProfileInfo
  stats: ProfileStats
  activity: ProfileActivity
 }
 const formatDate = (value?: string | null) => {
  if (!value) return 'Never'
  const date = new Date(value)
  if (Number.isNaN(date.valueOf())) return value
  return date.toLocaleString()
 }
 const parseBrowser = (agent?: string | null) => {
  if (!agent) return 'Unknown'
  const value = agent.toLowerCase()
  if (value.includes('edg/')) return 'Edge'
  if (value.includes('chrome/') && !value.includes('edg/')) return 'Chrome'
  if (value.includes('firefox/')) return 'Firefox'
  if (value.includes('safari/') && !value.includes('chrome/')) return 'Safari'
  return 'Unknown'
 }
 export default function ProfilePage() {
  const router = useRouter()
  const [profile, setProfile] = useState<ProfileInfo | null>(null)
  const [stats, setStats] = useState<ProfileStats | null>(null)
  const [activity, setActivity] = useState<ProfileActivity | null>(null)
  const [currentPassword, setCurrentPassword] = useState('')
  const [newPassword, setNewPassword] = useState('')
  const [status, setStatus] = useState<string | null>(null)
@@ -82,22 +32,22 @@ export default function ProfilePage() {
    const load = async () => {
      try {
        const baseUrl = getApiBase()
-        const response = await authFetch(`${baseUrl}/auth/profile`)
+        const response = await authFetchOrThrow(`${baseUrl}/auth/me`)
        if (!response.ok) {
          clearToken()
          router.push('/login')
          return
        }
        const data = await response.json()
        const user = data?.user ?? {}
        setProfile({
-          username: user?.username ?? 'Unknown',
+          username: data?.username ?? 'Unknown',
-          role: user?.role ?? 'user',
+          role: data?.role ?? 'user',
-          auth_provider: user?.auth_provider ?? 'local',
+          auth_provider: data?.auth_provider ?? 'local',
        })
        setStats(data?.stats ?? null)
        setActivity(data?.activity ?? null)
      } catch (err) {
        if (err instanceof UnauthorizedError) {
          router.push('/login')
          return
        }
        console.error(err)
        setStatus('Could not load your profile.')
      } finally {
@@ -116,7 +66,7 @@ export default function ProfilePage() {
    }
    try {
      const baseUrl = getApiBase()
-      const response = await authFetch(`${baseUrl}/auth/password`, {
+      const response = await authFetchOrThrow(`${baseUrl}/auth/password`, {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({
@@ -125,13 +75,17 @@ export default function ProfilePage() {
        }),
      })
      if (!response.ok) {
-        const text = await response.text()
+        const text = await readResponseText(response)
        throw new Error(text || 'Update failed')
      }
      setCurrentPassword('')
      setNewPassword('')
      setStatus('Password updated.')
    } catch (err) {
      if (err instanceof UnauthorizedError) {
        router.push('/login')
        return
      }
      console.error(err)
      setStatus('Could not update password. Check your current password.')
    }
@@ -150,78 +104,6 @@ export default function ProfilePage() {
          {profile.auth_provider}.
        </div>
      )}
      <div className="profile-grid">
        <section className="profile-section">
          <h2>Account stats</h2>
          <div className="stat-grid">
            <div className="stat-card">
              <div className="stat-label">Requests submitted</div>
              <div className="stat-value">{stats?.total ?? 0}</div>
            </div>
            <div className="stat-card">
              <div className="stat-label">Ready to watch</div>
              <div className="stat-value">{stats?.ready ?? 0}</div>
            </div>
            <div className="stat-card">
              <div className="stat-label">In progress</div>
              <div className="stat-value">{stats?.in_progress ?? 0}</div>
            </div>
            <div className="stat-card">
              <div className="stat-label">Pending approval</div>
              <div className="stat-value">{stats?.pending ?? 0}</div>
            </div>
            <div className="stat-card">
              <div className="stat-label">Declined</div>
              <div className="stat-value">{stats?.declined ?? 0}</div>
            </div>
            <div className="stat-card">
              <div className="stat-label">Last request</div>
              <div className="stat-value stat-value--small">
                {formatDate(stats?.last_request_at)}
              </div>
            </div>
            <div className="stat-card">
              <div className="stat-label">Share of all requests</div>
              <div className="stat-value">
                {stats?.global_total
                  ? `${Math.round((stats.share || 0) * 1000) / 10}%`
                  : '0%'}
              </div>
            </div>
            {profile?.role === 'admin' ? (
              <div className="stat-card">
                <div className="stat-label">Most active user</div>
                <div className="stat-value stat-value--small">
                  {stats?.most_active_user
                    ? `${stats.most_active_user.username} (${stats.most_active_user.total})`
                    : 'N/A'}
                </div>
              </div>
            ) : null}
          </div>
        </section>
        <section className="profile-section">
          <h2>Connection history</h2>
          <div className="status-banner">
            Last seen {formatDate(activity?.last_seen_at)} from {activity?.last_ip ?? 'Unknown'}.
          </div>
          <div className="connection-list">
            {(activity?.recent ?? []).map((entry, index) => (
              <div key={`${entry.ip}-${entry.last_seen_at}-${index}`} className="connection-item">
                <div>
                  <div className="connection-label">{parseBrowser(entry.user_agent)}</div>
                  <div className="meta">IP: {entry.ip}</div>
                  <div className="meta">Last seen: {formatDate(entry.last_seen_at)}</div>
                </div>
                <div className="connection-count">{entry.hit_count} visits</div>
              </div>
            ))}
            {activity && activity.recent.length === 0 ? (
              <div className="status-banner">No connection history yet.</div>
            ) : null}
          </div>
        </section>
      </div>
      {profile?.auth_provider !== 'local' ? (
        <div className="status-banner">
          Password changes are only available for local Magent accounts.
@@ -1,9 +1,16 @@
 'use client'
 import Image from 'next/image'
 import { useEffect, useState } from 'react'
 import { useRouter } from 'next/navigation'
-import { authFetch, clearToken, getApiBase, getToken } from '../../lib/auth'
+import {
  authFetch,
  authFetchOrThrow,
  clearToken,
  getApiBase,
  getToken,
  readResponseText,
  UnauthorizedError,
 } from '../../lib/auth'
 type TimelineHop = {
  service: string
@@ -34,7 +41,6 @@ type ReleaseOption = {
  seeders?: number
  leechers?: number
  protocol?: string
  publishDate?: string
  infoUrl?: string
  downloadUrl?: string
 }
@@ -125,7 +131,7 @@ const friendlyState = (value: string) => {
  const map: Record<string, string> = {
    REQUESTED: 'Waiting for approval',
    APPROVED: 'Approved and queued',
-    NEEDS_ADD: 'Push to Sonarr/Radarr',
+    NEEDS_ADD: 'Needs adding to the library',
    ADDED_TO_ARR: 'Added to the library queue',
    SEARCHING: 'Searching for releases',
    GRABBED: 'Download queued',
@@ -157,7 +163,7 @@ const friendlyTimelineStatus = (service: string, status: string) => {
  }
  if (service === 'Sonarr/Radarr') {
    const map: Record<string, string> = {
-      missing: 'Push to Sonarr/Radarr',
+      missing: 'Not added yet',
      added: 'Added to the library queue',
      searching: 'Searching for releases',
      available: 'Ready to watch',
@@ -252,7 +258,7 @@ export default function RequestTimelinePage({ params }: { params: { id: string }
    }
    load()
-  }, [params.id, router])
+  }, [params.id])
  if (loading) {
    return (
@@ -276,11 +282,9 @@ export default function RequestTimelinePage({ params }: { params: { id: string }
  const downloadHop = snapshot.timeline.find((hop) => hop.service === 'qBittorrent')
  const downloadState = downloadHop?.details?.summary ?? downloadHop?.status ?? 'Unknown'
  const jellyfinAvailable = Boolean(snapshot.raw?.jellyfin?.available)
  const arrStageLabel =
    snapshot.state === 'NEEDS_ADD' ? 'Push to Sonarr/Radarr' : 'Library queue'
  const pipelineSteps = [
    { key: 'Jellyseerr', label: 'Jellyseerr' },
-    { key: 'Sonarr/Radarr', label: arrStageLabel },
+    { key: 'Sonarr/Radarr', label: 'Library queue' },
    { key: 'Prowlarr', label: 'Search' },
    { key: 'qBittorrent', label: 'Download' },
    { key: 'Jellyfin', label: 'Jellyfin' },
@@ -312,14 +316,11 @@ export default function RequestTimelinePage({ params }: { params: { id: string }
      <div className="request-header">
        <div className="request-header-main">
          {resolvedPoster && (
-            <Image
+            <img
              className="request-poster"
              src={resolvedPoster}
              alt={`${snapshot.title} poster`}
-              width={90}
+              loading="lazy"
              height={135}
              sizes="90px"
              unoptimized
            />
          )}
          <div>
@@ -509,16 +510,11 @@ export default function RequestTimelinePage({ params }: { params: { id: string }
                  setModalMessage(null)
                }
                try {
-                  const response = await authFetch(`${baseUrl}/requests/${snapshot.request_id}/${path}`, {
+                  const response = await authFetchOrThrow(`${baseUrl}/requests/${snapshot.request_id}/${path}`, {
                    method: 'POST',
                  })
                  if (!response.ok) {
-                    if (response.status === 401) {
+                    const text = await readResponseText(response)
                      clearToken()
                      router.push('/login')
                      return
                    }
                    const text = await response.text()
                    throw new Error(text || `Request failed: ${response.status}`)
                  }
                  const data = await response.json()
@@ -545,6 +541,10 @@ export default function RequestTimelinePage({ params }: { params: { id: string }
                    setModalMessage(message)
                  }
                } catch (error) {
                  if (error instanceof UnauthorizedError) {
                    router.push('/login')
                    return
                  }
                  console.error(error)
                  const message = `${action.label} failed. Check the backend logs.`
                  setActionMessage(message)
@@ -589,7 +589,7 @@ export default function RequestTimelinePage({ params }: { params: { id: string }
                      if (!ok) return
                      const baseUrl = getApiBase()
                      try {
-                        const response = await authFetch(
+                        const response = await authFetchOrThrow(
                          `${baseUrl}/requests/${snapshot.request_id}/actions/grab`,
                          {
                            method: 'POST',
@@ -597,29 +597,21 @@ export default function RequestTimelinePage({ params }: { params: { id: string }
                            body: JSON.stringify({
                              guid: release.guid,
                              indexerId: release.indexerId,
                              indexerName: release.indexer,
                              downloadUrl: release.downloadUrl,
                              title: release.title,
                              size: release.size,
                              protocol: release.protocol,
                              publishDate: release.publishDate,
                              seeders: release.seeders,
                              leechers: release.leechers,
                            }),
                          }
                        )
                        if (!response.ok) {
-                          if (response.status === 401) {
+                          const text = await readResponseText(response)
                            clearToken()
                            router.push('/login')
                            return
                          }
                          const text = await response.text()
                          throw new Error(text || `Request failed: ${response.status}`)
                        }
-                        setActionMessage('Download sent to qBittorrent.')
+                        setActionMessage('Download sent to Sonarr/Radarr.')
-                        setModalMessage('Download sent to qBittorrent.')
+                        setModalMessage('Download sent to Sonarr/Radarr.')
                      } catch (error) {
                        if (error instanceof UnauthorizedError) {
                          router.push('/login')
                          return
                        }
                        console.error(error)
                        const message = 'Download failed. Check the logs.'
                        setActionMessage(message)
@@ -25,7 +25,6 @@ const NAV_GROUPS = [
  {
    title: 'Admin',
    items: [
      { href: '/admin/site', label: 'Site' },
      { href: '/users', label: 'Users' },
      { href: '/admin/logs', label: 'Activity log' },
      { href: '/admin/maintenance', label: 'Maintenance' },
@@ -32,6 +32,14 @@ export default function HeaderActions() {
    void load()
  }, [])
  const signOut = () => {
    clearToken()
    setSignedIn(false)
    if (typeof window !== 'undefined') {
      window.location.href = '/login'
    }
  }
  if (!signedIn) {
    return null
  }
@@ -41,7 +49,11 @@ export default function HeaderActions() {
      <a className="header-cta header-cta--left" href="/feedback">Send feedback</a>
      <a href="/">Requests</a>
      <a href="/how-it-works">How it works</a>
      <a href="/profile">My profile</a>
      {role === 'admin' && <a href="/admin">Settings</a>}
      <button type="button" className="header-link" onClick={signOut}>
        Sign out
      </button>
    </div>
  )
 }
@@ -1,41 +1,35 @@
 'use client'
 import { useEffect, useState } from 'react'
-import { authFetch, clearToken, getApiBase, getToken } from '../lib/auth'
+import { authFetchOrThrow, getApiBase, getToken, UnauthorizedError } from '../lib/auth'
 export default function HeaderIdentity() {
-  const [identity, setIdentity] = useState<{ username: string; role?: string } | null>(null)
+  const [identity, setIdentity] = useState<string | null>(null)
  const [buildNumber, setBuildNumber] = useState<string | null>(null)
  const [open, setOpen] = useState(false)
  useEffect(() => {
    const token = getToken()
    if (!token) {
      setIdentity(null)
      setBuildNumber(null)
      return
    }
    const load = async () => {
      try {
        const baseUrl = getApiBase()
-        const response = await authFetch(`${baseUrl}/auth/me`)
+        const response = await authFetchOrThrow(`${baseUrl}/auth/me`)
        if (!response.ok) {
          clearToken()
          setIdentity(null)
          return
        }
        const data = await response.json()
        if (data?.username) {
-          setIdentity({ username: data.username, role: data.role })
+          setIdentity(`${data.username}${data.role ? ` (${data.role})` : ''}`)
        }
        const siteResponse = await fetch(`${baseUrl}/site/public`)
        if (siteResponse.ok) {
          const siteInfo = await siteResponse.json()
          if (siteInfo?.buildNumber) {
            setBuildNumber(siteInfo.buildNumber)
          }
        }
      } catch (err) {
        if (err instanceof UnauthorizedError) {
          setIdentity(null)
          return
        }
        console.error(err)
        setIdentity(null)
      }
@@ -47,42 +41,14 @@ export default function HeaderIdentity() {
    return null
  }
  const label = `${identity.username}${identity.role ? ` (${identity.role})` : ''}`
  const initial = identity.username.slice(0, 1).toUpperCase()
  const signOut = () => {
    clearToken()
    if (typeof window !== 'undefined') {
      window.location.href = '/login'
    }
  }
  return (
    <div className="signed-in-menu">
-      <button
+      <button type="button" className="signed-in" onClick={() => setOpen((prev) => !prev)}>
-        type="button"
+        Signed in as {identity}
        className="avatar-button"
        onClick={() => setOpen((prev) => !prev)}
        aria-haspopup="true"
        aria-expanded={open}
        title={label}
      >
        {initial}
      </button>
      {open && (
        <div className="signed-in-dropdown">
-          <div className="signed-in-header">Signed in as {label}</div>
+          <a href="/profile">My profile</a>
          <div className="signed-in-actions">
            <a href="/profile" onClick={() => setOpen(false)}>
              My profile
            </a>
            <a href="/changelog" onClick={() => setOpen(false)}>
              Changelog
            </a>
            <button type="button" className="signed-in-signout" onClick={signOut}>
              Sign out
            </button>
          </div>
          {buildNumber ? <div className="signed-in-build">Build {buildNumber}</div> : null}
        </div>
      )}
    </div>
@@ -1,62 +0,0 @@
 'use client'
 import { useEffect, useState } from 'react'
 import { authFetch, clearToken, getApiBase, getToken } from '../lib/auth'
 type BannerInfo = {
  enabled: boolean
  message: string
  tone?: string
 }
 type SiteInfo = {
  buildNumber?: string
  banner?: BannerInfo
 }
 const buildRequest = () => {
  const token = getToken()
  const baseUrl = getApiBase()
  const url = token ? `${baseUrl}/site/info` : `${baseUrl}/site/public`
  const fetcher = token ? authFetch : fetch
  return { token, url, fetcher }
 }
 export default function SiteStatus() {
  const [info, setInfo] = useState<SiteInfo | null>(null)
  useEffect(() => {
    let active = true
    const load = async () => {
      try {
        const { token, url, fetcher } = buildRequest()
        const response = await fetcher(url)
        if (!response.ok) {
          if (response.status === 401 && token) {
            clearToken()
          }
          return
        }
        const data = await response.json()
        if (!active) return
        setInfo(data)
      } catch (err) {
        console.error(err)
      }
    }
    void load()
    return () => {
      active = false
    }
  }, [])
  const banner = info?.banner
  const tone = banner?.tone || 'info'
  return (
    <>
      {banner?.enabled && banner.message ? (
        <div className={`site-banner site-banner--${tone}`}>{banner.message}</div>
      ) : null}
    </>
  )
 }
@@ -2,7 +2,13 @@
 import { useEffect, useState } from 'react'
 import { useRouter } from 'next/navigation'
-import { authFetch, clearToken, getApiBase, getToken } from '../lib/auth'
+import {
  authFetchOrThrow,
  ForbiddenError,
  getApiBase,
  getToken,
  UnauthorizedError,
 } from '../lib/auth'
 import AdminShell from '../ui/AdminShell'
 type AdminUser = {
@@ -29,17 +35,8 @@ export default function UsersPage() {
  const loadUsers = async () => {
    try {
      const baseUrl = getApiBase()
-      const response = await authFetch(`${baseUrl}/admin/users`)
+      const response = await authFetchOrThrow(`${baseUrl}/admin/users`)
      if (!response.ok) {
        if (response.status === 401) {
          clearToken()
          router.push('/login')
          return
        }
        if (response.status === 403) {
          router.push('/')
          return
        }
        throw new Error('Could not load users.')
      }
      const data = await response.json()
@@ -58,6 +55,14 @@ export default function UsersPage() {
      }
      setError(null)
    } catch (err) {
      if (err instanceof UnauthorizedError) {
        router.push('/login')
        return
      }
      if (err instanceof ForbiddenError) {
        router.push('/')
        return
      }
      console.error(err)
      setError('Could not load user list.')
    } finally {
@@ -68,7 +73,7 @@ export default function UsersPage() {
  const toggleUserBlock = async (username: string, blocked: boolean) => {
    try {
      const baseUrl = getApiBase()
-      const response = await authFetch(
+      const response = await authFetchOrThrow(
        `${baseUrl}/admin/users/${encodeURIComponent(username)}/${blocked ? 'block' : 'unblock'}`,
        { method: 'POST' }
      )
@@ -77,6 +82,14 @@ export default function UsersPage() {
      }
      await loadUsers()
    } catch (err) {
      if (err instanceof UnauthorizedError) {
        router.push('/login')
        return
      }
      if (err instanceof ForbiddenError) {
        router.push('/')
        return
      }
      console.error(err)
      setError('Could not update user access.')
    }
@@ -85,7 +98,7 @@ export default function UsersPage() {
  const updateUserRole = async (username: string, role: string) => {
    try {
      const baseUrl = getApiBase()
-      const response = await authFetch(
+      const response = await authFetchOrThrow(
        `${baseUrl}/admin/users/${encodeURIComponent(username)}/role`,
        {
          method: 'POST',
@@ -98,6 +111,14 @@ export default function UsersPage() {
      }
      await loadUsers()
    } catch (err) {
      if (err instanceof UnauthorizedError) {
        router.push('/login')
        return
      }
      if (err instanceof ForbiddenError) {
        router.push('/')
        return
      }
      console.error(err)
      setError('Could not update user role.')
    }
@@ -136,11 +157,9 @@ export default function UsersPage() {
              <div key={user.username} className="summary-card user-card">
                <div>
                  <strong>{user.username}</strong>
-                  <div className="user-meta">
+                  <span className="meta">Role: {user.role}</span>
-                    <span className="meta">Role: {user.role}</span>
+                  <span className="meta">Login type: {user.authProvider || 'local'}</span>
-                    <span className="meta">Login type: {user.authProvider || 'local'}</span>
+                  <span className="meta">Last login: {formatLastLogin(user.lastLoginAt)}</span>
                    <span className="meta">Last login: {formatLastLogin(user.lastLoginAt)}</span>
                  </div>
                </div>
                <div className="user-actions">
                  <label className="toggle">
@@ -1,2 +1,5 @@
 /// <reference types="next" />
 /// <reference types="next/image-types/global" />
 // NOTE: This file should not be edited
 // see https://nextjs.org/docs/basic-features/typescript for more information.
@@ -1,7 +1,11 @@
 {
  "compilerOptions": {
    "target": "ES2019",
-    "lib": ["dom", "dom.iterable", "esnext"],
+    "lib": [
      "dom",
      "dom.iterable",
      "esnext"
    ],
    "allowJs": false,
    "skipLibCheck": true,
    "strict": true,
@@ -12,8 +16,20 @@
    "resolveJsonModule": true,
    "isolatedModules": true,
    "jsx": "preserve",
-    "incremental": true
+    "incremental": true,
    "plugins": [
      {
        "name": "next"
      }
    ]
  },
-  "include": ["next-env.d.ts", "**/*.ts", "**/*.tsx"],
+  "include": [
-  "exclude": ["node_modules"]
+    "next-env.d.ts",
    "**/*.ts",
    "**/*.tsx",
    ".next/types/**/*.ts"
  ],
  "exclude": [
    "node_modules"
  ]
 }
@@ -1,26 +0,0 @@
 $ErrorActionPreference = "Stop"
 $repoRoot = Resolve-Path "$PSScriptRoot\\.."
 Set-Location $repoRoot
 $now = Get-Date
 $buildNumber = "{0}{1}{2}{3}{4}" -f $now.ToString("dd"), $now.ToString("M"), $now.ToString("yy"), $now.ToString("HH"), $now.ToString("mm")
 Write-Host "Build number: $buildNumber"
 git tag $buildNumber
 git push origin $buildNumber
 $backendImage = "rephl3xnz/magent-backend:$buildNumber"
 $frontendImage = "rephl3xnz/magent-frontend:$buildNumber"
 docker build -f backend/Dockerfile -t $backendImage --build-arg BUILD_NUMBER=$buildNumber .
 docker build -f frontend/Dockerfile -t $frontendImage frontend
 docker tag $backendImage rephl3xnz/magent-backend:latest
 docker tag $frontendImage rephl3xnz/magent-frontend:latest
 docker push $backendImage
 docker push $frontendImage
 docker push rephl3xnz/magent-backend:latest
 docker push rephl3xnz/magent-frontend:latest