Expose issue portal navigation

.gitea/workflows/ci-cd.yml

@@ -0,0 +1,73 @@
+name: Magent CI/CD
+
+on:
+  push:
+    branches:
+      - beta
+      - prod
+  workflow_dispatch:
+
+concurrency:
+  group: magent-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  verify:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Set up Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: "24"
+          cache: npm
+          cache-dependency-path: frontend/package-lock.json
+
+      - name: Install frontend dependencies
+        working-directory: frontend
+        run: npm ci
+
+      - name: Run backend quality gate
+        run: bash scripts/ci_backend_quality_gate.sh
+
+      - name: Build frontend
+        working-directory: frontend
+        run: npm run build
+
+  deploy-prod:
+    if: github.ref_name == 'prod'
+    needs: verify
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Configure SSH key
+        env:
+          PROD_SSH_PRIVATE_KEY: ${{ secrets.PROD_SSH_PRIVATE_KEY }}
+          PROD_SSH_KNOWN_HOSTS: ${{ secrets.PROD_SSH_KNOWN_HOSTS }}
+        run: |
+          set -euo pipefail
+          mkdir -p ~/.ssh
+          chmod 700 ~/.ssh
+          printf '%s' "$PROD_SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+          if [ -n "${PROD_SSH_KNOWN_HOSTS:-}" ]; then
+            printf '%s\n' "$PROD_SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts
+            chmod 644 ~/.ssh/known_hosts
+          fi
+
+      - name: Deploy to AMS-DEV01
+        env:
+          DEPLOY_HOST: ${{ secrets.PROD_SSH_HOST }}
+          DEPLOY_USER: ${{ secrets.PROD_SSH_USER }}
+          DEPLOY_PATH: ${{ secrets.PROD_DEPLOY_PATH }}
+          DEPLOY_SSH_OPTS: -o StrictHostKeyChecking=accept-new
+        run: bash scripts/deploy_ams_dev01.sh

README.md

@@ -141,6 +141,26 @@ The frontend proxies `/api/*` to the backend container. Set:
 
 If you prefer the browser to call the backend directly, set `NEXT_PUBLIC_API_BASE` to your public backend URL and ensure CORS is configured.
 
+## Gitea CI/CD
+
+This repo now includes a Gitea Actions workflow at `.gitea/workflows/ci-cd.yml`.
+
+- Push to `beta`: runs the backend unit-test quality gate and a production frontend build.
+- Push to `prod`: runs the same verification, then deploys to Docker on `AMS-DEV01`.
+
+The deploy step ships tracked repository files over SSH, preserves the server's `.env` and `data/`, rebuilds with `docker compose up -d --build`, and smoke-tests:
+
+- `http://127.0.0.1:8000/health`
+- `http://127.0.0.1:3000/login`
+
+Configure these Gitea Actions secrets before enabling the deploy job:
+
+- `PROD_SSH_PRIVATE_KEY`: private key for the deployment account.
+- `PROD_SSH_HOST`: target host, for example `AMS-DEV01`.
+- `PROD_SSH_USER`: target user, for example `zak`.
+- `PROD_DEPLOY_PATH`: target app path, for example `/home/zak/magent`.
+- `PROD_SSH_KNOWN_HOSTS`: optional pinned `known_hosts` entry for stricter host verification.
+
 ## History endpoints
 
 - `GET /requests/{id}/history?limit=10` recent snapshots

backend/app/clients/qbittorrent.py

@@ -52,6 +52,17 @@ class QBittorrentClient(ApiClient):
             response = await client.post(f"{self.base_url}{path}", data=data)
             response.raise_for_status()
 
+    async def is_webui_reachable(self) -> bool:
+        if not self.base_url:
+            return False
+        try:
+            async with httpx.AsyncClient(timeout=10.0, follow_redirects=True) as client:
+                response = await client.get(self.base_url)
+                response.raise_for_status()
+            return True
+        except httpx.HTTPError:
+            return False
+
     async def get_torrents(self) -> Optional[Any]:
         return await self._get("/api/v2/torrents/info")
 

backend/app/db.py

@@ -418,12 +418,16 @@ def init_db() -> None:
             ON requests_cache (updated_at DESC, request_id DESC)
             """
         )
-        conn.execute(
+        try:
-            """
+            conn.execute(
-            CREATE INDEX IF NOT EXISTS idx_requests_cache_requested_by_id_created_at
+                """
-            ON requests_cache (requested_by_id, created_at DESC, request_id DESC)
+                CREATE INDEX IF NOT EXISTS idx_requests_cache_requested_by_id_created_at
-            """
+                ON requests_cache (requested_by_id, created_at DESC, request_id DESC)
-        )
+                """
+            )
+        except sqlite3.OperationalError:
+            # Older databases may not have requested_by_id until later migrations run.
+            pass
         conn.execute(
             """
             CREATE INDEX IF NOT EXISTS idx_requests_cache_requested_by_norm_created_at

backend/app/routers/requests.py

@@ -118,6 +118,7 @@ def _cache_get(key: str) -> Optional[Dict[str, Any]]:
 
 def _cache_set(key: str, payload: Dict[str, Any]) -> None:
     _detail_cache[key] = (time.time() + CACHE_TTL_SECONDS, payload)
+    _failed_detail_cache.pop(key, None)
 
 
 def _status_label_with_jellyfin(current_status: Any, jellyfin_available: bool) -> str:
@@ -169,7 +170,6 @@ async def _request_is_available_in_jellyfin(
                 return True
     availability_cache[cache_key] = False
     return False
-    _failed_detail_cache.pop(key, None)
 
 
 def _failure_cache_has(key: str) -> bool:

backend/app/routers/status.py

@@ -26,6 +26,35 @@ async def _check(name: str, configured: bool, func) -> Dict[str, Any]:
         return {"name": name, "status": "down", "message": str(exc)}
 
 
+async def _check_qbittorrent(qbittorrent: QBittorrentClient) -> Dict[str, Any]:
+    if not qbittorrent.base_url:
+        return {"name": "qBittorrent", "status": "not_configured"}
+    if not qbittorrent.username or not qbittorrent.password:
+        reachable = await qbittorrent.is_webui_reachable()
+        return {
+            "name": "qBittorrent",
+            "status": "degraded" if reachable else "not_configured",
+            "message": "qBittorrent credentials are incomplete" if reachable else "qBittorrent is not fully configured",
+        }
+    try:
+        result = await qbittorrent.get_app_version()
+        return {"name": "qBittorrent", "status": "up", "detail": result}
+    except RuntimeError as exc:
+        if "login failed" in str(exc).lower():
+            reachable = await qbittorrent.is_webui_reachable()
+            if reachable:
+                return {
+                    "name": "qBittorrent",
+                    "status": "degraded",
+                    "message": "qBittorrent is reachable but the saved credentials were rejected",
+                }
+        return {"name": "qBittorrent", "status": "down", "message": str(exc)}
+    except httpx.HTTPError as exc:
+        return {"name": "qBittorrent", "status": "down", "message": str(exc)}
+    except Exception as exc:
+        return {"name": "qBittorrent", "status": "down", "message": str(exc)}
+
+
 @router.get("/services")
 async def services_status() -> Dict[str, Any]:
     runtime = get_runtime_settings()
@@ -71,13 +100,7 @@ async def services_status() -> Dict[str, Any]:
             prowlarr_status["status"] = "degraded"
             prowlarr_status["message"] = "Health warnings"
     services.append(prowlarr_status)
-    services.append(
+    services.append(await _check_qbittorrent(qbittorrent))
-        await _check(
-            "qBittorrent",
-            qbittorrent.configured(),
-            qbittorrent.get_app_version,
-        )
-    )
     services.append(
         await _check(
             "Jellyfin",
@@ -122,10 +145,12 @@ async def test_service(service: str) -> Dict[str, Any]:
         "sonarr": ("Sonarr", sonarr.configured(), sonarr.get_system_status),
         "radarr": ("Radarr", radarr.configured(), radarr.get_system_status),
         "prowlarr": ("Prowlarr", prowlarr.configured(), prowlarr.get_health),
-        "qbittorrent": ("qBittorrent", qbittorrent.configured(), qbittorrent.get_app_version),
         "jellyfin": ("Jellyfin", jellyfin.configured(), jellyfin.get_system_info),
     }
 
+    if service_key == "qbittorrent":
+        return await _check_qbittorrent(qbittorrent)
+
     if service_key not in checks:
         raise HTTPException(status_code=404, detail="Unknown service")
 

backend/tests/test_backend_quality.py

@@ -11,6 +11,8 @@ from backend.app.config import settings
 from backend.app.network_security import request_trusts_forwarded_headers, validate_notification_target_url
 from backend.app.routers import auth as auth_router
 from backend.app.routers import portal as portal_router
+from backend.app.routers import requests as requests_router
+from backend.app.routers import status as status_router
 from backend.app.security import PASSWORD_POLICY_MESSAGE, validate_password_policy
 from backend.app.services import password_reset
 
@@ -94,6 +96,44 @@ class NetworkSecurityTests(unittest.TestCase):
             settings.magent_proxy_trusted_proxies = original_proxies
 
 
+class ServiceStatusTests(unittest.IsolatedAsyncioTestCase):
+    async def test_qbittorrent_incomplete_credentials_report_degraded_when_reachable(self) -> None:
+        client = status_router.QBittorrentClient("http://10.0.0.2:8080", "admin", None)
+        with patch.object(client, "is_webui_reachable", new=AsyncMock(return_value=True)):
+            result = await status_router._check_qbittorrent(client)
+
+        self.assertEqual(result["status"], "degraded")
+        self.assertIn("credentials", result["message"].lower())
+
+    async def test_qbittorrent_rejected_credentials_report_degraded_when_reachable(self) -> None:
+        client = status_router.QBittorrentClient("http://10.0.0.2:8080", "admin", "secret")
+        with patch.object(
+            client,
+            "get_app_version",
+            new=AsyncMock(side_effect=RuntimeError("qBittorrent login failed")),
+        ), patch.object(client, "is_webui_reachable", new=AsyncMock(return_value=True)):
+            result = await status_router._check_qbittorrent(client)
+
+        self.assertEqual(result["status"], "degraded")
+        self.assertIn("credentials", result["message"].lower())
+
+
+class RequestCacheTests(unittest.TestCase):
+    def tearDown(self) -> None:
+        requests_router._detail_cache.clear()
+        requests_router._failed_detail_cache.clear()
+
+    def test_successful_detail_cache_write_clears_prior_failure(self) -> None:
+        key = "request:123"
+        requests_router._failure_cache_set(key)
+        self.assertTrue(requests_router._failure_cache_has(key))
+
+        requests_router._cache_set(key, {"id": 123})
+
+        self.assertFalse(requests_router._failure_cache_has(key))
+        self.assertEqual(requests_router._cache_get(key), {"id": 123})
+
+
 class DatabaseEmailTests(TempDatabaseMixin, unittest.TestCase):
     def test_set_user_email_is_case_insensitive(self) -> None:
         created = db.create_user_if_missing(

frontend/app/globals.css

@@ -3565,12 +3565,14 @@ button:disabled {
 .user-grid-pill.is-blocked {
   background: rgba(244, 114, 114, 0.14);
   border-color: rgba(244, 114, 114, 0.24);
+  color: #ffd5d5;
 }
 
 .system-pill-degraded,
 .user-grid-pill.is-disabled {
   background: rgba(208, 166, 92, 0.14);
   border-color: rgba(208, 166, 92, 0.22);
+  color: #ffe3a6;
 }
 
 .system-dot {

frontend/app/requests/[id]/page.tsx

@@ -55,6 +55,44 @@ type ActionHistory = {
   created_at: string
 }
 
+const readApiError = async (response: Response, fallback: string) => {
+  try {
+    const contentType = response.headers.get('content-type') ?? ''
+    if (contentType.includes('application/json')) {
+      const payload = await response.json()
+      if (typeof payload?.detail === 'string' && payload.detail.trim()) {
+        return payload.detail
+      }
+      if (typeof payload?.message === 'string' && payload.message.trim()) {
+        return payload.message
+      }
+    } else {
+      const text = await response.text()
+      if (text.trim()) {
+        return text.trim()
+      }
+    }
+  } catch (error) {
+    console.error(error)
+  }
+  return fallback
+}
+
+const isSnapshotPayload = (value: unknown): value is Snapshot => {
+  if (!value || typeof value !== 'object') {
+    return false
+  }
+  const snapshot = value as Partial<Snapshot>
+  return (
+    typeof snapshot.request_id === 'string' &&
+    typeof snapshot.title === 'string' &&
+    typeof snapshot.request_type === 'string' &&
+    typeof snapshot.state === 'string' &&
+    Array.isArray(snapshot.timeline) &&
+    Array.isArray(snapshot.actions)
+  )
+}
+
 const percentFromTorrent = (torrent: Record<string, any>) => {
   const progress = Number(torrent.progress)
   if (!Number.isNaN(progress) && progress >= 0 && progress <= 1) {
@@ -201,6 +239,7 @@ export default function RequestTimelinePage() {
   const router = useRouter()
   const [snapshot, setSnapshot] = useState<Snapshot | null>(null)
   const [loading, setLoading] = useState(true)
+  const [loadError, setLoadError] = useState<string | null>(null)
   const [showDetails, setShowDetails] = useState(false)
   const [actionMessage, setActionMessage] = useState<string | null>(null)
   const [releaseOptions, setReleaseOptions] = useState<ReleaseOption[]>([])
@@ -214,6 +253,9 @@ export default function RequestTimelinePage() {
       return
     }
     const load = async () => {
+      setLoading(true)
+      setLoadError(null)
+      setSnapshot(null)
       try {
         if (!getToken()) {
           router.push('/login')
@@ -226,12 +268,22 @@ export default function RequestTimelinePage() {
           authFetch(`${baseUrl}/requests/${requestId}/actions?limit=5`),
         ])
 
-        if (snapshotResponse.status === 401) {
+        const authExpired = [snapshotResponse, historyResponse, actionsResponse].some(
+          (response) => response.status === 401
+        )
+        if (authExpired) {
           clearToken()
           router.push('/login')
           return
         }
+        if (!snapshotResponse.ok) {
+          const message = await readApiError(snapshotResponse, 'Unable to load this request.')
+          throw new Error(message)
+        }
         const snapshotData = await snapshotResponse.json()
+        if (!isSnapshotPayload(snapshotData)) {
+          throw new Error('Unable to load this request.')
+        }
         setSnapshot(snapshotData)
         setReleaseOptions([])
         setSearchRan(false)
@@ -251,6 +303,9 @@ export default function RequestTimelinePage() {
         }
       } catch (error) {
         console.error(error)
+        setLoadError(
+          error instanceof Error && error.message ? error.message : 'Unable to load this request.'
+        )
       } finally {
         setLoading(false)
       }
@@ -328,8 +383,12 @@ export default function RequestTimelinePage() {
     )
   }
 
+  if (loadError) {
+    return <main className="card">{loadError}</main>
+  }
+
   if (!snapshot) {
-    return <main className="card">Could not load that request.</main>
+    return <main className="card">Unable to load this request.</main>
   }
 
   const summary =

frontend/app/ui/HeaderActions.tsx

@@ -42,7 +42,8 @@ export default function HeaderActions() {
       <div className="header-actions-right">
         <a href="/">Requests</a>
         <a href="/profile/invites">Invites</a>
-        <a href="/portal">Portal</a>
+        <a href="/portal/requests">Portal</a>
+        <a href="/portal/issues">Issues</a>
       </div>
     </div>
   )

scripts/ci_backend_quality_gate.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+repo_root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+cd "$repo_root"
+
+python_bin="${PYTHON_BIN:-python3}"
+
+echo "Installing backend Python requirements"
+"$python_bin" -m pip install -r backend/requirements.txt
+
+echo "Running Python dependency integrity check"
+"$python_bin" -m pip check
+
+echo "Running backend unit tests"
+"$python_bin" -m unittest discover -s backend/tests -p "test_*.py" -v
+
+echo "Backend quality gate passed"

scripts/deploy_ams_dev01.sh

@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+repo_root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+cd "$repo_root"
+
+deploy_host="${DEPLOY_HOST:-AMS-DEV01}"
+deploy_user="${DEPLOY_USER:-zak}"
+deploy_path="${DEPLOY_PATH:-/home/${deploy_user}/magent}"
+ssh_opts="${DEPLOY_SSH_OPTS:-"-o StrictHostKeyChecking=accept-new"}"
+timestamp="$(date -u +%Y%m%dT%H%M%SZ)"
+
+remote="${deploy_user}@${deploy_host}"
+
+echo "Deploying tracked repository contents to ${remote}:${deploy_path}"
+
+git archive --format=tar HEAD | ssh ${ssh_opts} "${remote}" "
+  set -e
+  mkdir -p '${deploy_path}'
+  backup_root=\"\${HOME}/magent-backups/${timestamp}\"
+  mkdir -p \"\${backup_root}\"
+  cd '${deploy_path}'
+  for path in backend frontend docker-compose.yml docker-compose.hub.yml Dockerfile README.md docker scripts .build_number .gitattributes .gitignore; do
+    if [ -e \"\$path\" ]; then
+      cp -a \"\$path\" \"\${backup_root}/\"
+    fi
+  done
+  tar -xf - -C '${deploy_path}'
+  docker compose up -d --build
+"
+
+echo "Running remote smoke checks"
+ssh ${ssh_opts} "${remote}" "
+  set -e
+  python3 - <<'PY'
+from urllib import request
+
+checks = [
+    ('http://127.0.0.1:8000/health', 200),
+    ('http://127.0.0.1:3000/login', 200),
+]
+
+for url, expected in checks:
+    with request.urlopen(url, timeout=20) as response:
+        if response.status != expected:
+            raise SystemExit(f'{url} returned {response.status}, expected {expected}')
+        print(url, response.status)
+PY
+"
+
+echo "Deployment completed successfully"