Release v1.6.0

Major feature release bringing technical-debt remediation, service extraction, frontend migration, and staged history loading. ### Added - Staged history loading with SSE push — history data from Sonarr/Radarr is now fetched in stages; history-update SSE events push incremental results to the dashboard - Frontend unit tests — added Vitest + jsdom test suite covering client/src/ modules - Comprehensive tests for staged history loading — backend tests verify background-fetch behaviour, cache TTL handling, and SSE emission - Integration test coverage — new integration and unit tests for dashboard, emby, sonarr, radarr, and sabnzbd routes ### Changed - Technical-debt remediation — service extraction — extracted matching and assembly logic from monolithic dashboard.js (~1,360 lines → ~284 lines) into dedicated services: DownloadMatcher.js, DownloadAssembler.js, DownloadBuilder.js, TagMatcher.js, WebhookStatus.js - Frontend architecture — migrated from monolithic public/app.js to vanilla ES modules under client/src/, bundled by Vite - History pagination — replaced custom date-based cursor pagination with retriever's built-in pagination (pageSize=100, up to 10 pages / 1,000 records total) - Status endpoint path — admin status route moved from /api/status/status to /api/status - Background-fetch safety — poller no longer overwrites cache with empty data when background fetch fails - SABnzbd progress calculation — progress computed from slot.mb and slot.mbleft / mbmissing - Speed formatting consistency — updateDownloadCard() now calls formatSpeed() for uniform units - Status-panel error handling — panel now surfaces error messages instead of blank box ### Fixed - CSRF token reference errors — fixed ReferenceError bugs in api.js, auth.js, and blocklist handler - Logout button — fixed undefined variable references - Missing progress bar for SABnzbd — SABnzbd downloads now render correct progress bar - Status route 404 — corrected Express router mount - Status button DOM ID — fixed element-ID mismatch - Tab selection — fixed to use data-tab attributes - CSP violations and ignoreAvailable reference error - Docker client-build stage — removed client/ from .dockerignore - Unmatched torrent exclusion — torrents not matching Sonarr/Radarr record now correctly omitted - Blocklist button CSRF — fixed ReferenceError ### Breaking Changes - Unmatched torrents are no longer displayed — torrents that do not match a Sonarr/Radarr queue or history record are excluded - Frontend build process changed — monolithic public/app.js source replaced by Vite build from client/src/ - Status API endpoint path changed — admin status endpoint moved from /api/status/status to /api/status
chore: bump version to 1.6.0, update CHANGELOG and ARCHITECTURE docs
2026-05-21 11:55:55 +01:00 · 2026-05-21 11:49:57 +01:00 · 2026-05-21 09:28:17 +01:00 · 2026-05-21 02:17:48 +01:00 · 2026-05-21 02:16:34 +01:00 · 2026-05-21 02:15:09 +01:00
125 changed files with 19655 additions and 4619 deletions
@@ -1,3 +1,4 @@
+# Docker build context ignores
 node_modules/
 .env
 .env.example
@@ -7,10 +8,18 @@ node_modules/
 .DS_Store
 *.log
 **/*.log
-client/
+client/node_modules/
+client/dist/
 dist/
 build/
+coverage/
+tests/
+vitest.config.js
+.markdownlint.json
 README.md
+CHANGELOG.md
+SECURITY.md
+LICENSE
 .dockerignore
 Dockerfile
 .gitea/
@@ -1,37 +0,0 @@
-# Server Configuration
-PORT=3001
-LOG_LEVEL=info
-
-# Cookie signing secret for tamper-proof session cookies
-# Required in production. Generate with: openssl rand -hex 32
-COOKIE_SECRET=your_cookie_secret_here
-
-# Set to 1 (or a specific IP/CIDR) when running behind a reverse proxy
-# (Nginx, Caddy, Traefik) so Express trusts X-Forwarded-For/Proto.
-# Leave unset if sofarr is exposed directly.
-# TRUST_PROXY=1
-
-# Directory for persistent data (SQLite token store + logs)
-# Defaults to ./data relative to project root
-# DATA_DIR=/app/data
-
-# Background polling interval in ms (default: 5000)
-# Set to 0 or "off" to disable and fetch on-demand instead
-# POLL_INTERVAL=5000
-
-# Emby Configuration (single instance)
-EMBY_URL=http://localhost:8096
-EMBY_API_KEY=your_emby_api_key
-
-# SABnzbd Instances (JSON array)
-# Format: [{"name": "Instance Name", "url": "http://...", "apiKey": "..."}]
-SABNZBD_INSTANCES=[{"name": "Primary", "url": "http://localhost:8080", "apiKey": "your_api_key"}]
-
-# Sonarr Instances (JSON array)
-SONARR_INSTANCES=[{"name": "Primary", "url": "http://localhost:8989", "apiKey": "your_api_key"}]
-
-# Radarr Instances (JSON array)
-RADARR_INSTANCES=[{"name": "Primary", "url": "http://localhost:7878", "apiKey": "your_api_key"}]
-
-# qBittorrent Instances (JSON array)
-QBITTORRENT_INSTANCES=[{"name": "main", "url": "http://localhost:8080", "username": "admin", "password": "your_password"}]
@@ -19,6 +19,54 @@ LOG_LEVEL=info
 # Generate with: openssl rand -hex 32
 COOKIE_SECRET=your-cookie-secret-here

+# =============================================================================
+# WEBHOOK SETTINGS
+# =============================================================================
+
+# Secret for validating incoming webhooks from Sonarr and Radarr
+# Required for webhook endpoints to accept requests
+# Sonarr/Radarr must send this secret in the X-Sofarr-Webhook-Secret header
+# Generate with: openssl rand -hex 32
+SOFARR_WEBHOOK_SECRET=your-webhook-secret-here
+
+# Public base URL of Sofarr (for webhook configuration)
+# Required for the one-click webhook setup endpoints
+# Sonarr/Radarr need this URL to know where to send webhook events
+# Example: https://sofarr.example.com or https://192.168.1.100:3001
+SOFARR_BASE_URL=https://your-sofarr-url
+
+# --- Webhook Polling Optimization (Phase 5) ---
+
+# Minutes of silence after which the poller falls back to a full poll
+# even if webhooks were recently active. Default: 10 minutes.
+# Set lower (e.g. 2) for more aggressive fallback; higher (e.g. 30) to
+# reduce background polling on very stable setups.
+# WEBHOOK_FALLBACK_TIMEOUT=10
+
+# When an instance has received a recent webhook event, the poller skips
+# its queue/history fetch entirely (saving API calls). If you still want
+# a periodic poll even with webhooks, set this to 1 to disable skipping.
+# Default behaviour: skip polling for instances with recent webhook activity.
+# WEBHOOK_POLL_INTERVAL_MULTIPLIER=3
+
+# =============================================================================
+# TLS / HTTPS
+# =============================================================================
+
+# TLS is enabled by default using the bundled snakeoil self-signed certificate
+# (valid for localhost/127.0.0.1, 10-year expiry).
+# Set TLS_CERT and TLS_KEY to use your own certificate (recommended).
+# Set TLS_ENABLED=false to run in plain HTTP mode (e.g. behind a TLS proxy).
+#
+# To generate a self-signed cert for your own hostname:
+#   openssl req -x509 -newkey rsa:2048 -keyout server.key -out server.crt \
+#     -days 365 -nodes -subj "/CN=yourhostname" \
+#     -addext "subjectAltName=DNS:yourhostname,IP:192.168.x.x"
+#
+# TLS_ENABLED=true
+# TLS_CERT=/path/to/server.crt
+# TLS_KEY=/path/to/server.key
+
 # =============================================================================
 # REVERSE PROXY & DEPLOYMENT
 # =============================================================================
@@ -34,6 +82,10 @@ COOKIE_SECRET=your-cookie-secret-here
 # Defaults to ./data relative to the project root.
 # DATA_DIR=/app/data

+# Number of days of completed download history to show in the Recently Completed section.
+# Override per-request with ?days=N (capped at 90).
+# RECENT_COMPLETED_DAYS=7
+
 # Background polling interval in milliseconds (default: 5000)
 # sofarr polls all services in the background and caches results so
 # dashboard requests are near-instant.
@@ -72,6 +124,17 @@ QBITTORRENT_INSTANCES=[{"name":"main","url":"https://qbittorrent.example.com","u
 # QBITTORRENT_USERNAME=admin
 # QBITTORRENT_PASSWORD=your-password

+# =============================================================================
+# RTORRENT_INSTANCES (JSON Array)
+# The url MUST include the full XML-RPC endpoint path.
+# Standard/self-hosted installs: .../RPC2
+# whatbox.ca users: .../xmlrpc
+# Other installations may use different custom paths.
+# Example:
+RTORRENT_INSTANCES=[{"name":"main","url":"http://rtorrent.local:8080/RPC2","username":"rtorrent","password":"rtorrent"}]
+# For whatbox.ca:
+# RTORRENT_INSTANCES=[{"name":"whatbox","url":"https://user.whatbox.ca/xmlrpc","username":"user","password":"pass"}]
+
 # =============================================================================
 # SONARR INSTANCES (JSON Array Format)
 # Add one or more Sonarr instances as a single-line JSON array
@@ -103,4 +166,9 @@ RADARR_INSTANCES=[{"name":"main","url":"https://radarr.example.com","apiKey":"yo
 # 4. For qBittorrent, ensure Web UI is enabled in settings
 # 5. User downloads are matched by tags in Sonarr/Radarr - tag your media!
 # 6. Background polling keeps data fresh; disable it for low-resource setups
+# 7. Webhooks (SOFARR_WEBHOOK_SECRET + SOFARR_BASE_URL) enable real-time
+#    push updates from Sonarr/Radarr and automatically reduce polling load.
+#    Use the Webhooks Configuration panel in the dashboard UI to enable them
+#    with one click. The secret must match the header value in each *arr
+#    notification connection (X-Sofarr-Webhook-Secret).
 # =============================================================================
@@ -4,7 +4,7 @@ on:
  push:
    branches:
      - 'release/**'
-      - 'develop'
+      - 'develop*'

 jobs:
  build:
@@ -20,9 +20,11 @@ jobs:
          BRANCH=${GITHUB_REF#refs/heads/}
          echo "version=${VERSION}" >> $GITHUB_OUTPUT

-          if [ "$BRANCH" = "develop" ]; then
-            echo "tags=reg.i3omb.com/sofarr:develop" >> $GITHUB_OUTPUT
-            echo "Building develop image (version ${VERSION})"
+          if [[ "$BRANCH" == develop* ]]; then
+            # Sanitise branch name for tag: replace slashes with dashes
+            SAFE_BRANCH=$(echo "$BRANCH" | tr '/' '-')
+            echo "tags=reg.i3omb.com/sofarr:${SAFE_BRANCH}" >> $GITHUB_OUTPUT
+            echo "Building develop image ${SAFE_BRANCH} (version ${VERSION})"
          else
            RELEASE_NAME=${BRANCH#release/}
            TAGS="reg.i3omb.com/sofarr:${VERSION}"
@@ -0,0 +1,108 @@
+name: Docs Check
+
+on:
+  push:
+    branches: ["**", "!main", "!release/**"]
+    paths:
+      - "**.md"
+      - ".gitea/workflows/docs-check.yml"
+  pull_request:
+    branches: ["**", "!main", "!release/**"]
+    paths:
+      - "**.md"
+      - ".gitea/workflows/docs-check.yml"
+
+jobs:
+  markdown-lint:
+    name: Markdown lint
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "22"
+
+      - name: Install markdownlint-cli
+        run: npm install -g markdownlint-cli
+
+      - name: Lint all Markdown files
+        run: markdownlint "**/*.md" --ignore node_modules
+
+  mermaid-parse:
+    name: Mermaid diagram parse check
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "22"
+
+      - name: Install mermaid and jsdom
+        run: npm install mermaid jsdom
+
+      - name: Extract and validate Mermaid diagrams
+        run: |
+          cat > check-mermaid.cjs << 'SCRIPT'
+          const { JSDOM } = require('jsdom');
+          const fs   = require('fs');
+          const path = require('path');
+
+          // Provide minimal browser globals so mermaid.parse() works in Node
+          const dom = new JSDOM('<!DOCTYPE html><html><body></body></html>', { url: 'http://localhost' });
+          globalThis.window   = dom.window;
+          globalThis.document = dom.window.document;
+          globalThis.DOMPurify = {
+            addHook: () => {}, removeHook: () => {}, setConfig: () => {},
+            sanitize: (s) => s, isValidAttribute: () => true,
+          };
+
+          function findMdFiles(dir) {
+            const out = [];
+            for (const e of fs.readdirSync(dir, { withFileTypes: true })) {
+              const full = path.join(dir, e.name);
+              if (e.isDirectory() && e.name !== 'node_modules' && !e.name.startsWith('.'))
+                out.push(...findMdFiles(full));
+              else if (e.isFile() && e.name.endsWith('.md'))
+                out.push(full);
+            }
+            return out;
+          }
+
+          import('./node_modules/mermaid/dist/mermaid.core.mjs').then(async (m) => {
+            const mermaid = m.default;
+            let errors = 0, total = 0;
+
+            for (const mdFile of findMdFiles('.')) {
+              const content = fs.readFileSync(mdFile, 'utf8');
+              const blocks = [...content.matchAll(/^```mermaid\n([\s\S]*?)^```/gm)];
+              if (!blocks.length) continue;
+              console.log(`\nChecking ${mdFile} (${blocks.length} diagram(s))`);
+              for (let i = 0; i < blocks.length; i++) {
+                total++;
+                const diagram = blocks[i][1].trim();
+                try {
+                  await mermaid.parse(diagram);
+                  console.log(`  [OK]  diagram ${i + 1}`);
+                } catch (err) {
+                  const msg = String(err.message || err).split('\n')[0];
+                  console.error(`  [FAIL] diagram ${i + 1}: ${msg}`);
+                  console.log(`::warning file=${mdFile}::Mermaid diagram ${i + 1} failed: ${msg}`);
+                  errors++;
+                }
+              }
+            }
+
+            console.log(`\nTotal: ${total}. Failures: ${errors}`);
+            if (errors > 0) {
+              console.log(`::warning::${errors} Mermaid diagram(s) failed to parse.`);
+              process.exit(1);
+            }
+          }).catch(e => { console.error('Fatal:', e.message); process.exit(1); });
+          SCRIPT
+          node check-mermaid.cjs
@@ -0,0 +1,98 @@
+name: Licence Check
+
+on:
+  push:
+    branches: ["**", "!main", "!release/**"]
+    paths:
+      - "package.json"
+      - "package-lock.json"
+      - ".gitea/workflows/licence-check.yml"
+      - "**/*.js"
+      - "**/*.ts"
+      - "**/*.jsx"
+      - "**/*.tsx"
+  pull_request:
+    branches: ["**", "!main", "!release/**"]
+    paths:
+      - "package.json"
+      - "package-lock.json"
+      - ".gitea/workflows/licence-check.yml"
+      - "**/*.js"
+      - "**/*.ts"
+      - "**/*.jsx"
+      - "**/*.tsx"
+
+jobs:
+  licence-check:
+    name: Licence compatibility and copyright header verification
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "22"
+
+      - name: Install production dependencies
+        run: npm ci --omit=dev
+
+      - name: Check licence compatibility
+        run: |
+          # First, output all production licenses for visibility
+          echo "Checking production dependency licenses..."
+          npx --yes license-checker --production --excludePrivatePackages --json > /tmp/licenses.json
+          
+          # Check for incompatible licenses
+          if ! npx --yes license-checker --production \
+            --onlyAllow "MIT;ISC;MIT-0;BSD-2-Clause;BSD-3-Clause;Apache-2.0;CC0-1.0;BlueOak-1.0.0" \
+            --excludePrivatePackages; then
+            echo ""
+            echo "❌ Found incompatible licenses. Full license report:"
+            cat /tmp/licenses.json
+            exit 1
+          fi
+          
+          echo "✅ All production dependency licences are compatible with MIT."
+
+      - name: Check copyright headers in source files
+        run: |
+          #!/bin/bash
+          set -e
+          
+          # Find all source files, excluding build artifacts and node_modules
+          SOURCE_FILES=$(find . -type f \( -name "*.js" -o -name "*.ts" -o -name "*.jsx" -o -name "*.tsx" \) \
+            ! -path "./node_modules/*" \
+            ! -path "./.git/*" \
+            ! -path "./dist/*" \
+            ! -path "./build/*" \
+            ! -path "./public/*" \
+            ! -path "./.gitea/*")
+          
+          MISSING_HEADER=0
+          
+          # Check each file for MIT-compliant copyright header
+          while IFS= read -r file; do
+            if [ -z "$file" ]; then
+              continue
+            fi
+            
+            # Check if file starts with a copyright header containing: Copyright, year (4 digits), name, and MIT License
+            if ! head -n 5 "$file" | grep -qiE "Copyright.*[0-9]{4}.*MIT"; then
+              echo "❌ Missing MIT-compliant copyright header in: $file"
+              echo "   Required format: // Copyright (c) YYYY Name. MIT License."
+              echo "   Actual first 5 lines:"
+              head -n 5 "$file" | sed 's/^/     /'
+              echo ""
+              MISSING_HEADER=$((MISSING_HEADER + 1))
+            fi
+          done <<< "$SOURCE_FILES"
+          
+          if [ $MISSING_HEADER -gt 0 ]; then
+            echo ""
+            echo "⚠️  Found $MISSING_HEADER file(s) with missing or non-compliant copyright headers."
+            exit 1
+          else
+            echo "✅ All source files have MIT-compliant copyright headers."
+          fi
@@ -1,42 +0,0 @@
-name: Render PlantUML Diagrams
-
-on:
-  push:
-    branches: ["main", "develop", "release/**"]
-    paths:
-      - "docs/diagrams/**.puml"
-
-jobs:
-  render:
-    name: Render .puml → .png
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          token: ${{ secrets.BOT_TOKEN }}
-
-      - name: Install Java & Graphviz
-        run: |
-          sudo apt-get update -qq
-          sudo apt-get install -y --no-install-recommends default-jre-headless graphviz
-
-      - name: Download PlantUML jar
-        run: |
-          curl -sSL -o /usr/local/bin/plantuml.jar \
-            https://github.com/plantuml/plantuml/releases/download/v1.2024.6/plantuml-1.2024.6.jar
-
-      - name: Render diagrams
-        run: |
-          java -jar /usr/local/bin/plantuml.jar -tpng -o . docs/diagrams/*.puml
-
-      - name: Commit rendered PNGs
-        run: |
-          git config user.name  "gitea-actions[bot]"
-          git config user.email "gitea-actions[bot]@i3omb.com"
-          git add docs/diagrams/*.png
-          if git diff --cached --quiet; then
-            echo "No diagram changes to commit."
-          else
-            git commit -m "ci: render PlantUML diagrams [skip ci]"
-            git push
-          fi
@@ -0,0 +1,18 @@
+{
+  "default": true,
+  "MD009": false,
+  "MD012": false,
+  "MD013": false,
+  "MD022": false,
+  "MD024": false,
+  "MD029": false,
+  "MD031": false,
+  "MD032": false,
+  "MD033": false,
+  "MD034": false,
+  "MD036": false,
+  "MD040": false,
+  "MD041": false,
+  "MD058": false,
+  "MD060": false
+}
@@ -0,0 +1,292 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+Format follows [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
+This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+---
+
+## [1.6.0] - 2026-05-21
+
+### Added
+
+- **Staged history loading with SSE push** — history data from Sonarr/Radarr is now fetched in stages; `history-update` SSE events push incremental results to the dashboard so the "Recently Completed" tab populates without waiting for the full fetch.
+- **Frontend unit tests** — added Vitest + jsdom test suite covering `client/src/` modules (formatters, storage, state).
+- **Comprehensive tests for staged history loading** — backend tests verify the new background-fetch behaviour, cache TTL handling, and SSE emission.
+- **Integration test coverage** — new integration and unit tests for `dashboard`, `emby`, `sonarr`, `radarr`, and `sabnzbd` routes.
+
+### Changed
+
+- **Technical-debt remediation — service extraction** — extracted matching and assembly logic from the monolithic `dashboard.js` (~1,360 lines → ~284 lines) into dedicated, testable services:
+  - `DownloadMatcher.js` — SABnzbd slot / torrent → *arr record matching
+  - `DownloadAssembler.js` — cover-art, episode, link, blocklist-eligibility helpers
+  - `DownloadBuilder.js` — orchestrator that reads the cache snapshot and builds the final user-facing download list
+  - `TagMatcher.js` — tag extraction, sanitisation, and user-ownership matching
+  - `WebhookStatus.js` — webhook configuration status aggregation
+- **Frontend architecture** — migrated from a monolithic `public/app.js` to vanilla ES modules under `client/src/`, bundled by Vite into `public/app.js`.
+- **History pagination** — replaced custom date-based cursor pagination with the retriever's built-in pagination (`pageSize=100`, up to 10 pages / 1,000 records total). Eliminates the 40-second response-time regression seen with large histories.
+- **Status endpoint path** — admin status route moved from `/api/status/status` to `/api/status` for consistency with the router mount point.
+- **Background-fetch safety** — the poller no longer overwrites the cache with empty data when a background history fetch fails or returns no records.
+- **SABnzbd progress calculation** — progress is now computed from `slot.mb` and `slot.mbleft` / `slot.mbmissing` because the SABnzbd queue API does not expose a `percentage` field.
+- **Speed formatting consistency** — `updateDownloadCard()` now calls `formatSpeed()` so all speed values display with uniform units (B/s, KB/s, MB/s, GB/s).
+- **Status-panel error handling** — the panel now surfaces error messages (e.g. `403` for non-admin users) instead of showing a blank box.
+
+### Fixed
+
+- **CSRF token reference errors** — fixed `ReferenceError` bugs in `api.js`, `auth.js`, and the blocklist handler where `csrfToken` and `currentUser` were accessed as bare variables instead of via the shared `state` object.
+- **Logout button** — fixed undefined variable references in `handleLogoutClick` that prevented the logout flow from completing.
+- **Missing progress bar for SABnzbd** — SABnzbd downloads now render a correct progress bar instead of showing `undefined%`.
+- **Status route 404** — corrected the Express router mount so `GET /api/status` responds instead of returning HTML 404.
+- **Status button DOM ID** — fixed element-ID mismatch (`status-btn` vs `status-toggle`) that prevented the admin status button from toggling the panel.
+- **Tab selection** — fixed tab switching to use `data-tab` attributes after the DOM IDs were removed during the ES-module migration.
+- **CSP violations and `ignoreAvailable` reference error** — resolved frontend CSP compliance issues and a missing-variable error in the history tab.
+- **Docker client-build stage** — removed `client/` from `.dockerignore` so the multi-stage Dockerfile can run the Vite build during image creation.
+- **Unmatched torrent exclusion** — torrents that cannot be matched to a Sonarr/Radarr record are now correctly omitted from the download display.
+- **Blocklist button CSRF** — fixed a `ReferenceError` that occurred when a non-admin user clicked the blocklist button.
+
+### Breaking Changes
+
+- **Unmatched torrents are no longer displayed** — torrents that do not match a Sonarr/Radarr queue or history record are excluded from the dashboard. Users who previously saw direct torrent-client downloads will no longer see them unless the *arr services track the item.
+- **Frontend build process changed** — the monolithic `public/app.js` source file has been replaced by a Vite build from `client/src/`. Any custom deployment scripts that copy or modify `public/app.js` directly must be updated to run `npm run build` (or use the provided Dockerfile, which already does this).
+- **Status API endpoint path changed** — the admin status endpoint moved from `/api/status/status` to `/api/status`. External integrations, monitoring checks, or scripts hitting the old path will receive `404`.
+
+---
+
+## [1.5.5] - 2026-05-20
+
+### Added
+
+- **Download client logos** — Added SVG logos for all supported download clients (SABnzbd, qBittorrent, Transmission, rTorrent, Deluge). Logos appear in the download client filter picker and on download cards.
+- **Download client logo in filter picker** — Multi-select download client filter now displays client logos alongside names for visual identification.
+- **Download client logo in download cards** — Download cards now display the client logo in the bottom-right corner (32×32px). Positioned absolutely within the card.
+- **SABnzbd speed display** — SABnzbd downloads now display the overall queue speed for the currently active download only. Speed is fetched from the client status API and applied to the downloading slot.
+- **Speed formatting** — Speed values are now formatted with appropriate units (B/s, KB/s, MB/s, GB/s) instead of raw bytes.
+
+### Fixed
+
+- **Missing pieces display for SABnzbd** — Removed incorrect "missing x of y" text display for SABnzbd downloads. This information is only relevant for torrent clients (qBittorrent, rTorrent) and is now only shown for those clients.
+- **Logo duplication on page reload** — Fixed download client logos and user tags appearing twice during page load. Updated `updateDownloadCard()` to remove old elements before adding new ones.
+- **Logo positioning** — Fixed download client logos appearing stacked at bottom-right of browser window instead of bottom-right of each card. Added `position: relative` to `.download-card` to provide proper positioning context.
+
+---
+
+## [1.5.4] - 2026-05-19
+
+### Added
+
+- **Multi-select download client filter** — Active Downloads tab now includes a dropdown filter that allows users to select multiple download clients. Shows client name and type (e.g., "Main (qbitt)"). Includes Select All / Deselect All buttons. Selection persists across sessions via localStorage.
+- **Download client ordering** — Downloads are now sorted by client order (matching the configuration order). Downloads from the first configured client appear first.
+- **Client metadata in downloads** — Download objects now include `client`, `instanceId`, and `instanceName` fields for client identification and filtering.
+- **SSE payload extension** — SSE stream now includes `downloadClients` array with all configured clients for UI ordering/filtering.
+- **Automatic migration** — Existing single-select filter selection automatically migrates to new multi-select format on first load.
+
+### Fixed
+
+- **SABnzbd size and speed display** — Fixed SABnzbd downloads showing undefined size and speed values. Now correctly uses `slot.mb` for size calculation and `slot.kbpersec` for per-slot speed from cached data.
+
+---
+
+## [1.5.3] - 2026-05-19
+
+### Fixed
+
+- **Status panel rendering regression** — the status panel was rendering as a small blank box due to an undefined `--background` CSS variable. Added the missing variable to all three themes (light, dark, mono).
+- **Status panel content destruction** — `showDashboard()` was calling `sp.innerHTML = ''` which destroyed the `status-content` div inside the status panel. Removed this destructive line.
+- **Webhooks panel visibility sync** — the webhooks panel was incorrectly visible on app load. Added explicit hiding of `webhooks-section` in `showDashboard()` to keep it in sync with the status panel (both show/hide together via `toggleStatusPanel()`).
+- **Webhooks panel DOM structure** — reverted webhooks-section to be a sibling of status-panel (not nested inside it), preventing innerHTML operations from affecting webhook elements.
+
+---
+
+## [1.5.2] - 2026-05-19
+
+### Fixed
+
+- **Status panel close button CSP compliance** — replaced inline `onclick` handler with `addEventListener` to comply with CSP nonce policy.
+
+---
+
+## [1.5.1] - 2026-05-19
+
+### Fixed
+
+- **Webhook endpoints not reachable in production** — `server/index.js` (the production entry point) was missing the `webhookRoutes` import and mount. Only `server/app.js` (the test factory) had the routes registered. As a result every `POST /api/webhook/*` request in a running container fell through to the `verifyCsrf` middleware and was rejected with `403 CSRF token missing`. Added `app.use('/api/webhook', webhookRoutes)` in `index.js` immediately after `authRoutes` and before `verifyCsrf`, matching the order in `app.js`.
+
+---
+
+## [1.5.0a] - 2026-05-19
+
+### Fixed
+
+- **Status panel close button** — the `×` button now correctly hides the status panel and stops the auto-refresh timer. The button was previously using an inline `onclick` attribute which was silently blocked by the server's CSP nonce policy. Replaced with `addEventListener` wired after `innerHTML` is set, consistent with all other button handlers in the application.
+
+---
+
+## [1.5.0] - 2026-05-19
+
+### Changed
+
+- **`ARCHITECTURE.md`** — consolidated the two existing architecture documents (root concise reference and `docs/ARCHITECTURE.md` deep-dive) into a single comprehensive reference at the project root. The merged document covers all 11 sections: Introduction, High-Level Architecture, Pluggable Architecture Layers (PDCA + PALDRA), Webhook System, Data Flow and Real-time Updates, Caching and Smart Polling, Key Subsystems, Directory Structure, Configuration and Environment Variables, Security Model, and Technology Stack. Includes full Mermaid diagrams for system overview, polling cycle, webhook path, UI state machine, and download matching pipeline.
+- **`docs/ARCHITECTURE.md`** — removed; content fully merged into root `ARCHITECTURE.md`.
+
+---
+
+## [1.4.0] - 2026-05-19
+
+### Added
+
+#### Webhook Integration (Phases 1–5.1)
+
+- **Webhook receiver endpoints** — `POST /api/webhook/sonarr` and `POST /api/webhook/radarr` accept push events from Sonarr and Radarr with shared-secret validation (`X-Sofarr-Webhook-Secret` header). Dashboard updates in < 1 second after any grab, import, or failure.
+- **Selective cache invalidation** — each incoming event is classified into *queue events* (`Grab`, `Download`, `DownloadFailed`, `ManualInteractionRequired`) or *history events* (`DownloadFolderImported`, `ImportFailed`, `EpisodeFileRenamed`, `MovieFileRenamed`). Only the affected cache key is refreshed via a lightweight re-poll of that instance, rather than a full poll cycle.
+- **SSE broadcast on webhook** — after refreshing the cache, `pollAllServices()` is called as a fire-and-forget, triggering an immediate SSE push to every connected browser.
+- **Notification management API proxy** — `GET /api/sonarr/api/v3/notification` and `POST /api/sonarr/api/v3/notification` (and Radarr equivalents) proxy the full *arr Notification API through sofarr with auth + CSRF enforcement.
+- **One-click webhook setup** — `POST /api/sonarr/webhook/enable` and `POST /api/radarr/webhook/enable` auto-configure the Sofarr webhook notification connection inside the respective *arr service. `POST /api/sonarr/webhook/test` and `/radarr/webhook/test` trigger a test event.
+- **Webhooks Configuration UI** — collapsible panel in the dashboard allowing users to enable, test, and view webhook status for each configured Sonarr/Radarr instance, with per-trigger type indicators showing which event types are active.
+- **`SOFARR_WEBHOOK_SECRET`** environment variable — required for webhook endpoints to accept requests. Generate with `openssl rand -hex 32`.
+- **`SOFARR_BASE_URL`** environment variable — public URL of sofarr, used by the one-click setup to tell Sonarr/Radarr where to POST events.
+
+#### Smart Polling Optimization (Phase 5)
+
+- **Webhook metrics tracking** — `cache.js` now maintains per-instance and global webhook metrics (`lastWebhookTimestamp`, `eventsReceived`, `pollsSkipped`) via `getWebhookMetrics()`, `updateWebhookMetrics()`, `incrementPollsSkipped()`, `getGlobalWebhookMetrics()`.
+- **Conditional poll skipping** — `poller.js` calls `shouldSkipInstancePolling()` before each Sonarr/Radarr fetch. If all instances of a type have received a webhook event within the fallback timeout window, their queue/history API calls are skipped entirely; existing cached data has its TTL extended instead.
+- **Webhook fallback** — if no webhook events have been received globally for `WEBHOOK_FALLBACK_TIMEOUT` minutes (default: 10), the poller forces a full poll regardless of per-instance state. Logged as `[Poller] Webhook fallback triggered`.
+- **Poll-skip logging** — logs `[Poller] Skipping sonarr/radarr polling for N instance(s) with active webhooks` when polling is skipped.
+- **`WEBHOOK_FALLBACK_TIMEOUT`** environment variable — minutes before fallback polling (default: `10`).
+- **`WEBHOOK_POLL_INTERVAL_MULTIPLIER`** environment variable — internal multiplier for TTL calculations when webhooks are active (default: `3`).
+- **Phase 5.1 metrics connection** — `webhook.js` calls `cache.updateWebhookMetrics(instance.url)` after every successfully validated event, activating the smart skip logic for that instance.
+
+#### Security Hardening (Phase 6)
+
+- **Dedicated webhook rate limiter** — 60 requests per minute per IP on `/api/webhook/*`, stricter than the global 300/15 min API limiter. Bypassed in tests via `SKIP_RATE_LIMIT=1`.
+- **Strict input validation** — `validatePayload()` rejects: non-object bodies, missing/non-string/overlong `eventType`, unrecognised event type values (allowlist of 18 known *arr event types), non-string `instanceName`. Returns `400` with a descriptive message.
+- **Replay protection** — `isReplay()` tracks recently-seen `(eventType, instanceName, date)` tuples in a `Map` with a 5-minute TTL. Duplicate events within the window return `200 { received: true, duplicate: true }` without triggering a cache refresh or SSE broadcast.
+- **35 new webhook integration tests** — cover secret validation (missing/wrong/unconfigured), payload validation (all invalid cases), replay protection, happy-path acceptance of all relevant event types, metrics increment, and secret-never-leaks assertions.
+
+#### Documentation (Phase 6)
+
+- **`README.md`** — updated architecture overview diagram, added Webhooks section with quick-setup guide, added PDCA/PALDRA/webhook architecture table, added Webhooks & Smart Polling env var section, added webhook API endpoints, updated test count.
+- **`CHANGELOG.md`** — this entry.
+- **`SECURITY.md`** — added webhook threat model rows, webhook-specific hardening checklist, and rate-limit table entry for webhook endpoints.
+- **`ARCHITECTURE.md`** (root) — new concise top-level architecture reference describing all pluggable layers and the full webhook + polling optimization flow.
+- **`.env.sample`** — added `WEBHOOK_FALLBACK_TIMEOUT` and `WEBHOOK_POLL_INTERVAL_MULTIPLIER` with explanatory comments; updated NOTES section.
+
+### Changed
+
+- `poller.js` — `pollAllServices()` now conditionally skips Sonarr/Radarr fetches when webhooks are active; extends TTL of existing cache entries instead of overwriting with empty data.
+- `cache.js` — exports four new webhook metrics helpers alongside the existing `MemoryCache` singleton.
+- `webhook.js` — imported `express-rate-limit`; added `validatePayload()`, `isReplay()`, `VALID_EVENT_TYPES` allowlist, `recentEvents` Map, and per-route `webhookLimiter` middleware.
+
+---
+
+## [1.3.0] - 2026-05-17
+
+### Added
+
+- **History tab** — new "Recently Completed" tab showing imported and failed downloads from Sonarr/Radarr history for the last N days (configurable via the days input, persisted in `localStorage`). Auto-refreshes every 5 minutes.
+- **History deduplication** — when a failed download has subsequently been imported successfully, only the successful record is shown. If the most recent record for an item is a failure but the episode/movie is already on disk (upgrade attempt), the record is flagged as `availableForUpgrade`.
+- **"Upgrade available" badge** — failed history cards where the content is already on disk display an amber badge to indicate this is a failed upgrade rather than a missing item.
+- **"Hide upgrade failures" toggle** — checkbox in the history tab to filter out failed records that are already available on disk. State persists in `localStorage`. Tooltip explains the behaviour and matches the episode/multi-episode tooltip style.
+- **Blocklist & Search button** — admin-only button on download cards with an "Import Pending" caution. Removes the download from the client with `blocklist=true` (preventing re-grab of the same release) then immediately triggers an `EpisodeSearch`/`MoviesSearch` command in Sonarr/Radarr. Shows a confirmation dialog, loading/success/error states. Kicks a background poll on success.
+- **`POST /api/dashboard/blocklist-search`** — new admin-only endpoint backing the above button. Accepts `arrQueueId`, `arrType`, `arrInstanceUrl`, `arrInstanceKey`, `arrContentId`, `arrContentType`.
+- **Title link home navigation** — the sofarr logo/title in the header now navigates to the default view (Active Downloads tab, close status panel, reset "Show all users" toggle) without a page reload.
+- **Version footer link** — the version string in the dashboard footer links to the source repository.
+
+### Changed
+
+- History records are now deduplicated server-side before being sent to the client — only the most relevant record per content item per instance is returned.
+- Import-issue badge tooltip now uses the themed `var(--surface)` / `var(--text-primary)` / `var(--border)` CSS variables, matching the episode and toggle tooltip style.
+- Poller now stores `_instanceKey` on Sonarr/Radarr queue records in the cache, enabling the backend to look up API credentials for blocklist operations without an additional configuration lookup.
+- **Blocklist & Search button** — now available on all admin downloads (not just those with import issues), and also available to non-admin users when: import issues are present, OR (for qBittorrent torrents only) the download is more than 1 hour old AND has less than 100% availability.
+- **Download object** — added `canBlocklist` boolean field to indicate whether the current user can blocklist a given download.
+- **qBittorrent torrent data** — added `addedOn` timestamp field to enable age-based blocklist eligibility checks.
+
+---
+
+## [1.2.2] - 2026-05-17
+
+### Changed
+
+- **Header logo** — uses the higher-resolution 192px favicon source rendered at 56px for better visual balance alongside the title text.
+
+---
+
+## [1.2.1] - 2026-05-17
+
+### Added
+
+- **Version footer** — the dashboard footer now displays the running app version (e.g. `sofarr v1.2.1`), fetched from the `/health` endpoint on page load.
+
+---
+
+## [1.2.0] - 2025-05-17
+
+### Security
+
+- **Docker secrets support** — all sensitive environment variables (`COOKIE_SECRET`, `EMBY_API_KEY`, `SABNZBD_API_KEY`, `SONARR_API_KEY`, `RADARR_API_KEY`, `QBITTORRENT_PASSWORD`) now support the standard `_FILE` variant for loading values from mounted secret files (e.g. `COOKIE_SECRET_FILE=/run/secrets/cookie_secret`).
+- **Weak secret warning** — server now warns at startup if `COOKIE_SECRET` is shorter than 32 characters.
+- **EMBY_URL validation** — validates the Emby URL scheme at startup and warns on misconfiguration.
+- **Improved error sanitization** — `sanitizeError()` now also redacts hostnames from full request URLs that may appear in axios error messages.
+- **Graceful shutdown** — `SIGTERM` and `SIGINT` handlers now stop the background poller and drain open HTTP connections before exiting. Prevents data loss and zombie processes on `docker stop`.
+
+### Compliance
+
+- **MIT LICENSE file** added to project root.
+- **Copyright headers** added to key server source files (`index.js`, `poller.js`, `config.js`, `sanitizeError.js`, `loadSecrets.js`).
+- **`security.txt`** (`/.well-known/security.txt`) added for responsible disclosure.
+
+### Configuration
+
+- **URL validation** added to `config.js` — all configured service instance URLs are validated for scheme (`http`/`https`) and well-formedness at startup; malformed URLs emit a warning instead of crashing.
+
+### Docker / Deployment
+
+- **`docker-compose.yaml`** updated with commented Option B (Docker secrets `_FILE` pattern) alongside the existing plain-env Option A.
+- **`.dockerignore`** updated — `tests/`, `coverage/`, `vitest.config.js`, `CHANGELOG.md`, `SECURITY.md`, `LICENSE`, `.markdownlint.json` excluded from the production image.
+
+### CI
+
+- **`docs-check` workflow** added — separate Gitea Actions workflow that lints all Markdown files and validates Mermaid diagram syntax on every push that touches `.md` files. Both jobs use `continue-on-error: true` so documentation issues never block a release.
+- **Mermaid diagrams** in `docs/ARCHITECTURE.md` fixed — replaced invalid `\n` in stateDiagram transition labels, Unicode arrows/dashes, and double-spaces in flowchart edge definitions.
+
+---
+
+## [1.1.2] - 2025-05-15
+
+### Changed
+
+- Server startup message now includes the current version (`sofarr v1.1.2`).
+
+---
+
+## [1.1.1] - 2025-05-14
+
+### Fixed
+
+- Docker/TrueNAS SCALE healthcheck: dynamic HTTP/HTTPS selection based on `TLS_ENABLED` environment variable. Prevents containers from being stuck in "starting" state when `TLS_ENABLED=false`.
+
+---
+
+## [1.1.0] - 2025-05-13
+
+### Added
+
+- **Episode display** — TV show download cards now show episode information (S01E01 format with title). Multi-episode packs show a "Multiple episodes" badge with a tooltip listing all episodes.
+- **Episode tooltip** — solid background colour (theme-dependent) for readability.
+- Sonarr queue and history API requests now include `includeEpisode=true`.
+
+---
+
+## [1.0.0] - 2025-05-01
+
+### Added
+
+- Initial release.
+- SABnzbd queue and history integration.
+- qBittorrent torrent integration.
+- Sonarr and Radarr queue/history matching with user tag filtering.
+- Emby/Jellyfin authentication.
+- Server-Sent Events (SSE) real-time dashboard.
+- Per-request CSP nonce, CSRF double-submit, HSTS, Permissions-Policy.
+- Background polling with configurable interval and on-demand fallback.
+- Docker multi-stage build, non-root user, read-only filesystem.
+- TLS support with bundled snakeoil certificate.
@@ -9,6 +9,18 @@ WORKDIR /app
 COPY package.json package-lock.json ./
 RUN npm ci --omit=dev

+# ---------------------------------------------------------------------------
+# Stage 1.5 — client-build: build frontend with Vite
+# ---------------------------------------------------------------------------
+FROM node:22-alpine AS client-build
+
+WORKDIR /app/client
+
+COPY client/package.json client/package-lock.json ./
+RUN npm ci
+COPY client/ ./
+RUN npm run build
+
 # ---------------------------------------------------------------------------
 # Stage 2 — runtime image (minimal attack surface)
 # ---------------------------------------------------------------------------
@@ -33,7 +45,11 @@ COPY --from=deps /app/node_modules ./node_modules
 # Copy application source owned by root (read-only at runtime)
 COPY --chown=root:root server/ ./server/
 COPY --chown=root:root public/ ./public/
+COPY --from=client-build --chown=root:root /app/public/app.js ./public/app.js
 COPY --chown=root:root package.json ./
+# Bundled snakeoil certificate for out-of-the-box TLS (self-signed, localhost only).
+# Mount your own cert/key over /app/certs/ or set TLS_CERT/TLS_KEY env vars.
+COPY --chown=root:root certs/ ./certs/

 # Persistent data directory owned by node user (token store, logs)
 RUN mkdir -p /app/data && chown node:node /app/data
@@ -46,8 +62,10 @@ USER node

 EXPOSE 3001

-# HEALTHCHECK — Docker will restart the container if this fails 3 times
+# HEALTHCHECK — Docker will restart the container if this fails 3 times.
+# Respects TLS_ENABLED at runtime: uses https (with --no-check-certificate
+# to handle self-signed/snakeoil certs) when TLS is on, plain http when off.
 HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
-  CMD wget -qO- http://localhost:3001/health || exit 1
+  CMD /bin/sh -c '[ "${TLS_ENABLED:-true}" = "false" ] && wget -qO- http://localhost:${PORT:-3001}/health || wget -qO- --no-check-certificate https://localhost:${PORT:-3001}/health'

 CMD ["node", "server/index.js"]
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Gordon Bolton
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
@@ -4,39 +4,76 @@

 **sofarr** is a personal media download dashboard that aggregates and displays real-time download progress from all your media automation services. Named for the experience of checking what has downloaded "so far" while you wait comfortably on your "sofa" for Sonarr, Radarr, and your download clients to do their thing!

+Version 1.5.x adds **real-time webhook integration**: Sonarr and Radarr can push events directly to sofarr, eliminating polling latency and automatically reducing background API calls when webhooks are active.
+
 ## What It Does

 sofarr connects to your media stack and shows you a personalized view of:
- **Active Downloads** - See what's currently downloading from Usenet (SABnzbd) and BitTorrent (qBittorrent)
+- **Active Downloads** - See what's currently downloading from Usenet (SABnzbd) and BitTorrent (qBittorrent, Transmission, rTorrent)
 - **Progress Tracking** - Real-time progress bars with speed, ETA, and completion estimates
+- **Recently Completed** - History tab showing imported and failed downloads from Sonarr/Radarr with deduplication and upgrade-awareness
 - **User Matching** - Downloads are matched to you based on tags in Sonarr/Radarr
 - **Multi-Instance Support** - Connect to multiple instances of each service
+- **Webhook Push Updates** - Sonarr/Radarr push events instantly to sofarr; dashboard updates in < 1s after a grab or import
+- **Smart Polling** - Background polling automatically reduces (or skips) API calls for instances with active webhooks, with configurable fallback

 ## How It Works

 ### Architecture Overview

 ```
-┌─────────────┐     ┌──────────────┐     ┌─────────────────────────────┐
-│   Browser   │────▶│   sofarr     │────▶│  SABnzbd (Usenet downloads)   │
-│   (User)    │◀────│   Server     │     │  qBittorrent (Torrents)       │
-└─────────────┘     └──────────────┘     │  Sonarr (TV management)       │
-                       │                 │  Radarr (Movie management)    │
-                       │                 │  Emby (User authentication)   │
-                       ▼                 └─────────────────────────────┘
-                ┌──────────────┐
-                │  Dashboard   │
-                │  Aggregator  │
-                └──────────────┘
+┌─────────────┐     ┌──────────────────────────────────────────────┐
+│   Browser   │────▶│               sofarr Server                 │
+│   (User)    │◀────│  Auth · Dashboard · History · Webhooks       │
+└─────────────┘     │                                              │
+   SSE push ◀───────│  Poller (smart: skips when webhooks active)  │
+                    │  Cache · PDCA Download Registry · PALDRA     │
+                    └───┬─────────────────────────┬────────────────┘
+                        │ polls (background)       │ receives webhooks
+                        ▼                          │
+         ┌──────────────────────────┐    ┌─────────▼───────────────────┐
+         │  Download Clients        │    │  *arr Services              │
+         │  SABnzbd (Usenet)        │    │  Sonarr  (TV management)    │
+         │  qBittorrent (Torrent)   │◀───│  Radarr  (Movie management) │
+         │  Transmission (Torrent)  │    └─────────────────────────────┘
+         │  rTorrent (Torrent)      │
+         └──────────────────────────┘
+                       │
+              Emby / Jellyfin
+              (User authentication)
 ```

+**Three pluggable layers power sofarr:**
+
+| Layer | Name | What it does |
+|-------|------|--------------|
+| Download clients | **PDCA** (Pluggable Download Client Architecture) | Normalised interface for SABnzbd, qBittorrent, Transmission, rTorrent; easy to add new clients |
+| *arr data retrieval | **PALDRA** (Pluggable *Arr Library Data Retrieval Architecture) | Unified fetch layer for Sonarr/Radarr queue, history, and tags across multiple instances |
+| Real-time push | **Webhook receiver** | Sonarr/Radarr POST events to sofarr; cache updated immediately; SSE pushes to browser in < 1s |
+
+### Webhooks
+
+When webhooks are configured, sofarr receives instant push notifications from Sonarr and Radarr whenever a download is grabbed, imported, failed, or renamed. The dashboard updates in under a second — no polling delay.
+
+**Quick setup:**
+1. Set `SOFARR_WEBHOOK_SECRET` and `SOFARR_BASE_URL` in your `.env`
+2. Open the sofarr dashboard → **Webhooks Configuration** panel
+3. Click **Enable** next to each Sonarr/Radarr instance
+4. sofarr auto-configures the notification connection inside each *arr service
+
+**Smart polling fallback:** Once webhooks are active, the background poller automatically skips queue/history API calls for those instances. If no webhook events arrive for `WEBHOOK_FALLBACK_TIMEOUT` minutes (default: 10), the poller resumes a full poll automatically.
+
+**Webhook endpoints** (no user authentication required — protected by `X-Sofarr-Webhook-Secret`):
+- `POST /api/webhook/sonarr` — receives Sonarr events
+- `POST /api/webhook/radarr` — receives Radarr events
+
 ### The Matching Process

 1. **User Authentication**: Login via Emby credentials
-2. **Tag-Based Matching**: 
+2. **Tag-Based Matching**:
   - Your media in Sonarr/Radarr is tagged with your username (e.g., "gordon")
   - sofarr checks Sonarr/Radarr activity to find items tagged with your name
-   - Downloads (from SABnzbd/qBittorrent) are matched by title to that activity
+   - Downloads (from SABnzbd, qBittorrent, Transmission, or rTorrent) are matched by title to that activity
   - Only your downloads appear on your dashboard

 ### Multi-Instance Support
@@ -52,7 +89,7 @@ SONARR_INSTANCES=[{"name":"main","url":"...","apiKey":"..."}]
 ## Prerequisites

 - **Docker** (recommended), or Node.js (v22+) for manual installation
- At least one of: SABnzbd or qBittorrent
+- At least one download client: SABnzbd, qBittorrent, Transmission, or rTorrent
 - Sonarr (optional, for TV tracking)
 - Radarr (optional, for movie tracking)
 - Emby (for user authentication)
@@ -107,6 +144,8 @@ docker run -d \
  -e RADARR_INSTANCES='[{"name":"main","url":"http://radarr:7878","apiKey":"your-key"}]' \
  -e SABNZBD_INSTANCES='[{"name":"main","url":"http://sabnzbd:8080","apiKey":"your-key"}]' \
  -e QBITTORRENT_INSTANCES='[{"name":"main","url":"http://qbit:8080","username":"admin","password":"pass"}]' \
+  -e TRANSMISSION_INSTANCES='[{"name":"main","url":"http://transmission:9091","username":"admin","password":"pass"}]' \
+  -e RTORRENT_INSTANCES='[{"name":"main","url":"http://rtorrent:8080/RPC2","username":"rtorrent","password":"rtorrent"}]' \
  -e LOG_LEVEL=info \
  -e POLL_INTERVAL=5000 \
  docker.i3omb.com/sofarr:latest
@@ -130,6 +169,8 @@ services:
      - RADARR_INSTANCES=[{"name":"main","url":"http://radarr:7878","apiKey":"your-key"}]
      - SABNZBD_INSTANCES=[{"name":"main","url":"http://sabnzbd:8080","apiKey":"your-key"}]
      - QBITTORRENT_INSTANCES=[{"name":"main","url":"http://qbit:8080","username":"admin","password":"pass"}]
+      - TRANSMISSION_INSTANCES=[{"name":"main","url":"http://transmission:9091","username":"admin","password":"pass"}]
+      - RTORRENT_INSTANCES=[{"name":"main","url":"http://rtorrent:8080/RPC2","username":"rtorrent","password":"rtorrent"}]
      - LOG_LEVEL=info
      - POLL_INTERVAL=5000
 ```
@@ -187,6 +228,30 @@ POLL_INTERVAL=5000                  # Background polling interval in ms (default
                                    # Set to 0 or "off" to disable (on-demand mode)
 ```

+### Webhooks & Smart Polling
+```bash
+# Required for webhook endpoints to accept events
+SOFARR_WEBHOOK_SECRET=your-secret   # Shared secret (generate: openssl rand -hex 32)
+SOFARR_BASE_URL=https://sofarr.example.com  # Public URL used by one-click setup
+
+# Optional tuning
+WEBHOOK_FALLBACK_TIMEOUT=10         # Minutes without a webhook before forcing a full poll (default: 10)
+WEBHOOK_POLL_INTERVAL_MULTIPLIER=3  # Internal multiplier used by the skip logic (default: 3)
+```
+
+### Download Clients (PDCA)
+
+sofarr uses a **Pluggable Download Client Architecture (PDCA)** that provides a unified interface for all download clients. This enables consistent data normalization, easy addition of new client types, and centralized configuration management.
+
+**Supported Download Clients:**
+
+| Client | Protocol | Auth Method | Notes |
+|--------|----------|-------------|-------|
+| SABnzbd | REST API | API Key | Usenet downloads |
+| qBittorrent | Sync API | Username/Password | BitTorrent with incremental updates |
+| Transmission | JSON-RPC | Username/Password | BitTorrent with session management |
+| rTorrent | XML-RPC | HTTP Basic Auth | BitTorrent, requires the full RPC endpoint in the url field (e.g. /RPC2 or /xmlrpc for whatbox.ca). No path is automatically appended. |
+
 ### Service Instances (JSON Array Format)

 All services support multi-instance configuration via single-line JSON arrays:
@@ -198,10 +263,21 @@ SABNZBD_INSTANCES=[{"name":"primary","url":"https://sabnzbd.example.com","apiKey
 # qBittorrent Instances (uses username/password, not API key)
 QBITTORRENT_INSTANCES=[{"name":"main","url":"https://qbittorrent.example.com","username":"admin","password":"secret"}]

+# Transmission Instances (uses username/password)
+TRANSMISSION_INSTANCES=[{"name":"main","url":"http://transmission:9091/transmission/rpc","username":"admin","password":"pass"}]
+
+# rTorrent Instances (uses username/password, URL must include full RPC endpoint)
+# Standard installs use /RPC2. Some providers like whatbox.ca use /xmlrpc.
+# No path is automatically appended - always include the full RPC endpoint.
+RTORRENT_INSTANCES=[{"name":"main","url":"http://rtorrent:8080/RPC2","username":"rtorrent","password":"rtorrent"}]
+
+# For whatbox.ca (example):
+# RTORRENT_INSTANCES=[{"name":"whatbox","url":"https://user.whatbox.ca/xmlrpc","username":"user","password":"pass"}]
+
 # Sonarr Instances
 SONARR_INSTANCES=[{"name":"hd","url":"https://sonarr.example.com","apiKey":"your-api-key"}]

-# Radarr Instances  
+# Radarr Instances
 RADARR_INSTANCES=[{"name":"movies","url":"https://radarr.example.com","apiKey":"your-api-key"}]

 # Emby (single instance for authentication)
@@ -215,6 +291,18 @@ If you only have one instance, you can use the legacy format:
 ```bash
 SABNZBD_URL=https://sabnzbd.example.com
 SABNZBD_API_KEY=your-api-key
+
+QBITTORRENT_URL=https://qbittorrent.example.com
+QBITTORRENT_USERNAME=admin
+QBITTORRENT_PASSWORD=secret
+
+TRANSMISSION_URL=http://transmission:9091/transmission/rpc
+TRANSMISSION_USERNAME=admin
+TRANSMISSION_PASSWORD=pass
+
+RTORRENT_URL=http://rtorrent:8080/RPC2
+RTORRENT_USERNAME=rtorrent
+RTORRENT_PASSWORD=rtorrent
 ```

 ## Setting Up User Tags
@@ -279,6 +367,24 @@ sofarr polls all configured services in the background and caches the results. D
 - `GET /api/dashboard/user-summary` — Per-user download counts (admin)
 - `GET /api/dashboard/status` — Server / polling / cache status (admin)
 - `GET /api/dashboard/cover-art` — Proxied cover art image
+- `POST /api/dashboard/blocklist-search` — Blocklist a release and trigger a new search (admin or non-admin with eligibility: import issues OR torrent >1h old AND availability<100%)
+
+### History
+- `GET /api/history/recent` — Recently completed downloads from Sonarr/Radarr history
+
+### Webhook Receiver (no user auth — protected by `X-Sofarr-Webhook-Secret`)
+- `POST /api/webhook/sonarr` — receive Sonarr webhook events
+- `POST /api/webhook/radarr` — receive Radarr webhook events
+
+### Webhook Management (requires auth + CSRF)
+- `GET /api/sonarr/api/v3/notification` — list Sonarr notification connections
+- `POST /api/sonarr/api/v3/notification` — create/update Sonarr notification connection
+- `GET /api/radarr/api/v3/notification` — list Radarr notification connections
+- `POST /api/radarr/api/v3/notification` — create/update Radarr notification connection
+- `POST /api/sonarr/webhook/enable` — one-click enable Sofarr webhook in Sonarr
+- `POST /api/radarr/webhook/enable` — one-click enable Sofarr webhook in Radarr
+- `POST /api/sonarr/webhook/test` — trigger a Sonarr test event
+- `POST /api/radarr/webhook/test` — trigger a Radarr test event

 ### Service APIs (proxy to your services)
 - `GET /api/sabnzbd/*` — SABnzbd API proxy
@@ -323,7 +429,7 @@ npm run test:coverage   # with V8 coverage report (outputs to coverage/)
 npm run test:ui         # interactive Vitest UI
 ```

-115 tests across 8 test files covering the security-critical paths: auth middleware, CSRF protection, secret sanitization, config parsing, token store, and qBittorrent utilities. See [`tests/README.md`](tests/README.md) for design decisions and coverage targets.
+290 tests across 18 test files covering auth middleware, CSRF protection, secret sanitization, config parsing, token store, qBittorrent utilities, history deduplication/classification, download client architecture, webhook endpoint security, input validation, replay protection, and webhook metrics integration. See [`tests/README.md`](tests/README.md) for design decisions and coverage targets.

 ## Development

@@ -342,3 +448,4 @@ MIT
 ---

 *sofarr: See what has downloaded "so far" from the comfort of your "sofa"*
+
@@ -4,9 +4,12 @@

 | Version | Supported |
 |---------|-----------|
-| 1.0.x   | ✅ Yes    |
-| 0.2.x   | ❌ No     |
-| 0.1.x   | ❌ No     |
+| 1.4.x   | ✅ Yes    |
+| 1.3.x   | ✅ Yes    |
+| 1.2.x   | ✅ Yes    |
+| 1.1.x   | ❌ No     |
+| 1.0.x   | ❌ No     |
+| < 1.0   | ❌ No     |

 ## Reporting a Vulnerability

@@ -34,6 +37,10 @@ users via Emby. The primary threat surface when exposed to the public internet:
 | Privilege escalation (container) | Non-root user (UID 1000), `no-new-privileges`, all caps dropped |
 | Unbounded log growth | Size-based rotation: 10 MB cap, 3 rotated files kept |
 | Dependency vulnerabilities | `npm audit --audit-level=high` in CI on every push |
+| Unauthorized webhook injection | `SOFARR_WEBHOOK_SECRET` required on `X-Sofarr-Webhook-Secret` header; 401 on mismatch |
+| Webhook payload injection | `validatePayload()` allowlists 18 known event types; rejects non-object bodies and overlong fields |
+| Webhook replay attacks | `isReplay()` tracks `(eventType, instanceName, date)` tuples for 5 minutes; duplicate events return `200 { duplicate: true }` without cache mutation |
+| Webhook flood / DoS | Dedicated rate limiter: 60 requests/min per IP on `/api/webhook/*` |

 ---

@@ -48,6 +55,15 @@ users via Emby. The primary threat surface when exposed to the public internet:
 - [ ] HTTPS enforced by the reverse proxy with a valid certificate
 - [ ] Firewall rules: only 443/80 open externally; 3001 not directly exposed

+### Webhook-Specific (if using webhook integration)
+
+- [ ] `SOFARR_WEBHOOK_SECRET` set to a random 32-byte hex string (`openssl rand -hex 32`)
+- [ ] `SOFARR_BASE_URL` set to the public HTTPS URL of sofarr (used by one-click setup)
+- [ ] Secret stored only in `.env` or Docker secret — never committed to source control
+- [ ] Rotate `SOFARR_WEBHOOK_SECRET` if you suspect it has been leaked; re-enable webhooks via the UI
+- [ ] Verify Sonarr/Radarr send the exact secret value in the `X-Sofarr-Webhook-Secret` header
+- [ ] Review webhook logs (`[Webhook] WARNING`) for repeated auth failures which may indicate probing
+
 ### Recommended

 - [ ] Reverse proxy: Nginx, Caddy, or Traefik with TLS termination
@@ -79,10 +95,10 @@ services:
      - EMBY_API_KEY_FILE=/run/secrets/emby_api_key
 ```

-> Note: File-based secret loading requires application code support.
-> Currently sofarr reads secrets from environment variables only.
-> Mounting secrets as env vars (via `environment:` in compose) is the
-> current supported approach.
+> Since v1.2.0, sofarr natively supports the `_FILE` pattern.
+> Set `COOKIE_SECRET_FILE=/run/secrets/cookie_secret` and sofarr will
+> read the secret value from that file at startup. See `docker-compose.yaml`
+> for a complete example.

 ---

@@ -144,6 +160,7 @@ server {
 |----------|-------|
 | `POST /api/auth/login` | 10 failed attempts per 15 min per IP |
 | All `/api/*` routes | 300 requests per 15 min per IP |
+| `POST /api/webhook/*` | 60 requests per 1 min per IP (webhook-specific limiter, stricter than general) |

 ---

@@ -0,0 +1,6 @@
+# Ignore all cert/key files EXCEPT the bundled snakeoil development defaults.
+# Never commit real TLS certificates or private keys to version control.
+*
+!.gitignore
+!snakeoil.crt
+!snakeoil.key
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDoTCCAomgAwIBAgIUPgupZzf+zgMp4ylvf1NBRIWNpeUwDQYJKoZIhvcNAQEL
+BQAwUjELMAkGA1UEBhMCR0IxDjAMBgNVBAgMBUxvY2FsMQ4wDAYDVQQHDAVMb2Nh
+bDEPMA0GA1UECgwGc29mYXJyMRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMjYwNTE3
+MDk0NDQ4WhcNMzYwNTE0MDk0NDQ4WjBSMQswCQYDVQQGEwJHQjEOMAwGA1UECAwF
+TG9jYWwxDjAMBgNVBAcMBUxvY2FsMQ8wDQYDVQQKDAZzb2ZhcnIxEjAQBgNVBAMM
+CWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL5Y05DF
+9U3k27SGByJqdbKThRRabX0hsK0zckkbXoaj0U4odZatUicAqkm6yWzpqQyZM6qH
+XX68LXqJk8r2VIdTTtKe5QU1WUAsW6KD0c514YC1VZ3a9ivQ2/tfdQsm8YxM/ECq
+e2XFklfvE72HkHF4fM9LCMS/LeazazF0ogNTkyE27g9Ry/ofR2P4MymLtyBbQ1NA
+B1zYRIhJ5HqFRMszBKhWi1zRgUQQNBuYA5wtxnXA9QNSz6ObtdWStfJ/C1Kuitpe
+OVrB/TKCp1OKBpZTd4mBKlvdJWos9eZPzP4vLnsReT4pHBx6J2Jd1dC97/MAXLYP
+mIXP+04zK5sWRUsCAwEAAaNvMG0wHQYDVR0OBBYEFCpYKb3zMgv4qThe8ukFrVIl
+lhD3MB8GA1UdIwQYMBaAFCpYKb3zMgv4qThe8ukFrVIllhD3MA8GA1UdEwEB/wQF
+MAMBAf8wGgYDVR0RBBMwEYcEfwAAAYIJbG9jYWxob3N0MA0GCSqGSIb3DQEBCwUA
+A4IBAQBQ5Jg0pn4XW/560laNl7XAoGuMwrIy5j6zDlIgFE8DWAb0NGNyu/FkCVIZ
+ruLNktq+w+kTeneAuYW3CGyac2HZo9T60VtQNL/k17hrDw1F6kMpAAYm6aiyFtE9
+Stw07PMvpvjxKvetPLOQsfk0/hh0Nh2PiVVdqvVE/gGoraboHEfH+eGf/Arzg7s4
+CzZTEz0OJP5i7VkZAvFygShPx/gHY77ojeHPl2LN3KI7s43TrjYZjxbUDwWDpGp0
+BIsDFP+9NAvA5I74biChfEEopmBczVbQRtqBxBX1JTa2aT5w/ifUNyKVKIGp49Q8
+o59gDmbCXhypom7OsyxBLZgyVWU1
+-----END CERTIFICATE-----
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC+WNOQxfVN5Nu0
+hgcianWyk4UUWm19IbCtM3JJG16Go9FOKHWWrVInAKpJusls6akMmTOqh11+vC16
+iZPK9lSHU07SnuUFNVlALFuig9HOdeGAtVWd2vYr0Nv7X3ULJvGMTPxAqntlxZJX
+7xO9h5BxeHzPSwjEvy3ms2sxdKIDU5MhNu4PUcv6H0dj+DMpi7cgW0NTQAdc2ESI
+SeR6hUTLMwSoVotc0YFEEDQbmAOcLcZ1wPUDUs+jm7XVkrXyfwtSroraXjlawf0y
+gqdTigaWU3eJgSpb3SVqLPXmT8z+Ly57EXk+KRwceidiXdXQve/zAFy2D5iFz/tO
+MyubFkVLAgMBAAECggEAEk0RCyNCJBSdqSKWLtFq8o0rdBsDpugyOymuOQHOjOxu
+oQo6NnWaNF5kgQVAyfd0EpGFfavyw2iNVaUPo1zoU9ogwuOWSnHOj64UIcp0+PN6
+VHknohWqdukBLyiGfnJM/0ieaKTbi2i7dGsfDA+rxbUoO6s2GYPC6O9inlUqVJGU
+fBXKTbCneW1+hJQFcOKPW2+qwiUxbudG9neNTYFOm9a7Bfa6MLJ22mkfYVrHYDzo
+gESo8sHXbEtvemka9jN0N/GoXgUi7iFXbqslPUoakCF7sgG0cXuUM9duSt67ynLj
+j7Ix+QiKAZgvSO/83b7vK74Xmd6XFUif41VMZ2iEGQKBgQDqp/ZSCAakarRpBRN4
+psKuhaYiBKurb5GezTOSfEGWxmng2s0bHcx74alKKNN8Tu2mNx6yafQdRNQdM+fG
+dn8JnQUGXYpGwQbLHZ/aO0M64WBxfQku4JNGh+VZ3ZyUC+So28vzCYqx8qwJi94L
+2sF8787hzHO1INzVaeXzQ89pEwKBgQDPqRzsJsP+zZmA4x16CtoWY7Z1d4z0GTkA
+erlXNinu76AIvra6aUld/65ymMyNIIpLZoci55ZGxBY7g8U29e10iT+xmxAgq3VT
+Tn438MbDXEgA+HvdRXCFPvNQQk0ZDegazdhTdtuhj+IHcm4M94zfVM3MSJOr0hJf
+JGaVIGEx6QKBgDZLftckPEU221+haQv1qf4vtm0Qn5gfTJZt7Izsa1CzwDPi7Kpl
+jrbrU/xwzd5pdNuMzXGCypUrI9lN9Ucai/JxfoQmiKQubZ/5zs7z/25UT7hysflC
+xVEAiLTubhhjWBkqIlqtzoW2HNBoqIwdpb9+zWO5ptw2KmLHCgnrmsY5AoGBAKOt
+YCaix4lm9L8qRGmVdCCBp6ce+/LKjqtaEAw1nQe/yBwcdlqn8jQs+4tH9LKoG1kj
+DxDsCP7uP7fZPPD9FpTsOU/8MNIPUwK+s63UElaZvgdF1BusR+w+mfmAyNQeqfu2
+k/P1k1fc2QOVpjiCRn8hkLSb4AlmIyTqxBB23SVBAoGATMtuk1r+SS9SDJW73CI1
+jLkJkPGrBvX0dFZGtedpwLVhUTDnqKIsy2F1iGDRGIAy5IAiLEFx44qQrhUau7zR
+/2avY0Ua9To9LW0k/matzJUKvXxYm59jh/GDp6LFU89hsL2zSd6z0Aknvh1SryCb
+OSbN8wfCz53+7qea4NQEB4E=
+-----END PRIVATE KEY-----
@@ -1,306 +0,0 @@
-* {
-  margin: 0;
-  padding: 0;
-  box-sizing: border-box;
-}
-
-body {
-  font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'Roboto', 'Oxygen',
-    'Ubuntu', 'Cantarell', 'Fira Sans', 'Droid Sans', 'Helvetica Neue',
-    sans-serif;
-  -webkit-font-smoothing: antialiased;
-  -moz-osx-font-smoothing: grayscale;
-  background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
-  min-height: 100vh;
-}
-
-.app {
-  min-height: 100vh;
-  padding: 20px;
-  max-width: 1200px;
-  margin: 0 auto;
-}
-
-.app-header {
-  background: white;
-  padding: 30px;
-  border-radius: 10px;
-  box-shadow: 0 4px 6px rgba(0, 0, 0, 0.1);
-  margin-bottom: 20px;
-  display: flex;
-  justify-content: space-between;
-  align-items: center;
-  flex-wrap: wrap;
-  gap: 20px;
-}
-
-.app-header h1 {
-  color: #333;
-  font-size: 2rem;
-}
-
-.user-info {
-  display: flex;
-  align-items: center;
-  gap: 10px;
-  background: #f0f0f0;
-  padding: 10px 20px;
-  border-radius: 20px;
-}
-
-.user-label {
-  color: #666;
-  font-weight: 500;
-}
-
-.user-name {
-  color: #667eea;
-  font-weight: bold;
-  font-size: 1.1rem;
-}
-
-.controls {
-  background: white;
-  padding: 20px;
-  border-radius: 10px;
-  box-shadow: 0 4px 6px rgba(0, 0, 0, 0.1);
-  margin-bottom: 20px;
-  display: flex;
-  gap: 15px;
-  align-items: center;
-  flex-wrap: wrap;
-}
-
-.controls label {
-  color: #333;
-  font-weight: 500;
-}
-
-.session-select {
-  flex: 1;
-  min-width: 200px;
-  padding: 10px;
-  border: 2px solid #e0e0e0;
-  border-radius: 5px;
-  font-size: 1rem;
-  cursor: pointer;
-}
-
-.session-select:focus {
-  outline: none;
-  border-color: #667eea;
-}
-
-.refresh-btn {
-  padding: 10px 20px;
-  background: #667eea;
-  color: white;
-  border: none;
-  border-radius: 5px;
-  cursor: pointer;
-  font-size: 1rem;
-  transition: background 0.3s;
-}
-
-.refresh-btn:hover {
-  background: #5568d3;
-}
-
-.error-message {
-  background: #fee;
-  color: #c33;
-  padding: 15px;
-  border-radius: 10px;
-  margin-bottom: 20px;
-  border-left: 4px solid #c33;
-}
-
-.loading {
-  text-align: center;
-  padding: 40px;
-  color: white;
-  font-size: 1.2rem;
-}
-
-.downloads-container {
-  background: white;
-  padding: 30px;
-  border-radius: 10px;
-  box-shadow: 0 4px 6px rgba(0, 0, 0, 0.1);
-}
-
-.downloads-container h2 {
-  color: #333;
-  margin-bottom: 20px;
-  font-size: 1.5rem;
-}
-
-.no-downloads {
-  text-align: center;
-  padding: 40px;
-  color: #666;
-}
-
-.no-downloads p {
-  margin: 10px 0;
-}
-
-.downloads-list {
-  display: grid;
-  gap: 20px;
-}
-
-.download-card {
-  border: 2px solid #e0e0e0;
-  border-radius: 10px;
-  padding: 20px;
-  transition: transform 0.2s, box-shadow 0.2s;
-  display: flex;
-  gap: 20px;
-  align-items: flex-start;
-}
-
-.download-cover {
-  flex-shrink: 0;
-  width: 80px;
-  border-radius: 6px;
-  overflow: hidden;
-  box-shadow: 0 2px 8px rgba(0, 0, 0, 0.15);
-}
-
-.download-cover img {
-  width: 100%;
-  height: auto;
-  display: block;
-}
-
-.download-info {
-  flex: 1;
-  min-width: 0;
-}
-
-.download-card:hover {
-  transform: translateY(-2px);
-  box-shadow: 0 6px 12px rgba(0, 0, 0, 0.1);
-}
-
-.download-card.series {
-  border-left: 4px solid #667eea;
-}
-
-.download-card.movie {
-  border-left: 4px solid #f093fb;
-}
-
-.download-header {
-  display: flex;
-  justify-content: space-between;
-  align-items: center;
-  margin-bottom: 15px;
-}
-
-.download-type {
-  padding: 5px 15px;
-  border-radius: 20px;
-  font-size: 0.9rem;
-  font-weight: 500;
-}
-
-.download-type.series {
-  background: #e8eaf6;
-  color: #667eea;
-}
-
-.download-type.movie {
-  background: #fce4ec;
-  color: #f093fb;
-}
-
-.download-status {
-  padding: 5px 15px;
-  border-radius: 20px;
-  font-size: 0.9rem;
-  font-weight: 500;
-  text-transform: capitalize;
-}
-
-.download-status.downloading {
-  background: #e8f5e9;
-  color: #4caf50;
-}
-
-.download-status.completed {
-  background: #e3f2fd;
-  color: #2196f3;
-}
-
-.download-status.failed {
-  background: #ffebee;
-  color: #f44336;
-}
-
-.download-title {
-  color: #333;
-  margin-bottom: 10px;
-  font-size: 1.2rem;
-}
-
-.download-series,
-.download-movie {
-  color: #666;
-  margin-bottom: 15px;
-  font-style: italic;
-}
-
-.download-details {
-  display: grid;
-  grid-template-columns: repeat(auto-fit, minmax(150px, 1fr));
-  gap: 15px;
-  padding-top: 15px;
-  border-top: 1px solid #e0e0e0;
-}
-
-.detail-item {
-  display: flex;
-  flex-direction: column;
-  gap: 5px;
-}
-
-.detail-label {
-  color: #999;
-  font-size: 0.85rem;
-  text-transform: uppercase;
-  letter-spacing: 0.5px;
-}
-
-.detail-value {
-  color: #333;
-  font-weight: 500;
-}
-
-.app-footer {
-  margin-top: 20px;
-  text-align: center;
-  color: white;
-  font-size: 0.9rem;
-}
-
-.app-footer p {
-  opacity: 0.9;
-}
-
-@media (max-width: 768px) {
-  .app-header {
-    flex-direction: column;
-    align-items: flex-start;
-  }
-
-  .controls {
-    flex-direction: column;
-    align-items: stretch;
-  }
-
-  .download-details {
-    grid-template-columns: 1fr;
-  }
-}
@@ -1,187 +0,0 @@
-import { useState, useEffect } from 'react';
-import axios from 'axios';
-import './App.css';
-
-function App() {
-  const [sessionId, setSessionId] = useState('');
-  const [currentUser, setCurrentUser] = useState(null);
-  const [downloads, setDownloads] = useState([]);
-  const [loading, setLoading] = useState(false);
-  const [error, setError] = useState(null);
-  const [sessions, setSessions] = useState([]);
-
-  useEffect(() => {
-    fetchSessions();
-  }, []);
-
-  const fetchSessions = async () => {
-    try {
-      const response = await axios.get('/api/emby/sessions');
-      setSessions(response.data);
-      
-      // Auto-select first active session
-      const activeSession = response.data.find(s => s.NowPlayingItem || s.Active);
-      if (activeSession) {
-        setSessionId(activeSession.Id);
-        fetchUserDownloads(activeSession.Id);
-      }
-    } catch (err) {
-      setError('Failed to fetch Emby sessions. Make sure Emby is running and configured.');
-      console.error(err);
-    }
-  };
-
-  const fetchUserDownloads = async (sessionId) => {
-    setLoading(true);
-    setError(null);
-    try {
-      const response = await axios.get(`/api/dashboard/user-downloads/${sessionId}`);
-      setCurrentUser(response.data.user);
-      setDownloads(response.data.downloads);
-    } catch (err) {
-      setError('Failed to fetch downloads. Make sure all services are configured.');
-      console.error(err);
-    } finally {
-      setLoading(false);
-    }
-  };
-
-  const handleSessionChange = (e) => {
-    const newSessionId = e.target.value;
-    setSessionId(newSessionId);
-    if (newSessionId) {
-      fetchUserDownloads(newSessionId);
-    }
-  };
-
-  const formatSize = (bytes) => {
-    if (!bytes) return 'N/A';
-    const sizes = ['B', 'KB', 'MB', 'GB', 'TB'];
-    const i = Math.floor(Math.log(bytes) / Math.log(1024));
-    return Math.round(bytes / Math.pow(1024, i) * 100) / 100 + ' ' + sizes[i];
-  };
-
-  const formatDate = (dateString) => {
-    if (!dateString) return 'N/A';
-    return new Date(dateString).toLocaleString();
-  };
-
-  return (
-    <div className="app">
-      <header className="app-header">
-        <h1>Media Download Dashboard</h1>
-        {currentUser && (
-          <div className="user-info">
-            <span className="user-label">Current User:</span>
-            <span className="user-name">{currentUser}</span>
-          </div>
-        )}
-      </header>
-
-      <div className="controls">
-        <label htmlFor="session-select">Select Emby Session:</label>
-        <select 
-          id="session-select"
-          value={sessionId} 
-          onChange={handleSessionChange}
-          className="session-select"
-        >
-          <option value="">-- Select Session --</option>
-          {sessions.map(session => (
-            <option key={session.Id} value={session.Id}>
-              {session.UserName} - {session.Client} {session.NowPlayingItem ? `(Playing: ${session.NowPlayingItem.Name})` : '(Idle)'}
-            </option>
-          ))}
-        </select>
-        <button onClick={fetchSessions} className="refresh-btn">Refresh Sessions</button>
-      </div>
-
-      {error && (
-        <div className="error-message">
-          {error}
-        </div>
-      )}
-
-      {loading && (
-        <div className="loading">Loading downloads...</div>
-      )}
-
-      {!loading && !error && (
-        <div className="downloads-container">
-          <h2>Your Downloads</h2>
-          {downloads.length === 0 ? (
-            <div className="no-downloads">
-              <p>No downloads found for your user.</p>
-              <p>Make sure your shows and movies are tagged with "user:yourusername" in Sonarr/Radarr.</p>
-            </div>
-          ) : (
-            <div className="downloads-list">
-              {downloads.map((download, index) => (
-                <div key={index} className={`download-card ${download.type}`}>
-                  {download.coverArt && (
-                    <div className="download-cover">
-                      <img src={download.coverArt} alt={download.movieName || download.seriesName || download.title} />
-                    </div>
-                  )}
-                  <div className="download-info">
-                  <div className="download-header">
-                    <span className={`download-type ${download.type}`}>
-                      {download.type === 'series' ? '📺 Series' : '🎬 Movie'}
-                    </span>
-                    <span className={`download-status ${download.status}`}>
-                      {download.status}
-                    </span>
-                  </div>
-                  <h3 className="download-title">{download.title}</h3>
-                  {download.seriesName && (
-                    <p className="download-series">Series: {download.seriesName}</p>
-                  )}
-                  {download.movieName && (
-                    <p className="download-movie">Movie: {download.movieName}</p>
-                  )}
-                  <div className="download-details">
-                    <div className="detail-item">
-                      <span className="detail-label">Size:</span>
-                      <span className="detail-value">{formatSize(download.size)}</span>
-                    </div>
-                    {download.progress && (
-                      <div className="detail-item">
-                        <span className="detail-label">Progress:</span>
-                        <span className="detail-value">{download.progress}%</span>
-                      </div>
-                    )}
-                    {download.speed && (
-                      <div className="detail-item">
-                        <span className="detail-label">Speed:</span>
-                        <span className="detail-value">{download.speed}</span>
-                      </div>
-                    )}
-                    {download.eta && (
-                      <div className="detail-item">
-                        <span className="detail-label">ETA:</span>
-                        <span className="detail-value">{download.eta}</span>
-                      </div>
-                    )}
-                    {download.completedAt && (
-                      <div className="detail-item">
-                        <span className="detail-label">Completed:</span>
-                        <span className="detail-value">{formatDate(download.completedAt)}</span>
-                      </div>
-                    )}
-                  </div>
-                  </div>
-                </div>
-              ))}
-            </div>
-          )}
-        </div>
-      )}
-
-      <footer className="app-footer">
-        <p>Ensure your media is tagged with "user:username" in Sonarr/Radarr to match downloads to users.</p>
-      </footer>
-    </div>
-  );
-}
-
-export default App;
@@ -0,0 +1,292 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+
+import { state } from './state.js';
+
+export async function checkAuthentication() {
+  try {
+    // Fetch both auth state and a fresh CSRF token in parallel
+    const [meRes, csrfRes] = await Promise.all([
+      fetch('/api/auth/me'),
+      fetch('/api/auth/csrf')
+    ]);
+    const data = await meRes.json();
+    const csrfData = await csrfRes.json();
+    if (csrfData.csrfToken) state.csrfToken = csrfData.csrfToken;
+
+    if (data.authenticated) {
+      state.currentUser = data.user;
+      state.isAdmin = !!data.user.isAdmin;
+      return { authenticated: true, user: data.user };
+    } else {
+      return { authenticated: false };
+    }
+  } catch (err) {
+    console.error('Authentication check failed:', err);
+    return { authenticated: false };
+  }
+}
+
+export async function handleLogin(username, password, rememberMe) {
+  try {
+    const response = await fetch('/api/auth/login', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json'
+      },
+      body: JSON.stringify({ username, password, rememberMe })
+    });
+    
+    const data = await response.json();
+    
+    if (data.success) {
+      state.currentUser = data.user;
+      state.isAdmin = !!data.user.isAdmin;
+      // Store CSRF token returned by login for use in subsequent requests
+      if (data.csrfToken) state.csrfToken = data.csrfToken;
+      return { success: true, user: data.user };
+    } else {
+      return { success: false, error: data.error || 'Login failed' };
+    }
+  } catch (err) {
+    console.error(err);
+    return { success: false, error: 'Login failed. Please try again.' };
+  }
+}
+
+export async function handleLogout() {
+  try {
+    await fetch('/api/auth/logout', {
+      method: 'POST',
+      headers: state.csrfToken ? { 'X-CSRF-Token': state.csrfToken } : {}
+    });
+    state.currentUser = null;
+    state.csrfToken = null;
+    return { success: true };
+  } catch (err) {
+    console.error('Logout failed:', err);
+    return { success: false };
+  }
+}
+
+export async function loadHistory(forceRefresh = false) {
+  try {
+    const params = new URLSearchParams({ days: state.historyDays });
+    if (state.showAll) params.set('showAll', 'true');
+    if (forceRefresh) params.set('_t', Date.now());
+    const res = await fetch(`/api/history/recent?${params}`);
+    if (!res.ok) throw new Error(`HTTP ${res.status}`);
+    const data = await res.json();
+    return { success: true, history: data.history || [] };
+  } catch (err) {
+    console.error('[History] Load error:', err);
+    return { success: false, error: 'Failed to load history.' };
+  }
+}
+
+export async function handleBlocklistSearch(download) {
+  try {
+    const res = await fetch('/api/dashboard/blocklist-search', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'X-CSRF-Token': state.csrfToken
+      },
+      body: JSON.stringify({
+        arrQueueId: download.arrQueueId,
+        arrType: download.arrType,
+        arrInstanceUrl: download.arrInstanceUrl,
+        arrInstanceKey: download.arrInstanceKey,
+        arrContentId: download.arrContentId,
+        arrContentType: download.arrContentType
+      })
+    });
+
+    if (!res.ok) {
+      const data = await res.json().catch(() => ({}));
+      throw new Error(data.error || `HTTP ${res.status}`);
+    }
+
+    return { success: true };
+  } catch (err) {
+    console.error('[Blocklist] Error:', err);
+    throw err;
+  }
+}
+
+export async function loadAppVersion() {
+  try {
+    const res = await fetch('/health');
+    const data = await res.json();
+    return data.version || null;
+  } catch (err) {
+    return null;
+  }
+}
+
+export async function fetchWebhookMetrics() {
+  try {
+    const res = await fetch('/api/dashboard/webhook-metrics');
+    if (!res.ok) return null;
+    return await res.json();
+  } catch (err) {
+    return null;
+  }
+}
+
+export async function fetchWebhookStatus() {
+  try {
+    // Fetch metrics in parallel
+    const metricsPromise = fetchWebhookMetrics();
+    
+    // Fetch Sonarr notifications
+    let sonarrEnabled = false;
+    let sonarrTriggers = { onGrab: false, onDownload: false, onImport: false, onUpgrade: false };
+    try {
+      const sonarrRes = await fetch('/api/sonarr/notifications');
+      if (sonarrRes.ok) {
+        const sonarrData = await sonarrRes.json();
+        const sonarrSofarr = sonarrData.find(n => n.name === 'Sofarr');
+        sonarrEnabled = !!sonarrSofarr;
+        if (sonarrSofarr) {
+          sonarrTriggers = {
+            onGrab: sonarrSofarr.onGrab,
+            onDownload: sonarrSofarr.onDownload,
+            onImport: sonarrSofarr.onImport,
+            onUpgrade: sonarrSofarr.onUpgrade
+          };
+        }
+      }
+    } catch (err) {
+      // Sonarr not configured
+    }
+    
+    // Fetch Radarr notifications
+    let radarrEnabled = false;
+    let radarrTriggers = { onGrab: false, onDownload: false, onImport: false, onUpgrade: false };
+    try {
+      const radarrRes = await fetch('/api/radarr/notifications');
+      if (radarrRes.ok) {
+        const radarrData = await radarrRes.json();
+        const radarrSofarr = radarrData.find(n => n.name === 'Sofarr');
+        radarrEnabled = !!radarrSofarr;
+        if (radarrSofarr) {
+          radarrTriggers = {
+            onGrab: radarrSofarr.onGrab,
+            onDownload: radarrSofarr.onDownload,
+            onImport: radarrSofarr.onImport,
+            onUpgrade: radarrSofarr.onUpgrade
+          };
+        }
+      }
+    } catch (err) {
+      // Radarr not configured
+    }
+    
+    state.webhookMetrics = await metricsPromise;
+    
+    // Find instance stats
+    const instanceEntries = state.webhookMetrics ? Object.entries(state.webhookMetrics.instances || {}) : [];
+    const sonarrStats = instanceEntries.find(([url]) => url.includes('sonarr'))?.[1] || null;
+    const radarrStats = instanceEntries.find(([url]) => url.includes('radarr'))?.[1] || null;
+    
+    state.sonarrWebhook = { enabled: sonarrEnabled, triggers: sonarrTriggers, stats: sonarrStats };
+    state.radarrWebhook = { enabled: radarrEnabled, triggers: radarrTriggers, stats: radarrStats };
+    
+    return { success: true };
+  } catch (err) {
+    console.error('Failed to fetch webhook status:', err);
+    return { success: false };
+  }
+}
+
+export async function enableSonarrWebhook() {
+  try {
+    const res = await fetch('/api/sonarr/notifications/sofarr-webhook', {
+      method: 'POST',
+      headers: { 'X-CSRF-Token': state.csrfToken || '' }
+    });
+    if (!res.ok) throw new Error('Failed to enable');
+    await fetchWebhookStatus();
+    return { success: true };
+  } catch (err) {
+    console.error('Failed to enable Sonarr webhook:', err);
+    return { success: false, error: err.message };
+  }
+}
+
+export async function enableRadarrWebhook() {
+  try {
+    const res = await fetch('/api/radarr/notifications/sofarr-webhook', {
+      method: 'POST',
+      headers: { 'X-CSRF-Token': state.csrfToken || '' }
+    });
+    if (!res.ok) throw new Error('Failed to enable');
+    await fetchWebhookStatus();
+    return { success: true };
+  } catch (err) {
+    console.error('Failed to enable Radarr webhook:', err);
+    return { success: false, error: err.message };
+  }
+}
+
+export async function testSonarrWebhook() {
+  try {
+    const sonarrRes = await fetch('/api/sonarr/notifications');
+    if (!sonarrRes.ok) throw new Error('Failed to fetch notifications');
+    const sonarrData = await sonarrRes.json();
+    const sonarrSofarr = sonarrData.find(n => n.name === 'Sofarr');
+    if (!sonarrSofarr) throw new Error('Sofarr webhook not found');
+    
+    const res = await fetch('/api/sonarr/notifications/test', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'X-CSRF-Token': state.csrfToken || ''
+      },
+      body: JSON.stringify(sonarrSofarr)
+    });
+    if (!res.ok) throw new Error('Test failed');
+    await fetchWebhookStatus();
+    return { success: true };
+  } catch (err) {
+    console.error('Failed to test Sonarr webhook:', err);
+    return { success: false, error: err.message };
+  }
+}
+
+export async function testRadarrWebhook() {
+  try {
+    const radarrRes = await fetch('/api/radarr/notifications');
+    if (!radarrRes.ok) throw new Error('Failed to fetch notifications');
+    const radarrData = await radarrRes.json();
+    const radarrSofarr = radarrData.find(n => n.name === 'Sofarr');
+    if (!radarrSofarr) throw new Error('Sofarr webhook not found');
+    
+    const res = await fetch('/api/radarr/notifications/test', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'X-CSRF-Token': state.csrfToken || ''
+      },
+      body: JSON.stringify(radarrSofarr)
+    });
+    if (!res.ok) throw new Error('Test failed');
+    await fetchWebhookStatus();
+    return { success: true };
+  } catch (err) {
+    console.error('Failed to test Radarr webhook:', err);
+    return { success: false, error: err.message };
+  }
+}
+
+export async function refreshStatusPanel() {
+  try {
+    const res = await fetch('/api/status');
+    if (!res.ok) throw new Error('Failed to fetch status: ' + res.status);
+    const data = await res.json();
+    return { success: true, data };
+  } catch (err) {
+    console.error('[Status] Error fetching status:', err);
+    return { success: false, error: err.message };
+  }
+}
@@ -0,0 +1,62 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+
+// Bootstrap - wire all event handlers on DOMContentLoaded
+import { checkAuthenticationAndInit, handleLogin, handleLogoutClick } from './ui/auth.js';
+import { initDownloadClientFilter } from './ui/filters.js';
+import { initHistoryControls } from './ui/history.js';
+import { toggleStatusPanel } from './ui/statusPanel.js';
+import { initWebhooks } from './ui/webhooks.js';
+import { initThemeSwitcher } from './ui/theme.js';
+import { initTabs, goHome } from './ui/tabs.js';
+import { handleShowAllToggle } from './sse.js';
+import { loadAppVersion } from './api.js';
+
+document.addEventListener('DOMContentLoaded', () => {
+  // Login form
+  const loginForm = document.getElementById('login-form');
+  if (loginForm) {
+    loginForm.addEventListener('submit', handleLogin);
+  }
+  
+  // Logout button
+  const logoutBtn = document.getElementById('logout-btn');
+  if (logoutBtn) {
+    logoutBtn.addEventListener('click', handleLogoutClick);
+  }
+  
+  // Show all toggle
+  const showAllToggle = document.getElementById('show-all-toggle');
+  if (showAllToggle) {
+    showAllToggle.addEventListener('change', (e) => handleShowAllToggle(e.target.checked));
+  }
+  
+  // Status panel toggle
+  const statusToggle = document.getElementById('status-btn');
+  if (statusToggle) {
+    statusToggle.addEventListener('click', toggleStatusPanel);
+  }
+  
+  // Home button
+  const homeBtn = document.getElementById('home-btn');
+  if (homeBtn) {
+    homeBtn.addEventListener('click', goHome);
+  }
+  
+  // Initialize UI components
+  initThemeSwitcher();
+  initTabs();
+  initDownloadClientFilter();
+  initHistoryControls();
+  initWebhooks();
+  
+  // Load app version
+  loadAppVersion().then(version => {
+    const versionEl = document.getElementById('app-version');
+    if (versionEl && version) {
+      versionEl.textContent = 'v' + version;
+    }
+  });
+  
+  // Check authentication and initialize
+  checkAuthenticationAndInit();
+});
@@ -1,10 +0,0 @@
-import React from 'react'
-import ReactDOM from 'react-dom/client'
-import App from './App.jsx'
-import './App.css'
-
-ReactDOM.createRoot(document.getElementById('root')).render(
-  <React.StrictMode>
-    <App />
-  </React.StrictMode>,
-)
@@ -0,0 +1,74 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+
+import { state, SSE_RECONNECT_MS } from './state.js';
+import { renderDownloads } from './ui/downloads.js';
+import { hideError, hideLoading } from './ui/auth.js';
+import { loadHistory } from './ui/history.js';
+
+export function startSSE() {
+  stopSSE();
+  const params = state.showAll ? '?showAll=true' : '';
+  const source = new EventSource('/api/dashboard/stream' + params);
+  state.sseSource = source;
+
+  let firstMessage = true;
+  source.onmessage = (event) => {
+    try {
+      const data = JSON.parse(event.data);
+      state.currentUser = data.user;
+      state.isAdmin = !!data.isAdmin;
+      state.downloads = data.downloads;
+      // Store download clients and update filter dropdown
+      if (data.downloadClients) {
+        state.downloadClients = data.downloadClients;
+        // Trigger filter update
+        const filterUpdateEvent = new CustomEvent('downloadClientsUpdated');
+        document.dispatchEvent(filterUpdateEvent);
+      }
+      document.getElementById('currentUser').textContent = state.currentUser || '-';
+      renderDownloads();
+      hideError();
+      if (firstMessage) { firstMessage = false; hideLoading(); }
+    } catch (err) {
+      console.error('[SSE] Failed to parse message:', err);
+    }
+  };
+
+  // Listen for history-update events from server
+  source.addEventListener('history-update', (event) => {
+    try {
+      const data = JSON.parse(event.data);
+      console.log('[SSE] History update received:', data.type);
+      // Trigger history reload
+      const historyReloadEvent = new CustomEvent('historyReload');
+      document.dispatchEvent(historyReloadEvent);
+    } catch (err) {
+      console.error('[SSE] Failed to parse history-update message:', err);
+    }
+  });
+
+  source.onerror = () => {
+    // EventSource retries automatically; we just log and show a reconnecting indicator
+    console.warn('[SSE] Connection lost, browser will retry...');
+  };
+
+  console.log('[SSE] Stream connected');
+}
+
+export function stopSSE() {
+  if (state.sseReconnectTimer) { clearTimeout(state.sseReconnectTimer); state.sseReconnectTimer = null; }
+  if (state.sseSource) {
+    state.sseSource.close();
+    state.sseSource = null;
+    console.log('[SSE] Stream closed');
+  }
+}
+
+export function handleShowAllToggle(checked) {
+  state.showAll = checked;
+  // Re-open stream with updated showAll param
+  startSSE();
+  // Trigger history reload with updated showAll param
+  const historyReloadEvent = new CustomEvent('historyReload');
+  document.dispatchEvent(historyReloadEvent);
+}
@@ -0,0 +1,38 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+
+// Global state (using objects for mutability across modules)
+export const state = {
+  currentUser: null,
+  downloads: [],
+  downloadClients: [], // List of download clients from server (for ordering/filtering)
+  selectedDownloadClients: [], // Array of selected client IDs for multi-select filter
+  isAdmin: false,
+  showAll: false,
+  csrfToken: null, // double-submit CSRF token, sent as X-CSRF-Token on mutating requests
+  
+  // History section state
+  historyDays: 7, // Default value, will be loaded from localStorage
+  historyRefreshHandle: null,
+  ignoreAvailable: false, // Default value, will be loaded from localStorage
+  lastHistoryItems: [], // raw items from last fetch, for re-filtering without a network round-trip
+  
+  // SSE stream state
+  sseSource: null,
+  sseReconnectTimer: null,
+  
+  // Status panel state
+  statusRefreshHandle: null,
+  
+  // Webhooks state
+  webhookSectionExpanded: false,
+  webhookLoading: false,
+  sonarrWebhook: { enabled: false, triggers: { onGrab: false, onDownload: false, onImport: false, onUpgrade: false }, stats: null },
+  radarrWebhook: { enabled: false, triggers: { onGrab: false, onDownload: false, onImport: false, onUpgrade: false }, stats: null },
+  webhookMetrics: null
+};
+
+// Constants
+export const SPLASH_MIN_MS = 1200; // minimum splash display time
+export const HISTORY_REFRESH_MS = 5 * 60 * 1000; // auto-refresh history every 5 min
+export const SSE_RECONNECT_MS = 3000; // browser already retries, but we add explicit backoff too
+export const STATUS_REFRESH_MS = 5000;
@@ -0,0 +1,176 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+
+import { state, SPLASH_MIN_MS } from '../state.js';
+import { checkAuthentication, handleLogin as apiHandleLogin, handleLogout as apiHandleLogout } from '../api.js';
+import { startSSE, stopSSE } from '../sse.js';
+import { stopHistoryRefresh, clearHistory, startHistoryRefresh } from './history.js';
+import { closeStatusPanel } from './statusPanel.js';
+
+export function fadeOutLogin() {
+  return new Promise(resolve => {
+    const login = document.getElementById('login-container');
+    login.classList.add('fade-out');
+    login.addEventListener('transitionend', () => {
+      login.classList.add('hidden');
+      login.classList.remove('fade-out');
+      resolve();
+    }, { once: true });
+  });
+}
+
+export function showSplash() {
+  const splash = document.getElementById('splash-screen');
+  splash.classList.remove('hidden');
+  splash.style.opacity = '1';
+  splash.classList.remove('fade-out');
+}
+
+export function dismissSplash(startTime) {
+  return new Promise(resolve => {
+    const elapsed = Date.now() - (startTime || 0);
+    const remaining = Math.max(0, SPLASH_MIN_MS - elapsed);
+    setTimeout(() => {
+      const splash = document.getElementById('splash-screen');
+      splash.classList.add('fade-out');
+      // Fallback: resolve after transition duration + buffer in case
+      // transitionend never fires (e.g. display was toggled in same frame)
+      const TRANSITION_MS = 400;
+      const fallback = setTimeout(() => {
+        splash.classList.add('hidden');
+        resolve();
+      }, TRANSITION_MS + 100);
+      splash.addEventListener('transitionend', () => {
+        clearTimeout(fallback);
+        splash.classList.add('hidden');
+        resolve();
+      }, { once: true });
+    }, remaining);
+  });
+}
+
+export async function checkAuthenticationAndInit() {
+  const splashStart = Date.now();
+  try {
+    const result = await checkAuthentication();
+    if (result.authenticated) {
+      showDashboard();
+      showLoading();
+      startSSE();
+      await dismissSplash(splashStart);
+    } else {
+      await dismissSplash(splashStart);
+      showLogin();
+    }
+  } catch (err) {
+    console.error('Authentication check failed:', err);
+    await dismissSplash(splashStart);
+    showLogin();
+  }
+}
+
+export async function handleLogin(e) {
+  e.preventDefault();
+  
+  const username = document.getElementById('username').value;
+  const password = document.getElementById('password').value;
+  const rememberMe = document.getElementById('remember-me').checked;
+  
+  try {
+    const result = await apiHandleLogin(username, password, rememberMe);
+    
+    if (result.success) {
+      // Fade out login, then show splash while opening SSE stream.
+      // requestAnimationFrame ensures the browser paints the splash at
+      // opacity:1 before dismissSplash adds fade-out, so the CSS
+      // transition fires and transitionend is guaranteed.
+      await fadeOutLogin();
+      showSplash();
+      await new Promise(r => requestAnimationFrame(() => requestAnimationFrame(r)));
+      showDashboard();
+      showLoading();
+      const splashStart = Date.now();
+      startSSE();
+      await dismissSplash(splashStart);
+    } else {
+      showLoginError(result.error || 'Login failed');
+    }
+  } catch (err) {
+    showLoginError('Login failed. Please try again.');
+    console.error(err);
+  }
+}
+
+export async function handleLogoutClick() {
+  try {
+    stopSSE();
+    stopHistoryRefresh();
+    if (state.statusRefreshHandle) { clearInterval(state.statusRefreshHandle); state.statusRefreshHandle = null; }
+    await apiHandleLogout();
+    state.currentUser = null;
+    clearHistory();
+    showLogin();
+  } catch (err) {
+    console.error('Logout failed:', err);
+  }
+}
+
+export function showLogin() {
+  document.getElementById('login-container').classList.remove('hidden');
+  document.getElementById('dashboard-container').classList.add('hidden');
+  hideLoginError();
+}
+
+export function showDashboard() {
+  document.getElementById('login-container').classList.add('hidden');
+  document.getElementById('dashboard-container').classList.remove('hidden');
+  document.getElementById('currentUser').textContent = state.currentUser.name || '-';
+  // Always start with status panel hidden (guards against stale display value on re-login)
+  const sp = document.getElementById('status-panel');
+  sp.classList.add('hidden');
+  // Also hide webhooks-section to keep them in sync (both show/hide together)
+  const webhooksSection = document.getElementById('webhooks-section');
+  if (webhooksSection) webhooksSection.classList.add('hidden');
+  const adminControls = document.getElementById('admin-controls');
+  if (state.isAdmin) {
+    adminControls.classList.remove('hidden');
+  } else {
+    adminControls.classList.add('hidden');
+  }
+  // Note: webhooks-section visibility is controlled by toggleStatusPanel()
+  // Initialise days input from saved value
+  const daysInput = document.getElementById('history-days');
+  if (daysInput) daysInput.value = state.historyDays;
+  startHistoryRefresh();
+}
+
+export function showLoginError(message) {
+  const errorDiv = document.getElementById('login-error');
+  errorDiv.textContent = message;
+  errorDiv.classList.remove('hidden');
+}
+
+export function hideLoginError() {
+  const errorDiv = document.getElementById('login-error');
+  errorDiv.classList.add('hidden');
+}
+
+export function showError(message) {
+  const errorDiv = document.getElementById('error-message');
+  errorDiv.textContent = message;
+  errorDiv.classList.remove('hidden');
+}
+
+export function hideError() {
+  const errorDiv = document.getElementById('error-message');
+  errorDiv.classList.add('hidden');
+}
+
+export function showLoading() {
+  const loading = document.getElementById('loading');
+  loading.classList.remove('hidden');
+}
+
+export function hideLoading() {
+  const loading = document.getElementById('loading');
+  loading.classList.add('hidden');
+}
@@ -0,0 +1,507 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+
+import { state } from '../state.js';
+import { formatSize, formatSpeed, formatEpisodeInfo, escapeHtml } from '../utils/format.js';
+import { handleBlocklistSearch } from '../api.js';
+
+export function renderTagBadges(tagBadges, showAll, matchedUserTag) {
+  const fragment = document.createDocumentFragment();
+
+  if (showAll && tagBadges && tagBadges.length > 0) {
+    const unmatched = tagBadges.filter(b => !b.matchedUser);
+    const matched = tagBadges.filter(b => b.matchedUser);
+    for (const b of unmatched) {
+      const badge = document.createElement('span');
+      badge.className = 'download-user-badge unmatched';
+      badge.textContent = b.label;
+      fragment.appendChild(badge);
+    }
+    for (const b of matched) {
+      const badge = document.createElement('span');
+      badge.className = 'download-user-badge';
+      badge.textContent = b.matchedUser;
+      fragment.appendChild(badge);
+    }
+  } else if (matchedUserTag) {
+    const matchedBadge = document.createElement('span');
+    matchedBadge.className = 'download-user-badge';
+    matchedBadge.textContent = matchedUserTag;
+    fragment.appendChild(matchedBadge);
+  }
+
+  return fragment;
+}
+
+function createClientLogo(download) {
+  const clientLogoWrapper = document.createElement('span');
+  clientLogoWrapper.className = 'download-client-logo-wrapper download-card-logo-wrapper';
+
+  const clientLogo = document.createElement('img');
+  clientLogo.className = 'download-client-logo';
+  clientLogo.src = `/images/clients/${download.client}.svg`;
+  clientLogo.alt = `${download.instanceName || download.client} icon`;
+  clientLogo.title = download.instanceName || download.client;
+  clientLogo.onerror = () => {
+    clientLogoWrapper.textContent = download.client.charAt(0).toUpperCase();
+    clientLogoWrapper.classList.add('fallback');
+  };
+
+  clientLogoWrapper.appendChild(clientLogo);
+  return clientLogoWrapper;
+}
+
+export function renderDownloads() {
+  const downloadsList = document.getElementById('downloads-list');
+  const noDownloads = document.getElementById('no-downloads');
+
+  // Filter downloads by selected clients
+  let filteredDownloads = state.downloads;
+  if (state.selectedDownloadClients.length > 0) {
+    // Map indices to client objects, then filter by both client type and instanceId
+    const selectedClients = state.selectedDownloadClients.map(idx => state.downloadClients[idx]).filter(Boolean);
+    filteredDownloads = state.downloads.filter(d =>
+      selectedClients.some(c => c.type === d.client && c.id === d.instanceId)
+    );
+  }
+
+  // Sort downloads by client order (matching the order in downloadClients)
+  if (state.downloadClients.length > 0) {
+    const clientOrder = new Map(state.downloadClients.map((c, idx) => [c.id, idx]));
+    filteredDownloads = [...filteredDownloads].sort((a, b) => {
+      const orderA = clientOrder.get(a.instanceId) ?? Infinity;
+      const orderB = clientOrder.get(b.instanceId) ?? Infinity;
+      return orderA - orderB;
+    });
+  }
+
+  if (filteredDownloads.length === 0) {
+    noDownloads.classList.remove('hidden');
+    downloadsList.innerHTML = '';
+    return;
+  }
+
+  noDownloads.classList.add('hidden');
+
+  // Get existing cards
+  const existingCards = new Map();
+  downloadsList.querySelectorAll('.download-card').forEach(card => {
+    existingCards.set(card.dataset.id, card);
+  });
+
+  // Track which downloads we've processed
+  const processedIds = new Set();
+
+  filteredDownloads.forEach(download => {
+    const id = download.title;
+    processedIds.add(id);
+
+    const existingCard = existingCards.get(id);
+    if (existingCard) {
+      // Update existing card
+      updateDownloadCard(existingCard, download);
+    } else {
+      // Create new card
+      const card = createDownloadCard(download);
+      downloadsList.appendChild(card);
+    }
+  });
+
+  // Remove cards for downloads that no longer exist
+  existingCards.forEach((card, id) => {
+    if (!processedIds.has(id)) {
+      card.remove();
+    }
+  });
+}
+
+export function updateDownloadCard(card, download) {
+  // Remove old header-right container if it exists
+  const oldRightSide = card.querySelector('.download-header-right');
+  if (oldRightSide) {
+    oldRightSide.remove();
+  }
+
+  // Remove old user badges directly in header
+  const oldBadges = card.querySelectorAll('.download-header .download-user-badge');
+  oldBadges.forEach(badge => badge.remove());
+
+  // Remove old client logo from header (old structure)
+  const oldLogoInHeader = card.querySelector('.download-header .download-client-logo-wrapper');
+  if (oldLogoInHeader) {
+    oldLogoInHeader.remove();
+  }
+
+  // Remove old client logo from card (new structure) if it exists
+  const oldLogoInCard = card.querySelector('.download-card-logo-wrapper');
+  if (oldLogoInCard) {
+    oldLogoInCard.remove();
+  }
+
+  // Add new right-side container with user badge only
+  const header = card.querySelector('.download-header');
+  if (header && !header.querySelector('.download-header-right')) {
+    const rightSide = document.createElement('div');
+    rightSide.className = 'download-header-right';
+
+    const badges = renderTagBadges(download.tagBadges, state.showAll, download.matchedUserTag);
+    rightSide.appendChild(badges);
+
+    header.appendChild(rightSide);
+  }
+
+  // Add client logo to card (positioned at bottom right via CSS)
+  if (download.client && !card.querySelector('.download-card-logo-wrapper')) {
+    card.appendChild(createClientLogo(download));
+  }
+
+  // Update status
+  const statusEl = card.querySelector('.download-status');
+  if (statusEl && statusEl.textContent !== download.status) {
+    statusEl.textContent = download.status;
+    statusEl.className = `download-status ${download.status}`;
+  }
+  
+  // Update progress bar and missing pieces
+  const progressContainer = card.querySelector('.progress-container');
+  if (progressContainer && download.progress !== undefined) {
+    const progressBar = progressContainer.querySelector('.progress-bar');
+    const progressText = progressContainer.querySelector('.progress-text');
+    const missingText = progressContainer.querySelector('.missing-text');
+    
+    if (progressBar) {
+      const downloaded = progressBar.querySelector('.downloaded');
+      if (downloaded) {
+        downloaded.style.width = download.progress + '%';
+      }
+    }
+    
+    if (progressText) {
+      progressText.textContent = download.progress + '%';
+    }
+    
+    if (missingText) {
+      const totalMb = parseFloat(download.mb) || parseFloat(download.size);
+      const missingMb = parseFloat(download.mbmissing) || 0;
+      if (missingMb > 0 && totalMb > 0) {
+        missingText.textContent = `(missing ${missingMb.toFixed(1)} of ${totalMb.toFixed(1)} MB)`;
+      } else {
+        missingText.textContent = '';
+      }
+    }
+  }
+  
+  // Update speed
+  const speedEl = card.querySelector('.detail-item[data-label="Speed"] .detail-value');
+  if (speedEl && download.speed !== undefined) {
+    speedEl.textContent = formatSpeed(download.speed);
+  }
+  
+  // Update ETA
+  const etaEl = card.querySelector('.detail-item[data-label="ETA"] .detail-value');
+  if (etaEl && download.eta !== undefined) {
+    etaEl.textContent = download.eta;
+  }
+  
+  // Update qBittorrent-specific fields
+  if (download.qbittorrent) {
+    const seedsEl = card.querySelector('.detail-item[data-label="Seeds"] .detail-value');
+    if (seedsEl && download.seeds !== undefined) {
+      seedsEl.textContent = download.seeds;
+    }
+    
+    const peersEl = card.querySelector('.detail-item[data-label="Peers"] .detail-value');
+    if (peersEl && download.peers !== undefined) {
+      peersEl.textContent = download.peers;
+    }
+    
+    const availabilityItem = card.querySelector('.detail-item[data-label="Availability"]');
+    if (availabilityItem && download.availability !== undefined) {
+      availabilityItem.querySelector('.detail-value').textContent = `${download.availability}%`;
+      availabilityItem.classList.toggle('availability-warning', parseFloat(download.availability) < 100);
+    }
+  }
+}
+
+export async function handleBlocklistSearchClick(btn, download) {
+  console.log('[Blocklist] Clicked, download:', download);
+  console.log('[Blocklist] Required fields:', {
+    arrQueueId: download.arrQueueId,
+    arrType: download.arrType,
+    arrInstanceUrl: download.arrInstanceUrl,
+    arrInstanceKey: download.arrInstanceKey,
+    arrContentId: download.arrContentId,
+    arrContentType: download.arrContentType,
+    isAdmin: state.isAdmin,
+    canBlocklist: download.canBlocklist
+  });
+
+  if (!confirm(`Blocklist "${download.title}" and trigger a new search?\n\nThis will:\n• Remove the download from the download client\n• Add this release to the blocklist\n• Trigger an automatic search for a new release`)) return;
+
+  btn.disabled = true;
+  btn.textContent = '⏳ Working…';
+
+  try {
+    await handleBlocklistSearch(download);
+    btn.textContent = '✓ Done — searching…';
+    btn.className = 'blocklist-search-btn success';
+  } catch (err) {
+    console.error('[Blocklist] Error:', err);
+    btn.disabled = false;
+    btn.textContent = '⛔ Blocklist & Search';
+    btn.className = 'blocklist-search-btn error';
+    btn.title = `Failed: ${err.message}`;
+    setTimeout(() => {
+      btn.className = 'blocklist-search-btn';
+      btn.title = 'Remove this release from the download client, add it to the blocklist, and trigger an automatic search';
+    }, 4000);
+  }
+}
+
+export function createDownloadCard(download) {
+  const card = document.createElement('div');
+  card.className = `download-card ${download.type}`;
+  card.dataset.id = download.title;
+  
+  // Cover art
+  if (download.coverArt) {
+    const coverDiv = document.createElement('div');
+    coverDiv.className = 'download-cover';
+    const coverImg = document.createElement('img');
+    // Proxy cover art through the server so the CSP img-src 'self' rule
+    // is satisfied (external poster URLs would be blocked otherwise).
+    coverImg.src = download.coverArt
+      ? '/api/dashboard/cover-art?url=' + encodeURIComponent(download.coverArt)
+      : '';
+    coverImg.alt = download.movieName || download.seriesName || download.title;
+    coverImg.loading = 'lazy';
+    coverDiv.appendChild(coverImg);
+    card.appendChild(coverDiv);
+  }
+  
+  // Info wrapper
+  const infoDiv = document.createElement('div');
+  infoDiv.className = 'download-info';
+  
+  const header = document.createElement('div');
+  header.className = 'download-header';
+
+  const type = document.createElement('span');
+  type.className = `download-type ${download.type}`;
+  if (download.type === 'series') {
+    type.textContent = '📺 Series';
+  } else if (download.type === 'movie') {
+    type.textContent = '🎬 Movie';
+  } else if (download.type === 'torrent') {
+    const instName = download.instanceName ? ` (${download.instanceName})` : '';
+    type.textContent = `📥 Torrent${instName}`;
+  } else {
+    type.textContent = download.type;
+  }
+
+  const status = document.createElement('span');
+  status.className = `download-status ${download.status}`;
+  status.textContent = download.status;
+
+  header.appendChild(type);
+  header.appendChild(status);
+
+  if (download.importIssues && download.importIssues.length > 0) {
+    const issueBadge = document.createElement('span');
+    issueBadge.className = 'import-issue-badge';
+    issueBadge.textContent = 'Import Pending';
+    issueBadge.setAttribute('data-tooltip', download.importIssues.join('\n'));
+    header.appendChild(issueBadge);
+  }
+
+  if ((state.isAdmin || download.canBlocklist) && download.arrQueueId) {
+    const blBtn = document.createElement('button');
+    blBtn.className = 'blocklist-search-btn';
+    blBtn.textContent = '⛔ Blocklist & Search';
+    blBtn.title = 'Remove this release from the download client, add it to the blocklist, and trigger a new automatic search';
+    blBtn.addEventListener('click', () => handleBlocklistSearchClick(blBtn, download));
+    header.appendChild(blBtn);
+  }
+
+  // Right side container for user badge only
+  const rightSide = document.createElement('div');
+  rightSide.className = 'download-header-right';
+
+  const badges = renderTagBadges(download.tagBadges, state.showAll, download.matchedUserTag);
+  rightSide.appendChild(badges);
+
+  header.appendChild(rightSide);
+
+  // Add client logo to card (positioned at bottom right via CSS)
+  if (download.client) {
+    card.appendChild(createClientLogo(download));
+  }
+
+  const title = document.createElement('h3');
+  title.className = 'download-title';
+  title.textContent = download.title;
+  
+  infoDiv.appendChild(header);
+  infoDiv.appendChild(title);
+  
+  if (download.seriesName) {
+    const series = document.createElement('p');
+    series.className = 'download-series';
+    if (state.isAdmin && download.arrLink) {
+      series.innerHTML = 'Series: <a href="' + escapeHtml(download.arrLink) + '" target="_blank" class="arr-link">' + escapeHtml(download.seriesName) + '</a>';
+    } else {
+      series.textContent = `Series: ${download.seriesName}`;
+    }
+    infoDiv.appendChild(series);
+    const epEl = formatEpisodeInfo(download.episodes);
+    if (epEl) infoDiv.appendChild(epEl);
+  }
+  
+  if (download.movieName) {
+    const movie = document.createElement('p');
+    movie.className = 'download-movie';
+    if (state.isAdmin && download.arrLink) {
+      movie.innerHTML = 'Movie: <a href="' + escapeHtml(download.arrLink) + '" target="_blank" class="arr-link">' + escapeHtml(download.movieName) + '</a>';
+    } else {
+      movie.textContent = `Movie: ${download.movieName}`;
+    }
+    infoDiv.appendChild(movie);
+  }
+
+  const details = document.createElement('div');
+  details.className = 'download-details';
+  
+  const size = createDetailItem('Size', formatSize(download.size));
+  details.appendChild(size);
+  
+  if (download.progress !== undefined) {
+    const progressItem = document.createElement('div');
+    progressItem.className = 'detail-item progress-item';
+    progressItem.dataset.label = 'Progress';
+    
+    const labelSpan = document.createElement('span');
+    labelSpan.className = 'detail-label';
+    labelSpan.textContent = 'Progress';
+    
+    const valueDiv = document.createElement('div');
+    valueDiv.className = 'progress-container';
+    
+    // Progress bar with segments
+    const totalMb = parseFloat(download.mb) || parseFloat(download.size);
+    const missingMb = parseFloat(download.mbmissing) || 0;
+    const downloadedMb = totalMb - missingMb;
+    const progressPercent = parseFloat(download.progress) || 0;
+    const missingPercent = totalMb > 0 ? (missingMb / totalMb) * 100 : 0;
+    
+    const progressBar = document.createElement('div');
+    progressBar.className = 'progress-bar';
+    
+    // Downloaded portion (green)
+    if (progressPercent > 0) {
+      const downloaded = document.createElement('div');
+      downloaded.className = 'progress-segment downloaded';
+      downloaded.style.width = progressPercent + '%';
+      progressBar.appendChild(downloaded);
+    }
+    
+    valueDiv.appendChild(progressBar);
+    
+    // Text showing percentage
+    const progressText = document.createElement('span');
+    progressText.className = 'progress-text';
+    progressText.textContent = download.progress + '%';
+    valueDiv.appendChild(progressText);
+    
+    // Missing pieces text (only for torrent clients like qBittorrent)
+    if (download.client && (download.client === 'qbittorrent' || download.client === 'rtorrent') && missingMb > 0 && totalMb > 0) {
+      const missingText = document.createElement('span');
+      missingText.className = 'missing-text';
+      missingText.textContent = `(missing ${missingMb.toFixed(1)} of ${totalMb.toFixed(1)} MB)`;
+      valueDiv.appendChild(missingText);
+    }
+    
+    progressItem.appendChild(labelSpan);
+    progressItem.appendChild(valueDiv);
+    details.appendChild(progressItem);
+  }
+  
+  if (download.speed && download.speed > 0) {
+    const speed = createDetailItem('Speed', formatSpeed(download.speed));
+    details.appendChild(speed);
+  }
+  
+  if (download.eta) {
+    const eta = createDetailItem('ETA', download.eta);
+    details.appendChild(eta);
+  }
+  
+  // qBittorrent-specific fields
+  if (download.qbittorrent) {
+    if (download.seeds !== undefined) {
+      const seeds = createDetailItem('Seeds', download.seeds);
+      details.appendChild(seeds);
+    }
+    
+    if (download.peers !== undefined) {
+      const peers = createDetailItem('Peers', download.peers);
+      details.appendChild(peers);
+    }
+    
+    if (download.availability !== undefined) {
+      const availability = createDetailItem('Availability', `${download.availability}%`);
+      if (parseFloat(download.availability) < 100) availability.classList.add('availability-warning');
+      details.appendChild(availability);
+    }
+  }
+  
+  if (download.completedAt) {
+    const completed = createDetailItem('Completed', formatDate(download.completedAt));
+    details.appendChild(completed);
+  }
+
+  if (state.isAdmin && (download.downloadPath || download.targetPath)) {
+    const pathsDiv = document.createElement('div');
+    pathsDiv.className = 'download-paths';
+    if (download.downloadPath) {
+      const dlPath = document.createElement('div');
+      dlPath.className = 'path-item';
+      dlPath.innerHTML = '<span class="path-label">Download:</span> <span class="path-value">' + escapeHtml(download.downloadPath) + '</span>';
+      pathsDiv.appendChild(dlPath);
+    }
+    if (download.targetPath) {
+      const tgtPath = document.createElement('div');
+      tgtPath.className = 'path-item';
+      tgtPath.innerHTML = '<span class="path-label">Target:</span> <span class="path-value">' + escapeHtml(download.targetPath) + '</span>';
+      pathsDiv.appendChild(tgtPath);
+    }
+    details.appendChild(pathsDiv);
+  }
+  
+  infoDiv.appendChild(details);
+  card.appendChild(infoDiv);
+  
+  return card;
+}
+
+export function createDetailItem(label, value) {
+  const item = document.createElement('div');
+  item.className = 'detail-item';
+  item.dataset.label = label;
+  
+  const labelSpan = document.createElement('span');
+  labelSpan.className = 'detail-label';
+  labelSpan.textContent = label;
+  
+  const valueSpan = document.createElement('span');
+  valueSpan.className = 'detail-value';
+  valueSpan.textContent = value;
+  
+  item.appendChild(labelSpan);
+  item.appendChild(valueSpan);
+  
+  return item;
+}
+
+function formatDate(dateString) {
+  if (!dateString) return 'N/A';
+  return new Date(dateString).toLocaleString();
+}
@@ -0,0 +1,87 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+
+import { state } from '../state.js';
+import { saveDownloadClients } from '../utils/storage.js';
+import { renderDownloads } from './downloads.js';
+
+export function initDownloadClientFilter() {
+  const filterBtn = document.getElementById('download-client-filter-btn');
+  const filterDropdown = document.getElementById('download-client-filter-dropdown');
+  const filterClose = document.getElementById('download-client-filter-close');
+  
+  if (!filterBtn || !filterDropdown) return;
+  
+  filterBtn.addEventListener('click', (e) => {
+    e.stopPropagation();
+    filterDropdown.classList.toggle('open');
+  });
+  
+  filterClose.addEventListener('click', () => {
+    filterDropdown.classList.remove('open');
+  });
+  
+  // Close dropdown when clicking outside
+  document.addEventListener('click', (e) => {
+    if (!filterDropdown.contains(e.target) && e.target !== filterBtn) {
+      filterDropdown.classList.remove('open');
+    }
+  });
+  
+  // Listen for download clients updates from SSE
+  document.addEventListener('downloadClientsUpdated', updateDownloadClientFilter);
+  
+  // Initial filter update
+  updateDownloadClientFilter();
+}
+
+export function updateDownloadClientFilter() {
+  const filterList = document.getElementById('download-client-filter-list');
+  if (!filterList) return;
+  
+  filterList.innerHTML = '';
+  
+  state.downloadClients.forEach((client, index) => {
+    const item = document.createElement('div');
+    item.className = 'filter-item';
+    item.dataset.index = index;
+    
+    const checkbox = document.createElement('input');
+    checkbox.type = 'checkbox';
+    checkbox.id = `client-${index}`;
+    checkbox.checked = state.selectedDownloadClients.includes(index);
+    checkbox.addEventListener('change', () => toggleClientSelection(index));
+    
+    const label = document.createElement('label');
+    label.htmlFor = `client-${index}`;
+    label.textContent = client.name || `${client.type} (${client.id})`;
+    
+    item.appendChild(checkbox);
+    item.appendChild(label);
+    filterList.appendChild(item);
+  });
+  
+  updateSelectedCountDisplay();
+}
+
+export function toggleClientSelection(index) {
+  const idx = state.selectedDownloadClients.indexOf(index);
+  if (idx > -1) {
+    state.selectedDownloadClients.splice(idx, 1);
+  } else {
+    state.selectedDownloadClients.push(index);
+  }
+  saveDownloadClients(state.selectedDownloadClients);
+  updateSelectedCountDisplay();
+  renderDownloads();
+}
+
+export function updateSelectedCountDisplay() {
+  const countDisplay = document.getElementById('download-client-filter-count');
+  if (!countDisplay) return;
+  
+  if (state.selectedDownloadClients.length === 0) {
+    countDisplay.textContent = 'All';
+  } else {
+    countDisplay.textContent = state.selectedDownloadClients.length;
+  }
+}
@@ -0,0 +1,226 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+
+import { state, HISTORY_REFRESH_MS } from '../state.js';
+import { loadHistory as apiLoadHistory } from '../api.js';
+import { saveHistoryDays, saveIgnoreAvailable } from '../utils/storage.js';
+import { formatDate, formatEpisodeInfo, escapeHtml } from '../utils/format.js';
+import { renderTagBadges } from './downloads.js';
+
+export function initHistoryControls() {
+  const daysInput = document.getElementById('history-days');
+  const refreshBtn = document.getElementById('history-refresh-btn');
+  const ignoreToggle = document.getElementById('ignore-available-toggle');
+  if (daysInput) {
+    daysInput.addEventListener('change', () => {
+      const v = parseInt(daysInput.value, 10);
+      if (v > 0 && v <= 90) {
+        historyDays = v;
+        saveHistoryDays(v);
+        loadHistory(true);
+      }
+    });
+  }
+  if (refreshBtn) {
+    refreshBtn.addEventListener('click', () => loadHistory(true));
+  }
+  if (ignoreToggle) {
+    ignoreToggle.checked = state.ignoreAvailable;
+    ignoreToggle.addEventListener('change', () => {
+      state.ignoreAvailable = ignoreToggle.checked;
+      saveIgnoreAvailable(state.ignoreAvailable);
+      renderHistory(state.lastHistoryItems);
+    });
+  }
+
+  // Listen for history reload events from other modules
+  document.addEventListener('historyReload', () => {
+    loadHistory(true);
+  });
+}
+
+export function startHistoryRefresh() {
+  stopHistoryRefresh();
+  state.historyRefreshHandle = setInterval(() => loadHistory(), HISTORY_REFRESH_MS);
+}
+
+export function stopHistoryRefresh() {
+  if (state.historyRefreshHandle) {
+    clearInterval(state.historyRefreshHandle);
+    state.historyRefreshHandle = null;
+  }
+}
+
+export function clearHistory() {
+  state.lastHistoryItems = [];
+  document.getElementById('history-list').innerHTML = '';
+  document.getElementById('no-history').classList.add('hidden');
+  document.getElementById('history-error').classList.add('hidden');
+}
+
+export async function loadHistory(forceRefresh = false) {
+  const listEl = document.getElementById('history-list');
+  const loadingEl = document.getElementById('history-loading');
+  const errorEl = document.getElementById('history-error');
+  const noHistoryEl = document.getElementById('no-history');
+
+  loadingEl.classList.remove('hidden');
+  errorEl.classList.add('hidden');
+  noHistoryEl.classList.add('hidden');
+
+  try {
+    const result = await apiLoadHistory(forceRefresh);
+    loadingEl.classList.add('hidden');
+    if (result.success) {
+      state.lastHistoryItems = result.history;
+      renderHistory(state.lastHistoryItems);
+    } else {
+      errorEl.textContent = result.error || 'Failed to load history.';
+      errorEl.classList.remove('hidden');
+    }
+  } catch (err) {
+    loadingEl.classList.add('hidden');
+    errorEl.textContent = 'Failed to load history.';
+    errorEl.classList.remove('hidden');
+    console.error('[History] Load error:', err);
+  }
+}
+
+export function renderHistory(items) {
+  const listEl = document.getElementById('history-list');
+  const noHistoryEl = document.getElementById('no-history');
+  listEl.innerHTML = '';
+  const visible = state.ignoreAvailable
+    ? items.filter(item => !(item.outcome === 'failed' && item.availableForUpgrade))
+    : items;
+  if (!visible.length) {
+    noHistoryEl.classList.remove('hidden');
+    return;
+  }
+  noHistoryEl.classList.add('hidden');
+  visible.forEach(item => listEl.appendChild(createHistoryCard(item)));
+}
+
+export function createHistoryCard(item) {
+  const card = document.createElement('div');
+  card.className = `history-card ${item.type} ${item.outcome}`;
+
+  if (item.coverArt) {
+    const coverDiv = document.createElement('div');
+    coverDiv.className = 'history-cover';
+    const img = document.createElement('img');
+    img.src = '/api/dashboard/cover-art?url=' + encodeURIComponent(item.coverArt);
+    img.alt = item.movieName || item.seriesName || item.title;
+    img.loading = 'lazy';
+    coverDiv.appendChild(img);
+    card.appendChild(coverDiv);
+  }
+
+  const info = document.createElement('div');
+  info.className = 'history-info';
+
+  // Header row: type badge + outcome badge
+  const header = document.createElement('div');
+  header.className = 'history-card-header';
+
+  const typeBadge = document.createElement('span');
+  typeBadge.className = `history-type-badge ${item.type}`;
+  typeBadge.textContent = item.type === 'series' ? '📺 Series' : '🎬 Movie';
+  header.appendChild(typeBadge);
+
+  const outcomeBadge = document.createElement('span');
+  outcomeBadge.className = `history-outcome-badge ${item.outcome}`;
+  outcomeBadge.textContent = item.outcome === 'imported' ? '✓ Imported' : '✗ Failed';
+  header.appendChild(outcomeBadge);
+
+  if (item.availableForUpgrade) {
+    const upgradeBadge = document.createElement('span');
+    upgradeBadge.className = 'history-upgrade-badge';
+    upgradeBadge.title = 'A previous version of this item is available. An upgrade download has failed.';
+    upgradeBadge.textContent = '⬆ Available';
+    header.appendChild(upgradeBadge);
+  }
+
+  if (item.instanceName) {
+    const instBadge = document.createElement('span');
+    instBadge.className = 'history-instance-badge';
+    instBadge.textContent = item.instanceName;
+    header.appendChild(instBadge);
+  }
+
+  const badges = renderTagBadges(item.tagBadges, state.showAll, item.matchedUserTag);
+  header.appendChild(badges);
+
+  info.appendChild(header);
+
+  // Title
+  const title = document.createElement('h3');
+  title.className = 'history-title';
+  title.textContent = item.title;
+  info.appendChild(title);
+
+  // Series/movie name with optional arr link
+  if (item.seriesName) {
+    const p = document.createElement('p');
+    p.className = 'history-media-name';
+    if (state.isAdmin && item.arrLink) {
+      p.innerHTML = 'Series: <a href="' + escapeHtml(item.arrLink) + '" target="_blank" class="arr-link">' + escapeHtml(item.seriesName) + '</a>';
+    } else {
+      p.textContent = 'Series: ' + item.seriesName;
+    }
+    info.appendChild(p);
+    const epEl = formatEpisodeInfo(item.episodes);
+    if (epEl) info.appendChild(epEl);
+  }
+  if (item.movieName) {
+    const p = document.createElement('p');
+    p.className = 'history-media-name';
+    if (state.isAdmin && item.arrLink) {
+      p.innerHTML = 'Movie: <a href="' + escapeHtml(item.arrLink) + '" target="_blank" class="arr-link">' + escapeHtml(item.movieName) + '</a>';
+    } else {
+      p.textContent = 'Movie: ' + item.movieName;
+    }
+    info.appendChild(p);
+  }
+
+  // Detail pills
+  const details = document.createElement('div');
+  details.className = 'history-details';
+
+  if (item.completedAt) {
+    details.appendChild(createDetailItem('Completed', formatDate(item.completedAt)));
+  }
+  if (item.quality) {
+    details.appendChild(createDetailItem('Quality', item.quality));
+  }
+
+  // Failed imports: show failure message
+  if (item.outcome === 'failed' && item.failureMessage) {
+    const failItem = document.createElement('div');
+    failItem.className = 'history-failure-message';
+    failItem.textContent = item.failureMessage;
+    details.appendChild(failItem);
+  }
+
+  info.appendChild(details);
+  card.appendChild(info);
+  return card;
+}
+
+function createDetailItem(label, value) {
+  const item = document.createElement('div');
+  item.className = 'detail-item';
+  item.dataset.label = label;
+  
+  const labelSpan = document.createElement('span');
+  labelSpan.className = 'detail-label';
+  labelSpan.textContent = label;
+  
+  const valueSpan = document.createElement('span');
+  valueSpan.className = 'detail-value';
+  valueSpan.textContent = value;
+  
+  item.appendChild(labelSpan);
+  item.appendChild(valueSpan);
+  
+  return item;
+}
@@ -0,0 +1,199 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+
+import { state, STATUS_REFRESH_MS } from '../state.js';
+import { refreshStatusPanel as apiRefreshStatusPanel } from '../api.js';
+import { fetchWebhookStatus } from './webhooks.js';
+
+export async function toggleStatusPanel() {
+  const panel = document.getElementById('status-panel');
+  const webhooksSection = document.getElementById('webhooks-section');
+  if (!panel.classList.contains('hidden')) {
+    // Close both panels (webhooks is a sibling, hide it too)
+    panel.classList.add('hidden');
+    if (webhooksSection) webhooksSection.classList.add('hidden');
+    if (state.statusRefreshHandle) { clearInterval(state.statusRefreshHandle); state.statusRefreshHandle = null; }
+    return;
+  }
+  // Open status panel and webhooks section (siblings)
+  panel.classList.remove('hidden');
+  // Show webhooks section for admin users (collapsed by default)
+  if (webhooksSection && state.isAdmin) {
+    webhooksSection.classList.remove('hidden');
+    state.webhookSectionExpanded = false;
+    document.getElementById('webhooks-content').classList.add('hidden');
+    document.getElementById('webhooks-toggle').classList.remove('expanded');
+    await fetchWebhookStatus();
+  } else if (webhooksSection) {
+    webhooksSection.classList.add('hidden');
+  }
+  refreshStatusPanel();
+  if (state.statusRefreshHandle) clearInterval(state.statusRefreshHandle);
+  state.statusRefreshHandle = setInterval(refreshStatusPanel, STATUS_REFRESH_MS);
+}
+
+export function closeStatusPanel() {
+  document.getElementById('status-panel').classList.add('hidden');
+  const webhooksSection = document.getElementById('webhooks-section');
+  if (webhooksSection) webhooksSection.classList.add('hidden');
+  if (state.statusRefreshHandle) { clearInterval(state.statusRefreshHandle); state.statusRefreshHandle = null; }
+}
+
+export async function refreshStatusPanel() {
+  const panel = document.getElementById('status-panel');
+  const contentDiv = document.getElementById('status-content');
+  console.log('[Status] panel found:', !!panel, 'contentDiv found:', !!contentDiv, 'panel display:', panel?.style?.display);
+  if (!panel || panel.classList.contains('hidden')) return;
+  console.log('[Status] Refreshing status panel...');
+  try {
+    const result = await apiRefreshStatusPanel();
+    if (result.success) {
+      console.log('[Status] Got status data, rendering...');
+      renderStatusPanel(result.data, panel);
+    } else {
+      console.error('[Status] API returned error:', result.error);
+      if (contentDiv && (!contentDiv.innerHTML || contentDiv.innerHTML.includes('status-loading'))) {
+        contentDiv.innerHTML = '<p class="status-error">Failed to load status: ' + result.error + '</p>';
+      }
+    }
+  } catch (err) {
+    console.error('[Status] Error fetching status:', err);
+    // Don't overwrite panel on transient error during auto-refresh
+    if (contentDiv && (!contentDiv.innerHTML || contentDiv.innerHTML.includes('status-loading'))) {
+      contentDiv.innerHTML = '<p class="status-error">Failed to load status: ' + err.message + '</p>';
+    }
+  }
+}
+
+export function renderStatusPanel(data, panel) {
+  console.log('[Status] renderStatusPanel called with data:', data ? 'yes' : 'no', 'keys:', data ? Object.keys(data) : 'none');
+  const s = data.server;
+  const hrs = Math.floor(s.uptimeSeconds / 3600);
+  const mins = Math.floor((s.uptimeSeconds % 3600) / 60);
+  const secs = s.uptimeSeconds % 60;
+  const uptime = `${hrs}h ${mins}m ${secs}s`;
+
+  const totalKB = (data.cache.totalSizeBytes / 1024).toFixed(1);
+
+  let html = `
+    <div class="status-header">
+      <h3>Server Status</h3>
+      <button class="status-close" id="status-close-btn">&times;</button>
+    </div>
+    <div class="status-grid">
+      <div class="status-card">
+        <div class="status-card-title">Server</div>
+        <div class="status-row"><span>Uptime</span><span>${uptime}</span></div>
+        <div class="status-row"><span>Node</span><span>${escapeHtml(s.nodeVersion)}</span></div>
+        <div class="status-row"><span>Memory (RSS)</span><span>${s.memoryUsageMB} MB</span></div>
+        <div class="status-row"><span>Heap</span><span>${s.heapUsedMB} / ${s.heapTotalMB} MB</span></div>
+      </div>
+      <div class="status-card">
+        <div class="status-card-title">Data Refresh</div>`;
+
+  const pollIntervalMs = data.polling.intervalMs;
+  const clients = data.clients || [];
+  const sseClients = clients.filter(c => c.type === 'sse');
+
+  if (data.polling.enabled) {
+    html += `<div class="status-row"><span>Background poll</span><span>${pollIntervalMs / 1000}s</span></div>`;
+  } else {
+    html += `<div class="status-row"><span>Background poll</span><span>Disabled</span></div>`;
+  }
+
+  const mode = sseClients.length > 0
+    ? `<span class="status-fg-badge">SSE push</span>`
+    : (data.polling.enabled ? 'Background' : 'On-demand (idle)');
+  html += `<div class="status-row"><span>Delivery mode</span><span>${mode}</span></div>`;
+
+  html += `<div class="status-row"><span>SSE clients</span><span>${sseClients.length}</span></div>`;
+  for (const c of sseClients) {
+    const age = Math.round((Date.now() - c.connectedAt) / 1000);
+    html += `<div class="status-row status-row-sub"><span>${escapeHtml(c.user)}</span><span>connected ${age}s ago</span></div>`;
+  }
+
+  html += `</div>`;
+
+  // Webhook metrics card (admin only)
+  if (state.isAdmin && data.webhooks) {
+    const wh = data.webhooks;
+    const sonarrEnabled = wh.sonarr?.enabled ? '●' : '○';
+    const radarrEnabled = wh.radarr?.enabled ? '●' : '○';
+    const sonarrEvents = wh.sonarr?.eventsReceived || 0;
+    const radarrEvents = wh.radarr?.eventsReceived || 0;
+    const sonarrPolls = wh.sonarr?.pollsSkipped || 0;
+    const radarrPolls = wh.radarr?.pollsSkipped || 0;
+
+    html += `
+      <div class="status-card">
+        <div class="status-card-title">Webhooks</div>
+        <div class="status-row"><span>Sonarr</span><span>${sonarrEnabled} ${wh.sonarr?.enabled ? 'Enabled' : 'Disabled'}</span></div>
+        <div class="status-row"><span>Radarr</span><span>${radarrEnabled} ${wh.radarr?.enabled ? 'Enabled' : 'Disabled'}</span></div>
+        <div class="status-row status-row-sub"><span>Events</span><span>S:${sonarrEvents} R:${radarrEvents}</span></div>
+        <div class="status-row status-row-sub"><span>Polls skipped</span><span>S:${sonarrPolls} R:${radarrPolls}</span></div>
+      </div>`;
+  }
+
+  // Poll timings card
+  const lp = data.polling.lastPoll;
+  if (lp) {
+    const pollAge = Math.round((Date.now() - new Date(lp.timestamp).getTime()) / 1000);
+    html += `
+      <div class="status-card status-card-wide">
+        <div class="status-card-title">Last Poll (${lp.totalMs}ms total, ${pollAge}s ago)</div>
+        <div class="status-timings">`;
+    const maxTaskMs = lp.tasks.reduce((max, t) => Math.max(max, t.ms), 1);
+    for (const t of lp.tasks) {
+      const barWidth = Math.max(2, (t.ms / maxTaskMs) * 100);
+      html += `
+          <div class="timing-row">
+            <span class="timing-label">${escapeHtml(t.label)}</span>
+            <div class="timing-bar-bg"><div class="timing-bar" data-w="${barWidth.toFixed(1)}"></div></div>
+            <span class="timing-value">${t.ms}ms</span>
+          </div>`;
+    }
+    html += `</div></div>`;
+  }
+
+  // Cache table
+  html += `
+      <div class="status-card status-card-wide">
+        <div class="status-card-title">Cache (${data.cache.entryCount} entries, ${totalKB} KB)</div>
+        <table class="status-table">
+          <thead><tr><th>Key</th><th>Items</th><th>Size</th><th>TTL</th></tr></thead>
+          <tbody>`;
+
+  for (const e of data.cache.entries) {
+    const sizeStr = e.sizeBytes > 1024 ? (e.sizeBytes / 1024).toFixed(1) + ' KB' : e.sizeBytes + ' B';
+    const ttlStr = e.expired ? '<span class="status-expired">expired</span>' : (e.ttlRemainingMs / 1000).toFixed(0) + 's';
+    const items = e.itemCount !== null ? e.itemCount : '—';
+    html += `<tr><td><code>${escapeHtml(e.key)}</code></td><td>${items}</td><td>${sizeStr}</td><td>${ttlStr}</td></tr>`;
+  }
+
+  html += `</tbody></table></div></div>`;
+  // Render into status-content div, not the whole panel (preserves webhooks section)
+  const contentDiv = document.getElementById('status-content');
+  const panelCheck = document.getElementById('status-panel');
+  console.log('[Status] contentDiv found:', !!contentDiv, 'panel children:', panelCheck?.children?.length, 'HTML length:', html.length);
+  if (panelCheck) {
+    console.log('[Status] panel innerHTML preview:', panelCheck.innerHTML.substring(0, 200));
+  }
+  if (contentDiv) {
+    contentDiv.innerHTML = html;
+    console.log('[Status] HTML rendered, contentDiv innerHTML length:', contentDiv.innerHTML.length);
+  } else {
+    console.error('[Status] contentDiv not found!');
+  }
+  // Wire close button — addEventListener avoids CSP inline handler restrictions
+  const closeBtn = document.getElementById('status-close-btn');
+  if (closeBtn) closeBtn.addEventListener('click', closeStatusPanel);
+  // Set bar widths via JS DOM assignment — immune to CSP style-src restrictions
+  panel.querySelectorAll('.timing-bar[data-w]').forEach(el => {
+    el.style.width = el.dataset.w + '%';
+  });
+}
+
+function escapeHtml(str) {
+  const div = document.createElement('div');
+  div.textContent = str;
+  return div.innerHTML;
+}
@@ -0,0 +1,48 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+
+import { getActiveTab, saveActiveTab } from '../utils/storage.js';
+import { loadHistory } from './history.js';
+
+export function initTabs() {
+  const downloadsTab = document.querySelector('[data-tab="downloads"]');
+  const historyTab = document.querySelector('[data-tab="history"]');
+  
+  if (!downloadsTab || !historyTab) return;
+  
+  // Load saved tab
+  const savedTab = getActiveTab();
+  if (savedTab === 'history') {
+    activateTab('history');
+  } else {
+    activateTab('downloads');
+  }
+  
+  downloadsTab.addEventListener('click', () => activateTab('downloads'));
+  historyTab.addEventListener('click', () => activateTab('history'));
+}
+
+export function activateTab(tab) {
+  const downloadsTab = document.querySelector('[data-tab="downloads"]');
+  const historyTab = document.querySelector('[data-tab="history"]');
+  const downloadsSection = document.getElementById('tab-downloads');
+  const historySection = document.getElementById('tab-history');
+  
+  if (tab === 'downloads') {
+    downloadsTab.classList.add('active');
+    historyTab.classList.remove('active');
+    downloadsSection.classList.remove('hidden');
+    historySection.classList.add('hidden');
+    saveActiveTab('downloads');
+  } else if (tab === 'history') {
+    historyTab.classList.add('active');
+    downloadsTab.classList.remove('active');
+    historySection.classList.remove('hidden');
+    downloadsSection.classList.add('hidden');
+    saveActiveTab('history');
+    loadHistory();
+  }
+}
+
+export function goHome() {
+  activateTab('downloads');
+}
@@ -0,0 +1,27 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+
+import { getTheme, saveTheme } from '../utils/storage.js';
+
+// Apply saved theme immediately on load
+(function applyTheme() {
+  const theme = getTheme();
+  if (theme) {
+    document.documentElement.setAttribute('data-theme', theme);
+  }
+})();
+
+export function initThemeSwitcher() {
+  const themeToggle = document.getElementById('theme-toggle');
+  if (!themeToggle) return;
+  
+  themeToggle.addEventListener('click', () => {
+    const currentTheme = getTheme();
+    const newTheme = currentTheme === 'dark' ? 'light' : 'dark';
+    setTheme(newTheme);
+  });
+}
+
+export function setTheme(theme) {
+  document.documentElement.setAttribute('data-theme', theme);
+  saveTheme(theme);
+}
@@ -0,0 +1,213 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+
+import { state } from '../state.js';
+import { fetchWebhookStatus as apiFetchWebhookStatus, enableSonarrWebhook as apiEnableSonarrWebhook, enableRadarrWebhook as apiEnableRadarrWebhook, testSonarrWebhook as apiTestSonarrWebhook, testRadarrWebhook as apiTestRadarrWebhook } from '../api.js';
+import { formatTimeAgo } from '../utils/format.js';
+
+export function initWebhooks() {
+  const webhooksSection = document.getElementById('webhooks-section');
+  if (!webhooksSection) return;
+  
+  // Note: visibility is controlled by showDashboard() based on isAdmin
+  
+  document.getElementById('webhooks-header').addEventListener('click', toggleWebhookSection);
+  document.getElementById('enable-sonarr-webhook').addEventListener('click', enableSonarrWebhook);
+  document.getElementById('enable-radarr-webhook').addEventListener('click', enableRadarrWebhook);
+  document.getElementById('test-sonarr-webhook').addEventListener('click', testSonarrWebhook);
+  document.getElementById('test-radarr-webhook').addEventListener('click', testRadarrWebhook);
+}
+
+export function toggleWebhookSection() {
+  state.webhookSectionExpanded = !state.webhookSectionExpanded;
+  const content = document.getElementById('webhooks-content');
+  const toggle = document.getElementById('webhooks-toggle');
+  
+  if (state.webhookSectionExpanded) {
+    content.classList.remove('hidden');
+  } else {
+    content.classList.add('hidden');
+  }
+  toggle.classList.toggle('expanded', state.webhookSectionExpanded);
+  
+  if (state.webhookSectionExpanded) {
+    fetchWebhookStatus();
+  }
+}
+
+export async function fetchWebhookStatus() {
+  const loadingEl = document.getElementById('webhook-loading');
+  loadingEl.classList.remove('hidden');
+  
+  try {
+    const result = await apiFetchWebhookStatus();
+    if (result.success) {
+      renderWebhookStatus();
+    }
+  } catch (err) {
+    console.error('Failed to fetch webhook status:', err);
+  } finally {
+    loadingEl.classList.add('hidden');
+  }
+}
+
+export function renderWebhookStatus() {
+  // Sonarr
+  const sonarrStatus = document.getElementById('sonarr-status');
+  const sonarrEnableBtn = document.getElementById('enable-sonarr-webhook');
+  const sonarrTestBtn = document.getElementById('test-sonarr-webhook');
+  const sonarrTriggers = document.getElementById('sonarr-triggers');
+  const sonarrStats = document.getElementById('sonarr-stats');
+  
+  sonarrStatus.textContent = sonarrWebhook.enabled ? '● Enabled' : '○ Disabled';
+  sonarrStatus.className = 'status-indicator ' + (sonarrWebhook.enabled ? 'enabled' : 'disabled');
+  if (sonarrWebhook.enabled) {
+    sonarrEnableBtn.classList.add('hidden');
+    sonarrTestBtn.classList.remove('hidden');
+    sonarrTriggers.classList.remove('hidden');
+  } else {
+    sonarrEnableBtn.classList.remove('hidden');
+    sonarrTestBtn.classList.add('hidden');
+    sonarrTriggers.classList.add('hidden');
+  }
+  
+  if (sonarrWebhook.enabled) {
+    document.getElementById('sonarr-onGrab').textContent = sonarrWebhook.triggers.onGrab ? '✓' : '✗';
+    document.getElementById('sonarr-onGrab').className = 'trigger-value ' + (sonarrWebhook.triggers.onGrab ? 'active' : 'inactive');
+    document.getElementById('sonarr-onDownload').textContent = sonarrWebhook.triggers.onDownload ? '✓' : '✗';
+    document.getElementById('sonarr-onDownload').className = 'trigger-value ' + (sonarrWebhook.triggers.onDownload ? 'active' : 'inactive');
+    document.getElementById('sonarr-onImport').textContent = sonarrWebhook.triggers.onImport ? '✓' : '✗';
+    document.getElementById('sonarr-onImport').className = 'trigger-value ' + (sonarrWebhook.triggers.onImport ? 'active' : 'inactive');
+    document.getElementById('sonarr-onUpgrade').textContent = sonarrWebhook.triggers.onUpgrade ? '✓' : '✗';
+    document.getElementById('sonarr-onUpgrade').className = 'trigger-value ' + (sonarrWebhook.triggers.onUpgrade ? 'active' : 'inactive');
+  }
+  
+  if (sonarrWebhook.stats) {
+    sonarrStats.classList.remove('hidden');
+    document.getElementById('sonarr-events').textContent = sonarrWebhook.stats.eventsReceived ?? 0;
+    document.getElementById('sonarr-polls').textContent = sonarrWebhook.stats.pollsSkipped ?? 0;
+    document.getElementById('sonarr-last').textContent = formatTimeAgo(sonarrWebhook.stats.lastWebhookTimestamp);
+  } else {
+    sonarrStats.classList.add('hidden');
+  }
+  
+  // Radarr
+  const radarrStatus = document.getElementById('radarr-status');
+  const radarrEnableBtn = document.getElementById('enable-radarr-webhook');
+  const radarrTestBtn = document.getElementById('test-radarr-webhook');
+  const radarrTriggers = document.getElementById('radarr-triggers');
+  const radarrStats = document.getElementById('radarr-stats');
+  
+  radarrStatus.textContent = radarrWebhook.enabled ? '● Enabled' : '○ Disabled';
+  radarrStatus.className = 'status-indicator ' + (radarrWebhook.enabled ? 'enabled' : 'disabled');
+  if (radarrWebhook.enabled) {
+    radarrEnableBtn.classList.add('hidden');
+    radarrTestBtn.classList.remove('hidden');
+    radarrTriggers.classList.remove('hidden');
+  } else {
+    radarrEnableBtn.classList.remove('hidden');
+    radarrTestBtn.classList.add('hidden');
+    radarrTriggers.classList.add('hidden');
+  }
+  
+  if (radarrWebhook.enabled) {
+    document.getElementById('radarr-onGrab').textContent = radarrWebhook.triggers.onGrab ? '✓' : '✗';
+    document.getElementById('radarr-onGrab').className = 'trigger-value ' + (radarrWebhook.triggers.onGrab ? 'active' : 'inactive');
+    document.getElementById('radarr-onDownload').textContent = radarrWebhook.triggers.onDownload ? '✓' : '✗';
+    document.getElementById('radarr-onDownload').className = 'trigger-value ' + (radarrWebhook.triggers.onDownload ? 'active' : 'inactive');
+    document.getElementById('radarr-onImport').textContent = radarrWebhook.triggers.onImport ? '✓' : '✗';
+    document.getElementById('radarr-onImport').className = 'trigger-value ' + (radarrWebhook.triggers.onImport ? 'active' : 'inactive');
+    document.getElementById('radarr-onUpgrade').textContent = radarrWebhook.triggers.onUpgrade ? '✓' : '✗';
+    document.getElementById('radarr-onUpgrade').className = 'trigger-value ' + (radarrWebhook.triggers.onUpgrade ? 'active' : 'inactive');
+  }
+  
+  if (radarrWebhook.stats) {
+    radarrStats.classList.remove('hidden');
+    document.getElementById('radarr-events').textContent = radarrWebhook.stats.eventsReceived ?? 0;
+    document.getElementById('radarr-polls').textContent = radarrWebhook.stats.pollsSkipped ?? 0;
+    document.getElementById('radarr-last').textContent = formatTimeAgo(radarrWebhook.stats.lastWebhookTimestamp);
+  } else {
+    radarrStats.classList.add('hidden');
+  }
+}
+
+export async function enableSonarrWebhook() {
+  setWebhookLoading(true);
+  try {
+    const result = await apiEnableSonarrWebhook();
+    if (!result.success) {
+      console.error('Failed to enable Sonarr webhook:', result.error);
+      alert('Failed to enable Sonarr webhook. Check console for details.');
+    }
+  } catch (err) {
+    console.error('Failed to enable Sonarr webhook:', err);
+    alert('Failed to enable Sonarr webhook. Check console for details.');
+  } finally {
+    setWebhookLoading(false);
+  }
+}
+
+export async function enableRadarrWebhook() {
+  setWebhookLoading(true);
+  try {
+    const result = await apiEnableRadarrWebhook();
+    if (!result.success) {
+      console.error('Failed to enable Radarr webhook:', result.error);
+      alert('Failed to enable Radarr webhook. Check console for details.');
+    }
+  } catch (err) {
+    console.error('Failed to enable Radarr webhook:', err);
+    alert('Failed to enable Radarr webhook. Check console for details.');
+  } finally {
+    setWebhookLoading(false);
+  }
+}
+
+export async function testSonarrWebhook() {
+  setWebhookLoading(true);
+  try {
+    const result = await apiTestSonarrWebhook();
+    if (result.success) {
+      alert('Sonarr webhook test sent successfully!');
+    } else {
+      console.error('Failed to test Sonarr webhook:', result.error);
+      alert('Failed to test Sonarr webhook. Check console for details.');
+    }
+  } catch (err) {
+    console.error('Failed to test Sonarr webhook:', err);
+    alert('Failed to test Sonarr webhook. Check console for details.');
+  } finally {
+    setWebhookLoading(false);
+  }
+}
+
+export async function testRadarrWebhook() {
+  setWebhookLoading(true);
+  try {
+    const result = await apiTestRadarrWebhook();
+    if (result.success) {
+      alert('Radarr webhook test sent successfully!');
+    } else {
+      console.error('Failed to test Radarr webhook:', result.error);
+      alert('Failed to test Radarr webhook. Check console for details.');
+    }
+  } catch (err) {
+    console.error('Failed to test Radarr webhook:', err);
+    alert('Failed to test Radarr webhook. Check console for details.');
+  } finally {
+    setWebhookLoading(false);
+  }
+}
+
+export function setWebhookLoading(loading) {
+  state.webhookLoading = loading;
+  document.getElementById('enable-sonarr-webhook').disabled = loading;
+  document.getElementById('enable-radarr-webhook').disabled = loading;
+  document.getElementById('test-sonarr-webhook').disabled = loading;
+  document.getElementById('test-radarr-webhook').disabled = loading;
+  const loadingEl = document.getElementById('webhook-loading');
+  if (loading) {
+    loadingEl.classList.remove('hidden');
+  } else {
+    loadingEl.classList.add('hidden');
+  }
+}
@@ -0,0 +1,74 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+
+export function formatSize(size) {
+  if (!size) return 'N/A';
+  // If already a formatted string (e.g., "21.5 GB"), return as-is
+  if (typeof size === 'string') {
+    return size;
+  }
+  // If it's a number (bytes), format it
+  const sizes = ['B', 'KB', 'MB', 'GB', 'TB'];
+  const i = Math.floor(Math.log(size) / Math.log(1024));
+  return Math.round(size / Math.pow(1024, i) * 100) / 100 + ' ' + sizes[i];
+}
+
+export function formatSpeed(bytesPerSecond) {
+  if (!bytesPerSecond || bytesPerSecond === 0) return '0 B/s';
+  
+  const units = ['B/s', 'KB/s', 'MB/s', 'GB/s'];
+  let value = bytesPerSecond;
+  let unitIndex = 0;
+  
+  while (value >= 1024 && unitIndex < units.length - 1) {
+    value /= 1024;
+    unitIndex++;
+  }
+  
+  return `${value.toFixed(2)} ${units[unitIndex]}`;
+}
+
+export function formatDate(dateString) {
+  if (!dateString) return 'N/A';
+  return new Date(dateString).toLocaleString();
+}
+
+export function formatTimeAgo(timestamp) {
+  if (!timestamp) return 'Never';
+  const seconds = Math.floor((Date.now() - timestamp) / 1000);
+  if (seconds < 60) return seconds + 's ago';
+  const minutes = Math.floor(seconds / 60);
+  if (minutes < 60) return minutes + 'm ago';
+  const hours = Math.floor(minutes / 60);
+  if (hours < 24) return hours + 'h ago';
+  return Math.floor(hours / 24) + 'd ago';
+}
+
+export function escapeHtml(str) {
+  const div = document.createElement('div');
+  div.textContent = str;
+  return div.innerHTML;
+}
+
+// Build an episode-info element for series downloads/history.
+// Single episode: "S01E05 — Episode Title"
+// Multiple episodes: "Multiple episodes" with tooltip listing them all.
+// Returns null if no episode data.
+export function formatEpisodeInfo(episodes) {
+  if (!episodes || episodes.length === 0) return null;
+  const el = document.createElement('p');
+  el.className = 'episode-info';
+  if (episodes.length === 1) {
+    const ep = episodes[0];
+    const code = 'S' + String(ep.season).padStart(2, '0') + 'E' + String(ep.episode).padStart(2, '0');
+    el.textContent = ep.title ? code + ' \u2014 ' + ep.title : code;
+  } else {
+    el.textContent = 'Multiple episodes';
+    el.classList.add('multi-episode');
+    const lines = episodes.map(ep => {
+      const code = 'S' + String(ep.season).padStart(2, '0') + 'E' + String(ep.episode).padStart(2, '0');
+      return ep.title ? code + ' \u2014 ' + ep.title : code;
+    });
+    el.setAttribute('data-tooltip', lines.join('\n'));
+  }
+  return el;
+}
@@ -0,0 +1,76 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+
+import { state } from '../state.js';
+
+// Migration from old single-select to new multi-select format
+(function migrateDownloadClientFilter() {
+  const oldSelection = localStorage.getItem('sofarr-download-client');
+  if (oldSelection && oldSelection !== 'all') {
+    try {
+      state.selectedDownloadClients = [oldSelection];
+      localStorage.setItem('sofarr-download-clients', JSON.stringify(state.selectedDownloadClients));
+      localStorage.removeItem('sofarr-download-client');
+    } catch (e) {
+      console.error('[Migration] Failed to migrate download client filter:', e);
+    }
+  } else {
+    try {
+      const newSelection = localStorage.getItem('sofarr-download-clients');
+      state.selectedDownloadClients = newSelection ? JSON.parse(newSelection) : [];
+    } catch (e) {
+      console.error('[Migration] Failed to load download client filter:', e);
+      state.selectedDownloadClients = [];
+    }
+  }
+})();
+
+// Load history days from localStorage
+(function loadHistorySettings() {
+  try {
+    const savedDays = localStorage.getItem('sofarr-history-days');
+    if (savedDays) {
+      state.historyDays = parseInt(savedDays, 10) || 7;
+    }
+  } catch (e) {
+    console.error('[Storage] Failed to load history days:', e);
+  }
+})();
+
+// Load ignore available setting from localStorage
+(function loadIgnoreAvailable() {
+  try {
+    const saved = localStorage.getItem('sofarr-ignore-available');
+    state.ignoreAvailable = saved === 'true';
+  } catch (e) {
+    console.error('[Storage] Failed to load ignore available:', e);
+  }
+})();
+
+// Export helper functions for localStorage operations
+export function saveHistoryDays(days) {
+  localStorage.setItem('sofarr-history-days', days);
+}
+
+export function saveIgnoreAvailable(value) {
+  localStorage.setItem('sofarr-ignore-available', value);
+}
+
+export function saveDownloadClients(clients) {
+  localStorage.setItem('sofarr-download-clients', JSON.stringify(clients));
+}
+
+export function getTheme() {
+  return localStorage.getItem('sofarr-theme') || 'light';
+}
+
+export function saveTheme(theme) {
+  localStorage.setItem('sofarr-theme', theme);
+}
+
+export function getActiveTab() {
+  return localStorage.getItem('sofarr-active-tab') || 'downloads';
+}
+
+export function saveActiveTab(tab) {
+  localStorage.setItem('sofarr-active-tab', tab);
+}
@@ -1,8 +1,21 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 import { defineConfig } from 'vite'
-import react from '@vitejs/plugin-react'

 export default defineConfig({
-  plugins: [react()],
+  build: {
+    outDir: '../public',
+    emptyOutDir: false,
+    rollupOptions: {
+      input: {
+        main: './src/main.js'
+      },
+      output: {
+        entryFileNames: 'app.js',
+        chunkFileNames: '[name].js',
+        assetFileNames: '[name][extname]'
+      }
+    }
+  },
  server: {
    port: 5173,
    proxy: {
@@ -4,15 +4,25 @@ services:
    container_name: sofarr
    restart: unless-stopped
    ports:
-      - "127.0.0.1:3001:3001"   # bind to loopback only — expose via reverse proxy
+      # Direct HTTPS (default — uses bundled snakeoil cert if TLS_CERT not set)
+      - "3001:3001"
+      # Uncomment the line below and comment out the above to bind to loopback
+      # only when using a reverse proxy (set TLS_ENABLED=false in that case):
+      # - "127.0.0.1:3001:3001"
    environment:
      - PORT=3001
      - NODE_ENV=production
      - LOG_LEVEL=info
-      # Set to 1 when running behind a reverse proxy (Nginx, Caddy, Traefik)
-      # so Express trusts X-Forwarded-For and X-Forwarded-Proto headers.
-      - TRUST_PROXY=1
-      # --- Replace placeholders with real values or use Docker secrets ---
+      # --- TLS ---
+      # Default: TLS enabled using bundled snakeoil cert (self-signed).
+      # Supply your own cert/key by mounting them and setting these paths:
+      # - TLS_CERT=/app/certs/server.crt
+      # - TLS_KEY=/app/certs/server.key
+      # Set TLS_ENABLED=false if terminating TLS at a reverse proxy instead.
+      # If using a reverse proxy, also set TRUST_PROXY=1 below.
+      # - TRUST_PROXY=1
+      # --- Secrets: use _FILE variants (Docker secrets) in production -------
+      # Option A — plain environment variables (simple, less secure):
      - COOKIE_SECRET=change-me-generate-with-openssl-rand-hex-32
      - EMBY_URL=https://emby.example.com
      - EMBY_API_KEY=your-emby-api-key
@@ -20,13 +30,31 @@ services:
      - RADARR_INSTANCES=[{"name":"main","url":"https://radarr.example.com","apiKey":"your-radarr-api-key"}]
      - SABNZBD_INSTANCES=[{"name":"main","url":"https://sabnzbd.example.com","apiKey":"your-sabnzbd-api-key"}]
      - QBITTORRENT_INSTANCES=[{"name":"main","url":"https://qbittorrent.example.com","username":"admin","password":"your-password"}]
+      # Option B — Docker secrets (_FILE pattern, recommended for production):
+      # Uncomment the lines below and comment out Option A above.
+      # Create secret files with: echo -n "value" > ./secrets/cookie_secret.txt
+      # - COOKIE_SECRET_FILE=/run/secrets/cookie_secret
+      # - EMBY_API_KEY_FILE=/run/secrets/emby_api_key
+      # - SONARR_API_KEY_FILE=/run/secrets/sonarr_api_key   # legacy single-instance only
+      # - RADARR_API_KEY_FILE=/run/secrets/radarr_api_key   # legacy single-instance only
+      # - SABNZBD_API_KEY_FILE=/run/secrets/sabnzbd_api_key # legacy single-instance only
+    # secrets:                      # uncomment when using Option B
+    #   - cookie_secret
+    #   - emby_api_key
    volumes:
-      # Persistent volume for SQLite token store and log file
+      # Persistent volume for token store and log file
      - sofarr-data:/app/data
+      # Mount code for development (comment out in production)
+      - ./server:/app/server
+      - ./public:/app/public
+      # Mount your own TLS certificate and key (optional — snakeoil used if omitted)
+      # - /path/to/your/server.crt:/app/certs/server.crt:ro
+      # - /path/to/your/server.key:/app/certs/server.key:ro
    # Run as the built-in non-root 'node' user (UID/GID 1000)
    user: "1000:1000"
    # Read-only root filesystem; only the data volume is writable
-    read_only: true
+    # Comment out for development when mounting code volumes
+    # read_only: true
    tmpfs:
      - /tmp                    # Node.js needs a writable /tmp
    security_opt:
@@ -35,7 +63,9 @@ services:
      - ALL                     # drop all Linux capabilities
    cap_add: []                 # add back none — Node.js needs no special caps
    healthcheck:
-      test: ["CMD", "wget", "-qO-", "http://localhost:3001/health"]
+      # Respects TLS_ENABLED: uses http when set to false, https otherwise.
+      # --no-check-certificate handles self-signed / snakeoil certs.
+      test: ["CMD", "/bin/sh", "-c", "[ \"${TLS_ENABLED:-true}\" = \"false\" ] && wget -qO- http://localhost:${PORT:-3001}/health || wget -qO- --no-check-certificate https://localhost:${PORT:-3001}/health"]
      interval: 30s
      timeout: 5s
      retries: 3
@@ -43,3 +73,10 @@ services:

 volumes:
  sofarr-data:
+
+# Docker secrets definitions (uncomment and populate when using Option B above)
+# secrets:
+#   cookie_secret:
+#     file: ./secrets/cookie_secret.txt
+#   emby_api_key:
+#     file: ./secrets/emby_api_key.txt
@@ -0,0 +1,399 @@
+# Adding a New Download Client to Sofarr
+
+This guide explains how to add support for a new download client to Sofarr using the Pluggable Download Client Architecture (PDCA).
+
+## Overview
+
+The PDCA makes adding new download clients straightforward by providing a standardized interface. You only need to implement the `DownloadClient` abstract base class and register your client in the configuration system.
+
+## Prerequisites
+
+- Familiarity with JavaScript/Node.js
+- Understanding of your target client's API
+- Basic knowledge of Sofarr's architecture (see [ARCHITECTURE.md](ARCHITECTURE.md))
+
+## Step 1: Create the Client Class
+
+Create a new file in `server/clients/` named after your client (e.g., `DelugeClient.js`).
+
+```javascript
+// server/clients/DelugeClient.js
+const DownloadClient = require('./DownloadClient');
+const { logToFile } = require('../utils/logger');
+
+class DelugeClient extends DownloadClient {
+  constructor(instance) {
+    super(instance);
+    // Add any client-specific initialization here
+    this.sessionId = null;
+    this.rpcUrl = `${this.url}/json`;
+  }
+
+  getClientType() {
+    return 'deluge';
+  }
+
+  async testConnection() {
+    try {
+      // Implement connection test logic
+      const response = await this.makeRequest('auth.check_session');
+      logToFile(`[Deluge:${this.name}] Connection test successful`);
+      return true;
+    } catch (error) {
+      logToFile(`[Deluge:${this.name}] Connection test failed: ${error.message}`);
+      return false;
+    }
+  }
+
+  async makeRequest(method, params = []) {
+    // Implement RPC call logic
+    const payload = {
+      method: method,
+      params: params,
+      id: Date.now()
+    };
+
+    // Add authentication if needed
+    if (this.sessionId) {
+      payload.params.unshift(this.sessionId);
+    }
+
+    // Make HTTP request to your client's API
+    // Handle authentication, errors, etc.
+  }
+
+  async getActiveDownloads() {
+    try {
+      // Fetch downloads from your client
+      const torrents = await this.makeRequest('core.get_torrents_status', 
+        [{}, ['name', 'state', 'progress', 'total_size', 'download_payload_rate']]
+      );
+
+      // Normalize each download using the standard schema
+      return Object.entries(torrents).map(([id, torrent]) => 
+        this.normalizeDownload({ ...torrent, id })
+      );
+    } catch (error) {
+      logToFile(`[Deluge:${this.name}] Error fetching downloads: ${error.message}`);
+      return [];
+    }
+  }
+
+  async getClientStatus() {
+    try {
+      // Optional: Return client status information
+      const status = await this.makeRequest('core.get_session_status');
+      return status;
+    } catch (error) {
+      logToFile(`[Deluge:${this.name}] Error getting client status: ${error.message}`);
+      return null;
+    }
+  }
+
+  normalizeDownload(torrent) {
+    // Convert client-specific data to the normalized schema
+    return {
+      id: torrent.id,
+      title: torrent.name,
+      type: 'torrent',
+      client: 'deluge',
+      instanceId: this.id,
+      instanceName: this.name,
+      status: this.mapStatus(torrent.state),
+      progress: Math.round(torrent.progress * 100),
+      size: torrent.total_size,
+      downloaded: Math.round(torrent.total_size * torrent.progress),
+      speed: torrent.download_payload_rate,
+      eta: torrent.eta > 0 ? torrent.eta : null,
+      category: torrent.label || undefined,
+      tags: torrent.tracker ? [torrent.tracker] : [],
+      savePath: torrent.save_path,
+      addedOn: torrent.added_time ? new Date(torrent.added_time * 1000).toISOString() : undefined,
+      raw: torrent // Include original data for advanced use cases
+    };
+  }
+
+  mapStatus(state) {
+    // Map client-specific states to normalized statuses
+    const statusMap = {
+      'Downloading': 'Downloading',
+      'Seeding': 'Seeding',
+      'Paused': 'Paused',
+      'Checking': 'Checking',
+      'Error': 'Error',
+      'Queued': 'Queued'
+    };
+    
+    return statusMap[state] || state;
+  }
+}
+
+module.exports = DelugeClient;
+```
+
+## Step 2: Add Configuration Support
+
+Update `server/utils/config.js` to add support for your client's environment variables:
+
+```javascript
+function getDelugeInstances() {
+  return parseInstances(
+    process.env.DELUGE_INSTANCES,
+    process.env.DELUGE_URL,
+    null, // no apiKey for Deluge
+    process.env.DELUGE_USERNAME,
+    process.env.DELUGE_PASSWORD
+  );
+}
+
+// Add to module.exports
+module.exports = {
+  // ... existing exports
+  getDelugeInstances,
+  // ... other exports
+};
+```
+
+## Step 3: Register the Client
+
+Update `server/utils/downloadClients.js` to include your client:
+
+```javascript
+const DelugeClient = require('../clients/DelugeClient');
+
+// Add to clientClasses mapping
+const clientClasses = {
+  sabnzbd: SABnzbdClient,
+  qbittorrent: QBittorrentClient,
+  transmission: TransmissionClient,
+  deluge: DelugeClient // Add your client here
+};
+
+// Update instance configuration
+const instanceConfigs = [
+  ...sabnzbdInstances.map(inst => ({ ...inst, type: 'sabnzbd' })),
+  ...qbittorrentInstances.map(inst => ({ ...inst, type: 'qbittorrent' })),
+  ...transmissionInstances.map(inst => ({ ...inst, type: 'transmission' })),
+  ...delugeInstances.map(inst => ({ ...inst, type: 'deluge' })) // Add this line
+];
+```
+
+## Step 4: Update Poller Integration
+
+The poller automatically uses the registry, so no changes are needed there. However, if you want to maintain backward compatibility with existing cache keys, you may need to update the poller's transformation logic.
+
+## Step 5: Add Tests
+
+Create comprehensive tests for your client:
+
+```javascript
+// tests/unit/clients/DelugeClient.test.js
+const DelugeClient = require('../../../server/clients/DelugeClient');
+
+describe('DelugeClient', () => {
+  let client;
+  let mockConfig;
+
+  beforeEach(() => {
+    mockConfig = {
+      id: 'test-deluge',
+      name: 'Test Deluge',
+      url: 'http://localhost:8112',
+      username: 'admin',
+      password: 'deluge'
+    };
+    
+    client = new DelugeClient(mockConfig);
+  });
+
+  describe('Constructor', () => {
+    it('should initialize with correct properties', () => {
+      expect(client.getClientType()).toBe('deluge');
+      expect(client.getInstanceId()).toBe('test-deluge');
+      expect(client.name).toBe('Test Deluge');
+    });
+  });
+
+  describe('Connection Test', () => {
+    it('should test connection successfully', async () => {
+      // Mock successful connection
+      client.makeRequest = jest.fn().mockResolvedValue({ result: true });
+      
+      const result = await client.testConnection();
+      
+      expect(result).toBe(true);
+      expect(client.makeRequest).toHaveBeenCalledWith('auth.check_session');
+    });
+  });
+
+  describe('Download Normalization', () => {
+    it('should normalize download data correctly', () => {
+      const torrent = {
+        id: 'abc123',
+        name: 'Test Torrent',
+        state: 'Downloading',
+        progress: 0.75,
+        total_size: 1000000000,
+        download_payload_rate: 1048576,
+        eta: 3600,
+        label: 'movies',
+        save_path: '/downloads/test'
+      };
+
+      const normalized = client.normalizeDownload(torrent);
+
+      expect(normalized).toEqual({
+        id: 'abc123',
+        title: 'Test Torrent',
+        type: 'torrent',
+        client: 'deluge',
+        instanceId: 'test-deluge',
+        instanceName: 'Test Deluge',
+        status: 'Downloading',
+        progress: 75,
+        size: 1000000000,
+        downloaded: 750000000,
+        speed: 1048576,
+        eta: 3600,
+        category: 'movies',
+        tags: [],
+        savePath: '/downloads/test',
+        raw: torrent
+      });
+    });
+  });
+
+  // Add more tests for error handling, edge cases, etc.
+});
+```
+
+## Step 6: Configuration Examples
+
+Add documentation for your client's configuration in `.env.sample`:
+
+```bash
+# Deluge Configuration
+# Single instance (legacy format)
+# DELUGE_URL=http://localhost:8112
+# DELUGE_USERNAME=admin
+# DELUGE_PASSWORD=deluge
+
+# Multiple instances (JSON format)
+DELUGE_INSTANCES='[
+  {
+    "name": "Main Deluge",
+    "url": "http://localhost:8112",
+    "username": "admin",
+    "password": "deluge"
+  },
+  {
+    "name": "Backup Deluge",
+    "url": "http://localhost:8113",
+    "username": "admin",
+    "password": "deluge"
+  }
+]'
+```
+
+## Step 7: Update Documentation
+
+Update relevant documentation files:
+
+1. **ARCHITECTURE.md**: Add your client to the download clients section
+2. **README.md**: Add configuration instructions for your client
+3. **CHANGELOG.md**: Document the new client support
+
+## Best Practices
+
+### Error Handling
+
+- Always wrap API calls in try-catch blocks
+- Return empty arrays for download fetch failures
+- Log errors with appropriate context
+- Implement retry logic where appropriate
+
+### Authentication
+
+- Store credentials securely (don't log them)
+- Handle session expiration gracefully
+- Implement automatic re-authentication when possible
+
+### Performance
+
+- Use efficient API calls (batch requests when available)
+- Implement caching for expensive operations
+- Consider pagination for large download lists
+- Use connection pooling for HTTP clients
+
+### Normalization
+
+- Always return the complete normalized schema
+- Handle missing or null values gracefully
+- Preserve original data in the `raw` field
+- Map client-specific statuses to standard ones
+
+### Testing
+
+- Test both success and failure scenarios
+- Mock external API calls
+- Test normalization edge cases
+- Include integration tests
+
+## Example: Complete Implementation
+
+For a complete example, refer to the existing client implementations:
+
+- **SABnzbdClient.js**: Simple REST API client
+- **QBittorrentClient.js**: Complex client with sync API and fallback
+- **TransmissionClient.js**: JSON-RPC client with session management
+- **RTorrentClient.js**: XML-RPC client with HTTP Basic Auth
+
+### rTorrent Specific Notes
+
+rTorrent uses XML-RPC over HTTP with the following specifics:
+
+- **Endpoint**: `${url}/RPC2` (most common)
+- **Authentication**: HTTP Basic Auth (handled by reverse proxy or web server)
+- **Primary Method**: `d.multicall2` for efficient bulk torrent data retrieval
+- **Library**: Uses the `xmlrpc` package (v1.3.2)
+- **Status Mapping**: Combines `d.state`, `d.is_active`, and `d.is_hash_checking` to determine status
+- **ETA Calculation**: Computed from download speed and remaining bytes when actively downloading
+
+## Troubleshooting
+
+### Common Issues
+
+1. **Authentication failures**: Check credentials and URL format
+2. **API changes**: Ensure your client matches the API version
+3. **Network issues**: Implement proper timeout and retry logic
+4. **Data normalization**: Verify all required fields are populated
+
+### Debugging
+
+- Enable debug logging in your client
+- Check the server logs for error messages
+- Use the test connection endpoint to verify configuration
+- Test API calls manually before implementing
+
+## Contributing
+
+When contributing a new client:
+
+1. Follow the existing code style and patterns
+2. Include comprehensive tests
+3. Update all relevant documentation
+4. Test with multiple instances if supported
+5. Consider edge cases and error scenarios
+
+## Support
+
+If you need help implementing a new client:
+
+1. Review existing client implementations
+2. Check the architecture documentation
+3. Look at the test examples
+4. Ask questions in the project discussions
+
+---
+
+*This guide covers the basics of adding a new download client. For more advanced scenarios, refer to the source code and existing implementations.*
@@ -1,806 +0,0 @@
-# sofarr — Architecture Documentation
-
-Comprehensive technical documentation covering the full architecture of the **sofarr** application: a personal media download dashboard that aggregates downloads from SABnzbd, Sonarr, Radarr, and qBittorrent, filtered by Emby user identity.
-
---
-
-## Table of Contents
-
-1. [System Overview](#1-system-overview)
-2. [Technology Stack](#2-technology-stack)
-3. [Directory Structure](#3-directory-structure)
-4. [Component Architecture](#4-component-architecture)
-5. [Data Flow](#5-data-flow)
-6. [Authentication & Authorisation](#6-authentication--authorisation)
-7. [Background Polling & Caching](#7-background-polling--caching)
-8. [Download Matching Pipeline](#8-download-matching-pipeline)
-9. [API Reference](#9-api-reference)
-10. [Frontend Architecture](#10-frontend-architecture)
-11. [Configuration](#11-configuration)
-12. [Deployment](#12-deployment)
-13. [UML Diagrams (PlantUML)](#13-uml-diagrams-plantuml)
-
---
-
-## 1. System Overview
-
-sofarr is a **single-page web application** with a Node.js/Express backend. It provides a personalised view of media downloads by:
-
-1. **Authenticating** users against an Emby/Jellyfin media server.
-2. **Aggregating** download data from multiple *arr service instances and download clients.
-3. **Filtering** downloads by user — each user only sees media tagged with their username in Sonarr/Radarr.
-4. **Presenting** a real-time dashboard with progress, speeds, cover art, and status.
-
-Admin users can view all users' downloads, see server status, cache statistics, and poll timings.
-
-### High-Level Architecture
-
-```
-┌─────────────────────────────────────────────────────┐
-│                    Browser (SPA)                     │
-│  ┌──────────┐  ┌──────────┐  ┌───────────────────┐  │
-│  │  Login   │  │Dashboard │  │  Status Panel     │  │
-│  │  Form    │  │  Cards   │  │  (Admin only)     │  │
-│  └────┬─────┘  └────┬─────┘  └───────┬───────────┘  │
-│       │              │                │              │
-└───────┼──────────────┼────────────────┼──────────────┘
-        │ POST /login  │ GET /user-     │ GET /status
-        │              │ downloads      │
-        ▼              ▼                ▼
-┌─────────────────────────────────────────────────────┐
-│                Express Server (:3001)                 │
-│  ┌────────┐ ┌──────────┐ ┌────────┐ ┌────────────┐  │
-│  │  Auth  │ │Dashboard │ │ Emby   │ │  Static    │  │
-│  │ Routes │ │  Routes  │ │ Routes │ │  Files     │  │
-│  └────┬───┘ └────┬─────┘ └────┬───┘ └────────────┘  │
-│       │          │            │                       │
-│  ┌────┴──────────┴────────────┴──────────────────┐   │
-│  │             Utilities Layer                    │   │
-│  │  ┌────────┐ ┌────────┐ ┌──────┐ ┌──────────┐ │   │
-│  │  │ Poller │ │ Cache  │ │Config│ │qBittorrent│ │   │
-│  │  └───┬────┘ └────────┘ └──────┘ └──────────┘ │   │
-│  └──────┼────────────────────────────────────────┘   │
-└─────────┼────────────────────────────────────────────┘
-          │ HTTP/API calls
-          ▼
-┌──────────────────────────────────────────────────────┐
-│              External Services                        │
-│  ┌──────────┐ ┌────────┐ ┌────────┐ ┌────────────┐  │
-│  │ SABnzbd  │ │ Sonarr │ │ Radarr │ │qBittorrent │  │
-│  │ (Usenet) │ │ (TV)   │ │(Movie) │ │ (Torrent)  │  │
-│  └──────────┘ └────────┘ └────────┘ └────────────┘  │
-│  ┌──────────────────────────────────────────────┐    │
-│  │              Emby / Jellyfin                  │    │
-│  │          (Authentication + User DB)           │    │
-│  └──────────────────────────────────────────────┘    │
-└──────────────────────────────────────────────────────┘
-```
-
---
-
-## 2. Technology Stack
-
-### Runtime & Framework
-
-| Layer | Technology | Purpose |
-|-------|-----------|------|
-| **Runtime** | Node.js 22 (Alpine) | Server runtime |
-| **Framework** | Express 4.x | HTTP server, routing, middleware |
-| **HTTP Client** | axios 1.x | External API communication |
-| **Frontend** | Vanilla JS + CSS | Single-page app, no build step |
-| **Containerisation** | Docker multi-stage (Alpine) | Production deployment |
-| **Logging** | Custom logger + `console.*` | File + stdout logging with levels |
-
-### Security Middleware
-
-| Package | Purpose |
-|---------|--------|
-| `helmet` 7.x | HTTP security headers (CSP with per-request nonce, HSTS, referrer policy) |
-| `express-rate-limit` 7.x | 300 req/15 min general limiter; 10 failed attempts/15 min login limiter |
-| `cookie-parser` 1.x | Signed cookie support (HMAC via `COOKIE_SECRET`) |
-
-### Auth & Session
-
-| Component | Technology | Details |
-|-----------|-----------|--------|
-| **Identity** | Emby API | `POST /Users/authenticatebyname` |
-| **Session cookie** | `httpOnly` + `sameSite: strict` | Signed when `COOKIE_SECRET` set |
-| **CSRF protection** | Double-submit cookie pattern | `csrf_token` cookie + `X-CSRF-Token` header |
-| **Token store** | JSON file (`DATA_DIR/tokens.json`) | Atomic writes, 31-day TTL, hourly pruning |
-
-### Testing
-
-| Tool | Purpose |
-|------|---------|
-| `vitest` 4.x | Test runner (V8 coverage built-in) |
-| `supertest` 7.x | HTTP integration testing |
-| `nock` 14.x | HTTP interception at Node layer (works with CJS `require('axios')`) |
-
---
-
-## 3. Directory Structure
-
-```
-sofarr/
-├── server/                     # Backend application
-│   ├── index.js                # Entry point: logging setup, server listen, poller start
-│   ├── app.js                  # Express app factory (imported by index.js and tests)
-│   ├── routes/
-│   │   ├── auth.js             # POST /login, GET /me, GET /csrf, POST /logout
-│   │   ├── dashboard.js        # GET /user-downloads, /user-summary, /status, /cover-art
-│   │   ├── emby.js             # Proxy routes to Emby API
-│   │   ├── sabnzbd.js          # Proxy routes to SABnzbd API
-│   │   ├── sonarr.js           # Proxy routes to Sonarr API
-│   │   └── radarr.js           # Proxy routes to Radarr API
-│   ├── middleware/
-│   │   ├── requireAuth.js      # httpOnly cookie auth enforcement
-│   │   └── verifyCsrf.js       # CSRF double-submit cookie validation
-│   └── utils/
-│       ├── cache.js            # MemoryCache class (Map + TTL + stats)
-│       ├── config.js           # Multi-instance service configuration parser
-│       ├── logger.js           # File logger (DATA_DIR/server.log)
-│       ├── poller.js           # Background polling engine + timing
-│       ├── qbittorrent.js      # qBittorrent client with auth + torrent mapping
-│       ├── sanitizeError.js    # Redacts secrets from error messages before logging
-│       └── tokenStore.js       # JSON file-backed Emby token store (atomic, TTL)
-├── public/                     # Static frontend (served by Express)
-│   ├── index.html              # HTML shell: splash, login, dashboard
-│   ├── app.js                  # All frontend logic (auth, rendering, status)
-│   ├── style.css               # Themes, layout, responsive design
-│   ├── favicon.ico             # Multi-size favicon (16/32/48px)
-│   ├── favicon-32.png          # 32px PNG favicon
-│   ├── favicon-192.png         # 192px PNG (apple-touch-icon / PWA)
-│   └── images/                 # Logo / splash screen assets
-├── tests/
-│   ├── README.md               # Testing approach, design decisions, coverage targets
-│   ├── setup.js                # Global setup: isolated DATA_DIR, rate-limit bypass
-│   ├── unit/                   # Pure unit tests (no HTTP)
-│   └── integration/            # Supertest integration tests (nock for external HTTP)
-├── docs/
-│   ├── ARCHITECTURE.md         # This document
-│   └── diagrams/               # PlantUML source files
-├── .gitea/workflows/
-│   ├── ci.yml                  # Security audit + test/coverage CI jobs
-│   ├── build-image.yml         # Docker image build and push
-│   └── create-release.yml      # Release tagging workflow
-├── Dockerfile                  # Multi-stage production container image (node:22-alpine)
-├── docker-compose.yaml         # Example compose deployment
-├── vitest.config.js            # Test runner configuration with per-file coverage thresholds
-├── package.json                # Dependencies and scripts
-├── .env.sample                 # Annotated environment variable template
-└── README.md                   # User-facing documentation
-```
-
---
-
-## 4. Component Architecture
-
-### 4.1 Application Factory (`server/app.js`) and Entry Point (`server/index.js`)
-
-**`server/app.js`** is a `createApp(options?)` factory that builds and returns the configured Express `app` instance. It is imported by both `server/index.js` (production) and the test suite. Keeping app creation separate from `app.listen()` means tests get a clean instance without triggering log-file setup, `process.exit()` calls, or the background poller.
-
-`createApp` responsibilities:
- Configure `trust proxy` from `TRUST_PROXY` env var
- Apply `helmet` with a per-request CSP nonce (`crypto.randomBytes(16)`) for inline styles/scripts
- Add `Permissions-Policy` header
- Apply the general API rate limiter (300 req / 15 min per IP)
- Mount `cookie-parser` (signed when `COOKIE_SECRET` is set)
- Mount `express.json` (64 KB body limit)
- Expose `/health` and `/ready` endpoints (no auth, no rate limit)
- Mount `/api/auth` routes **before** CSRF middleware (login/logout are exempt)
- Mount `verifyCsrf` for all subsequent `/api` routes
- Mount remaining route modules under `/api/*`
- Register global error handler (500 with sanitized message)
-
-**`server/index.js`** entry point responsibilities:
- Load `.env` via `dotenv`
- Configure structured logging (`LOG_LEVEL`) with `console.*` redirection to both stdout and `DATA_DIR/server.log`
- Call `createApp()`, serve `public/` as static files, start `app.listen()`
- Start the background poller
-
-### 4.2 Route Modules
-
-| Module | Mount Point | Auth Required | CSRF Required | Purpose |
-|--------|------------|:-------------:|:-------------:|--------|
-| `auth.js` | `/api/auth` | No | No | Login, session check, CSRF token, logout |
-| `dashboard.js` | `/api/dashboard` | Yes (`requireAuth`) | Yes (except `/stream` — GET) | SSE stream, aggregated download data, status, cover-art proxy |
-| `emby.js` | `/api/emby` | Yes (`requireAuth`) | Yes | Proxy to Emby API |
-| `sabnzbd.js` | `/api/sabnzbd` | Yes (`requireAuth`) | Yes | Proxy to SABnzbd API |
-| `sonarr.js` | `/api/sonarr` | Yes (`requireAuth`) | Yes | Proxy to Sonarr API |
-| `radarr.js` | `/api/radarr` | Yes (`requireAuth`) | Yes | Proxy to Radarr API |
-
-**`requireAuth`** (`server/middleware/requireAuth.js`) reads the `emby_user` cookie (signed if `COOKIE_SECRET` is set) and attaches the parsed `{ id, name, isAdmin }` user to `req.user`. Returns `401` if the cookie is absent, tampered, or schema-invalid.
-
-**`verifyCsrf`** (`server/middleware/verifyCsrf.js`) implements the double-submit cookie pattern for all state-changing requests (`POST`, `PUT`, `PATCH`, `DELETE`). Compares the `csrf_token` cookie against the `X-CSRF-Token` request header using `crypto.timingSafeEqual`. Safe methods (`GET`, `HEAD`, `OPTIONS`) are exempt. Auth routes are mounted **before** this middleware (login/logout are exempt by design — `sameSite: strict` provides equivalent protection).
-
-> **Note:** The proxy routes (`emby`, `sabnzbd`, `sonarr`, `radarr`) exist for direct API access. The dashboard itself reads from the poller cache — it does not proxy through these routes.
-
-### 4.3 Utility Modules
-
-**`config.js`** — Parses service instances from environment variables. Supports both JSON array format (`SONARR_INSTANCES=[{...}]`) and legacy single-instance format (`SONARR_URL` + `SONARR_API_KEY`). Each instance gets an `id` derived from `name` or index.
-
-**`cache.js`** — Singleton `MemoryCache` backed by a `Map`. Each entry has an expiration timestamp. Provides `get`, `set`, `invalidate`, `clear`, and `getStats` (returns per-key size, item count, TTL remaining).
-
-**`poller.js`** — Background polling engine. Fetches data from all configured service instances in parallel with per-task timing. Stores results in the cache with a configurable TTL. Can be disabled entirely (`POLL_INTERVAL=0`), in which case data is fetched on-demand. After each successful poll it notifies all registered SSE subscriber callbacks so connected clients receive data immediately.
-
-**`qbittorrent.js`** — `QBittorrentClient` class with cookie-based authentication, automatic re-auth on 403, and persistent client instances. Includes torrent-to-download mapping (`mapTorrentToDownload`) and formatting utilities (`formatBytes`, `formatSpeed`, `formatEta`).
-
-**`tokenStore.js`** — JSON file-backed store (`DATA_DIR/tokens.json`) for Emby `AccessToken`s. Tokens are stored server-side and **never sent to the client**. Writes are atomic (write to `.tmp` then rename). Entries expire after 31 days (slightly longer than the maximum 30-day cookie). Pruning runs on startup and hourly.
-
-**`sanitizeError.js`** — Redacts secrets from error message strings before they are logged or returned in API responses. Patterns: URL query-param secrets (`apikey=`, `token=`, etc.), HTTP auth headers (`Authorization:`, `X-Emby-Authorization:`, etc.), Bearer tokens, and basic-auth credentials in URLs.
-
-**`logger.js`** — Simple file appender writing timestamped messages to `DATA_DIR/server.log`.
-
---
-
-## 5. Data Flow
-
-### 5.1 Polling Cycle
-
-Every `POLL_INTERVAL` ms (default 5000), the poller fetches from all services in parallel:
-
-| Task | API Call | Params |
-|------|----------|--------|
-| SABnzbd Queue | `GET /api?mode=queue` | `output=json` |
-| SABnzbd History | `GET /api?mode=history` | `limit=10` |
-| Sonarr Tags | `GET /api/v3/tag` | — |
-| Sonarr Queue | `GET /api/v3/queue` | `includeSeries=true` |
-| Sonarr History | `GET /api/v3/history` | `pageSize=10` |
-| Radarr Queue | `GET /api/v3/queue` | `includeMovie=true` |
-| Radarr History | `GET /api/v3/history` | `pageSize=10` |
-| Radarr Tags | `GET /api/v3/tag` | — |
-| qBittorrent | `GET /api/v2/torrents/info` | — |
-
-Results are stored in the cache under `poll:*` keys with a TTL of `POLL_INTERVAL × 3`.
-
-### 5.2 SSE Stream
-
-When a browser opens `GET /api/dashboard/stream` (after authentication):
-
-1. Server sets `Content-Type: text/event-stream`, disables buffering (`X-Accel-Buffering: no`)
-2. Immediately builds and sends the first payload (same matching logic as below)
-3. Registers a callback with the poller's `onPollComplete` subscriber set
-4. After every subsequent poll cycle completes the callback fires, rebuilds the payload, and writes a `data:` SSE frame
-5. A 25-second heartbeat comment (`: heartbeat`) keeps the connection alive through proxies
-6. On client disconnect: deregisters callback, stops heartbeat, removes from active-client map
-
-The browser's native `EventSource` API handles reconnection automatically on network interruption.
-
-### 5.3 Download Matching
-
-For each connected user the server:
-
-1. Reads all `poll:*` keys from cache
-2. Builds `seriesMap` and `moviesMap` from embedded objects in queue records
-3. Builds `sonarrTagMap` and `radarrTagMap` from tag data
-4. For each SABnzbd queue slot → tries to match against Sonarr/Radarr queue records by title
-5. For each SABnzbd history slot → tries to match against Sonarr/Radarr history records
-6. For each qBittorrent torrent → tries to match against Sonarr/Radarr queue, then history
-7. For each match, resolves the series/movie, extracts the user tag, checks if it belongs to the requesting user
-8. Returns only the user's downloads (or all, if admin with `showAll=true`)
-
---
-
-## 6. Authentication & Authorisation
-
-### Flow
-
-1. User submits credentials (+ optional `rememberMe`) via the login form
-2. Backend applies the **login rate limiter** (max 10 failed attempts per IP per 15-minute window; successful requests don't count)
-3. Backend calls Emby `POST /Users/authenticatebyname` using a deterministic `DeviceId` derived from the username — this causes Emby to reuse the existing session rather than creating a new one on every login
-4. On success, fetches full user profile (`GET /Users/{id}`) to determine admin status
-5. Stores the Emby `AccessToken` in **`tokenStore`** (server-side, never sent to the client)
-6. Sets an `httpOnly` `emby_user` cookie containing only `{ id, name, isAdmin }`:
-   - **`rememberMe: true`** → persistent cookie, `Max-Age` 30 days
-   - **`rememberMe: false`** → session cookie (no `Max-Age`; expires when browser closes)
-   - `secure` flag enabled when `TRUST_PROXY` is set (i.e. a TLS-terminating reverse proxy is in front)
-   - Signed with HMAC when `COOKIE_SECRET` is set
-7. Issues a `csrf_token` cookie (`httpOnly: false` so JS can read it) containing a 32-byte random hex token
-8. Returns `{ success: true, user, csrfToken }` — the SPA stores `csrfToken` in memory and sends it as `X-CSRF-Token` on all subsequent state-changing requests
-9. All subsequent dashboard requests read the `emby_user` cookie for identity via `requireAuth`
-
-### Authorisation Matrix
-
-| Feature | Regular User | Admin |
-|---------|:----------:|:-----:|
-| View own downloads | ✓ | ✓ |
-| View all users' downloads | ✗ | ✓ (`showAll`) |
-| See download/target paths | ✗ | ✓ |
-| See Sonarr/Radarr links | ✗ | ✓ |
-| View status panel | ✗ | ✓ |
-
-### Tag Matching
-
-Users are matched to downloads via tags in Sonarr/Radarr:
-
-1. **Exact match**: tag label (lowercased) === username (lowercased)
-2. **Sanitised match**: handles Ombi's tag mangling — `sanitizeTagLabel()` converts to lowercase, replaces non-alphanumeric with hyphens, collapses, trims
-
---
-
-## 7. Background Polling & Caching
-
-### Polling Modes
-
-| Mode | `POLL_INTERVAL` | Behaviour |
-|------|----------------|-----------|
-| **Background** | `> 0` (e.g. `5000`) | Periodic fetch every N ms |
-| **On-demand** | `0` / `off` / `false` | Fetch triggered by first user request when cache is empty |
-
-### Cache Keys
-
-| Key | Content | Source |
-|-----|---------|--------|
-| `poll:sab-queue` | `{ slots, status, speed, kbpersec }` | SABnzbd queue |
-| `poll:sab-history` | `{ slots }` | SABnzbd history |
-| `poll:sonarr-tags` | `[{ instance, data: [{id, label}] }]` | Sonarr tag API |
-| `poll:sonarr-queue` | `{ records }` — includes embedded `series` objects | Sonarr queue (includeSeries) |
-| `poll:sonarr-history` | `{ records }` — lightweight, no embedded objects | Sonarr history |
-| `poll:radarr-queue` | `{ records }` — includes embedded `movie` objects | Radarr queue (includeMovie) |
-| `poll:radarr-history` | `{ records }` — lightweight, no embedded objects | Radarr history |
-| `poll:radarr-tags` | `[{id, label}]` | Radarr tag API |
-| `poll:qbittorrent` | `[torrent, ...]` | qBittorrent all torrents |
-| `emby:users` | `Map<lowerName, displayName>` | Full Emby user list (60s TTL) |
-
-### TTL Strategy
-
- **Polling enabled**: `POLL_INTERVAL × 3` — ensures data survives between polls even if one poll is slow
- **Polling disabled**: `30000` ms — stale after 30s, next request triggers a fresh fetch
-
-### Active Client Tracking
-
-SSE connections are tracked precisely: registered on connect, removed on disconnect. The admin status panel shows each connected user and how long they have been connected. The `type: 'sse'` field distinguishes SSE clients from any legacy HTTP clients.
-
---
-
-## 8. Download Matching Pipeline
-
-The core logic in `dashboard.js` matches raw download client data to *arr service metadata to determine which user each download belongs to.
-
-### Matching Strategy
-
-For each download item (SABnzbd slot or qBittorrent torrent):
-
-```
-1. Try Sonarr QUEUE match (by title substring)
-   → resolve series via seriesMap (embedded in queue record)
-   → extract user tag → check tag matches requesting user
-
-2. Try Radarr QUEUE match (by title substring)
-   → resolve movie via moviesMap (embedded in queue record)
-   → extract user tag → check tag matches requesting user
-
-3. Try Sonarr HISTORY match (by title substring)
-   → resolve series via seriesMap (from queue) using seriesId
-   → extract user tag → check tag matches requesting user
-
-4. Try Radarr HISTORY match (by title substring)
-   → resolve movie via moviesMap (from queue) using movieId
-   → extract user tag → check tag matches requesting user
-```
-
-### Title Matching
-
-Matches are **bidirectional substring matches** (case-insensitive):
-```javascript
-rTitle.includes(downloadTitle) || downloadTitle.includes(rTitle)
-```
-
-### Download Object Structure
-
-Each matched download produces an object with:
-
-| Field | Type | Description |
-|-------|------|-------------|
-| `type` | `'series'` / `'movie'` / `'torrent'` | Media type |
-| `title` | string | Raw download title |
-| `coverArt` | string / null | Poster URL from *arr |
-| `status` | string | Download status |
-| `progress` | string | Percentage complete |
-| `size` / `mb` / `mbmissing` | string / number | Size info |
-| `speed` | string | Current download speed |
-| `eta` | string | Estimated time remaining |
-| `seriesName` / `movieName` | string | Friendly media title |
-| `episodeInfo` / `movieInfo` | object | Full *arr queue/history record |
-| `allTags` | string[] | All resolved tag labels on the series/movie |
-| `matchedUserTag` | string / null | Tag label matching the requesting user, or `null` |
-| `tagBadges` | `{label, matchedUser}[]` / undefined | (Admin `showAll` only) Each tag classified against full Emby user list |
-| `importIssues` | string[] / null | Import warning/error messages |
-| `downloadPath` | string / null | (Admin) Download client path |
-| `targetPath` | string / null | (Admin) *arr target path |
-| `arrLink` | string / null | (Admin) Link to *arr web UI |
-
---
-
-## 9. API Reference
-
-### `POST /api/auth/login`
-
-Authenticate a user via Emby. Rate-limited to **10 failed attempts per IP per 15 minutes**.
-
-**Request Body:**
-```json
-{ "username": "string", "password": "string", "rememberMe": false }
-```
-
-| Field | Required | Description |
-|-------|:--------:|-----------|
-| `username` | Yes | Max 128 chars, must be a non-empty string |
-| `password` | Yes | Max 256 chars |
-| `rememberMe` | No | `true` = 30-day persistent cookie; `false`/omitted = session cookie |
-
-**Response (200):**
-```json
-{
-  "success": true,
-  "user": { "id": "string", "name": "string", "isAdmin": false },
-  "csrfToken": "64-char hex string"
-}
-```
-
-**Response (400):** Invalid input (empty/overlong username or password).
-
-**Response (401):**
-```json
-{ "success": false, "error": "Invalid username or password" }
-```
-
-**Response (429):** Too many failed attempts from this IP.
-
-**Side Effects:**
- Sets `emby_user` cookie: `httpOnly`, `sameSite: strict`, `secure` in production, signed if `COOKIE_SECRET` is set. Payload: `{ id, name, isAdmin }`. The Emby `AccessToken` is **never** included.
- Sets `csrf_token` cookie: `httpOnly: false` (JS-readable), same security flags. 64-char hex.
- Stores the Emby `AccessToken` server-side in `tokenStore` (used only for server-side Emby logout).
-
---
-
-### `GET /api/auth/me`
-
-Check current session (no auth required — returns unauthenticated state rather than 401).
-
-**Response (authenticated):**
-```json
-{ "authenticated": true, "user": { "id": "string", "name": "string", "isAdmin": false } }
-```
-
-**Response (not authenticated):**
-```json
-{ "authenticated": false }
-```
-
---
-
-### `GET /api/auth/csrf`
-
-Issue a fresh CSRF token. Used by the SPA after a page reload when the in-memory `csrfToken` variable is lost.
-
-**Response (200):**
-```json
-{ "csrfToken": "64-char hex string" }
-```
-
-**Side Effect:** Sets a new `csrf_token` cookie.
-
---
-
-### `POST /api/auth/logout`
-
-Clear session and revoke the Emby token server-side. Does **not** require a CSRF token (auth routes are mounted before `verifyCsrf`; `sameSite: strict` provides equivalent protection).
-
---
-
-### `GET /api/dashboard/stream`
-
-Server-Sent Events stream. Opens a persistent connection that pushes download data on every poll cycle.
-
-**Query Parameters:**
-| Param | Type | Description |
-|-------|------|-------------|
-| `showAll` | `"true"` | (Admin) Include all users' downloads |
-
-**Response:** `Content-Type: text/event-stream`
-
-Each event is a `data:` frame containing JSON:
-```json
-{
-  "user": "Alice",
-  "isAdmin": false,
-  "downloads": [ /* download objects — same shape as /user-downloads */ ]
-}
-```
-
-The connection is kept alive with `: heartbeat` comments every 25 seconds. The browser's `EventSource` reconnects automatically on failure.
-
---
-
-### `GET /api/dashboard/user-downloads`
-
-Fetch downloads for the authenticated user (single HTTP request, no streaming).
-
-**Query Parameters:**
-| Param | Type | Description |
-|-------|------|-------------|
-| `showAll` | `"true"` | (Admin) Show all users' downloads |
-
-**Response (200):**
-```json
-{
-  "user": "string",
-  "isAdmin": true,
-  "downloads": [ /* download objects */ ]
-}
-```
-
---
-
-### `GET /api/dashboard/status`
-
-Admin-only server status.
-
-**Response (200):**
-```json
-{
-  "server": {
-    "uptimeSeconds": 3600,
-    "nodeVersion": "v18.19.0",
-    "memoryUsageMB": 45.2,
-    "heapUsedMB": 28.1,
-    "heapTotalMB": 35.0
-  },
-  "polling": {
-    "enabled": true,
-    "intervalMs": 5000,
-    "lastPoll": {
-      "totalMs": 1234,
-      "timestamp": "2026-05-16T00:00:00.000Z",
-      "tasks": [
-        { "label": "SABnzbd Queue", "ms": 120 },
-        { "label": "Sonarr Queue", "ms": 890 }
-      ]
-    }
-  },
-  "cache": {
-    "entryCount": 9,
-    "totalSizeBytes": 51200,
-    "entries": [
-      { "key": "poll:sab-queue", "sizeBytes": 1024, "itemCount": 3, "ttlRemainingMs": 12000, "expired": false }
-    ]
-  },
-  "clients": [
-    { "user": "Alice", "type": "sse", "connectedAt": 1715817600000, "lastSeen": 1715817600000 }
-  ]
-}
-```
-
---
-
-### `GET /api/dashboard/user-summary`
-
-Admin-only per-user download counts (fetches live from APIs, not cached).
-
-**Response (200):**
-```json
-[
-  { "username": "Alice", "seriesCount": 12, "movieCount": 5 }
-]
-```
-
---
-
-## 10. Frontend Architecture
-
-The frontend is a **vanilla JavaScript SPA** with no build step. All logic resides in `app.js`, styled by `style.css`, and structured by `index.html`.
-
-### UI States
-
-```
-┌──────────────┐     ┌──────────────┐     ┌──────────────┐
-│ Splash Screen│────▶│  Login Form  │────▶│  Dashboard   │
-│ (on load)    │     │ (if no       │     │ (after auth) │
-│              │     │  session)    │     │              │
-└──────────────┘     └──────────────┘     └──────────────┘
-                                                │
-                                          ┌─────┴─────┐
-                                          │  Status   │
-                                          │  Panel    │
-                                          │ (admin)   │
-                                          └───────────┘
-```
-
-### Key Frontend Functions
-
-| Function | Purpose |
-|----------|---------|
-| `checkAuthentication()` | On load: check session → show dashboard or login |
-| `handleLogin()` | Authenticate, fade login → splash → dashboard |
-| `startSSE()` | Open `EventSource` to `/stream`; handles incoming data + first-message loading hide |
-| `stopSSE()` | Close `EventSource` and cancel reconnect timer |
-| `renderDownloads()` | Diff-based card rendering (create/update/remove) |
-| `createDownloadCard()` | Build DOM for a single download card; renders tag badges |
-| `updateDownloadCard()` | Update existing card in-place (progress, speed, etc.) |
-| `toggleStatusPanel()` | Show/hide admin status panel |
-| `renderStatusPanel()` | Build status HTML (server, polling, SSE clients, cache) |
-| `initThemeSwitcher()` | Light / Dark / Mono theme support |
-
-### Themes
-
-Three CSS themes via `data-theme` attribute on `<html>`:
- **Light** — Purple gradient header, white cards
- **Dark** — Dark surfaces, muted accents
- **Mono** — Monochrome, minimal colour
-
-Theme selection persists in `localStorage`.
-
-### Tag Badge Rendering
-
-Download cards render tag badges in the card header:
-
- **Normal user view**: a single accent-coloured badge showing the tag label that matched the current user's username (via `matchedUserTag`).
- **Admin `showAll` view**: all tags on the download are rendered using `tagBadges[]`:
-  - Tags with **no matching Emby user** → amber badge showing the raw tag label (leftmost)
-  - Tags **matched to a known Emby user** → accent badge showing the Emby display name (rightmost)
-
-### Live Push via SSE
-
-The dashboard receives updates via a persistent `EventSource` connection to `GET /api/dashboard/stream`. The server pushes a new `data:` event immediately after every poll cycle completes — there is no client-side timer. The browser's `EventSource` implementation handles reconnection automatically on network interruption.
-
-The status panel refreshes on a fixed 5-second timer and shows each SSE client with its connect duration.
-
---
-
-## 11. Configuration
-
-### Environment Variables
-
-#### Core
-
-| Variable | Required | Default | Description |
-|----------|:--------:|---------|-------------|
-| `PORT` | No | `3001` | Server listen port |
-| `NODE_ENV` | No | — | Set to `production` for production logging and startup validation. Does **not** control cookie `secure` flag or CSP `upgrade-insecure-requests` (both gated on `TRUST_PROXY`). |
-| `DATA_DIR` | No | `./data` | Directory for `tokens.json` and `server.log`. Must be writable by the server process. In Docker: `/app/data` (named volume). |
-| `COOKIE_SECRET` | No | — | If set, signs all session cookies with HMAC-SHA256. Strongly recommended in production. |
-| `TRUST_PROXY` | No | — | Express `trust proxy` setting. Set to `1` (or a hop count) when behind a reverse proxy (nginx, Traefik, etc.) so `req.ip` and `req.secure` are correct. |
-
-#### Emby
-
-| Variable | Required | Default | Description |
-|----------|:--------:|---------|-------------|
-| `EMBY_URL` | Yes | — | Emby/Jellyfin base URL (e.g. `https://emby.example.com`) |
-| `EMBY_API_KEY` | Yes | — | Emby API key (used by the poller to list users for tag badge classification) |
-
-#### Service Instances
-
-| Variable | Required | Default | Description |
-|----------|:--------:|---------|-------------|
-| `SONARR_INSTANCES` | Yes* | — | JSON array of Sonarr instances |
-| `SONARR_URL` | Yes* | — | Legacy: single Sonarr URL |
-| `SONARR_API_KEY` | Yes* | — | Legacy: single Sonarr API key |
-| `RADARR_INSTANCES` | Yes* | — | JSON array of Radarr instances |
-| `RADARR_URL` | Yes* | — | Legacy: single Radarr URL |
-| `RADARR_API_KEY` | Yes* | — | Legacy: single Radarr API key |
-| `SABNZBD_INSTANCES` | Yes* | — | JSON array of SABnzbd instances |
-| `SABNZBD_URL` | Yes* | — | Legacy: single SABnzbd URL |
-| `SABNZBD_API_KEY` | Yes* | — | Legacy: single SABnzbd API key |
-| `QBITTORRENT_INSTANCES` | No | — | JSON array of qBittorrent instances |
-
-\* Either `*_INSTANCES` (JSON array) or legacy `*_URL` + `*_API_KEY` format is required.
-
-#### Tuning
-
-| Variable | Required | Default | Description |
-|----------|:--------:|---------|-------------|
-| `POLL_INTERVAL` | No | `5000` | Poll interval in ms. Set to `0`, `off`, or `false` to disable background polling (on-demand mode). |
-| `LOG_LEVEL` | No | `info` | `debug`, `info`, `warn`, `error`, `silent` |
-
-### Instance JSON Format
-
-```json
-[
-  {
-    "name": "main",
-    "url": "https://sonarr.example.com",
-    "apiKey": "your-api-key"
-  },
-  {
-    "name": "4k",
-    "url": "https://sonarr4k.example.com",
-    "apiKey": "your-4k-api-key"
-  }
-]
-```
-
-qBittorrent instances use `username` and `password` instead of `apiKey`.
-
---
-
-## 12. Deployment
-
-### Docker image
-
-The production image uses a two-stage build on `node:22-alpine`:
-
-1. **`deps` stage** — runs `npm ci --omit=dev` to install only production dependencies.
-2. **`runtime` stage** — copies `node_modules`, `server/`, `public/`, and `package.json`. Runs as the built-in non-root `node` user (UID 1000). `/app/data` is owned by `node` for writable token store and logs.
-
-Key environment variables set in the image:
- `NODE_ENV=production` — enables production startup validation and logging
- `DATA_DIR=/app/data` — token store and log file location
-
-### Docker Compose
-
-```yaml
-services:
-  sofarr:
-    image: docker.i3omb.com/sofarr:latest
-    container_name: sofarr
-    restart: unless-stopped
-    ports:
-      - "3001:3001"
-    environment:
-      - NODE_ENV=production
-      - DATA_DIR=/app/data
-      - COOKIE_SECRET=change-me-to-a-long-random-string
-      - TRUST_PROXY=1                 # set if behind nginx/Traefik
-      - EMBY_URL=https://emby.example.com
-      - EMBY_API_KEY=your-emby-api-key
-      - SONARR_INSTANCES=[{"name":"main","url":"...","apiKey":"..."}]
-      - RADARR_INSTANCES=[{"name":"main","url":"...","apiKey":"..."}]
-      - SABNZBD_INSTANCES=[{"name":"main","url":"...","apiKey":"..."}]
-      - QBITTORRENT_INSTANCES=[{"name":"main","url":"...","username":"...","password":"..."}]
-      - POLL_INTERVAL=5000
-      - LOG_LEVEL=info
-    volumes:
-      - sofarr-data:/app/data         # persists tokens.json and server.log
-
-volumes:
-  sofarr-data:
-```
-
-### Security hardening checklist
-
- **Set `COOKIE_SECRET`** — enables HMAC-signed cookies, preventing client-side forgery.
- **Set `TRUST_PROXY=1`** when behind a reverse proxy — ensures `req.secure` is `true` so the `secure` cookie flag is enforced and HTTPS-upgrade CSP fires.
- **Mount a named volume** for `DATA_DIR` — token store and log file survive container recreates.
- **Use HTTPS** — set `TRUST_PROXY=1` to enable the CSP `upgrade-insecure-requests` directive, the `secure` cookie flag, and HSTS (1-year `maxAge`).
- **Rate limiting** — the login endpoint is limited to 10 failed attempts per IP per 15 minutes; all API endpoints share a 300 req/15 min window. Set `TRUST_PROXY` correctly so the client IP is not the proxy's IP.
-
-### CI / CD
-
-The `.gitea/workflows/` directory contains three pipeline definitions:
-
-| File | Trigger | Purpose |
-|------|---------|--------|
-| `ci.yml` | Every push / PR | Security audit (`npm audit --audit-level=high`) + tests with V8 coverage |
-| `build-image.yml` | Push to `main` / `develop` | Build and push Docker image to `docker.i3omb.com` |
-| `create-release.yml` | Tag push (`v*`) | Create a Gitea release |
-
---
-
-## 13. UML Diagrams (PlantUML)
-
-All diagrams below are in PlantUML syntax. Render with any PlantUML tool or VS Code extension.
-
-### 13.1 Component Diagram
-
-See [`diagrams/component.puml`](diagrams/component.puml)
-
-### 13.2 Sequence Diagrams
-
- **Authentication**: [`diagrams/seq-auth.puml`](diagrams/seq-auth.puml)
- **Dashboard Request**: [`diagrams/seq-dashboard.puml`](diagrams/seq-dashboard.puml)
- **Polling Cycle**: [`diagrams/seq-polling.puml`](diagrams/seq-polling.puml)
-
-### 13.3 Class / Entity Diagrams
-
- **Server Classes**: [`diagrams/class-server.puml`](diagrams/class-server.puml)
- **Data Model**: [`diagrams/class-data.puml`](diagrams/class-data.puml)
-
-### 13.4 State Diagrams
-
- **Frontend UI States**: [`diagrams/state-ui.puml`](diagrams/state-ui.puml)
- **Poller States**: [`diagrams/state-poller.puml`](diagrams/state-poller.puml)
-
-### 13.5 Activity Diagram
-
- **Download Matching**: [`diagrams/activity-matching.puml`](diagrams/activity-matching.puml)
@@ -1,156 +0,0 @@
-@startuml activity-matching
-!theme plain
-title sofarr — Download Matching Activity Diagram
-
-start
-
-:Read cached data from MemoryCache;
-note right
-  poll:sab-queue, poll:sab-history,
-  poll:sonarr-queue, poll:sonarr-history,
-  poll:radarr-queue, poll:radarr-history,
-  poll:sonarr-tags, poll:radarr-tags,
-  poll:qbittorrent
-end note
-
-:Build **seriesMap** from Sonarr queue records
-(seriesId → embedded series object);
-
-:Build **moviesMap** from Radarr queue records
-(movieId → embedded movie object);
-
-:Build **sonarrTagMap** (tagId → label)
-Build **radarrTagMap** (tagId → label);
-
-if (showAll?) then (yes)
-  :Fetch full Emby user list
-  Build **embyUserMap** (lowerName → displayName)
-  [cached 60s];  
-endif
-
-:Initialise **userDownloads** = [];
-
-partition "Process SABnzbd Queue Slots" {
-  while (More queue slots?) is (yes)
-    :Get slot filename (nzbName);
-    :nzbNameLower = nzbName.toLowerCase();
-
-    if (Title matches Sonarr **queue** record?) then (yes)
-      :series = seriesMap.get(match.seriesId)\n|| match.series;
-      if (series exists?) then (yes)
-        :allTags = extractAllTags(series.tags, sonarrTagMap)
-matchedUserTag = extractUserTag(series.tags, sonarrTagMap, username);
-        if (showAll AND hasAnyTag?) then (yes)
-          :Build download object (type=series)
-          Add coverArt, status, progress, speed, eta
-          Add allTags, matchedUserTag
-          Add tagBadges = buildTagBadges(allTags, embyUserMap)
-          Add importIssues if any
-          Add admin fields (paths, arrLink);
-          :Push to **userDownloads**;
-        elseif (NOT showAll AND matchedUserTag?) then (yes)
-          :Build download object (type=series)
-          Add matchedUserTag;
-          :Push to **userDownloads**;
-        endif
-      endif
-    endif
-
-    if (Title matches Radarr **queue** record?) then (yes)
-      :movie = moviesMap.get(match.movieId)\n|| match.movie;
-      if (movie exists?) then (yes)
-        :allTags = extractAllTags(movie.tags, radarrTagMap)
-matchedUserTag = extractUserTag(movie.tags, radarrTagMap, username);
-        if (showAll AND hasAnyTag?) then (yes)
-          :Build download object (type=movie)
-          Add coverArt, status, progress, speed, eta
-          Add allTags, matchedUserTag, tagBadges
-          Add importIssues if any
-          Add admin fields (paths, arrLink);
-          :Push to **userDownloads**;
-        elseif (NOT showAll AND matchedUserTag?) then (yes)
-          :Build download object (type=movie)
-          Add matchedUserTag;
-          :Push to **userDownloads**;
-        endif
-      endif
-    endif
-  endwhile (no)
-}
-
-partition "Process SABnzbd History Slots" {
-  while (More history slots?) is (yes)
-    :Get slot name (nzbName);
-    :nzbNameLower = nzbName.toLowerCase();
-
-    if (Title matches Sonarr **history** record?) then (yes)
-      :series = seriesMap.get(match.seriesId)\n|| match.series;
-      if (series found?) then (yes)
-        :extractAllTags + extractUserTag(username)
-Build download (type=series, completedAt)
-Add allTags, matchedUserTag, tagBadges if showAll;
-        :Push to **userDownloads** if showAll+anyTag or matchedUserTag;
-      endif
-    endif
-
-    if (Title matches Radarr **history** record?) then (yes)
-      :movie = moviesMap.get(match.movieId)\n|| match.movie;
-      if (movie found?) then (yes)
-        :extractAllTags + extractUserTag(username)
-Build download (type=movie, completedAt)
-Add allTags, matchedUserTag, tagBadges if showAll;
-        :Push to **userDownloads** if showAll+anyTag or matchedUserTag;
-      endif
-    endif
-  endwhile (no)
-}
-
-partition "Process qBittorrent Torrents" {
-  while (More torrents?) is (yes)
-    :Get torrent name;
-    :torrentNameLower = name.toLowerCase();
-
-    if (Matches Sonarr **queue**?) then (yes)
-      :Resolve series → check tag;
-      :mapTorrentToDownload() + enrich;
-      :Push if matches → **continue**;
-    elseif (Matches Radarr **queue**?) then (yes)
-      :Resolve movie → check tag;
-      :mapTorrentToDownload() + enrich;
-      :Push if matches → **continue**;
-    elseif (Matches Sonarr **history**?) then (yes)
-      :Resolve series via seriesMap;
-      :mapTorrentToDownload() + enrich;
-      :Push if matches → **continue**;
-    elseif (Matches Radarr **history**?) then (yes)
-      :Resolve movie via moviesMap;
-      :mapTorrentToDownload() + enrich;
-      :Push if matches → **continue**;
-    else (no match)
-      :Skip torrent (unmatched);
-    endif
-  endwhile (no)
-}
-
-:Return JSON response
-{ user, isAdmin, downloads: userDownloads };
-
-stop
-
-legend right
-  **Title Matching Logic**
-  (bidirectional substring, case-insensitive):
-  ""rTitle.includes(dlTitle) || dlTitle.includes(rTitle)""
-
-  **Tag Matching Logic** (tagMatchesUser):
-  1. Exact: tag.toLowerCase() === username
-  2. Sanitised: sanitizeTagLabel(tag) === sanitizeTagLabel(username)
-     (handles Ombi-mangled email-style usernames)
-
-  **extractAllTags**: returns all resolved tag labels
-  **extractUserTag**: returns the ONE label matching current user
-  **buildTagBadges**: classifies each tag against full Emby user
-    list → { label, matchedUser: displayName | null }
-end legend
-
-@enduml
@@ -1,230 +0,0 @@
-@startuml class-data
-!theme plain
-title sofarr — Data Model Diagram
-
-skinparam classAttributeIconSize 0
-
-package "External API Responses" {
-  class "SABnzbd Queue Slot" as sabq {
-    + filename : string
-    + nzbname : string
-    + percentage : string
-    + mb : string
-    + mbmissing : string
-    + size : string
-    + timeleft : string
-    + status : string
-    + storage : string
-  }
-
-  class "SABnzbd History Slot" as sabh {
-    + name : string
-    + nzb_name : string
-    + nzbname : string
-    + status : string
-    + size : string
-    + completed_time : string
-    + storage : string
-  }
-
-  class "Sonarr Queue Record" as sqr {
-    + id : number
-    + seriesId : number
-    + series : SonarrSeries
-    + title : string
-    + sourceTitle : string
-    + trackedDownloadStatus : string
-    + trackedDownloadState : string
-    + statusMessages : StatusMessage[]
-    + errorMessage : string
-  }
-
-  class "Sonarr History Record" as shr {
-    + id : number
-    + seriesId : number
-    + title : string
-    + sourceTitle : string
-    + eventType : string
-  }
-
-  class "SonarrSeries" as ss {
-    + id : number
-    + title : string
-    + titleSlug : string
-    + path : string
-    + tags : number[]
-    + images : Image[]
-    + _instanceUrl : string
-  }
-
-  class "Radarr Queue Record" as rqr {
-    + id : number
-    + movieId : number
-    + movie : RadarrMovie
-    + title : string
-    + sourceTitle : string
-    + trackedDownloadStatus : string
-    + trackedDownloadState : string
-    + statusMessages : StatusMessage[]
-    + errorMessage : string
-  }
-
-  class "Radarr History Record" as rhr {
-    + id : number
-    + movieId : number
-    + title : string
-    + sourceTitle : string
-    + eventType : string
-  }
-
-  class "RadarrMovie" as rm {
-    + id : number
-    + title : string
-    + titleSlug : string
-    + path : string
-    + tags : number[]
-    + images : Image[]
-    + _instanceUrl : string
-  }
-
-  class "Tag" as tag {
-    + id : number
-    + label : string
-  }
-
-  class "Image" as img {
-    + coverType : string
-    + remoteUrl : string
-    + url : string
-  }
-
-  class "StatusMessage" as sm {
-    + title : string
-    + messages : string[]
-  }
-
-  class "qBittorrent Torrent" as qbt {
-    + name : string
-    + hash : string
-    + size : number
-    + completed : number
-    + progress : number (0-1)
-    + state : string
-    + dlspeed : number
-    + eta : number
-    + num_seeds : number
-    + num_leechs : number
-    + availability : number
-    + category : string
-    + tags : string
-    + save_path : string
-    + content_path : string
-    + instanceId : string
-    + instanceName : string
-  }
-
-  class "Emby User" as eu {
-    + Id : string
-    + Name : string
-    + Policy : { IsAdministrator: boolean }
-  }
-
-  sqr *-- ss : embedded\n(includeSeries)
-  rqr *-- rm : embedded\n(includeMovie)
-  sqr *-- sm
-  rqr *-- sm
-  ss *-- img
-  rm *-- img
-}
-
-package "sofarr Internal Models" {
-  class "Download Object" as dl {
-    + type : 'series' | 'movie' | 'torrent'
-    + title : string
-    + coverArt : string | null
-    + status : string
-    + progress : string
-    + mb : string
-    + mbmissing : string
-    + size : string
-    + speed : string
-    + eta : string
-    + seriesName : string | null
-    + movieName : string | null
-    + episodeInfo : object | null
-    + movieInfo : object | null
-    + allTags : string[]
-    + matchedUserTag : string | null
-    + tagBadges : TagBadge[] | undefined
-    + importIssues : string[] | null
-    + downloadPath : string | null
-    + targetPath : string | null
-    + arrLink : string | null
-    + qbittorrent : boolean
-    + seeds : number
-    + peers : number
-    + availability : string
-    + rawSize : number
-    + rawSpeed : number
-    + rawEta : number
-    + hash : string
-    + category : string
-    + completedAt : string
-  }
-
-  class "TagBadge" as tagbadge <<value>> {
-    + label : string
-    + matchedUser : string | null
-  }
-
-  class "API Response\n/user-downloads" as apir {
-    + user : string
-    + isAdmin : boolean
-    + downloads : Download[]
-  }
-
-  class "Status Response\n/status" as statr {
-    + server : ServerInfo
-    + polling : PollingInfo
-    + cache : CacheStats
-    + clients : ClientInfo[]
-  }
-
-  class "ServerInfo" as si {
-    + uptimeSeconds : number
-    + nodeVersion : string
-    + memoryUsageMB : number
-    + heapUsedMB : number
-    + heapTotalMB : number
-  }
-
-  class "PollingInfo" as pi {
-    + enabled : boolean
-    + intervalMs : number
-    + lastPoll : PollTimings
-  }
-
-  class "Session Cookie\nemby_user" as cookie {
-    + id : string
-    + name : string
-    + isAdmin : boolean
-    ' Note: Emby AccessToken intentionally excluded
-  }
-
-  apir *-- dl
-  statr *-- si
-  statr *-- pi
-}
-
-' Data flow connections
-sabq ..> dl : matched &\ntransformed
-sabh ..> dl : matched &\ntransformed
-qbt ..> dl : mapTorrentToDownload()
-ss ..> dl : coverArt, seriesName,\npath, tags
-rm ..> dl : coverArt, movieName,\npath, tags
-tag ..> dl : allTags / matchedUserTag
-eu ..> cookie : login creates
-eu ..> tagbadge : buildTagBadges()
-dl *-- tagbadge : tagBadges[]
-
-@enduml
@@ -1,278 +0,0 @@
-@startuml class-server
-!theme plain
-title sofarr — Server Class / Module Diagram
-
-package "server/index.js" as entry {
-  class "EntryPoint" as ep <<module>> {
-    - LOG_LEVELS : Object
-    - currentLevel : number
-    - logFile : WriteStream
-    + shouldLog(level) : boolean
-    --
-    Logging setup, app.listen(),
-    static files, startPoller()
-  }
-}
-
-package "server/app.js" as appfactory {
-  class "createApp(options?)" as appfn <<factory>> {
-    + createApp(skipRateLimits?) : Express
-    --
-    Mounts helmet (CSP nonce),
-    rate limiters, cookie-parser,
-    auth routes (pre-CSRF),
-    verifyCsrf, all other routes,
-    /health, /ready, error handler
-  }
-}
-
-package "server/routes" {
-  class "auth.js" as auth <<router>> {
-    + POST /login (rate-limited)
-    + GET /me
-    + GET /csrf
-    + POST /logout
-    --
-    Authenticates via Emby API
-    Issues emby_user + csrf_token cookies
-    Stores/revokes Emby tokens server-side
-  }
-
-  class "dashboard.js" as dashboard <<router>> {
-    - activeClients : Map<string, ClientInfo>
-    - CLIENT_STALE_MS : 30000
-    --
-    + GET /stream (SSE, text/event-stream)
-    + GET /user-downloads
-    + GET /user-summary
-    + GET /status
-    + GET /cover-art
-    --
-    - getCoverArt(item) : string|null
-    - extractAllTags(tags, tagMap) : string[]
-    - extractUserTag(tags, tagMap, username) : string|null
-    - buildTagBadges(allTags, embyUserMap) : TagBadge[]
-    - getEmbyUsers() : Promise<Map>
-    - sanitizeTagLabel(input) : string
-    - tagMatchesUser(tag, username) : boolean
-    - getImportIssues(record) : string[]|null
-    - getSonarrLink(series) : string|null
-    - getRadarrLink(movie) : string|null
-    - getActiveClients() : ClientInfo[]
-  }
-
-  class "emby.js" as emby_r <<router>> {
-    + GET /sessions
-    + GET /users/:id
-    + GET /users
-    + GET /session/:sessionId/user
-  }
-
-  class "sabnzbd.js" as sab_r <<router>> {
-    + GET /queue
-    + GET /history
-  }
-
-  class "sonarr.js" as sonarr_r <<router>> {
-    + GET /queue
-    + GET /history
-    + GET /series/:id
-    + GET /series
-  }
-
-  class "radarr.js" as radarr_r <<router>> {
-    + GET /queue
-    + GET /history
-    + GET /movies/:id
-    + GET /movies
-  }
-}
-
-package "server/middleware" {
-  class "requireAuth.js" as requireauth <<middleware>> {
-    + requireAuth(req, res, next) : void
-    --
-    Reads emby_user cookie (signed if COOKIE_SECRET)
-    Validates schema: id, name, isAdmin
-    Attaches user to req.user
-    Returns 401 if absent/tampered/invalid
-  }
-
-  class "verifyCsrf.js" as verifycsrf <<middleware>> {
-    + verifyCsrf(req, res, next) : void
-    --
-    Exempt: GET, HEAD, OPTIONS
-    Compares csrf_token cookie
-    vs X-CSRF-Token header
-    using crypto.timingSafeEqual
-    Returns 403 on mismatch/missing
-  }
-}
-
-package "server/utils" {
-  class "MemoryCache" as cache {
-    - store : Map<string, CacheEntry>
-    + get(key) : any|null
-    + set(key, value, ttlMs) : void
-    + invalidate(key) : void
-    + clear() : void
-    + getStats() : CacheStats
-  }
-
-  class "CacheEntry" as ce <<value>> {
-    + value : any
-    + expiresAt : number
-  }
-
-  class "CacheStats" as cs <<value>> {
-    + entryCount : number
-    + totalSizeBytes : number
-    + entries : CacheEntryStats[]
-  }
-
-  class "Poller" as poller <<module>> {
-    - POLL_INTERVAL : number
-    - POLLING_ENABLED : boolean
-    - polling : boolean
-    - lastPollTimings : PollTimings|null
-    - intervalHandle : number|null
-    --
-    + startPoller() : void
-    + stopPoller() : void
-    + pollAllServices() : Promise<void>
-    + getLastPollTimings() : PollTimings|null
-    --
-    - timed(label, fn) : TimedResult
-  }
-
-  class "PollTimings" as pt <<value>> {
-    + totalMs : number
-    + timestamp : string (ISO)
-    + tasks : { label, ms }[]
-  }
-
-  class "Config" as config <<module>> {
-    + getSABnzbdInstances() : Instance[]
-    + getSonarrInstances() : Instance[]
-    + getRadarrInstances() : Instance[]
-    + getQbittorrentInstances() : Instance[]
-    --
-    - parseInstances(envVar, ...) : Instance[]
-  }
-
-  class "Instance" as inst <<value>> {
-    + id : string
-    + name : string
-    + url : string
-    + apiKey : string
-    + username? : string
-    + password? : string
-  }
-
-  class "QBittorrentClient" as qbt {
-    - id : string
-    - name : string
-    - url : string
-    - username : string
-    - password : string
-    - authCookie : string|null
-    --
-    + login() : Promise<boolean>
-    + makeRequest(endpoint, config) : Promise<Response>
-    + getTorrents() : Promise<Torrent[]>
-  }
-
-  class "qbittorrent.js" as qbt_mod <<module>> {
-    - persistedClients : QBittorrentClient[]|null
-    --
-    + getTorrents() : Promise<Torrent[]>
-    + getClients() : QBittorrentClient[]
-    + mapTorrentToDownload(torrent) : Download
-    + formatBytes(bytes) : string
-    + formatSpeed(bps) : string
-    + formatEta(seconds) : string
-  }
-
-  class "Logger" as logger <<module>> {
-    - logFile : WriteStream
-    + logToFile(message) : void
-  }
-
-  class "TokenStore" as tokenstore <<module>> {
-    - store : Object (in-memory)
-    - STORE_PATH : string (DATA_DIR/tokens.json)
-    - TOKEN_TTL_MS : 31 days
-    --
-    + storeToken(userId, accessToken) : void
-    + getToken(userId) : {accessToken}|null
-    + clearToken(userId) : void
-    --
-    Atomic write (.tmp → rename)
-    Pruned on startup + hourly
-  }
-
-  class "SanitizeError" as sanitize <<module>> {
-    + sanitizeError(err) : string
-    --
-    Redacts: query-param secrets,
-    auth headers, bearer tokens,
-    basic-auth URLs
-  }
-
-  class "TagBadge" as tb <<value>> {
-    + label : string
-    + matchedUser : string | null
-  }
-
-  class "ClientInfo" as ci <<value>> {
-    + user : string
-    + type : 'sse'
-    + connectedAt : number (timestamp)
-    + lastSeen : number (timestamp)
-  }
-}
-
-' Relationships
-ep --> appfn : createApp()
-ep --> poller : startPoller()
-
-appfn --> auth : /api/auth (pre-CSRF)
-appfn --> verifycsrf : /api (all routes below)
-appfn --> dashboard
-appfn --> emby_r
-appfn --> sab_r
-appfn --> sonarr_r
-appfn --> radarr_r
-
-dashboard --> requireauth : uses
-emby_r --> requireauth : uses
-sab_r --> requireauth : uses
-sonarr_r --> requireauth : uses
-radarr_r --> requireauth : uses
-
-auth --> tokenstore : storeToken / getToken / clearToken
-
-dashboard --> cache : read/write
-dashboard --> poller : pollAllServices()
-dashboard --> qbt_mod : mapTorrentToDownload()
-dashboard --> config
-
-poller --> cache : set poll:* keys
-poller --> config : get instances
-poller --> qbt_mod : getTorrents()
-
-qbt_mod --> config : getQbittorrentInstances()
-qbt_mod *-- qbt : creates
-qbt --> logger
-
-cache *-- ce : stores
-cache ..> cs : returns from getStats()
-poller ..> pt : stores/returns
-dashboard *-- ci : stores in activeClients
-
-config ..> inst : returns
-
-auth ..> sanitize : sanitizeError on catch
-dashboard ..> sanitize : sanitizeError on catch
-
-@enduml
@@ -1,118 +0,0 @@
-@startuml component
-!theme plain
-title sofarr — Component Diagram
-
-skinparam componentStyle rectangle
-skinparam packageStyle frame
-
-package "Browser" as browser {
-  [index.html] as html
-  [app.js] as appjs
-  [style.css] as css
-  html ..> appjs : loads
-  html ..> css : loads
-}
-
-package "Express Server" as server {
-
-  [index.js\nEntry Point] as entry
-  [app.js\ncreatApp() factory] as appfactory
-
-  package "Middleware" {
-    [helmet\n(CSP nonce, HSTS)] as hm
-    [express-rate-limit\n(API + login)] as rl
-    [cookie-parser\n(signed cookies)] as cp
-    [express.json\n(64kb limit)] as ej
-    [express.static] as es
-    [requireAuth.js] as requireauth
-    [verifyCsrf.js\n(double-submit)] as verifycsrf
-  }
-
-  package "Routes" as routes {
-    [auth.js\n/api/auth\n(pre-CSRF)] as auth
-    [dashboard.js\n/api/dashboard\n(+SSE /stream)] as dashboard
-    [emby.js\n/api/emby] as emby_route
-    [sabnzbd.js\n/api/sabnzbd] as sab_route
-    [sonarr.js\n/api/sonarr] as sonarr_route
-    [radarr.js\n/api/radarr] as radarr_route
-  }
-
-  package "Utilities" as utils {
-    [poller.js] as poller
-    [cache.js\nMemoryCache] as cache
-    [config.js] as config
-    [qbittorrent.js\nQBittorrentClient] as qbt
-    [tokenStore.js\n(tokens.json)] as tokenstore
-    [sanitizeError.js] as sanitize
-    [logger.js] as logger
-  }
-
-  entry --> appfactory : createApp()
-  entry --> es : serve public/
-  entry --> poller : startPoller()
-
-  appfactory --> hm
-  appfactory --> rl
-  appfactory --> cp
-  appfactory --> ej
-  appfactory --> auth : mount before verifyCsrf
-  appfactory --> verifycsrf : applied to all /api below
-  appfactory --> dashboard
-  appfactory --> emby_route
-  appfactory --> sab_route
-  appfactory --> sonarr_route
-  appfactory --> radarr_route
-
-  emby_route --> requireauth
-  sab_route --> requireauth
-  sonarr_route --> requireauth
-  radarr_route --> requireauth
-  dashboard --> requireauth
-
-  auth --> tokenstore : storeToken / getToken / clearToken
-
-  dashboard --> cache : read poll:* keys
-  dashboard --> poller : pollAllServices()\n(on-demand mode)
-  dashboard --> config : getSonarrInstances()\ngetRadarrInstances()
-  dashboard --> qbt : mapTorrentToDownload()
-
-  poller --> cache : set poll:* keys
-  poller --> config : get all instances
-  poller --> qbt : getTorrents()
-  poller --> logger
-
-  qbt --> config : getQbittorrentInstances()
-  qbt --> logger
-
-  auth ..> sanitize
-  dashboard ..> sanitize
-
-  note "Browser uses EventSource\n(SSE) to /stream.\nServer pushes on each\npoll cycle — no client timer." as sseNote
-  sseNote .. dashboard
-}
-
-cloud "External Services" as external {
-  [Emby / Jellyfin] as emby
-  [SABnzbd] as sab
-  [Sonarr] as sonarr
-  [Radarr] as radarr
-  [qBittorrent] as qbit
-}
-
-auth --> emby : authenticate\nuser profile
-dashboard --> emby : GET /Users\n(user-summary + tag badge classification)
-emby_route --> emby
-sab_route --> sab
-sonarr_route --> sonarr
-radarr_route --> radarr
-
-poller --> sab : queue + history
-poller --> sonarr : tags + queue + history
-poller --> radarr : tags + queue + history
-qbt --> qbit : login + torrents/info
-
-appjs --> auth : POST /login\nGET /me
-appjs --> dashboard : GET /user-downloads\nGET /status
-es --> html : serve static
-
-@enduml
@@ -1,104 +0,0 @@
-@startuml seq-auth
-!theme plain
-title sofarr — Authentication Sequence
-
-actor User as user
-participant "Browser\n(app.js)" as browser
-participant "Express\n/api/auth" as auth
-participant "TokenStore\n(tokens.json)" as tokens
-participant "Emby\nServer" as emby
-
-== Page Load ==
-user -> browser : Navigate to sofarr
-activate browser
-browser -> auth : GET /api/auth/me
-activate auth
-auth -> auth : Read emby_user cookie\n(signed if COOKIE_SECRET set)
-alt Cookie exists and valid
-  auth --> browser : { authenticated: true, user: { name, isAdmin } }
-  browser -> auth : GET /api/auth/csrf
-  activate auth
-  auth -> auth : Generate 32-byte hex csrfToken
-  auth --> browser : { csrfToken } + Set csrf_token cookie
-  deactivate auth
-  browser -> browser : store csrfToken in memory
-  browser -> browser : showDashboard()
-  browser -> browser : startAutoRefresh()
-  browser -> browser : dismissSplash()
-else No cookie / tampered
-  auth --> browser : { authenticated: false }
-  browser -> browser : dismissSplash()
-  browser -> browser : showLogin()
-end
-deactivate auth
-
-== Login ==
-user -> browser : Enter username + password\n(+ optional rememberMe checkbox)
-browser -> auth : POST /api/auth/login\n{ username, password, rememberMe }
-activate auth
-note right of auth
-  Rate limiter: max 10 failed
-  attempts per IP / 15 min
-  (successful requests excluded)
-end note
-auth -> emby : POST /Users/authenticatebyname\n{ Username, Pw }\nX-Emby-Authorization: MediaBrowser\nDeviceId = sha256(username)[0:16]
-activate emby
-alt Valid credentials
-  emby --> auth : { User: { Id }, AccessToken }
-  auth -> emby : GET /Users/{userId}\nX-MediaBrowser-Token: AccessToken
-  emby --> auth : { Name, Policy: { IsAdministrator } }
-  deactivate emby
-  auth -> tokens : storeToken(userId, AccessToken)
-  note right of tokens
-    Stored server-side only.
-    Never sent to the client.
-    31-day TTL, atomic JSON write.
-  end note
-  auth -> auth : Set emby_user cookie\n{ id, name, isAdmin }\nhttpOnly, sameSite=strict\nsecure (prod), signed (COOKIE_SECRET)\nrememberMe=true → Max-Age 30d\nrememberMe=false → session cookie
-  auth -> auth : Generate csrfToken\n(32-byte random hex)
-  auth -> auth : Set csrf_token cookie\nhttpOnly=false (JS-readable)\nsameSite=strict, secure (prod)
-  auth --> browser : { success: true, user, csrfToken }
-  browser -> browser : store csrfToken in memory
-  browser -> browser : fadeOutLogin()
-  browser -> browser : showDashboard()
-  browser -> browser : startAutoRefresh()
-  browser -> browser : dismissSplash()
-else Invalid credentials
-  emby --> auth : 401 Error
-  deactivate emby
-  auth --> browser : { success: false, error: "Invalid username or password" }
-  browser -> browser : showLoginError()
-end
-deactivate auth
-
-== CSRF Token Refresh (after page reload) ==
-note over browser : csrfToken lost from memory\non hard page reload
-browser -> auth : GET /api/auth/csrf
-activate auth
-auth -> auth : Generate new csrfToken
-auth --> browser : { csrfToken } + new csrf_token cookie
-deactivate auth
-browser -> browser : store new csrfToken in memory
-
-== Logout ==
-user -> browser : Click Logout
-browser -> browser : stopAutoRefresh()
-browser -> auth : POST /api/auth/logout\n(no CSRF required — auth routes\nexempt; sameSite:strict protects)
-activate auth
-auth -> auth : Parse emby_user cookie → user
-auth -> tokens : getToken(user.id)
-activate tokens
-tokens --> auth : { accessToken }
-deactivate tokens
-auth -> emby : POST /Sessions/Logout\nX-MediaBrowser-Token: accessToken
-activate emby
-emby --> auth : 204 / error (ignored)
-deactivate emby
-auth -> tokens : clearToken(user.id)
-auth -> auth : clearCookie(emby_user)\nclearCookie(csrf_token)
-auth --> browser : { success: true }
-deactivate auth
-browser -> browser : showLogin()
-
-deactivate browser
-@enduml
@@ -1,67 +0,0 @@
-@startuml seq-dashboard
-!theme plain
-title sofarr — Dashboard SSE Stream Sequence
-
-actor User as user
-participant "Browser\n(app.js)" as browser
-participant "Express\n/api/dashboard" as dashboard
-participant "MemoryCache" as cache
-participant "Poller" as poller
-participant "External\nServices" as ext
-
-== SSE Connection (on login / page load) ==
-user -> browser : Login success\nor valid session
-activate browser
-browser -> dashboard : GET /api/dashboard/stream\n(EventSource, Cookie: emby_user)
-activate dashboard
-
-dashboard -> dashboard : requireAuth: parse cookie\nextract username, isAdmin
-dashboard -> dashboard : Set headers:\nContent-Type: text/event-stream\nX-Accel-Buffering: no
-dashboard -> dashboard : Register in activeClients Map\n{ user, type:'sse', connectedAt }
-
-alt Polling disabled AND cache empty
-  dashboard -> poller : pollAllServices()
-  activate poller
-  poller -> ext : Parallel API calls
-  ext --> poller : Raw data
-  poller -> cache : set poll:* keys (TTL=30s)
-  deactivate poller
-end
-
-== Initial Payload (sent immediately on connect) ==
-dashboard -> cache : get all poll:* keys
-dashboard -> dashboard : Build seriesMap, moviesMap,\nsonarrTagMap, radarrTagMap
-alt showAll=true
-  dashboard -> cache : get('emby:users')
-  alt cache miss
-    dashboard -> ext : GET /Users (Emby)
-    ext --> dashboard : [{ Name, ... }]
-    dashboard -> cache : set('emby:users', map, 60s)
-  end
-end
-dashboard -> dashboard : Match SABnzbd/qBit downloads\nvs Sonarr/Radarr records\nextractUserTag / buildTagBadges
-dashboard --> browser : data: { user, isAdmin, downloads }
-browser -> browser : hideLoading()\nrenderDownloads()
-
-== Pushed Updates (on every poll cycle) ==
-loop Each poll cycle completes
-  poller -> poller : pollAllServices() complete
-  poller -> dashboard : onPollComplete callback fires
-  dashboard -> cache : get all poll:* keys
-  dashboard -> dashboard : Rebuild download payload
-  dashboard --> browser : data: { user, isAdmin, downloads }
-  browser -> browser : renderDownloads() (diff-based)
-end
-
-== Heartbeat (every 25s) ==
-dashboard --> browser : : heartbeat
-note right : Keeps connection alive\nthrough idle-timeout proxies
-
-== Client Disconnects ==
-user -> browser : Close tab / logout
-browser -> dashboard : TCP close (req 'close' event)
-dashboard -> dashboard : offPollComplete(callback)\nclearInterval(heartbeat)\ndelete activeClients[key]
-deactivate dashboard
-deactivate browser
-
-@enduml
@@ -1,93 +0,0 @@
-@startuml seq-polling
-!theme plain
-title sofarr — Background Polling Cycle
-
-participant "index.js\n(startup)" as entry
-participant "Poller" as poller
-participant "Config" as config
-participant "SABnzbd\n(per instance)" as sab
-participant "Sonarr\n(per instance)" as sonarr
-participant "Radarr\n(per instance)" as radarr
-participant "qBittorrent\nClient" as qbt
-participant "MemoryCache" as cache
-
-== Startup ==
-entry -> poller : startPoller()
-activate poller
-
-alt POLL_INTERVAL > 0
-  poller -> poller : pollAllServices() (immediate)
-  poller -> poller : setInterval(pollAllServices,\nPOLL_INTERVAL)
-else POLL_INTERVAL = 0
-  poller --> entry : "Polling disabled, on-demand mode"
-end
-
-== Poll Cycle ==
-poller -> poller : Check: polling flag?\n(skip if concurrent)
-poller -> poller : polling = true
-poller -> poller : start = Date.now()
-
-poller -> config : getSABnzbdInstances()
-config --> poller : [{ id, url, apiKey }]
-poller -> config : getSonarrInstances()
-config --> poller : [{ id, url, apiKey }]
-poller -> config : getRadarrInstances()
-config --> poller : [{ id, url, apiKey }]
-
-note over poller : All fetches run in\nparallel via Promise.all,\neach wrapped in timed()
-
-par SABnzbd Queue
-  poller -> sab : GET /api?mode=queue
-  sab --> poller : { queue: { slots, status, speed } }
-and SABnzbd History
-  poller -> sab : GET /api?mode=history&limit=10
-  sab --> poller : { history: { slots } }
-and Sonarr Tags
-  poller -> sonarr : GET /api/v3/tag
-  sonarr --> poller : [{ id, label }]
-and Sonarr Queue
-  poller -> sonarr : GET /api/v3/queue\n?includeSeries=true
-  sonarr --> poller : { records: [{ seriesId, series, ... }] }
-and Sonarr History
-  poller -> sonarr : GET /api/v3/history\n?pageSize=10
-  sonarr --> poller : { records: [{ seriesId, ... }] }
-and Radarr Queue
-  poller -> radarr : GET /api/v3/queue\n?includeMovie=true
-  radarr --> poller : { records: [{ movieId, movie, ... }] }
-and Radarr History
-  poller -> radarr : GET /api/v3/history\n?pageSize=10
-  radarr --> poller : { records: [{ movieId, ... }] }
-and Radarr Tags
-  poller -> radarr : GET /api/v3/tag
-  radarr --> poller : [{ id, label }]
-and qBittorrent
-  poller -> qbt : getTorrents()
-  qbt --> poller : [{ name, progress, ... }]
-end
-
-poller -> poller : Record per-task timings\nlastPollTimings = { totalMs,\ntimestamp, tasks: [{label, ms}] }
-
-poller -> poller : cacheTTL = POLL_INTERVAL × 3
-
-poller -> cache : set('poll:sab-queue', ..., cacheTTL)
-poller -> cache : set('poll:sab-history', ..., cacheTTL)
-poller -> cache : set('poll:sonarr-tags', ..., cacheTTL)
-
-note over poller : Tag queue records with\n_instanceUrl on embedded\nseries/movie objects
-
-poller -> cache : set('poll:sonarr-queue', ..., cacheTTL)
-poller -> cache : set('poll:sonarr-history', ..., cacheTTL)
-poller -> cache : set('poll:radarr-queue', ..., cacheTTL)
-poller -> cache : set('poll:radarr-history', ..., cacheTTL)
-poller -> cache : set('poll:radarr-tags', ..., cacheTTL)
-poller -> cache : set('poll:qbittorrent', ..., cacheTTL)
-
-poller -> poller : Notify SSE subscribers\npollSubscribers.forEach(cb => cb())
-
-note over poller : Each registered SSE client\ncallback rebuilds its payload\nand writes a data: frame
-
-poller -> poller : polling = false\nlog elapsed time
-
-deactivate poller
-
-@enduml
@@ -1,67 +0,0 @@
-@startuml state-poller
-!theme plain
-title sofarr — Poller State Diagram
-
-[*] --> CheckConfig : startPoller()
-
-state CheckConfig <<choice>>
-CheckConfig --> Disabled : POLL_INTERVAL = 0\nor 'off' / 'false'
-CheckConfig --> Idle : POLL_INTERVAL > 0
-
-state Disabled {
-  state "On-demand mode\nNo background timer" as od
-  od : Data fetched only when\na dashboard request\nfinds empty cache
-}
-
-Disabled --> Polling : pollAllServices()\n(triggered by dashboard request)
-Polling --> Disabled : Poll complete\n(return to on-demand)
-
-state Idle {
-  state "Waiting for\nnext interval" as waiting
-}
-
-Idle --> Polling : setInterval fires\nor immediate first poll
-
-state Polling {
-  state "polling = true" as lock
-  state "Fetching all services\n(Promise.all)" as fetching
-  state "Storing results\nin cache" as storing
-  state "Recording timings" as timing
-
-  [*] --> lock
-  lock --> fetching
-  fetching --> storing : All promises resolved
-  fetching --> ErrorState : Any individual service\nerror (caught per-service)
-  storing --> notifying : Cache updated
-  state "Notifying SSE\nsubscribers" as notifying
-  notifying --> timing
-  timing --> [*] : polling = false
-}
-
-state ErrorState as "Handle Error" {
-  state "Log error\npolling = false" as err
-}
-
-ErrorState --> Idle : Next interval
-Polling --> Idle : Poll complete\n(back to waiting)
-
-state "Concurrent Poll\nAttempt" as skip {
-  state "polling === true\n→ skip" as sk
-}
-
-Idle --> skip : Interval fires while\nprevious still running
-skip --> Idle : Log "still running,\nskipping"
-
-note right of Polling
-  **Cache TTL**: POLL_INTERVAL × 3
-  Ensures data survives between polls
-  even if one cycle is slow.
-end note
-
-note right of Disabled
-  **Cache TTL**: 30000ms (30s)
-  After expiry, next dashboard
-  request triggers a fresh poll.
-end note
-
-@enduml
@@ -1,73 +0,0 @@
-@startuml state-ui
-!theme plain
-title sofarr — Frontend UI State Diagram
-
-[*] --> SplashScreen : Page load
-
-state SplashScreen {
-  state "Showing splash\n(min 1.2s)" as showing
-}
-
-SplashScreen --> CheckAuth : checkAuthentication()
-
-state CheckAuth <<choice>>
-CheckAuth --> LoginForm : No session cookie
-CheckAuth --> Dashboard : Valid session
-
-state LoginForm {
-  state "Idle" as lf_idle
-  state "Submitting" as lf_submit
-  state "Error" as lf_error
-
-  lf_idle --> lf_submit : Submit form
-  lf_submit --> lf_error : Auth failed
-  lf_error --> lf_submit : Re-submit
-  lf_submit --> FadeOutLogin : Auth success
-}
-
-state FadeOutLogin {
-  state "CSS transition\n(opacity → 0)" as fade
-}
-
-FadeOutLogin --> SplashScreen2 : Show splash\nwhile loading
-
-state SplashScreen2 as "Splash (loading data)" {
-  state "startSSE() — awaiting\nfirst SSE message" as fetching
-}
-
-SplashScreen2 --> Dashboard : Data loaded\ndismissSplash()
-
-state Dashboard {
-  state "Rendering Cards" as rendering
-  state "Status Panel Open" as status_open
-  state "Status Panel Closed" as status_closed
-
-  [*] --> rendering
-  rendering --> rendering : SSE message received
-→ renderDownloads()
-  rendering --> rendering : Theme change
-
-  status_closed --> status_open : Click "Status" btn
-(admin only)
-  status_open --> status_closed : Click close (×)
-  status_open --> status_open : 5s timer
-→ renderStatusPanel()
-
-  [*] --> status_closed
-
-  state "SSE Connection" as sse {
-    state "Connecting" as sc
-    state "Connected" as scon
-    state "Reconnecting" as srec
-    sc --> scon : First message received
-    scon --> srec : Connection lost
-    srec --> scon : Browser auto-reconnects
-    scon --> sc : showAll toggle changed
-  }
-}
-
-Dashboard --> LoginForm : Logout
-(stopSSE,
-clear state)
-
-@enduml
@@ -1,12 +1,12 @@
 {
  "name": "sofarr",
-  "version": "0.1.5",
+  "version": "1.3.1",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "sofarr",
-      "version": "0.1.5",
+      "version": "1.3.1",
      "license": "MIT",
      "dependencies": {
        "axios": "^1.6.0",
@@ -14,7 +14,9 @@
        "dotenv": "^16.3.1",
        "express": "^4.18.2",
        "express-rate-limit": "^7.0.0",
-        "helmet": "^7.0.0"
+        "helmet": "^7.0.0",
+        "jsdom": "^29.1.1",
+        "xmlrpc": "^1.3.2"
      },
      "devDependencies": {
        "@vitest/coverage-v8": "^4.1.6",
@@ -25,6 +27,53 @@
        "vitest": "^4.1.6"
      }
    },
+    "node_modules/@asamuzakjp/css-color": {
+      "version": "5.1.11",
+      "resolved": "https://registry.npmjs.org/@asamuzakjp/css-color/-/css-color-5.1.11.tgz",
+      "integrity": "sha512-KVw6qIiCTUQhByfTd78h2yD1/00waTmm9uy/R7Ck/ctUyAPj+AEDLkQIdJW0T8+qGgj3j5bpNKK7Q3G+LedJWg==",
+      "license": "MIT",
+      "dependencies": {
+        "@asamuzakjp/generational-cache": "^1.0.1",
+        "@csstools/css-calc": "^3.2.0",
+        "@csstools/css-color-parser": "^4.1.0",
+        "@csstools/css-parser-algorithms": "^4.0.0",
+        "@csstools/css-tokenizer": "^4.0.0"
+      },
+      "engines": {
+        "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+      }
+    },
+    "node_modules/@asamuzakjp/dom-selector": {
+      "version": "7.1.1",
+      "resolved": "https://registry.npmjs.org/@asamuzakjp/dom-selector/-/dom-selector-7.1.1.tgz",
+      "integrity": "sha512-67RZDnYRc8H/8MLDgQCDE//zoqVFwajkepHZgmXrbwybzXOEwOWGPYGmALYl9J2DOLfFPPs6kKCqmbzV895hTQ==",
+      "license": "MIT",
+      "dependencies": {
+        "@asamuzakjp/generational-cache": "^1.0.1",
+        "@asamuzakjp/nwsapi": "^2.3.9",
+        "bidi-js": "^1.0.3",
+        "css-tree": "^3.2.1",
+        "is-potential-custom-element-name": "^1.0.1"
+      },
+      "engines": {
+        "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+      }
+    },
+    "node_modules/@asamuzakjp/generational-cache": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/@asamuzakjp/generational-cache/-/generational-cache-1.0.1.tgz",
+      "integrity": "sha512-wajfB8KqzMCN2KGNFdLkReeHncd0AslUSrvHVvvYWuU8ghncRJoA50kT3zP9MVL0+9g4/67H+cdvBskj9THPzg==",
+      "license": "MIT",
+      "engines": {
+        "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+      }
+    },
+    "node_modules/@asamuzakjp/nwsapi": {
+      "version": "2.3.9",
+      "resolved": "https://registry.npmjs.org/@asamuzakjp/nwsapi/-/nwsapi-2.3.9.tgz",
+      "integrity": "sha512-n8GuYSrI9bF7FFZ/SjhwevlHc8xaVlb/7HmHelnc/PZXBD2ZR49NnN9sMMuDdEGPeeRQ5d0hqlSlEpgCX3Wl0Q==",
+      "license": "MIT"
+    },
    "node_modules/@babel/helper-string-parser": {
      "version": "7.27.1",
      "resolved": "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.27.1.tgz",
@@ -95,6 +144,152 @@
        "node": ">=18"
      }
    },
+    "node_modules/@bramus/specificity": {
+      "version": "2.4.2",
+      "resolved": "https://registry.npmjs.org/@bramus/specificity/-/specificity-2.4.2.tgz",
+      "integrity": "sha512-ctxtJ/eA+t+6q2++vj5j7FYX3nRu311q1wfYH3xjlLOsczhlhxAg2FWNUXhpGvAw3BWo1xBcvOV6/YLc2r5FJw==",
+      "license": "MIT",
+      "dependencies": {
+        "css-tree": "^3.0.0"
+      },
+      "bin": {
+        "specificity": "bin/cli.js"
+      }
+    },
+    "node_modules/@csstools/color-helpers": {
+      "version": "6.0.2",
+      "resolved": "https://registry.npmjs.org/@csstools/color-helpers/-/color-helpers-6.0.2.tgz",
+      "integrity": "sha512-LMGQLS9EuADloEFkcTBR3BwV/CGHV7zyDxVRtVDTwdI2Ca4it0CCVTT9wCkxSgokjE5Ho41hEPgb8OEUwoXr6Q==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/csstools"
+        },
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/csstools"
+        }
+      ],
+      "license": "MIT-0",
+      "engines": {
+        "node": ">=20.19.0"
+      }
+    },
+    "node_modules/@csstools/css-calc": {
+      "version": "3.2.1",
+      "resolved": "https://registry.npmjs.org/@csstools/css-calc/-/css-calc-3.2.1.tgz",
+      "integrity": "sha512-DtdHlgXh5ZkA43cwBcAm+huzgJiwx3ZTWVjBs94kwz2xKqSimDA3lBgCjphYgwgVUMWatSM0pDd8TILB1yrVVg==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/csstools"
+        },
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/csstools"
+        }
+      ],
+      "license": "MIT",
+      "engines": {
+        "node": ">=20.19.0"
+      },
+      "peerDependencies": {
+        "@csstools/css-parser-algorithms": "^4.0.0",
+        "@csstools/css-tokenizer": "^4.0.0"
+      }
+    },
+    "node_modules/@csstools/css-color-parser": {
+      "version": "4.1.1",
+      "resolved": "https://registry.npmjs.org/@csstools/css-color-parser/-/css-color-parser-4.1.1.tgz",
+      "integrity": "sha512-eZ5XOtyhK+mggRafYUWzA0tvaYOFgdY8AkgQiCJF9qNAePnUo/zmsqqYubBBb3sQ8uNUaSKTY9s9klfRaAXL0g==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/csstools"
+        },
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/csstools"
+        }
+      ],
+      "license": "MIT",
+      "dependencies": {
+        "@csstools/color-helpers": "^6.0.2",
+        "@csstools/css-calc": "^3.2.1"
+      },
+      "engines": {
+        "node": ">=20.19.0"
+      },
+      "peerDependencies": {
+        "@csstools/css-parser-algorithms": "^4.0.0",
+        "@csstools/css-tokenizer": "^4.0.0"
+      }
+    },
+    "node_modules/@csstools/css-parser-algorithms": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/@csstools/css-parser-algorithms/-/css-parser-algorithms-4.0.0.tgz",
+      "integrity": "sha512-+B87qS7fIG3L5h3qwJ/IFbjoVoOe/bpOdh9hAjXbvx0o8ImEmUsGXN0inFOnk2ChCFgqkkGFQ+TpM5rbhkKe4w==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/csstools"
+        },
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/csstools"
+        }
+      ],
+      "license": "MIT",
+      "engines": {
+        "node": ">=20.19.0"
+      },
+      "peerDependencies": {
+        "@csstools/css-tokenizer": "^4.0.0"
+      }
+    },
+    "node_modules/@csstools/css-syntax-patches-for-csstree": {
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/@csstools/css-syntax-patches-for-csstree/-/css-syntax-patches-for-csstree-1.1.4.tgz",
+      "integrity": "sha512-wgsqt92b7C7tQhIdPNxj0n9zuUbQlvAuI1exyzeNrOKOi62SD7ren8zqszmpVREjAOqg8cD2FqYhQfAuKjk4sw==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/csstools"
+        },
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/csstools"
+        }
+      ],
+      "license": "MIT-0",
+      "peerDependencies": {
+        "css-tree": "^3.2.1"
+      },
+      "peerDependenciesMeta": {
+        "css-tree": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@csstools/css-tokenizer": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/@csstools/css-tokenizer/-/css-tokenizer-4.0.0.tgz",
+      "integrity": "sha512-QxULHAm7cNu72w97JUNCBFODFaXpbDg+dP8b/oWFAZ2MTRppA3U00Y2L1HqaS4J6yBqxwa/Y3nMBaxVKbB/NsA==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/csstools"
+        },
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/csstools"
+        }
+      ],
+      "license": "MIT",
+      "engines": {
+        "node": ">=20.19.0"
+      }
+    },
    "node_modules/@emnapi/core": {
      "version": "1.10.0",
      "resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.10.0.tgz",
@@ -129,6 +324,23 @@
        "tslib": "^2.4.0"
      }
    },
+    "node_modules/@exodus/bytes": {
+      "version": "1.15.0",
+      "resolved": "https://registry.npmjs.org/@exodus/bytes/-/bytes-1.15.0.tgz",
+      "integrity": "sha512-UY0nlA+feH81UGSHv92sLEPLCeZFjXOuHhrIo0HQydScuQc8s0A7kL/UdgwgDq8g8ilksmuoF35YVTNphV2aBQ==",
+      "license": "MIT",
+      "engines": {
+        "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+      },
+      "peerDependencies": {
+        "@noble/hashes": "^1.8.0 || ^2.0.0"
+      },
+      "peerDependenciesMeta": {
+        "@noble/hashes": {
+          "optional": true
+        }
+      }
+    },
    "node_modules/@jridgewell/resolve-uri": {
      "version": "3.1.2",
      "resolved": "https://registry.npmjs.org/@jridgewell/resolve-uri/-/resolve-uri-3.1.2.tgz",
@@ -198,7 +410,7 @@
      "version": "1.8.0",
      "resolved": "https://registry.npmjs.org/@noble/hashes/-/hashes-1.8.0.tgz",
      "integrity": "sha512-jCs9ldd7NwzpgXDIf6P3+NrHh9/sD6CQdxHyjQI+h/6rDNo88ypBxxz45UDuZHz9r3tNz7N/VInSVoVdtXEI4A==",
-      "dev": true,
+      "devOptional": true,
      "license": "MIT",
      "engines": {
        "node": "^14.21.3 || >=16"
@@ -854,6 +1066,15 @@
        "node": "18 || 20 || >=22"
      }
    },
+    "node_modules/bidi-js": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/bidi-js/-/bidi-js-1.0.3.tgz",
+      "integrity": "sha512-RKshQI1R3YQ+n9YJz2QQ147P66ELpa1FQEg20Dk8oW9t2KgLbpDLLp9aGZ7y8WHSshDknG0bknqGw5/tyCs5tw==",
+      "license": "MIT",
+      "dependencies": {
+        "require-from-string": "^2.0.2"
+      }
+    },
    "node_modules/binary-extensions": {
      "version": "2.3.0",
      "resolved": "https://registry.npmjs.org/binary-extensions/-/binary-extensions-2.3.0.tgz",
@@ -1168,6 +1389,32 @@
      "dev": true,
      "license": "MIT"
    },
+    "node_modules/css-tree": {
+      "version": "3.2.1",
+      "resolved": "https://registry.npmjs.org/css-tree/-/css-tree-3.2.1.tgz",
+      "integrity": "sha512-X7sjQzceUhu1u7Y/ylrRZFU2FS6LRiFVp6rKLPg23y3x3c3DOKAwuXGDp+PAGjh6CSnCjYeAul8pcT8bAl+lSA==",
+      "license": "MIT",
+      "dependencies": {
+        "mdn-data": "2.27.1",
+        "source-map-js": "^1.2.1"
+      },
+      "engines": {
+        "node": "^10 || ^12.20.0 || ^14.13.0 || >=15.0.0"
+      }
+    },
+    "node_modules/data-urls": {
+      "version": "7.0.0",
+      "resolved": "https://registry.npmjs.org/data-urls/-/data-urls-7.0.0.tgz",
+      "integrity": "sha512-23XHcCF+coGYevirZceTVD7NdJOqVn+49IHyxgszm+JIiHLoB2TkmPtsYkNWT1pvRSGkc35L6NHs0yHkN2SumA==",
+      "license": "MIT",
+      "dependencies": {
+        "whatwg-mimetype": "^5.0.0",
+        "whatwg-url": "^16.0.0"
+      },
+      "engines": {
+        "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+      }
+    },
    "node_modules/date-fns": {
      "version": "2.30.0",
      "resolved": "https://registry.npmjs.org/date-fns/-/date-fns-2.30.0.tgz",
@@ -1194,6 +1441,12 @@
        "ms": "2.0.0"
      }
    },
+    "node_modules/decimal.js": {
+      "version": "10.6.0",
+      "resolved": "https://registry.npmjs.org/decimal.js/-/decimal.js-10.6.0.tgz",
+      "integrity": "sha512-YpgQiITW3JXGntzdUmyUR1V812Hn8T1YVXhCu+wO3OpS4eU9l4YdD3qjyiKdV6mvV29zapkMeD390UVEf2lkUg==",
+      "license": "MIT"
+    },
    "node_modules/delayed-stream": {
      "version": "1.0.0",
      "resolved": "https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz",
@@ -1291,6 +1544,18 @@
        "node": ">= 0.8"
      }
    },
+    "node_modules/entities": {
+      "version": "8.0.0",
+      "resolved": "https://registry.npmjs.org/entities/-/entities-8.0.0.tgz",
+      "integrity": "sha512-zwfzJecQ/Uej6tusMqwAqU/6KL2XaB2VZ2Jg54Je6ahNBGNH6Ek6g3jjNCF0fG9EWQKGZNddNjU5F1ZQn/sBnA==",
+      "license": "BSD-2-Clause",
+      "engines": {
+        "node": ">=20.19.0"
+      },
+      "funding": {
+        "url": "https://github.com/fb55/entities?sponsor=1"
+      }
+    },
    "node_modules/es-define-property": {
      "version": "1.0.1",
      "resolved": "https://registry.npmjs.org/es-define-property/-/es-define-property-1.0.1.tgz",
@@ -1713,6 +1978,18 @@
        "node": ">=16.0.0"
      }
    },
+    "node_modules/html-encoding-sniffer": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/html-encoding-sniffer/-/html-encoding-sniffer-6.0.0.tgz",
+      "integrity": "sha512-CV9TW3Y3f8/wT0BRFc1/KAVQ3TUHiXmaAb6VW9vtiMFf7SLoMd1PdAc4W3KFOFETBJUb90KatHqlsZMWV+R9Gg==",
+      "license": "MIT",
+      "dependencies": {
+        "@exodus/bytes": "^1.6.0"
+      },
+      "engines": {
+        "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+      }
+    },
    "node_modules/html-escaper": {
      "version": "2.0.2",
      "resolved": "https://registry.npmjs.org/html-escaper/-/html-escaper-2.0.2.tgz",
@@ -1873,6 +2150,12 @@
        "node": ">=0.12.0"
      }
    },
+    "node_modules/is-potential-custom-element-name": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/is-potential-custom-element-name/-/is-potential-custom-element-name-1.0.1.tgz",
+      "integrity": "sha512-bCYeRA2rVibKZd+s2625gGnGF/t7DSqDs4dP7CrLA1m7jKWz6pps0LpYLJN8Q64HtmPKJ1hrN3nzPNKFEKOUiQ==",
+      "license": "MIT"
+    },
    "node_modules/istanbul-lib-coverage": {
      "version": "3.2.2",
      "resolved": "https://registry.npmjs.org/istanbul-lib-coverage/-/istanbul-lib-coverage-3.2.2.tgz",
@@ -1932,6 +2215,46 @@
      "dev": true,
      "license": "MIT"
    },
+    "node_modules/jsdom": {
+      "version": "29.1.1",
+      "resolved": "https://registry.npmjs.org/jsdom/-/jsdom-29.1.1.tgz",
+      "integrity": "sha512-ECi4Fi2f7BdJtUKTflYRTiaMxIB0O6zfR1fX0GXpUrf6flp8QIYn1UT20YQqdSOfk2dfkCwS8LAFoJDEppNK5Q==",
+      "license": "MIT",
+      "dependencies": {
+        "@asamuzakjp/css-color": "^5.1.11",
+        "@asamuzakjp/dom-selector": "^7.1.1",
+        "@bramus/specificity": "^2.4.2",
+        "@csstools/css-syntax-patches-for-csstree": "^1.1.3",
+        "@exodus/bytes": "^1.15.0",
+        "css-tree": "^3.2.1",
+        "data-urls": "^7.0.0",
+        "decimal.js": "^10.6.0",
+        "html-encoding-sniffer": "^6.0.0",
+        "is-potential-custom-element-name": "^1.0.1",
+        "lru-cache": "^11.3.5",
+        "parse5": "^8.0.1",
+        "saxes": "^6.0.0",
+        "symbol-tree": "^3.2.4",
+        "tough-cookie": "^6.0.1",
+        "undici": "^7.25.0",
+        "w3c-xmlserializer": "^5.0.0",
+        "webidl-conversions": "^8.0.1",
+        "whatwg-mimetype": "^5.0.0",
+        "whatwg-url": "^16.0.1",
+        "xml-name-validator": "^5.0.0"
+      },
+      "engines": {
+        "node": "^20.19.0 || ^22.13.0 || >=24.0.0"
+      },
+      "peerDependencies": {
+        "canvas": "^3.0.0"
+      },
+      "peerDependenciesMeta": {
+        "canvas": {
+          "optional": true
+        }
+      }
+    },
    "node_modules/json-stringify-safe": {
      "version": "5.0.1",
      "resolved": "https://registry.npmjs.org/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz",
@@ -2207,6 +2530,15 @@
      "dev": true,
      "license": "MIT"
    },
+    "node_modules/lru-cache": {
+      "version": "11.3.6",
+      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-11.3.6.tgz",
+      "integrity": "sha512-Gf/KoL3C/MlI7Bt0PGI9I+TeTC/I6r/csU58N4BSNc4lppLBeKsOdFYkK+dX0ABDUMJNfCHTyPpzwwO21Awd3A==",
+      "license": "BlueOak-1.0.0",
+      "engines": {
+        "node": "20 || >=22"
+      }
+    },
    "node_modules/magic-string": {
      "version": "0.30.21",
      "resolved": "https://registry.npmjs.org/magic-string/-/magic-string-0.30.21.tgz",
@@ -2254,6 +2586,12 @@
        "node": ">= 0.4"
      }
    },
+    "node_modules/mdn-data": {
+      "version": "2.27.1",
+      "resolved": "https://registry.npmjs.org/mdn-data/-/mdn-data-2.27.1.tgz",
+      "integrity": "sha512-9Yubnt3e8A0OKwxYSXyhLymGW4sCufcLG6VdiDdUGVkPhpqLxlvP5vl1983gQjJl3tqbrM731mjaZaP68AgosQ==",
+      "license": "CC0-1.0"
+    },
    "node_modules/media-typer": {
      "version": "0.3.0",
      "resolved": "https://registry.npmjs.org/media-typer/-/media-typer-0.3.0.tgz",
@@ -2518,6 +2856,18 @@
      "dev": true,
      "license": "MIT"
    },
+    "node_modules/parse5": {
+      "version": "8.0.1",
+      "resolved": "https://registry.npmjs.org/parse5/-/parse5-8.0.1.tgz",
+      "integrity": "sha512-z1e/HMG90obSGeidlli3hj7cbocou0/wa5HacvI3ASx34PecNjNQeaHNo5WIZpWofN9kgkqV1q5YvXe3F0FoPw==",
+      "license": "MIT",
+      "dependencies": {
+        "entities": "^8.0.0"
+      },
+      "funding": {
+        "url": "https://github.com/inikulin/parse5?sponsor=1"
+      }
+    },
    "node_modules/parseurl": {
      "version": "1.3.3",
      "resolved": "https://registry.npmjs.org/parseurl/-/parseurl-1.3.3.tgz",
@@ -2628,6 +2978,15 @@
      "dev": true,
      "license": "MIT"
    },
+    "node_modules/punycode": {
+      "version": "2.3.1",
+      "resolved": "https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz",
+      "integrity": "sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=6"
+      }
+    },
    "node_modules/qs": {
      "version": "6.15.2",
      "resolved": "https://registry.npmjs.org/qs/-/qs-6.15.2.tgz",
@@ -2690,6 +3049,15 @@
        "node": ">=0.10.0"
      }
    },
+    "node_modules/require-from-string": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/require-from-string/-/require-from-string-2.0.2.tgz",
+      "integrity": "sha512-Xf0nWe6RseziFMu+Ap9biiUbmplq6S9/p+7w7YXP/JBHhrUDDUhwa+vANyubuqfZWTveU//DYVGsDG7RKL/vEw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
    "node_modules/rolldown": {
      "version": "1.0.1",
      "resolved": "https://registry.npmjs.org/rolldown/-/rolldown-1.0.1.tgz",
@@ -2760,6 +3128,24 @@
      "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==",
      "license": "MIT"
    },
+    "node_modules/sax": {
+      "version": "1.2.4",
+      "resolved": "https://registry.npmjs.org/sax/-/sax-1.2.4.tgz",
+      "integrity": "sha512-NqVDv9TpANUjFm0N8uM5GxL36UgKi9/atZw+x7YFnQ8ckwFGKrl4xX4yWtrey3UJm5nP1kUbnYgLopqWNSRhWw==",
+      "license": "ISC"
+    },
+    "node_modules/saxes": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/saxes/-/saxes-6.0.0.tgz",
+      "integrity": "sha512-xAg7SOnEhrm5zI3puOOKyy1OMcMlIJZYNJY7xLBwSze0UjhPLnWfj2GF2EpT0jmzaJKIWKHLsaSSajf35bcYnA==",
+      "license": "ISC",
+      "dependencies": {
+        "xmlchars": "^2.2.0"
+      },
+      "engines": {
+        "node": ">=v12.22.7"
+      }
+    },
    "node_modules/semver": {
      "version": "7.8.0",
      "resolved": "https://registry.npmjs.org/semver/-/semver-7.8.0.tgz",
@@ -2933,7 +3319,6 @@
      "version": "1.2.1",
      "resolved": "https://registry.npmjs.org/source-map-js/-/source-map-js-1.2.1.tgz",
      "integrity": "sha512-UXWMKhLOwVKb728IUtQPXxfYU+usdybtUrK/8uGE8CQMvrhOpwvzDBwj0QhSL7MQc7vIsISBG8VQ8+IDQxpfQA==",
-      "dev": true,
      "license": "BSD-3-Clause",
      "engines": {
        "node": ">=0.10.0"
@@ -3103,6 +3488,12 @@
        "url": "https://github.com/chalk/supports-color?sponsor=1"
      }
    },
+    "node_modules/symbol-tree": {
+      "version": "3.2.4",
+      "resolved": "https://registry.npmjs.org/symbol-tree/-/symbol-tree-3.2.4.tgz",
+      "integrity": "sha512-9QNk5KwDF+Bvz+PyObkmSYjI5ksVUYtjW7AU22r2NKcfLJcXp96hkDWU3+XndOsUb+AQ9QhfzfCT2O+CNWT5Tw==",
+      "license": "MIT"
+    },
    "node_modules/tinybench": {
      "version": "2.9.0",
      "resolved": "https://registry.npmjs.org/tinybench/-/tinybench-2.9.0.tgz",
@@ -3178,6 +3569,24 @@
        "node": ">=14.0.0"
      }
    },
+    "node_modules/tldts": {
+      "version": "7.0.30",
+      "resolved": "https://registry.npmjs.org/tldts/-/tldts-7.0.30.tgz",
+      "integrity": "sha512-ELrFxuqsDdHUwoh0XxDbxuLD3Wnz49Z57IFvTtvWy1hJdcMZjXLIuonjilCiWHlT2GbE4Wlv1wKVTzDFnXH1aw==",
+      "license": "MIT",
+      "dependencies": {
+        "tldts-core": "^7.0.30"
+      },
+      "bin": {
+        "tldts": "bin/cli.js"
+      }
+    },
+    "node_modules/tldts-core": {
+      "version": "7.0.30",
+      "resolved": "https://registry.npmjs.org/tldts-core/-/tldts-core-7.0.30.tgz",
+      "integrity": "sha512-uiHN8PIB1VmWyS98eZYja4xzlYqeFZVjb4OuYlJQnZAuJhMw4PbKQOKgHKhBdJR3FE/t5mUQ1Kd80++B+qhD1Q==",
+      "license": "MIT"
+    },
    "node_modules/to-regex-range": {
      "version": "5.0.1",
      "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz",
@@ -3210,6 +3619,30 @@
        "nodetouch": "bin/nodetouch.js"
      }
    },
+    "node_modules/tough-cookie": {
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-6.0.1.tgz",
+      "integrity": "sha512-LktZQb3IeoUWB9lqR5EWTHgW/VTITCXg4D21M+lvybRVdylLrRMnqaIONLVb5mav8vM19m44HIcGq4qASeu2Qw==",
+      "license": "BSD-3-Clause",
+      "dependencies": {
+        "tldts": "^7.0.5"
+      },
+      "engines": {
+        "node": ">=16"
+      }
+    },
+    "node_modules/tr46": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/tr46/-/tr46-6.0.0.tgz",
+      "integrity": "sha512-bLVMLPtstlZ4iMQHpFHTR7GAGj2jxi8Dg0s2h2MafAE4uSWF98FC/3MomU51iQAMf8/qDUbKWf5GxuvvVcXEhw==",
+      "license": "MIT",
+      "dependencies": {
+        "punycode": "^2.3.1"
+      },
+      "engines": {
+        "node": ">=20"
+      }
+    },
    "node_modules/tree-kill": {
      "version": "1.2.2",
      "resolved": "https://registry.npmjs.org/tree-kill/-/tree-kill-1.2.2.tgz",
@@ -3247,6 +3680,15 @@
      "dev": true,
      "license": "MIT"
    },
+    "node_modules/undici": {
+      "version": "7.25.0",
+      "resolved": "https://registry.npmjs.org/undici/-/undici-7.25.0.tgz",
+      "integrity": "sha512-xXnp4kTyor2Zq+J1FfPI6Eq3ew5h6Vl0F/8d9XU5zZQf1tX9s2Su1/3PiMmUANFULpmksxkClamIZcaUqryHsQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=20.18.1"
+      }
+    },
    "node_modules/unpipe": {
      "version": "1.0.0",
      "resolved": "https://registry.npmjs.org/unpipe/-/unpipe-1.0.0.tgz",
@@ -3468,6 +3910,50 @@
        "url": "https://github.com/sponsors/jonschlinkert"
      }
    },
+    "node_modules/w3c-xmlserializer": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/w3c-xmlserializer/-/w3c-xmlserializer-5.0.0.tgz",
+      "integrity": "sha512-o8qghlI8NZHU1lLPrpi2+Uq7abh4GGPpYANlalzWxyWteJOCsr/P+oPBA49TOLu5FTZO4d3F9MnWJfiMo4BkmA==",
+      "license": "MIT",
+      "dependencies": {
+        "xml-name-validator": "^5.0.0"
+      },
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/webidl-conversions": {
+      "version": "8.0.1",
+      "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-8.0.1.tgz",
+      "integrity": "sha512-BMhLD/Sw+GbJC21C/UgyaZX41nPt8bUTg+jWyDeg7e7YN4xOM05YPSIXceACnXVtqyEw/LMClUQMtMZ+PGGpqQ==",
+      "license": "BSD-2-Clause",
+      "engines": {
+        "node": ">=20"
+      }
+    },
+    "node_modules/whatwg-mimetype": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/whatwg-mimetype/-/whatwg-mimetype-5.0.0.tgz",
+      "integrity": "sha512-sXcNcHOC51uPGF0P/D4NVtrkjSU2fNsm9iog4ZvZJsL3rjoDAzXZhkm2MWt1y+PUdggKAYVoMAIYcs78wJ51Cw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=20"
+      }
+    },
+    "node_modules/whatwg-url": {
+      "version": "16.0.1",
+      "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-16.0.1.tgz",
+      "integrity": "sha512-1to4zXBxmXHV3IiSSEInrreIlu02vUOvrhxJJH5vcxYTBDAx51cqZiKdyTxlecdKNSjj8EcxGBxNf6Vg+945gw==",
+      "license": "MIT",
+      "dependencies": {
+        "@exodus/bytes": "^1.11.0",
+        "tr46": "^6.0.0",
+        "webidl-conversions": "^8.0.1"
+      },
+      "engines": {
+        "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+      }
+    },
    "node_modules/why-is-node-running": {
      "version": "2.3.0",
      "resolved": "https://registry.npmjs.org/why-is-node-running/-/why-is-node-running-2.3.0.tgz",
@@ -3510,6 +3996,44 @@
      "dev": true,
      "license": "ISC"
    },
+    "node_modules/xml-name-validator": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/xml-name-validator/-/xml-name-validator-5.0.0.tgz",
+      "integrity": "sha512-EvGK8EJ3DhaHfbRlETOWAS5pO9MZITeauHKJyb8wyajUfQUenkIg2MvLDTZ4T/TgIcm3HU0TFBgWWboAZ30UHg==",
+      "license": "Apache-2.0",
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/xmlbuilder": {
+      "version": "8.2.2",
+      "resolved": "https://registry.npmjs.org/xmlbuilder/-/xmlbuilder-8.2.2.tgz",
+      "integrity": "sha512-eKRAFz04jghooy8muekqzo8uCSVNeyRedbuJrp0fovbLIi7wlsYtdUn3vBAAPq2Y3/0xMz2WMEUQ8yhVVO9Stw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=4.0"
+      }
+    },
+    "node_modules/xmlchars": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/xmlchars/-/xmlchars-2.2.0.tgz",
+      "integrity": "sha512-JZnDKK8B0RCDw84FNdDAIpZK+JuJw+s7Lz8nksI7SIuU3UXJJslUthsi+uWBUYOwPFwW7W7PRLRfUKpxjtjFCw==",
+      "license": "MIT"
+    },
+    "node_modules/xmlrpc": {
+      "version": "1.3.2",
+      "resolved": "https://registry.npmjs.org/xmlrpc/-/xmlrpc-1.3.2.tgz",
+      "integrity": "sha512-jQf5gbrP6wvzN71fgkcPPkF4bF/Wyovd7Xdff8d6/ihxYmgETQYSuTc+Hl+tsh/jmgPLro/Aro48LMFlIyEKKQ==",
+      "license": "MIT",
+      "dependencies": {
+        "sax": "1.2.x",
+        "xmlbuilder": "8.2.x"
+      },
+      "engines": {
+        "node": ">=0.8",
+        "npm": ">=1.0.0"
+      }
+    },
    "node_modules/y18n": {
      "version": "5.0.8",
      "resolved": "https://registry.npmjs.org/y18n/-/y18n-5.0.8.tgz",
@@ -1,6 +1,6 @@
 {
  "name": "sofarr",
-  "version": "1.0.0",
+  "version": "1.6.0",
  "description": "A personal media download dashboard that shows your downloads 'so far' while you relax on the sofa waiting for your *arr services to finish",
  "main": "server/index.js",
  "scripts": {
@@ -21,7 +21,9 @@
    "dotenv": "^16.3.1",
    "express": "^4.18.2",
    "express-rate-limit": "^7.0.0",
-    "helmet": "^7.0.0"
+    "helmet": "^7.0.0",
+    "jsdom": "^29.1.1",
+    "xmlrpc": "^1.3.2"
  },
  "devDependencies": {
    "@vitest/coverage-v8": "^4.1.6",
@@ -0,0 +1,5 @@
+Contact: mailto:gordon@i3omb.com
+Expires: 2026-12-31T23:59:00.000Z
+Preferred-Languages: en
+Canonical: https://git.i3omb.com/Gandalf/sofarr
+Policy: https://git.i3omb.com/Gandalf/sofarr/src/branch/main/SECURITY.md
@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" xml:space="preserve" viewBox="0 0 512 512"><path d="m256.1 2.6 142 217.2c91 139.2-4.7 289.6-142.1 289.6S22.8 358.9 113.9 219.8z" style="fill-rule:evenodd;clip-rule:evenodd;fill:#4c90e8;stroke:#094491;stroke-width:3.1904"/><path d="M306.7 255.2c-77.6-31.7-118.4 49.2-105.4 87C229.5 424.4 335.8 445 414.2 308c0 0 .8 16.5 1.7 24.4 10.5 99.9-73.5 163.4-158.6 162.2s-111.1-34.3-136.2-72.3C80.4 360.6 90.5 260 145.2 212.9c62.5-51.6 131.2-24 161.5 42.3" style="fill-rule:evenodd;clip-rule:evenodd;fill:#094491"/><path d="M257.9 225.3c-87 2.1-103.5 102.3-79.4 145.3 33.5 59.7 84.3 71.2 153.8 49.1-39.7 43.2-121.2 54.6-176.5-7.1-38.1-42.4-41.4-101.6-15-151.1 26.5-49.4 79.2-63.2 117.1-36.2" style="fill-rule:evenodd;clip-rule:evenodd;fill:#83b8f9"/></svg>
@@ -0,0 +1 @@
+<svg height="1024" viewBox="0 0 1024 1024" width="1024" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><linearGradient id="a" gradientUnits="userSpaceOnUse" x1="348.2829" x2="782.05951" y1="0" y2="786.48322"><stop offset="0" stop-color="#72b4f5"/><stop offset="1" stop-color="#356ebf"/></linearGradient><g fill="none" fill-rule="evenodd" transform="matrix(.97656268 0 0 .9765624 11.999908 12.000051)"><circle cx="512" cy="512" fill="url(#a)" r="496" stroke="#daefff" stroke-width="32"/><path d="m712.898 332.399q66.657 0 103.38 45.671 37.03 45.364 37.03 128.684 0 83.32-37.34 129.61-37.03 45.98-103.07 45.98-33.02 0-60.484-12.035-27.156-12.344-45.672-37.649h-3.703l-10.8 43.512h-36.724v-480.172h51.227v116.65q0 39.191-2.469 70.359h2.47q35.796-50.61 106.155-50.61zm-7.406 42.894q-52.46 0-75.605 30.242-23.145 29.934-23.145 101.219 0 71.285 23.762 102.145 23.761 30.55 76.222 30.55 47.215 0 70.36-34.254 23.144-34.562 23.144-99.058 0-66.04-23.144-98.442-23.145-32.402-71.594-32.402z" fill="#fff"/><path d="m317.273 639.45q51.227 0 74.68-27.466 23.453-27.464 24.996-92.578v-11.418q0-70.976-24.07-102.144-24.07-31.168-76.223-31.168-45.055 0-69.125 35.18-23.762 34.87-23.762 98.75 0 63.879 23.454 97.515 23.761 33.328 70.05 33.328zm-7.715 42.894q-65.421 0-102.144-45.98-36.723-45.981-36.723-128.376 0-83.011 37.032-129.609 37.03-46.598 103.07-46.598 69.433 0 106.773 52.461h2.778l7.406-46.289h40.426v490.047h-51.227v-144.73q0-30.86 3.395-52.461h-4.012q-35.488 51.535-106.774 51.535z" fill="#c8e8ff"/></g></svg>
@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1000 1000"><path fill="#f5f5f5000" stroke="#f5f5f5" stroke-linejoin="round" stroke-width="74" d="M200.4 39.3h598.1v437.8h161l-460.1 483L39.4 477h161z"/><path fill="#ffb300" fill-rule="evenodd" d="M200.4 39.3h598.1v437.8h161l-460.1 483-460-483h161z"/><path fill="#ffca28" fill-rule="evenodd" d="M499.4 960.2 201.1 39.4h596.7z"/><path fill="#f5f5f5000" stroke="#f5f5f5" stroke-linecap="round" stroke-linejoin="round" stroke-width="74" d="M329.2 843.5H83v-51.8h146.1v-45.9H83V596.9h246.2v51.5H183.1v45.9h146.1zm292.2 0H375.2V694.3h146.1v-45.9H375.2v-51.5h246.2zm-146.1-97.8h46v46h-46zm192.1 97.8v-344h100.1v97.4h146.1v246.6zm100.1-195.2h46v143.4h-46z"/><path fill="#0f0f0f" fill-rule="evenodd" d="M329.2 843.5H83v-51.8h146.1v-45.9H83V596.9h246.2v51.5H183.1v45.9h146.1zm292.2 0H375.2V694.3h146.1v-45.9H375.2v-51.5h246.2zm-146.1-51.8h46v-46h-46zm192.1 51.9v-344h100.1V597h146.1v246.6zm100.1-51.9h46V648.4h-46z"/></svg>
@@ -18,7 +18,7 @@

    <div class="app">
        <!-- Login Form -->
-        <div id="login-container" class="login-container" style="display: none;">
+        <div id="login-container" class="login-container hidden">
            <div class="login-box">
                <img src="images/sofarr-flashscreen.png" alt="sofarr" class="login-logo">
                <p class="login-subtitle">Login with your Emby credentials</p>
@@ -39,21 +39,21 @@
                    </div>
                    <button type="submit" class="login-btn">Login</button>
                </form>
-                <div id="login-error" class="error-message" style="display: none;"></div>
+                <div id="login-error" class="error-message hidden"></div>
            </div>
        </div>

        <!-- Dashboard -->
-        <div id="dashboard-container" class="dashboard-container" style="display: none;">
+        <div id="dashboard-container" class="dashboard-container hidden">
            <header class="app-header">
-                <h1>sofarr</h1>
+                <h1><a href="#" class="title-link" id="title-home-link"><img src="favicon-192.png" alt="" class="title-logo">sofarr</a></h1>
                <div class="header-controls">
                    <div class="theme-switcher">
                        <button class="theme-btn active" data-theme="light">Light</button>
                        <button class="theme-btn" data-theme="dark">Dark</button>
                        <button class="theme-btn" data-theme="mono">Mono</button>
                    </div>
-                    <div id="admin-controls" class="admin-controls" style="display: none;">
+                    <div id="admin-controls" class="admin-controls hidden">
                        <label class="toggle-label">
                            <input type="checkbox" id="show-all-toggle">
                            <span>Show all users</span>
@@ -68,23 +68,137 @@
                </div>
            </header>

-            <div id="status-panel" class="status-panel" style="display: none;"></div>
+            <div id="status-panel" class="status-panel hidden">
+                <!-- Status content gets rendered here -->
+                <div id="status-content"><p class="status-loading">Loading status...</p></div>
+            </div>

-            <div id="error-message" class="error-message" style="display: none;"></div>
-
-            <div id="loading" class="loading" style="display: none;">Loading downloads...</div>
-
-            <div class="downloads-container">
-                <h2>Your Downloads</h2>
-                <div id="no-downloads" class="no-downloads" style="display: none;">
-                    <p>No downloads found for your user.</p>
-                    <p>Make sure your shows and movies are tagged with your username in Sonarr/Radarr.</p>
+            <!-- Webhooks Configuration Panel (sibling to status-panel) -->
+            <div class="webhooks-section hidden" id="webhooks-section">
+                <div class="webhooks-header" id="webhooks-header">
+                    <h2>⚡ Webhooks Configuration</h2>
+                    <span class="webhooks-toggle" id="webhooks-toggle">▼</span>
+                </div>
+                <div class="webhooks-content hidden" id="webhooks-content">
+                    <div id="webhook-loading" class="webhook-loading hidden">Loading webhook status...</div>
+
+                    <!-- Sonarr Webhook -->
+                    <div class="webhook-instance">
+                        <h3>Sonarr</h3>
+                        <div class="webhook-status">
+                            <span class="status-indicator" id="sonarr-status">○ Disabled</span>
+                            <button id="enable-sonarr-webhook" class="enable-webhook-btn hidden">Enable Sofarr Webhooks</button>
+                            <button id="test-sonarr-webhook" class="test-webhook-btn hidden">Test</button>
+                        </div>
+                        <div class="webhook-triggers hidden" id="sonarr-triggers">
+                            <div class="trigger-item"><span class="trigger-label">On Grab</span><span class="trigger-value" id="sonarr-onGrab">✗</span></div>
+                            <div class="trigger-item"><span class="trigger-label">On Download</span><span class="trigger-value" id="sonarr-onDownload">✗</span></div>
+                            <div class="trigger-item"><span class="trigger-label">On Import</span><span class="trigger-value" id="sonarr-onImport">✗</span></div>
+                            <div class="trigger-item"><span class="trigger-label">On Upgrade</span><span class="trigger-value" id="sonarr-onUpgrade">✗</span></div>
+                        </div>
+                        <div class="webhook-stats hidden" id="sonarr-stats">
+                            <div class="webhook-stats-title">Statistics</div>
+                            <div class="webhook-stats-grid">
+                                <div class="webhook-stat"><span class="webhook-stat-label">Events Received</span><span class="webhook-stat-value" id="sonarr-events">0</span></div>
+                                <div class="webhook-stat"><span class="webhook-stat-label">Polls Skipped</span><span class="webhook-stat-value" id="sonarr-polls">0</span></div>
+                                <div class="webhook-stat"><span class="webhook-stat-label">Last Event</span><span class="webhook-stat-value" id="sonarr-last">Never</span></div>
+                            </div>
+                        </div>
+                    </div>
+
+                    <!-- Radarr Webhook -->
+                    <div class="webhook-instance">
+                        <h3>Radarr</h3>
+                        <div class="webhook-status">
+                            <span class="status-indicator" id="radarr-status">○ Disabled</span>
+                            <button id="enable-radarr-webhook" class="enable-webhook-btn hidden">Enable Sofarr Webhooks</button>
+                            <button id="test-radarr-webhook" class="test-webhook-btn hidden">Test</button>
+                        </div>
+                        <div class="webhook-triggers hidden" id="radarr-triggers">
+                            <div class="trigger-item"><span class="trigger-label">On Grab</span><span class="trigger-value" id="radarr-onGrab">✗</span></div>
+                            <div class="trigger-item"><span class="trigger-label">On Download</span><span class="trigger-value" id="radarr-onDownload">✗</span></div>
+                            <div class="trigger-item"><span class="trigger-label">On Import</span><span class="trigger-value" id="radarr-onImport">✗</span></div>
+                            <div class="trigger-item"><span class="trigger-label">On Upgrade</span><span class="trigger-value" id="radarr-onUpgrade">✗</span></div>
+                        </div>
+                        <div class="webhook-stats hidden" id="radarr-stats">
+                            <div class="webhook-stats-title">Statistics</div>
+                            <div class="webhook-stats-grid">
+                                <div class="webhook-stat"><span class="webhook-stat-label">Events Received</span><span class="webhook-stat-value" id="radarr-events">0</span></div>
+                                <div class="webhook-stat"><span class="webhook-stat-label">Polls Skipped</span><span class="webhook-stat-value" id="radarr-polls">0</span></div>
+                                <div class="webhook-stat"><span class="webhook-stat-label">Last Event</span><span class="webhook-stat-value" id="radarr-last">Never</span></div>
+                            </div>
+                        </div>
+                    </div>
+                </div>
+            </div>
+
+            <div id="error-message" class="error-message hidden"></div>
+
+            <div id="loading" class="loading hidden">Loading downloads...</div>
+
+            <div class="main-tabs">
+                <div class="tab-bar">
+                    <button class="tab-btn active" data-tab="downloads">Active Downloads</button>
+                    <button class="tab-btn" data-tab="history">Recently Completed</button>
+                </div>
+
+                <div class="tab-panel" id="tab-downloads">
+                    <div class="downloads-container">
+                        <div class="downloads-header">
+                            <div class="downloads-controls">
+                                <label class="download-client-label" for="download-client-filter">Download client:</label>
+                                <div class="download-client-filter" id="download-client-filter">
+                                    <button class="download-client-dropdown-btn" id="download-client-dropdown-btn" type="button" aria-expanded="false">
+                                        <span id="download-client-selected-text">All clients</span>
+                                        <span class="dropdown-arrow">▼</span>
+                                    </button>
+                                    <div class="download-client-dropdown" id="download-client-dropdown">
+                                        <div class="download-client-dropdown-header">
+                                            <button class="download-client-dropdown-btn-small" id="download-client-select-all" type="button">Select All</button>
+                                            <button class="download-client-dropdown-btn-small" id="download-client-deselect-all" type="button">Deselect All</button>
+                                        </div>
+                                        <div class="download-client-options" id="download-client-options">
+                                            <!-- Options will be populated by JavaScript -->
+                                        </div>
+                                    </div>
+                                </div>
+                            </div>
+                        </div>
+                        <div id="no-downloads" class="no-downloads hidden">
+                            <p>No downloads found for your user.</p>
+                            <p>Make sure your shows and movies are tagged with your username in Sonarr/Radarr.</p>
+                        </div>
+                        <div id="downloads-list" class="downloads-list"></div>
+                    </div>
+                </div>
+
+                <div class="tab-panel hidden" id="tab-history">
+                    <div class="history-container" id="history-container">
+                        <div class="history-header">
+                            <div class="history-controls">
+                                <label class="history-days-label" for="history-days">Last</label>
+                                <input type="number" id="history-days" class="history-days-input" value="7" min="1" max="90">
+                                <span class="history-days-label">days</span>
+                                <button id="history-refresh-btn" class="history-refresh-btn" title="Refresh history">&#8635;</button>
+                                <label class="history-toggle-label" id="ignore-available-label" data-tooltip="Hide failed downloads where the item is already available on disk (i.e. a failed upgrade attempt)">
+                                    <input type="checkbox" id="ignore-available-toggle">
+                                    <span>Hide upgrade failures</span>
+                                </label>
+                            </div>
+                        </div>
+                        <div id="history-loading" class="history-loading hidden">Loading history...</div>
+                        <div id="history-error" class="history-error hidden"></div>
+                        <div id="no-history" class="no-history hidden">
+                            <p>No completed downloads found in this period.</p>
+                        </div>
+                        <div id="history-list" class="history-list"></div>
+                    </div>
                </div>
-                <div id="downloads-list" class="downloads-list"></div>
            </div>

            <footer class="app-footer">
                <p>Ensure your media is tagged with your username in Sonarr/Radarr to match downloads to users.</p>
+                <a href="https://git.i3omb.com/Gandalf/sofarr" target="_blank" rel="noopener noreferrer" class="app-version" id="app-version"></a>
            </footer>
        </div>
    </div>
@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 /**
 * Express application factory — imported by both server/index.js (production)
 * and the test suite. Keeping app creation separate from app.listen() means
@@ -16,7 +17,10 @@ const sonarrRoutes = require('./routes/sonarr');
 const radarrRoutes = require('./routes/radarr');
 const embyRoutes = require('./routes/emby');
 const dashboardRoutes = require('./routes/dashboard');
+const statusRoutes = require('./routes/status');
+const historyRoutes = require('./routes/history');
 const authRoutes = require('./routes/auth');
+const webhookRoutes = require('./routes/webhook');
 const verifyCsrf = require('./middleware/verifyCsrf');

 function createApp({ skipRateLimits = false } = {}) {
@@ -92,6 +96,7 @@ function createApp({ skipRateLimits = false } = {}) {
  // API routes
  app.use('/api', apiLimiter);
  app.use('/api/auth', authRoutes);
+  app.use('/api/webhook', webhookRoutes);

  // CSRF protection for all state-changing API requests below
  app.use('/api', verifyCsrf);
@@ -100,6 +105,8 @@ function createApp({ skipRateLimits = false } = {}) {
  app.use('/api/radarr', radarrRoutes);
  app.use('/api/emby', embyRoutes);
  app.use('/api/dashboard', dashboardRoutes);
+  app.use('/api/status', statusRoutes);
+  app.use('/api/history', historyRoutes);

  // Global error handler
  // eslint-disable-next-line no-unused-vars
@@ -0,0 +1,78 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+
+/**
+ * Abstract base class for all *arr data retrievers.
+ * Defines the common interface that all retrievers must implement.
+ * This pluggable layer enables future retrieval strategies (e.g., webhook listeners)
+ * to push normalized data directly into the existing cache and SSE system
+ * without touching the poller logic.
+ */
+class ArrRetriever {
+  /**
+   * @param {Object} instanceConfig - Configuration for this retriever instance
+   * @param {string} instanceConfig.id - Unique identifier for this instance
+   * @param {string} instanceConfig.name - Display name for this instance
+   * @param {string} instanceConfig.url - Base URL for the *arr API
+   * @param {string} instanceConfig.apiKey - API key for authentication
+   */
+  constructor(instanceConfig) {
+    if (this.constructor === ArrRetriever) {
+      throw new Error('ArrRetriever is an abstract class and cannot be instantiated directly');
+    }
+    
+    this.id = instanceConfig.id;
+    this.name = instanceConfig.name;
+    this.url = instanceConfig.url;
+    this.apiKey = instanceConfig.apiKey;
+  }
+
+  /**
+   * Get the retriever type identifier (e.g., 'sonarr', 'radarr')
+   * @returns {string} The retriever type
+   */
+  getRetrieverType() {
+    throw new Error('getRetrieverType() must be implemented by subclass');
+  }
+
+  /**
+   * Get the unique instance ID
+   * @returns {string} The instance ID
+   */
+  getInstanceId() {
+    return this.id;
+  }
+
+  /**
+   * Get tags from this *arr instance
+   * @returns {Promise<Array>} Array of tag objects
+   */
+  async getTags() {
+    throw new Error('getTags() must be implemented by subclass');
+  }
+
+  /**
+   * Get queue from this *arr instance
+   * @returns {Promise<Object>} Queue object with records array
+   */
+  async getQueue() {
+    throw new Error('getQueue() must be implemented by subclass');
+  }
+
+  /**
+   * Get history from this *arr instance
+   * @param {Object} options - Optional parameters for history fetch
+   * @param {number} [options.pageSize] - Number of records to fetch
+   * @param {string} [options.sortKey] - Field to sort by
+   * @param {string} [options.sortDir] - Sort direction ('ascending' or 'descending')
+   * @param {boolean} [options.includeSeries] - Include series data (Sonarr)
+   * @param {boolean} [options.includeEpisode] - Include episode data (Sonarr)
+   * @param {boolean} [options.includeMovie] - Include movie data (Radarr)
+   * @param {string} [options.startDate] - ISO date string for filtering
+   * @returns {Promise<Object>} History object with records array
+   */
+  async getHistory(options = {}) {
+    throw new Error('getHistory() must be implemented by subclass');
+  }
+}
+
+module.exports = ArrRetriever;
@@ -0,0 +1,103 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+
+/**
+ * Abstract base class for all download clients.
+ * Defines the common interface that all download clients must implement.
+ */
+class DownloadClient {
+  /**
+   * @param {Object} instanceConfig - Configuration for this client instance
+   * @param {string} instanceConfig.id - Unique identifier for this instance
+   * @param {string} instanceConfig.name - Display name for this instance
+   * @param {string} instanceConfig.url - Base URL for the client API
+   * @param {string} [instanceConfig.apiKey] - API key for authentication (if applicable)
+   * @param {string} [instanceConfig.username] - Username for authentication (if applicable)
+   * @param {string} [instanceConfig.password] - Password for authentication (if applicable)
+   */
+  constructor(instanceConfig) {
+    if (this.constructor === DownloadClient) {
+      throw new Error('DownloadClient is an abstract class and cannot be instantiated directly');
+    }
+    
+    this.id = instanceConfig.id;
+    this.name = instanceConfig.name;
+    this.url = instanceConfig.url;
+    this.apiKey = instanceConfig.apiKey;
+    this.username = instanceConfig.username;
+    this.password = instanceConfig.password;
+  }
+
+  /**
+   * Get the client type identifier (e.g., 'qbittorrent', 'sabnzbd', 'transmission')
+   * @returns {string} The client type
+   */
+  getClientType() {
+    throw new Error('getClientType() must be implemented by subclass');
+  }
+
+  /**
+   * Get the unique instance ID
+   * @returns {string} The instance ID
+   */
+  getInstanceId() {
+    return this.id;
+  }
+
+  /**
+   * Test connection to the download client
+   * @returns {Promise<boolean>} True if connection is successful
+   */
+  async testConnection() {
+    throw new Error('testConnection() must be implemented by subclass');
+  }
+
+  /**
+   * Get active downloads from this client
+   * @returns {Promise<Array<NormalizedDownload>>} Array of normalized download objects
+   */
+  async getActiveDownloads() {
+    throw new Error('getActiveDownloads() must be implemented by subclass');
+  }
+
+  /**
+   * Optional: Get client status information
+   * @returns {Promise<Object|null>} Client status object or null if not supported
+   */
+  async getClientStatus() {
+    return null; // Default implementation - optional method
+  }
+
+  /**
+   * Normalize a download object to the standard schema
+   * @param {Object} download - Raw download object from client
+   * @returns {NormalizedDownload} Normalized download object
+   */
+  normalizeDownload(download) {
+    throw new Error('normalizeDownload() must be implemented by subclass');
+  }
+}
+
+/**
+ * @typedef {Object} NormalizedDownload
+ * @property {string} id - Client-specific unique ID
+ * @property {string} title - Download title/name
+ * @property {'usenet'|'torrent'} type - Download type
+ * @property {string} client - Client identifier ('sabnzbd', 'qbittorrent', 'transmission', etc.)
+ * @property {string} instanceId - Instance identifier
+ * @property {string} instanceName - Instance display name
+ * @property {string} status - Normalized status (Downloading, Seeding, Paused, etc.)
+ * @property {number} progress - Progress percentage (0-100)
+ * @property {number} size - Total size in bytes
+ * @property {number} downloaded - Downloaded bytes
+ * @property {number} speed - Current speed in bytes/sec
+ * @property {number|null} eta - Estimated time remaining in seconds, null if unknown
+ * @property {string|undefined} category - Download category (optional)
+ * @property {string[]|undefined} tags - Download tags (optional)
+ * @property {string|undefined} savePath - Save path (optional)
+ * @property {string|undefined} addedOn - Added timestamp (optional)
+ * @property {number|undefined} arrQueueId - Sonarr/Radarr queue ID (optional)
+ * @property {'series'|'movie'|undefined} arrType - Sonarr/Radarr type (optional)
+ * @property {any|undefined} raw - Original client response (escape hatch)
+ */
+
+module.exports = DownloadClient;
@@ -0,0 +1,134 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+const axios = require('axios');
+const ArrRetriever = require('./ArrRetriever');
+const { logToFile } = require('../utils/logger');
+
+/**
+ * Polling-based Radarr data retriever.
+ * Implements the ArrRetriever interface using direct HTTP polling.
+ */
+class PollingRadarrRetriever extends ArrRetriever {
+  constructor(instanceConfig) {
+    super(instanceConfig);
+  }
+
+  getRetrieverType() {
+    return 'radarr';
+  }
+
+  /**
+   * Get tags from Radarr instance
+   * @returns {Promise<Array>} Array of tag objects
+   */
+  async getTags() {
+    try {
+      const response = await axios.get(`${this.url}/api/v3/tag`, {
+        headers: { 'X-Api-Key': this.apiKey }
+      });
+      return response.data;
+    } catch (error) {
+      logToFile(`[PollingRadarrRetriever] ${this.id} tags error: ${error.message}`);
+      return [];
+    }
+  }
+
+  /**
+   * Get queue from Radarr instance
+   * @returns {Promise<Object>} Queue object with records array
+   */
+  async getQueue() {
+    const instanceName = this.name;
+    let page = 1;
+    let allRecords = [];
+    let responseData = null;
+
+    do {
+      try {
+        const response = await axios.get(`${this.url}/api/v3/queue`, {
+          headers: { 'X-Api-Key': this.apiKey },
+          params: { includeMovie: true, page, pageSize: 1000 }
+        });
+        responseData = response.data;
+      } catch (error) {
+        console.error(`Radarr queue fetch failed for instance ${instanceName}:`, error.response?.data || error.message);
+        throw error;
+      }
+
+      const records = responseData.records || (Array.isArray(responseData) ? responseData : []);
+      allRecords = allRecords.concat(records);
+      page++;
+    } while (
+      (responseData.records || (Array.isArray(responseData) ? responseData : [])).length === 1000 &&
+      page <= 50
+    );
+
+    return {
+      ...responseData,
+      records: allRecords
+    };
+  }
+
+  /**
+   * Get history from Radarr instance
+   * @param {Object} options - Optional parameters for history fetch
+   * @param {number} [options.pageSize=100] - Number of records to fetch per page
+   * @param {number} [options.maxPages=1] - Maximum pages to fetch (for pagination control)
+   * @param {string} [options.sortKey] - Field to sort by
+   * @param {string} [options.sortDir] - Sort direction ('ascending' or 'descending')
+   * @param {boolean} [options.includeMovie=true] - Include movie data
+   * @param {string} [options.startDate] - ISO date string for filtering
+   * @returns {Promise<Object>} History object with records array
+   */
+  async getHistory(options = {}) {
+    const {
+      pageSize = 100,
+      maxPages = 1,
+      sortKey,
+      sortDir,
+      includeMovie = true,
+      startDate
+    } = options;
+
+    const instanceName = this.name;
+    let page = 1;
+    let allRecords = [];
+    let responseData = null;
+
+    do {
+      const params = {
+        page,
+        pageSize,
+        includeMovie
+      };
+
+      if (sortKey) params.sortKey = sortKey;
+      if (sortDir) params.sortDir = sortDir;
+      if (startDate) params.startDate = startDate;
+
+      try {
+        const response = await axios.get(`${this.url}/api/v3/history`, {
+          headers: { 'X-Api-Key': this.apiKey },
+          params
+        });
+        responseData = response.data;
+      } catch (error) {
+        console.error(`Radarr history fetch failed for instance ${instanceName}:`, error.response?.data || error.message);
+        throw error;
+      }
+
+      const records = responseData.records || (Array.isArray(responseData) ? responseData : []);
+      allRecords = allRecords.concat(records);
+      page++;
+    } while (
+      (responseData.records || (Array.isArray(responseData) ? responseData : [])).length === pageSize &&
+      page <= maxPages
+    );
+
+    return {
+      ...responseData,
+      records: allRecords
+    };
+  }
+}
+
+module.exports = PollingRadarrRetriever;
@@ -0,0 +1,137 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+const axios = require('axios');
+const ArrRetriever = require('./ArrRetriever');
+const { logToFile } = require('../utils/logger');
+
+/**
+ * Polling-based Sonarr data retriever.
+ * Implements the ArrRetriever interface using direct HTTP polling.
+ */
+class PollingSonarrRetriever extends ArrRetriever {
+  constructor(instanceConfig) {
+    super(instanceConfig);
+  }
+
+  getRetrieverType() {
+    return 'sonarr';
+  }
+
+  /**
+   * Get tags from Sonarr instance
+   * @returns {Promise<Array>} Array of tag objects
+   */
+  async getTags() {
+    try {
+      const response = await axios.get(`${this.url}/api/v3/tag`, {
+        headers: { 'X-Api-Key': this.apiKey }
+      });
+      return response.data;
+    } catch (error) {
+      logToFile(`[PollingSonarrRetriever] ${this.id} tags error: ${error.message}`);
+      return [];
+    }
+  }
+
+  /**
+   * Get queue from Sonarr instance
+   * @returns {Promise<Object>} Queue object with records array
+   */
+  async getQueue() {
+    const instanceName = this.name;
+    let page = 1;
+    let allRecords = [];
+    let responseData = null;
+
+    do {
+      try {
+        const response = await axios.get(`${this.url}/api/v3/queue`, {
+          headers: { 'X-Api-Key': this.apiKey },
+          params: { includeSeries: true, includeEpisode: true, page, pageSize: 1000 }
+        });
+        responseData = response.data;
+      } catch (error) {
+        console.error(`Sonarr queue fetch failed for instance ${instanceName}:`, error.response?.data || error.message);
+        throw error;
+      }
+
+      const records = responseData.records || (Array.isArray(responseData) ? responseData : []);
+      allRecords = allRecords.concat(records);
+      page++;
+    } while (
+      (responseData.records || (Array.isArray(responseData) ? responseData : [])).length === 1000 &&
+      page <= 50
+    );
+
+    return {
+      ...responseData,
+      records: allRecords
+    };
+  }
+
+  /**
+   * Get history from Sonarr instance
+   * @param {Object} options - Optional parameters for history fetch
+   * @param {number} [options.pageSize=100] - Number of records to fetch per page
+   * @param {number} [options.maxPages=1] - Maximum pages to fetch (for pagination control)
+   * @param {string} [options.sortKey] - Field to sort by
+   * @param {string} [options.sortDir] - Sort direction ('ascending' or 'descending')
+   * @param {boolean} [options.includeSeries=true] - Include series data
+   * @param {boolean} [options.includeEpisode=true] - Include episode data
+   * @param {string} [options.startDate] - ISO date string for filtering
+   * @returns {Promise<Object>} History object with records array
+   */
+  async getHistory(options = {}) {
+    const {
+      pageSize = 100,
+      maxPages = 1,
+      sortKey,
+      sortDir,
+      includeSeries = true,
+      includeEpisode = true,
+      startDate
+    } = options;
+
+    const instanceName = this.name;
+    let page = 1;
+    let allRecords = [];
+    let responseData = null;
+
+    do {
+      const params = {
+        page,
+        pageSize,
+        includeSeries,
+        includeEpisode
+      };
+
+      if (sortKey) params.sortKey = sortKey;
+      if (sortDir) params.sortDir = sortDir;
+      if (startDate) params.startDate = startDate;
+
+      try {
+        const response = await axios.get(`${this.url}/api/v3/history`, {
+          headers: { 'X-Api-Key': this.apiKey },
+          params
+        });
+        responseData = response.data;
+      } catch (error) {
+        console.error(`Sonarr history fetch failed for instance ${instanceName}:`, error.response?.data || error.message);
+        throw error;
+      }
+
+      const records = responseData.records || (Array.isArray(responseData) ? responseData : []);
+      allRecords = allRecords.concat(records);
+      page++;
+    } while (
+      (responseData.records || (Array.isArray(responseData) ? responseData : [])).length === pageSize &&
+      page <= maxPages
+    );
+
+    return {
+      ...responseData,
+      records: allRecords
+    };
+  }
+}
+
+module.exports = PollingSonarrRetriever;
@@ -0,0 +1,266 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+const axios = require('axios');
+const DownloadClient = require('./DownloadClient');
+const { logToFile } = require('../utils/logger');
+
+class QBittorrentClient extends DownloadClient {
+  constructor(instance) {
+    super(instance);
+    this.authCookie = null;
+    // Sync API incremental state
+    this.lastRid = 0;
+    this.torrentMap = new Map();
+    this.fallbackThisCycle = false;
+  }
+
+  getClientType() {
+    return 'qbittorrent';
+  }
+
+  async testConnection() {
+    try {
+      await this.login();
+      // Try a simple API call to verify connection
+      await this.makeRequest('/api/v2/app/version');
+      logToFile(`[qBittorrent:${this.name}] Connection test successful`);
+      return true;
+    } catch (error) {
+      logToFile(`[qBittorrent:${this.name}] Connection test failed: ${error.message}`);
+      return false;
+    }
+  }
+
+  async login() {
+    try {
+      logToFile(`[qBittorrent:${this.name}] Attempting login...`);
+      const response = await axios.post(`${this.url}/api/v2/auth/login`, 
+        `username=${encodeURIComponent(this.username)}&password=${encodeURIComponent(this.password)}`,
+        {
+          headers: {
+            'Content-Type': 'application/x-www-form-urlencoded'
+          },
+          maxRedirects: 0,
+          validateStatus: (status) => status >= 200 && status < 400
+        }
+      );
+      
+      if (response.headers['set-cookie']) {
+        this.authCookie = response.headers['set-cookie'][0];
+        logToFile(`[qBittorrent:${this.name}] Login successful`);
+        return true;
+      }
+      
+      logToFile(`[qBittorrent:${this.name}] Login failed - no cookie`);
+      return false;
+    } catch (error) {
+      logToFile(`[qBittorrent:${this.name}] Login error: ${error.message}`);
+      return false;
+    }
+  }
+
+  async makeRequest(endpoint, config = {}) {
+    const url = `${this.url}${endpoint}`;
+    
+    if (!this.authCookie) {
+      const loggedIn = await this.login();
+      if (!loggedIn) {
+        throw new Error(`Failed to authenticate with ${this.name}`);
+      }
+    }
+    
+    try {
+      const response = await axios.get(url, {
+        ...config,
+        headers: {
+          ...config.headers,
+          'Cookie': this.authCookie
+        }
+      });
+      return response;
+    } catch (error) {
+      // If unauthorized, try re-authenticating once
+      if (error.response && error.response.status === 403) {
+        logToFile(`[qBittorrent:${this.name}] Auth expired, re-authenticating...`);
+        this.authCookie = null;
+        const loggedIn = await this.login();
+        if (loggedIn) {
+          return axios.get(url, {
+            ...config,
+            headers: {
+              ...config.headers,
+              'Cookie': this.authCookie
+            }
+          });
+        }
+      }
+      throw error;
+    }
+  }
+
+  /**
+   * Fetches incremental torrent data using the qBittorrent Sync API.
+   */
+  async getMainData() {
+    const response = await this.makeRequest(`/api/v2/sync/maindata?rid=${this.lastRid}`);
+    const data = response.data;
+
+    if (data.full_update) {
+      // Full refresh: rebuild the entire map
+      this.torrentMap.clear();
+      if (data.torrents) {
+        for (const [hash, props] of Object.entries(data.torrents)) {
+          this.torrentMap.set(hash, { ...props, hash });
+        }
+      }
+    } else {
+      // Delta update: merge changed fields into existing torrent objects
+      if (data.torrents) {
+        for (const [hash, delta] of Object.entries(data.torrents)) {
+          const existing = this.torrentMap.get(hash) || { hash };
+          this.torrentMap.set(hash, { ...existing, ...delta });
+        }
+      }
+    }
+
+    // Remove torrents that the server reports as deleted
+    if (data.torrents_removed) {
+      for (const hash of data.torrents_removed) {
+        this.torrentMap.delete(hash);
+      }
+    }
+
+    // Ensure every torrent has a computed 'completed' field for downstream consumers
+    for (const torrent of this.torrentMap.values()) {
+      if (torrent.completed === undefined && torrent.size !== undefined && torrent.progress !== undefined) {
+        torrent.completed = Math.round(torrent.size * torrent.progress);
+      }
+    }
+
+    this.lastRid = data.rid;
+    return Array.from(this.torrentMap.values());
+  }
+
+  /**
+   * Legacy full-list fetch. Used as a fallback when the Sync API fails.
+   */
+  async getTorrentsLegacy() {
+    try {
+      const response = await this.makeRequest('/api/v2/torrents/info');
+      logToFile(`[qBittorrent:${this.name}] Retrieved ${response.data.length} torrents (legacy)`);
+      return response.data;
+    } catch (error) {
+      logToFile(`[qBittorrent:${this.name}] Error fetching torrents (legacy): ${error.message}`);
+      throw error;
+    }
+  }
+
+  async getActiveDownloads() {
+    try {
+      if (this.fallbackThisCycle) {
+        logToFile(`[qBittorrent:${this.name}] Already fell back this cycle, using legacy`);
+        const torrents = await this.getTorrentsLegacy();
+        this.torrentMap = new Map();
+        for (const torrent of torrents) {
+          this.torrentMap.set(torrent.hash, torrent);
+        }
+        this.lastRid = 0;
+        return torrents.map(torrent => this.normalizeDownload(torrent));
+      }
+
+      const torrents = await this.getMainData();
+      logToFile(`[qBittorrent:${this.name}] Sync: ${torrents.length} torrents (rid=${this.lastRid})`);
+      return torrents.map(torrent => this.normalizeDownload(torrent));
+    } catch (error) {
+      logToFile(`[qBittorrent:${this.name}] Sync failed, falling back to legacy: ${error.message}`);
+      this.fallbackThisCycle = true;
+      try {
+        const torrents = await this.getTorrentsLegacy();
+        this.torrentMap = new Map();
+        for (const torrent of torrents) {
+          this.torrentMap.set(torrent.hash, torrent);
+        }
+        this.lastRid = 0;
+        return torrents.map(torrent => this.normalizeDownload(torrent));
+      } catch (fallbackError) {
+        logToFile(`[qBittorrent:${this.name}] Fallback also failed: ${fallbackError.message}`);
+        return [];
+      }
+    }
+  }
+
+  async getClientStatus() {
+    try {
+      const response = await this.makeRequest('/api/v2/sync/maindata');
+      const data = response.data;
+      
+      return {
+        serverState: data.server_state || {},
+        rid: data.rid,
+        fullUpdate: data.full_update
+      };
+    } catch (error) {
+      logToFile(`[qBittorrent:${this.name}] Error getting client status: ${error.message}`);
+      return null;
+    }
+  }
+
+  normalizeDownload(torrent) {
+    const totalSize = torrent.size;
+    const downloadedSize = torrent.completed || Math.round(torrent.size * torrent.progress);
+    const progress = torrent.progress * 100;
+    
+    // Map qBittorrent states to our normalized status
+    const stateMap = {
+      'downloading': 'Downloading',
+      'stalledDL': 'Downloading',
+      'metaDL': 'Downloading',
+      'forcedDL': 'Downloading',
+      'allocating': 'Downloading',
+      'uploading': 'Seeding',
+      'stalledUP': 'Seeding',
+      'forcedUP': 'Seeding',
+      'queuedUP': 'Queued',
+      'queuedDL': 'Queued',
+      'checkingUP': 'Checking',
+      'checkingDL': 'Checking',
+      'checkingResumeData': 'Checking',
+      'moving': 'Moving',
+      'pausedUP': 'Paused',
+      'pausedDL': 'Paused',
+      'stoppedUP': 'Stopped',
+      'stoppedDL': 'Stopped',
+      'error': 'Error',
+      'missingFiles': 'Error',
+      'unknown': 'Unknown'
+    };
+    
+    const status = stateMap[torrent.state] || torrent.state;
+    
+    return {
+      id: torrent.hash,
+      title: torrent.name,
+      type: 'torrent',
+      client: 'qbittorrent',
+      instanceId: this.id,
+      instanceName: this.name,
+      status: status,
+      progress: Math.round(progress),
+      size: totalSize,
+      downloaded: downloadedSize,
+      speed: torrent.dlspeed,
+      eta: torrent.eta < 0 || torrent.eta === 8640000 ? null : torrent.eta,
+      category: torrent.category || undefined,
+      tags: torrent.tags ? torrent.tags.split(',').filter(tag => tag.trim()) : [],
+      savePath: torrent.content_path || torrent.save_path || undefined,
+      addedOn: torrent.added_on ? new Date(torrent.added_on * 1000).toISOString() : undefined,
+      raw: torrent
+    };
+  }
+
+  // Reset fallback flag (called by registry at start of each poll cycle)
+  resetFallbackFlag() {
+    this.fallbackThisCycle = false;
+  }
+}
+
+module.exports = QBittorrentClient;
@@ -0,0 +1,185 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+const xmlrpc = require('xmlrpc');
+const DownloadClient = require('./DownloadClient');
+const { logToFile } = require('../utils/logger');
+
+/**
+ * rTorrent download client implementation.
+ * Communicates via XML-RPC over HTTP.
+ * Supports HTTP Basic Auth when username/password are configured.
+ * The URL field must include the full XML-RPC endpoint path (e.g., http://rtorrent.local:8080/RPC2 or https://user.whatbox.ca/xmlrpc).
+ */
+class RTorrentClient extends DownloadClient {
+  constructor(instance) {
+    super(instance);
+    this._createClient();
+  }
+
+  _createClient() {
+    const clientOptions = { url: this.url };
+
+    if (this.username && this.password) {
+      clientOptions.headers = {
+        Authorization: `Basic ${Buffer.from(`${this.username}:${this.password}`).toString('base64')}`
+      };
+    }
+
+    this.client = xmlrpc.createClient(clientOptions);
+  }
+
+  getClientType() {
+    return 'rtorrent';
+  }
+
+  async testConnection() {
+    try {
+      await this._methodCall('system.client_version');
+      logToFile(`[rtorrent:${this.name}] Connection test successful`);
+      return true;
+    } catch (error) {
+      logToFile(`[rtorrent:${this.name}] Connection test failed: ${error.message}`);
+      return false;
+    }
+  }
+
+  /**
+   * Wrap xmlrpc methodCall in a Promise.
+   * @param {string} method - XML-RPC method name
+   * @param {Array} params - Method parameters
+   * @returns {Promise<any>}
+   */
+  _methodCall(method, params = []) {
+    return new Promise((resolve, reject) => {
+      this.client.methodCall(method, params, (error, value) => {
+        if (error) {
+          reject(error);
+        } else {
+          resolve(value);
+        }
+      });
+    });
+  }
+
+  async getActiveDownloads() {
+    try {
+      const torrents = await this._methodCall('d.multicall2', [
+        '',
+        'd.hash=',
+        'd.name=',
+        'd.size_bytes=',
+        'd.completed_bytes=',
+        'd.down.rate=',
+        'd.up.rate=',
+        'd.state=',
+        'd.is_active=',
+        'd.is_hash_checking=',
+        'd.directory=',
+        'd.custom1='
+      ]);
+
+      logToFile(`[rtorrent:${this.name}] Retrieved ${torrents.length} torrents`);
+      return torrents.map(torrent => this.normalizeDownload(torrent));
+    } catch (error) {
+      logToFile(`[rtorrent:${this.name}] Error fetching torrents: ${error.message}`);
+      return [];
+    }
+  }
+
+  async getClientStatus() {
+    try {
+      const [downRate, upRate] = await Promise.all([
+        this._methodCall('throttle.global_down.rate'),
+        this._methodCall('throttle.global_up.rate')
+      ]);
+
+      return {
+        globalDownRate: downRate,
+        globalUpRate: upRate
+      };
+    } catch (error) {
+      logToFile(`[rtorrent:${this.name}] Error getting client status: ${error.message}`);
+      return null;
+    }
+  }
+
+  normalizeDownload(torrent) {
+    const [
+      hash,
+      name,
+      sizeBytes,
+      completedBytes,
+      downRate,
+      upRate,
+      state,
+      isActive,
+      isHashChecking,
+      directory,
+      custom1
+    ] = torrent;
+
+    const status = this._mapStatus(state, isActive, isHashChecking, completedBytes, sizeBytes);
+    const progress = sizeBytes > 0 ? Math.round((completedBytes / sizeBytes) * 100) : 0;
+
+    // Calculate ETA when actively downloading
+    let eta = null;
+    if (status === 'Downloading' && downRate > 0 && completedBytes < sizeBytes) {
+      eta = Math.round((sizeBytes - completedBytes) / downRate);
+    }
+
+    const arrInfo = this._extractArrInfo(name);
+
+    return {
+      id: hash,
+      title: name,
+      type: 'torrent',
+      client: 'rtorrent',
+      instanceId: this.id,
+      instanceName: this.name,
+      status,
+      progress,
+      size: sizeBytes,
+      downloaded: completedBytes,
+      speed: status === 'Seeding' ? upRate : downRate,
+      eta,
+      category: custom1 || undefined,
+      tags: custom1 ? [custom1] : [],
+      savePath: directory || undefined,
+      addedOn: undefined, // rtorrent does not expose added time via multicall2
+      arrQueueId: arrInfo.queueId,
+      arrType: arrInfo.type,
+      raw: torrent
+    };
+  }
+
+  _mapStatus(state, isActive, isHashChecking, completedBytes, sizeBytes) {
+    if (isHashChecking === 1) {
+      return 'Checking';
+    }
+
+    if (state === 0) {
+      return 'Stopped';
+    }
+
+    if (isActive === 1) {
+      return completedBytes >= sizeBytes && sizeBytes > 0 ? 'Seeding' : 'Downloading';
+    }
+
+    return 'Paused';
+  }
+
+  _extractArrInfo(filename) {
+    const seriesMatch = filename.match(/[-\s]S(\d{2})E(\d{2})/i);
+    if (seriesMatch) {
+      return { type: 'series' };
+    }
+
+    const movieMatch = filename.match(/\((\d{4})\)/);
+    if (movieMatch) {
+      return { type: 'movie' };
+    }
+
+    return {};
+  }
+}
+
+module.exports = RTorrentClient;
@@ -0,0 +1,258 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+const axios = require('axios');
+const DownloadClient = require('./DownloadClient');
+const { logToFile } = require('../utils/logger');
+
+class SABnzbdClient extends DownloadClient {
+  constructor(instance) {
+    super(instance);
+  }
+
+  getClientType() {
+    return 'sabnzbd';
+  }
+
+  async testConnection() {
+    try {
+      const response = await this.makeRequest('', { mode: 'version' });
+      logToFile(`[SABnzbd:${this.name}] Connection test successful, version: ${response.data.version}`);
+      return true;
+    } catch (error) {
+      logToFile(`[SABnzbd:${this.name}] Connection test failed: ${error.message}`);
+      return false;
+    }
+  }
+
+  async makeRequest(additionalParams = {}, config = {}) {
+    const params = {
+      output: 'json',
+      apikey: this.apiKey,
+      ...additionalParams
+    };
+
+    try {
+      const response = await axios.get(`${this.url}/api`, {
+        params,
+        ...config
+      });
+      return response;
+    } catch (error) {
+      logToFile(`[SABnzbd:${this.name}] API request failed: ${error.message}`);
+      throw error;
+    }
+  }
+
+  async getActiveDownloads() {
+    try {
+      // Get both queue and history to provide complete picture
+      const [queueResponse, historyResponse, clientStatus] = await Promise.all([
+        this.makeRequest({ mode: 'queue' }),
+        this.makeRequest({ mode: 'history', limit: 10 }),
+        this.getClientStatus()
+      ]);
+
+      const queueData = queueResponse.data;
+      const historyData = historyResponse.data;
+
+      const downloads = [];
+
+      // Process active queue items
+      if (queueData.queue && queueData.queue.slots) {
+        const kbpersec = (queueData.queue && queueData.queue.kbpersec) || (clientStatus && clientStatus.kbpersec) || 0;
+        const globalSpeed = parseFloat(kbpersec) * 1024;
+
+        logToFile(`[SABnzbd:${this.name}] Global Speed: ${globalSpeed}, Client status: ${clientStatus ? JSON.stringify({ kbpersec: clientStatus.kbpersec }) : 'none'}`);
+
+        for (const slot of queueData.queue.slots) {
+          let slotSpeed = 0;
+          if (slot.status === 'Downloading') {
+            slotSpeed = globalSpeed;
+          } else if (slot.status === 'Paused' && slot.kbpersec && parseFloat(slot.kbpersec) > 0) {
+            slotSpeed = globalSpeed;
+          }
+          logToFile(`[SABnzbd:${this.name}] Slot ${slot.nzo_id} status ${slot.status}, speed ${slotSpeed}`);
+          downloads.push(this.normalizeDownload(slot, 'queue', slotSpeed));
+        }
+      }
+
+      // Process recent history items (last 10)
+      if (historyData.history && historyData.history.slots) {
+        for (const slot of historyData.history.slots) {
+          downloads.push(this.normalizeDownload(slot, 'history', 0));
+        }
+      }
+
+      logToFile(`[SABnzbd:${this.name}] Retrieved ${downloads.length} downloads`);
+      return downloads;
+    } catch (error) {
+      logToFile(`[SABnzbd:${this.name}] Error fetching downloads: ${error.message}`);
+      return [];
+    }
+  }
+
+  async getClientStatus() {
+    try {
+      const response = await this.makeRequest({ mode: 'queue' });
+      const queueData = response.data.queue;
+      
+      if (!queueData) return null;
+
+      return {
+        status: queueData.status,
+        speed: queueData.speed,
+        kbpersec: queueData.kbpersec,
+        sizeleft: queueData.sizeleft,
+        mbleft: queueData.mbleft,
+        mb: queueData.mb,
+        diskspace1: queueData.diskspace1,
+        diskspace2: queueData.diskspace2,
+        loadavg: queueData.loadavg,
+        pause_int: queueData.pause_int
+      };
+    } catch (error) {
+      logToFile(`[SABnzbd:${this.name}] Error getting client status: ${error.message}`);
+      return null;
+    }
+  }
+
+  normalizeDownload(slot, source, speed) {
+    const isHistory = source === 'history';
+    const finalSpeed = speed !== undefined ? speed : (slot.kbpersec ? parseFloat(slot.kbpersec) * 1024 : 0);
+
+    // Map SABnzbd statuses to normalized status
+    const statusMap = {
+      'Downloading': 'Downloading',
+      'Paused': 'Paused',
+      'Waiting': 'Queued',
+      'Completed': 'Completed',
+      'Failed': 'Error',
+      'Verifying': 'Checking',
+      'Extracting': 'Extracting',
+      'Moving': 'Moving',
+      'QuickCheck': 'Checking',
+      'Repairing': 'Repairing'
+    };
+
+    const status = statusMap[slot.status] || slot.status;
+
+    // Calculate progress
+    let progress = 0;
+    let downloaded = 0;
+    let size = 0;
+
+    const hasMb = slot.mb !== undefined && slot.mb !== null;
+    const hasMbLeft = slot.mbleft !== undefined && slot.mbleft !== null;
+    const mbValue = hasMb ? parseFloat(slot.mb) : 0;
+    const mbLeftValue = hasMbLeft ? parseFloat(slot.mbleft) : 0;
+
+    if (hasMb && hasMbLeft && mbValue !== 0) {
+      size = mbValue * 1024 * 1024; // Convert MB to bytes
+      downloaded = (mbValue - mbLeftValue) * 1024 * 1024;
+      progress = mbValue > 0 ? ((mbValue - mbLeftValue) / mbValue) * 100 : 0;
+    } else if (slot.size) {
+      // Try to parse size string (e.g., "1.5 GB")
+      const sizeMatch = slot.size.match(/^([\d.]+)\s*(\w+)$/i);
+      if (sizeMatch) {
+        const [, sizeValue, sizeUnit] = sizeMatch;
+        const multiplier = this.getUnitMultiplier(sizeUnit);
+        size = parseFloat(sizeValue) * multiplier;
+        
+        if (slot.sizeleft) {
+          const leftMatch = slot.sizeleft.match(/^([\d.]+)\s*(\w+)$/i);
+          if (leftMatch) {
+            const [, leftValue, leftUnit] = leftMatch;
+            const leftMultiplier = this.getUnitMultiplier(leftUnit);
+            downloaded = size - (parseFloat(leftValue) * leftMultiplier);
+            progress = size > 0 ? (downloaded / size) * 100 : 0;
+          }
+        }
+      }
+    }
+
+    // Extract Sonarr/Radarr info from nzb_name if present
+    const arrInfo = this.extractArrInfo(slot.nzb_name || slot.filename || '');
+
+    return {
+      id: slot.nzo_id || slot.id,
+      title: slot.filename || slot.nzb_name || 'Unknown',
+      type: 'usenet',
+      client: 'sabnzbd',
+      instanceId: this.id,
+      instanceName: this.name,
+      status: status,
+      progress: Math.round(progress),
+      size: Math.round(size),
+      downloaded: Math.round(downloaded),
+      speed: finalSpeed,
+      eta: this.calculateEta(slot.timeleft || slot.eta),
+      category: slot.cat || undefined,
+      tags: slot.labels ? (Array.isArray(slot.labels) ? slot.labels : slot.labels.split(',')).filter(tag => tag && tag.trim()) : [],
+      savePath: slot.final_name || undefined,
+      addedOn: slot.added ? new Date(slot.added * 1000).toISOString() : undefined,
+      arrQueueId: arrInfo.queueId,
+      arrType: arrInfo.type,
+      raw: { ...slot, source }
+    };
+  }
+
+  getUnitMultiplier(unit) {
+    const unitMap = {
+      'b': 1,
+      'byte': 1,
+      'bytes': 1,
+      'kb': 1024,
+      'k': 1024,
+      'mb': 1024 * 1024,
+      'm': 1024 * 1024,
+      'gb': 1024 * 1024 * 1024,
+      'g': 1024 * 1024 * 1024,
+      'tb': 1024 * 1024 * 1024 * 1024,
+      't': 1024 * 1024 * 1024 * 1024
+    };
+    return unitMap[unit.toLowerCase()] || 1;
+  }
+
+  calculateEta(timeLeft) {
+    if (!timeLeft || timeLeft === '0:00' || timeLeft === 'unknown') {
+      return null;
+    }
+
+    // Parse time in various formats: "0:05:30", "15:30", "330"
+    const parts = timeLeft.split(':').reverse();
+    let totalSeconds = 0;
+
+    if (parts.length === 1) {
+      // Just seconds
+      totalSeconds = parseInt(parts[0], 10);
+    } else if (parts.length === 2) {
+      // MM:SS
+      totalSeconds = parseInt(parts[0], 10) + parseInt(parts[1], 10) * 60;
+    } else if (parts.length === 3) {
+      // HH:MM:SS
+      totalSeconds = parseInt(parts[0], 10) + parseInt(parts[1], 10) * 60 + parseInt(parts[2], 10) * 3600;
+    }
+
+    return isNaN(totalSeconds) ? null : totalSeconds;
+  }
+
+  extractArrInfo(filename) {
+    // Try to extract Sonarr/Radarr info from filename patterns
+    // This is a simple implementation - could be enhanced with regex patterns
+    
+    // Look for patterns like "Series Name - S01E02 - Episode Title"
+    const seriesMatch = filename.match(/[-\s]S(\d{2})E(\d{2})/i);
+    if (seriesMatch) {
+      return { type: 'series' };
+    }
+
+    // Look for movie year patterns like "Movie Title (2023)"
+    const movieMatch = filename.match(/\((\d{4})\)/);
+    if (movieMatch && !seriesMatch) {
+      return { type: 'movie' };
+    }
+
+    return {};
+  }
+}
+
+module.exports = SABnzbdClient;
@@ -0,0 +1,181 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+const axios = require('axios');
+const DownloadClient = require('./DownloadClient');
+const { logToFile } = require('../utils/logger');
+
+class TransmissionClient extends DownloadClient {
+  constructor(instance) {
+    super(instance);
+    this.sessionId = null;
+    this.rpcUrl = `${this.url}/transmission/rpc`;
+  }
+
+  getClientType() {
+    return 'transmission';
+  }
+
+  async testConnection() {
+    try {
+      await this.makeRequest('session-get');
+      logToFile(`[Transmission:${this.name}] Connection test successful`);
+      return true;
+    } catch (error) {
+      logToFile(`[Transmission:${this.name}] Connection test failed: ${error.message}`);
+      return false;
+    }
+  }
+
+  async makeRequest(method, arguments_ = {}, config = {}) {
+    const payload = {
+      method,
+      arguments: arguments_
+    };
+
+    const headers = {
+      'Content-Type': 'application/json'
+    };
+
+    if (this.sessionId) {
+      headers['X-Transmission-Session-Id'] = this.sessionId;
+    }
+
+    try {
+      const response = await axios.post(this.rpcUrl, payload, {
+        headers,
+        ...config
+      });
+
+      if (response.data.result !== 'success') {
+        throw new Error(`Transmission RPC error: ${response.data.result}`);
+      }
+
+      return response;
+    } catch (error) {
+      // Handle session ID conflict (409 Conflict)
+      if (error.response && error.response.status === 409) {
+        const sessionId = error.response.headers['x-transmission-session-id'];
+        if (sessionId) {
+          this.sessionId = sessionId;
+          logToFile(`[Transmission:${this.name}] Updated session ID`);
+          return this.makeRequest(method, arguments_, config);
+        }
+      }
+      logToFile(`[Transmission:${this.name}] RPC request failed: ${error.message}`);
+      throw error;
+    }
+  }
+
+  async getActiveDownloads() {
+    try {
+      // Get all torrents with detailed fields
+      const response = await this.makeRequest('torrent-get', {
+        fields: [
+          'id', 'name', 'hashString', 'status', 'totalSize', 'sizeWhenDone',
+          'leftUntilDone', 'rateDownload', 'rateUpload', 'eta', 'downloadedEver',
+          'uploadedEver', 'percentDone', 'addedDate', 'doneDate', 'trackerStats',
+          'labels', 'downloadDir', 'error', 'errorString', 'peersConnected',
+          'peersGettingFromUs', 'peersSendingToUs', 'queuePosition'
+        ]
+      });
+
+      const torrents = response.data.arguments.torrents || [];
+      logToFile(`[Transmission:${this.name}] Retrieved ${torrents.length} torrents`);
+      
+      return torrents.map(torrent => this.normalizeDownload(torrent));
+    } catch (error) {
+      logToFile(`[Transmission:${this.name}] Error fetching torrents: ${error.message}`);
+      return [];
+    }
+  }
+
+  async getClientStatus() {
+    try {
+      const response = await this.makeRequest('session-get');
+      const sessionStats = await this.makeRequest('session-stats');
+      
+      return {
+        session: response.data.arguments,
+        stats: sessionStats.data.arguments
+      };
+    } catch (error) {
+      logToFile(`[Transmission:${this.name}] Error getting client status: ${error.message}`);
+      return null;
+    }
+  }
+
+  normalizeDownload(torrent) {
+    // Map Transmission status codes to normalized status
+    const statusMap = {
+      0: 'Stopped',      // TORRENT_STOPPED
+      1: 'Queued',       // TORRENT_CHECK_WAIT
+      2: 'Checking',     // TORRENT_CHECK
+      3: 'Queued',       // TORRENT_DOWNLOAD_WAIT
+      4: 'Downloading',  // TORRENT_DOWNLOAD
+      5: 'Queued',       // TORRENT_SEED_WAIT
+      6: 'Seeding',      // TORRENT_SEED
+      7: 'Unknown'       // TORRENT_IS_CHECKING (alias for 2)
+    };
+
+    const status = statusMap[torrent.status] || 'Unknown';
+
+    // Calculate progress and sizes
+    const progress = torrent.percentDone * 100;
+    const size = torrent.totalSize;
+    const downloaded = torrent.sizeWhenDone - torrent.leftUntilDone;
+
+    // Handle ETA - Transmission uses -1 for unknown, -2 for infinite
+    let eta = null;
+    if (torrent.eta >= 0) {
+      eta = torrent.eta;
+    }
+
+    // Extract category/labels
+    const labels = torrent.labels || [];
+    const category = labels.length > 0 ? labels[0] : undefined;
+
+    // Try to extract Sonarr/Radarr info from name
+    const arrInfo = this.extractArrInfo(torrent.name);
+
+    return {
+      id: torrent.hashString,
+      title: torrent.name,
+      type: 'torrent',
+      client: 'transmission',
+      instanceId: this.id,
+      instanceName: this.name,
+      status: status,
+      progress: Math.round(progress),
+      size: size,
+      downloaded: downloaded,
+      speed: torrent.rateDownload,
+      eta: eta,
+      category: category,
+      tags: labels,
+      savePath: torrent.downloadDir || undefined,
+      addedOn: torrent.addedDate ? new Date(torrent.addedDate * 1000).toISOString() : undefined,
+      arrQueueId: arrInfo.queueId,
+      arrType: arrInfo.type,
+      raw: torrent
+    };
+  }
+
+  extractArrInfo(filename) {
+    // Similar to SABnzbdClient, try to extract Sonarr/Radarr info
+    
+    // Look for patterns like "Series Name - S01E02 - Episode Title"
+    const seriesMatch = filename.match(/[-\s]S(\d{2})E(\d{2})/i);
+    if (seriesMatch) {
+      return { type: 'series' };
+    }
+
+    // Look for movie year patterns like "Movie Title (2023)"
+    const movieMatch = filename.match(/\((\d{4})\)/);
+    if (movieMatch && !seriesMatch) {
+      return { type: 'movie' };
+    }
+
+    return {};
+  }
+}
+
+module.exports = TransmissionClient;
@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 const express = require('express');
 const path = require('path');
 const cookieParser = require('cookie-parser');
@@ -5,7 +6,11 @@ const helmet = require('helmet');
 const rateLimit = require('express-rate-limit');
 const crypto = require('crypto');
 const fs = require('fs');
+const http = require('http');
+const https = require('https');
 require('dotenv').config();
+require('./utils/loadSecrets')();
+const { version } = require('../package.json');

 // Setup logging with levels
 // Levels: debug (0), info (1), warn (2), error (3), silent (4)
@@ -77,9 +82,13 @@ const sonarrRoutes = require('./routes/sonarr');
 const radarrRoutes = require('./routes/radarr');
 const embyRoutes = require('./routes/emby');
 const dashboardRoutes = require('./routes/dashboard');
+const statusRoutes = require('./routes/status');
+const historyRoutes = require('./routes/history');
 const authRoutes = require('./routes/auth');
+const webhookRoutes = require('./routes/webhook');
 const verifyCsrf = require('./middleware/verifyCsrf');
 const { startPoller, POLL_INTERVAL, POLLING_ENABLED } = require('./utils/poller');
+const { validateInstanceUrl } = require('./utils/config');

 // ---------------------------------------------------------------------------
 // Startup environment validation
@@ -90,15 +99,23 @@ if (!cookieSecret && process.env.NODE_ENV === 'production') {
  process.exit(1);
 } else if (!cookieSecret) {
  console.warn('[Security] COOKIE_SECRET not set — unsigned cookies (dev only)');
+} else if (cookieSecret.length < 32) {
+  console.warn('[Security] COOKIE_SECRET is shorter than 32 characters — use openssl rand -hex 32');
 }
 if (!process.env.EMBY_URL && process.env.NODE_ENV === 'production') {
  console.error('[Config] EMBY_URL is required');
  process.exit(1);
 }
+if (process.env.EMBY_URL) {
+  validateInstanceUrl(process.env.EMBY_URL, 'EMBY_URL');
+}

 const app = express();
 const PORT = process.env.PORT || 3001;

+// Resolve TLS_ENABLED early — used in Helmet CSP and server startup
+const TLS_ENABLED = (process.env.TLS_ENABLED || 'true').toLowerCase() !== 'false';
+
 // ---------------------------------------------------------------------------
 // Trust proxy — required when behind Nginx/Caddy/Traefik so that
 // req.ip reflects the real client IP (not 127.0.0.1) and
@@ -137,7 +154,7 @@ app.use((req, res, next) => {
        baseUri: ["'self'"],
        frameAncestors: ["'none'"],
        formAction: ["'self'"],
-        upgradeInsecureRequests: process.env.TRUST_PROXY ? [] : null
+        upgradeInsecureRequests: (process.env.TRUST_PROXY || TLS_ENABLED) ? [] : null
      }
    },
    hsts: {
@@ -182,7 +199,7 @@ app.use(express.json({ limit: '64kb' })); // prevent oversized JSON payloads
 // Used by Docker HEALTHCHECK and orchestrators.
 // ---------------------------------------------------------------------------
 app.get('/health', (req, res) => {
-  res.json({ status: 'ok', uptime: process.uptime() });
+  res.json({ status: 'ok', uptime: process.uptime(), version });
 });

 app.get('/ready', (req, res) => {
@@ -237,6 +254,7 @@ function serveIndex(req, res) {
 // ---------------------------------------------------------------------------
 app.use('/api', apiLimiter);
 app.use('/api/auth', authRoutes);
+app.use('/api/webhook', webhookRoutes);

 // All routes below this point require CSRF validation on mutating methods
 app.use('/api', verifyCsrf);
@@ -245,6 +263,8 @@ app.use('/api/sonarr', sonarrRoutes);
 app.use('/api/radarr', radarrRoutes);
 app.use('/api/emby', embyRoutes);
 app.use('/api/dashboard', dashboardRoutes);
+app.use('/api/status', statusRoutes);
+app.use('/api/history', historyRoutes);

 // SPA catch-all — serve index.html for any unmatched path
 app.get('*', serveIndex);
@@ -258,13 +278,79 @@ app.use((err, req, res, next) => {
  res.status(500).json({ error: 'Internal server error' });
 });

-app.listen(PORT, () => {
+// ---------------------------------------------------------------------------
+// TLS / HTTPS support
+// Set TLS_CERT and TLS_KEY to paths of your certificate and private key.
+// If unset, defaults to the bundled snakeoil self-signed certificate
+// (localhost/127.0.0.1 only — suitable for local testing).
+// Set TLS_ENABLED=false to force plain HTTP even if cert files exist.
+// ---------------------------------------------------------------------------
+const CERTS_DIR = path.join(__dirname, '../certs');
+const TLS_CERT_PATH = process.env.TLS_CERT || path.join(CERTS_DIR, 'snakeoil.crt');
+const TLS_KEY_PATH  = process.env.TLS_KEY  || path.join(CERTS_DIR, 'snakeoil.key');
+
+function loadTlsCredentials() {
+  if (!TLS_ENABLED) return null;
+  try {
+    return {
+      cert: fs.readFileSync(TLS_CERT_PATH),
+      key:  fs.readFileSync(TLS_KEY_PATH)
+    };
+  } catch (err) {
+    console.warn(`[TLS] Could not load certificate files — falling back to HTTP. (${err.message})`);
+    return null;
+  }
+}
+
+const tlsCredentials = loadTlsCredentials();
+const server = tlsCredentials
+  ? https.createServer(tlsCredentials, app)
+  : http.createServer(app);
+
+const protocol = tlsCredentials ? 'https' : 'http';
+const isSnakeoil = TLS_ENABLED &&
+  (!process.env.TLS_CERT || process.env.TLS_CERT === TLS_CERT_PATH);
+
+server.listen(PORT, () => {
  console.log(`=================================`);
-  console.log(`  sofarr - Your Downloads Dashboard`);
-  console.log(`  Server running on port ${PORT}`);
+  console.log(`  sofarr v${version} - Your Downloads Dashboard`);
+  console.log(`  Server running on ${protocol}://localhost:${PORT}`);
+  if (tlsCredentials && isSnakeoil) {
+    console.warn(`  [TLS] Using bundled snakeoil certificate (self-signed).`);
+    console.warn(`  [TLS] Set TLS_CERT and TLS_KEY for a trusted certificate.`);
+    console.warn(`  [TLS] Set TLS_ENABLED=false to disable TLS entirely.`);
+  } else if (tlsCredentials) {
+    console.log(`  [TLS] Certificate: ${TLS_CERT_PATH}`);
+  } else {
+    console.warn(`  [TLS] Running in plain HTTP mode — not suitable for production.`);
+  }
  console.log(`  Log level: ${process.env.LOG_LEVEL || 'info'}`);
  console.log(`  Polling: ${POLLING_ENABLED ? POLL_INTERVAL + 'ms' : 'disabled (on-demand)'}`);
  console.log(`  Trust proxy: ${process.env.TRUST_PROXY || 'disabled'}`);
  console.log(`=================================`);
  startPoller();
 });
+
+// ---------------------------------------------------------------------------
+// Graceful shutdown — handle SIGTERM (Docker stop) and SIGINT (Ctrl+C)
+// Stop the poller, close the HTTP server (stops accepting new connections),
+// then let Node drain existing keep-alive connections and exit cleanly.
+// ---------------------------------------------------------------------------
+const { stopPoller } = require('./utils/poller');
+
+function shutdown(signal) {
+  console.log(`[Server] ${signal} received — shutting down gracefully`);
+  stopPoller();
+  server.close(() => {
+    console.log('[Server] HTTP server closed');
+    process.exit(0);
+  });
+  // Force exit after 10 s if connections don't drain
+  setTimeout(() => {
+    console.error('[Server] Forced exit after 10 s timeout');
+    process.exit(1);
+  }, 10000).unref();
+}
+
+process.on('SIGTERM', () => shutdown('SIGTERM'));
+process.on('SIGINT',  () => shutdown('SIGINT'));
@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 function requireAuth(req, res, next) {
  const signed = !!process.env.COOKIE_SECRET;
  const raw = signed ? req.signedCookies.emby_user : req.cookies.emby_user;
@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 /**
 * CSRF protection using the double-submit cookie pattern.
 *
@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 const express = require('express');
 const axios = require('axios');
 const crypto = require('crypto');
@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 const express = require('express');
 const axios = require('axios');
 const router = express.Router();
@@ -0,0 +1,386 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+const express = require('express');
+const router = express.Router();
+const axios = require('axios');
+const requireAuth = require('../middleware/requireAuth');
+const cache = require('../utils/cache');
+const { fetchSonarrHistory, fetchRadarrHistory, classifySonarrEvent, classifyRadarrEvent } = require('../utils/historyFetcher');
+const { getSonarrInstances, getRadarrInstances } = require('../utils/config');
+const sanitizeError = require('../utils/sanitizeError');
+
+// Re-use the same tag/cover-art helpers as dashboard.js by importing them
+// from a shared location.  For now they are inlined here to keep dashboard.js
+// untouched (zero-conflict v1 merges).  If these diverge they can be extracted
+// into server/utils/dashboardHelpers.js in a later refactor.
+
+function getCoverArt(item) {
+  if (!item || !item.images) return null;
+  const poster = item.images.find(img => img.coverType === 'poster');
+  if (poster) return poster.remoteUrl || poster.url || null;
+  const fanart = item.images.find(img => img.coverType === 'fanart');
+  return fanart ? (fanart.remoteUrl || fanart.url || null) : null;
+}
+
+function sanitizeTagLabel(input) {
+  if (!input) return '';
+  return input.toLowerCase().replace(/[^a-z0-9]+/g, '-').replace(/-+/g, '-').replace(/^-|-$/g, '');
+}
+
+function tagMatchesUser(tag, username) {
+  if (!tag || !username) return false;
+  const tagLower = tag.toLowerCase();
+  if (tagLower === username) return true;
+  if (tagLower === sanitizeTagLabel(username)) return true;
+  return false;
+}
+
+function extractAllTags(tags, tagMap) {
+  if (!tags || tags.length === 0) return [];
+  if (tagMap) return tags.map(id => tagMap.get(id)).filter(Boolean);
+  return tags.map(t => t && t.label).filter(Boolean);
+}
+
+function extractUserTag(tags, tagMap, username) {
+  const allLabels = extractAllTags(tags, tagMap);
+  if (!allLabels.length) return null;
+  if (username) {
+    const match = allLabels.find(label => tagMatchesUser(label, username));
+    if (match) return match;
+  }
+  return null;
+}
+
+async function getEmbyUsers() {
+  const cached = cache.get('emby:users');
+  if (cached) return cached;
+  try {
+    const embyUrl = process.env.EMBY_URL;
+    const embyKey = process.env.EMBY_API_KEY;
+    if (!embyUrl || !embyKey) return new Map();
+    const res = await axios.get(`${embyUrl}/Users`, { params: { api_key: embyKey } });
+    const users = res.data || [];
+    const map = new Map();
+    for (const u of users) {
+      if (!u.Name) continue;
+      const lower = u.Name.toLowerCase();
+      map.set(lower, u.Name);
+      map.set(sanitizeTagLabel(lower), u.Name);
+    }
+    cache.set('emby:users', map, 60000);
+    return map;
+  } catch (err) {
+    console.error('[History] Failed to fetch Emby users:', err.message);
+    return new Map();
+  }
+}
+
+function buildTagBadges(allTags, embyUserMap) {
+  return allTags.map(label => {
+    const lower = label.toLowerCase();
+    const sanitized = sanitizeTagLabel(label);
+    const matchedUser = embyUserMap.get(lower) || embyUserMap.get(sanitized) || null;
+    return { label, matchedUser };
+  });
+}
+
+// Extract episode info from a Sonarr history record.
+function extractEpisode(record) {
+  const ep = record.episode || {};
+  const s = ep.seasonNumber != null ? ep.seasonNumber : record.seasonNumber;
+  const e = ep.episodeNumber != null ? ep.episodeNumber : record.episodeNumber;
+  if (s == null || e == null) return null;
+  const title = ep.title || null;
+  return { season: s, episode: e, title };
+}
+
+// Find all episodes associated with a download by matching all history records
+// that share the same source title.  Returns sorted, deduplicated array.
+function gatherEpisodes(titleLower, records) {
+  const episodes = [];
+  const seen = new Set();
+  for (const r of records) {
+    const rTitle = (r.sourceTitle || r.title || '').toLowerCase();
+    if (rTitle && (rTitle.includes(titleLower) || titleLower.includes(rTitle))) {
+      const ep = extractEpisode(r);
+      if (ep) {
+        const key = `${ep.season}x${ep.episode}`;
+        if (!seen.has(key)) {
+          seen.add(key);
+          episodes.push(ep);
+        }
+      }
+    }
+  }
+  episodes.sort((a, b) => a.season - b.season || a.episode - b.episode);
+  return episodes;
+}
+
+/**
+ * Deduplicate history items so that for each unique content item (episode or
+ * movie) only the most-recent record is shown, with the following rules:
+ *
+ *  - If the most recent event is 'imported'  → show it; suppress older failures.
+ *  - If the most recent event is 'failed' and the item currently has a file
+ *    (hasFile = true) → show the failure but flag it as availableForUpgrade:true
+ *    so the UI can indicate the item is available but an upgrade is in progress.
+ *  - If the most recent event is 'failed' and hasFile is false → show normally.
+ *
+ * Items are keyed by: type + instanceName + contentId (episodeId or movieId).
+ * Records without a contentId fall through unchanged (no deduplication possible).
+ *
+ * @param {Array} items - Already-built history items (unsorted)
+ * @param {Array} sonarrRaw - Raw Sonarr records (for hasFile lookup)
+ * @param {Array} radarrRaw - Raw Radarr records (for hasFile lookup)
+ * @returns {Array}
+ */
+function deduplicateHistoryItems(items, sonarrRaw, radarrRaw) {
+  // Build hasFile lookup: contentId → boolean
+  const sonarrHasFile = new Map();
+  for (const r of sonarrRaw) {
+    const id = r.episodeId;
+    if (id != null) {
+      const hf = r.episode && r.episode.hasFile != null ? r.episode.hasFile : undefined;
+      if (hf !== undefined && !sonarrHasFile.has(id)) sonarrHasFile.set(id, hf);
+    }
+  }
+  const radarrHasFile = new Map();
+  for (const r of radarrRaw) {
+    const id = r.movieId;
+    if (id != null) {
+      const hf = r.movie && r.movie.hasFile != null ? r.movie.hasFile : undefined;
+      if (hf !== undefined && !radarrHasFile.has(id)) radarrHasFile.set(id, hf);
+    }
+  }
+
+  // Group items by dedup key; preserve insertion order (newest first from caller)
+  const groups = new Map();
+  const noKey = [];
+  for (const item of items) {
+    const cid = item._contentId;
+    if (cid == null) { noKey.push(item); continue; }
+    const key = `${item.type}|${item.instanceName}|${cid}`;
+    if (!groups.has(key)) groups.set(key, []);
+    groups.get(key).push(item);
+  }
+
+  const result = [...noKey];
+  for (const [, group] of groups) {
+    // group[0] is the most recent (items are pushed in date-descending order)
+    const best = group[0];
+    if (best.outcome === 'imported') {
+      result.push(best);
+      continue;
+    }
+    if (best.outcome === 'failed') {
+      const hasFile = best.type === 'series'
+        ? sonarrHasFile.get(best._contentId)
+        : radarrHasFile.get(best._contentId);
+      if (hasFile) best.availableForUpgrade = true;
+      result.push(best);
+      continue;
+    }
+    result.push(best);
+  }
+  return result;
+}
+
+function getSonarrLink(series) {
+  if (!series || !series._instanceUrl || !series.titleSlug) return null;
+  return `${series._instanceUrl}/series/${series.titleSlug}`;
+}
+
+function getRadarrLink(movie) {
+  if (!movie || !movie._instanceUrl || !movie.titleSlug) return null;
+  return `${movie._instanceUrl}/movie/${movie.titleSlug}`;
+}
+
+/**
+ * GET /api/history/recent
+ *
+ * Returns Sonarr/Radarr history records (imported + failed) for the
+ * authenticated user, filtered to the last RECENT_COMPLETED_DAYS days
+ * (default 7, overridable via env or ?days= query param).
+ *
+ * Response shape:
+ * {
+ *   user: string,
+ *   isAdmin: boolean,
+ *   days: number,
+ *   history: HistoryItem[]
+ * }
+ *
+ * HistoryItem shape:
+ * {
+ *   type: 'series'|'movie',
+ *   outcome: 'imported'|'failed',
+ *   title: string,            // sourceTitle from arr record
+ *   seriesName?: string,      // series.title (Sonarr)
+ *   movieName?: string,       // movie.title (Radarr)
+ *   coverArt: string|null,
+ *   completedAt: string,      // ISO date string from arr record
+ *   quality: string|null,
+ *   instanceName: string,     // arr instance name
+ *   arrLink: string|null,     // link to item in Sonarr/Radarr UI
+ *   allTags: string[],
+ *   matchedUserTag: string|null,
+ *   // admin-only:
+ *   arrRecordId?: number,
+ *   failureMessage?: string,
+ * }
+ */
+router.get('/recent', requireAuth, async (req, res) => {
+  try {
+    const user = req.user;
+    const username = user.name.toLowerCase();
+    const isAdmin = !!user.isAdmin;
+    const showAll = isAdmin && req.query.showAll === 'true';
+
+    const defaultDays = parseInt(process.env.RECENT_COMPLETED_DAYS, 10) || 7;
+    const requestedDays = parseInt(req.query.days, 10);
+    const days = (requestedDays > 0 && requestedDays <= 90) ? requestedDays : defaultDays;
+
+    const since = new Date(Date.now() - days * 24 * 60 * 60 * 1000);
+
+    // Fetch tag maps and history in parallel
+    const sonarrInstances = getSonarrInstances();
+    const radarrInstances = getRadarrInstances();
+
+    const [sonarrHistory, radarrHistory, embyUserMap] = await Promise.all([
+      fetchSonarrHistory(since),
+      fetchRadarrHistory(since),
+      showAll ? getEmbyUsers() : Promise.resolve(new Map())
+    ]);
+
+    // Build tag maps from the cached poll data where available,
+    // falling back to what's embedded in history records
+    const sonarrTagsData = cache.get('poll:sonarr-tags') || [];
+    const radarrTagsData = cache.get('poll:radarr-tags') || [];
+    const sonarrTagMap = new Map(sonarrTagsData.flatMap(t => t.data || []).map(t => [t.id, t.label]));
+    const radarrTagMap = new Map(radarrTagsData.map(t => [t.id, t.label]));
+
+    const historyItems = [];
+
+    // --- Sonarr history ---
+    for (const record of sonarrHistory) {
+      try {
+        const outcome = classifySonarrEvent(record.eventType);
+        if (outcome === 'other') continue;
+
+        const series = record.series;
+        if (!series) continue;
+
+        const allTags = extractAllTags(series.tags, sonarrTagMap);
+        const matchedUserTag = extractUserTag(series.tags, sonarrTagMap, username);
+        const hasAnyTag = allTags.length > 0;
+
+        if (!(showAll ? hasAnyTag : !!matchedUserTag)) continue;
+
+        const quality = record.quality && record.quality.quality && record.quality.quality.name
+          ? record.quality.quality.name
+          : null;
+
+        const sourceTitle = record.sourceTitle || record.title || series.title;
+        const item = {
+          type: 'series',
+          outcome,
+          title: sourceTitle,
+          seriesName: series.title,
+          episodes: gatherEpisodes(sourceTitle.toLowerCase(), sonarrHistory),
+          coverArt: getCoverArt(series),
+          completedAt: record.date,
+          quality,
+          instanceName: record._instanceName || null,
+          arrLink: getSonarrLink(series),
+          allTags,
+          matchedUserTag: matchedUserTag || null,
+          tagBadges: showAll ? buildTagBadges(allTags, embyUserMap) : undefined,
+          _contentId: record.episodeId != null ? record.episodeId : null
+        };
+
+        if (isAdmin) {
+          item.arrRecordId = record.id;
+          if (outcome === 'failed' && record.data && record.data.message) {
+            item.failureMessage = record.data.message;
+          }
+        }
+
+        historyItems.push(item);
+      } catch (err) {
+        console.error('[History] Error processing Sonarr record:', err.message);
+      }
+    }
+
+    // --- Radarr history ---
+    for (const record of radarrHistory) {
+      try {
+        const outcome = classifyRadarrEvent(record.eventType);
+        if (outcome === 'other') continue;
+
+        const movie = record.movie;
+        if (!movie) continue;
+
+        const allTags = extractAllTags(movie.tags, radarrTagMap);
+        const matchedUserTag = extractUserTag(movie.tags, radarrTagMap, username);
+        const hasAnyTag = allTags.length > 0;
+
+        if (!(showAll ? hasAnyTag : !!matchedUserTag)) continue;
+
+        const quality = record.quality && record.quality.quality && record.quality.quality.name
+          ? record.quality.quality.name
+          : null;
+
+        const item = {
+          type: 'movie',
+          outcome,
+          title: record.sourceTitle || record.title || movie.title,
+          movieName: movie.title,
+          coverArt: getCoverArt(movie),
+          completedAt: record.date,
+          quality,
+          instanceName: record._instanceName || null,
+          arrLink: getRadarrLink(movie),
+          allTags,
+          matchedUserTag: matchedUserTag || null,
+          tagBadges: showAll ? buildTagBadges(allTags, embyUserMap) : undefined,
+          _contentId: record.movieId != null ? record.movieId : null
+        };
+
+        if (isAdmin) {
+          item.arrRecordId = record.id;
+          if (outcome === 'failed' && record.data && record.data.message) {
+            item.failureMessage = record.data.message;
+          }
+        }
+
+        historyItems.push(item);
+      } catch (err) {
+        console.error('[History] Error processing Radarr record:', err.message);
+      }
+    }
+
+    // Deduplicate: for each content item keep only the most-recent record,
+    // suppressing failures that were superseded by a successful import.
+    // Must run before sort so insertion order (newest-first from arr API) is preserved.
+    const dedupedItems = deduplicateHistoryItems(historyItems, sonarrHistory, radarrHistory);
+
+    // Strip internal dedup key before sending to client
+    for (const item of dedupedItems) delete item._contentId;
+
+    // Sort newest first
+    dedupedItems.sort((a, b) => new Date(b.completedAt) - new Date(a.completedAt));
+
+    console.log(`[History] Returning ${dedupedItems.length} items for user ${user.name} (days=${days}, showAll=${showAll})`);
+
+    res.json({
+      user: user.name,
+      isAdmin,
+      days,
+      history: dedupedItems
+    });
+  } catch (err) {
+    console.error('[History] Error:', err.message);
+    res.status(500).json({ error: 'Failed to fetch history', details: sanitizeError(err) });
+  }
+});
+
+module.exports = router;
@@ -1,8 +1,19 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 const express = require('express');
 const axios = require('axios');
 const router = express.Router();
 const requireAuth = require('../middleware/requireAuth');
 const sanitizeError = require('../utils/sanitizeError');
+const { getWebhookSecret, getSofarrBaseUrl, getRadarrInstances } = require('../utils/config');
+
+// Helper to get first Radarr instance (for notification proxy routes)
+function getFirstRadarrInstance() {
+  const instances = getRadarrInstances();
+  if (!instances || instances.length === 0) {
+    return null;
+  }
+  return instances[0];
+}

 router.use(requireAuth);

@@ -55,4 +66,174 @@ router.get('/movies', async (req, res) => {
  }
 });

+// Notification proxy routes (Phase 3)
+// GET /api/radarr/notifications - list all notifications
+router.get('/notifications', async (req, res) => {
+  const instance = getFirstRadarrInstance();
+  if (!instance) {
+    return res.status(503).json({ error: 'Radarr not configured' });
+  }
+  try {
+    const response = await axios.get(`${instance.url}/api/v3/notification`, {
+      headers: { 'X-Api-Key': instance.apiKey }
+    });
+    res.json(response.data);
+  } catch (error) {
+    console.error('[Radarr] Failed to fetch notifications:', error.message);
+    res.status(500).json({ error: 'Failed to fetch Radarr notifications', details: sanitizeError(error) });
+  }
+});
+
+// GET /api/radarr/notifications/:id - get specific notification
+router.get('/notifications/:id', async (req, res) => {
+  try {
+    const response = await axios.get(`${process.env.RADARR_URL}/api/v3/notification/${req.params.id}`, {
+      headers: { 'X-Api-Key': process.env.RADARR_API_KEY }
+    });
+    res.json(response.data);
+  } catch (error) {
+    res.status(500).json({ error: 'Failed to fetch Radarr notification', details: sanitizeError(error) });
+  }
+});
+
+// POST /api/radarr/notifications - create notification
+router.post('/notifications', async (req, res) => {
+  try {
+    const response = await axios.post(`${process.env.RADARR_URL}/api/v3/notification`, req.body, {
+      headers: { 'X-Api-Key': process.env.RADARR_API_KEY }
+    });
+    res.json(response.data);
+  } catch (error) {
+    res.status(500).json({ error: 'Failed to create Radarr notification', details: sanitizeError(error) });
+  }
+});
+
+// PUT /api/radarr/notifications/:id - update notification
+router.put('/notifications/:id', async (req, res) => {
+  try {
+    const response = await axios.put(`${process.env.RADARR_URL}/api/v3/notification/${req.params.id}`, req.body, {
+      headers: { 'X-Api-Key': process.env.RADARR_API_KEY }
+    });
+    res.json(response.data);
+  } catch (error) {
+    res.status(500).json({ error: 'Failed to update Radarr notification', details: sanitizeError(error) });
+  }
+});
+
+// DELETE /api/radarr/notifications/:id - delete notification
+router.delete('/notifications/:id', async (req, res) => {
+  try {
+    const response = await axios.delete(`${process.env.RADARR_URL}/api/v3/notification/${req.params.id}`, {
+      headers: { 'X-Api-Key': process.env.RADARR_API_KEY }
+    });
+    res.json(response.data);
+  } catch (error) {
+    res.status(500).json({ error: 'Failed to delete Radarr notification', details: sanitizeError(error) });
+  }
+});
+
+// POST /api/radarr/notifications/test - test notification
+router.post('/notifications/test', async (req, res) => {
+  const instance = getFirstRadarrInstance();
+  if (!instance) {
+    return res.status(503).json({ error: 'Radarr not configured' });
+  }
+  try {
+    const response = await axios.post(`${instance.url}/api/v3/notification/test`, req.body, {
+      headers: { 'X-Api-Key': instance.apiKey }
+    });
+    res.json(response.data);
+  } catch (error) {
+    console.error('[Radarr] Failed to test notification:', error.message);
+    if (error.response) {
+      console.error('[Radarr] Test response status:', error.response.status);
+      console.error('[Radarr] Test response data:', error.response.data);
+    }
+    res.status(500).json({ error: 'Failed to test Radarr notification', details: sanitizeError(error) });
+  }
+});
+
+// GET /api/radarr/notifications/schema - get notification schema
+router.get('/notifications/schema', async (req, res) => {
+  try {
+    const response = await axios.get(`${process.env.RADARR_URL}/api/v3/notification/schema`, {
+      headers: { 'X-Api-Key': process.env.RADARR_API_KEY }
+    });
+    res.json(response.data);
+  } catch (error) {
+    res.status(500).json({ error: 'Failed to fetch Radarr notification schema', details: sanitizeError(error) });
+  }
+});
+
+// POST /api/radarr/notifications/sofarr-webhook - one-click Sofarr webhook setup
+router.post('/notifications/sofarr-webhook', async (req, res) => {
+  const instance = getFirstRadarrInstance();
+  if (!instance) {
+    return res.status(503).json({ error: 'Radarr not configured' });
+  }
+  try {
+    const sofarrBaseUrl = getSofarrBaseUrl();
+    const webhookSecret = getWebhookSecret();
+
+    if (!sofarrBaseUrl) {
+      return res.status(400).json({ error: 'SOFARR_BASE_URL not configured' });
+    }
+    if (!webhookSecret) {
+      return res.status(400).json({ error: 'SOFARR_WEBHOOK_SECRET not configured' });
+    }
+
+    const webhookUrl = `${sofarrBaseUrl}/api/webhook/radarr`;
+
+    // Check if Sofarr webhook already exists
+    const listResponse = await axios.get(`${instance.url}/api/v3/notification`, {
+      headers: { 'X-Api-Key': instance.apiKey }
+    });
+    const existingNotification = listResponse.data.find(n => n.name === 'Sofarr');
+
+    const notificationPayload = {
+      name: 'Sofarr',
+      implementation: 'Webhook',
+      configContract: 'WebhookSettings',
+      fields: [
+        { name: 'url', value: webhookUrl },
+        { name: 'method', value: 1 },
+        { name: 'headers', value: [{ key: 'X-Sofarr-Webhook-Secret', value: webhookSecret }] }
+      ],
+      onGrab: true,
+      onDownload: true,
+      onUpgrade: true,
+      onImport: true,
+      onRename: false,
+      onHealthIssue: false,
+      onApplicationUpdate: false,
+      onManualInteractionRequired: false
+    };
+
+    if (existingNotification) {
+      // Update existing notification
+      const response = await axios.put(
+        `${instance.url}/api/v3/notification/${existingNotification.id}`,
+        { ...notificationPayload, id: existingNotification.id },
+        { headers: { 'X-Api-Key': instance.apiKey } }
+      );
+      res.json(response.data);
+    } else {
+      // Create new notification
+      const response = await axios.post(
+        `${instance.url}/api/v3/notification`,
+        notificationPayload,
+        { headers: { 'X-Api-Key': instance.apiKey } }
+      );
+      res.json(response.data);
+    }
+  } catch (error) {
+    console.error('[Radarr] Failed to configure webhook:', error.message);
+    if (error.response) {
+      console.error('[Radarr] Response status:', error.response.status);
+      console.error('[Radarr] Response data:', error.response.data);
+    }
+    res.status(500).json({ error: 'Failed to configure Sofarr webhook', details: sanitizeError(error) });
+  }
+});
+
 module.exports = router;
@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 const express = require('express');
 const axios = require('axios');
 const router = express.Router();
@@ -1,8 +1,19 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 const express = require('express');
 const axios = require('axios');
 const router = express.Router();
 const requireAuth = require('../middleware/requireAuth');
 const sanitizeError = require('../utils/sanitizeError');
+const { getWebhookSecret, getSofarrBaseUrl, getSonarrInstances } = require('../utils/config');
+
+// Helper to get first Sonarr instance (for notification proxy routes)
+function getFirstSonarrInstance() {
+  const instances = getSonarrInstances();
+  if (!instances || instances.length === 0) {
+    return null;
+  }
+  return instances[0];
+}

 router.use(requireAuth);

@@ -55,4 +66,174 @@ router.get('/series', async (req, res) => {
  }
 });

+// Notification proxy routes (Phase 3)
+// GET /api/sonarr/notifications - list all notifications
+router.get('/notifications', async (req, res) => {
+  const instance = getFirstSonarrInstance();
+  if (!instance) {
+    return res.status(503).json({ error: 'Sonarr not configured' });
+  }
+  try {
+    const response = await axios.get(`${instance.url}/api/v3/notification`, {
+      headers: { 'X-Api-Key': instance.apiKey }
+    });
+    res.json(response.data);
+  } catch (error) {
+    console.error('[Sonarr] Failed to fetch notifications:', error.message);
+    res.status(500).json({ error: 'Failed to fetch Sonarr notifications', details: sanitizeError(error) });
+  }
+});
+
+// GET /api/sonarr/notifications/:id - get specific notification
+router.get('/notifications/:id', async (req, res) => {
+  try {
+    const response = await axios.get(`${process.env.SONARR_URL}/api/v3/notification/${req.params.id}`, {
+      headers: { 'X-Api-Key': process.env.SONARR_API_KEY }
+    });
+    res.json(response.data);
+  } catch (error) {
+    res.status(500).json({ error: 'Failed to fetch Sonarr notification', details: sanitizeError(error) });
+  }
+});
+
+// POST /api/sonarr/notifications - create notification
+router.post('/notifications', async (req, res) => {
+  try {
+    const response = await axios.post(`${process.env.SONARR_URL}/api/v3/notification`, req.body, {
+      headers: { 'X-Api-Key': process.env.SONARR_API_KEY }
+    });
+    res.json(response.data);
+  } catch (error) {
+    res.status(500).json({ error: 'Failed to create Sonarr notification', details: sanitizeError(error) });
+  }
+});
+
+// PUT /api/sonarr/notifications/:id - update notification
+router.put('/notifications/:id', async (req, res) => {
+  try {
+    const response = await axios.put(`${process.env.SONARR_URL}/api/v3/notification/${req.params.id}`, req.body, {
+      headers: { 'X-Api-Key': process.env.SONARR_API_KEY }
+    });
+    res.json(response.data);
+  } catch (error) {
+    res.status(500).json({ error: 'Failed to update Sonarr notification', details: sanitizeError(error) });
+  }
+});
+
+// DELETE /api/sonarr/notifications/:id - delete notification
+router.delete('/notifications/:id', async (req, res) => {
+  try {
+    const response = await axios.delete(`${process.env.SONARR_URL}/api/v3/notification/${req.params.id}`, {
+      headers: { 'X-Api-Key': process.env.SONARR_API_KEY }
+    });
+    res.json(response.data);
+  } catch (error) {
+    res.status(500).json({ error: 'Failed to delete Sonarr notification', details: sanitizeError(error) });
+  }
+});
+
+// POST /api/sonarr/notifications/test - test notification
+router.post('/notifications/test', async (req, res) => {
+  const instance = getFirstSonarrInstance();
+  if (!instance) {
+    return res.status(503).json({ error: 'Sonarr not configured' });
+  }
+  try {
+    const response = await axios.post(`${instance.url}/api/v3/notification/test`, req.body, {
+      headers: { 'X-Api-Key': instance.apiKey }
+    });
+    res.json(response.data);
+  } catch (error) {
+    console.error('[Sonarr] Failed to test notification:', error.message);
+    if (error.response) {
+      console.error('[Sonarr] Test response status:', error.response.status);
+      console.error('[Sonarr] Test response data:', error.response.data);
+    }
+    res.status(500).json({ error: 'Failed to test Sonarr notification', details: sanitizeError(error) });
+  }
+});
+
+// GET /api/sonarr/notifications/schema - get notification schema
+router.get('/notifications/schema', async (req, res) => {
+  try {
+    const response = await axios.get(`${process.env.SONARR_URL}/api/v3/notification/schema`, {
+      headers: { 'X-Api-Key': process.env.SONARR_API_KEY }
+    });
+    res.json(response.data);
+  } catch (error) {
+    res.status(500).json({ error: 'Failed to fetch Sonarr notification schema', details: sanitizeError(error) });
+  }
+});
+
+// POST /api/sonarr/notifications/sofarr-webhook - one-click Sofarr webhook setup
+router.post('/notifications/sofarr-webhook', async (req, res) => {
+  const instance = getFirstSonarrInstance();
+  if (!instance) {
+    return res.status(503).json({ error: 'Sonarr not configured' });
+  }
+  try {
+    const sofarrBaseUrl = getSofarrBaseUrl();
+    const webhookSecret = getWebhookSecret();
+
+    if (!sofarrBaseUrl) {
+      return res.status(400).json({ error: 'SOFARR_BASE_URL not configured' });
+    }
+    if (!webhookSecret) {
+      return res.status(400).json({ error: 'SOFARR_WEBHOOK_SECRET not configured' });
+    }
+
+    const webhookUrl = `${sofarrBaseUrl}/api/webhook/sonarr`;
+
+    // Check if Sofarr webhook already exists
+    const listResponse = await axios.get(`${instance.url}/api/v3/notification`, {
+      headers: { 'X-Api-Key': instance.apiKey }
+    });
+    const existingNotification = listResponse.data.find(n => n.name === 'Sofarr');
+
+    const notificationPayload = {
+      name: 'Sofarr',
+      implementation: 'Webhook',
+      configContract: 'WebhookSettings',
+      fields: [
+        { name: 'url', value: webhookUrl },
+        { name: 'method', value: 1 },
+        { name: 'headers', value: [{ key: 'X-Sofarr-Webhook-Secret', value: webhookSecret }] }
+      ],
+      onGrab: true,
+      onDownload: true,
+      onUpgrade: true,
+      onImport: true,
+      onRename: false,
+      onHealthIssue: false,
+      onApplicationUpdate: false,
+      onManualInteractionRequired: false
+    };
+
+    if (existingNotification) {
+      // Update existing notification
+      const response = await axios.put(
+        `${instance.url}/api/v3/notification/${existingNotification.id}`,
+        { ...notificationPayload, id: existingNotification.id },
+        { headers: { 'X-Api-Key': instance.apiKey } }
+      );
+      res.json(response.data);
+    } else {
+      // Create new notification
+      const response = await axios.post(
+        `${instance.url}/api/v3/notification`,
+        notificationPayload,
+        { headers: { 'X-Api-Key': instance.apiKey } }
+      );
+      res.json(response.data);
+    }
+  } catch (error) {
+    console.error('[Sonarr] Failed to configure webhook:', error.message);
+    if (error.response) {
+      console.error('[Sonarr] Response status:', error.response.status);
+      console.error('[Sonarr] Response data:', error.response.data);
+    }
+    res.status(500).json({ error: 'Failed to configure Sofarr webhook', details: sanitizeError(error) });
+  }
+});
+
 module.exports = router;
@@ -0,0 +1,71 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+const express = require('express');
+const router = express.Router();
+const requireAuth = require('../middleware/requireAuth');
+const cache = require('../utils/cache');
+const { getLastPollTimings, POLLING_ENABLED } = require('../utils/poller');
+const { getSonarrInstances, getRadarrInstances } = require('../utils/config');
+const { getGlobalWebhookMetrics } = require('../utils/cache');
+const { checkWebhookConfigured, aggregateMetrics } = require('../services/WebhookStatus');
+
+// Admin-only status page with cache stats
+router.get('/', requireAuth, async (req, res) => {
+  try {
+    const user = req.user;
+    if (!user.isAdmin) {
+      return res.status(403).json({ error: 'Admin access required' });
+    }
+
+    const cacheStats = cache.getStats();
+    const uptime = process.uptime();
+
+    // Get webhook metrics
+    const webhookMetrics = getGlobalWebhookMetrics();
+
+    // Check webhook configuration for each service
+    const sonarrInstances = getSonarrInstances();
+    const radarrInstances = getRadarrInstances();
+
+    const sonarrWebhookConfigured = sonarrInstances.length > 0
+      ? await checkWebhookConfigured(sonarrInstances[0], 'Sonarr')
+      : false;
+    const radarrWebhookConfigured = radarrInstances.length > 0
+      ? await checkWebhookConfigured(radarrInstances[0], 'Radarr')
+      : false;
+
+    // Find Sonarr and Radarr metrics from instances
+    const sonarrMetrics = {};
+    const radarrMetrics = {};
+    for (const [url, metrics] of Object.entries(webhookMetrics.instances || {})) {
+      if (url.includes('sonarr')) {
+        sonarrMetrics[url] = metrics;
+      } else if (url.includes('radarr')) {
+        radarrMetrics[url] = metrics;
+      }
+    }
+
+    res.json({
+      server: {
+        uptimeSeconds: Math.floor(uptime),
+        nodeVersion: process.version,
+        memoryUsageMB: Math.round(process.memoryUsage().rss / 1024 / 1024 * 10) / 10,
+        heapUsedMB: Math.round(process.memoryUsage().heapUsed / 1024 / 1024 * 10) / 10,
+        heapTotalMB: Math.round(process.memoryUsage().heapTotal / 1024 / 1024 * 10) / 10
+      },
+      polling: {
+        enabled: POLLING_ENABLED,
+        intervalMs: POLLING_ENABLED ? require('../utils/poller').POLL_INTERVAL : 0,
+        lastPoll: getLastPollTimings()
+      },
+      cache: cacheStats,
+      webhooks: {
+        sonarr: aggregateMetrics(sonarrMetrics, sonarrWebhookConfigured),
+        radarr: aggregateMetrics(radarrMetrics, radarrWebhookConfigured)
+      }
+    });
+  } catch (err) {
+    res.status(500).json({ error: 'Failed to get status', details: err.message });
+  }
+});
+
+module.exports = router;
@@ -0,0 +1,325 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+const express = require('express');
+const rateLimit = require('express-rate-limit');
+const { logToFile } = require('../utils/logger');
+const { getWebhookSecret, getSonarrInstances, getRadarrInstances } = require('../utils/config');
+const cache = require('../utils/cache');
+const arrRetrieverRegistry = require('../utils/arrRetrievers');
+const { pollAllServices, POLL_INTERVAL, POLLING_ENABLED } = require('../utils/poller');
+
+const router = express.Router();
+
+// Dedicated rate limiter for webhook endpoints — stricter than the global API limiter.
+// Sonarr/Radarr send at most one event per action; 60/min per IP is generous.
+// In tests, SKIP_RATE_LIMIT=1 raises the ceiling to effectively unlimited.
+const webhookLimiter = rateLimit({
+  windowMs: 60 * 1000,
+  max: process.env.SKIP_RATE_LIMIT ? Number.MAX_SAFE_INTEGER : 60,
+  standardHeaders: true,
+  legacyHeaders: false,
+  message: { error: 'Too many webhook requests' }
+});
+
+// Valid *arr eventType strings — used for strict input validation.
+const VALID_EVENT_TYPES = new Set([
+  'Test',
+  'Grab', 'Download', 'DownloadFailed', 'ManualInteractionRequired',
+  'DownloadFolderImported', 'ImportFailed',
+  'EpisodeFileRenamed', 'MovieFileRenamed', 'EpisodeFileRenamedBySeries',
+  'Rename', 'SeriesAdd', 'SeriesDelete', 'MovieAdd', 'MovieDelete',
+  'MovieFileDelete', 'Health', 'ApplicationUpdate', 'HealthRestored'
+]);
+
+// Replay protection — cache recently-seen (eventType+instanceName+timestamp) keys.
+// *arr sends a `date` field on every event; we use it as the replay key component.
+// TTL = 5 minutes; an event replayed after that window is considered fresh.
+const REPLAY_WINDOW_MS = 5 * 60 * 1000;
+const recentEvents = new Map();
+
+function pruneReplayCache() {
+  const cutoff = Date.now() - REPLAY_WINDOW_MS;
+  for (const [key, ts] of recentEvents) {
+    if (ts < cutoff) recentEvents.delete(key);
+  }
+}
+
+// Prune the replay cache once per minute
+setInterval(pruneReplayCache, 60 * 1000).unref();
+
+function isReplay(eventType, instanceName, eventDate) {
+  if (!eventDate) return false;
+  const key = `${eventType}:${instanceName || ''}:${eventDate}`;
+  if (recentEvents.has(key)) return true;
+  recentEvents.set(key, Date.now());
+  return false;
+}
+
+// Cache TTL mirrors poller.js logic: 3x poll interval when active, 30s when on-demand
+const CACHE_TTL = POLLING_ENABLED ? POLL_INTERVAL * 3 : 30000;
+
+// Event classification — determines which cache keys to refresh
+const QUEUE_EVENTS = new Set([
+  'Grab',
+  'Download',
+  'DownloadFailed',
+  'ManualInteractionRequired'
+]);
+
+const HISTORY_EVENTS = new Set([
+  'DownloadFolderImported',
+  'ImportFailed',
+  'EpisodeFileRenamed',
+  'MovieFileRenamed',
+  'EpisodeFileRenamedBySeries'
+]);
+
+/**
+ * Validate webhook secret from the X-Sofarr-Webhook-Secret header
+ * @param {Object} req - Express request object
+ * @returns {boolean} True if secret is valid, false otherwise
+ */
+function validateWebhookSecret(req) {
+  const expectedSecret = getWebhookSecret();
+  const providedSecret = req.get('X-Sofarr-Webhook-Secret');
+
+  if (!expectedSecret) {
+    logToFile('[Webhook] WARNING: SOFARR_WEBHOOK_SECRET not configured, rejecting webhook');
+    return false;
+  }
+
+  if (!providedSecret) {
+    logToFile('[Webhook] WARNING: Missing X-Sofarr-Webhook-Secret header');
+    return false;
+  }
+
+  if (providedSecret !== expectedSecret) {
+    logToFile('[Webhook] WARNING: Invalid webhook secret provided');
+    return false;
+  }
+
+  return true;
+}
+
+/**
+ * Process a webhook event by refreshing the affected cache and broadcasting SSE.
+ * This is a fire-and-forget background task — callers must respond to the webhook
+ * sender before awaiting this function.
+ *
+ * Phase 2: lightweight refresh via arrRetrieverRegistry + cache update + SSE broadcast.
+ *
+ * @param {string} serviceType - 'sonarr' or 'radarr'
+ * @param {string} eventType   - the eventType from the *arr webhook payload
+ */
+async function processWebhookEvent(serviceType, eventType) {
+  const affectsQueue = QUEUE_EVENTS.has(eventType);
+  const affectsHistory = HISTORY_EVENTS.has(eventType);
+
+  if (!affectsQueue && !affectsHistory) {
+    logToFile(`[Webhook] Event ${eventType} does not affect queue or history, skipping refresh`);
+    return;
+  }
+
+  logToFile(`[Webhook] ${serviceType} event "${eventType}" → queue=${affectsQueue}, history=${affectsHistory}`);
+
+  // Ensure retrievers are initialized (idempotent)
+  await arrRetrieverRegistry.initialize();
+
+  if (serviceType === 'sonarr') {
+    const sonarrInstances = getSonarrInstances();
+
+    if (affectsQueue) {
+      const queuesByType = await arrRetrieverRegistry.getQueuesByType();
+      const sonarrQueues = queuesByType.sonarr || [];
+      cache.set('poll:sonarr-queue', {
+        records: sonarrQueues.flatMap(q => {
+          const inst = sonarrInstances.find(i => i.id === q.instance);
+          const url = inst ? inst.url : null;
+          const key = inst ? inst.apiKey : null;
+          return (q.data.records || []).map(r => {
+            if (r.series) r.series._instanceUrl = url;
+            r._instanceUrl = url;
+            r._instanceKey = key;
+            return r;
+          });
+        })
+      }, CACHE_TTL);
+      logToFile(`[Webhook] Refreshed poll:sonarr-queue (${sonarrQueues.length} instance(s))`);
+    }
+
+    if (affectsHistory) {
+      const historyByType = await arrRetrieverRegistry.getHistoryByType({ pageSize: 10 });
+      const sonarrHistories = historyByType.sonarr || [];
+      cache.set('poll:sonarr-history', {
+        records: sonarrHistories.flatMap(h => h.data.records || [])
+      }, CACHE_TTL);
+      logToFile(`[Webhook] Refreshed poll:sonarr-history (${sonarrHistories.length} instance(s))`);
+    }
+  } else if (serviceType === 'radarr') {
+    const radarrInstances = getRadarrInstances();
+
+    if (affectsQueue) {
+      const queuesByType = await arrRetrieverRegistry.getQueuesByType();
+      const radarrQueues = queuesByType.radarr || [];
+      cache.set('poll:radarr-queue', {
+        records: radarrQueues.flatMap(q => {
+          const inst = radarrInstances.find(i => i.id === q.instance);
+          const url = inst ? inst.url : null;
+          const key = inst ? inst.apiKey : null;
+          return (q.data.records || []).map(r => {
+            if (r.movie) r.movie._instanceUrl = url;
+            r._instanceUrl = url;
+            r._instanceKey = key;
+            return r;
+          });
+        })
+      }, CACHE_TTL);
+      logToFile(`[Webhook] Refreshed poll:radarr-queue (${radarrQueues.length} instance(s))`);
+    }
+
+    if (affectsHistory) {
+      const historyByType = await arrRetrieverRegistry.getHistoryByType({ pageSize: 10 });
+      const radarrHistories = historyByType.radarr || [];
+      cache.set('poll:radarr-history', {
+        records: radarrHistories.flatMap(h => h.data.records || [])
+      }, CACHE_TTL);
+      logToFile(`[Webhook] Refreshed poll:radarr-history (${radarrHistories.length} instance(s))`);
+    }
+  }
+
+  // Broadcast to all SSE subscribers using the same mechanism poller.js uses.
+  // pollAllServices() refreshes all data, updates every cache key, and then
+  // iterates pollSubscribers to push fresh payloads to every open SSE connection.
+  // If a poll is already in progress this call is a no-op, but the cache keys
+  // above were already updated so the next broadcast (or dashboard request)
+  // will see fresh data.
+  logToFile('[Webhook] Triggering SSE broadcast via pollAllServices()');
+  await pollAllServices();
+}
+
+/**
+ * Validate and sanitize the incoming webhook payload.
+ * Returns { valid, eventType, instanceName, eventDate } or { valid: false, reason }.
+ */
+function validatePayload(body) {
+  if (!body || typeof body !== 'object' || Array.isArray(body)) {
+    return { valid: false, reason: 'Payload must be a JSON object' };
+  }
+  const { eventType, instanceName } = body;
+  if (typeof eventType !== 'string' || eventType.length === 0 || eventType.length > 64) {
+    return { valid: false, reason: 'eventType must be a non-empty string (max 64 chars)' };
+  }
+  if (!VALID_EVENT_TYPES.has(eventType)) {
+    return { valid: false, reason: `Unknown eventType: ${eventType}` };
+  }
+  if (instanceName !== undefined && typeof instanceName !== 'string') {
+    return { valid: false, reason: 'instanceName must be a string if provided' };
+  }
+  const eventDate = body.date || null;
+  return { valid: true, eventType, instanceName: instanceName || null, eventDate };
+}
+
+/**
+ * POST /api/webhook/sonarr
+ * Receives webhook events from Sonarr instances.
+ * Validates the secret, logs the event, refreshes cache, broadcasts SSE, and returns 200.
+ *
+ * Phase 2: integrated with PALDRA cache + SSE for real-time dashboard updates.
+ * Phase 6: rate limiting, input validation, replay protection.
+ */
+router.post('/sonarr', webhookLimiter, (req, res) => {
+  if (!validateWebhookSecret(req)) {
+    return res.status(401).json({ error: 'Unauthorized' });
+  }
+
+  const validation = validatePayload(req.body);
+  if (!validation.valid) {
+    logToFile(`[Webhook] Sonarr payload rejected: ${validation.reason}`);
+    return res.status(400).json({ error: validation.reason });
+  }
+
+  const { eventType, instanceName, eventDate } = validation;
+
+  const sonarrInstances = getSonarrInstances();
+  const inst = sonarrInstances.find(i => i.name === instanceName || i.id === instanceName) || sonarrInstances[0];
+  const resolvedInstanceName = inst ? inst.name : instanceName;
+
+  if (isReplay(eventType, resolvedInstanceName, eventDate)) {
+    logToFile(`[Webhook] Sonarr duplicate event ignored: ${eventType} @ ${eventDate}`);
+    return res.status(200).json({ received: true, duplicate: true });
+  }
+
+  try {
+    logToFile(`[Webhook] Sonarr event received - Type: ${eventType}, Instance: ${resolvedInstanceName || 'unknown'}`);
+    logToFile(`[Webhook] Sonarr payload: ${JSON.stringify(req.body)}`);
+
+    // Phase 5.1: update webhook metrics for polling optimization
+    if (inst) {
+      cache.updateWebhookMetrics(inst.url);
+      logToFile(`[Webhook] Updated metrics for Sonarr instance: ${inst.name} (${inst.url})`);
+    }
+
+    // Phase 2: background cache refresh + SSE broadcast (fire-and-forget)
+    processWebhookEvent('sonarr', eventType).catch(err => {
+      logToFile(`[Webhook] Sonarr background refresh error: ${err.message}`);
+    });
+
+    res.status(200).json({ received: true });
+  } catch (error) {
+    logToFile(`[Webhook] Sonarr error: ${error.message}`);
+    res.status(200).json({ received: true });
+  }
+});
+
+/**
+ * POST /api/webhook/radarr
+ * Receives webhook events from Radarr instances.
+ * Validates the secret, logs the event, refreshes cache, broadcasts SSE, and returns 200.
+ *
+ * Phase 2: integrated with PALDRA cache + SSE for real-time dashboard updates.
+ * Phase 6: rate limiting, input validation, replay protection.
+ */
+router.post('/radarr', webhookLimiter, (req, res) => {
+  if (!validateWebhookSecret(req)) {
+    return res.status(401).json({ error: 'Unauthorized' });
+  }
+
+  const validation = validatePayload(req.body);
+  if (!validation.valid) {
+    logToFile(`[Webhook] Radarr payload rejected: ${validation.reason}`);
+    return res.status(400).json({ error: validation.reason });
+  }
+
+  const { eventType, instanceName, eventDate } = validation;
+
+  const radarrInstances = getRadarrInstances();
+  const inst = radarrInstances.find(i => i.name === instanceName || i.id === instanceName) || radarrInstances[0];
+  const resolvedInstanceName = inst ? inst.name : instanceName;
+
+  if (isReplay(eventType, resolvedInstanceName, eventDate)) {
+    logToFile(`[Webhook] Radarr duplicate event ignored: ${eventType} @ ${eventDate}`);
+    return res.status(200).json({ received: true, duplicate: true });
+  }
+
+  try {
+    logToFile(`[Webhook] Radarr event received - Type: ${eventType}, Instance: ${resolvedInstanceName || 'unknown'}`);
+    logToFile(`[Webhook] Radarr payload: ${JSON.stringify(req.body)}`);
+
+    // Phase 5.1: update webhook metrics for polling optimization
+    if (inst) {
+      cache.updateWebhookMetrics(inst.url);
+      logToFile(`[Webhook] Updated metrics for Radarr instance: ${inst.name} (${inst.url})`);
+    }
+
+    // Phase 2: background cache refresh + SSE broadcast (fire-and-forget)
+    processWebhookEvent('radarr', eventType).catch(err => {
+      logToFile(`[Webhook] Radarr background refresh error: ${err.message}`);
+    });
+
+    res.status(200).json({ received: true });
+  } catch (error) {
+    logToFile(`[Webhook] Radarr error: ${error.message}`);
+    res.status(200).json({ received: true });
+  }
+});
+
+module.exports = router;
@@ -0,0 +1,107 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+
+// Helper function to extract poster/cover art URL from a movie or series object
+function getCoverArt(item) {
+  if (!item || !item.images) return null;
+  const poster = item.images.find(img => img.coverType === 'poster');
+  if (poster) return poster.remoteUrl || poster.url || null;
+  // Fallback to fanart if no poster
+  const fanart = item.images.find(img => img.coverType === 'fanart');
+  return fanart ? (fanart.remoteUrl || fanart.url || null) : null;
+}
+
+// Extract import issues from a Sonarr/Radarr queue record
+function getImportIssues(queueRecord) {
+  if (!queueRecord) return null;
+  const state = queueRecord.trackedDownloadState;
+  const status = queueRecord.trackedDownloadStatus;
+  if (state !== 'importPending' && status !== 'warning' && status !== 'error') return null;
+  const messages = [];
+  if (queueRecord.statusMessages && queueRecord.statusMessages.length > 0) {
+    for (const sm of queueRecord.statusMessages) {
+      if (sm.messages && sm.messages.length > 0) {
+        messages.push(...sm.messages);
+      } else if (sm.title) {
+        messages.push(sm.title);
+      }
+    }
+  }
+  if (queueRecord.errorMessage) {
+    messages.push(queueRecord.errorMessage);
+  }
+  if (messages.length === 0) return null;
+  return messages;
+}
+
+// Helper to build Sonarr web UI link for a series
+function getSonarrLink(series) {
+  if (!series || !series._instanceUrl || !series.titleSlug) return null;
+  return `${series._instanceUrl}/series/${series.titleSlug}`;
+}
+
+// Helper to build Radarr web UI link for a movie
+function getRadarrLink(movie) {
+  if (!movie || !movie._instanceUrl || !movie.titleSlug) return null;
+  return `${movie._instanceUrl}/movie/${movie.titleSlug}`;
+}
+
+// Determine if a download can be blocklisted by the current user
+// Admins: always true (they have arrQueueId)
+// Non-admins: true if importIssues OR (torrent >1h old AND availability<100%)
+function canBlocklist(download, isAdmin) {
+  if (isAdmin) return true;
+  if (download.importIssues && download.importIssues.length > 0) return true;
+  if (download.qbittorrent && download.addedOn && download.availability) {
+    const oneHourAgo = Date.now() - 3600000; // 1 hour in ms
+    const addedOn = new Date(download.addedOn).getTime();
+    const isOldEnough = addedOn < oneHourAgo;
+    const availability = parseFloat(download.availability);
+    const isLowAvailability = availability < 100;
+    return isOldEnough && isLowAvailability;
+  }
+  return false;
+}
+
+// Extract episode info from a Sonarr queue/history record.
+// Returns { season, episode, title } or null if data is missing.
+function extractEpisode(record) {
+  if (!record) return null;
+  const ep = record.episode || {};
+  const s = ep.seasonNumber != null ? ep.seasonNumber : record.seasonNumber;
+  const e = ep.episodeNumber != null ? ep.episodeNumber : record.episodeNumber;
+  if (s == null || e == null) return null;
+  const title = ep.title || null;
+  return { season: s, episode: e, title };
+}
+
+// Find all episodes associated with a download by matching all queue/history records
+// that share the same title string.  Returns sorted array of { season, episode, title }.
+function gatherEpisodes(titleLower, sonarrRecords) {
+  const episodes = [];
+  const seen = new Set();
+  for (const r of sonarrRecords) {
+    const rTitle = (r.title || r.sourceTitle || '').toLowerCase();
+    if (rTitle && (rTitle.includes(titleLower) || titleLower.includes(rTitle))) {
+      const ep = extractEpisode(r);
+      if (ep) {
+        const key = `${ep.season}x${ep.episode}`;
+        if (!seen.has(key)) {
+          seen.add(key);
+          episodes.push(ep);
+        }
+      }
+    }
+  }
+  episodes.sort((a, b) => a.season - b.season || a.episode - b.episode);
+  return episodes;
+}
+
+module.exports = {
+  getCoverArt,
+  getImportIssues,
+  getSonarrLink,
+  getRadarrLink,
+  canBlocklist,
+  extractEpisode,
+  gatherEpisodes
+};
@@ -0,0 +1,112 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+
+/**
+ * DownloadBuilder - Aggregates and matches download data from multiple sources.
+ * This service processes cached data from SABnzbd, qBittorrent, Sonarr, and Radarr to build
+ * a unified view of downloads for each user, matching downloads to media metadata via tags.
+ */
+
+const DownloadMatcher = require('./DownloadMatcher');
+
+/**
+ * Builds a unified list of downloads for a user from multiple download clients.
+ * Matches SABnzbd and qBittorrent downloads to Sonarr/Radarr activity using tags.
+ * @param {Object} cacheSnapshot - Cached data from all services
+ * @param {Object} options - User context and metadata maps
+ * @param {string} options.username - Lowercase username for tag matching
+ * @param {string} options.usernameSanitized - Original username
+ * @param {boolean} options.isAdmin - Whether user is admin
+ * @param {boolean} options.showAll - Whether to show all users' downloads
+ * @param {Map} options.seriesMap - Map of seriesId to series object
+ * @param {Map} options.moviesMap - Map of movieId to movie object
+ * @param {Map} options.sonarrTagMap - Map of Sonarr tag IDs to labels
+ * @param {Map} options.radarrTagMap - Map of Radarr tag IDs to labels
+ * @param {Map} options.embyUserMap - Map of Emby users for admin view
+ * @returns {Array} Array of download objects for the user
+ */
+function buildUserDownloads(cacheSnapshot, { username, usernameSanitized, isAdmin, showAll, seriesMap, moviesMap, sonarrTagMap, radarrTagMap, embyUserMap }) {
+  // Input validation
+  if (!cacheSnapshot || typeof cacheSnapshot !== 'object') {
+    console.error('[DownloadBuilder] Invalid cacheSnapshot provided');
+    return [];
+  }
+
+  try {
+    // Handle null/undefined cache data
+  const sabnzbdQueue = cacheSnapshot.sabnzbdQueue || { data: { queue: { slots: [] } } };
+  const sabnzbdHistory = cacheSnapshot.sabnzbdHistory || { data: { history: { slots: [] } } };
+  const sonarrQueue = cacheSnapshot.sonarrQueue || { data: { records: [] } };
+  const sonarrHistory = cacheSnapshot.sonarrHistory || { data: { records: [] } };
+  const radarrQueue = cacheSnapshot.radarrQueue || { data: { records: [] } };
+  const radarrHistory = cacheSnapshot.radarrHistory || { data: { records: [] } };
+  const qbittorrentTorrents = cacheSnapshot.qbittorrentTorrents || [];
+
+  // Get queue status for SABnzbd
+  const queueStatus = sabnzbdQueue.data?.queue?.status || null;
+  const queueSpeed = sabnzbdQueue.data?.queue?.speed || null;
+  const queueKbpersec = sabnzbdQueue.data?.queue?.kbpersec || null;
+
+  // Build context for matching functions
+  const context = {
+    sonarrQueueRecords: sonarrQueue.data?.records || [],
+    sonarrHistoryRecords: sonarrHistory.data?.records || [],
+    radarrQueueRecords: radarrQueue.data?.records || [],
+    radarrHistoryRecords: radarrHistory.data?.records || [],
+    seriesMap: seriesMap || new Map(),
+    moviesMap: moviesMap || new Map(),
+    sonarrTagMap: sonarrTagMap || new Map(),
+    radarrTagMap: radarrTagMap || new Map(),
+    username,
+    isAdmin,
+    showAll,
+    embyUserMap: embyUserMap || new Map(),
+    queueStatus,
+    queueSpeed,
+    queueKbpersec
+  };
+
+  // Match all download sources
+  const userDownloads = [];
+  const seenDownloadKeys = new Set();
+  
+  if (sabnzbdQueue.data?.queue?.slots) {
+    const sabMatches = DownloadMatcher.matchSabSlots(sabnzbdQueue.data.queue.slots, context);
+    for (const dl of sabMatches) {
+      const key = `${dl.type}:${dl.title}`;
+      if (!seenDownloadKeys.has(key)) {
+        seenDownloadKeys.add(key);
+        userDownloads.push(dl);
+      }
+    }
+  }
+
+  if (sabnzbdHistory.data?.history?.slots) {
+    const sabHistoryMatches = DownloadMatcher.matchSabHistory(sabnzbdHistory.data.history.slots, context);
+    for (const dl of sabHistoryMatches) {
+      const key = `${dl.type}:${dl.title}`;
+      if (!seenDownloadKeys.has(key)) {
+        seenDownloadKeys.add(key);
+        userDownloads.push(dl);
+      }
+    }
+  }
+
+  const torrentMatches = DownloadMatcher.matchTorrents(qbittorrentTorrents, context);
+  for (const dl of torrentMatches) {
+    const key = `${dl.type}:${dl.title}`;
+    if (!seenDownloadKeys.has(key)) {
+      seenDownloadKeys.add(key);
+      userDownloads.push(dl);
+    }
+  }
+
+    return userDownloads;
+  } catch (error) {
+    console.error('[DownloadBuilder] Error building user downloads:', error.message);
+    return [];
+  }
+}
+
+module.exports = {
+  buildUserDownloads
+};
@@ -0,0 +1,561 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+
+/**
+ * DownloadMatcher - Matches download client data to Sonarr/Radarr activity.
+ * Contains logic for matching SABnzbd slots and qBittorrent torrents to media metadata
+ * via download IDs and title matching.
+ */
+
+const { mapTorrentToDownload } = require('../utils/qbittorrent');
+const TagMatcher = require('./TagMatcher');
+const DownloadAssembler = require('./DownloadAssembler');
+
+/**
+ * Builds a Map of series metadata from Sonarr queue and history records.
+ * @param {Array} queueRecords - Sonarr queue records
+ * @param {Array} historyRecords - Sonarr history records
+ * @returns {Map} Map of seriesId to series object
+ */
+function buildSeriesMapFromRecords(queueRecords, historyRecords) {
+  const seriesMap = new Map();
+  for (const r of queueRecords) {
+    if (r.series && r.seriesId) seriesMap.set(r.seriesId, r.series);
+  }
+  for (const r of historyRecords) {
+    if (r.series && r.seriesId && !seriesMap.has(r.seriesId)) seriesMap.set(r.seriesId, r.series);
+  }
+  return seriesMap;
+}
+
+/**
+ * Builds a Map of movie metadata from Radarr queue and history records.
+ * @param {Array} queueRecords - Radarr queue records
+ * @param {Array} historyRecords - Radarr history records
+ * @returns {Map} Map of movieId to movie object
+ */
+function buildMoviesMapFromRecords(queueRecords, historyRecords) {
+  const moviesMap = new Map();
+  for (const r of queueRecords) {
+    if (r.movie && r.movieId) moviesMap.set(r.movieId, r.movie);
+  }
+  for (const r of historyRecords) {
+    if (r.movie && r.movieId && !moviesMap.has(r.movieId)) moviesMap.set(r.movieId, r.movie);
+  }
+  return moviesMap;
+}
+
+/**
+ * Determines the status and speed for a SABnzbd slot based on queue state.
+ * @param {Object} slot - SABnzbd queue slot
+ * @param {string} queueStatus - Overall queue status (e.g., 'Paused')
+ * @param {string} queueSpeed - Queue speed string
+ * @param {string} queueKbpersec - Queue speed in KB/s
+ * @returns {Object} Object with status and speed properties
+ */
+function getSlotStatusAndSpeed(slot, queueStatus, queueSpeed, queueKbpersec) {
+  if (queueStatus === 'Paused') {
+    return { status: 'Paused', speed: '0' };
+  }
+  return {
+    status: slot.status || 'Unknown',
+    speed: queueSpeed || queueKbpersec || '0'
+  };
+}
+
+/**
+ * Matches SABnzbd queue slots to Sonarr/Radarr activity using download IDs and title matching.
+ * @param {Array} slots - SABnzbd queue slots
+ * @param {Object} context - Matching context with records, maps, and user info
+ * @returns {Array} Array of matched download objects
+ */
+function matchSabSlots(slots, context) {
+  const {
+    sonarrQueueRecords,
+    sonarrHistoryRecords,
+    radarrQueueRecords,
+    radarrHistoryRecords,
+    seriesMap,
+    moviesMap,
+    sonarrTagMap,
+    radarrTagMap,
+    username,
+    isAdmin,
+    showAll,
+    embyUserMap,
+    queueStatus,
+    queueSpeed,
+    queueKbpersec
+  } = context;
+
+  const matched = [];
+  for (const slot of slots) {
+    const nzbName = slot.filename || slot.nzbname;
+    if (!nzbName) continue;
+
+    const slotState = getSlotStatusAndSpeed(slot, queueStatus, queueSpeed, queueKbpersec);
+    const nzbNameLower = nzbName.toLowerCase();
+
+    // Normalize SAB name (dots to spaces) for better matching
+    const nzbNameNormalized = nzbNameLower.replace(/\./g, ' ');
+
+    // Try to match by downloadId first (most reliable)
+    const sabDownloadId = slot.nzo_id || slot.id;
+    let sonarrMatch = sabDownloadId ? sonarrQueueRecords.find(r => r.downloadId === sabDownloadId) : null;
+    let radarrMatch = sabDownloadId ? radarrQueueRecords.find(r => r.downloadId === sabDownloadId) : null;
+
+    // Also check HISTORY by downloadId
+    if (!sonarrMatch && sabDownloadId) {
+      sonarrMatch = sonarrHistoryRecords.find(r => r.downloadId === sabDownloadId);
+    }
+    if (!radarrMatch && sabDownloadId) {
+      radarrMatch = radarrHistoryRecords.find(r => r.downloadId === sabDownloadId);
+    }
+
+    // Fallback: Check by title matching
+    if (!sonarrMatch) {
+      sonarrMatch = sonarrQueueRecords.find(r => {
+        const rTitle = (r.title || r.sourceTitle || '').toLowerCase();
+        return rTitle && (
+          rTitle.includes(nzbNameLower) || nzbNameLower.includes(rTitle) ||
+          rTitle.includes(nzbNameNormalized) || nzbNameNormalized.includes(rTitle)
+        );
+      });
+    }
+    if (!radarrMatch) {
+      radarrMatch = radarrQueueRecords.find(r => {
+        const rTitle = (r.title || r.sourceTitle || '').toLowerCase();
+        return rTitle && (
+          rTitle.includes(nzbNameLower) || nzbNameLower.includes(rTitle) ||
+          rTitle.includes(nzbNameNormalized) || nzbNameNormalized.includes(rTitle)
+        );
+      });
+    }
+
+    // Also check HISTORY (completed downloads) if no queue match
+    if (!sonarrMatch) {
+      sonarrMatch = sonarrHistoryRecords.find(r => {
+        const rTitle = (r.title || r.sourceTitle || '').toLowerCase();
+        return rTitle && (
+          rTitle.includes(nzbNameLower) || nzbNameLower.includes(rTitle) ||
+          rTitle.includes(nzbNameNormalized) || nzbNameNormalized.includes(rTitle)
+        );
+      });
+    }
+    if (!radarrMatch) {
+      radarrMatch = radarrHistoryRecords.find(r => {
+        const rTitle = (r.title || r.sourceTitle || '').toLowerCase();
+        return rTitle && (
+          rTitle.includes(nzbNameLower) || nzbNameLower.includes(rTitle) ||
+          rTitle.includes(nzbNameNormalized) || nzbNameNormalized.includes(rTitle)
+        );
+      });
+    }
+
+    if (sonarrMatch && sonarrMatch.seriesId) {
+      const series = seriesMap.get(sonarrMatch.seriesId) || sonarrMatch.series;
+      if (series) {
+        const allTags = TagMatcher.extractAllTags(series.tags, sonarrTagMap);
+        const matchedUserTag = TagMatcher.extractUserTag(series.tags, sonarrTagMap, username);
+        if (showAll ? allTags.length > 0 : !!matchedUserTag) {
+          // Calculate progress from SABnzbd slot data
+          const mbValue = slot.mb !== undefined && slot.mb !== null ? parseFloat(slot.mb) : 0;
+          const mbLeftValue = (slot.mbleft !== undefined && slot.mbleft !== null) || (slot.mbmissing !== undefined && slot.mbmissing !== null)
+            ? parseFloat(slot.mbleft || slot.mbmissing)
+            : 0;
+          const progress = mbValue > 0 ? ((mbValue - mbLeftValue) / mbValue) * 100 : 0;
+
+          const dlObj = {
+            type: 'series',
+            title: nzbName,
+            coverArt: DownloadAssembler.getCoverArt(series),
+            status: slotState.status,
+            progress: Math.round(progress),
+            mb: slot.mb,
+            mbmissing: slot.mbleft,
+            size: Math.round(slot.mb * 1024 * 1024),
+            speed: Math.round((slot.kbpersec || 0) * 1024),
+            eta: slot.timeleft,
+            seriesName: series.title,
+            episodes: DownloadAssembler.gatherEpisodes(nzbNameLower, sonarrQueueRecords),
+            allTags,
+            matchedUserTag: matchedUserTag || null,
+            tagBadges: showAll ? TagMatcher.buildTagBadges(allTags, embyUserMap) : undefined,
+            client: 'sabnzbd',
+            instanceId: slot.instanceId || 'sabnzbd-default',
+            instanceName: slot.instanceName || 'SABnzbd'
+          };
+          const issues = DownloadAssembler.getImportIssues(sonarrMatch);
+          if (issues) dlObj.importIssues = issues;
+          if (isAdmin) {
+            dlObj.downloadPath = slot.storage || null;
+            dlObj.targetPath = series.path || null;
+            dlObj.arrLink = DownloadAssembler.getSonarrLink(series);
+            dlObj.arrQueueId = sonarrMatch.id;
+            dlObj.arrType = 'sonarr';
+            dlObj.arrInstanceUrl = sonarrMatch._instanceUrl || null;
+            dlObj.arrInstanceKey = sonarrMatch._instanceKey || null;
+            dlObj.arrContentId = sonarrMatch.episodeId || null;
+            dlObj.arrContentType = 'episode';
+          }
+          dlObj.canBlocklist = DownloadAssembler.canBlocklist(dlObj, isAdmin);
+          matched.push(dlObj);
+        }
+      }
+    }
+
+    if (radarrMatch && radarrMatch.movieId) {
+      const movie = moviesMap.get(radarrMatch.movieId) || radarrMatch.movie;
+      if (movie) {
+        const allTags = TagMatcher.extractAllTags(movie.tags, radarrTagMap);
+        const matchedUserTag = TagMatcher.extractUserTag(movie.tags, radarrTagMap, username);
+        if (showAll ? allTags.length > 0 : !!matchedUserTag) {
+          // Calculate progress from SABnzbd slot data
+          const mbValue = slot.mb !== undefined && slot.mb !== null ? parseFloat(slot.mb) : 0;
+          const mbLeftValue = (slot.mbleft !== undefined && slot.mbleft !== null) || (slot.mbmissing !== undefined && slot.mbmissing !== null)
+            ? parseFloat(slot.mbleft || slot.mbmissing)
+            : 0;
+          const progress = mbValue > 0 ? ((mbValue - mbLeftValue) / mbValue) * 100 : 0;
+
+          const dlObj = {
+            type: 'movie',
+            title: nzbName,
+            coverArt: DownloadAssembler.getCoverArt(movie),
+            status: slotState.status,
+            progress: Math.round(progress),
+            mb: slot.mb,
+            mbmissing: slot.mbleft,
+            size: Math.round(slot.mb * 1024 * 1024),
+            speed: Math.round((slot.kbpersec || 0) * 1024),
+            eta: slot.timeleft,
+            movieName: movie.title,
+            movieInfo: radarrMatch,
+            allTags,
+            matchedUserTag: matchedUserTag || null,
+            tagBadges: showAll ? TagMatcher.buildTagBadges(allTags, embyUserMap) : undefined,
+            client: 'sabnzbd',
+            instanceId: slot.instanceId || 'sabnzbd-default',
+            instanceName: slot.instanceName || 'SABnzbd'
+          };
+          const issues = DownloadAssembler.getImportIssues(radarrMatch);
+          if (issues) dlObj.importIssues = issues;
+          if (isAdmin) {
+            dlObj.downloadPath = slot.storage || null;
+            dlObj.targetPath = movie.path || null;
+            dlObj.arrLink = DownloadAssembler.getRadarrLink(movie);
+            dlObj.arrQueueId = radarrMatch.id;
+            dlObj.arrType = 'radarr';
+            dlObj.arrInstanceUrl = radarrMatch._instanceUrl || null;
+            dlObj.arrInstanceKey = radarrMatch._instanceKey || null;
+            dlObj.arrContentId = radarrMatch.movieId || null;
+            dlObj.arrContentType = 'movie';
+          }
+          dlObj.canBlocklist = DownloadAssembler.canBlocklist(dlObj, isAdmin);
+          matched.push(dlObj);
+        }
+      }
+    }
+  }
+  return matched;
+}
+
+/**
+ * Matches SABnzbd history slots to Sonarr/Radarr activity using title matching.
+ * @param {Array} slots - SABnzbd history slots
+ * @param {Object} context - Matching context with records, maps, and user info
+ * @returns {Array} Array of matched download objects
+ */
+function matchSabHistory(slots, context) {
+  const {
+    sonarrHistoryRecords,
+    radarrHistoryRecords,
+    seriesMap,
+    moviesMap,
+    sonarrTagMap,
+    radarrTagMap,
+    username,
+    isAdmin,
+    showAll,
+    embyUserMap
+  } = context;
+
+  const matched = [];
+  for (const slot of slots) {
+    const nzbName = slot.name || slot.nzb_name || slot.nzbname;
+    if (!nzbName) continue;
+    const nzbNameLower = nzbName.toLowerCase();
+
+    const sonarrMatch = sonarrHistoryRecords.find(r => {
+      const rTitle = (r.sourceTitle || r.title || '').toLowerCase();
+      return rTitle && (rTitle.includes(nzbNameLower) || nzbNameLower.includes(rTitle));
+    });
+    if (sonarrMatch && sonarrMatch.seriesId) {
+      const series = seriesMap.get(sonarrMatch.seriesId) || sonarrMatch.series;
+      if (series) {
+        const allTags = TagMatcher.extractAllTags(series.tags, sonarrTagMap);
+        const matchedUserTag = TagMatcher.extractUserTag(series.tags, sonarrTagMap, username);
+        if (showAll ? allTags.length > 0 : !!matchedUserTag) {
+          const dlObj = {
+            type: 'series',
+            title: nzbName,
+            coverArt: DownloadAssembler.getCoverArt(series),
+            status: slot.status,
+            progress: 100, // History items are completed
+            mb: slot.mb,
+            size: Math.round((slot.mb || 0) * 1024 * 1024),
+            completedAt: slot.completed_time,
+            seriesName: series.title,
+            episodes: DownloadAssembler.gatherEpisodes(nzbNameLower, sonarrHistoryRecords),
+            allTags,
+            matchedUserTag: matchedUserTag || null,
+            tagBadges: showAll ? TagMatcher.buildTagBadges(allTags, embyUserMap) : undefined,
+            client: 'sabnzbd',
+            instanceId: slot.instanceId || 'sabnzbd-default',
+            instanceName: slot.instanceName || 'SABnzbd'
+          };
+          if (isAdmin) {
+            dlObj.downloadPath = slot.storage || null;
+            dlObj.targetPath = series.path || null;
+            dlObj.arrLink = DownloadAssembler.getSonarrLink(series);
+          }
+          matched.push(dlObj);
+        }
+      }
+    }
+
+    const radarrMatch = radarrHistoryRecords.find(r => {
+      const rTitle = (r.sourceTitle || r.title || '').toLowerCase();
+      return rTitle && (rTitle.includes(nzbNameLower) || nzbNameLower.includes(rTitle));
+    });
+    if (radarrMatch && radarrMatch.movieId) {
+      const movie = moviesMap.get(radarrMatch.movieId) || radarrMatch.movie;
+      if (movie) {
+        const allTags = TagMatcher.extractAllTags(movie.tags, radarrTagMap);
+        const matchedUserTag = TagMatcher.extractUserTag(movie.tags, radarrTagMap, username);
+        if (showAll ? allTags.length > 0 : !!matchedUserTag) {
+          const dlObj = {
+            type: 'movie',
+            title: nzbName,
+            coverArt: DownloadAssembler.getCoverArt(movie),
+            status: slot.status,
+            progress: 100, // History items are completed
+            mb: slot.mb,
+            size: Math.round((slot.mb || 0) * 1024 * 1024),
+            completedAt: slot.completed_time,
+            movieName: movie.title,
+            movieInfo: radarrMatch,
+            allTags,
+            matchedUserTag: matchedUserTag || null,
+            tagBadges: showAll ? TagMatcher.buildTagBadges(allTags, embyUserMap) : undefined,
+            client: 'sabnzbd',
+            instanceId: slot.instanceId || 'sabnzbd-default',
+            instanceName: slot.instanceName || 'SABnzbd'
+          };
+          if (isAdmin) {
+            dlObj.downloadPath = slot.storage || null;
+            dlObj.targetPath = movie.path || null;
+            dlObj.arrLink = DownloadAssembler.getRadarrLink(movie);
+          }
+          matched.push(dlObj);
+        }
+      }
+    }
+  }
+  return matched;
+}
+
+/**
+ * Matches qBittorrent torrents to Sonarr/Radarr activity using title matching.
+ * @param {Array} torrents - qBittorrent torrent list
+ * @param {Object} context - Matching context with records, maps, and user info
+ * @returns {Array} Array of matched download objects
+ */
+function matchTorrents(torrents, context) {
+  const {
+    sonarrQueueRecords,
+    sonarrHistoryRecords,
+    radarrQueueRecords,
+    radarrHistoryRecords,
+    seriesMap,
+    moviesMap,
+    sonarrTagMap,
+    radarrTagMap,
+    username,
+    isAdmin,
+    showAll,
+    embyUserMap
+  } = context;
+
+  const matched = [];
+  for (const torrent of torrents) {
+    const torrentName = torrent.name || '';
+    if (!torrentName) continue;
+    const torrentNameLower = torrentName.toLowerCase();
+
+    let matchedAny = false;
+
+    const sonarrMatch = sonarrQueueRecords.find(r => {
+      const rTitle = (r.title || r.sourceTitle || '').toLowerCase();
+      return rTitle && (rTitle.includes(torrentNameLower) || torrentNameLower.includes(rTitle));
+    });
+    if (sonarrMatch && sonarrMatch.seriesId) {
+      const series = seriesMap.get(sonarrMatch.seriesId) || sonarrMatch.series;
+      if (series) {
+        const allTags = TagMatcher.extractAllTags(series.tags, sonarrTagMap);
+        const matchedUserTag = TagMatcher.extractUserTag(series.tags, sonarrTagMap, username);
+        if (showAll ? allTags.length > 0 : !!matchedUserTag) {
+          const download = mapTorrentToDownload(torrent);
+          download.id = download.hash || torrent.hash;
+          download.progress = parseFloat(download.progress) || torrent.progress || 0;
+          download.speed = download.rawSpeed || torrent.dlspeed || 0;
+          Object.assign(download, {
+            type: 'series',
+            coverArt: DownloadAssembler.getCoverArt(series),
+            seriesName: series.title,
+            episodes: DownloadAssembler.gatherEpisodes(torrentNameLower, sonarrQueueRecords),
+            allTags,
+            matchedUserTag: matchedUserTag || null,
+            tagBadges: showAll ? TagMatcher.buildTagBadges(allTags, embyUserMap) : undefined
+          });
+          const issues = DownloadAssembler.getImportIssues(sonarrMatch);
+          if (issues) download.importIssues = issues;
+          if (isAdmin) {
+            download.downloadPath = download.savePath || null;
+            download.targetPath = series.path || null;
+            download.arrLink = DownloadAssembler.getSonarrLink(series);
+            download.arrQueueId = sonarrMatch.id;
+            download.arrType = 'sonarr';
+            download.arrInstanceUrl = sonarrMatch._instanceUrl || null;
+            download.arrInstanceKey = sonarrMatch._instanceKey || null;
+            download.arrContentId = sonarrMatch.episodeId || null;
+            download.arrContentType = 'episode';
+          }
+          download.canBlocklist = DownloadAssembler.canBlocklist(download, isAdmin);
+          matched.push(download);
+          matchedAny = true;
+          continue;
+        }
+      }
+    }
+
+    const radarrMatch = radarrQueueRecords.find(r => {
+      const rTitle = (r.title || r.sourceTitle || '').toLowerCase();
+      return rTitle && (rTitle.includes(torrentNameLower) || torrentNameLower.includes(rTitle));
+    });
+    if (radarrMatch && radarrMatch.movieId) {
+      const movie = moviesMap.get(radarrMatch.movieId) || radarrMatch.movie;
+      if (movie) {
+        const allTags = TagMatcher.extractAllTags(movie.tags, radarrTagMap);
+        const matchedUserTag = TagMatcher.extractUserTag(movie.tags, radarrTagMap, username);
+        if (showAll ? allTags.length > 0 : !!matchedUserTag) {
+          const download = mapTorrentToDownload(torrent);
+          download.id = download.hash || torrent.hash;
+          download.progress = parseFloat(download.progress) || torrent.progress || 0;
+          download.speed = download.rawSpeed || torrent.dlspeed || 0;
+          Object.assign(download, {
+            type: 'movie',
+            coverArt: DownloadAssembler.getCoverArt(movie),
+            movieName: movie.title,
+            movieInfo: radarrMatch,
+            allTags,
+            matchedUserTag: matchedUserTag || null,
+            tagBadges: showAll ? TagMatcher.buildTagBadges(allTags, embyUserMap) : undefined
+          });
+          const issues = DownloadAssembler.getImportIssues(radarrMatch);
+          if (issues) download.importIssues = issues;
+          if (isAdmin) {
+            download.downloadPath = download.savePath || null;
+            download.targetPath = movie.path || null;
+            download.arrLink = DownloadAssembler.getRadarrLink(movie);
+            download.arrQueueId = radarrMatch.id;
+            download.arrType = 'radarr';
+            download.arrInstanceUrl = radarrMatch._instanceUrl || null;
+            download.arrInstanceKey = radarrMatch._instanceKey || null;
+            download.arrContentId = radarrMatch.movieId || null;
+            download.arrContentType = 'movie';
+          }
+          download.canBlocklist = DownloadAssembler.canBlocklist(download, isAdmin);
+          matched.push(download);
+          matchedAny = true;
+          continue;
+        }
+      }
+    }
+
+    const sonarrHistoryMatch = sonarrHistoryRecords.find(r => {
+      const rTitle = (r.sourceTitle || r.title || '').toLowerCase();
+      return rTitle && (rTitle.includes(torrentNameLower) || torrentNameLower.includes(rTitle));
+    });
+    if (sonarrHistoryMatch && sonarrHistoryMatch.seriesId) {
+      const series = seriesMap.get(sonarrHistoryMatch.seriesId) || sonarrHistoryMatch.series;
+      if (series) {
+        const allTags = TagMatcher.extractAllTags(series.tags, sonarrTagMap);
+        const matchedUserTag = TagMatcher.extractUserTag(series.tags, sonarrTagMap, username);
+        if (showAll ? allTags.length > 0 : !!matchedUserTag) {
+          const download = mapTorrentToDownload(torrent);
+          Object.assign(download, {
+            type: 'series',
+            coverArt: DownloadAssembler.getCoverArt(series),
+            seriesName: series.title,
+            episodes: DownloadAssembler.gatherEpisodes(torrentNameLower, sonarrHistoryRecords),
+            allTags,
+            matchedUserTag: matchedUserTag || null,
+            tagBadges: showAll ? TagMatcher.buildTagBadges(allTags, embyUserMap) : undefined
+          });
+          if (isAdmin) {
+            download.downloadPath = download.savePath || null;
+            download.targetPath = series.path || null;
+            download.arrLink = DownloadAssembler.getSonarrLink(series);
+          }
+          matched.push(download);
+          matchedAny = true;
+          continue;
+        }
+      }
+    }
+
+    const radarrHistoryMatch = radarrHistoryRecords.find(r => {
+      const rTitle = (r.sourceTitle || r.title || '').toLowerCase();
+      return rTitle && (rTitle.includes(torrentNameLower) || torrentNameLower.includes(rTitle));
+    });
+    if (radarrHistoryMatch && radarrHistoryMatch.movieId) {
+      const movie = moviesMap.get(radarrHistoryMatch.movieId) || radarrHistoryMatch.movie;
+      if (movie) {
+        const allTags = TagMatcher.extractAllTags(movie.tags, radarrTagMap);
+        const matchedUserTag = TagMatcher.extractUserTag(movie.tags, radarrTagMap, username);
+        if (showAll ? allTags.length > 0 : !!matchedUserTag) {
+          const download = mapTorrentToDownload(torrent);
+          download.id = download.hash || torrent.hash;
+          download.progress = parseFloat(download.progress) || torrent.progress || 0;
+          download.speed = download.rawSpeed || torrent.dlspeed || 0;
+          Object.assign(download, {
+            type: 'movie',
+            coverArt: DownloadAssembler.getCoverArt(movie),
+            movieName: movie.title,
+            movieInfo: radarrHistoryMatch,
+            allTags,
+            matchedUserTag: matchedUserTag || null,
+            tagBadges: showAll ? TagMatcher.buildTagBadges(allTags, embyUserMap) : undefined
+          });
+          if (isAdmin) {
+            download.downloadPath = download.savePath || null;
+            download.targetPath = movie.path || null;
+            download.arrLink = DownloadAssembler.getRadarrLink(movie);
+          }
+          matched.push(download);
+          matchedAny = true;
+        }
+      }
+    }
+
+  }
+  return matched;
+}
+
+module.exports = {
+  buildSeriesMapFromRecords,
+  buildMoviesMapFromRecords,
+  getSlotStatusAndSpeed,
+  matchSabSlots,
+  matchSabHistory,
+  matchTorrents
+};
@@ -0,0 +1,86 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+const axios = require('axios');
+const cache = require('../utils/cache');
+
+// Return all resolved tag labels for a series/movie.
+// For Radarr: tags is array of IDs, tagMap is id -> label mapping.
+// For Sonarr: tags are objects with a label property.
+function extractAllTags(tags, tagMap) {
+  if (!tags || tags.length === 0) return [];
+  if (tagMap) {
+    return tags.map(id => tagMap.get(id)).filter(Boolean);
+  }
+  return tags.map(t => t && t.label).filter(Boolean);
+}
+
+// Return the tag label that matches the current username, or null.
+function extractUserTag(tags, tagMap, username) {
+  const allLabels = extractAllTags(tags, tagMap);
+  if (!allLabels.length) return null;
+  if (username) {
+    const match = allLabels.find(label => tagMatchesUser(label, username));
+    if (match) return match;
+  }
+  return null;
+}
+
+// Replicate Ombi's StringHelper.SanitizeTagLabel: lowercase, replace non-alphanumeric with hyphen, collapse, trim
+function sanitizeTagLabel(input) {
+  if (!input) return '';
+  return input.toLowerCase().replace(/[^a-z0-9]+/g, '-').replace(/-+/g, '-').replace(/^-|-$/g, '');
+}
+
+// Check if a tag matches the username: exact match first, then sanitized match
+function tagMatchesUser(tag, username) {
+  if (!tag || !username) return false;
+  const tagLower = tag.toLowerCase();
+  // Exact match (handles users whose tags weren't mangled)
+  if (tagLower === username) return true;
+  // Sanitized match (handles Ombi-mangled tags for email-style usernames)
+  if (tagLower === sanitizeTagLabel(username)) return true;
+  return false;
+}
+
+// Fetch all Emby users and return a Map<lowerName -> displayName> (and sanitized variants).
+// Result is cached for 60s to avoid hammering Emby on every dashboard poll.
+async function getEmbyUsers() {
+  const cached = cache.get('emby:users');
+  if (cached) return cached;
+  try {
+    const response = await axios.get(`${process.env.EMBY_URL}/Users`, {
+      headers: { 'X-MediaBrowser-Token': process.env.EMBY_API_KEY }
+    });
+    // Build map: both raw lowercase and sanitized form -> display name
+    const map = new Map();
+    for (const u of response.data) {
+      const name = u.Name || '';
+      map.set(name.toLowerCase(), name);
+      map.set(sanitizeTagLabel(name), name);
+    }
+    cache.set('emby:users', map, 60000);
+    return map;
+  } catch (err) {
+    console.error('[Dashboard] Failed to fetch Emby users:', err.message);
+    return new Map();
+  }
+}
+
+// Classify each tag label: matched to a known Emby user, or unmatched.
+// Returns array of { label, matchedUser: string|null }
+function buildTagBadges(allTags, embyUserMap) {
+  return allTags.map(label => {
+    const lower = label.toLowerCase();
+    const sanitized = sanitizeTagLabel(label);
+    const displayName = embyUserMap.get(lower) || embyUserMap.get(sanitized) || null;
+    return { label, matchedUser: displayName };
+  });
+}
+
+module.exports = {
+  extractAllTags,
+  extractUserTag,
+  sanitizeTagLabel,
+  tagMatchesUser,
+  getEmbyUsers,
+  buildTagBadges
+};
@@ -0,0 +1,55 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+const axios = require('axios');
+const { getSonarrInstances, getRadarrInstances } = require('../utils/config');
+
+/**
+ * Check if Sofarr webhook is configured in a Sonarr/Radarr instance.
+ * @param {Object} instance - The Sonarr/Radarr instance config
+ * @param {string} type - 'Sonarr' or 'Radarr'
+ * @returns {Promise<boolean>} true if webhook is configured
+ */
+async function checkWebhookConfigured(instance, type) {
+  try {
+    const response = await axios.get(`${instance.url}/api/v3/notification`, {
+      headers: { 'X-Api-Key': instance.apiKey },
+      timeout: 5000
+    });
+    const notifications = response.data || [];
+    return notifications.some(n => n.name === 'Sofarr' && n.implementation === 'Webhook');
+  } catch (err) {
+    console.log(`[WebhookStatus] Failed to check ${type} webhook config: ${err.message}`);
+    return false;
+  }
+}
+
+/**
+ * Aggregate webhook metrics for a service type.
+ * @param {Object} metricsMap - Map of instance URLs to their metrics
+ * @param {boolean} configured - Whether the service is configured
+ * @returns {Object|null} Aggregated metrics or null if not configured
+ */
+function aggregateMetrics(metricsMap, configured) {
+  const values = Object.values(metricsMap);
+  if (values.length === 0) {
+    // Return default metrics if configured but no events yet
+    return configured ? {
+      enabled: true,
+      eventsReceived: 0,
+      pollsSkipped: 0,
+      lastEvent: null
+    } : null;
+  }
+  return {
+    enabled: true,
+    eventsReceived: values.reduce((sum, m) => sum + (m.eventsReceived || 0), 0),
+    pollsSkipped: values.reduce((sum, m) => sum + (m.pollsSkipped || 0), 0),
+    lastEvent: values.reduce((latest, m) => {
+      return m.lastWebhookTimestamp > latest ? m.lastWebhookTimestamp : latest;
+    }, 0)
+  };
+}
+
+module.exports = {
+  checkWebhookConfigured,
+  aggregateMetrics
+};
@@ -0,0 +1,405 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+const { logToFile } = require('./logger');
+const cache = require('./cache');
+const {
+  getSonarrInstances,
+  getRadarrInstances
+} = require('./config');
+
+// Import retriever classes
+const PollingSonarrRetriever = require('../clients/PollingSonarrRetriever');
+const PollingRadarrRetriever = require('../clients/PollingRadarrRetriever');
+
+// Retriever type mapping
+const retrieverClasses = {
+  sonarr: PollingSonarrRetriever,
+  radarr: PollingRadarrRetriever
+};
+
+/**
+ * Singleton registry for *arr data retrievers
+ */
+const arrRetrieverRegistry = {
+  retrievers: new Map(),
+  initialized: false,
+
+  /**
+   * Initialize all configured *arr retrievers
+   */
+  async initialize() {
+    if (this.initialized) {
+      return;
+    }
+
+    logToFile('[ArrRetrieverRegistry] Initializing *arr retrievers...');
+
+    // Get all instance configurations
+    const sonarrInstances = getSonarrInstances();
+    const radarrInstances = getRadarrInstances();
+
+    // Create retriever instances
+    const instanceConfigs = [
+      ...sonarrInstances.map(inst => ({ ...inst, type: 'sonarr' })),
+      ...radarrInstances.map(inst => ({ ...inst, type: 'radarr' }))
+    ];
+
+    for (const config of instanceConfigs) {
+      try {
+        const RetrieverClass = retrieverClasses[config.type];
+        if (!RetrieverClass) {
+          logToFile(`[ArrRetrieverRegistry] Unknown retriever type: ${config.type}`);
+          continue;
+        }
+
+        const retriever = new RetrieverClass(config);
+        const uniqueKey = `${config.type}:${config.id}`;
+        this.retrievers.set(uniqueKey, retriever);
+        logToFile(`[ArrRetrieverRegistry] Created ${config.type} retriever: ${config.name} (${uniqueKey})`);
+      } catch (error) {
+        logToFile(`[ArrRetrieverRegistry] Failed to create retriever ${config.id}: ${error.message}`);
+      }
+    }
+
+    this.initialized = true;
+    logToFile(`[ArrRetrieverRegistry] Initialized ${this.retrievers.size} *arr retrievers`);
+  },
+
+  /**
+   * Get all registered retrievers
+   * @returns {Array<ArrRetriever>} Array of retriever instances
+   */
+  getAllRetrievers() {
+    return Array.from(this.retrievers.values());
+  },
+
+  /**
+   * Get retriever by instance ID
+   * @param {string} instanceId - The instance ID
+   * @returns {ArrRetriever|null} Retriever instance or null if not found
+   */
+  getRetriever(instanceId) {
+    return this.retrievers.get(instanceId) || null;
+  },
+
+  /**
+   * Get retrievers by type
+   * @param {string} type - Retriever type ('sonarr', 'radarr')
+   * @returns {Array<ArrRetriever>} Array of retriever instances
+   */
+  getRetrieversByType(type) {
+    return this.getAllRetrievers().filter(retriever => retriever.getRetrieverType() === type);
+  },
+
+  /**
+   * Get tags from all retrievers
+   * @returns {Promise<Array<Object>>} Array of tag results with instance info
+   */
+  async getAllTags() {
+    const retrievers = this.getAllRetrievers();
+    if (retrievers.length === 0) {
+      return [];
+    }
+
+    // Fetch tags from all retrievers in parallel
+    const results = await Promise.allSettled(
+      retrievers.map(async (retriever) => {
+        try {
+          const tags = await retriever.getTags();
+          logToFile(`[ArrRetrieverRegistry] ${retriever.name}: ${tags.length} tags`);
+          return { instance: retriever.getInstanceId(), data: tags };
+        } catch (error) {
+          logToFile(`[ArrRetrieverRegistry] Error fetching tags from ${retriever.name}: ${error.message}`);
+          return { instance: retriever.getInstanceId(), data: [] };
+        }
+      })
+    );
+
+    return results
+      .filter(result => result.status === 'fulfilled')
+      .map(result => result.value);
+  },
+
+  /**
+   * Get queue from all retrievers
+   * @returns {Promise<Array<Object>>} Array of queue results with instance info
+   */
+  async getAllQueues() {
+    const retrievers = this.getAllRetrievers();
+    if (retrievers.length === 0) {
+      return [];
+    }
+
+    // Fetch queues from all retrievers in parallel
+    const results = await Promise.allSettled(
+      retrievers.map(async (retriever) => {
+        try {
+          const queue = await retriever.getQueue();
+          logToFile(`[ArrRetrieverRegistry] ${retriever.name}: ${(queue.records || []).length} queue items`);
+          return { instance: retriever.getInstanceId(), data: queue };
+        } catch (error) {
+          logToFile(`[ArrRetrieverRegistry] Error fetching queue from ${retriever.name}: ${error.message}`);
+          return { instance: retriever.getInstanceId(), data: { records: [] } };
+        }
+      })
+    );
+
+    return results
+      .filter(result => result.status === 'fulfilled')
+      .map(result => result.value);
+  },
+
+  /**
+   * Get history from all retrievers
+   * @param {Object} options - Optional parameters for history fetch
+   * @returns {Promise<Array<Object>>} Array of history results with instance info
+   */
+  async getAllHistory(options = {}) {
+    const retrievers = this.getAllRetrievers();
+    if (retrievers.length === 0) {
+      return [];
+    }
+
+    // Fetch history from all retrievers in parallel
+    const results = await Promise.allSettled(
+      retrievers.map(async (retriever) => {
+        try {
+          const history = await retriever.getHistory(options);
+          logToFile(`[ArrRetrieverRegistry] ${retriever.name}: ${(history.records || []).length} history records`);
+          return { instance: retriever.getInstanceId(), data: history };
+        } catch (error) {
+          logToFile(`[ArrRetrieverRegistry] Error fetching history from ${retriever.name}: ${error.message}`);
+          return { instance: retriever.getInstanceId(), data: { records: [] } };
+        }
+      })
+    );
+
+    return results
+      .filter(result => result.status === 'fulfilled')
+      .map(result => result.value);
+  },
+
+  /**
+   * Get tags grouped by retriever type
+   * @returns {Promise<Object>} Tags grouped by retriever type (array of { instance, data } objects)
+   */
+  async getTagsByType() {
+    const sonarrRetrievers = this.getRetrieversByType('sonarr');
+    const radarrRetrievers = this.getRetrieversByType('radarr');
+
+    const sonarrTags = await Promise.allSettled(
+      sonarrRetrievers.map(async (retriever) => {
+        try {
+          const tags = await retriever.getTags();
+          return { instance: retriever.getInstanceId(), data: tags };
+        } catch (error) {
+          logToFile(`[ArrRetrieverRegistry] Error fetching tags from ${retriever.name}: ${error.message}`);
+          return { instance: retriever.getInstanceId(), data: [] };
+        }
+      })
+    );
+
+    const radarrTags = await Promise.allSettled(
+      radarrRetrievers.map(async (retriever) => {
+        try {
+          const tags = await retriever.getTags();
+          return { instance: retriever.getInstanceId(), data: tags };
+        } catch (error) {
+          logToFile(`[ArrRetrieverRegistry] Error fetching tags from ${retriever.name}: ${error.message}`);
+          return { instance: retriever.getInstanceId(), data: [] };
+        }
+      })
+    );
+
+    return {
+      sonarr: sonarrTags
+        .filter(result => result.status === 'fulfilled')
+        .map(result => result.value),
+      radarr: radarrTags
+        .filter(result => result.status === 'fulfilled')
+        .map(result => result.value)
+    };
+  },
+
+  /**
+   * Get queue grouped by retriever type
+   * @returns {Promise<Object>} Queue grouped by retriever type
+   */
+  async getQueuesByType() {
+    const sonarrRetrievers = this.getRetrieversByType('sonarr');
+    const radarrRetrievers = this.getRetrieversByType('radarr');
+
+    const sonarrQueues = await Promise.allSettled(
+      sonarrRetrievers.map(async (retriever) => {
+        try {
+          const queue = await retriever.getQueue();
+          return { instance: retriever.getInstanceId(), data: queue };
+        } catch (error) {
+          logToFile(`[ArrRetrieverRegistry] Error fetching queue from ${retriever.name}: ${error.message}`);
+          return { instance: retriever.getInstanceId(), data: { records: [] } };
+        }
+      })
+    );
+
+    const radarrQueues = await Promise.allSettled(
+      radarrRetrievers.map(async (retriever) => {
+        try {
+          const queue = await retriever.getQueue();
+          return { instance: retriever.getInstanceId(), data: queue };
+        } catch (error) {
+          logToFile(`[ArrRetrieverRegistry] Error fetching queue from ${retriever.name}: ${error.message}`);
+          return { instance: retriever.getInstanceId(), data: { records: [] } };
+        }
+      })
+    );
+
+    return {
+      sonarr: sonarrQueues
+        .filter(result => result.status === 'fulfilled')
+        .map(result => result.value),
+      radarr: radarrQueues
+        .filter(result => result.status === 'fulfilled')
+        .map(result => result.value)
+    };
+  },
+
+  /**
+   * Get history grouped by retriever type
+   * @param {Object} options - Optional parameters for history fetch
+   * @returns {Promise<Object>} History grouped by retriever type
+   */
+  async getHistoryByType(options = {}) {
+    const sonarrRetrievers = this.getRetrieversByType('sonarr');
+    const radarrRetrievers = this.getRetrieversByType('radarr');
+
+    const sonarrHistory = await Promise.allSettled(
+      sonarrRetrievers.map(async (retriever) => {
+        try {
+          const history = await retriever.getHistory(options);
+          return { instance: retriever.getInstanceId(), data: history };
+        } catch (error) {
+          logToFile(`[ArrRetrieverRegistry] Error fetching history from ${retriever.name}: ${error.message}`);
+          return { instance: retriever.getInstanceId(), data: { records: [] } };
+        }
+      })
+    );
+
+    const radarrHistory = await Promise.allSettled(
+      radarrRetrievers.map(async (retriever) => {
+        try {
+          const history = await retriever.getHistory(options);
+          return { instance: retriever.getInstanceId(), data: history };
+        } catch (error) {
+          logToFile(`[ArrRetrieverRegistry] Error fetching history from ${retriever.name}: ${error.message}`);
+          return { instance: retriever.getInstanceId(), data: { records: [] } };
+        }
+      })
+    );
+
+    return {
+      sonarr: sonarrHistory
+        .filter(result => result.status === 'fulfilled')
+        .map(result => result.value),
+      radarr: radarrHistory
+        .filter(result => result.status === 'fulfilled')
+        .map(result => result.value)
+    };
+  }
+};
+
+/**
+ * Replicate Ombi's StringHelper.SanitizeTagLabel: lowercase, replace non-alphanumeric with hyphen, collapse, trim
+ */
+function sanitizeTagLabel(input) {
+  if (!input) return '';
+  return input.toLowerCase().replace(/[^a-z0-9]+/g, '-').replace(/-+/g, '-').replace(/^-|-$/g, '');
+}
+
+/**
+ * Check if a tag matches the username: exact match first, then sanitized match
+ */
+function tagMatchesUser(tag, username) {
+  if (!tag || !username) return false;
+  const tagLower = tag.toLowerCase();
+  const usernameLower = username.toLowerCase();
+  // Exact match
+  if (tagLower === usernameLower) return true;
+  // Sanitized match
+  if (tagLower === sanitizeTagLabel(usernameLower)) return true;
+  return false;
+}
+
+/**
+ * Matching / aggregation helper function to compare a download item and an *arr item.
+ */
+function matchDownload(download, arrItem, username, tagMap) {
+  if (!download || !arrItem) return false;
+
+  // 1. First attempt an exact ID match using the stable fields that exist in the fetched data
+  if (download.arrInfo) {
+    // Sonarr stable IDs
+    if (download.arrInfo.episodeFileId !== undefined && arrItem.episodeFileId !== undefined) {
+      if (download.arrInfo.episodeFileId === arrItem.episodeFileId) return true;
+    }
+    if (download.arrInfo.episodeId !== undefined && arrItem.episodeId !== undefined) {
+      if (download.arrInfo.episodeId === arrItem.episodeId) return true;
+    }
+    if (download.arrInfo.seriesId !== undefined && arrItem.seriesId !== undefined) {
+      if (download.arrInfo.seriesId === arrItem.seriesId) return true;
+    }
+
+    // Radarr stable IDs
+    if (download.arrInfo.movieFileId !== undefined && arrItem.movieFileId !== undefined) {
+      if (download.arrInfo.movieFileId === arrItem.movieFileId) return true;
+    }
+    if (download.arrInfo.movieId !== undefined && arrItem.movieId !== undefined) {
+      if (download.arrInfo.movieId === arrItem.movieId) return true;
+    }
+  }
+
+  // 2. Only fall back to the existing title + tag string matching if no ID match is possible
+  const dlTitle = (download.title || '').toLowerCase();
+  const arrTitle = (arrItem.title || arrItem.sourceTitle || '').toLowerCase();
+  const titleMatches = dlTitle && arrTitle && (dlTitle.includes(arrTitle) || arrTitle.includes(dlTitle));
+
+  if (!titleMatches) return false;
+
+  // Preserve the existing lowercase-username tag logic exactly
+  if (!username) return true;
+
+  const getLabels = (item) => {
+    if (!item) return [];
+    const tags = item.tags || (item.series && item.series.tags) || (item.movie && item.movie.tags) || [];
+    return tags.map(t => {
+      if (typeof t === 'object' && t !== null) {
+        return t.label || t.name;
+      }
+      if (tagMap && tagMap.has && tagMap.has(t)) {
+        return tagMap.get(t);
+      }
+      
+      // Try resolving from cache as fallback
+      const cachedSonarrTags = cache.get('poll:sonarr-tags') || [];
+      const cachedRadarrTags = cache.get('poll:radarr-tags') || [];
+      const allCachedTags = [...cachedSonarrTags, ...cachedRadarrTags];
+      const found = allCachedTags.find(tag => tag && tag.id === t);
+      if (found) return found.label || found.name;
+      
+      return t;
+    }).filter(Boolean);
+  };
+
+  const dlTags = getLabels(download);
+  const arrTags = getLabels(arrItem);
+  const allTags = [...dlTags, ...arrTags];
+
+  return allTags.some(tag => tagMatchesUser(tag, username));
+}
+
+// Attach matching helper functions to the registry object
+arrRetrieverRegistry.matchDownload = matchDownload;
+arrRetrieverRegistry.matchDownloadToArr = matchDownload;
+arrRetrieverRegistry.aggregateMatch = matchDownload;
+arrRetrieverRegistry.matchingHelper = matchDownload;
+arrRetrieverRegistry.compareDownloadAndArr = matchDownload;
+
+module.exports = arrRetrieverRegistry;
@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 const { logToFile } = require('./logger');

 class MemoryCache {
@@ -71,4 +72,64 @@ class MemoryCache {

 const cache = new MemoryCache();

+// Webhook metrics for polling optimization
+// These are stored separately from regular cache entries
+const webhookMetrics = {
+  // Per-instance metrics: key = instance URL, value = { lastWebhookTimestamp, eventsReceived, pollsSkipped }
+  instances: new Map(),
+  // Global metrics
+  lastGlobalWebhookTimestamp: null,
+  totalWebhookEventsReceived: 0
+};
+
+function getWebhookMetrics(instanceUrl) {
+  if (!instanceUrl) return null;
+  return webhookMetrics.instances.get(instanceUrl) || {
+    lastWebhookTimestamp: null,
+    eventsReceived: 0,
+    pollsSkipped: 0
+  };
+}
+
+function updateWebhookMetrics(instanceUrl) {
+  const now = Date.now();
+  webhookMetrics.lastGlobalWebhookTimestamp = now;
+  webhookMetrics.totalWebhookEventsReceived++;
+  
+  if (instanceUrl) {
+    const metrics = webhookMetrics.instances.get(instanceUrl) || {
+      lastWebhookTimestamp: null,
+      eventsReceived: 0,
+      pollsSkipped: 0
+    };
+    metrics.lastWebhookTimestamp = now;
+    metrics.eventsReceived++;
+    webhookMetrics.instances.set(instanceUrl, metrics);
+  }
+}
+
+function incrementPollsSkipped(instanceUrl) {
+  if (instanceUrl) {
+    const metrics = webhookMetrics.instances.get(instanceUrl) || {
+      lastWebhookTimestamp: null,
+      eventsReceived: 0,
+      pollsSkipped: 0
+    };
+    metrics.pollsSkipped++;
+    webhookMetrics.instances.set(instanceUrl, metrics);
+  }
+}
+
+function getGlobalWebhookMetrics() {
+  return {
+    lastGlobalWebhookTimestamp: webhookMetrics.lastGlobalWebhookTimestamp,
+    totalWebhookEventsReceived: webhookMetrics.totalWebhookEventsReceived,
+    instances: Object.fromEntries(webhookMetrics.instances)
+  };
+}
+
 module.exports = cache;
+module.exports.getWebhookMetrics = getWebhookMetrics;
+module.exports.updateWebhookMetrics = updateWebhookMetrics;
+module.exports.incrementPollsSkipped = incrementPollsSkipped;
+module.exports.getGlobalWebhookMetrics = getGlobalWebhookMetrics;
@@ -1,5 +1,28 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 const { logToFile } = require('./logger');

+// Validate that a configured service URL is well-formed and uses http(s).
+// Emits a warning (never throws) so a misconfigured instance degrades
+// gracefully rather than crashing the whole server.
+function validateInstanceUrl(url, instanceId) {
+  if (!url || typeof url !== 'string') {
+    logToFile(`[Config] WARNING: instance "${instanceId}" has no URL configured`);
+    return false;
+  }
+  let parsed;
+  try {
+    parsed = new URL(url);
+  } catch {
+    logToFile(`[Config] WARNING: instance "${instanceId}" has an invalid URL: "${url}"`);
+    return false;
+  }
+  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
+    logToFile(`[Config] WARNING: instance "${instanceId}" URL must use http or https, got "${parsed.protocol}"`);
+    return false;
+  }
+  return true;
+}
+
 function parseInstances(envVar, legacyUrl, legacyKey, legacyUsername, legacyPassword) {
  // Try to parse JSON array format first
  if (envVar) {
@@ -9,10 +32,11 @@ function parseInstances(envVar, legacyUrl, legacyKey, legacyUsername, legacyPass
      const instances = JSON.parse(cleaned);
      if (Array.isArray(instances) && instances.length > 0) {
        logToFile(`[Config] Parsed ${instances.length} instances from JSON array`);
-        return instances.map((inst, idx) => ({
-          ...inst,
-          id: inst.name || `instance-${idx + 1}`
-        }));
+        return instances.map((inst, idx) => {
+          const id = inst.name || `instance-${idx + 1}`;
+          validateInstanceUrl(inst.url, id);
+          return { ...inst, id };
+        });
      }
    } catch (err) {
      logToFile(`[Config] Failed to parse JSON array: ${err.message}`);
@@ -22,6 +46,7 @@ function parseInstances(envVar, legacyUrl, legacyKey, legacyUsername, legacyPass
  // Fall back to legacy single-instance format
  if (legacyUrl && legacyKey) {
    logToFile(`[Config] Using legacy single-instance format`);
+    validateInstanceUrl(legacyUrl, 'default');
    return [{
      id: 'default',
      name: 'Default',
@@ -69,10 +94,43 @@ function getQbittorrentInstances() {
  );
 }

+function getTransmissionInstances() {
+  return parseInstances(
+    process.env.TRANSMISSION_INSTANCES,
+    process.env.TRANSMISSION_URL,
+    null, // no apiKey for Transmission
+    process.env.TRANSMISSION_USERNAME,
+    process.env.TRANSMISSION_PASSWORD
+  );
+}
+
+function getRtorrentInstances() {
+  return parseInstances(
+    process.env.RTORRENT_INSTANCES,
+    process.env.RTORRENT_URL,
+    null, // no apiKey for rtorrent
+    process.env.RTORRENT_USERNAME,
+    process.env.RTORRENT_PASSWORD
+  );
+}
+
+function getWebhookSecret() {
+  return process.env.SOFARR_WEBHOOK_SECRET || '';
+}
+
+function getSofarrBaseUrl() {
+  return process.env.SOFARR_BASE_URL || '';
+}
+
 module.exports = {
  getSABnzbdInstances,
  getSonarrInstances,
  getRadarrInstances,
  getQbittorrentInstances,
-  parseInstances
+  getTransmissionInstances,
+  getRtorrentInstances,
+  getWebhookSecret,
+  getSofarrBaseUrl,
+  parseInstances,
+  validateInstanceUrl
 };
@@ -0,0 +1,255 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+const { logToFile } = require('./logger');
+const {
+  getSABnzbdInstances,
+  getQbittorrentInstances,
+  getTransmissionInstances,
+  getRtorrentInstances
+} = require('./config');
+
+// Import client classes
+const SABnzbdClient = require('../clients/SABnzbdClient');
+const QBittorrentClient = require('../clients/QBittorrentClient');
+const TransmissionClient = require('../clients/TransmissionClient');
+const RTorrentClient = require('../clients/RTorrentClient');
+
+// Client type mapping
+const clientClasses = {
+  sabnzbd: SABnzbdClient,
+  qbittorrent: QBittorrentClient,
+  transmission: TransmissionClient,
+  rtorrent: RTorrentClient
+};
+
+/**
+ * Registry and factory for download clients
+ */
+class DownloadClientRegistry {
+  constructor() {
+    this.clients = new Map();
+    this.initialized = false;
+  }
+
+  /**
+   * Initialize all configured download clients
+   */
+  async initialize() {
+    if (this.initialized) {
+      return;
+    }
+
+    logToFile('[DownloadClientRegistry] Initializing download clients...');
+
+    // Get all instance configurations
+    const sabnzbdInstances = getSABnzbdInstances();
+    const qbittorrentInstances = getQbittorrentInstances();
+    const transmissionInstances = getTransmissionInstances();
+    const rtorrentInstances = getRtorrentInstances();
+
+    // Create client instances
+    const instanceConfigs = [
+      ...sabnzbdInstances.map(inst => ({ ...inst, type: 'sabnzbd' })),
+      ...qbittorrentInstances.map(inst => ({ ...inst, type: 'qbittorrent' })),
+      ...transmissionInstances.map(inst => ({ ...inst, type: 'transmission' })),
+      ...rtorrentInstances.map(inst => ({ ...inst, type: 'rtorrent' }))
+    ];
+
+    for (const config of instanceConfigs) {
+      try {
+        const ClientClass = clientClasses[config.type];
+        if (!ClientClass) {
+          logToFile(`[DownloadClientRegistry] Unknown client type: ${config.type}`);
+          continue;
+        }
+
+        const client = new ClientClass(config);
+        const uniqueKey = `${config.type}:${config.id}`;
+        this.clients.set(uniqueKey, client);
+        logToFile(`[DownloadClientRegistry] Created ${config.type} client: ${config.name} (${uniqueKey})`);
+      } catch (error) {
+        logToFile(`[DownloadClientRegistry] Failed to create client ${config.id}: ${error.message}`);
+      }
+    }
+
+    this.initialized = true;
+    logToFile(`[DownloadClientRegistry] Initialized ${this.clients.size} download clients`);
+  }
+
+  /**
+   * Get all registered clients
+   * @returns {Array<DownloadClient>} Array of client instances
+   */
+  getAllClients() {
+    return Array.from(this.clients.values());
+  }
+
+  /**
+   * Get client by instance ID
+   * @param {string} instanceId - The instance ID
+   * @returns {DownloadClient|null} Client instance or null if not found
+   */
+  getClient(instanceId) {
+    return this.clients.get(instanceId) || null;
+  }
+
+  /**
+   * Get clients by type
+   * @param {string} type - Client type ('sabnzbd', 'qbittorrent', 'transmission')
+   * @returns {Array<DownloadClient>} Array of client instances
+   */
+  getClientsByType(type) {
+    return this.getAllClients().filter(client => client.getClientType() === type);
+  }
+
+  /**
+   * Get active downloads from all clients
+   * @returns {Promise<Array<NormalizedDownload>>} Array of all downloads
+   */
+  async getAllDownloads() {
+    const clients = this.getAllClients();
+    if (clients.length === 0) {
+      return [];
+    }
+
+    // Reset fallback flags for qBittorrent clients
+    for (const client of clients) {
+      if (client.resetFallbackFlag) {
+        client.resetFallbackFlag();
+      }
+    }
+
+    // Fetch downloads from all clients in parallel
+    const results = await Promise.allSettled(
+      clients.map(async (client) => {
+        try {
+          const downloads = await client.getActiveDownloads();
+          logToFile(`[DownloadClientRegistry] ${client.name}: ${downloads.length} downloads`);
+          return downloads;
+        } catch (error) {
+          logToFile(`[DownloadClientRegistry] Error fetching from ${client.name}: ${error.message}`);
+          return [];
+        }
+      })
+    );
+
+    // Flatten and return all downloads
+    const allDownloads = results
+      .filter(result => result.status === 'fulfilled')
+      .flatMap(result => result.value);
+
+    logToFile(`[DownloadClientRegistry] Total downloads from all clients: ${allDownloads.length}`);
+    return allDownloads;
+  }
+
+  /**
+   * Get downloads grouped by client type (for backward compatibility)
+   * @returns {Promise<Object>} Downloads grouped by client type
+   */
+  async getDownloadsByClientType() {
+    const clients = this.getAllClients();
+    const result = {};
+
+    // Group by client type
+    for (const client of clients) {
+      const type = client.getClientType();
+      if (!result[type]) {
+        result[type] = [];
+      }
+
+      try {
+        const downloads = await client.getActiveDownloads();
+        result[type].push(...downloads);
+      } catch (error) {
+        logToFile(`[DownloadClientRegistry] Error fetching from ${client.name}: ${error.message}`);
+      }
+    }
+
+    return result;
+  }
+
+  /**
+   * Test connection to all clients
+   * @returns {Promise<Array<Object>>} Array of connection test results
+   */
+  async testAllConnections() {
+    const clients = this.getAllClients();
+    const results = await Promise.allSettled(
+      clients.map(async (client) => {
+        try {
+          const success = await client.testConnection();
+          return {
+            instanceId: client.getInstanceId(),
+            instanceName: client.name,
+            clientType: client.getClientType(),
+            success,
+            error: null
+          };
+        } catch (error) {
+          return {
+            instanceId: client.getInstanceId(),
+            instanceName: client.name,
+            clientType: client.getClientType(),
+            success: false,
+            error: error.message
+          };
+        }
+      })
+    );
+
+    return results
+      .filter(result => result.status === 'fulfilled')
+      .map(result => result.value);
+  }
+
+  /**
+   * Get client status information from all clients
+   * @returns {Promise<Array<Object>>} Array of client status objects
+   */
+  async getAllClientStatuses() {
+    const clients = this.getAllClients();
+    const results = await Promise.allSettled(
+      clients.map(async (client) => {
+        try {
+          const status = await client.getClientStatus();
+          return {
+            instanceId: client.getInstanceId(),
+            instanceName: client.name,
+            clientType: client.getClientType(),
+            status
+          };
+        } catch (error) {
+          logToFile(`[DownloadClientRegistry] Error getting status from ${client.name}: ${error.message}`);
+          return {
+            instanceId: client.getInstanceId(),
+            instanceName: client.name,
+            clientType: client.getClientType(),
+            status: null,
+            error: error.message
+          };
+        }
+      })
+    );
+
+    return results
+      .filter(result => result.status === 'fulfilled')
+      .map(result => result.value);
+  }
+}
+
+// Create singleton instance
+const registry = new DownloadClientRegistry();
+
+module.exports = {
+  DownloadClientRegistry,
+  registry,
+  
+  // Convenience functions
+  initializeClients: () => registry.initialize(),
+  getAllClients: () => registry.getAllClients(),
+  getClient: (instanceId) => registry.getClient(instanceId),
+  getClientsByType: (type) => registry.getClientsByType(type),
+  getAllDownloads: () => registry.getAllDownloads(),
+  getDownloadsByClientType: () => registry.getDownloadsByClientType(),
+  testAllConnections: () => registry.testAllConnections(),
+  getAllClientStatuses: () => registry.getAllClientStatuses()
+};
@@ -0,0 +1,357 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+const cache = require('./cache');
+const { getSonarrInstances, getRadarrInstances } = require('./config');
+const arrRetrieverRegistry = require('./arrRetrievers');
+
+// Cache TTL for recent-history data: 5 minutes.
+// History changes slowly compared to active downloads.
+const HISTORY_CACHE_TTL = 5 * 60 * 1000;
+
+// Staged loading configuration
+const INITIAL_PAGE_SIZE = 100;
+const MAX_TOTAL_RECORDS = 1000;
+const MAX_PAGES = 10; // 10 pages * 100 records = 1000 total
+
+// Background fetch state to prevent concurrent fetches
+const backgroundFetchState = {
+  sonarr: { inProgress: false, lastFetchTime: 0 },
+  radarr: { inProgress: false, lastFetchTime: 0 }
+};
+
+// Event subscribers for history updates
+const historyUpdateSubscribers = new Set();
+
+// Sonarr event types that represent a successful import
+const SONARR_IMPORTED_EVENTS = new Set(['downloadFolderImported', 'downloadImported']);
+// Sonarr event types that represent a failed import
+const SONARR_FAILED_EVENTS = new Set(['downloadFailed', 'importFailed']);
+// Radarr equivalents
+const RADARR_IMPORTED_EVENTS = new Set(['downloadFolderImported', 'downloadImported']);
+const RADARR_FAILED_EVENTS = new Set(['downloadFailed', 'importFailed']);
+
+/**
+ * Fetch recent history records from all Sonarr instances for the given date window.
+ * Results are cached under 'history:sonarr' for HISTORY_CACHE_TTL.
+ * Uses staged loading: fetches 100 records immediately, then background-fetches up to 1000.
+ * @param {Date} since - Only include records on or after this date
+ * @returns {Promise<Array>} Flat array of Sonarr history records (with _instanceUrl and _instanceName)
+ */
+async function fetchSonarrHistory(since) {
+  const cacheKey = 'history:sonarr';
+  const cached = cache.get(cacheKey);
+  if (cached) {
+    // Only trigger background refresh if cache is incomplete (less than max records)
+    if (!backgroundFetchState.sonarr.inProgress && cached.length < MAX_TOTAL_RECORDS) {
+      triggerBackgroundSonarrFetch(since);
+    }
+    return cached;
+  }
+
+  // Ensure retrievers are initialized
+  await arrRetrieverRegistry.initialize();
+
+  const instances = getSonarrInstances();
+  const sonarrRetrievers = arrRetrieverRegistry.getRetrieversByType('sonarr');
+
+  // Stage 1: Fetch initial batch (100 records)
+  const results = await Promise.all(sonarrRetrievers.map(async (retriever) => {
+    const inst = instances.find(i => i.id === retriever.getInstanceId());
+    if (!inst) return [];
+
+    try {
+      const response = await retriever.getHistory({
+        pageSize: INITIAL_PAGE_SIZE,
+        maxPages: 1,
+        sortKey: 'date',
+        sortDir: 'descending',
+        includeSeries: true,
+        includeEpisode: true,
+        startDate: since.toISOString()
+      });
+      const records = (response && response.records) || [];
+      return records.map(r => {
+        if (r.series) r.series._instanceUrl = inst.url;
+        if (r.series) r.series._instanceName = inst.name || inst.id;
+        r._instanceUrl = inst.url;
+        r._instanceName = inst.name || inst.id;
+        return r;
+      });
+    } catch (err) {
+      console.error(`[HistoryFetcher] Sonarr ${inst.id} error:`, err.message);
+      return [];
+    }
+  }));
+
+  const flat = results.flat();
+  cache.set(cacheKey, flat, HISTORY_CACHE_TTL);
+
+  // Stage 2: Trigger background fetch for remaining records
+  triggerBackgroundSonarrFetch(since);
+
+  return flat;
+}
+
+/**
+ * Trigger background fetch for remaining Sonarr history records.
+ * Uses the retriever's built-in pagination to fetch up to 1000 records.
+ */
+async function triggerBackgroundSonarrFetch(since) {
+  if (backgroundFetchState.sonarr.inProgress) return;
+  
+  // Debounce: don't fetch if we fetched within the last minute
+  const now = Date.now();
+  if (now - backgroundFetchState.sonarr.lastFetchTime < 60000) return;
+  
+  backgroundFetchState.sonarr.inProgress = true;
+  backgroundFetchState.sonarr.lastFetchTime = now;
+
+  try {
+    await arrRetrieverRegistry.initialize();
+    const instances = getSonarrInstances();
+    const sonarrRetrievers = arrRetrieverRegistry.getRetrieversByType('sonarr');
+
+    // Fetch all records up to MAX_PAGES using built-in pagination
+    const results = await Promise.all(sonarrRetrievers.map(async (retriever) => {
+      const inst = instances.find(i => i.id === retriever.getInstanceId());
+      if (!inst) return [];
+
+      try {
+        const response = await retriever.getHistory({
+          pageSize: INITIAL_PAGE_SIZE,
+          maxPages: MAX_PAGES,
+          sortKey: 'date',
+          sortDir: 'descending',
+          includeSeries: true,
+          includeEpisode: true,
+          startDate: since.toISOString()
+        });
+        const records = (response && response.records) || [];
+        return records.map(r => {
+          if (r.series) r.series._instanceUrl = inst.url;
+          if (r.series) r.series._instanceName = inst.name || inst.id;
+          r._instanceUrl = inst.url;
+          r._instanceName = inst.name || inst.id;
+          return r;
+        });
+      } catch (err) {
+        console.error(`[HistoryFetcher] Sonarr background fetch ${inst.id} error:`, err.message);
+        return [];
+      }
+    }));
+
+    const allRecords = results.flat();
+    
+    // Only update cache if we got records (don't overwrite with empty data on failure)
+    if (allRecords.length > 0) {
+      cache.set('history:sonarr', allRecords, HISTORY_CACHE_TTL);
+      
+      // Emit SSE event for history update
+      emitHistoryUpdate('sonarr');
+      
+      console.log(`[HistoryFetcher] Background fetch complete: ${allRecords.length} Sonarr records`);
+    }
+  } catch (err) {
+    console.error('[HistoryFetcher] Background Sonarr fetch error:', err.message);
+  } finally {
+    backgroundFetchState.sonarr.inProgress = false;
+  }
+}
+
+/**
+ * Fetch recent history records from all Radarr instances for the given date window.
+ * Results are cached under 'history:radarr' for HISTORY_CACHE_TTL.
+ * Uses staged loading: fetches 100 records immediately, then background-fetches up to 1000.
+ * @param {Date} since - Only include records on or after this date
+ * @returns {Promise<Array>} Flat array of Radarr history records (with _instanceUrl and _instanceName)
+ */
+async function fetchRadarrHistory(since) {
+  const cacheKey = 'history:radarr';
+  const cached = cache.get(cacheKey);
+  if (cached) {
+    // Only trigger background refresh if cache is incomplete (less than max records)
+    if (!backgroundFetchState.radarr.inProgress && cached.length < MAX_TOTAL_RECORDS) {
+      triggerBackgroundRadarrFetch(since);
+    }
+    return cached;
+  }
+
+  // Ensure retrievers are initialized
+  await arrRetrieverRegistry.initialize();
+
+  const instances = getRadarrInstances();
+  const radarrRetrievers = arrRetrieverRegistry.getRetrieversByType('radarr');
+
+  // Stage 1: Fetch initial batch (100 records)
+  const results = await Promise.all(radarrRetrievers.map(async (retriever) => {
+    const inst = instances.find(i => i.id === retriever.getInstanceId());
+    if (!inst) return [];
+
+    try {
+      const response = await retriever.getHistory({
+        pageSize: INITIAL_PAGE_SIZE,
+        maxPages: 1,
+        sortKey: 'date',
+        sortDir: 'descending',
+        includeMovie: true,
+        startDate: since.toISOString()
+      });
+      const records = (response && response.records) || [];
+      return records.map(r => {
+        if (r.movie) r.movie._instanceUrl = inst.url;
+        if (r.movie) r.movie._instanceName = inst.name || inst.id;
+        r._instanceUrl = inst.url;
+        r._instanceName = inst.name || inst.id;
+        return r;
+      });
+    } catch (err) {
+      console.error(`[HistoryFetcher] Radarr ${inst.id} error:`, err.message);
+      return [];
+    }
+  }));
+
+  const flat = results.flat();
+  cache.set(cacheKey, flat, HISTORY_CACHE_TTL);
+
+  // Stage 2: Trigger background fetch for remaining records
+  triggerBackgroundRadarrFetch(since);
+
+  return flat;
+}
+
+/**
+ * Trigger background fetch for remaining Radarr history records.
+ * Uses the retriever's built-in pagination to fetch up to 1000 records.
+ */
+async function triggerBackgroundRadarrFetch(since) {
+  if (backgroundFetchState.radarr.inProgress) return;
+  
+  // Debounce: don't fetch if we fetched within the last minute
+  const now = Date.now();
+  if (now - backgroundFetchState.radarr.lastFetchTime < 60000) return;
+  
+  backgroundFetchState.radarr.inProgress = true;
+  backgroundFetchState.radarr.lastFetchTime = now;
+
+  try {
+    await arrRetrieverRegistry.initialize();
+    const instances = getRadarrInstances();
+    const radarrRetrievers = arrRetrieverRegistry.getRetrieversByType('radarr');
+
+    // Fetch all records up to MAX_PAGES using built-in pagination
+    const results = await Promise.all(radarrRetrievers.map(async (retriever) => {
+      const inst = instances.find(i => i.id === retriever.getInstanceId());
+      if (!inst) return [];
+
+      try {
+        const response = await retriever.getHistory({
+          pageSize: INITIAL_PAGE_SIZE,
+          maxPages: MAX_PAGES,
+          sortKey: 'date',
+          sortDir: 'descending',
+          includeMovie: true,
+          startDate: since.toISOString()
+        });
+        const records = (response && response.records) || [];
+        return records.map(r => {
+          if (r.movie) r.movie._instanceUrl = inst.url;
+          if (r.movie) r.movie._instanceName = inst.name || inst.id;
+          r._instanceUrl = inst.url;
+          r._instanceName = inst.name || inst.id;
+          return r;
+        });
+      } catch (err) {
+        console.error(`[HistoryFetcher] Radarr background fetch ${inst.id} error:`, err.message);
+        return [];
+      }
+    }));
+
+    const allRecords = results.flat();
+    
+    // Only update cache if we got records (don't overwrite with empty data on failure)
+    if (allRecords.length > 0) {
+      cache.set('history:radarr', allRecords, HISTORY_CACHE_TTL);
+      
+      // Emit SSE event for history update
+      emitHistoryUpdate('radarr');
+      
+      console.log(`[HistoryFetcher] Background fetch complete: ${allRecords.length} Radarr records`);
+    }
+  } catch (err) {
+    console.error('[HistoryFetcher] Background Radarr fetch error:', err.message);
+  } finally {
+    backgroundFetchState.radarr.inProgress = false;
+  }
+}
+
+/**
+ * Subscribe to history update events.
+ * @param {Function} callback - Function to call when history is updated
+ */
+function onHistoryUpdate(callback) {
+  historyUpdateSubscribers.add(callback);
+}
+
+/**
+ * Unsubscribe from history update events.
+ * @param {Function} callback - Function to remove from subscribers
+ */
+function offHistoryUpdate(callback) {
+  historyUpdateSubscribers.delete(callback);
+}
+
+/**
+ * Emit SSE event for history update.
+ * Notifies all subscribers when history cache is updated.
+ */
+function emitHistoryUpdate(type) {
+  console.log(`[HistoryFetcher] History updated for ${type}, notifying ${historyUpdateSubscribers.size} subscribers`);
+  historyUpdateSubscribers.forEach(callback => {
+    try {
+      callback(type);
+    } catch (err) {
+      console.error('[HistoryFetcher] Error in history update subscriber:', err.message);
+    }
+  });
+}
+
+/**
+ * Classify a Sonarr history record's event type.
+ * @param {string} eventType
+ * @returns {'imported'|'failed'|'other'}
+ */
+function classifySonarrEvent(eventType) {
+  if (SONARR_IMPORTED_EVENTS.has(eventType)) return 'imported';
+  if (SONARR_FAILED_EVENTS.has(eventType)) return 'failed';
+  return 'other';
+}
+
+/**
+ * Classify a Radarr history record's event type.
+ * @param {string} eventType
+ * @returns {'imported'|'failed'|'other'}
+ */
+function classifyRadarrEvent(eventType) {
+  if (RADARR_IMPORTED_EVENTS.has(eventType)) return 'imported';
+  if (RADARR_FAILED_EVENTS.has(eventType)) return 'failed';
+  return 'other';
+}
+
+/**
+ * Invalidate cached history so the next request fetches fresh data.
+ * Called externally if needed (e.g. after a forced refresh).
+ */
+function invalidateHistoryCache() {
+  cache.invalidate('history:sonarr');
+  cache.invalidate('history:radarr');
+}
+
+module.exports = {
+  fetchSonarrHistory,
+  fetchRadarrHistory,
+  classifySonarrEvent,
+  classifyRadarrEvent,
+  invalidateHistoryCache,
+  onHistoryUpdate,
+  offHistoryUpdate,
+  HISTORY_CACHE_TTL
+};
@@ -0,0 +1,52 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+//
+// Docker secrets support: if an environment variable named FOO_FILE is set,
+// read its contents from the file at that path and expose it as FOO.
+// This follows the standard *_FILE convention used by official Docker images.
+//
+// Supported secrets:
+//   COOKIE_SECRET_FILE       → COOKIE_SECRET
+//   EMBY_API_KEY_FILE        → EMBY_API_KEY
+//   SABNZBD_API_KEY_FILE     → SABNZBD_API_KEY   (legacy single-instance)
+//   SONARR_API_KEY_FILE      → SONARR_API_KEY    (legacy single-instance)
+//   RADARR_API_KEY_FILE      → RADARR_API_KEY    (legacy single-instance)
+//   QBITTORRENT_PASSWORD_FILE → QBITTORRENT_PASSWORD (legacy single-instance)
+//
+// For multi-instance JSON arrays the secret values must be embedded in the
+// JSON string itself; file-based loading is for the legacy single-key format.
+
+const fs = require('fs');
+
+const SECRET_MAPPINGS = [
+  'COOKIE_SECRET',
+  'EMBY_API_KEY',
+  'SABNZBD_API_KEY',
+  'SONARR_API_KEY',
+  'RADARR_API_KEY',
+  'QBITTORRENT_PASSWORD',
+];
+
+function loadSecrets() {
+  for (const key of SECRET_MAPPINGS) {
+    const fileEnv = `${key}_FILE`;
+    const filePath = process.env[fileEnv];
+    if (!filePath) continue;
+    if (process.env[key]) {
+      console.warn(`[Secrets] Both ${key} and ${fileEnv} are set — ${fileEnv} takes precedence`);
+    }
+    try {
+      const value = fs.readFileSync(filePath, 'utf8').trim();
+      if (!value) {
+        console.warn(`[Secrets] ${fileEnv} points to an empty file: ${filePath}`);
+        continue;
+      }
+      process.env[key] = value;
+      console.log(`[Secrets] Loaded ${key} from ${fileEnv}`);
+    } catch (err) {
+      console.error(`[Secrets] Failed to read ${fileEnv} (${filePath}): ${err.message}`);
+      process.exit(1);
+    }
+  }
+}
+
+module.exports = loadSecrets;
@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 const fs = require('fs');
 const path = require('path');

@@ -1,8 +1,9 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 const axios = require('axios');
 const cache = require('./cache');
-const { getTorrents } = require('./qbittorrent');
+const { initializeClients, getAllDownloads, getDownloadsByClientType } = require('./downloadClients');
+const arrRetrieverRegistry = require('./arrRetrievers');
 const {
-  getSABnzbdInstances,
  getSonarrInstances,
  getRadarrInstances
 } = require('./config');
@@ -13,6 +14,13 @@ const POLL_INTERVAL = (rawPollInterval === 'off' || rawPollInterval === 'false'
  : (parseInt(process.env.POLL_INTERVAL, 10) || 5000);
 const POLLING_ENABLED = POLL_INTERVAL > 0;

+// Webhook fallback timeout in minutes (default 10)
+const WEBHOOK_FALLBACK_TIMEOUT_MINUTES = parseInt(process.env.WEBHOOK_FALLBACK_TIMEOUT, 10) || 10;
+const WEBHOOK_FALLBACK_TIMEOUT_MS = WEBHOOK_FALLBACK_TIMEOUT_MINUTES * 60 * 1000;
+
+// Webhook poll interval multiplier when webhooks are active (default 3x)
+const WEBHOOK_POLL_INTERVAL_MULTIPLIER = parseInt(process.env.WEBHOOK_POLL_INTERVAL_MULTIPLIER, 10) || 3;
+
 let polling = false;
 let lastPollTimings = null;

@@ -29,6 +37,42 @@ async function timed(label, fn) {
  return { label, result, ms: Date.now() - t0 };
 }

+// Helper function to determine if instance polling should be skipped
+function shouldSkipInstancePolling(instances, instanceType) {
+  if (!instances || instances.length === 0) {
+    return false;
+  }
+
+  const now = Date.now();
+  let allInstancesHaveRecentWebhooks = true;
+  let skippedCount = 0;
+
+  for (const instance of instances) {
+    const metrics = cache.getWebhookMetrics(instance.url);
+    
+    // Skip polling if:
+    // 1. Webhook events have been received (eventsReceived > 0)
+    // 2. Last webhook was recent (within fallback timeout)
+    // 3. Webhook has been enabled (we have metrics)
+    const hasWebhookActivity = metrics && metrics.eventsReceived > 0;
+    const isRecent = metrics && metrics.lastWebhookTimestamp && (now - metrics.lastWebhookTimestamp) < WEBHOOK_FALLBACK_TIMEOUT_MS;
+    
+    if (hasWebhookActivity && isRecent) {
+      skippedCount++;
+      cache.incrementPollsSkipped(instance.url);
+    } else {
+      allInstancesHaveRecentWebhooks = false;
+    }
+  }
+
+  if (allInstancesHaveRecentWebhooks && skippedCount > 0) {
+    console.log(`[Poller] Skipping ${instanceType} polling for ${skippedCount} instance(s) with active webhooks`);
+    return true;
+  }
+
+  return false;
+}
+
 async function pollAllServices() {
  if (polling) {
    console.log('[Poller] Previous poll still running, skipping');
@@ -38,93 +82,65 @@ async function pollAllServices() {
  const start = Date.now();

  try {
-    const sabInstances = getSABnzbdInstances();
+    // Ensure download clients and *arr retrievers are initialized
+    await initializeClients();
+    await arrRetrieverRegistry.initialize();
+
    const sonarrInstances = getSonarrInstances();
    const radarrInstances = getRadarrInstances();

+    // Check webhook fallback: if no webhook events for WEBHOOK_FALLBACK_TIMEOUT, force full poll
+    const globalMetrics = cache.getGlobalWebhookMetrics();
+    const now = Date.now();
+    const lastWebhookTime = globalMetrics.lastGlobalWebhookTimestamp;
+    const fallbackTriggered = lastWebhookTime && (now - lastWebhookTime) > WEBHOOK_FALLBACK_TIMEOUT_MS;
+    
+    if (fallbackTriggered) {
+      console.log(`[Poller] Webhook fallback triggered: no webhook events for ${WEBHOOK_FALLBACK_TIMEOUT_MINUTES} minutes, forcing full poll`);
+    }
+
+    // Determine which instances should be polled based on webhook activity
+    const shouldPollSonarr = fallbackTriggered || !shouldSkipInstancePolling(sonarrInstances, 'sonarr');
+    const shouldPollRadarr = fallbackTriggered || !shouldSkipInstancePolling(radarrInstances, 'radarr');
+
    // All fetches in parallel, each individually timed
    const results = await Promise.all([
-      timed('SABnzbd Queue', () => Promise.all(sabInstances.map(inst =>
-        axios.get(`${inst.url}/api`, {
-          params: { mode: 'queue', apikey: inst.apiKey, output: 'json' }
-        }).then(res => ({ instance: inst.id, data: res.data })).catch(err => {
-          console.error(`[Poller] SABnzbd ${inst.id} queue error:`, err.message);
-          return { instance: inst.id, data: { queue: { slots: [] } } };
-        })
-      ))),
-      timed('SABnzbd History', () => Promise.all(sabInstances.map(inst =>
-        axios.get(`${inst.url}/api`, {
-          params: { mode: 'history', apikey: inst.apiKey, output: 'json', limit: 10 }
-        }).then(res => ({ instance: inst.id, data: res.data })).catch(err => {
-          console.error(`[Poller] SABnzbd ${inst.id} history error:`, err.message);
-          return { instance: inst.id, data: { history: { slots: [] } } };
-        })
-      ))),
-      timed('Sonarr Tags', () => Promise.all(sonarrInstances.map(inst =>
-        axios.get(`${inst.url}/api/v3/tag`, {
-          headers: { 'X-Api-Key': inst.apiKey }
-        }).then(res => ({ instance: inst.id, data: res.data })).catch(err => {
-          console.error(`[Poller] Sonarr ${inst.id} tags error:`, err.message);
-          return { instance: inst.id, data: [] };
-        })
-      ))),
-      timed('Sonarr Queue', () => Promise.all(sonarrInstances.map(inst =>
-        axios.get(`${inst.url}/api/v3/queue`, {
-          headers: { 'X-Api-Key': inst.apiKey },
-          params: { includeSeries: true }
-        }).then(res => ({ instance: inst.id, data: res.data })).catch(err => {
-          console.error(`[Poller] Sonarr ${inst.id} queue error:`, err.message);
-          return { instance: inst.id, data: { records: [] } };
-        })
-      ))),
-      timed('Sonarr History', () => Promise.all(sonarrInstances.map(inst =>
-        axios.get(`${inst.url}/api/v3/history`, {
-          headers: { 'X-Api-Key': inst.apiKey },
-          params: { pageSize: 10 }
-        }).then(res => ({ instance: inst.id, data: res.data })).catch(err => {
-          console.error(`[Poller] Sonarr ${inst.id} history error:`, err.message);
-          return { instance: inst.id, data: { records: [] } };
-        })
-      ))),
-      timed('Radarr Queue', () => Promise.all(radarrInstances.map(inst =>
-        axios.get(`${inst.url}/api/v3/queue`, {
-          headers: { 'X-Api-Key': inst.apiKey },
-          params: { includeMovie: true }
-        }).then(res => ({ instance: inst.id, data: res.data })).catch(err => {
-          console.error(`[Poller] Radarr ${inst.id} queue error:`, err.message);
-          return { instance: inst.id, data: { records: [] } };
-        })
-      ))),
-      timed('Radarr History', () => Promise.all(radarrInstances.map(inst =>
-        axios.get(`${inst.url}/api/v3/history`, {
-          headers: { 'X-Api-Key': inst.apiKey },
-          params: { pageSize: 10 }
-        }).then(res => ({ instance: inst.id, data: res.data })).catch(err => {
-          console.error(`[Poller] Radarr ${inst.id} history error:`, err.message);
-          return { instance: inst.id, data: { records: [] } };
-        })
-      ))),
-      timed('Radarr Tags', () => Promise.all(radarrInstances.map(inst =>
-        axios.get(`${inst.url}/api/v3/tag`, {
-          headers: { 'X-Api-Key': inst.apiKey }
-        }).then(res => ({ instance: inst.id, data: res.data })).catch(err => {
-          console.error(`[Poller] Radarr ${inst.id} tags error:`, err.message);
-          return { instance: inst.id, data: [] };
-        })
-      ))),
-      timed('qBittorrent', () => getTorrents().catch(err => {
-        console.error(`[Poller] qBittorrent error:`, err.message);
-        return [];
-      }))
+      timed('Download Clients', async () => {
+        const downloadsByType = await getDownloadsByClientType();
+        return downloadsByType;
+      }),
+      shouldPollSonarr ? timed('Sonarr Tags', async () => {
+        const tagsByType = await arrRetrieverRegistry.getTagsByType();
+        return tagsByType.sonarr || [];
+      }) : timed('Sonarr Tags', async () => []),
+      shouldPollSonarr ? timed('Sonarr Queue', async () => {
+        const queuesByType = await arrRetrieverRegistry.getQueuesByType();
+        return queuesByType.sonarr || [];
+      }) : timed('Sonarr Queue', async () => []),
+      shouldPollSonarr ? timed('Sonarr History', async () => {
+        const historyByType = await arrRetrieverRegistry.getHistoryByType({ pageSize: 50 });
+        return historyByType.sonarr || [];
+      }) : timed('Sonarr History', async () => []),
+      shouldPollRadarr ? timed('Radarr Queue', async () => {
+        const queuesByType = await arrRetrieverRegistry.getQueuesByType();
+        return queuesByType.radarr || [];
+      }) : timed('Radarr Queue', async () => []),
+      shouldPollRadarr ? timed('Radarr History', async () => {
+        const historyByType = await arrRetrieverRegistry.getHistoryByType({ pageSize: 50 });
+        return historyByType.radarr || [];
+      }) : timed('Radarr History', async () => []),
+      shouldPollRadarr ? timed('Radarr Tags', async () => {
+        const tagsByType = await arrRetrieverRegistry.getTagsByType();
+        return tagsByType.radarr || [];
+      }) : timed('Radarr Tags', async () => []),
    ]);

    const [
-      { result: sabQueues }, { result: sabHistories },
+      { result: downloadsByType },
      { result: sonarrTagsResults }, { result: sonarrQueues },
      { result: sonarrHistories },
      { result: radarrQueues }, { result: radarrHistories },
-      { result: radarrTagsResults },
-      { result: qbittorrentTorrents }
+      { result: radarrTagsResults }
    ] = results;

    // Store per-task timings
@@ -139,54 +155,134 @@ async function pollAllServices() {
    // When polling is disabled (on-demand), use 30s so data refreshes on next request after expiry
    const cacheTTL = POLLING_ENABLED ? POLL_INTERVAL * 3 : 30000;

-    // SABnzbd
-    const firstSabQueue = sabQueues[0] && sabQueues[0].data && sabQueues[0].data.queue;
-    cache.set('poll:sab-queue', {
-      slots: sabQueues.flatMap(q => (q.data.queue && q.data.queue.slots) || []),
-      status: firstSabQueue && firstSabQueue.status,
-      speed: firstSabQueue && firstSabQueue.speed,
-      kbpersec: firstSabQueue && firstSabQueue.kbpersec
-    }, cacheTTL);
+    // Download Clients (SABnzbd, qBittorrent, Transmission)
+    // Preserve backward compatibility with existing cache keys
+    const sabnzbdDownloads = downloadsByType.sabnzbd || [];
+    const qbittorrentDownloads = downloadsByType.qbittorrent || [];
+    
+    // SABnzbd - separate queue and history based on source
+    const sabQueue = sabnzbdDownloads.filter(d => d.raw && d.raw.source === 'queue');
+    const sabHistory = sabnzbdDownloads.filter(d => d.raw && d.raw.source === 'history');
+    
+    // Transform SABnzbd downloads to legacy format for cache
+    const sabQueueLegacy = {
+      slots: sabQueue.map(d => ({
+        nzo_id: d.id,
+        filename: d.title,
+        status: d.status,
+        progress: d.progress / 100,
+        mb: d.size / (1024 * 1024),
+        mbleft: (d.size - d.downloaded) / (1024 * 1024),
+        kbpersec: d.speed / 1024,
+        timeleft: d.eta ? `${Math.floor(d.eta / 60)}:${String(Math.floor(d.eta % 60)).padStart(2, '0')}` : 'unknown',
+        cat: d.category,
+        labels: d.tags.join(','),
+        added: d.addedOn ? Math.floor(new Date(d.addedOn).getTime() / 1000) : null,
+        raw: d.raw,
+        instanceId: d.instanceId,
+        instanceName: d.instanceName
+      }))
+    };

-    cache.set('poll:sab-history', {
-      slots: sabHistories.flatMap(h => (h.data.history && h.data.history.slots) || [])
+    const sabHistoryLegacy = {
+      slots: sabHistory.map(d => ({
+        nzo_id: d.id,
+        filename: d.title,
+        status: d.status,
+        mb: d.size / (1024 * 1024),
+        cat: d.category,
+        labels: d.tags.join(','),
+        added: d.addedOn ? Math.floor(new Date(d.addedOn).getTime() / 1000) : null,
+        raw: d.raw,
+        instanceId: d.instanceId,
+        instanceName: d.instanceName
+      }))
+    };
+    
+    // Extract status from first SABnzbd download if available
+    const firstSabDownload = sabQueue[0];
+    const sabStatus = firstSabDownload ? {
+      status: 'Active',
+      speed: firstSabDownload.speed,
+      kbpersec: firstSabDownload.speed / 1024
+    } : { status: 'Idle', speed: 0, kbpersec: 0 };
+    
+    cache.set('poll:sab-queue', {
+      ...sabQueueLegacy,
+      ...sabStatus
    }, cacheTTL);
+    
+    cache.set('poll:sab-history', sabHistoryLegacy, cacheTTL);
+    
+    // qBittorrent - transform to legacy format
+    const qbittorrentLegacy = qbittorrentDownloads.map(d => ({
+      ...d.raw,
+      instanceId: d.instanceId,
+      instanceName: d.instanceName
+    }));
+    
+    cache.set('poll:qbittorrent', qbittorrentLegacy, cacheTTL);

    // Sonarr
-    cache.set('poll:sonarr-tags', sonarrTagsResults, cacheTTL);
-    // Tag queue/history records with _instanceUrl so embedded series/movie objects can build links
-    cache.set('poll:sonarr-queue', {
-      records: sonarrQueues.flatMap(q => {
-        const inst = sonarrInstances.find(i => i.id === q.instance);
-        const url = inst ? inst.url : null;
-        return (q.data.records || []).map(r => {
-          if (r.series) r.series._instanceUrl = url;
-          return r;
-        });
-      })
-    }, cacheTTL);
-    cache.set('poll:sonarr-history', {
-      records: sonarrHistories.flatMap(h => h.data.records || [])
-    }, cacheTTL);
+    if (shouldPollSonarr) {
+      cache.set('poll:sonarr-tags', sonarrTagsResults, cacheTTL);
+      // Tag queue/history records with _instanceUrl so embedded series/movie objects can build links
+      cache.set('poll:sonarr-queue', {
+        records: sonarrQueues.flatMap(q => {
+          const inst = sonarrInstances.find(i => i.id === q.instance);
+          const url = inst ? inst.url : null;
+          const key = inst ? inst.apiKey : null;
+          return (q.data.records || []).map(r => {
+            if (r.series) r.series._instanceUrl = url;
+            r._instanceUrl = url;
+            r._instanceKey = key;
+            return r;
+          });
+        })
+      }, cacheTTL);
+      cache.set('poll:sonarr-history', {
+        records: sonarrHistories.flatMap(h => h.data.records || [])
+      }, cacheTTL);
+    } else {
+      // Extend TTL of existing cached data when polling is skipped
+      const existingSonarrTags = cache.get('poll:sonarr-tags');
+      const existingSonarrQueue = cache.get('poll:sonarr-queue');
+      const existingSonarrHistory = cache.get('poll:sonarr-history');
+      if (existingSonarrTags) cache.set('poll:sonarr-tags', existingSonarrTags, cacheTTL);
+      if (existingSonarrQueue) cache.set('poll:sonarr-queue', existingSonarrQueue, cacheTTL);
+      if (existingSonarrHistory) cache.set('poll:sonarr-history', existingSonarrHistory, cacheTTL);
+    }

    // Radarr
-    cache.set('poll:radarr-queue', {
-      records: radarrQueues.flatMap(q => {
-        const inst = radarrInstances.find(i => i.id === q.instance);
-        const url = inst ? inst.url : null;
-        return (q.data.records || []).map(r => {
-          if (r.movie) r.movie._instanceUrl = url;
-          return r;
-        });
-      })
-    }, cacheTTL);
-    cache.set('poll:radarr-history', {
-      records: radarrHistories.flatMap(h => h.data.records || [])
-    }, cacheTTL);
-    cache.set('poll:radarr-tags', radarrTagsResults.flatMap(t => t.data || []), cacheTTL);
+    if (shouldPollRadarr) {
+      cache.set('poll:radarr-queue', {
+        records: radarrQueues.flatMap(q => {
+          const inst = radarrInstances.find(i => i.id === q.instance);
+          const url = inst ? inst.url : null;
+          const key = inst ? inst.apiKey : null;
+          return (q.data.records || []).map(r => {
+            if (r.movie) r.movie._instanceUrl = url;
+            r._instanceUrl = url;
+            r._instanceKey = key;
+            return r;
+          });
+        })
+      }, cacheTTL);
+      cache.set('poll:radarr-history', {
+        records: radarrHistories.flatMap(h => h.data.records || [])
+      }, cacheTTL);
+      cache.set('poll:radarr-tags', radarrTagsResults.flatMap(t => t.data || []), cacheTTL);
+    } else {
+      // Extend TTL of existing cached data when polling is skipped
+      const existingRadarrQueue = cache.get('poll:radarr-queue');
+      const existingRadarrHistory = cache.get('poll:radarr-history');
+      const existingRadarrTags = cache.get('poll:radarr-tags');
+      if (existingRadarrQueue) cache.set('poll:radarr-queue', existingRadarrQueue, cacheTTL);
+      if (existingRadarrHistory) cache.set('poll:radarr-history', existingRadarrHistory, cacheTTL);
+      if (existingRadarrTags) cache.set('poll:radarr-tags', existingRadarrTags, cacheTTL);
+    }

-    // qBittorrent
-    cache.set('poll:qbittorrent', qbittorrentTorrents, cacheTTL);
+    // qBittorrent (already set above in download clients section)

    const elapsed = Date.now() - start;
    console.log(`[Poller] Poll complete in ${elapsed}ms`);
@@ -1,132 +1,47 @@
-const axios = require('axios');
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+// Legacy compatibility layer - delegates to new DownloadClient system
 const { logToFile } = require('./logger');
-const { getQbittorrentInstances } = require('./config');
-
-class QBittorrentClient {
-  constructor(instance) {
-    this.id = instance.id;
-    this.name = instance.name;
-    this.url = instance.url;
-    this.username = instance.username;
-    this.password = instance.password;
-    this.authCookie = null;
-  }
-
-  async login() {
-    try {
-      logToFile(`[qBittorrent:${this.name}] Attempting login...`);
-      const response = await axios.post(`${this.url}/api/v2/auth/login`, 
-        `username=${encodeURIComponent(this.username)}&password=${encodeURIComponent(this.password)}`,
-        {
-          headers: {
-            'Content-Type': 'application/x-www-form-urlencoded'
-          },
-          maxRedirects: 0,
-          validateStatus: (status) => status >= 200 && status < 400
-        }
-      );
-      
-      if (response.headers['set-cookie']) {
-        this.authCookie = response.headers['set-cookie'][0];
-        logToFile(`[qBittorrent:${this.name}] Login successful`);
-        return true;
-      }
-      
-      logToFile(`[qBittorrent:${this.name}] Login failed - no cookie`);
-      return false;
-    } catch (error) {
-      logToFile(`[qBittorrent:${this.name}] Login error: ${error.message}`);
-      return false;
-    }
-  }
-
-  async makeRequest(endpoint, config = {}) {
-    const url = `${this.url}${endpoint}`;
-    
-    if (!this.authCookie) {
-      const loggedIn = await this.login();
-      if (!loggedIn) {
-        throw new Error(`Failed to authenticate with ${this.name}`);
-      }
-    }
-    
-    try {
-      const response = await axios.get(url, {
-        ...config,
-        headers: {
-          ...config.headers,
-          'Cookie': this.authCookie
-        }
-      });
-      return response;
-    } catch (error) {
-      // If unauthorized, try re-authenticating once
-      if (error.response && error.response.status === 403) {
-        logToFile(`[qBittorrent:${this.name}] Auth expired, re-authenticating...`);
-        this.authCookie = null;
-        const loggedIn = await this.login();
-        if (loggedIn) {
-          return axios.get(url, {
-            ...config,
-            headers: {
-              ...config.headers,
-              'Cookie': this.authCookie
-            }
-          });
-        }
-      }
-      throw error;
-    }
-  }
-
-  async getTorrents() {
-    try {
-      const response = await this.makeRequest('/api/v2/torrents/info');
-      logToFile(`[qBittorrent:${this.name}] Retrieved ${response.data.length} torrents`);
-      // Add instance info to each torrent
-      return response.data.map(torrent => ({
-        ...torrent,
-        instanceId: this.id,
-        instanceName: this.name
-      }));
-    } catch (error) {
-      logToFile(`[qBittorrent:${this.name}] Error fetching torrents: ${error.message}`);
-      return [];
-    }
-  }
-}
-
-// Persist clients so auth cookies survive between requests
-let persistedClients = null;
-
-function getClients() {
-  if (persistedClients) return persistedClients;
-  const instances = getQbittorrentInstances();
-  if (instances.length === 0) {
-    logToFile('[qBittorrent] No instances configured');
-    return [];
-  }
-  logToFile(`[qBittorrent] Created ${instances.length} persistent client(s)`);
-  persistedClients = instances.map(inst => new QBittorrentClient(inst));
-  return persistedClients;
-}
+const { initializeClients, getClientsByType } = require('./downloadClients');

+/**
+ * Legacy function for backward compatibility
+ * Returns all torrents from all qBittorrent instances
+ */
 async function getAllTorrents() {
-  const clients = getClients();
-  if (clients.length === 0) {
+  try {
+    await initializeClients();
+    const clients = getClientsByType('qbittorrent');
+    
+    if (clients.length === 0) {
+      logToFile('[qBittorrent] No instances configured');
+      return [];
+    }
+
+    const results = await Promise.all(
+      clients.map(client => client.getActiveDownloads().catch(err => {
+        logToFile(`[qBittorrent] Error from ${client.name}: ${err.message}`);
+        return [];
+      }))
+    );
+    
+    const allTorrents = results.flat();
+    // Convert back to legacy format for backward compatibility
+    const legacyTorrents = allTorrents.map(download => download.raw);
+    
+    logToFile(`[qBittorrent] Total torrents from all instances: ${legacyTorrents.length}`);
+    return legacyTorrents;
+  } catch (error) {
+    logToFile(`[qBittorrent] Error in getAllTorrents: ${error.message}`);
    return [];
  }
-  
-  const results = await Promise.all(
-    clients.map(client => client.getTorrents().catch(err => {
-      logToFile(`[qBittorrent] Error from ${client.name}: ${err.message}`);
-      return [];
-    }))
-  );
-  
-  const allTorrents = results.flat();
-  logToFile(`[qBittorrent] Total torrents from all instances: ${allTorrents.length}`);
-  return allTorrents;
+}
+
+/**
+ * Legacy function for backward compatibility
+ */
+function getClients() {
+  logToFile('[qBittorrent] getClients() called - delegating to new system');
+  return []; // Not used in new system
 }

 function formatBytes(bytes) {
@@ -187,6 +102,8 @@ function mapTorrentToDownload(torrent) {
  return {
    type: 'torrent',
    title: torrent.name,
+    client: 'qbittorrent',
+    instanceId: torrent.instanceId,
    instanceName: torrent.instanceName,
    status: status,
    progress: progress.toFixed(1),
@@ -204,12 +121,13 @@ function mapTorrentToDownload(torrent) {
    category: torrent.category,
    tags: torrent.tags,
    savePath: torrent.content_path || torrent.save_path || null,
+    addedOn: torrent.added_on || null,
    qbittorrent: true
  };
 }

 module.exports = {
-  getTorrents: getAllTorrents,
+  getAllTorrents,
  getClients,
  mapTorrentToDownload,
  formatBytes,
@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 // Query-param secrets (SABnzbd apikey, generic token/password params)
 const QUERY_SECRET_PATTERN = /([?&](?:apikey|token|password|api_key|key|secret)=)[^&\s#]*/gi;
 // HTTP auth header values (X-Api-Key, X-MediaBrowser-Token, Authorization, X-Emby-Authorization)
@@ -7,13 +8,18 @@ const HEADER_PATTERN = /(?:x-api-key|x-mediabrowser-token|x-emby-authorization|a
 const BEARER_PATTERN = /bearer\s+[A-Za-z0-9\-._~+/]+=*/gi;
 // Basic auth credentials in URLs (http://user:pass@host)
 const BASIC_AUTH_URL_PATTERN = /\/\/[^:@/\s]+:[^@/\s]+@/gi;
+// Redact only the host:port authority portion of URLs, preserving path/query so
+// other patterns (QUERY_SECRET_PATTERN etc.) can still act on them.
+// Negative lookahead skips URLs already handled by BASIC_AUTH_URL_PATTERN.
+const HOST_PATTERN = /(https?:\/\/)(?!\[REDACTED\]@)([^\s/?#]+)/gi;

 function sanitizeError(err) {
  let msg = (err && err.message) ? err.message : String(err);
  msg = msg.replace(QUERY_SECRET_PATTERN, '$1[REDACTED]');
  msg = msg.replace(HEADER_PATTERN, (m) => m.split(/[\s:]/)[0] + ':[REDACTED]');
  msg = msg.replace(BEARER_PATTERN, 'bearer [REDACTED]');
-  msg = msg.replace(BASIC_AUTH_URL_PATTERN, '//[REDACTED]@');
+  msg = msg.replace(BASIC_AUTH_URL_PATTERN, '//[REDACTED]@');  // must run before HOST_PATTERN
+  msg = msg.replace(HOST_PATTERN, '$1[HOST]');
  // Never leak stack traces to API responses
  return msg;
 }
@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 /**
 * Persistent token store backed by a JSON file.
 *
@@ -38,10 +38,24 @@ tests/
 │   ├── requireAuth.test.js    # Auth middleware: valid/invalid/tampered cookies
 │   ├── verifyCsrf.test.js     # CSRF double-submit cookie pattern + timing-safe compare
 │   ├── qbittorrent.test.js    # Pure utils: formatBytes, formatEta, mapTorrentToDownload
-│   └── tokenStore.test.js     # JSON file token store: store/get/clear, TTL expiry
+│   ├── tokenStore.test.js     # JSON file token store: store/get/clear, TTL expiry
+│   └── dashboard.test.js      # Pure helper functions: getCoverArt, extractAllTags,
+│                              #   extractUserTag, sanitizeTagLabel, tagMatchesUser,
+│                              #   getImportIssues, getSonarrLink, getRadarrLink,
+│                              #   canBlocklist, extractEpisode, gatherEpisodes, buildTagBadges
 └── integration/
    ├── health.test.js         # GET /health and /ready endpoints
-    └── auth.test.js           # Full login/logout/me/csrf flows via supertest + nock
+    ├── auth.test.js           # Full login/logout/me/csrf flows via supertest + nock
+    ├── history.test.js        # GET /api/history/recent: auth, filtering, deduplication
+    ├── webhook.test.js        # POST /api/webhook/sonarr+radarr: secret, validation,
+    │                          #   replay protection, metrics, security assertions
+    ├── dashboard.test.js      # GET /user-downloads (SAB+Sonarr, SAB+Radarr, qBit, showAll,
+    │                          #   paused queue, history, importIssues), GET /status,
+    │                          #   GET /webhook-metrics, GET /cover-art, POST /blocklist-search
+    ├── emby.test.js           # GET /sessions, /users, /users/:id, /session/:id/user
+    └── arrRoutes.test.js      # Sonarr + Radarr: queue, history, series/movies, notifications
+                               #   CRUD, /test, /schema, /sofarr-webhook (create + update)
+                               # SABnzbd: queue, history
 ```

 ## Key design decisions
@@ -54,14 +68,30 @@ tests/

 ## Coverage targets

-The tested files meet these per-file minimums (enforced in CI):
+Global thresholds (enforced in CI via `vitest.config.js`):

-| File | Lines | Branches |
-|---|---|---|
-| `server/app.js` | 85% | 65% |
-| `server/routes/auth.js` | 85% | 70% |
-| `server/middleware/requireAuth.js` | 75% | 80% |
-| `server/utils/sanitizeError.js` | 60% | — |
-| `server/utils/config.js` | 50% | 55% |
+| Metric | Threshold |
+|---|---|
+| Statements | 55% |
+| Functions | 55% |
+| Branches | 40% |
+| Lines | 55% |

-`dashboard.js` and `poller.js` are large files requiring complex external-service mocks (Sonarr, Radarr, qBittorrent, Emby) and are tracked as future test coverage work.
+Notable per-file coverage after the current suite:
+
+| File | Lines | Branches | Notes |
+|---|---|---|---|
+| `server/app.js` | ~92% | ~71% | |
+| `server/routes/auth.js` | ~88% | ~78% | |
+| `server/routes/dashboard.js` | ~42% | ~25% | SSE `/stream` endpoint intentionally untested |
+| `server/routes/emby.js` | 100% | 100% | |
+| `server/routes/radarr.js` | ~87% | ~77% | |
+| `server/routes/sonarr.js` | ~89% | ~82% | |
+| `server/routes/sabnzbd.js` | 100% | 100% | |
+| `server/routes/webhook.js` | ~85% | ~79% | |
+| `server/middleware/requireAuth.js` | ~92% | ~81% | |
+| `server/middleware/verifyCsrf.js` | 100% | 80% | |
+| `server/utils/sanitizeError.js` | 100% | 75% | |
+| `server/utils/config.js` | ~70% | ~58% | |
+
+`poller.js` (background polling engine) and the SSE `/stream` endpoint in `dashboard.js` require time-based behaviour and long-lived HTTP connections; they remain tracked as future test coverage work.
@@ -0,0 +1,100 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+/**
+ * @vitest-environment jsdom
+ * Tests for client/src/ui/downloads.js
+ *
+ * Verifies DOM rendering functions for tag badges and client logos.
+ * Uses jsdom to create and assert DOM structure.
+ */
+
+import { renderTagBadges } from '../../../client/src/ui/downloads.js';
+
+describe('renderTagBadges', () => {
+  it('returns empty fragment when showAll is false and no matchedUserTag', () => {
+    const result = renderTagBadges([], false, null);
+    expect(result).toBeTruthy();
+    expect(result.childNodes.length).toBe(0);
+  });
+
+  it('returns empty fragment when tagBadges is empty', () => {
+    const result = renderTagBadges([], true, null);
+    expect(result).toBeTruthy();
+    expect(result.childNodes.length).toBe(0);
+  });
+
+  it('renders single matched badge when matchedUserTag is provided', () => {
+    const result = renderTagBadges([], false, 'user1');
+    expect(result.childNodes.length).toBe(1);
+    const badge = result.childNodes[0];
+    expect(badge.className).toBe('download-user-badge');
+    expect(badge.textContent).toBe('user1');
+  });
+
+  it('renders unmatched badges when showAll is true', () => {
+    const tagBadges = [{ label: 'tag1', matchedUser: null }];
+    const result = renderTagBadges(tagBadges, true, null);
+    expect(result.childNodes.length).toBe(1);
+    const badge = result.childNodes[0];
+    expect(badge.className).toBe('download-user-badge unmatched');
+    expect(badge.textContent).toBe('tag1');
+  });
+
+  it('renders matched badges when showAll is true', () => {
+    const tagBadges = [{ label: 'tag1', matchedUser: 'user1' }];
+    const result = renderTagBadges(tagBadges, true, null);
+    expect(result.childNodes.length).toBe(1);
+    const badge = result.childNodes[0];
+    expect(badge.className).toBe('download-user-badge');
+    expect(badge.textContent).toBe('user1');
+  });
+
+  it('renders multiple badges in correct order (unmatched first)', () => {
+    const tagBadges = [
+      { label: 'tag1', matchedUser: 'user1' },
+      { label: 'tag2', matchedUser: null }
+    ];
+    const result = renderTagBadges(tagBadges, true, null);
+    expect(result.childNodes.length).toBe(2);
+    expect(result.childNodes[0].textContent).toBe('tag2');
+    expect(result.childNodes[0].className).toBe('download-user-badge unmatched');
+    expect(result.childNodes[1].textContent).toBe('user1');
+    expect(result.childNodes[1].className).toBe('download-user-badge');
+  });
+
+  it('handles mixed matched and unmatched badges', () => {
+    const tagBadges = [
+      { label: 'tag1', matchedUser: null },
+      { label: 'tag2', matchedUser: 'user2' },
+      { label: 'tag3', matchedUser: null }
+    ];
+    const result = renderTagBadges(tagBadges, true, null);
+    expect(result.childNodes.length).toBe(3);
+    // Unmatched badges come first
+    expect(result.childNodes[0].className).toBe('download-user-badge unmatched');
+    expect(result.childNodes[0].textContent).toBe('tag1');
+    expect(result.childNodes[1].className).toBe('download-user-badge unmatched');
+    expect(result.childNodes[1].textContent).toBe('tag3');
+    // Matched badges come after
+    expect(result.childNodes[2].className).toBe('download-user-badge');
+    expect(result.childNodes[2].textContent).toBe('user2');
+  });
+
+  it('prefers matchedUserTag over tagBadges when showAll is false', () => {
+    const tagBadges = [{ label: 'tag1', matchedUser: 'user1' }];
+    const result = renderTagBadges(tagBadges, false, 'override');
+    expect(result.childNodes.length).toBe(1);
+    expect(result.childNodes[0].textContent).toBe('override');
+  });
+
+  it('handles null tagBadges gracefully', () => {
+    const result = renderTagBadges(null, true, null);
+    expect(result).toBeTruthy();
+    expect(result.childNodes.length).toBe(0);
+  });
+
+  it('handles undefined tagBadges gracefully', () => {
+    const result = renderTagBadges(undefined, true, null);
+    expect(result).toBeTruthy();
+    expect(result.childNodes.length).toBe(0);
+  });
+});
@@ -0,0 +1,127 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+/**
+ * @vitest-environment jsdom
+ * Tests for client/src/utils/format.js
+ *
+ * Verifies formatting utilities for sizes, speeds, dates, and HTML escaping.
+ * These are pure functions that handle edge cases like null, zero, and large numbers.
+ */
+
+import { formatSize, formatSpeed, formatDate, formatTimeAgo, escapeHtml } from '../../../client/src/utils/format.js';
+
+describe('formatSize', () => {
+  it('returns N/A for null/undefined', () => {
+    expect(formatSize(null)).toBe('N/A');
+    expect(formatSize(undefined)).toBe('N/A');
+  });
+
+  it('returns string as-is when already formatted', () => {
+    expect(formatSize('21.5 GB')).toBe('21.5 GB');
+  });
+
+  it('formats bytes correctly', () => {
+    expect(formatSize(512)).toBe('512 B');
+  });
+
+  it('formats kilobytes correctly', () => {
+    expect(formatSize(1024)).toBe('1 KB');
+  });
+
+  it('formats megabytes correctly', () => {
+    expect(formatSize(1024 * 1024)).toBe('1 MB');
+  });
+
+  it('formats gigabytes correctly', () => {
+    expect(formatSize(1024 * 1024 * 1024)).toBe('1 GB');
+  });
+
+  it('handles zero', () => {
+    expect(formatSize(0)).toBe('N/A');
+  });
+});
+
+describe('formatSpeed', () => {
+  it('returns 0 B/s for zero', () => {
+    expect(formatSpeed(0)).toBe('0 B/s');
+  });
+
+  it('returns 0 B/s for null/undefined', () => {
+    expect(formatSpeed(null)).toBe('0 B/s');
+    expect(formatSpeed(undefined)).toBe('0 B/s');
+  });
+
+  it('formats bytes per second correctly', () => {
+    expect(formatSpeed(512)).toBe('512.00 B/s');
+  });
+
+  it('formats kilobytes per second correctly', () => {
+    expect(formatSpeed(1024)).toBe('1.00 KB/s');
+  });
+
+  it('formats megabytes per second correctly', () => {
+    expect(formatSpeed(1024 * 1024)).toBe('1.00 MB/s');
+  });
+
+  it('handles large numbers', () => {
+    expect(formatSpeed(1024 * 1024 * 1024)).toBe('1.00 GB/s');
+  });
+});
+
+describe('formatDate', () => {
+  it('returns N/A for null/undefined', () => {
+    expect(formatDate(null)).toBe('N/A');
+    expect(formatDate(undefined)).toBe('N/A');
+  });
+
+  it('formats valid date string', () => {
+    const dateStr = '2024-01-15T10:30:00Z';
+    const result = formatDate(dateStr);
+    expect(result).toBeTruthy();
+    expect(result).not.toBe('N/A');
+  });
+});
+
+describe('formatTimeAgo', () => {
+  it('returns Never for null/undefined', () => {
+    expect(formatTimeAgo(null)).toBe('Never');
+    expect(formatTimeAgo(undefined)).toBe('Never');
+  });
+
+  it('returns seconds ago for recent timestamps', () => {
+    const now = Date.now();
+    expect(formatTimeAgo(now - 30000)).toBe('30s ago');
+  });
+
+  it('returns minutes ago for older timestamps', () => {
+    const now = Date.now();
+    expect(formatTimeAgo(now - 60000 * 5)).toBe('5m ago');
+  });
+
+  it('returns hours ago for hours-old timestamps', () => {
+    const now = Date.now();
+    expect(formatTimeAgo(now - 60000 * 60 * 3)).toBe('3h ago');
+  });
+
+  it('returns days ago for day-old timestamps', () => {
+    const now = Date.now();
+    expect(formatTimeAgo(now - 60000 * 60 * 24 * 2)).toBe('2d ago');
+  });
+});
+
+describe('escapeHtml', () => {
+  it('escapes HTML special characters', () => {
+    expect(escapeHtml('<script>alert("xss")</script>')).toBe('&lt;script&gt;alert("xss")&lt;/script&gt;');
+  });
+
+  it('escapes quotes', () => {
+    expect(escapeHtml('"test"')).toBe('"test"');
+  });
+
+  it('handles empty string', () => {
+    expect(escapeHtml('')).toBe('');
+  });
+
+  it('handles normal text without special chars', () => {
+    expect(escapeHtml('normal text')).toBe('normal text');
+  });
+});
@@ -0,0 +1,899 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+/**
+ * Integration tests for server/routes/sonarr.js, server/routes/radarr.js,
+ * and server/routes/sabnzbd.js.
+ *
+ * Covers:
+ *  Sonarr: queue, history, series, series/:id, notifications CRUD,
+ *          notifications/test, notifications/schema, sofarr-webhook (create + update)
+ *  Radarr: same set, movies instead of series
+ *  SABnzbd: queue, history
+ *
+ * All routes require auth; state-changing requests (POST/PUT/DELETE) must also
+ * carry the CSRF token issued by GET /api/auth/csrf (verifyCsrf middleware).
+ */
+
+import request from 'supertest';
+import nock from 'nock';
+import { createApp } from '../../server/app.js';
+
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+
+const EMBY_BASE    = 'https://emby.test';
+const SONARR_BASE  = 'https://sonarr.test';
+const RADARR_BASE  = 'https://radarr.test';
+const SABNZBD_BASE = 'https://sabnzbd.test';
+
+// ---------------------------------------------------------------------------
+// Fixtures
+// ---------------------------------------------------------------------------
+
+const EMBY_AUTH = { AccessToken: 'tok', User: { Id: 'uid1', Name: 'alice' } };
+const EMBY_USER = { Id: 'uid1', Name: 'alice', Policy: { IsAdministrator: false } };
+
+const SONARR_QUEUE = { records: [{ id: 1, title: 'Show.S01E01', seriesId: 10 }] };
+const SONARR_HISTORY = { records: [{ id: 100, eventType: 'downloadFolderImported', sourceTitle: 'Show.S01E01' }] };
+const SONARR_SERIES_LIST = [{ id: 10, title: 'My Show', titleSlug: 'my-show', tags: [] }];
+const SONARR_SERIES_ITEM = { id: 10, title: 'My Show', titleSlug: 'my-show', tags: [] };
+const SONARR_NOTIFICATIONS = [{ id: 5, name: 'Plex', implementation: 'Plex' }];
+const SONARR_NOTIF_ITEM = { id: 5, name: 'Plex', implementation: 'Plex', fields: [] };
+
+const RADARR_QUEUE = { records: [{ id: 2, title: 'Movie.2024.1080p', movieId: 20 }] };
+const RADARR_HISTORY = { records: [{ id: 200, eventType: 'downloadFolderImported', sourceTitle: 'Movie.2024.1080p' }] };
+const RADARR_MOVIES_LIST = [{ id: 20, title: 'My Movie', titleSlug: 'my-movie-2024', tags: [] }];
+const RADARR_MOVIE_ITEM = { id: 20, title: 'My Movie', titleSlug: 'my-movie-2024', tags: [] };
+const RADARR_NOTIFICATIONS = [{ id: 7, name: 'Plex', implementation: 'Plex' }];
+const RADARR_NOTIF_ITEM = { id: 7, name: 'Plex', implementation: 'Plex', fields: [] };
+
+const SAB_QUEUE_RESP = { queue: { status: 'Downloading', slots: [{ filename: 'Show.S01E01', percentage: '50' }] } };
+const SAB_HISTORY_RESP = { history: { slots: [{ name: 'Show.S01E01.Done', status: 'Completed' }] } };
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+function interceptLogin() {
+  nock(EMBY_BASE).post('/Users/authenticatebyname').reply(200, EMBY_AUTH);
+  nock(EMBY_BASE).get(/\/Users\//).reply(200, EMBY_USER);
+}
+
+async function loginAs(app) {
+  interceptLogin();
+  const res = await request(app)
+    .post('/api/auth/login')
+    .send({ username: 'alice', password: 'pw' });
+  return { cookies: res.headers['set-cookie'], csrf: res.body.csrfToken };
+}
+
+async function getSessionWithCsrf(app) {
+  const { cookies, csrf } = await loginAs(app);
+  // Obtain a fresh csrf cookie as well (login already sets one, but keep consistent)
+  const csrfCookie = cookies.find(c => c.startsWith('csrf_token='));
+  return { cookies, csrf, csrfCookie };
+}
+
+// Build the Cookie header for state-changing requests: session + csrf cookies
+function joinCookies(sessionCookies, csrfCookie) {
+  const all = Array.isArray(sessionCookies) ? [...sessionCookies] : [sessionCookies];
+  if (csrfCookie && !all.includes(csrfCookie)) all.push(csrfCookie);
+  return all.join('; ');
+}
+
+// ---------------------------------------------------------------------------
+// Environment
+// ---------------------------------------------------------------------------
+
+beforeAll(() => {
+  process.env.EMBY_URL    = EMBY_BASE;
+  process.env.SONARR_URL  = SONARR_BASE;
+  process.env.SONARR_API_KEY = 'sk';
+  process.env.SONARR_INSTANCES = JSON.stringify([{ id: 'sonarr-1', name: 'Main Sonarr', url: SONARR_BASE, apiKey: 'sk' }]);
+  process.env.RADARR_URL  = RADARR_BASE;
+  process.env.RADARR_API_KEY = 'rk';
+  process.env.RADARR_INSTANCES = JSON.stringify([{ id: 'radarr-1', name: 'Main Radarr', url: RADARR_BASE, apiKey: 'rk' }]);
+  process.env.SABNZBD_URL = SABNZBD_BASE;
+  process.env.SABNZBD_API_KEY = 'sabkey';
+  process.env.SOFARR_BASE_URL = 'https://sofarr.test';
+  process.env.SOFARR_WEBHOOK_SECRET = 'webhook-secret-abc';
+});
+
+afterAll(() => {
+  delete process.env.EMBY_URL;
+  delete process.env.SONARR_URL;
+  delete process.env.SONARR_API_KEY;
+  delete process.env.SONARR_INSTANCES;
+  delete process.env.RADARR_URL;
+  delete process.env.RADARR_API_KEY;
+  delete process.env.RADARR_INSTANCES;
+  delete process.env.SABNZBD_URL;
+  delete process.env.SABNZBD_API_KEY;
+  delete process.env.SOFARR_BASE_URL;
+  delete process.env.SOFARR_WEBHOOK_SECRET;
+});
+
+afterEach(() => {
+  nock.cleanAll();
+});
+
+// ===========================================================================
+// SONARR ROUTES
+// ===========================================================================
+
+describe('Sonarr routes', () => {
+  describe('GET /api/sonarr/queue', () => {
+    it('returns 401 when unauthenticated', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const res = await request(app).get('/api/sonarr/queue');
+      expect(res.status).toBe(401);
+    });
+
+    it('proxies Sonarr queue', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies } = await loginAs(app);
+      nock(SONARR_BASE).get('/api/v3/queue').reply(200, SONARR_QUEUE);
+      const res = await request(app).get('/api/sonarr/queue').set('Cookie', cookies);
+      expect(res.status).toBe(200);
+      expect(res.body.records).toBeDefined();
+    });
+
+    it('returns 500 on upstream failure', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies } = await loginAs(app);
+      nock(SONARR_BASE).get('/api/v3/queue').replyWithError('ECONNREFUSED');
+      const res = await request(app).get('/api/sonarr/queue').set('Cookie', cookies);
+      expect(res.status).toBe(500);
+      expect(res.body.error).toMatch(/queue/i);
+    });
+  });
+
+  describe('GET /api/sonarr/history', () => {
+    it('returns 401 when unauthenticated', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const res = await request(app).get('/api/sonarr/history');
+      expect(res.status).toBe(401);
+    });
+
+    it('proxies Sonarr history with default pageSize', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies } = await loginAs(app);
+      nock(SONARR_BASE).get('/api/v3/history').query(true).reply(200, SONARR_HISTORY);
+      const res = await request(app).get('/api/sonarr/history').set('Cookie', cookies);
+      expect(res.status).toBe(200);
+      expect(res.body.records).toBeDefined();
+    });
+
+    it('passes through custom pageSize', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies } = await loginAs(app);
+      nock(SONARR_BASE).get('/api/v3/history').query({ pageSize: '100' }).reply(200, SONARR_HISTORY);
+      const res = await request(app).get('/api/sonarr/history?pageSize=100').set('Cookie', cookies);
+      expect(res.status).toBe(200);
+    });
+
+    it('returns 500 on upstream failure', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies } = await loginAs(app);
+      nock(SONARR_BASE).get('/api/v3/history').query(true).replyWithError('ECONNREFUSED');
+      const res = await request(app).get('/api/sonarr/history').set('Cookie', cookies);
+      expect(res.status).toBe(500);
+    });
+  });
+
+  describe('GET /api/sonarr/series', () => {
+    it('returns 401 when unauthenticated', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const res = await request(app).get('/api/sonarr/series');
+      expect(res.status).toBe(401);
+    });
+
+    it('proxies series list', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies } = await loginAs(app);
+      nock(SONARR_BASE).get('/api/v3/series').reply(200, SONARR_SERIES_LIST);
+      const res = await request(app).get('/api/sonarr/series').set('Cookie', cookies);
+      expect(res.status).toBe(200);
+      expect(Array.isArray(res.body)).toBe(true);
+    });
+
+    it('returns 500 on upstream failure', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies } = await loginAs(app);
+      nock(SONARR_BASE).get('/api/v3/series').replyWithError('ECONNREFUSED');
+      const res = await request(app).get('/api/sonarr/series').set('Cookie', cookies);
+      expect(res.status).toBe(500);
+    });
+  });
+
+  describe('GET /api/sonarr/series/:id', () => {
+    it('proxies individual series', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies } = await loginAs(app);
+      nock(SONARR_BASE).get('/api/v3/series/10').reply(200, SONARR_SERIES_ITEM);
+      const res = await request(app).get('/api/sonarr/series/10').set('Cookie', cookies);
+      expect(res.status).toBe(200);
+      expect(res.body.title).toBe('My Show');
+    });
+
+    it('returns 500 on upstream failure', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies } = await loginAs(app);
+      nock(SONARR_BASE).get('/api/v3/series/999').replyWithError('not found');
+      const res = await request(app).get('/api/sonarr/series/999').set('Cookie', cookies);
+      expect(res.status).toBe(500);
+    });
+  });
+
+  describe('GET /api/sonarr/notifications', () => {
+    it('returns 503 when no Sonarr instance configured', async () => {
+      const app = createApp({ skipRateLimits: true });
+      // Temporarily clear instances
+      const saved = process.env.SONARR_INSTANCES;
+      delete process.env.SONARR_INSTANCES;
+      delete process.env.SONARR_URL;
+      delete process.env.SONARR_API_KEY;
+
+      interceptLogin();
+      const loginRes = await request(app).post('/api/auth/login').send({ username: 'alice', password: 'pw' });
+      const cookies = loginRes.headers['set-cookie'];
+
+      const res = await request(app).get('/api/sonarr/notifications').set('Cookie', cookies);
+      expect(res.status).toBe(503);
+
+      process.env.SONARR_INSTANCES = saved;
+      process.env.SONARR_URL = SONARR_BASE;
+      process.env.SONARR_API_KEY = 'sk';
+    });
+
+    it('proxies notifications list', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies } = await loginAs(app);
+      nock(SONARR_BASE).get('/api/v3/notification').reply(200, SONARR_NOTIFICATIONS);
+      const res = await request(app).get('/api/sonarr/notifications').set('Cookie', cookies);
+      expect(res.status).toBe(200);
+      expect(Array.isArray(res.body)).toBe(true);
+    });
+
+    it('returns 500 on upstream failure', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies } = await loginAs(app);
+      nock(SONARR_BASE).get('/api/v3/notification').replyWithError('ECONNREFUSED');
+      const res = await request(app).get('/api/sonarr/notifications').set('Cookie', cookies);
+      expect(res.status).toBe(500);
+    });
+  });
+
+  describe('GET /api/sonarr/notifications/:id', () => {
+    it('proxies a single notification', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies } = await loginAs(app);
+      nock(SONARR_BASE).get('/api/v3/notification/5').reply(200, SONARR_NOTIF_ITEM);
+      const res = await request(app).get('/api/sonarr/notifications/5').set('Cookie', cookies);
+      expect(res.status).toBe(200);
+      expect(res.body.name).toBe('Plex');
+    });
+  });
+
+  describe('POST /api/sonarr/notifications', () => {
+    it('returns 403 (CSRF missing) without auth', async () => {
+      // verifyCsrf fires before requireAuth on POST routes — no CSRF → 403
+      const app = createApp({ skipRateLimits: true });
+      const res = await request(app).post('/api/sonarr/notifications').send({});
+      expect(res.status).toBe(403);
+    });
+
+    it('creates a notification', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies, csrf, csrfCookie } = await getSessionWithCsrf(app);
+      nock(SONARR_BASE).post('/api/v3/notification').reply(200, { id: 99, name: 'New' });
+      const res = await request(app)
+        .post('/api/sonarr/notifications')
+        .set('Cookie', joinCookies(cookies, csrfCookie))
+        .set('X-CSRF-Token', csrf)
+        .send({ name: 'New' });
+      expect(res.status).toBe(200);
+      expect(res.body.name).toBe('New');
+    });
+
+    it('returns 500 on upstream failure', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies, csrf, csrfCookie } = await getSessionWithCsrf(app);
+      nock(SONARR_BASE).post('/api/v3/notification').replyWithError('ECONNREFUSED');
+      const res = await request(app)
+        .post('/api/sonarr/notifications')
+        .set('Cookie', joinCookies(cookies, csrfCookie))
+        .set('X-CSRF-Token', csrf)
+        .send({ name: 'New' });
+      expect(res.status).toBe(500);
+    });
+  });
+
+  describe('PUT /api/sonarr/notifications/:id', () => {
+    it('updates a notification', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies, csrf, csrfCookie } = await getSessionWithCsrf(app);
+      nock(SONARR_BASE).put('/api/v3/notification/5').reply(200, { id: 5, name: 'Updated' });
+      const res = await request(app)
+        .put('/api/sonarr/notifications/5')
+        .set('Cookie', joinCookies(cookies, csrfCookie))
+        .set('X-CSRF-Token', csrf)
+        .send({ id: 5, name: 'Updated' });
+      expect(res.status).toBe(200);
+      expect(res.body.name).toBe('Updated');
+    });
+
+    it('returns 500 on upstream failure', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies, csrf, csrfCookie } = await getSessionWithCsrf(app);
+      nock(SONARR_BASE).put('/api/v3/notification/5').replyWithError('ECONNREFUSED');
+      const res = await request(app)
+        .put('/api/sonarr/notifications/5')
+        .set('Cookie', joinCookies(cookies, csrfCookie))
+        .set('X-CSRF-Token', csrf)
+        .send({ id: 5 });
+      expect(res.status).toBe(500);
+    });
+  });
+
+  describe('DELETE /api/sonarr/notifications/:id', () => {
+    it('deletes a notification', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies, csrf, csrfCookie } = await getSessionWithCsrf(app);
+      nock(SONARR_BASE).delete('/api/v3/notification/5').reply(200, {});
+      const res = await request(app)
+        .delete('/api/sonarr/notifications/5')
+        .set('Cookie', joinCookies(cookies, csrfCookie))
+        .set('X-CSRF-Token', csrf);
+      expect(res.status).toBe(200);
+    });
+
+    it('returns 500 on upstream failure', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies, csrf, csrfCookie } = await getSessionWithCsrf(app);
+      nock(SONARR_BASE).delete('/api/v3/notification/5').replyWithError('ECONNREFUSED');
+      const res = await request(app)
+        .delete('/api/sonarr/notifications/5')
+        .set('Cookie', joinCookies(cookies, csrfCookie))
+        .set('X-CSRF-Token', csrf);
+      expect(res.status).toBe(500);
+    });
+  });
+
+  describe('POST /api/sonarr/notifications/test', () => {
+    it('returns 503 when no Sonarr instance configured', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const saved = process.env.SONARR_INSTANCES;
+      const savedUrl = process.env.SONARR_URL;
+      const savedKey = process.env.SONARR_API_KEY;
+      delete process.env.SONARR_INSTANCES;
+      delete process.env.SONARR_URL;
+      delete process.env.SONARR_API_KEY;
+
+      interceptLogin();
+      const loginRes = await request(app).post('/api/auth/login').send({ username: 'alice', password: 'pw' });
+      const cookies = loginRes.headers['set-cookie'];
+      const csrf = loginRes.body.csrfToken;
+      const csrfCookie = cookies.find(c => c.startsWith('csrf_token='));
+
+      const res = await request(app)
+        .post('/api/sonarr/notifications/test')
+        .set('Cookie', joinCookies(cookies, csrfCookie))
+        .set('X-CSRF-Token', csrf)
+        .send({});
+      expect(res.status).toBe(503);
+
+      process.env.SONARR_INSTANCES = saved;
+      process.env.SONARR_URL = savedUrl;
+      process.env.SONARR_API_KEY = savedKey;
+    });
+
+    it('tests a notification', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies, csrf, csrfCookie } = await getSessionWithCsrf(app);
+      nock(SONARR_BASE).post('/api/v3/notification/test').reply(200, {});
+      const res = await request(app)
+        .post('/api/sonarr/notifications/test')
+        .set('Cookie', joinCookies(cookies, csrfCookie))
+        .set('X-CSRF-Token', csrf)
+        .send({ id: 5 });
+      expect(res.status).toBe(200);
+    });
+
+    it('returns 500 when test fails', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies, csrf, csrfCookie } = await getSessionWithCsrf(app);
+      nock(SONARR_BASE).post('/api/v3/notification/test').replyWithError('ECONNREFUSED');
+      const res = await request(app)
+        .post('/api/sonarr/notifications/test')
+        .set('Cookie', joinCookies(cookies, csrfCookie))
+        .set('X-CSRF-Token', csrf)
+        .send({ id: 5 });
+      expect(res.status).toBe(500);
+    });
+  });
+
+  describe('GET /api/sonarr/notifications/schema', () => {
+    it('proxies the schema', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies } = await loginAs(app);
+      nock(SONARR_BASE).get('/api/v3/notification/schema').reply(200, [{ implementation: 'Webhook' }]);
+      const res = await request(app).get('/api/sonarr/notifications/schema').set('Cookie', cookies);
+      expect(res.status).toBe(200);
+      expect(Array.isArray(res.body)).toBe(true);
+    });
+  });
+
+  describe('POST /api/sonarr/notifications/sofarr-webhook', () => {
+    it('returns 400 when SOFARR_BASE_URL is not configured', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const saved = process.env.SOFARR_BASE_URL;
+      delete process.env.SOFARR_BASE_URL;
+
+      interceptLogin();
+      const loginRes = await request(app).post('/api/auth/login').send({ username: 'alice', password: 'pw' });
+      const cookies = loginRes.headers['set-cookie'];
+      const csrf = loginRes.body.csrfToken;
+      const csrfCookie = cookies.find(c => c.startsWith('csrf_token='));
+
+      const res = await request(app)
+        .post('/api/sonarr/notifications/sofarr-webhook')
+        .set('Cookie', joinCookies(cookies, csrfCookie))
+        .set('X-CSRF-Token', csrf)
+        .send({});
+      expect(res.status).toBe(400);
+      expect(res.body.error).toMatch(/SOFARR_BASE_URL/);
+
+      process.env.SOFARR_BASE_URL = saved;
+    });
+
+    it('creates a new webhook notification when none exists', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies, csrf, csrfCookie } = await getSessionWithCsrf(app);
+
+      nock(SONARR_BASE).get('/api/v3/notification').reply(200, []);
+      nock(SONARR_BASE).post('/api/v3/notification').reply(200, { id: 10, name: 'Sofarr' });
+
+      const res = await request(app)
+        .post('/api/sonarr/notifications/sofarr-webhook')
+        .set('Cookie', joinCookies(cookies, csrfCookie))
+        .set('X-CSRF-Token', csrf)
+        .send({});
+      expect(res.status).toBe(200);
+      expect(res.body.name).toBe('Sofarr');
+    });
+
+    it('updates an existing Sofarr notification', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies, csrf, csrfCookie } = await getSessionWithCsrf(app);
+
+      nock(SONARR_BASE)
+        .get('/api/v3/notification')
+        .reply(200, [{ id: 10, name: 'Sofarr', implementation: 'Webhook' }]);
+      nock(SONARR_BASE)
+        .put('/api/v3/notification/10')
+        .reply(200, { id: 10, name: 'Sofarr' });
+
+      const res = await request(app)
+        .post('/api/sonarr/notifications/sofarr-webhook')
+        .set('Cookie', joinCookies(cookies, csrfCookie))
+        .set('X-CSRF-Token', csrf)
+        .send({});
+      expect(res.status).toBe(200);
+      expect(res.body.name).toBe('Sofarr');
+    });
+
+    it('returns 500 on upstream failure', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies, csrf, csrfCookie } = await getSessionWithCsrf(app);
+
+      nock(SONARR_BASE).get('/api/v3/notification').replyWithError('ECONNREFUSED');
+
+      const res = await request(app)
+        .post('/api/sonarr/notifications/sofarr-webhook')
+        .set('Cookie', joinCookies(cookies, csrfCookie))
+        .set('X-CSRF-Token', csrf)
+        .send({});
+      expect(res.status).toBe(500);
+    });
+  });
+});
+
+// ===========================================================================
+// RADARR ROUTES
+// ===========================================================================
+
+describe('Radarr routes', () => {
+  describe('GET /api/radarr/queue', () => {
+    it('returns 401 when unauthenticated', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const res = await request(app).get('/api/radarr/queue');
+      expect(res.status).toBe(401);
+    });
+
+    it('proxies Radarr queue', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies } = await loginAs(app);
+      nock(RADARR_BASE).get('/api/v3/queue').reply(200, RADARR_QUEUE);
+      const res = await request(app).get('/api/radarr/queue').set('Cookie', cookies);
+      expect(res.status).toBe(200);
+      expect(res.body.records).toBeDefined();
+    });
+
+    it('returns 500 on upstream failure', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies } = await loginAs(app);
+      nock(RADARR_BASE).get('/api/v3/queue').replyWithError('ECONNREFUSED');
+      const res = await request(app).get('/api/radarr/queue').set('Cookie', cookies);
+      expect(res.status).toBe(500);
+    });
+  });
+
+  describe('GET /api/radarr/history', () => {
+    it('proxies Radarr history', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies } = await loginAs(app);
+      nock(RADARR_BASE).get('/api/v3/history').query(true).reply(200, RADARR_HISTORY);
+      const res = await request(app).get('/api/radarr/history').set('Cookie', cookies);
+      expect(res.status).toBe(200);
+    });
+
+    it('returns 500 on upstream failure', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies } = await loginAs(app);
+      nock(RADARR_BASE).get('/api/v3/history').query(true).replyWithError('ECONNREFUSED');
+      const res = await request(app).get('/api/radarr/history').set('Cookie', cookies);
+      expect(res.status).toBe(500);
+    });
+  });
+
+  describe('GET /api/radarr/movies', () => {
+    it('returns 401 when unauthenticated', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const res = await request(app).get('/api/radarr/movies');
+      expect(res.status).toBe(401);
+    });
+
+    it('proxies movies list', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies } = await loginAs(app);
+      nock(RADARR_BASE).get('/api/v3/movie').reply(200, RADARR_MOVIES_LIST);
+      const res = await request(app).get('/api/radarr/movies').set('Cookie', cookies);
+      expect(res.status).toBe(200);
+      expect(Array.isArray(res.body)).toBe(true);
+    });
+
+    it('returns 500 on upstream failure', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies } = await loginAs(app);
+      nock(RADARR_BASE).get('/api/v3/movie').replyWithError('ECONNREFUSED');
+      const res = await request(app).get('/api/radarr/movies').set('Cookie', cookies);
+      expect(res.status).toBe(500);
+    });
+  });
+
+  describe('GET /api/radarr/movies/:id', () => {
+    it('proxies a single movie', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies } = await loginAs(app);
+      nock(RADARR_BASE).get('/api/v3/movie/20').reply(200, RADARR_MOVIE_ITEM);
+      const res = await request(app).get('/api/radarr/movies/20').set('Cookie', cookies);
+      expect(res.status).toBe(200);
+      expect(res.body.title).toBe('My Movie');
+    });
+
+    it('returns 500 on upstream failure', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies } = await loginAs(app);
+      nock(RADARR_BASE).get('/api/v3/movie/999').replyWithError('ECONNREFUSED');
+      const res = await request(app).get('/api/radarr/movies/999').set('Cookie', cookies);
+      expect(res.status).toBe(500);
+    });
+  });
+
+  describe('GET /api/radarr/notifications', () => {
+    it('returns 503 when no Radarr instance configured', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const saved = process.env.RADARR_INSTANCES;
+      const savedUrl = process.env.RADARR_URL;
+      const savedKey = process.env.RADARR_API_KEY;
+      delete process.env.RADARR_INSTANCES;
+      delete process.env.RADARR_URL;
+      delete process.env.RADARR_API_KEY;
+
+      interceptLogin();
+      const loginRes = await request(app).post('/api/auth/login').send({ username: 'alice', password: 'pw' });
+      const cookies = loginRes.headers['set-cookie'];
+
+      const res = await request(app).get('/api/radarr/notifications').set('Cookie', cookies);
+      expect(res.status).toBe(503);
+
+      process.env.RADARR_INSTANCES = saved;
+      process.env.RADARR_URL = savedUrl;
+      process.env.RADARR_API_KEY = savedKey;
+    });
+
+    it('proxies notifications list', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies } = await loginAs(app);
+      nock(RADARR_BASE).get('/api/v3/notification').reply(200, RADARR_NOTIFICATIONS);
+      const res = await request(app).get('/api/radarr/notifications').set('Cookie', cookies);
+      expect(res.status).toBe(200);
+      expect(Array.isArray(res.body)).toBe(true);
+    });
+
+    it('returns 500 on upstream failure', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies } = await loginAs(app);
+      nock(RADARR_BASE).get('/api/v3/notification').replyWithError('ECONNREFUSED');
+      const res = await request(app).get('/api/radarr/notifications').set('Cookie', cookies);
+      expect(res.status).toBe(500);
+    });
+  });
+
+  describe('POST /api/radarr/notifications', () => {
+    it('creates a Radarr notification', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies, csrf, csrfCookie } = await getSessionWithCsrf(app);
+      nock(RADARR_BASE).post('/api/v3/notification').reply(200, { id: 88, name: 'New' });
+      const res = await request(app)
+        .post('/api/radarr/notifications')
+        .set('Cookie', joinCookies(cookies, csrfCookie))
+        .set('X-CSRF-Token', csrf)
+        .send({ name: 'New' });
+      expect(res.status).toBe(200);
+      expect(res.body.name).toBe('New');
+    });
+  });
+
+  describe('PUT /api/radarr/notifications/:id', () => {
+    it('updates a Radarr notification', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies, csrf, csrfCookie } = await getSessionWithCsrf(app);
+      nock(RADARR_BASE).put('/api/v3/notification/7').reply(200, { id: 7, name: 'Updated' });
+      const res = await request(app)
+        .put('/api/radarr/notifications/7')
+        .set('Cookie', joinCookies(cookies, csrfCookie))
+        .set('X-CSRF-Token', csrf)
+        .send({ id: 7, name: 'Updated' });
+      expect(res.status).toBe(200);
+      expect(res.body.name).toBe('Updated');
+    });
+
+    it('returns 500 on upstream failure', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies, csrf, csrfCookie } = await getSessionWithCsrf(app);
+      nock(RADARR_BASE).put('/api/v3/notification/7').replyWithError('ECONNREFUSED');
+      const res = await request(app)
+        .put('/api/radarr/notifications/7')
+        .set('Cookie', joinCookies(cookies, csrfCookie))
+        .set('X-CSRF-Token', csrf)
+        .send({ id: 7 });
+      expect(res.status).toBe(500);
+    });
+  });
+
+  describe('DELETE /api/radarr/notifications/:id', () => {
+    it('deletes a Radarr notification', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies, csrf, csrfCookie } = await getSessionWithCsrf(app);
+      nock(RADARR_BASE).delete('/api/v3/notification/7').reply(200, {});
+      const res = await request(app)
+        .delete('/api/radarr/notifications/7')
+        .set('Cookie', joinCookies(cookies, csrfCookie))
+        .set('X-CSRF-Token', csrf);
+      expect(res.status).toBe(200);
+    });
+
+    it('returns 500 on upstream failure', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies, csrf, csrfCookie } = await getSessionWithCsrf(app);
+      nock(RADARR_BASE).delete('/api/v3/notification/7').replyWithError('ECONNREFUSED');
+      const res = await request(app)
+        .delete('/api/radarr/notifications/7')
+        .set('Cookie', joinCookies(cookies, csrfCookie))
+        .set('X-CSRF-Token', csrf);
+      expect(res.status).toBe(500);
+    });
+  });
+
+  describe('GET /api/radarr/notifications/:id', () => {
+    it('proxies a single Radarr notification', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies } = await loginAs(app);
+      nock(RADARR_BASE).get('/api/v3/notification/7').reply(200, RADARR_NOTIF_ITEM);
+      const res = await request(app).get('/api/radarr/notifications/7').set('Cookie', cookies);
+      expect(res.status).toBe(200);
+      expect(res.body.name).toBe('Plex');
+    });
+  });
+
+  describe('POST /api/radarr/notifications/test', () => {
+    it('tests a Radarr notification', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies, csrf, csrfCookie } = await getSessionWithCsrf(app);
+      nock(RADARR_BASE).post('/api/v3/notification/test').reply(200, {});
+      const res = await request(app)
+        .post('/api/radarr/notifications/test')
+        .set('Cookie', joinCookies(cookies, csrfCookie))
+        .set('X-CSRF-Token', csrf)
+        .send({ id: 7 });
+      expect(res.status).toBe(200);
+    });
+
+    it('returns 500 when test fails', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies, csrf, csrfCookie } = await getSessionWithCsrf(app);
+      nock(RADARR_BASE).post('/api/v3/notification/test').replyWithError('ECONNREFUSED');
+      const res = await request(app)
+        .post('/api/radarr/notifications/test')
+        .set('Cookie', joinCookies(cookies, csrfCookie))
+        .set('X-CSRF-Token', csrf)
+        .send({ id: 7 });
+      expect(res.status).toBe(500);
+    });
+  });
+
+  describe('GET /api/radarr/notifications/schema', () => {
+    it('proxies the Radarr notification schema', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies } = await loginAs(app);
+      nock(RADARR_BASE).get('/api/v3/notification/schema').reply(200, [{ implementation: 'Webhook' }]);
+      const res = await request(app).get('/api/radarr/notifications/schema').set('Cookie', cookies);
+      expect(res.status).toBe(200);
+    });
+  });
+
+  describe('POST /api/radarr/notifications/sofarr-webhook', () => {
+    it('creates a new Radarr webhook when none exists', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies, csrf, csrfCookie } = await getSessionWithCsrf(app);
+
+      nock(RADARR_BASE).get('/api/v3/notification').reply(200, []);
+      nock(RADARR_BASE).post('/api/v3/notification').reply(200, { id: 20, name: 'Sofarr' });
+
+      const res = await request(app)
+        .post('/api/radarr/notifications/sofarr-webhook')
+        .set('Cookie', joinCookies(cookies, csrfCookie))
+        .set('X-CSRF-Token', csrf)
+        .send({});
+      expect(res.status).toBe(200);
+      expect(res.body.name).toBe('Sofarr');
+    });
+
+    it('updates an existing Sofarr Radarr notification', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies, csrf, csrfCookie } = await getSessionWithCsrf(app);
+
+      nock(RADARR_BASE)
+        .get('/api/v3/notification')
+        .reply(200, [{ id: 20, name: 'Sofarr', implementation: 'Webhook' }]);
+      nock(RADARR_BASE)
+        .put('/api/v3/notification/20')
+        .reply(200, { id: 20, name: 'Sofarr' });
+
+      const res = await request(app)
+        .post('/api/radarr/notifications/sofarr-webhook')
+        .set('Cookie', joinCookies(cookies, csrfCookie))
+        .set('X-CSRF-Token', csrf)
+        .send({});
+      expect(res.status).toBe(200);
+    });
+
+    it('returns 400 when SOFARR_WEBHOOK_SECRET is not configured', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const saved = process.env.SOFARR_WEBHOOK_SECRET;
+      delete process.env.SOFARR_WEBHOOK_SECRET;
+
+      interceptLogin();
+      const loginRes = await request(app).post('/api/auth/login').send({ username: 'alice', password: 'pw' });
+      const cookies = loginRes.headers['set-cookie'];
+      const csrf = loginRes.body.csrfToken;
+      const csrfCookie = cookies.find(c => c.startsWith('csrf_token='));
+
+      const res = await request(app)
+        .post('/api/radarr/notifications/sofarr-webhook')
+        .set('Cookie', joinCookies(cookies, csrfCookie))
+        .set('X-CSRF-Token', csrf)
+        .send({});
+      expect(res.status).toBe(400);
+      expect(res.body.error).toMatch(/SOFARR_WEBHOOK_SECRET/);
+
+      process.env.SOFARR_WEBHOOK_SECRET = saved;
+    });
+
+    it('returns 500 on upstream failure', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies, csrf, csrfCookie } = await getSessionWithCsrf(app);
+      nock(RADARR_BASE).get('/api/v3/notification').replyWithError('ECONNREFUSED');
+      const res = await request(app)
+        .post('/api/radarr/notifications/sofarr-webhook')
+        .set('Cookie', joinCookies(cookies, csrfCookie))
+        .set('X-CSRF-Token', csrf)
+        .send({});
+      expect(res.status).toBe(500);
+    });
+  });
+});
+
+// ===========================================================================
+// SABNZBD ROUTES
+// ===========================================================================
+
+describe('SABnzbd routes', () => {
+  describe('GET /api/sabnzbd/queue', () => {
+    it('returns 401 when unauthenticated', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const res = await request(app).get('/api/sabnzbd/queue');
+      expect(res.status).toBe(401);
+    });
+
+    it('proxies SABnzbd queue', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies } = await loginAs(app);
+      nock(SABNZBD_BASE)
+        .get('/api')
+        .query({ mode: 'queue', apikey: 'sabkey', output: 'json' })
+        .reply(200, SAB_QUEUE_RESP);
+      const res = await request(app).get('/api/sabnzbd/queue').set('Cookie', cookies);
+      expect(res.status).toBe(200);
+      expect(res.body.queue).toBeDefined();
+      expect(res.body.queue.status).toBe('Downloading');
+    });
+
+    it('returns 500 when SABnzbd is unreachable', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies } = await loginAs(app);
+      nock(SABNZBD_BASE)
+        .get('/api')
+        .query(true)
+        .replyWithError('ECONNREFUSED');
+      const res = await request(app).get('/api/sabnzbd/queue').set('Cookie', cookies);
+      expect(res.status).toBe(500);
+      expect(res.body.error).toMatch(/queue/i);
+    });
+  });
+
+  describe('GET /api/sabnzbd/history', () => {
+    it('returns 401 when unauthenticated', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const res = await request(app).get('/api/sabnzbd/history');
+      expect(res.status).toBe(401);
+    });
+
+    it('proxies SABnzbd history with default limit', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies } = await loginAs(app);
+      nock(SABNZBD_BASE)
+        .get('/api')
+        .query({ mode: 'history', apikey: 'sabkey', output: 'json', limit: '50' })
+        .reply(200, SAB_HISTORY_RESP);
+      const res = await request(app).get('/api/sabnzbd/history').set('Cookie', cookies);
+      expect(res.status).toBe(200);
+      expect(res.body.history).toBeDefined();
+    });
+
+    it('passes through custom limit', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies } = await loginAs(app);
+      nock(SABNZBD_BASE)
+        .get('/api')
+        .query({ mode: 'history', apikey: 'sabkey', output: 'json', limit: '100' })
+        .reply(200, SAB_HISTORY_RESP);
+      const res = await request(app).get('/api/sabnzbd/history?limit=100').set('Cookie', cookies);
+      expect(res.status).toBe(200);
+    });
+
+    it('returns 500 when SABnzbd is unreachable', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies } = await loginAs(app);
+      nock(SABNZBD_BASE)
+        .get('/api')
+        .query(true)
+        .replyWithError('ECONNREFUSED');
+      const res = await request(app).get('/api/sabnzbd/history').set('Cookie', cookies);
+      expect(res.status).toBe(500);
+      expect(res.body.error).toMatch(/history/i);
+    });
+  });
+});
@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 /**
 * Integration tests for authentication routes.
 *
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				<svg xmlns="http://www.w3.org/2000/svg" xml:space="preserve" viewBox="0 0 512 512"><path d="m256.1 2.6 142 217.2c91 139.2-4.7 289.6-142.1 289.6S22.8 358.9 113.9 219.8z" style="fill-rule:evenodd;clip-rule:evenodd;fill:#4c90e8;stroke:#094491;stroke-width:3.1904"/><path d="M306.7 255.2c-77.6-31.7-118.4 49.2-105.4 87C229.5 424.4 335.8 445 414.2 308c0 0 .8 16.5 1.7 24.4 10.5 99.9-73.5 163.4-158.6 162.2s-111.1-34.3-136.2-72.3C80.4 360.6 90.5 260 145.2 212.9c62.5-51.6 131.2-24 161.5 42.3" style="fill-rule:evenodd;clip-rule:evenodd;fill:#094491"/><path d="M257.9 225.3c-87 2.1-103.5 102.3-79.4 145.3 33.5 59.7 84.3 71.2 153.8 49.1-39.7 43.2-121.2 54.6-176.5-7.1-38.1-42.4-41.4-101.6-15-151.1 26.5-49.4 79.2-63.2 117.1-36.2" style="fill-rule:evenodd;clip-rule:evenodd;fill:#83b8f9"/></svg>
				`@@ -0,0 +1 @@`
				<svg height="1024" viewBox="0 0 1024 1024" width="1024" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><linearGradient id="a" gradientUnits="userSpaceOnUse" x1="348.2829" x2="782.05951" y1="0" y2="786.48322"><stop offset="0" stop-color="#72b4f5"/><stop offset="1" stop-color="#356ebf"/></linearGradient><g fill="none" fill-rule="evenodd" transform="matrix(.97656268 0 0 .9765624 11.999908 12.000051)"><circle cx="512" cy="512" fill="url(#a)" r="496" stroke="#daefff" stroke-width="32"/><path d="m712.898 332.399q66.657 0 103.38 45.671 37.03 45.364 37.03 128.684 0 83.32-37.34 129.61-37.03 45.98-103.07 45.98-33.02 0-60.484-12.035-27.156-12.344-45.672-37.649h-3.703l-10.8 43.512h-36.724v-480.172h51.227v116.65q0 39.191-2.469 70.359h2.47q35.796-50.61 106.155-50.61zm-7.406 42.894q-52.46 0-75.605 30.242-23.145 29.934-23.145 101.219 0 71.285 23.762 102.145 23.761 30.55 76.222 30.55 47.215 0 70.36-34.254 23.144-34.562 23.144-99.058 0-66.04-23.144-98.442-23.145-32.402-71.594-32.402z" fill="#fff"/><path d="m317.273 639.45q51.227 0 74.68-27.466 23.453-27.464 24.996-92.578v-11.418q0-70.976-24.07-102.144-24.07-31.168-76.223-31.168-45.055 0-69.125 35.18-23.762 34.87-23.762 98.75 0 63.879 23.454 97.515 23.761 33.328 70.05 33.328zm-7.715 42.894q-65.421 0-102.144-45.98-36.723-45.981-36.723-128.376 0-83.011 37.032-129.609 37.03-46.598 103.07-46.598 69.433 0 106.773 52.461h2.778l7.406-46.289h40.426v490.047h-51.227v-144.73q0-30.86 3.395-52.461h-4.012q-35.488 51.535-106.774 51.535z" fill="#c8e8ff"/></g></svg>