Harden request cache titles and cache-only reads

.build_number

@@ -0,0 +1 @@
+251261937

backend/app/auth.py

@@ -1,15 +1,28 @@
 from typing import Dict, Any
 
-from fastapi import Depends, HTTPException, status
+from fastapi import Depends, HTTPException, status, Request
 from fastapi.security import OAuth2PasswordBearer
 
-from .db import get_user_by_username
+from .db import get_user_by_username, upsert_user_activity
 from .security import safe_decode_token, TokenError
 
 oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/auth/login")
 
+def _extract_client_ip(request: Request) -> str:
+    forwarded = request.headers.get("x-forwarded-for")
+    if forwarded:
+        parts = [part.strip() for part in forwarded.split(",") if part.strip()]
+        if parts:
+            return parts[0]
+    real_ip = request.headers.get("x-real-ip")
+    if real_ip:
+        return real_ip.strip()
+    if request.client and request.client.host:
+        return request.client.host
+    return "unknown"
 
-def get_current_user(token: str = Depends(oauth2_scheme)) -> Dict[str, Any]:
+
+def get_current_user(token: str = Depends(oauth2_scheme), request: Request = None) -> Dict[str, Any]:
     try:
         payload = safe_decode_token(token)
     except TokenError as exc:
@@ -25,6 +38,11 @@ def get_current_user(token: str = Depends(oauth2_scheme)) -> Dict[str, Any]:
     if user.get("is_blocked"):
         raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="User is blocked")
 
+    if request is not None:
+        ip = _extract_client_ip(request)
+        user_agent = request.headers.get("user-agent", "unknown")
+        upsert_user_activity(user["username"], ip, user_agent)
+
     return {
         "username": user["username"],
         "role": user["role"],

backend/app/db.py

@@ -24,6 +24,58 @@ def _connect() -> sqlite3.Connection:
     return sqlite3.connect(_db_path())
 
 
+def _normalize_title_value(title: Optional[str]) -> Optional[str]:
+    if not isinstance(title, str):
+        return None
+    trimmed = title.strip()
+    return trimmed if trimmed else None
+
+
+def _normalize_year_value(year: Optional[Any]) -> Optional[int]:
+    if isinstance(year, int):
+        return year
+    if isinstance(year, str):
+        trimmed = year.strip()
+        if trimmed.isdigit():
+            return int(trimmed)
+    return None
+
+
+def _is_placeholder_title(title: Optional[str], request_id: Optional[int]) -> bool:
+    if not isinstance(title, str):
+        return True
+    normalized = title.strip().lower()
+    if not normalized:
+        return True
+    if normalized == "untitled":
+        return True
+    if request_id and normalized == f"request {request_id}":
+        return True
+    return False
+
+
+def _extract_title_year_from_payload(payload_json: Optional[str]) -> tuple[Optional[str], Optional[int]]:
+    if not payload_json:
+        return None, None
+    try:
+        payload = json.loads(payload_json)
+    except json.JSONDecodeError:
+        return None, None
+    if not isinstance(payload, dict):
+        return None, None
+    media = payload.get("media") or {}
+    title = None
+    year = None
+    if isinstance(media, dict):
+        title = media.get("title") or media.get("name")
+        year = media.get("year")
+    if not title:
+        title = payload.get("title") or payload.get("name")
+    if year is None:
+        year = payload.get("year")
+    return _normalize_title_value(title), _normalize_year_value(year)
+
+
 def init_db() -> None:
     with _connect() as conn:
         conn.execute(
@@ -61,7 +113,9 @@ def init_db() -> None:
                 auth_provider TEXT NOT NULL DEFAULT 'local',
                 created_at TEXT NOT NULL,
                 last_login_at TEXT,
-                is_blocked INTEGER NOT NULL DEFAULT 0
+                is_blocked INTEGER NOT NULL DEFAULT 0,
+                jellyfin_password_hash TEXT,
+                last_jellyfin_auth_at TEXT
             )
             """
         )
@@ -103,6 +157,32 @@ def init_db() -> None:
             ON requests_cache (requested_by_norm)
             """
         )
+        conn.execute(
+            """
+            CREATE TABLE IF NOT EXISTS user_activity (
+                id INTEGER PRIMARY KEY AUTOINCREMENT,
+                username TEXT NOT NULL,
+                ip TEXT NOT NULL,
+                user_agent TEXT NOT NULL,
+                first_seen_at TEXT NOT NULL,
+                last_seen_at TEXT NOT NULL,
+                hit_count INTEGER NOT NULL DEFAULT 1,
+                UNIQUE(username, ip, user_agent)
+            )
+            """
+        )
+        conn.execute(
+            """
+            CREATE INDEX IF NOT EXISTS idx_user_activity_username
+            ON user_activity (username)
+            """
+        )
+        conn.execute(
+            """
+            CREATE INDEX IF NOT EXISTS idx_user_activity_last_seen
+            ON user_activity (last_seen_at)
+            """
+        )
         try:
             conn.execute("ALTER TABLE users ADD COLUMN last_login_at TEXT")
         except sqlite3.OperationalError:
@@ -115,6 +195,14 @@ def init_db() -> None:
             conn.execute("ALTER TABLE users ADD COLUMN auth_provider TEXT NOT NULL DEFAULT 'local'")
         except sqlite3.OperationalError:
             pass
+        try:
+            conn.execute("ALTER TABLE users ADD COLUMN jellyfin_password_hash TEXT")
+        except sqlite3.OperationalError:
+            pass
+        try:
+            conn.execute("ALTER TABLE users ADD COLUMN last_jellyfin_auth_at TEXT")
+        except sqlite3.OperationalError:
+            pass
     _backfill_auth_providers()
     ensure_admin_user()
 
@@ -251,7 +339,8 @@ def get_user_by_username(username: str) -> Optional[Dict[str, Any]]:
     with _connect() as conn:
         row = conn.execute(
             """
-            SELECT id, username, password_hash, role, auth_provider, created_at, last_login_at, is_blocked
+            SELECT id, username, password_hash, role, auth_provider, created_at, last_login_at,
+                   is_blocked, jellyfin_password_hash, last_jellyfin_auth_at
             FROM users
             WHERE username = ?
             """,
@@ -268,6 +357,8 @@ def get_user_by_username(username: str) -> Optional[Dict[str, Any]]:
         "created_at": row[5],
         "last_login_at": row[6],
         "is_blocked": bool(row[7]),
+        "jellyfin_password_hash": row[8],
+        "last_jellyfin_auth_at": row[9],
     }
 
 
@@ -347,6 +438,22 @@ def set_user_password(username: str, password: str) -> None:
         )
 
 
+def set_jellyfin_auth_cache(username: str, password: str) -> None:
+    if not username or not password:
+        return
+    password_hash = hash_password(password)
+    timestamp = datetime.now(timezone.utc).isoformat()
+    with _connect() as conn:
+        conn.execute(
+            """
+            UPDATE users
+            SET jellyfin_password_hash = ?, last_jellyfin_auth_at = ?
+            WHERE username = ?
+            """,
+            (password_hash, timestamp, username),
+        )
+
+
 def _backfill_auth_providers() -> None:
     with _connect() as conn:
         rows = conn.execute(
@@ -377,6 +484,164 @@ def _backfill_auth_providers() -> None:
         )
 
 
+def upsert_user_activity(username: str, ip: str, user_agent: str) -> None:
+    if not username:
+        return
+    ip_value = ip.strip() if isinstance(ip, str) and ip.strip() else "unknown"
+    agent_value = (
+        user_agent.strip() if isinstance(user_agent, str) and user_agent.strip() else "unknown"
+    )
+    timestamp = datetime.now(timezone.utc).isoformat()
+    with _connect() as conn:
+        conn.execute(
+            """
+            INSERT INTO user_activity (username, ip, user_agent, first_seen_at, last_seen_at, hit_count)
+            VALUES (?, ?, ?, ?, ?, 1)
+            ON CONFLICT(username, ip, user_agent)
+            DO UPDATE SET last_seen_at = excluded.last_seen_at, hit_count = hit_count + 1
+            """,
+            (username, ip_value, agent_value, timestamp, timestamp),
+        )
+
+
+def get_user_activity(username: str, limit: int = 5) -> list[Dict[str, Any]]:
+    limit = max(1, min(limit, 20))
+    with _connect() as conn:
+        rows = conn.execute(
+            """
+            SELECT ip, user_agent, first_seen_at, last_seen_at, hit_count
+            FROM user_activity
+            WHERE username = ?
+            ORDER BY last_seen_at DESC
+            LIMIT ?
+            """,
+            (username, limit),
+        ).fetchall()
+    results: list[Dict[str, Any]] = []
+    for row in rows:
+        results.append(
+            {
+                "ip": row[0],
+                "user_agent": row[1],
+                "first_seen_at": row[2],
+                "last_seen_at": row[3],
+                "hit_count": row[4],
+            }
+        )
+    return results
+
+
+def get_user_activity_summary(username: str) -> Dict[str, Any]:
+    with _connect() as conn:
+        last_row = conn.execute(
+            """
+            SELECT ip, user_agent, last_seen_at
+            FROM user_activity
+            WHERE username = ?
+            ORDER BY last_seen_at DESC
+            LIMIT 1
+            """,
+            (username,),
+        ).fetchone()
+        count_row = conn.execute(
+            """
+            SELECT COUNT(*)
+            FROM user_activity
+            WHERE username = ?
+            """,
+            (username,),
+        ).fetchone()
+    return {
+        "last_ip": last_row[0] if last_row else None,
+        "last_user_agent": last_row[1] if last_row else None,
+        "last_seen_at": last_row[2] if last_row else None,
+        "device_count": int(count_row[0] or 0) if count_row else 0,
+    }
+
+
+def get_user_request_stats(username_norm: str) -> Dict[str, Any]:
+    if not username_norm:
+        return {
+            "total": 0,
+            "ready": 0,
+            "pending": 0,
+            "approved": 0,
+            "working": 0,
+            "partial": 0,
+            "declined": 0,
+            "in_progress": 0,
+            "last_request_at": None,
+        }
+    with _connect() as conn:
+        total_row = conn.execute(
+            """
+            SELECT COUNT(*)
+            FROM requests_cache
+            WHERE requested_by_norm = ?
+            """,
+            (username_norm,),
+        ).fetchone()
+        status_rows = conn.execute(
+            """
+            SELECT status, COUNT(*)
+            FROM requests_cache
+            WHERE requested_by_norm = ?
+            GROUP BY status
+            """,
+            (username_norm,),
+        ).fetchall()
+        last_row = conn.execute(
+            """
+            SELECT MAX(created_at)
+            FROM requests_cache
+            WHERE requested_by_norm = ?
+            """,
+            (username_norm,),
+        ).fetchone()
+    counts = {int(row[0]): int(row[1]) for row in status_rows if row[0] is not None}
+    pending = counts.get(1, 0)
+    approved = counts.get(2, 0)
+    declined = counts.get(3, 0)
+    ready = counts.get(4, 0)
+    working = counts.get(5, 0)
+    partial = counts.get(6, 0)
+    in_progress = approved + working + partial
+    return {
+        "total": int(total_row[0] or 0) if total_row else 0,
+        "ready": ready,
+        "pending": pending,
+        "approved": approved,
+        "working": working,
+        "partial": partial,
+        "declined": declined,
+        "in_progress": in_progress,
+        "last_request_at": last_row[0] if last_row else None,
+    }
+
+
+def get_global_request_leader() -> Optional[Dict[str, Any]]:
+    with _connect() as conn:
+        row = conn.execute(
+            """
+            SELECT requested_by_norm, MAX(requested_by) as display_name, COUNT(*) as total
+            FROM requests_cache
+            WHERE requested_by_norm IS NOT NULL AND requested_by_norm != ''
+            GROUP BY requested_by_norm
+            ORDER BY total DESC
+            LIMIT 1
+            """
+        ).fetchone()
+    if not row:
+        return None
+    return {"username": row[1] or row[0], "total": int(row[2] or 0)}
+
+
+def get_global_request_total() -> int:
+    with _connect() as conn:
+        row = conn.execute("SELECT COUNT(*) FROM requests_cache").fetchone()
+    return int(row[0] or 0)
+
+
 def upsert_request_cache(
     request_id: int,
     media_id: Optional[int],
@@ -390,7 +655,34 @@ def upsert_request_cache(
     updated_at: Optional[str],
     payload_json: str,
 ) -> None:
+    normalized_title = _normalize_title_value(title)
+    normalized_year = _normalize_year_value(year)
+    derived_title = None
+    derived_year = None
+    if not normalized_title or normalized_year is None:
+        derived_title, derived_year = _extract_title_year_from_payload(payload_json)
+    if _is_placeholder_title(normalized_title, request_id):
+        normalized_title = None
+    if derived_title and not normalized_title:
+        normalized_title = derived_title
+    if normalized_year is None and derived_year is not None:
+        normalized_year = derived_year
     with _connect() as conn:
+        existing_title = None
+        existing_year = None
+        if normalized_title is None or normalized_year is None:
+            row = conn.execute(
+                "SELECT title, year FROM requests_cache WHERE request_id = ?",
+                (request_id,),
+            ).fetchone()
+            if row:
+                existing_title, existing_year = row[0], row[1]
+                if _is_placeholder_title(existing_title, request_id):
+                    existing_title = None
+        if normalized_title is None and existing_title:
+            normalized_title = existing_title
+        if normalized_year is None and existing_year is not None:
+            normalized_year = existing_year
         conn.execute(
             """
             INSERT INTO requests_cache (
@@ -424,8 +716,8 @@ def upsert_request_cache(
                 media_id,
                 media_type,
                 status,
-                title,
+                normalized_title,
-                year,
+                normalized_year,
                 requested_by,
                 requested_by_norm,
                 created_at,
@@ -528,22 +820,11 @@ def get_cached_requests(
         title = row[4]
         year = row[5]
         if (not title or not year) and row[8]:
-            try:
+            derived_title, derived_year = _extract_title_year_from_payload(row[8])
-                payload = json.loads(row[8])
-                if isinstance(payload, dict):
-                    media = payload.get("media") or {}
             if not title:
-                        title = (
+                title = derived_title
-                            (media.get("title") if isinstance(media, dict) else None)
-                            or (media.get("name") if isinstance(media, dict) else None)
-                            or payload.get("title")
-                            or payload.get("name")
-                        )
             if not year:
-                        year = media.get("year") if isinstance(media, dict) else None
+                year = derived_year
-                        year = year or payload.get("year")
-            except json.JSONDecodeError:
-                pass
         results.append(
             {
                 "request_id": row[0],
@@ -575,18 +856,8 @@ def get_request_cache_overview(limit: int = 50) -> list[Dict[str, Any]]:
     for row in rows:
         title = row[4]
         if not title and row[9]:
-            try:
+            derived_title, _ = _extract_title_year_from_payload(row[9])
-                payload = json.loads(row[9])
+            title = derived_title or row[4]
-                if isinstance(payload, dict):
-                    media = payload.get("media") or {}
-                    title = (
-                        (media.get("title") if isinstance(media, dict) else None)
-                        or (media.get("name") if isinstance(media, dict) else None)
-                        or payload.get("title")
-                        or payload.get("name")
-                    )
-            except json.JSONDecodeError:
-                title = row[4]
         results.append(
             {
                 "request_id": row[0],
@@ -612,7 +883,9 @@ def get_request_cache_count() -> int:
 def update_request_cache_title(
     request_id: int, title: str, year: Optional[int] = None
 ) -> None:
-    if not title:
+    normalized_title = _normalize_title_value(title)
+    normalized_year = _normalize_year_value(year)
+    if not normalized_title:
         return
     with _connect() as conn:
         conn.execute(
@@ -621,10 +894,38 @@ def update_request_cache_title(
             SET title = ?, year = COALESCE(?, year)
             WHERE request_id = ?
             """,
-            (title, year, request_id),
+            (normalized_title, normalized_year, request_id),
         )
 
 
+def repair_request_cache_titles() -> int:
+    updated = 0
+    with _connect() as conn:
+        rows = conn.execute(
+            """
+            SELECT request_id, title, year, payload_json
+            FROM requests_cache
+            """
+        ).fetchall()
+        for row in rows:
+            request_id, title, year, payload_json = row
+            if not _is_placeholder_title(title, request_id):
+                continue
+            derived_title, derived_year = _extract_title_year_from_payload(payload_json)
+            if not derived_title:
+                continue
+            conn.execute(
+                """
+                UPDATE requests_cache
+                SET title = ?, year = COALESCE(?, year)
+                WHERE request_id = ?
+                """,
+                (derived_title, derived_year, request_id),
+            )
+            updated += 1
+    return updated
+
+
 def prune_duplicate_requests_cache() -> int:
     with _connect() as conn:
         cursor = conn.execute(

backend/app/routers/admin.py

@@ -21,6 +21,7 @@ from ..db import (
     clear_history,
     cleanup_history,
     update_request_cache_title,
+    repair_request_cache_titles,
 )
 from ..runtime import get_runtime_settings
 from ..clients.sonarr import SonarrClient
@@ -282,27 +283,10 @@ async def read_logs(lines: int = 200) -> Dict[str, Any]:
 
 @router.get("/requests/cache")
 async def requests_cache(limit: int = 50) -> Dict[str, Any]:
+    repaired = repair_request_cache_titles()
+    if repaired:
+        logger.info("Requests cache titles repaired via settings view: %s", repaired)
     rows = get_request_cache_overview(limit)
-    missing_titles = [row for row in rows if not row.get("title")]
-    if missing_titles:
-        runtime = get_runtime_settings()
-        client = JellyseerrClient(runtime.jellyseerr_base_url, runtime.jellyseerr_api_key)
-        if client.configured():
-            for row in missing_titles:
-                request_id = row.get("request_id")
-                if not isinstance(request_id, int):
-                    continue
-                details = await requests_router._get_request_details(client, request_id)
-                if not isinstance(details, dict):
-                    continue
-                payload = requests_router._parse_request_payload(details)
-                title = payload.get("title")
-                if not title:
-                    continue
-                row["title"] = title
-                if payload.get("year"):
-                    row["year"] = payload.get("year")
-                update_request_cache_title(request_id, title, payload.get("year"))
     return {"rows": rows}
 
 

backend/app/routers/auth.py

@@ -1,3 +1,5 @@
+from datetime import datetime, timedelta, timezone
+
 from fastapi import APIRouter, HTTPException, status, Depends
 from fastapi.security import OAuth2PasswordRequestForm
 
@@ -7,16 +9,51 @@ from ..db import (
     set_last_login,
     get_user_by_username,
     set_user_password,
+    set_jellyfin_auth_cache,
+    get_user_activity,
+    get_user_activity_summary,
+    get_user_request_stats,
+    get_global_request_leader,
+    get_global_request_total,
 )
 from ..runtime import get_runtime_settings
 from ..clients.jellyfin import JellyfinClient
 from ..clients.jellyseerr import JellyseerrClient
-from ..security import create_access_token
+from ..security import create_access_token, verify_password
 from ..auth import get_current_user
 
 router = APIRouter(prefix="/auth", tags=["auth"])
 
 
+def _normalize_username(value: str) -> str:
+    return value.strip().lower()
+
+
+def _is_recent_jellyfin_auth(last_auth_at: str) -> bool:
+    if not last_auth_at:
+        return False
+    try:
+        parsed = datetime.fromisoformat(last_auth_at)
+    except ValueError:
+        return False
+    if parsed.tzinfo is None:
+        parsed = parsed.replace(tzinfo=timezone.utc)
+    age = datetime.now(timezone.utc) - parsed
+    return age <= timedelta(days=7)
+
+
+def _has_valid_jellyfin_cache(user: dict, password: str) -> bool:
+    if not user or not password:
+        return False
+    cached_hash = user.get("jellyfin_password_hash")
+    last_auth_at = user.get("last_jellyfin_auth_at")
+    if not cached_hash or not last_auth_at:
+        return False
+    if not verify_password(password, cached_hash):
+        return False
+    return _is_recent_jellyfin_auth(last_auth_at)
+
+
 @router.post("/login")
 async def login(form_data: OAuth2PasswordRequestForm = Depends()) -> dict:
     user = verify_user_password(form_data.username, form_data.password)
@@ -39,14 +76,23 @@ async def jellyfin_login(form_data: OAuth2PasswordRequestForm = Depends()) -> di
     client = JellyfinClient(runtime.jellyfin_base_url, runtime.jellyfin_api_key)
     if not client.configured():
         raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Jellyfin not configured")
+    username = form_data.username
+    password = form_data.password
+    user = get_user_by_username(username)
+    if user and user.get("is_blocked"):
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="User is blocked")
+    if user and _has_valid_jellyfin_cache(user, password):
+        token = create_access_token(username, "user")
+        set_last_login(username)
+        return {"access_token": token, "token_type": "bearer", "user": {"username": username, "role": "user"}}
     try:
-        response = await client.authenticate_by_name(form_data.username, form_data.password)
+        response = await client.authenticate_by_name(username, password)
     except Exception as exc:
         raise HTTPException(status_code=status.HTTP_502_BAD_GATEWAY, detail=str(exc)) from exc
     if not isinstance(response, dict) or not response.get("User"):
         raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid Jellyfin credentials")
-    create_user_if_missing(form_data.username, "jellyfin-user", role="user", auth_provider="jellyfin")
+    create_user_if_missing(username, "jellyfin-user", role="user", auth_provider="jellyfin")
-    user = get_user_by_username(form_data.username)
+    user = get_user_by_username(username)
     if user and user.get("is_blocked"):
         raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="User is blocked")
     try:
@@ -60,9 +106,10 @@ async def jellyfin_login(form_data: OAuth2PasswordRequestForm = Depends()) -> di
                     create_user_if_missing(name, "jellyfin-user", role="user", auth_provider="jellyfin")
     except Exception:
         pass
-    token = create_access_token(form_data.username, "user")
+    set_jellyfin_auth_cache(username, password)
-    set_last_login(form_data.username)
+    token = create_access_token(username, "user")
-    return {"access_token": token, "token_type": "bearer", "user": {"username": form_data.username, "role": "user"}}
+    set_last_login(username)
+    return {"access_token": token, "token_type": "bearer", "user": {"username": username, "role": "user"}}
 
 
 @router.post("/jellyseerr/login")
@@ -92,6 +139,32 @@ async def me(current_user: dict = Depends(get_current_user)) -> dict:
     return current_user
 
 
+@router.get("/profile")
+async def profile(current_user: dict = Depends(get_current_user)) -> dict:
+    username = current_user.get("username") or ""
+    username_norm = _normalize_username(username) if username else ""
+    stats = get_user_request_stats(username_norm)
+    global_total = get_global_request_total()
+    share = (stats.get("total", 0) / global_total) if global_total else 0
+    activity_summary = get_user_activity_summary(username) if username else {}
+    activity_recent = get_user_activity(username, limit=5) if username else []
+    stats_payload = {
+        **stats,
+        "share": share,
+        "global_total": global_total,
+    }
+    if current_user.get("role") == "admin":
+        stats_payload["most_active_user"] = get_global_request_leader()
+    return {
+        "user": current_user,
+        "stats": stats_payload,
+        "activity": {
+            **activity_summary,
+            "recent": activity_recent,
+        },
+    }
+
+
 @router.post("/password")
 async def change_password(payload: dict, current_user: dict = Depends(get_current_user)) -> dict:
     if current_user.get("auth_provider") != "local":

backend/app/routers/branding.py

@@ -11,6 +11,10 @@ router = APIRouter(prefix="/branding", tags=["branding"])
 _BRANDING_DIR = os.path.join(os.getcwd(), "data", "branding")
 _LOGO_PATH = os.path.join(_BRANDING_DIR, "logo.png")
 _FAVICON_PATH = os.path.join(_BRANDING_DIR, "favicon.ico")
+_BUNDLED_DIR = os.path.abspath(os.path.join(os.path.dirname(__file__), "..", "assets", "branding"))
+_BUNDLED_LOGO_PATH = os.path.join(_BUNDLED_DIR, "logo.png")
+_BUNDLED_FAVICON_PATH = os.path.join(_BUNDLED_DIR, "favicon.ico")
+_BRANDING_SOURCE = os.getenv("BRANDING_SOURCE", "bundled").lower()
 
 
 def _ensure_branding_dir() -> None:
@@ -41,6 +45,18 @@ def _ensure_default_branding() -> None:
     if os.path.exists(_LOGO_PATH) and os.path.exists(_FAVICON_PATH):
         return
     _ensure_branding_dir()
+    if not os.path.exists(_LOGO_PATH) and os.path.exists(_BUNDLED_LOGO_PATH):
+        try:
+            with open(_BUNDLED_LOGO_PATH, "rb") as source, open(_LOGO_PATH, "wb") as target:
+                target.write(source.read())
+        except OSError:
+            pass
+    if not os.path.exists(_FAVICON_PATH) and os.path.exists(_BUNDLED_FAVICON_PATH):
+        try:
+            with open(_BUNDLED_FAVICON_PATH, "rb") as source, open(_FAVICON_PATH, "wb") as target:
+                target.write(source.read())
+        except OSError:
+            pass
     if not os.path.exists(_LOGO_PATH):
         image = Image.new("RGBA", (300, 300), (12, 18, 28, 255))
         draw = ImageDraw.Draw(image)
@@ -65,24 +81,32 @@ def _ensure_default_branding() -> None:
             favicon.save(_FAVICON_PATH, format="ICO")
 
 
+def _resolve_branding_paths() -> tuple[str, str]:
+    if _BRANDING_SOURCE == "data":
+        _ensure_default_branding()
+        return _LOGO_PATH, _FAVICON_PATH
+    if os.path.exists(_BUNDLED_LOGO_PATH) and os.path.exists(_BUNDLED_FAVICON_PATH):
+        return _BUNDLED_LOGO_PATH, _BUNDLED_FAVICON_PATH
+    _ensure_default_branding()
+    return _LOGO_PATH, _FAVICON_PATH
+
+
 @router.get("/logo.png")
 async def branding_logo() -> FileResponse:
-    if not os.path.exists(_LOGO_PATH):
+    logo_path, _ = _resolve_branding_paths()
-        _ensure_default_branding()
+    if not os.path.exists(logo_path):
-    if not os.path.exists(_LOGO_PATH):
         raise HTTPException(status_code=404, detail="Logo not found")
-    headers = {"Cache-Control": "public, max-age=300"}
+    headers = {"Cache-Control": "no-store"}
-    return FileResponse(_LOGO_PATH, media_type="image/png", headers=headers)
+    return FileResponse(logo_path, media_type="image/png", headers=headers)
 
 
 @router.get("/favicon.ico")
 async def branding_favicon() -> FileResponse:
-    if not os.path.exists(_FAVICON_PATH):
+    _, favicon_path = _resolve_branding_paths()
-        _ensure_default_branding()
+    if not os.path.exists(favicon_path):
-    if not os.path.exists(_FAVICON_PATH):
         raise HTTPException(status_code=404, detail="Favicon not found")
-    headers = {"Cache-Control": "public, max-age=300"}
+    headers = {"Cache-Control": "no-store"}
-    return FileResponse(_FAVICON_PATH, media_type="image/x-icon", headers=headers)
+    return FileResponse(favicon_path, media_type="image/x-icon", headers=headers)
 
 
 async def save_branding_image(file: UploadFile) -> Dict[str, Any]:

backend/app/routers/requests.py

@@ -30,6 +30,7 @@ from ..db import (
     get_request_cache_last_updated,
     get_request_cache_count,
     get_request_cache_payloads,
+    repair_request_cache_titles,
     prune_duplicate_requests_cache,
     upsert_request_cache,
     get_setting,
@@ -814,13 +815,14 @@ def _get_recent_from_cache(
 async def startup_warmup_requests_cache() -> None:
     runtime = get_runtime_settings()
     client = JellyseerrClient(runtime.jellyseerr_base_url, runtime.jellyseerr_api_key)
-    if not client.configured():
+    if client.configured():
-        return
         try:
             await _ensure_requests_cache(client)
         except httpx.HTTPError as exc:
             logger.warning("Requests warmup skipped: %s", exc)
-        return
+    repaired = repair_request_cache_titles()
+    if repaired:
+        logger.info("Requests cache titles repaired: %s", repaired)
     _refresh_recent_cache_from_db()
 
 
@@ -968,7 +970,10 @@ async def _ensure_request_access(
     runtime = get_runtime_settings()
     mode = (runtime.requests_data_source or "prefer_cache").lower()
     cached = get_request_cache_payload(request_id)
-    if mode != "always_js" and cached is not None:
+    if mode != "always_js":
+        if cached is None:
+            logger.debug("access cache miss: request_id=%s mode=%s", request_id, mode)
+            raise HTTPException(status_code=404, detail="Request not found in cache")
         logger.debug("access cache hit: request_id=%s mode=%s", request_id, mode)
         if _request_matches_user(cached, user.get("username", "")):
             return
@@ -1249,9 +1254,11 @@ async def recent_requests(
 ) -> dict:
     runtime = get_runtime_settings()
     client = JellyseerrClient(runtime.jellyseerr_base_url, runtime.jellyseerr_api_key)
+    mode = (runtime.requests_data_source or "prefer_cache").lower()
+    allow_remote = mode == "always_js"
+    if allow_remote:
         if not client.configured():
             raise HTTPException(status_code=400, detail="Jellyseerr not configured")
-
         try:
             await _ensure_requests_cache(client)
         except httpx.HTTPStatusError as exc:
@@ -1266,10 +1273,8 @@ async def recent_requests(
         _refresh_recent_cache_from_db()
     rows = _get_recent_from_cache(requested_by, take, skip, since_iso)
     cache_mode = (runtime.artwork_cache_mode or "remote").lower()
-    mode = (runtime.requests_data_source or "prefer_cache").lower()
+    allow_title_hydrate = False
-    allow_remote = mode == "always_js"
+    allow_artwork_hydrate = allow_remote
-    allow_title_hydrate = mode == "prefer_cache"
-    allow_artwork_hydrate = allow_remote or allow_title_hydrate
     jellyfin = JellyfinClient(runtime.jellyfin_base_url, runtime.jellyfin_api_key)
     jellyfin_cache: Dict[str, bool] = {}
 
@@ -1814,4 +1819,3 @@ async def action_grab(
         save_action, request_id, "grab", "Grab release", "ok", action_message
     )
     return {"status": "ok", "response": {"qbittorrent": "queued"}}
-

backend/app/services/snapshot.py

@@ -220,6 +220,7 @@ async def build_snapshot(request_id: str) -> Snapshot:
                 "snapshot cache miss: request_id=%s mode=%s", request_id, mode
             )
 
+    allow_remote = mode == "always_js" and jellyseerr.configured()
     if not jellyseerr.configured() and not cached_request:
         timeline.append(TimelineHop(service="Jellyseerr", status="not_configured"))
         timeline.append(TimelineHop(service="Sonarr/Radarr", status="not_configured"))
@@ -227,9 +228,15 @@ async def build_snapshot(request_id: str) -> Snapshot:
         timeline.append(TimelineHop(service="qBittorrent", status="not_configured"))
         snapshot.timeline = timeline
         return snapshot
+    if cached_request is None and not allow_remote:
+        timeline.append(TimelineHop(service="Jellyseerr", status="cache_miss"))
+        snapshot.timeline = timeline
+        snapshot.state = NormalizedState.unknown
+        snapshot.state_reason = "Request not found in cache"
+        return snapshot
 
     jelly_request = cached_request
-    if (jelly_request is None or mode == "always_js") and jellyseerr.configured():
+    if allow_remote and (jelly_request is None or mode == "always_js"):
         try:
             jelly_request = await jellyseerr.get_request(request_id)
             logging.getLogger(__name__).debug(
@@ -262,7 +269,7 @@ async def build_snapshot(request_id: str) -> Snapshot:
         poster_path = media.get("posterPath") or media.get("poster_path")
         backdrop_path = media.get("backdropPath") or media.get("backdrop_path")
 
-    if snapshot.title in {None, "", "Unknown"} and jellyseerr.configured():
+    if snapshot.title in {None, "", "Unknown"} and allow_remote:
         tmdb_id = jelly_request.get("media", {}).get("tmdbId")
         if tmdb_id:
             try:

frontend/app/admin/SettingsPage.tsx

@@ -297,10 +297,11 @@ export default function SettingsPage({ section }: SettingsPageProps) {
     requests_full_sync_time: 'Daily time to refresh the full request list.',
     requests_cleanup_time: 'Daily time to trim old history.',
     requests_cleanup_days: 'History older than this is removed during cleanup.',
-    requests_data_source: 'Pick where Magent should read requests from.',
+    requests_data_source:
+      'Pick where Magent should read requests from. Cache-only avoids Jellyseerr lookups on reads.',
     log_level: 'How much detail is written to the activity log.',
     log_file: 'Where the activity log is stored.',
-    site_build_number: 'Build number shown in the footer (auto-set from releases).',
+    site_build_number: 'Build number shown in the account menu (auto-set from releases).',
     site_banner_enabled: 'Enable a sitewide banner for announcements.',
     site_banner_message: 'Short banner message for maintenance or updates.',
     site_banner_tone: 'Visual tone for the banner.',
@@ -714,7 +715,7 @@ export default function SettingsPage({ section }: SettingsPageProps) {
           .map((sectionGroup) => (
           <section key={sectionGroup.key} className="admin-section">
             <div className="section-header">
-              <h2>{sectionGroup.title}</h2>
+              <h2>{sectionGroup.key === 'requests' ? 'Sync controls' : sectionGroup.title}</h2>
               {sectionGroup.key === 'sonarr' && (
                 <button type="button" onClick={() => loadOptions('sonarr')}>
                   Refresh Sonarr options
@@ -737,17 +738,22 @@ export default function SettingsPage({ section }: SettingsPageProps) {
                 </button>
               ) : null}
               {showRequestsExtras && sectionGroup.key === 'requests' && (
+                <div className="sync-actions-block">
                   <div className="sync-actions">
                     <button type="button" onClick={syncRequests}>
-                    Full refresh
+                      Full refresh (all requests)
                     </button>
                     <button type="button" className="ghost-button" onClick={syncRequestsDelta}>
-                    Quick refresh (new changes)
+                      Quick refresh (delta changes)
                     </button>
                   </div>
+                  <div className="meta sync-note">
+                    Full refresh reloads the entire list. Quick refresh only checks recent changes.
+                  </div>
+                </div>
               )}
             </div>
-            {SECTION_DESCRIPTIONS[sectionGroup.key] && (
+            {SECTION_DESCRIPTIONS[sectionGroup.key] && !settingsSection && (
               <p className="section-subtitle">{SECTION_DESCRIPTIONS[sectionGroup.key]}</p>
             )}
             {sectionGroup.key === 'sonarr' && sonarrError && (
@@ -1124,7 +1130,9 @@ export default function SettingsPage({ section }: SettingsPageProps) {
                         }
                       >
                         <option value="always_js">Always use Jellyseerr (slower)</option>
-                        <option value="prefer_cache">Use saved requests first (faster)</option>
+                        <option value="prefer_cache">
+                          Use saved requests only (fastest)
+                        </option>
                       </select>
                     </label>
                   )

frontend/app/globals.css

@@ -175,30 +175,35 @@ body {
   margin-right: auto;
 }
 
-.signed-in {
-  font-size: 12px;
-  text-transform: uppercase;
-  letter-spacing: 0.08em;
-  color: var(--ink-muted);
-  padding: 6px 10px;
-  border-radius: 999px;
-  border: 1px dashed var(--border);
-  background: transparent;
-  cursor: pointer;
-}
-
 .signed-in-menu {
   position: relative;
   display: inline-flex;
   align-items: center;
 }
 
+.avatar-button {
+  width: 44px;
+  height: 44px;
+  border-radius: 50%;
+  border: 1px solid rgba(255, 255, 255, 0.12);
+  background: linear-gradient(130deg, rgba(28, 107, 255, 0.35), rgba(17, 214, 198, 0.25));
+  color: var(--ink);
+  font-weight: 700;
+  letter-spacing: 0.04em;
+  text-transform: uppercase;
+  display: inline-flex;
+  align-items: center;
+  justify-content: center;
+  box-shadow: 0 10px 20px rgba(28, 107, 255, 0.25);
+  cursor: pointer;
+}
+
 .signed-in-dropdown {
   position: absolute;
   top: calc(100% + 8px);
   right: 0;
-  min-width: 180px;
+  width: min(260px, 90vw);
-  background: rgba(14, 20, 32, 0.95);
+  background: rgba(14, 20, 32, 0.96);
   border: 1px solid var(--border);
   border-radius: 12px;
   padding: 8px;
@@ -206,17 +211,50 @@ body {
   z-index: 20;
 }
 
-.signed-in-dropdown a {
+.signed-in-header {
+  font-size: 11px;
+  letter-spacing: 0.06em;
+  text-transform: uppercase;
+  color: var(--ink-muted);
+  padding: 8px 10px 6px;
+  border-bottom: 1px solid rgba(255, 255, 255, 0.08);
+}
+
+.signed-in-actions {
+  display: grid;
+  gap: 6px;
+  padding: 8px 4px 4px;
+}
+
+.signed-in-actions a,
+.signed-in-signout {
   display: block;
   padding: 8px 12px;
   border-radius: 10px;
   color: var(--ink);
   text-decoration: none;
-  text-align: center;
+  text-align: left;
+  background: rgba(255, 255, 255, 0.05);
+  border: 1px solid rgba(255, 255, 255, 0.08);
 }
 
-.signed-in-dropdown a:hover {
+.signed-in-signout {
-  background: rgba(255, 255, 255, 0.08);
+  cursor: pointer;
+  font: inherit;
+}
+
+.signed-in-actions a:hover,
+.signed-in-signout:hover {
+  background: rgba(255, 255, 255, 0.12);
+}
+
+.signed-in-build {
+  margin-top: 6px;
+  padding: 6px 10px 8px;
+  font-size: 11px;
+  color: var(--ink-muted);
+  text-align: left;
+  letter-spacing: 0.04em;
 }
 
 .theme-toggle {
@@ -521,6 +559,73 @@ button span {
   margin-top: 4px;
 }
 
+.profile-grid {
+  display: grid;
+  gap: 20px;
+}
+
+.profile-section {
+  display: grid;
+  gap: 12px;
+}
+
+.stat-grid {
+  display: grid;
+  grid-template-columns: repeat(auto-fit, minmax(180px, 1fr));
+  gap: 12px;
+}
+
+.stat-card {
+  padding: 14px;
+  border-radius: 16px;
+  border: 1px solid var(--border);
+  background: rgba(255, 255, 255, 0.05);
+  display: grid;
+  gap: 6px;
+}
+
+.stat-label {
+  font-size: 11px;
+  text-transform: uppercase;
+  letter-spacing: 0.08em;
+  color: var(--ink-muted);
+}
+
+.stat-value {
+  font-size: 20px;
+  font-weight: 700;
+}
+
+.stat-value--small {
+  font-size: 14px;
+  font-weight: 600;
+}
+
+.connection-list {
+  display: grid;
+  gap: 10px;
+}
+
+.connection-item {
+  display: flex;
+  justify-content: space-between;
+  gap: 12px;
+  padding: 12px 14px;
+  border-radius: 14px;
+  border: 1px solid var(--border);
+  background: rgba(255, 255, 255, 0.04);
+}
+
+.connection-label {
+  font-weight: 600;
+}
+
+.connection-count {
+  font-size: 12px;
+  color: var(--ink-muted);
+  white-space: nowrap;
+}
+
 .state {
   display: grid;
   gap: 6px;
@@ -647,12 +752,28 @@ button span {
 }
 
 .user-card {
-  display: flex;
+  display: grid;
-  justify-content: space-between;
+  grid-template-columns: 1fr auto;
-  align-items: center;
+  align-items: start;
   gap: 16px;
 }
 
+.user-card strong {
+  display: block;
+  font-size: 16px;
+  margin-bottom: 6px;
+}
+
+.user-meta {
+  display: grid;
+  gap: 6px;
+  font-size: 13px;
+}
+
+.user-meta .meta {
+  display: block;
+}
+
 .user-actions {
   display: grid;
   gap: 8px;
@@ -926,6 +1047,17 @@ button span {
   flex-wrap: wrap;
 }
 
+.sync-actions-block {
+  display: grid;
+  gap: 6px;
+  justify-items: end;
+  text-align: right;
+}
+
+.sync-note {
+  margin-top: 0;
+}
+
 .section-header button {
   background: rgba(255, 255, 255, 0.08);
   color: var(--ink);
@@ -1399,19 +1531,83 @@ button span {
 }
 
 @media (max-width: 720px) {
+  .page {
+    padding: 28px 18px 60px;
+    gap: 24px;
+  }
+
   .header {
     grid-template-columns: 1fr;
     grid-template-rows: auto auto auto;
     align-items: flex-start;
   }
 
+  .header-left {
+    width: 100%;
+  }
+
+  .brand-link {
+    width: 100%;
+    gap: 12px;
+  }
+
+  .brand-logo--header {
+    width: 64px;
+    height: 64px;
+  }
+
+  .brand {
+    font-size: 26px;
+  }
+
+  .tagline {
+    font-size: 13px;
+  }
+
   .header-right {
     grid-column: 1 / -1;
     justify-content: flex-start;
+    width: 100%;
+    flex-wrap: wrap;
+    gap: 10px;
   }
 
   .header-nav {
     justify-content: flex-start;
+    width: 100%;
+  }
+
+  .signed-in-menu {
+    margin-left: auto;
+  }
+
+  .avatar-button {
+    width: 40px;
+    height: 40px;
+  }
+
+  .signed-in-dropdown {
+    right: 0;
+    left: auto;
+    width: min(260px, 92vw);
+  }
+
+  .header-actions {
+    width: 100%;
+    display: grid;
+    grid-template-columns: repeat(2, minmax(0, 1fr));
+    gap: 10px;
+  }
+
+  .header-actions a,
+  .header-actions .header-link {
+    font-size: 12px;
+    padding: 8px 10px;
+  }
+
+  .header-actions .header-cta--left {
+    grid-column: 1 / -1;
+    margin-right: 0;
   }
 
   .summary {
@@ -1449,6 +1645,21 @@ button span {
   .cache-row {
     grid-template-columns: 1fr;
   }
+
+  .user-card {
+    grid-template-columns: 1fr;
+  }
+
+  .connection-item {
+    flex-direction: column;
+    align-items: flex-start;
+  }
+}
+
+@media (max-width: 480px) {
+  .header-actions {
+    grid-template-columns: 1fr;
+  }
 }
 
 /* Loading spinner */

frontend/app/layout.tsx

@@ -29,8 +29,8 @@ export default function RootLayout({ children }: { children: ReactNode }) {
               </a>
             </div>
             <div className="header-right">
-              <HeaderIdentity />
               <ThemeToggle />
+              <HeaderIdentity />
             </div>
             <div className="header-nav">
               <HeaderActions />

frontend/app/profile/page.tsx

@@ -10,9 +10,65 @@ type ProfileInfo = {
   auth_provider: string
 }
 
+type ProfileStats = {
+  total: number
+  ready: number
+  pending: number
+  in_progress: number
+  declined: number
+  working: number
+  partial: number
+  approved: number
+  last_request_at?: string | null
+  share: number
+  global_total: number
+  most_active_user?: { username: string; total: number } | null
+}
+
+type ActivityEntry = {
+  ip: string
+  user_agent: string
+  first_seen_at: string
+  last_seen_at: string
+  hit_count: number
+}
+
+type ProfileActivity = {
+  last_ip?: string | null
+  last_user_agent?: string | null
+  last_seen_at?: string | null
+  device_count: number
+  recent: ActivityEntry[]
+}
+
+type ProfileResponse = {
+  user: ProfileInfo
+  stats: ProfileStats
+  activity: ProfileActivity
+}
+
+const formatDate = (value?: string | null) => {
+  if (!value) return 'Never'
+  const date = new Date(value)
+  if (Number.isNaN(date.valueOf())) return value
+  return date.toLocaleString()
+}
+
+const parseBrowser = (agent?: string | null) => {
+  if (!agent) return 'Unknown'
+  const value = agent.toLowerCase()
+  if (value.includes('edg/')) return 'Edge'
+  if (value.includes('chrome/') && !value.includes('edg/')) return 'Chrome'
+  if (value.includes('firefox/')) return 'Firefox'
+  if (value.includes('safari/') && !value.includes('chrome/')) return 'Safari'
+  return 'Unknown'
+}
+
 export default function ProfilePage() {
   const router = useRouter()
   const [profile, setProfile] = useState<ProfileInfo | null>(null)
+  const [stats, setStats] = useState<ProfileStats | null>(null)
+  const [activity, setActivity] = useState<ProfileActivity | null>(null)
   const [currentPassword, setCurrentPassword] = useState('')
   const [newPassword, setNewPassword] = useState('')
   const [status, setStatus] = useState<string | null>(null)
@@ -26,18 +82,21 @@ export default function ProfilePage() {
     const load = async () => {
       try {
         const baseUrl = getApiBase()
-        const response = await authFetch(`${baseUrl}/auth/me`)
+        const response = await authFetch(`${baseUrl}/auth/profile`)
         if (!response.ok) {
           clearToken()
           router.push('/login')
           return
         }
         const data = await response.json()
+        const user = data?.user ?? {}
         setProfile({
-          username: data?.username ?? 'Unknown',
+          username: user?.username ?? 'Unknown',
-          role: data?.role ?? 'user',
+          role: user?.role ?? 'user',
-          auth_provider: data?.auth_provider ?? 'local',
+          auth_provider: user?.auth_provider ?? 'local',
         })
+        setStats(data?.stats ?? null)
+        setActivity(data?.activity ?? null)
       } catch (err) {
         console.error(err)
         setStatus('Could not load your profile.')
@@ -91,6 +150,78 @@ export default function ProfilePage() {
           {profile.auth_provider}.
         </div>
       )}
+      <div className="profile-grid">
+        <section className="profile-section">
+          <h2>Account stats</h2>
+          <div className="stat-grid">
+            <div className="stat-card">
+              <div className="stat-label">Requests submitted</div>
+              <div className="stat-value">{stats?.total ?? 0}</div>
+            </div>
+            <div className="stat-card">
+              <div className="stat-label">Ready to watch</div>
+              <div className="stat-value">{stats?.ready ?? 0}</div>
+            </div>
+            <div className="stat-card">
+              <div className="stat-label">In progress</div>
+              <div className="stat-value">{stats?.in_progress ?? 0}</div>
+            </div>
+            <div className="stat-card">
+              <div className="stat-label">Pending approval</div>
+              <div className="stat-value">{stats?.pending ?? 0}</div>
+            </div>
+            <div className="stat-card">
+              <div className="stat-label">Declined</div>
+              <div className="stat-value">{stats?.declined ?? 0}</div>
+            </div>
+            <div className="stat-card">
+              <div className="stat-label">Last request</div>
+              <div className="stat-value stat-value--small">
+                {formatDate(stats?.last_request_at)}
+              </div>
+            </div>
+            <div className="stat-card">
+              <div className="stat-label">Share of all requests</div>
+              <div className="stat-value">
+                {stats?.global_total
+                  ? `${Math.round((stats.share || 0) * 1000) / 10}%`
+                  : '0%'}
+              </div>
+            </div>
+            {profile?.role === 'admin' ? (
+              <div className="stat-card">
+                <div className="stat-label">Most active user</div>
+                <div className="stat-value stat-value--small">
+                  {stats?.most_active_user
+                    ? `${stats.most_active_user.username} (${stats.most_active_user.total})`
+                    : 'N/A'}
+                </div>
+              </div>
+            ) : null}
+          </div>
+        </section>
+        <section className="profile-section">
+          <h2>Connection history</h2>
+          <div className="status-banner">
+            Last seen {formatDate(activity?.last_seen_at)} from {activity?.last_ip ?? 'Unknown'}.
+          </div>
+          <div className="connection-list">
+            {(activity?.recent ?? []).map((entry, index) => (
+              <div key={`${entry.ip}-${entry.last_seen_at}-${index}`} className="connection-item">
+                <div>
+                  <div className="connection-label">{parseBrowser(entry.user_agent)}</div>
+                  <div className="meta">IP: {entry.ip}</div>
+                  <div className="meta">Last seen: {formatDate(entry.last_seen_at)}</div>
+                </div>
+                <div className="connection-count">{entry.hit_count} visits</div>
+              </div>
+            ))}
+            {activity && activity.recent.length === 0 ? (
+              <div className="status-banner">No connection history yet.</div>
+            ) : null}
+          </div>
+        </section>
+      </div>
       {profile?.auth_provider !== 'local' ? (
         <div className="status-banner">
           Password changes are only available for local Magent accounts.

frontend/app/ui/HeaderActions.tsx

@@ -32,14 +32,6 @@ export default function HeaderActions() {
     void load()
   }, [])
 
-  const signOut = () => {
-    clearToken()
-    setSignedIn(false)
-    if (typeof window !== 'undefined') {
-      window.location.href = '/login'
-    }
-  }
-
   if (!signedIn) {
     return null
   }
@@ -49,12 +41,7 @@ export default function HeaderActions() {
       <a className="header-cta header-cta--left" href="/feedback">Send feedback</a>
       <a href="/">Requests</a>
       <a href="/how-it-works">How it works</a>
-      <a href="/changelog">Changelog</a>
-      <a href="/profile">My profile</a>
       {role === 'admin' && <a href="/admin">Settings</a>}
-      <button type="button" className="header-link" onClick={signOut}>
-        Sign out
-      </button>
     </div>
   )
 }

frontend/app/ui/HeaderIdentity.tsx

@@ -4,13 +4,15 @@ import { useEffect, useState } from 'react'
 import { authFetch, clearToken, getApiBase, getToken } from '../lib/auth'
 
 export default function HeaderIdentity() {
-  const [identity, setIdentity] = useState<string | null>(null)
+  const [identity, setIdentity] = useState<{ username: string; role?: string } | null>(null)
+  const [buildNumber, setBuildNumber] = useState<string | null>(null)
   const [open, setOpen] = useState(false)
 
   useEffect(() => {
     const token = getToken()
     if (!token) {
       setIdentity(null)
+      setBuildNumber(null)
       return
     }
     const load = async () => {
@@ -24,7 +26,14 @@ export default function HeaderIdentity() {
         }
         const data = await response.json()
         if (data?.username) {
-          setIdentity(`${data.username}${data.role ? ` (${data.role})` : ''}`)
+          setIdentity({ username: data.username, role: data.role })
+        }
+        const siteResponse = await fetch(`${baseUrl}/site/public`)
+        if (siteResponse.ok) {
+          const siteInfo = await siteResponse.json()
+          if (siteInfo?.buildNumber) {
+            setBuildNumber(siteInfo.buildNumber)
+          }
         }
       } catch (err) {
         console.error(err)
@@ -38,14 +47,42 @@ export default function HeaderIdentity() {
     return null
   }
 
+  const label = `${identity.username}${identity.role ? ` (${identity.role})` : ''}`
+  const initial = identity.username.slice(0, 1).toUpperCase()
+  const signOut = () => {
+    clearToken()
+    if (typeof window !== 'undefined') {
+      window.location.href = '/login'
+    }
+  }
+
   return (
     <div className="signed-in-menu">
-      <button type="button" className="signed-in" onClick={() => setOpen((prev) => !prev)}>
+      <button
-        Signed in as {identity}
+        type="button"
+        className="avatar-button"
+        onClick={() => setOpen((prev) => !prev)}
+        aria-haspopup="true"
+        aria-expanded={open}
+        title={label}
+      >
+        {initial}
       </button>
       {open && (
         <div className="signed-in-dropdown">
-          <a href="/profile">My profile</a>
+          <div className="signed-in-header">Signed in as {label}</div>
+          <div className="signed-in-actions">
+            <a href="/profile" onClick={() => setOpen(false)}>
+              My profile
+            </a>
+            <a href="/changelog" onClick={() => setOpen(false)}>
+              Changelog
+            </a>
+            <button type="button" className="signed-in-signout" onClick={signOut}>
+              Sign out
+            </button>
+          </div>
+          {buildNumber ? <div className="signed-in-build">Build {buildNumber}</div> : null}
         </div>
       )}
     </div>

frontend/app/ui/SiteStatus.tsx

@@ -57,9 +57,6 @@ export default function SiteStatus() {
       {banner?.enabled && banner.message ? (
         <div className={`site-banner site-banner--${tone}`}>{banner.message}</div>
       ) : null}
-      {info?.buildNumber ? (
-        <div className="site-version">Build {info.buildNumber}</div>
-      ) : null}
     </>
   )
 }

frontend/app/users/page.tsx

@@ -136,10 +136,12 @@ export default function UsersPage() {
               <div key={user.username} className="summary-card user-card">
                 <div>
                   <strong>{user.username}</strong>
+                  <div className="user-meta">
                     <span className="meta">Role: {user.role}</span>
                     <span className="meta">Login type: {user.authProvider || 'local'}</span>
                     <span className="meta">Last login: {formatLastLogin(user.lastLoginAt)}</span>
                   </div>
+                </div>
                 <div className="user-actions">
                   <label className="toggle">
                     <input