- docs-check.yml runs on push/PR only when .md files change
- markdown-lint job: uses markdownlint-cli to check all .md files
- mermaid-parse job: extracts all mermaid blocks from .md files and
validates each via mmdc (mermaid-js CLI) in headless Chromium
- Both jobs use continue-on-error: true so docs failures never block
a release or fail the main CI pipeline
- .markdownlint.json disables MD013 (line length), MD033 (inline HTML),
MD041 (first-line heading) to reduce noise on this repo
Replace \n in stateDiagram transition labels, sequenceDiagram notes,
and graph edge labels — these are not valid in those contexts and
cause diagrams to fail to render. Also replace Unicode × and → with
plain ASCII equivalents to avoid parser issues.
When TLS_ENABLED=false (e.g. behind a reverse proxy) the healthcheck
was still hitting https://localhost which fails on plain HTTP, keeping
the container perpetually in 'starting' state on TrueNAS SCALE.
Use a shell conditional so the correct protocol is used at runtime:
- TLS_ENABLED=false -> wget http://localhost:${PORT}/health
- TLS_ENABLED=true (default) -> wget --no-check-certificate https://...
Sonarr queue and history records do not expose episodeNumber at the
top level — it is only present inside the nested episode object
(record.episode.episodeNumber). Same for seasonNumber. The original
extractEpisode() read record.episodeNumber which was always undefined,
so gatherEpisodes() always returned an empty array.
Fix: prefer the nested episode object fields, falling back to the
top-level fields for forward-compatibility.
- Add includeEpisode:true to Sonarr queue and history API requests
in both the poller and historyFetcher
- Add extractEpisode() / gatherEpisodes() helpers in dashboard.js
and history.js to build a sorted, deduplicated episodes array
covering all records matching a download title (handles multi-
episode packs and series packs)
- Replace episodeInfo: sonarrMatch with episodes: gatherEpisodes()
across all 8 assignment sites in dashboard.js
- Add episodes field to /api/history/recent response items
- Frontend: formatEpisodeInfo() renders S01E05 for single episodes
or 'Multiple episodes' with hover tooltip listing all for packs
- CSS: .episode-info and .multi-episode tooltip styles
- ARCHITECTURE.md: update polling table and download/history schemas
server/index.js:
- Import http and https modules
- Resolve TLS_ENABLED early (before Helmet) so upgradeInsecureRequests
CSP directive fires when TLS is active directly (not only via proxy)
- loadTlsCredentials() reads TLS_CERT/TLS_KEY (defaulting to bundled
snakeoil) and returns null on failure (graceful HTTP fallback)
- Start https.createServer or http.createServer depending on credentials
- Startup banner now shows protocol, TLS cert path, and snakeoil warning
certs/:
- Add bundled snakeoil self-signed certificate (RSA 2048, 10yr, SAN for
localhost + 127.0.0.1) for out-of-the-box HTTPS without configuration
- .gitignore allows only snakeoil.{crt,key} — real certs must not be
committed
Dockerfile:
- COPY certs/ into image so snakeoil default is always available
- HEALTHCHECK updated to https:// with --no-check-certificate
docker-compose.yaml:
- Port now exposes HTTPS directly by default
- TLS_CERT/TLS_KEY/TLS_ENABLED/TRUST_PROXY documented with Option A/B
- cert volume mount examples added (commented out)
- healthcheck updated to https with --no-check-certificate
.env.sample:
- New TLS/HTTPS section with TLS_ENABLED, TLS_CERT, TLS_KEY
- openssl self-signed cert generation example included
docs/ARCHITECTURE.md:
- Configuration table: TLS_ENABLED, TLS_CERT, TLS_KEY env vars added
- Docker image section: TLS default behaviour documented
- Docker Compose example: Option A (direct TLS) / Option B (proxy) layout
- Security checklist: HTTPS now first item, updated for TLS modes
par keyword is not supported in the PlantUML version on the Gitea runner.
Replace with a group block (universally supported) and a spanning note
to convey the parallelism.
The pill redesign set display:inline-flex + white-space:nowrap on all
.detail-item elements. The .progress-item (which extends .detail-item)
was then shrinking the .progress-bar to zero usable width.
Override pill styles on .progress-item: display:flex, no background,
no padding, white-space:normal. Also give .progress-container flex:1
so it expands to fill the row.
float:left on .progress-segment was ignored inside the overflow:hidden
position:relative .progress-bar container, so the coloured fill never
appeared. Absolute positioning from top:0 left:0 with the JS-assigned
width renders correctly.
- Detail items (Size, Progress, Speed, ETA, Seeds, Peers, Availability,
Completed) now render as inline pill badges with background + border-
radius that wrap naturally on any screen width
- Remove mobile @media override that forced flex-direction:column,
which was causing one-per-line centred layout on small screens
- Availability < 100%: value text shown in red (--danger) bold, both
on card creation and on live SSE update via classList.toggle
- Also ensures updateDownloadCard keeps availability-warning in sync
secure:true cookies are only sent by browsers over HTTPS connections.
When NODE_ENV=production (always set in the Docker container) but no
TLS proxy is in front, the browser receives the cookie on login but
refuses to send it on subsequent HTTP requests — causing every
authenticated endpoint (/stream, /status, etc.) to return 401.
The correct signal is TRUST_PROXY: it is only set when a TLS-terminating
reverse proxy is confirmed to be in front. Affects emby_user and
csrf_token cookies across login, /csrf refresh, and logout.
