Merge branch 'main' of https://git.i3omb.com/Gandalf/sofarr

Reviewed-on: #17

.dockerignore

@@ -10,7 +10,14 @@ node_modules/
 client/
 dist/
 build/
+coverage/
+tests/
+vitest.config.js
+.markdownlint.json
 README.md
+CHANGELOG.md
+SECURITY.md
+LICENSE
 .dockerignore
 Dockerfile
 .gitea/

.gitea/workflows/docs-check.yml

@@ -0,0 +1,108 @@
+name: Docs Check
+
+on:
+  push:
+    branches: ["**", "!main", "!release/**"]
+    paths:
+      - "**.md"
+      - ".gitea/workflows/docs-check.yml"
+  pull_request:
+    branches: ["**", "!main", "!release/**"]
+    paths:
+      - "**.md"
+      - ".gitea/workflows/docs-check.yml"
+
+jobs:
+  markdown-lint:
+    name: Markdown lint
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "22"
+
+      - name: Install markdownlint-cli
+        run: npm install -g markdownlint-cli
+
+      - name: Lint all Markdown files
+        run: markdownlint "**/*.md" --ignore node_modules
+
+  mermaid-parse:
+    name: Mermaid diagram parse check
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "22"
+
+      - name: Install mermaid and jsdom
+        run: npm install mermaid jsdom
+
+      - name: Extract and validate Mermaid diagrams
+        run: |
+          cat > check-mermaid.cjs << 'SCRIPT'
+          const { JSDOM } = require('jsdom');
+          const fs   = require('fs');
+          const path = require('path');
+
+          // Provide minimal browser globals so mermaid.parse() works in Node
+          const dom = new JSDOM('<!DOCTYPE html><html><body></body></html>', { url: 'http://localhost' });
+          globalThis.window   = dom.window;
+          globalThis.document = dom.window.document;
+          globalThis.DOMPurify = {
+            addHook: () => {}, removeHook: () => {}, setConfig: () => {},
+            sanitize: (s) => s, isValidAttribute: () => true,
+          };
+
+          function findMdFiles(dir) {
+            const out = [];
+            for (const e of fs.readdirSync(dir, { withFileTypes: true })) {
+              const full = path.join(dir, e.name);
+              if (e.isDirectory() && e.name !== 'node_modules' && !e.name.startsWith('.'))
+                out.push(...findMdFiles(full));
+              else if (e.isFile() && e.name.endsWith('.md'))
+                out.push(full);
+            }
+            return out;
+          }
+
+          import('./node_modules/mermaid/dist/mermaid.core.mjs').then(async (m) => {
+            const mermaid = m.default;
+            let errors = 0, total = 0;
+
+            for (const mdFile of findMdFiles('.')) {
+              const content = fs.readFileSync(mdFile, 'utf8');
+              const blocks = [...content.matchAll(/^```mermaid\n([\s\S]*?)^```/gm)];
+              if (!blocks.length) continue;
+              console.log(`\nChecking ${mdFile} (${blocks.length} diagram(s))`);
+              for (let i = 0; i < blocks.length; i++) {
+                total++;
+                const diagram = blocks[i][1].trim();
+                try {
+                  await mermaid.parse(diagram);
+                  console.log(`  [OK]  diagram ${i + 1}`);
+                } catch (err) {
+                  const msg = String(err.message || err).split('\n')[0];
+                  console.error(`  [FAIL] diagram ${i + 1}: ${msg}`);
+                  console.log(`::warning file=${mdFile}::Mermaid diagram ${i + 1} failed: ${msg}`);
+                  errors++;
+                }
+              }
+            }
+
+            console.log(`\nTotal: ${total}. Failures: ${errors}`);
+            if (errors > 0) {
+              console.log(`::warning::${errors} Mermaid diagram(s) failed to parse.`);
+              process.exit(1);
+            }
+          }).catch(e => { console.error('Fatal:', e.message); process.exit(1); });
+          SCRIPT
+          node check-mermaid.cjs

.gitea/workflows/licence-check.yml

@@ -0,0 +1,83 @@
+name: Licence Check
+
+on:
+  push:
+    branches: ["**", "!main", "!release/**"]
+    paths:
+      - "package.json"
+      - "package-lock.json"
+      - ".gitea/workflows/licence-check.yml"
+      - "**/*.js"
+      - "**/*.ts"
+      - "**/*.jsx"
+      - "**/*.tsx"
+  pull_request:
+    branches: ["**", "!main", "!release/**"]
+    paths:
+      - "package.json"
+      - "package-lock.json"
+      - ".gitea/workflows/licence-check.yml"
+      - "**/*.js"
+      - "**/*.ts"
+      - "**/*.jsx"
+      - "**/*.tsx"
+
+jobs:
+  licence-check:
+    name: Licence compatibility and copyright header verification
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "22"
+
+      - name: Install production dependencies
+        run: npm ci --omit=dev
+
+      - name: Check licence compatibility
+        run: |
+          npx --yes license-checker --production \
+            --onlyAllow "MIT;ISC;MIT-0;BSD-2-Clause;BSD-3-Clause;Apache-2.0;CC0-1.0;BlueOak-1.0.0" \
+            --excludePrivatePackages \
+            && echo "All production dependency licences are compatible with MIT."
+
+      - name: Check copyright headers in source files
+        run: |
+          #!/bin/bash
+          set -e
+          
+          # Find all source files, excluding build artifacts and node_modules
+          SOURCE_FILES=$(find . -type f \( -name "*.js" -o -name "*.ts" -o -name "*.jsx" -o -name "*.tsx" \) \
+            ! -path "./node_modules/*" \
+            ! -path "./.git/*" \
+            ! -path "./dist/*" \
+            ! -path "./build/*" \
+            ! -path "./.gitea/*")
+          
+          MISSING_HEADER=0
+          
+          # Check each file for MIT-compliant copyright header
+          while IFS= read -r file; do
+            if [ -z "$file" ]; then
+              continue
+            fi
+            
+            # Check if file starts with a copyright header containing: Copyright, year (4 digits), name, and MIT License
+            if ! head -n 5 "$file" | grep -qiE "Copyright.*[0-9]{4}.*MIT"; then
+              echo "❌ Missing MIT-compliant copyright header in: $file"
+              echo "   Required format: // Copyright (c) YYYY Name. MIT License."
+              MISSING_HEADER=$((MISSING_HEADER + 1))
+            fi
+          done <<< "$SOURCE_FILES"
+          
+          if [ $MISSING_HEADER -gt 0 ]; then
+            echo ""
+            echo "⚠️  Found $MISSING_HEADER file(s) with missing or non-compliant copyright headers."
+            exit 1
+          else
+            echo "✅ All source files have MIT-compliant copyright headers."
+          fi

.markdownlint.json

@@ -0,0 +1,18 @@
+{
+  "default": true,
+  "MD009": false,
+  "MD012": false,
+  "MD013": false,
+  "MD022": false,
+  "MD024": false,
+  "MD029": false,
+  "MD031": false,
+  "MD032": false,
+  "MD033": false,
+  "MD034": false,
+  "MD036": false,
+  "MD040": false,
+  "MD041": false,
+  "MD058": false,
+  "MD060": false
+}

CHANGELOG.md

@@ -0,0 +1,120 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+Format follows [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
+This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+---
+
+## [1.3.0] - 2026-05-17
+
+### Added
+
+- **History tab** — new "Recently Completed" tab showing imported and failed downloads from Sonarr/Radarr history for the last N days (configurable via the days input, persisted in `localStorage`). Auto-refreshes every 5 minutes.
+- **History deduplication** — when a failed download has subsequently been imported successfully, only the successful record is shown. If the most recent record for an item is a failure but the episode/movie is already on disk (upgrade attempt), the record is flagged as `availableForUpgrade`.
+- **"Upgrade available" badge** — failed history cards where the content is already on disk display an amber badge to indicate this is a failed upgrade rather than a missing item.
+- **"Hide upgrade failures" toggle** — checkbox in the history tab to filter out failed records that are already available on disk. State persists in `localStorage`. Tooltip explains the behaviour and matches the episode/multi-episode tooltip style.
+- **Blocklist & Search button** — admin-only button on download cards with an "Import Pending" caution. Removes the download from the client with `blocklist=true` (preventing re-grab of the same release) then immediately triggers an `EpisodeSearch`/`MoviesSearch` command in Sonarr/Radarr. Shows a confirmation dialog, loading/success/error states. Kicks a background poll on success.
+- **`POST /api/dashboard/blocklist-search`** — new admin-only endpoint backing the above button. Accepts `arrQueueId`, `arrType`, `arrInstanceUrl`, `arrInstanceKey`, `arrContentId`, `arrContentType`.
+- **Title link home navigation** — the sofarr logo/title in the header now navigates to the default view (Active Downloads tab, close status panel, reset "Show all users" toggle) without a page reload.
+- **Version footer link** — the version string in the dashboard footer links to the source repository.
+
+### Changed
+
+- History records are now deduplicated server-side before being sent to the client — only the most relevant record per content item per instance is returned.
+- Import-issue badge tooltip now uses the themed `var(--surface)` / `var(--text-primary)` / `var(--border)` CSS variables, matching the episode and toggle tooltip style.
+- Poller now stores `_instanceKey` on Sonarr/Radarr queue records in the cache, enabling the backend to look up API credentials for blocklist operations without an additional configuration lookup.
+- **Blocklist & Search button** — now available on all admin downloads (not just those with import issues), and also available to non-admin users when: import issues are present, OR (for qBittorrent torrents only) the download is more than 1 hour old AND has less than 100% availability.
+- **Download object** — added `canBlocklist` boolean field to indicate whether the current user can blocklist a given download.
+- **qBittorrent torrent data** — added `addedOn` timestamp field to enable age-based blocklist eligibility checks.
+
+---
+
+## [1.2.2] - 2026-05-17
+
+### Changed
+
+- **Header logo** — uses the higher-resolution 192px favicon source rendered at 56px for better visual balance alongside the title text.
+
+---
+
+## [1.2.1] - 2026-05-17
+
+### Added
+
+- **Version footer** — the dashboard footer now displays the running app version (e.g. `sofarr v1.2.1`), fetched from the `/health` endpoint on page load.
+
+---
+
+## [1.2.0] - 2025-05-17
+
+### Security
+
+- **Docker secrets support** — all sensitive environment variables (`COOKIE_SECRET`, `EMBY_API_KEY`, `SABNZBD_API_KEY`, `SONARR_API_KEY`, `RADARR_API_KEY`, `QBITTORRENT_PASSWORD`) now support the standard `_FILE` variant for loading values from mounted secret files (e.g. `COOKIE_SECRET_FILE=/run/secrets/cookie_secret`).
+- **Weak secret warning** — server now warns at startup if `COOKIE_SECRET` is shorter than 32 characters.
+- **EMBY_URL validation** — validates the Emby URL scheme at startup and warns on misconfiguration.
+- **Improved error sanitization** — `sanitizeError()` now also redacts hostnames from full request URLs that may appear in axios error messages.
+- **Graceful shutdown** — `SIGTERM` and `SIGINT` handlers now stop the background poller and drain open HTTP connections before exiting. Prevents data loss and zombie processes on `docker stop`.
+
+### Compliance
+
+- **MIT LICENSE file** added to project root.
+- **Copyright headers** added to key server source files (`index.js`, `poller.js`, `config.js`, `sanitizeError.js`, `loadSecrets.js`).
+- **`security.txt`** (`/.well-known/security.txt`) added for responsible disclosure.
+
+### Configuration
+
+- **URL validation** added to `config.js` — all configured service instance URLs are validated for scheme (`http`/`https`) and well-formedness at startup; malformed URLs emit a warning instead of crashing.
+
+### Docker / Deployment
+
+- **`docker-compose.yaml`** updated with commented Option B (Docker secrets `_FILE` pattern) alongside the existing plain-env Option A.
+- **`.dockerignore`** updated — `tests/`, `coverage/`, `vitest.config.js`, `CHANGELOG.md`, `SECURITY.md`, `LICENSE`, `.markdownlint.json` excluded from the production image.
+
+### CI
+
+- **`docs-check` workflow** added — separate Gitea Actions workflow that lints all Markdown files and validates Mermaid diagram syntax on every push that touches `.md` files. Both jobs use `continue-on-error: true` so documentation issues never block a release.
+- **Mermaid diagrams** in `docs/ARCHITECTURE.md` fixed — replaced invalid `\n` in stateDiagram transition labels, Unicode arrows/dashes, and double-spaces in flowchart edge definitions.
+
+---
+
+## [1.1.2] - 2025-05-15
+
+### Changed
+
+- Server startup message now includes the current version (`sofarr v1.1.2`).
+
+---
+
+## [1.1.1] - 2025-05-14
+
+### Fixed
+
+- Docker/TrueNAS SCALE healthcheck: dynamic HTTP/HTTPS selection based on `TLS_ENABLED` environment variable. Prevents containers from being stuck in "starting" state when `TLS_ENABLED=false`.
+
+---
+
+## [1.1.0] - 2025-05-13
+
+### Added
+
+- **Episode display** — TV show download cards now show episode information (S01E01 format with title). Multi-episode packs show a "Multiple episodes" badge with a tooltip listing all episodes.
+- **Episode tooltip** — solid background colour (theme-dependent) for readability.
+- Sonarr queue and history API requests now include `includeEpisode=true`.
+
+---
+
+## [1.0.0] - 2025-05-01
+
+### Added
+
+- Initial release.
+- SABnzbd queue and history integration.
+- qBittorrent torrent integration.
+- Sonarr and Radarr queue/history matching with user tag filtering.
+- Emby/Jellyfin authentication.
+- Server-Sent Events (SSE) real-time dashboard.
+- Per-request CSP nonce, CSRF double-submit, HSTS, Permissions-Policy.
+- Background polling with configurable interval and on-demand fallback.
+- Docker multi-stage build, non-root user, read-only filesystem.
+- TLS support with bundled snakeoil certificate.

Dockerfile

@@ -49,10 +49,10 @@ USER node
 
 EXPOSE 3001
 
-# HEALTHCHECK — Docker will restart the container if this fails 3 times
-# --no-check-certificate handles self-signed / snakeoil certs.
-# Remove that flag when using a CA-signed certificate.
+# HEALTHCHECK — Docker will restart the container if this fails 3 times.
+# Respects TLS_ENABLED at runtime: uses https (with --no-check-certificate
+# to handle self-signed/snakeoil certs) when TLS is on, plain http when off.
 HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
-  CMD wget -qO- --no-check-certificate https://localhost:3001/health || exit 1
+  CMD /bin/sh -c '[ "${TLS_ENABLED:-true}" = "false" ] && wget -qO- http://localhost:${PORT:-3001}/health || wget -qO- --no-check-certificate https://localhost:${PORT:-3001}/health'
 
 CMD ["node", "server/index.js"]

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Gordon Bolton
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -9,6 +9,7 @@
 sofarr connects to your media stack and shows you a personalized view of:
 - **Active Downloads** - See what's currently downloading from Usenet (SABnzbd) and BitTorrent (qBittorrent)
 - **Progress Tracking** - Real-time progress bars with speed, ETA, and completion estimates
+- **Recently Completed** - History tab showing imported and failed downloads from Sonarr/Radarr with deduplication and upgrade-awareness
 - **User Matching** - Downloads are matched to you based on tags in Sonarr/Radarr
 - **Multi-Instance Support** - Connect to multiple instances of each service
 
@@ -279,6 +280,10 @@ sofarr polls all configured services in the background and caches the results. D
 - `GET /api/dashboard/user-summary` — Per-user download counts (admin)
 - `GET /api/dashboard/status` — Server / polling / cache status (admin)
 - `GET /api/dashboard/cover-art` — Proxied cover art image
+- `POST /api/dashboard/blocklist-search` — Blocklist a release and trigger a new search (admin or non-admin with eligibility: import issues OR torrent >1h old AND availability<100%)
+
+### History
+- `GET /api/history/recent` — Recently completed downloads from Sonarr/Radarr history
 
 ### Service APIs (proxy to your services)
 - `GET /api/sabnzbd/*` — SABnzbd API proxy
@@ -323,7 +328,7 @@ npm run test:coverage   # with V8 coverage report (outputs to coverage/)
 npm run test:ui         # interactive Vitest UI
 ```
 
-115 tests across 8 test files covering the security-critical paths: auth middleware, CSRF protection, secret sanitization, config parsing, token store, and qBittorrent utilities. See [`tests/README.md`](tests/README.md) for design decisions and coverage targets.
+145 tests across 10 test files covering the security-critical paths: auth middleware, CSRF protection, secret sanitization, config parsing, token store, qBittorrent utilities, and history deduplication/classification. See [`tests/README.md`](tests/README.md) for design decisions and coverage targets.
 
 ## Development
 
@@ -342,3 +347,4 @@ MIT
 ---
 
 *sofarr: See what has downloaded "so far" from the comfort of your "sofa"*
+

SECURITY.md

@@ -4,9 +4,10 @@
 
 | Version | Supported |
 |---------|-----------|
-| 1.0.x   | ✅ Yes    |
-| 0.2.x   | ❌ No     |
-| 0.1.x   | ❌ No     |
+| 1.2.x   | ✅ Yes    |
+| 1.1.x   | ✅ Yes    |
+| 1.0.x   | ❌ No     |
+| < 1.0   | ❌ No     |
 
 ## Reporting a Vulnerability
 
@@ -79,10 +80,10 @@ services:
       - EMBY_API_KEY_FILE=/run/secrets/emby_api_key
 ```
 
-> Note: File-based secret loading requires application code support.
-> Currently sofarr reads secrets from environment variables only.
-> Mounting secrets as env vars (via `environment:` in compose) is the
-> current supported approach.
+> Since v1.2.0, sofarr natively supports the `_FILE` pattern.
+> Set `COOKIE_SECRET_FILE=/run/secrets/cookie_secret` and sofarr will
+> read the secret value from that file at startup. See `docker-compose.yaml`
+> for a complete example.
 
 ---
 

client/src/App.jsx

@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 import { useState, useEffect } from 'react';
 import axios from 'axios';
 import './App.css';

client/src/main.jsx

@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 import React from 'react'
 import ReactDOM from 'react-dom/client'
 import App from './App.jsx'

client/vite.config.js

@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 import { defineConfig } from 'vite'
 import react from '@vitejs/plugin-react'
 

docker-compose.yaml

@@ -21,7 +21,8 @@ services:
       # Set TLS_ENABLED=false if terminating TLS at a reverse proxy instead.
       # If using a reverse proxy, also set TRUST_PROXY=1 below.
       # - TRUST_PROXY=1
-      # --- Replace placeholders with real values or use Docker secrets ---
+      # --- Secrets: use _FILE variants (Docker secrets) in production -------
+      # Option A — plain environment variables (simple, less secure):
       - COOKIE_SECRET=change-me-generate-with-openssl-rand-hex-32
       - EMBY_URL=https://emby.example.com
       - EMBY_API_KEY=your-emby-api-key
@@ -29,6 +30,17 @@ services:
       - RADARR_INSTANCES=[{"name":"main","url":"https://radarr.example.com","apiKey":"your-radarr-api-key"}]
       - SABNZBD_INSTANCES=[{"name":"main","url":"https://sabnzbd.example.com","apiKey":"your-sabnzbd-api-key"}]
       - QBITTORRENT_INSTANCES=[{"name":"main","url":"https://qbittorrent.example.com","username":"admin","password":"your-password"}]
+      # Option B — Docker secrets (_FILE pattern, recommended for production):
+      # Uncomment the lines below and comment out Option A above.
+      # Create secret files with: echo -n "value" > ./secrets/cookie_secret.txt
+      # - COOKIE_SECRET_FILE=/run/secrets/cookie_secret
+      # - EMBY_API_KEY_FILE=/run/secrets/emby_api_key
+      # - SONARR_API_KEY_FILE=/run/secrets/sonarr_api_key   # legacy single-instance only
+      # - RADARR_API_KEY_FILE=/run/secrets/radarr_api_key   # legacy single-instance only
+      # - SABNZBD_API_KEY_FILE=/run/secrets/sabnzbd_api_key # legacy single-instance only
+    # secrets:                      # uncomment when using Option B
+    #   - cookie_secret
+    #   - emby_api_key
     volumes:
       # Persistent volume for token store and log file
       - sofarr-data:/app/data
@@ -47,9 +59,9 @@ services:
       - ALL                     # drop all Linux capabilities
     cap_add: []                 # add back none — Node.js needs no special caps
     healthcheck:
-      # Uses --no-check-certificate for self-signed / snakeoil certs.
-      # Remove that flag if using a CA-signed certificate.
-      test: ["CMD", "wget", "-qO-", "--no-check-certificate", "https://localhost:3001/health"]
+      # Respects TLS_ENABLED: uses http when set to false, https otherwise.
+      # --no-check-certificate handles self-signed / snakeoil certs.
+      test: ["CMD", "/bin/sh", "-c", "[ \"${TLS_ENABLED:-true}\" = \"false\" ] && wget -qO- http://localhost:${PORT:-3001}/health || wget -qO- --no-check-certificate https://localhost:${PORT:-3001}/health"]
       interval: 30s
       timeout: 5s
       retries: 3
@@ -57,3 +69,10 @@ services:
 
 volumes:
   sofarr-data:
+
+# Docker secrets definitions (uncomment and populate when using Option B above)
+# secrets:
+#   cookie_secret:
+#     file: ./secrets/cookie_secret.txt
+#   emby_api_key:
+#     file: ./secrets/emby_api_key.txt

docs/ARCHITECTURE.md

@@ -161,7 +161,6 @@ sofarr/
 │   └── integration/            # Supertest integration tests (nock for external HTTP)
 ├── docs/
 │   ├── ARCHITECTURE.md         # This document
-│   └── diagrams/               # PlantUML source files
 ├── .gitea/workflows/
 │   ├── ci.yml                  # Security audit + test/coverage CI jobs
 │   ├── build-image.yml         # Docker image build and push
@@ -314,6 +313,7 @@ For each connected user the server:
 | See download/target paths | ✗ | ✓ |
 | See Sonarr/Radarr links | ✗ | ✓ |
 | View status panel | ✗ | ✓ |
+| Blocklist & search | ✓ (when import issues OR torrent >1h old AND availability<100%) | ✓ (all downloads) |
 
 ### Tag Matching
 
@@ -372,18 +372,18 @@ For each download item (SABnzbd slot or qBittorrent torrent):
 ```mermaid
 flowchart TD
     Start(["Download item"]) --> SQ{"Sonarr QUEUE\nmatch (title)"}
-    SQ -->|yes| SQR["Resolve series via seriesMap\nextract user tag → check match"]
-    SQ -->|no|  RQ{"Radarr QUEUE\nmatch (title)"}
-    RQ -->|yes| RQR["Resolve movie via moviesMap\nextract user tag → check match"]
-    RQ -->|no|  SH{"Sonarr HISTORY\nmatch (title)"}
-    SH -->|yes| SHR["Resolve series via seriesId\nextract user tag → check match"]
-    SH -->|no|  RH{"Radarr HISTORY\nmatch (title)"}
-    RH -->|yes| RHR["Resolve movie via movieId\nextract user tag → check match"]
-    RH -->|no|  Skip(["Skip — unmatched"])
+    SQ -->|yes| SQR["Resolve series via seriesMap\nextract user tag, check match"]
+    SQ -->|no| RQ{"Radarr QUEUE\nmatch (title)"}
+    RQ -->|yes| RQR["Resolve movie via moviesMap\nextract user tag, check match"]
+    RQ -->|no| SH{"Sonarr HISTORY\nmatch (title)"}
+    SH -->|yes| SHR["Resolve series via seriesId\nextract user tag, check match"]
+    SH -->|no| RH{"Radarr HISTORY\nmatch (title)"}
+    RH -->|yes| RHR["Resolve movie via movieId\nextract user tag, check match"]
+    RH -->|no| Skip(["Skip - unmatched"])
 
     SQR & RQR & SHR & RHR --> Tagged{"Tag matches\nrequesting user?"}
     Tagged -->|yes| Include(["Include in response"])
-    Tagged -->|no|  Skip
+    Tagged -->|no| Skip
 ```
 
 ### Title Matching
@@ -413,9 +413,18 @@ Each matched download produces an object with:
 | `matchedUserTag` | string / null | Tag label matching the requesting user, or `null` |
 | `tagBadges` | `{label, matchedUser}[]` / undefined | (Admin `showAll` only) Each tag classified against full Emby user list |
 | `importIssues` | string[] / null | Import warning/error messages |
+| `availableForUpgrade` | boolean / undefined | (History) `true` when outcome is `failed` but the content is already on disk (failed upgrade attempt) |
+| `canBlocklist` | boolean | `true` if the current user can blocklist this download (admin: always; non-admin: when import issues OR torrent >1h old AND availability<100%) |
 | `downloadPath` | string / null | (Admin) Download client path |
 | `targetPath` | string / null | (Admin) *arr target path |
 | `arrLink` | string / null | (Admin) Link to *arr web UI |
+| `arrQueueId` | number / null | (Admin, import-pending only) Sonarr/Radarr queue record id |
+| `arrType` | `'sonarr'`/`'radarr'` / null | (Admin, import-pending only) Which *arr service owns this queue entry |
+| `arrInstanceUrl` | string / null | (Admin, import-pending only) Base URL of the *arr instance |
+| `arrInstanceKey` | string / null | (Admin, import-pending only) API key for the *arr instance |
+| `arrContentId` | number / null | (Admin, import-pending only) `episodeId` (Sonarr) or `movieId` (Radarr) for triggering a new search |
+| `arrContentType` | `'episode'`/`'movie'` / null | (Admin, import-pending only) Content type for the search command |
+| `addedOn` | number / null | (qBittorrent only) Unix timestamp when the torrent was added, used for age-based blocklist eligibility |
 
 ---
 
@@ -594,6 +603,50 @@ Admin-only per-user download counts (fetches live from APIs, not cached).
 
 ---
 
+### `POST /api/dashboard/blocklist-search`
+
+Removes a Sonarr/Radarr queue item with `blocklist=true` (preventing the same release being grabbed again), then immediately triggers an `EpisodeSearch` or `MoviesSearch` command.
+
+**Access:** Admin users can blocklist any download. Non-admin users can only blocklist downloads that meet specific eligibility criteria: import issues are present, OR (for qBittorrent torrents only) the download is more than 1 hour old AND has less than 100% availability. The frontend only shows the button when the user is eligible.
+
+Requires CSRF token (`X-CSRF-Token` header).
+
+**Request Body:**
+```json
+{
+  "arrQueueId": 1234,
+  "arrType": "sonarr",
+  "arrInstanceUrl": "https://sonarr.example.com",
+  "arrInstanceKey": "your-api-key",
+  "arrContentId": 5678,
+  "arrContentType": "episode"
+}
+```
+
+| Field | Required | Description |
+|-------|:--------:|-------------|
+| `arrQueueId` | Yes | Sonarr/Radarr queue record `id` |
+| `arrType` | Yes | `"sonarr"` or `"radarr"` |
+| `arrInstanceUrl` | Yes | Base URL of the *arr instance |
+| `arrInstanceKey` | Yes | API key for the *arr instance |
+| `arrContentId` | Yes | `episodeId` (Sonarr) or `movieId` (Radarr) |
+| `arrContentType` | Yes | `"episode"` or `"movie"` |
+
+**Response (200):** `{ "ok": true }`
+
+**Response (400):** Missing or invalid fields.
+
+**Response (403):** Non-admin user attempting to blocklist without meeting eligibility criteria (no import issues and not an eligible torrent).
+
+**Response (502):** Upstream *arr call failed.
+
+**Side Effects:**
+- Calls `DELETE /api/v3/queue/{id}?removeFromClient=true&blocklist=true` on the *arr instance
+- Calls `POST /api/v3/command` with `EpisodeSearch`/`MoviesSearch` on the *arr instance
+- Triggers a background `pollAllServices()` so the next SSE push reflects the removed item
+
+---
+
 ### `GET /api/history/recent`
 
 Returns recently completed (imported or failed) downloads from Sonarr/Radarr history for the authenticated user, filtered to the last `days` days.
@@ -675,14 +728,19 @@ stateDiagram-v2
 |----------|---------|
 | `checkAuthentication()` | On load: check session → show dashboard or login |
 | `handleLogin()` | Authenticate, fade login → splash → dashboard |
+| `goHome()` | Navigate to default view: switch to Active Downloads tab, close status panel, reset showAll |
 | `startSSE()` | Open `EventSource` to `/stream`; handles incoming data + first-message loading hide |
 | `stopSSE()` | Close `EventSource` and cancel reconnect timer |
 | `renderDownloads()` | Diff-based card rendering (create/update/remove) |
-| `createDownloadCard()` | Build DOM for a single download card; renders tag badges |
+| `createDownloadCard()` | Build DOM for a single download card; renders tag badges, import-issue badge, blocklist button |
 | `updateDownloadCard()` | Update existing card in-place (progress, speed, etc.) |
+| `handleBlocklistSearch()` | Confirm dialog → POST `/blocklist-search` → update button state |
 | `toggleStatusPanel()` | Show/hide admin status panel |
 | `renderStatusPanel()` | Build status HTML (server, polling, SSE clients, cache) |
 | `initThemeSwitcher()` | Light / Dark / Mono theme support |
+| `loadHistory()` | Fetch `/api/history/recent`, store raw items, call `renderHistory()` |
+| `renderHistory()` | Filter items by `ignoreAvailable` flag, render history cards |
+| `createHistoryCard()` | Build DOM for a single history card with outcome/upgrade badges |
 
 ### Themes
 
@@ -842,21 +900,23 @@ volumes:
 
 ### CI / CD
 
-The `.gitea/workflows/` directory contains three pipeline definitions:
+The `.gitea/workflows/` directory contains five pipeline definitions:
 
 | File | Trigger | Purpose |
 |------|---------|--------|
-| `ci.yml` | Every push / PR | Security audit (`npm audit --audit-level=high`) + tests with V8 coverage |
-| `build-image.yml` | Push to `main` / `develop` | Build and push Docker image to `docker.i3omb.com` |
-| `create-release.yml` | Tag push (`v*`) | Create a Gitea release |
+| `ci.yml` | Every push / PR (all branches) | Security audit (`npm audit --audit-level=high`) + tests with V8 coverage |
+| `build-image.yml` | Push to `release/**` or `develop` | Build and push Docker image to `reg.i3omb.com`. `release/**` pushes versioned + `latest` tags; `develop` pushes a `:develop` tag. |
+| `create-release.yml` | Tag push (`v*`) | Generate release notes from git log and create a Gitea release |
+| `docs-check.yml` | Push / PR touching `**.md` (non-main / non-release branches) | Markdown lint + Mermaid diagram parse validation |
+| `licence-check.yml` | Push / PR touching `package.json` or `package-lock.json` | Verify all production dependency licences are compatible with MIT |
 
-> **Diagrams** are written in Mermaid and render natively in Gitea — no CI workflow required. See [Section 13](#13-diagrams).
+> **Diagrams** are written in Mermaid and render natively in Gitea — no separate diagram files or CI render step required. See [Section 13](#13-diagrams).
 
 ---
 
 ## 13. Diagrams
 
-All diagrams are written in [Mermaid](https://mermaid.js.org/) and render natively in Gitea and GitHub markdown.
+All diagrams are written in [Mermaid](https://mermaid.js.org/) and render natively in Gitea and GitHub markdown. No external tooling or PNG exports are required — the source is the diagram.
 
 ### 13.1 Component Diagram
 
@@ -941,8 +1001,8 @@ graph TB
     sonarr_r --> sonarr
     radarr_r --> radarr
 
-    appjs -->|POST /login\nGET /me\nGET /csrf\nPOST /logout| auth
-    appjs -->|GET /stream SSE\nGET /user-downloads\nGET /status| dashboard
+    appjs -->|POST /login, GET /me, GET /csrf, POST /logout| auth
+    appjs -->|GET /stream SSE, GET /user-downloads, GET /status| dashboard
     es -->|serve static| html
 ```
 
@@ -976,16 +1036,16 @@ sequenceDiagram
         Note over Browser,Emby: Login
         User->>Browser: Enter credentials (+ rememberMe)
         Browser->>Auth: POST /api/auth/login
-        Note right of Auth: Rate limit: max 10 failed\nattempts per IP / 15 min
-        Auth->>Emby: POST /Users/authenticatebyname\nDeviceId = sha256(username)[0:16]
+        Note right of Auth: Rate limit: max 10 failed attempts per IP / 15 min
+        Auth->>Emby: POST /Users/authenticatebyname (DeviceId = sha256(username)[0:16])
         alt Valid credentials
             Emby-->>Auth: { User.Id, AccessToken }
             Auth->>Emby: GET /Users/{id}
             Emby-->>Auth: { Name, Policy.IsAdministrator }
             Auth->>Tokens: storeToken(userId, AccessToken)
-            Note right of Tokens: Server-side only\n31-day TTL, atomic write
-            Auth->>Auth: Set emby_user cookie\nhttpOnly, sameSite=strict\nsecure (if TRUST_PROXY)\nrememberMe → Max-Age 30d
-            Auth->>Auth: Set csrf_token cookie\nhttpOnly=false, sameSite=strict
+            Note right of Tokens: Server-side only, 31-day TTL, atomic write
+            Auth->>Auth: Set emby_user cookie (httpOnly, sameSite=strict, secure if TRUST_PROXY)
+            Auth->>Auth: Set csrf_token cookie (httpOnly=false, sameSite=strict)
             Auth-->>Browser: { success: true, user, csrfToken }
             Browser->>Browser: showDashboard() + startSSE()
         else Invalid credentials
@@ -1023,7 +1083,7 @@ sequenceDiagram
     User->>Browser: Login success / valid session
     Browser->>Dashboard: GET /api/dashboard/stream (EventSource)
     Dashboard->>Dashboard: requireAuth: extract user/isAdmin
-    Dashboard->>Dashboard: Set Content-Type: text/event-stream\nRegister in activeClients
+    Dashboard->>Dashboard: Set Content-Type: text/event-stream, register in activeClients
 
     opt Polling disabled AND cache empty
         Dashboard->>Poller: pollAllServices()
@@ -1033,7 +1093,7 @@ sequenceDiagram
     end
 
     Dashboard->>Cache: get all poll:* keys
-    Dashboard->>Dashboard: Build maps, match downloads\nextractUserTag / buildTagBadges
+    Dashboard->>Dashboard: Build maps, match downloads, extractUserTag / buildTagBadges
     Dashboard-->>Browser: data: { user, isAdmin, downloads }
     Browser->>Browser: hideLoading() + renderDownloads()
 
@@ -1050,7 +1110,7 @@ sequenceDiagram
 
     User->>Browser: Close tab / logout
     Browser->>Dashboard: TCP close (req close event)
-    Dashboard->>Dashboard: offPollComplete(cb)\nclearInterval(heartbeat)\ndelete activeClients[key]
+    Dashboard->>Dashboard: offPollComplete(cb), clearInterval(heartbeat), delete activeClients[key]
 ```
 
 ### 13.4 Background Polling Cycle
@@ -1094,8 +1154,8 @@ sequenceDiagram
     Poller->>QBT: getTorrents()
     QBT-->>Poller: [{ name, progress, ... }]
 
-    Poller->>Poller: Record per-task timings\nlastPollTimings = { totalMs, timestamp, tasks }
-    Poller->>Cache: set poll:* keys (TTL = POLL_INTERVAL × 3)
+    Poller->>Poller: Record per-task timings: lastPollTimings = { totalMs, timestamp, tasks }
+    Poller->>Cache: set poll:* keys (TTL = POLL_INTERVAL x 3)
     Poller->>Poller: Notify SSE subscribers (forEach cb())
     Poller->>Poller: polling = false
 ```
@@ -1133,10 +1193,12 @@ classDiagram
         +GET /user-summary
         +GET /status
         +GET /cover-art
+        +POST /blocklist-search
         buildDownloadPayload()
         extractUserTag()
         buildTagBadges()
         getEmbyUsers()
+        getImportIssues()
     }
     class RequireAuth["requireAuth.js (Middleware)"] {
         +requireAuth(req, res, next)
@@ -1241,6 +1303,13 @@ classDiagram
         +availability string
         +hash string
         +completedAt string
+        +canBlocklist boolean
+        +addedOn number
+        +arrQueueId number
+        +arrType string
+        +arrInstanceUrl string
+        +arrContentId number
+        +arrContentType string
     }
     class TagBadge {
         +label string
@@ -1285,6 +1354,7 @@ classDiagram
         +num_seeds number
         +num_leechs number
         +availability number
+        +added_on number
     }
     class SonarrQueueRecord {
         +seriesId number
@@ -1330,11 +1400,11 @@ stateDiagram-v2
         Submitting --> [*] : Auth success
     }
 
-    LoginForm --> Dashboard : Auth success\n(fade transition)
+    LoginForm --> Dashboard : Auth success (fade transition)
 
     state Dashboard {
         [*] --> Rendering
-        Rendering --> Rendering : SSE message → renderDownloads()
+        Rendering --> Rendering : SSE message triggers renderDownloads()
         Rendering --> Rendering : Theme change
 
         state SSEConnection {
@@ -1368,13 +1438,13 @@ stateDiagram-v2
 
     state Disabled {
         [*] --> OnDemand
-        OnDemand : No background timer.\nData fetched when dashboard\nrequest finds empty cache.
+        OnDemand : No background timer. Data fetched when dashboard request finds empty cache.
     }
 
     Disabled --> Polling : dashboard triggers pollAllServices()
     Polling --> Disabled : Poll complete (on-demand)
 
-    Idle --> Polling : setInterval fires\nor immediate first poll
+    Idle --> Polling : setInterval fires or immediate first poll
 
     state Polling {
         [*] --> Locked
@@ -1382,7 +1452,7 @@ stateDiagram-v2
         Locked --> Fetching
         Fetching --> Storing : All promises resolved
         Fetching --> HandleError : Per-service error (caught)
-        Storing --> Notifying : Cache updated\nTTL = POLL_INTERVAL × 3
+        Storing --> Notifying : Cache updated, TTL = POLL_INTERVAL x 3
         Notifying : Notify SSE subscribers
         Notifying --> Done
         Done : polling = false
@@ -1401,7 +1471,7 @@ stateDiagram-v2
         [*] --> Skip
         Skip : polling === true, skip cycle
     }
-    Idle --> ConcurrentSkip : Interval fires while\nprevious still running
+    Idle --> ConcurrentSkip : Interval fires while previous still running
     ConcurrentSkip --> Idle : Log skip
 ```
 
@@ -1469,3 +1539,6 @@ flowchart TD
     style AF fill:#d4edda
     style AG fill:#f8d7da
 ```
+
+
+

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "sofarr",
-  "version": "0.1.5",
+  "version": "1.3.0",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "sofarr",
-      "version": "0.1.5",
+      "version": "1.3.0",
       "license": "MIT",
       "dependencies": {
         "axios": "^1.6.0",
@@ -14,7 +14,8 @@
         "dotenv": "^16.3.1",
         "express": "^4.18.2",
         "express-rate-limit": "^7.0.0",
-        "helmet": "^7.0.0"
+        "helmet": "^7.0.0",
+        "jsdom": "^29.1.1"
       },
       "devDependencies": {
         "@vitest/coverage-v8": "^4.1.6",
@@ -25,6 +26,53 @@
         "vitest": "^4.1.6"
       }
     },
+    "node_modules/@asamuzakjp/css-color": {
+      "version": "5.1.11",
+      "resolved": "https://registry.npmjs.org/@asamuzakjp/css-color/-/css-color-5.1.11.tgz",
+      "integrity": "sha512-KVw6qIiCTUQhByfTd78h2yD1/00waTmm9uy/R7Ck/ctUyAPj+AEDLkQIdJW0T8+qGgj3j5bpNKK7Q3G+LedJWg==",
+      "license": "MIT",
+      "dependencies": {
+        "@asamuzakjp/generational-cache": "^1.0.1",
+        "@csstools/css-calc": "^3.2.0",
+        "@csstools/css-color-parser": "^4.1.0",
+        "@csstools/css-parser-algorithms": "^4.0.0",
+        "@csstools/css-tokenizer": "^4.0.0"
+      },
+      "engines": {
+        "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+      }
+    },
+    "node_modules/@asamuzakjp/dom-selector": {
+      "version": "7.1.1",
+      "resolved": "https://registry.npmjs.org/@asamuzakjp/dom-selector/-/dom-selector-7.1.1.tgz",
+      "integrity": "sha512-67RZDnYRc8H/8MLDgQCDE//zoqVFwajkepHZgmXrbwybzXOEwOWGPYGmALYl9J2DOLfFPPs6kKCqmbzV895hTQ==",
+      "license": "MIT",
+      "dependencies": {
+        "@asamuzakjp/generational-cache": "^1.0.1",
+        "@asamuzakjp/nwsapi": "^2.3.9",
+        "bidi-js": "^1.0.3",
+        "css-tree": "^3.2.1",
+        "is-potential-custom-element-name": "^1.0.1"
+      },
+      "engines": {
+        "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+      }
+    },
+    "node_modules/@asamuzakjp/generational-cache": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/@asamuzakjp/generational-cache/-/generational-cache-1.0.1.tgz",
+      "integrity": "sha512-wajfB8KqzMCN2KGNFdLkReeHncd0AslUSrvHVvvYWuU8ghncRJoA50kT3zP9MVL0+9g4/67H+cdvBskj9THPzg==",
+      "license": "MIT",
+      "engines": {
+        "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+      }
+    },
+    "node_modules/@asamuzakjp/nwsapi": {
+      "version": "2.3.9",
+      "resolved": "https://registry.npmjs.org/@asamuzakjp/nwsapi/-/nwsapi-2.3.9.tgz",
+      "integrity": "sha512-n8GuYSrI9bF7FFZ/SjhwevlHc8xaVlb/7HmHelnc/PZXBD2ZR49NnN9sMMuDdEGPeeRQ5d0hqlSlEpgCX3Wl0Q==",
+      "license": "MIT"
+    },
     "node_modules/@babel/helper-string-parser": {
       "version": "7.27.1",
       "resolved": "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.27.1.tgz",
@@ -95,6 +143,152 @@
         "node": ">=18"
       }
     },
+    "node_modules/@bramus/specificity": {
+      "version": "2.4.2",
+      "resolved": "https://registry.npmjs.org/@bramus/specificity/-/specificity-2.4.2.tgz",
+      "integrity": "sha512-ctxtJ/eA+t+6q2++vj5j7FYX3nRu311q1wfYH3xjlLOsczhlhxAg2FWNUXhpGvAw3BWo1xBcvOV6/YLc2r5FJw==",
+      "license": "MIT",
+      "dependencies": {
+        "css-tree": "^3.0.0"
+      },
+      "bin": {
+        "specificity": "bin/cli.js"
+      }
+    },
+    "node_modules/@csstools/color-helpers": {
+      "version": "6.0.2",
+      "resolved": "https://registry.npmjs.org/@csstools/color-helpers/-/color-helpers-6.0.2.tgz",
+      "integrity": "sha512-LMGQLS9EuADloEFkcTBR3BwV/CGHV7zyDxVRtVDTwdI2Ca4it0CCVTT9wCkxSgokjE5Ho41hEPgb8OEUwoXr6Q==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/csstools"
+        },
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/csstools"
+        }
+      ],
+      "license": "MIT-0",
+      "engines": {
+        "node": ">=20.19.0"
+      }
+    },
+    "node_modules/@csstools/css-calc": {
+      "version": "3.2.1",
+      "resolved": "https://registry.npmjs.org/@csstools/css-calc/-/css-calc-3.2.1.tgz",
+      "integrity": "sha512-DtdHlgXh5ZkA43cwBcAm+huzgJiwx3ZTWVjBs94kwz2xKqSimDA3lBgCjphYgwgVUMWatSM0pDd8TILB1yrVVg==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/csstools"
+        },
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/csstools"
+        }
+      ],
+      "license": "MIT",
+      "engines": {
+        "node": ">=20.19.0"
+      },
+      "peerDependencies": {
+        "@csstools/css-parser-algorithms": "^4.0.0",
+        "@csstools/css-tokenizer": "^4.0.0"
+      }
+    },
+    "node_modules/@csstools/css-color-parser": {
+      "version": "4.1.1",
+      "resolved": "https://registry.npmjs.org/@csstools/css-color-parser/-/css-color-parser-4.1.1.tgz",
+      "integrity": "sha512-eZ5XOtyhK+mggRafYUWzA0tvaYOFgdY8AkgQiCJF9qNAePnUo/zmsqqYubBBb3sQ8uNUaSKTY9s9klfRaAXL0g==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/csstools"
+        },
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/csstools"
+        }
+      ],
+      "license": "MIT",
+      "dependencies": {
+        "@csstools/color-helpers": "^6.0.2",
+        "@csstools/css-calc": "^3.2.1"
+      },
+      "engines": {
+        "node": ">=20.19.0"
+      },
+      "peerDependencies": {
+        "@csstools/css-parser-algorithms": "^4.0.0",
+        "@csstools/css-tokenizer": "^4.0.0"
+      }
+    },
+    "node_modules/@csstools/css-parser-algorithms": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/@csstools/css-parser-algorithms/-/css-parser-algorithms-4.0.0.tgz",
+      "integrity": "sha512-+B87qS7fIG3L5h3qwJ/IFbjoVoOe/bpOdh9hAjXbvx0o8ImEmUsGXN0inFOnk2ChCFgqkkGFQ+TpM5rbhkKe4w==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/csstools"
+        },
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/csstools"
+        }
+      ],
+      "license": "MIT",
+      "engines": {
+        "node": ">=20.19.0"
+      },
+      "peerDependencies": {
+        "@csstools/css-tokenizer": "^4.0.0"
+      }
+    },
+    "node_modules/@csstools/css-syntax-patches-for-csstree": {
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/@csstools/css-syntax-patches-for-csstree/-/css-syntax-patches-for-csstree-1.1.4.tgz",
+      "integrity": "sha512-wgsqt92b7C7tQhIdPNxj0n9zuUbQlvAuI1exyzeNrOKOi62SD7ren8zqszmpVREjAOqg8cD2FqYhQfAuKjk4sw==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/csstools"
+        },
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/csstools"
+        }
+      ],
+      "license": "MIT-0",
+      "peerDependencies": {
+        "css-tree": "^3.2.1"
+      },
+      "peerDependenciesMeta": {
+        "css-tree": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@csstools/css-tokenizer": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/@csstools/css-tokenizer/-/css-tokenizer-4.0.0.tgz",
+      "integrity": "sha512-QxULHAm7cNu72w97JUNCBFODFaXpbDg+dP8b/oWFAZ2MTRppA3U00Y2L1HqaS4J6yBqxwa/Y3nMBaxVKbB/NsA==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/csstools"
+        },
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/csstools"
+        }
+      ],
+      "license": "MIT",
+      "engines": {
+        "node": ">=20.19.0"
+      }
+    },
     "node_modules/@emnapi/core": {
       "version": "1.10.0",
       "resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.10.0.tgz",
@@ -129,6 +323,23 @@
         "tslib": "^2.4.0"
       }
     },
+    "node_modules/@exodus/bytes": {
+      "version": "1.15.0",
+      "resolved": "https://registry.npmjs.org/@exodus/bytes/-/bytes-1.15.0.tgz",
+      "integrity": "sha512-UY0nlA+feH81UGSHv92sLEPLCeZFjXOuHhrIo0HQydScuQc8s0A7kL/UdgwgDq8g8ilksmuoF35YVTNphV2aBQ==",
+      "license": "MIT",
+      "engines": {
+        "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+      },
+      "peerDependencies": {
+        "@noble/hashes": "^1.8.0 || ^2.0.0"
+      },
+      "peerDependenciesMeta": {
+        "@noble/hashes": {
+          "optional": true
+        }
+      }
+    },
     "node_modules/@jridgewell/resolve-uri": {
       "version": "3.1.2",
       "resolved": "https://registry.npmjs.org/@jridgewell/resolve-uri/-/resolve-uri-3.1.2.tgz",
@@ -198,7 +409,7 @@
       "version": "1.8.0",
       "resolved": "https://registry.npmjs.org/@noble/hashes/-/hashes-1.8.0.tgz",
       "integrity": "sha512-jCs9ldd7NwzpgXDIf6P3+NrHh9/sD6CQdxHyjQI+h/6rDNo88ypBxxz45UDuZHz9r3tNz7N/VInSVoVdtXEI4A==",
-      "dev": true,
+      "devOptional": true,
       "license": "MIT",
       "engines": {
         "node": "^14.21.3 || >=16"
@@ -854,6 +1065,15 @@
         "node": "18 || 20 || >=22"
       }
     },
+    "node_modules/bidi-js": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/bidi-js/-/bidi-js-1.0.3.tgz",
+      "integrity": "sha512-RKshQI1R3YQ+n9YJz2QQ147P66ELpa1FQEg20Dk8oW9t2KgLbpDLLp9aGZ7y8WHSshDknG0bknqGw5/tyCs5tw==",
+      "license": "MIT",
+      "dependencies": {
+        "require-from-string": "^2.0.2"
+      }
+    },
     "node_modules/binary-extensions": {
       "version": "2.3.0",
       "resolved": "https://registry.npmjs.org/binary-extensions/-/binary-extensions-2.3.0.tgz",
@@ -1168,6 +1388,32 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/css-tree": {
+      "version": "3.2.1",
+      "resolved": "https://registry.npmjs.org/css-tree/-/css-tree-3.2.1.tgz",
+      "integrity": "sha512-X7sjQzceUhu1u7Y/ylrRZFU2FS6LRiFVp6rKLPg23y3x3c3DOKAwuXGDp+PAGjh6CSnCjYeAul8pcT8bAl+lSA==",
+      "license": "MIT",
+      "dependencies": {
+        "mdn-data": "2.27.1",
+        "source-map-js": "^1.2.1"
+      },
+      "engines": {
+        "node": "^10 || ^12.20.0 || ^14.13.0 || >=15.0.0"
+      }
+    },
+    "node_modules/data-urls": {
+      "version": "7.0.0",
+      "resolved": "https://registry.npmjs.org/data-urls/-/data-urls-7.0.0.tgz",
+      "integrity": "sha512-23XHcCF+coGYevirZceTVD7NdJOqVn+49IHyxgszm+JIiHLoB2TkmPtsYkNWT1pvRSGkc35L6NHs0yHkN2SumA==",
+      "license": "MIT",
+      "dependencies": {
+        "whatwg-mimetype": "^5.0.0",
+        "whatwg-url": "^16.0.0"
+      },
+      "engines": {
+        "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+      }
+    },
     "node_modules/date-fns": {
       "version": "2.30.0",
       "resolved": "https://registry.npmjs.org/date-fns/-/date-fns-2.30.0.tgz",
@@ -1194,6 +1440,12 @@
         "ms": "2.0.0"
       }
     },
+    "node_modules/decimal.js": {
+      "version": "10.6.0",
+      "resolved": "https://registry.npmjs.org/decimal.js/-/decimal.js-10.6.0.tgz",
+      "integrity": "sha512-YpgQiITW3JXGntzdUmyUR1V812Hn8T1YVXhCu+wO3OpS4eU9l4YdD3qjyiKdV6mvV29zapkMeD390UVEf2lkUg==",
+      "license": "MIT"
+    },
     "node_modules/delayed-stream": {
       "version": "1.0.0",
       "resolved": "https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz",
@@ -1291,6 +1543,18 @@
         "node": ">= 0.8"
       }
     },
+    "node_modules/entities": {
+      "version": "8.0.0",
+      "resolved": "https://registry.npmjs.org/entities/-/entities-8.0.0.tgz",
+      "integrity": "sha512-zwfzJecQ/Uej6tusMqwAqU/6KL2XaB2VZ2Jg54Je6ahNBGNH6Ek6g3jjNCF0fG9EWQKGZNddNjU5F1ZQn/sBnA==",
+      "license": "BSD-2-Clause",
+      "engines": {
+        "node": ">=20.19.0"
+      },
+      "funding": {
+        "url": "https://github.com/fb55/entities?sponsor=1"
+      }
+    },
     "node_modules/es-define-property": {
       "version": "1.0.1",
       "resolved": "https://registry.npmjs.org/es-define-property/-/es-define-property-1.0.1.tgz",
@@ -1713,6 +1977,18 @@
         "node": ">=16.0.0"
       }
     },
+    "node_modules/html-encoding-sniffer": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/html-encoding-sniffer/-/html-encoding-sniffer-6.0.0.tgz",
+      "integrity": "sha512-CV9TW3Y3f8/wT0BRFc1/KAVQ3TUHiXmaAb6VW9vtiMFf7SLoMd1PdAc4W3KFOFETBJUb90KatHqlsZMWV+R9Gg==",
+      "license": "MIT",
+      "dependencies": {
+        "@exodus/bytes": "^1.6.0"
+      },
+      "engines": {
+        "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+      }
+    },
     "node_modules/html-escaper": {
       "version": "2.0.2",
       "resolved": "https://registry.npmjs.org/html-escaper/-/html-escaper-2.0.2.tgz",
@@ -1873,6 +2149,12 @@
         "node": ">=0.12.0"
       }
     },
+    "node_modules/is-potential-custom-element-name": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/is-potential-custom-element-name/-/is-potential-custom-element-name-1.0.1.tgz",
+      "integrity": "sha512-bCYeRA2rVibKZd+s2625gGnGF/t7DSqDs4dP7CrLA1m7jKWz6pps0LpYLJN8Q64HtmPKJ1hrN3nzPNKFEKOUiQ==",
+      "license": "MIT"
+    },
     "node_modules/istanbul-lib-coverage": {
       "version": "3.2.2",
       "resolved": "https://registry.npmjs.org/istanbul-lib-coverage/-/istanbul-lib-coverage-3.2.2.tgz",
@@ -1932,6 +2214,46 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/jsdom": {
+      "version": "29.1.1",
+      "resolved": "https://registry.npmjs.org/jsdom/-/jsdom-29.1.1.tgz",
+      "integrity": "sha512-ECi4Fi2f7BdJtUKTflYRTiaMxIB0O6zfR1fX0GXpUrf6flp8QIYn1UT20YQqdSOfk2dfkCwS8LAFoJDEppNK5Q==",
+      "license": "MIT",
+      "dependencies": {
+        "@asamuzakjp/css-color": "^5.1.11",
+        "@asamuzakjp/dom-selector": "^7.1.1",
+        "@bramus/specificity": "^2.4.2",
+        "@csstools/css-syntax-patches-for-csstree": "^1.1.3",
+        "@exodus/bytes": "^1.15.0",
+        "css-tree": "^3.2.1",
+        "data-urls": "^7.0.0",
+        "decimal.js": "^10.6.0",
+        "html-encoding-sniffer": "^6.0.0",
+        "is-potential-custom-element-name": "^1.0.1",
+        "lru-cache": "^11.3.5",
+        "parse5": "^8.0.1",
+        "saxes": "^6.0.0",
+        "symbol-tree": "^3.2.4",
+        "tough-cookie": "^6.0.1",
+        "undici": "^7.25.0",
+        "w3c-xmlserializer": "^5.0.0",
+        "webidl-conversions": "^8.0.1",
+        "whatwg-mimetype": "^5.0.0",
+        "whatwg-url": "^16.0.1",
+        "xml-name-validator": "^5.0.0"
+      },
+      "engines": {
+        "node": "^20.19.0 || ^22.13.0 || >=24.0.0"
+      },
+      "peerDependencies": {
+        "canvas": "^3.0.0"
+      },
+      "peerDependenciesMeta": {
+        "canvas": {
+          "optional": true
+        }
+      }
+    },
     "node_modules/json-stringify-safe": {
       "version": "5.0.1",
       "resolved": "https://registry.npmjs.org/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz",
@@ -2207,6 +2529,15 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/lru-cache": {
+      "version": "11.3.6",
+      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-11.3.6.tgz",
+      "integrity": "sha512-Gf/KoL3C/MlI7Bt0PGI9I+TeTC/I6r/csU58N4BSNc4lppLBeKsOdFYkK+dX0ABDUMJNfCHTyPpzwwO21Awd3A==",
+      "license": "BlueOak-1.0.0",
+      "engines": {
+        "node": "20 || >=22"
+      }
+    },
     "node_modules/magic-string": {
       "version": "0.30.21",
       "resolved": "https://registry.npmjs.org/magic-string/-/magic-string-0.30.21.tgz",
@@ -2254,6 +2585,12 @@
         "node": ">= 0.4"
       }
     },
+    "node_modules/mdn-data": {
+      "version": "2.27.1",
+      "resolved": "https://registry.npmjs.org/mdn-data/-/mdn-data-2.27.1.tgz",
+      "integrity": "sha512-9Yubnt3e8A0OKwxYSXyhLymGW4sCufcLG6VdiDdUGVkPhpqLxlvP5vl1983gQjJl3tqbrM731mjaZaP68AgosQ==",
+      "license": "CC0-1.0"
+    },
     "node_modules/media-typer": {
       "version": "0.3.0",
       "resolved": "https://registry.npmjs.org/media-typer/-/media-typer-0.3.0.tgz",
@@ -2518,6 +2855,18 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/parse5": {
+      "version": "8.0.1",
+      "resolved": "https://registry.npmjs.org/parse5/-/parse5-8.0.1.tgz",
+      "integrity": "sha512-z1e/HMG90obSGeidlli3hj7cbocou0/wa5HacvI3ASx34PecNjNQeaHNo5WIZpWofN9kgkqV1q5YvXe3F0FoPw==",
+      "license": "MIT",
+      "dependencies": {
+        "entities": "^8.0.0"
+      },
+      "funding": {
+        "url": "https://github.com/inikulin/parse5?sponsor=1"
+      }
+    },
     "node_modules/parseurl": {
       "version": "1.3.3",
       "resolved": "https://registry.npmjs.org/parseurl/-/parseurl-1.3.3.tgz",
@@ -2628,6 +2977,15 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/punycode": {
+      "version": "2.3.1",
+      "resolved": "https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz",
+      "integrity": "sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=6"
+      }
+    },
     "node_modules/qs": {
       "version": "6.15.2",
       "resolved": "https://registry.npmjs.org/qs/-/qs-6.15.2.tgz",
@@ -2690,6 +3048,15 @@
         "node": ">=0.10.0"
       }
     },
+    "node_modules/require-from-string": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/require-from-string/-/require-from-string-2.0.2.tgz",
+      "integrity": "sha512-Xf0nWe6RseziFMu+Ap9biiUbmplq6S9/p+7w7YXP/JBHhrUDDUhwa+vANyubuqfZWTveU//DYVGsDG7RKL/vEw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
     "node_modules/rolldown": {
       "version": "1.0.1",
       "resolved": "https://registry.npmjs.org/rolldown/-/rolldown-1.0.1.tgz",
@@ -2760,6 +3127,18 @@
       "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==",
       "license": "MIT"
     },
+    "node_modules/saxes": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/saxes/-/saxes-6.0.0.tgz",
+      "integrity": "sha512-xAg7SOnEhrm5zI3puOOKyy1OMcMlIJZYNJY7xLBwSze0UjhPLnWfj2GF2EpT0jmzaJKIWKHLsaSSajf35bcYnA==",
+      "license": "ISC",
+      "dependencies": {
+        "xmlchars": "^2.2.0"
+      },
+      "engines": {
+        "node": ">=v12.22.7"
+      }
+    },
     "node_modules/semver": {
       "version": "7.8.0",
       "resolved": "https://registry.npmjs.org/semver/-/semver-7.8.0.tgz",
@@ -2933,7 +3312,6 @@
       "version": "1.2.1",
       "resolved": "https://registry.npmjs.org/source-map-js/-/source-map-js-1.2.1.tgz",
       "integrity": "sha512-UXWMKhLOwVKb728IUtQPXxfYU+usdybtUrK/8uGE8CQMvrhOpwvzDBwj0QhSL7MQc7vIsISBG8VQ8+IDQxpfQA==",
-      "dev": true,
       "license": "BSD-3-Clause",
       "engines": {
         "node": ">=0.10.0"
@@ -3103,6 +3481,12 @@
         "url": "https://github.com/chalk/supports-color?sponsor=1"
       }
     },
+    "node_modules/symbol-tree": {
+      "version": "3.2.4",
+      "resolved": "https://registry.npmjs.org/symbol-tree/-/symbol-tree-3.2.4.tgz",
+      "integrity": "sha512-9QNk5KwDF+Bvz+PyObkmSYjI5ksVUYtjW7AU22r2NKcfLJcXp96hkDWU3+XndOsUb+AQ9QhfzfCT2O+CNWT5Tw==",
+      "license": "MIT"
+    },
     "node_modules/tinybench": {
       "version": "2.9.0",
       "resolved": "https://registry.npmjs.org/tinybench/-/tinybench-2.9.0.tgz",
@@ -3178,6 +3562,24 @@
         "node": ">=14.0.0"
       }
     },
+    "node_modules/tldts": {
+      "version": "7.0.30",
+      "resolved": "https://registry.npmjs.org/tldts/-/tldts-7.0.30.tgz",
+      "integrity": "sha512-ELrFxuqsDdHUwoh0XxDbxuLD3Wnz49Z57IFvTtvWy1hJdcMZjXLIuonjilCiWHlT2GbE4Wlv1wKVTzDFnXH1aw==",
+      "license": "MIT",
+      "dependencies": {
+        "tldts-core": "^7.0.30"
+      },
+      "bin": {
+        "tldts": "bin/cli.js"
+      }
+    },
+    "node_modules/tldts-core": {
+      "version": "7.0.30",
+      "resolved": "https://registry.npmjs.org/tldts-core/-/tldts-core-7.0.30.tgz",
+      "integrity": "sha512-uiHN8PIB1VmWyS98eZYja4xzlYqeFZVjb4OuYlJQnZAuJhMw4PbKQOKgHKhBdJR3FE/t5mUQ1Kd80++B+qhD1Q==",
+      "license": "MIT"
+    },
     "node_modules/to-regex-range": {
       "version": "5.0.1",
       "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz",
@@ -3210,6 +3612,30 @@
         "nodetouch": "bin/nodetouch.js"
       }
     },
+    "node_modules/tough-cookie": {
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-6.0.1.tgz",
+      "integrity": "sha512-LktZQb3IeoUWB9lqR5EWTHgW/VTITCXg4D21M+lvybRVdylLrRMnqaIONLVb5mav8vM19m44HIcGq4qASeu2Qw==",
+      "license": "BSD-3-Clause",
+      "dependencies": {
+        "tldts": "^7.0.5"
+      },
+      "engines": {
+        "node": ">=16"
+      }
+    },
+    "node_modules/tr46": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/tr46/-/tr46-6.0.0.tgz",
+      "integrity": "sha512-bLVMLPtstlZ4iMQHpFHTR7GAGj2jxi8Dg0s2h2MafAE4uSWF98FC/3MomU51iQAMf8/qDUbKWf5GxuvvVcXEhw==",
+      "license": "MIT",
+      "dependencies": {
+        "punycode": "^2.3.1"
+      },
+      "engines": {
+        "node": ">=20"
+      }
+    },
     "node_modules/tree-kill": {
       "version": "1.2.2",
       "resolved": "https://registry.npmjs.org/tree-kill/-/tree-kill-1.2.2.tgz",
@@ -3247,6 +3673,15 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/undici": {
+      "version": "7.25.0",
+      "resolved": "https://registry.npmjs.org/undici/-/undici-7.25.0.tgz",
+      "integrity": "sha512-xXnp4kTyor2Zq+J1FfPI6Eq3ew5h6Vl0F/8d9XU5zZQf1tX9s2Su1/3PiMmUANFULpmksxkClamIZcaUqryHsQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=20.18.1"
+      }
+    },
     "node_modules/unpipe": {
       "version": "1.0.0",
       "resolved": "https://registry.npmjs.org/unpipe/-/unpipe-1.0.0.tgz",
@@ -3468,6 +3903,50 @@
         "url": "https://github.com/sponsors/jonschlinkert"
       }
     },
+    "node_modules/w3c-xmlserializer": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/w3c-xmlserializer/-/w3c-xmlserializer-5.0.0.tgz",
+      "integrity": "sha512-o8qghlI8NZHU1lLPrpi2+Uq7abh4GGPpYANlalzWxyWteJOCsr/P+oPBA49TOLu5FTZO4d3F9MnWJfiMo4BkmA==",
+      "license": "MIT",
+      "dependencies": {
+        "xml-name-validator": "^5.0.0"
+      },
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/webidl-conversions": {
+      "version": "8.0.1",
+      "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-8.0.1.tgz",
+      "integrity": "sha512-BMhLD/Sw+GbJC21C/UgyaZX41nPt8bUTg+jWyDeg7e7YN4xOM05YPSIXceACnXVtqyEw/LMClUQMtMZ+PGGpqQ==",
+      "license": "BSD-2-Clause",
+      "engines": {
+        "node": ">=20"
+      }
+    },
+    "node_modules/whatwg-mimetype": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/whatwg-mimetype/-/whatwg-mimetype-5.0.0.tgz",
+      "integrity": "sha512-sXcNcHOC51uPGF0P/D4NVtrkjSU2fNsm9iog4ZvZJsL3rjoDAzXZhkm2MWt1y+PUdggKAYVoMAIYcs78wJ51Cw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=20"
+      }
+    },
+    "node_modules/whatwg-url": {
+      "version": "16.0.1",
+      "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-16.0.1.tgz",
+      "integrity": "sha512-1to4zXBxmXHV3IiSSEInrreIlu02vUOvrhxJJH5vcxYTBDAx51cqZiKdyTxlecdKNSjj8EcxGBxNf6Vg+945gw==",
+      "license": "MIT",
+      "dependencies": {
+        "@exodus/bytes": "^1.11.0",
+        "tr46": "^6.0.0",
+        "webidl-conversions": "^8.0.1"
+      },
+      "engines": {
+        "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+      }
+    },
     "node_modules/why-is-node-running": {
       "version": "2.3.0",
       "resolved": "https://registry.npmjs.org/why-is-node-running/-/why-is-node-running-2.3.0.tgz",
@@ -3510,6 +3989,21 @@
       "dev": true,
       "license": "ISC"
     },
+    "node_modules/xml-name-validator": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/xml-name-validator/-/xml-name-validator-5.0.0.tgz",
+      "integrity": "sha512-EvGK8EJ3DhaHfbRlETOWAS5pO9MZITeauHKJyb8wyajUfQUenkIg2MvLDTZ4T/TgIcm3HU0TFBgWWboAZ30UHg==",
+      "license": "Apache-2.0",
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/xmlchars": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/xmlchars/-/xmlchars-2.2.0.tgz",
+      "integrity": "sha512-JZnDKK8B0RCDw84FNdDAIpZK+JuJw+s7Lz8nksI7SIuU3UXJJslUthsi+uWBUYOwPFwW7W7PRLRfUKpxjtjFCw==",
+      "license": "MIT"
+    },
     "node_modules/y18n": {
       "version": "5.0.8",
       "resolved": "https://registry.npmjs.org/y18n/-/y18n-5.0.8.tgz",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "sofarr",
-  "version": "1.1.0",
+  "version": "1.3.1",
   "description": "A personal media download dashboard that shows your downloads 'so far' while you relax on the sofa waiting for your *arr services to finish",
   "main": "server/index.js",
   "scripts": {
@@ -21,7 +21,8 @@
     "dotenv": "^16.3.1",
     "express": "^4.18.2",
     "express-rate-limit": "^7.0.0",
-    "helmet": "^7.0.0"
+    "helmet": "^7.0.0",
+    "jsdom": "^29.1.1"
   },
   "devDependencies": {
     "@vitest/coverage-v8": "^4.1.6",

public/.well-known/security.txt

@@ -0,0 +1,5 @@
+Contact: mailto:gordon@i3omb.com
+Expires: 2026-12-31T23:59:00.000Z
+Preferred-Languages: en
+Canonical: https://git.i3omb.com/Gandalf/sofarr
+Policy: https://git.i3omb.com/Gandalf/sofarr/src/branch/main/SECURITY.md

public/app.js

@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 let currentUser = null;
 let downloads = [];
 let isAdmin = false;
@@ -9,6 +10,8 @@ const SPLASH_MIN_MS = 1200; // minimum splash display time
 let historyDays = parseInt(localStorage.getItem('sofarr-history-days'), 10) || 7;
 let historyRefreshHandle = null;
 const HISTORY_REFRESH_MS = 5 * 60 * 1000; // auto-refresh history every 5 min
+let ignoreAvailable = localStorage.getItem('sofarr-ignore-available') === 'true';
+let lastHistoryItems = []; // raw items from last fetch, for re-filtering without a network round-trip
 
 // SSE stream state
 let sseSource = null;
@@ -27,13 +30,26 @@ document.addEventListener('DOMContentLoaded', () => {
   initThemeSwitcher();
   initTabs();
   initHistoryControls();
-  
+  loadAppVersion();
+
   document.getElementById('login-form').addEventListener('submit', handleLogin);
   document.getElementById('logout-btn').addEventListener('click', handleLogout);
   document.getElementById('show-all-toggle').addEventListener('change', handleShowAllToggle);
   document.getElementById('status-btn').addEventListener('click', toggleStatusPanel);
+  document.getElementById('title-home-link').addEventListener('click', e => { e.preventDefault(); goHome(); });
 });
 
+function loadAppVersion() {
+  fetch('/health')
+    .then(r => r.json())
+    .then(data => {
+      if (data.version) {
+        document.getElementById('app-version').textContent = `sofarr v${data.version}`;
+      }
+    })
+    .catch(() => {});
+}
+
 function initThemeSwitcher() {
   const saved = localStorage.getItem('sofarr-theme') || 'light';
   document.querySelectorAll('.theme-btn').forEach(btn => {
@@ -50,6 +66,18 @@ function setTheme(theme) {
   });
 }
 
+function goHome() {
+  closeStatusPanel();
+  // Reset showAll if active
+  if (showAll) {
+    showAll = false;
+    const toggle = document.getElementById('show-all-toggle');
+    if (toggle) toggle.checked = false;
+    startSSE();
+  }
+  activateTab('downloads', true);
+}
+
 function initTabs() {
   const savedTab = localStorage.getItem('sofarr-active-tab') || 'downloads';
   activateTab(savedTab, false);
@@ -430,6 +458,49 @@ function updateDownloadCard(card, download) {
   }
 }
 
+async function handleBlocklistSearch(btn, download) {
+  if (!confirm(`Blocklist "${download.title}" and trigger a new search?\n\nThis will:\n• Remove the download from the download client\n• Add this release to the blocklist\n• Trigger an automatic search for a new release`)) return;
+
+  btn.disabled = true;
+  btn.textContent = '⏳ Working…';
+
+  try {
+    const res = await fetch('/api/dashboard/blocklist-search', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'X-CSRF-Token': csrfToken
+      },
+      body: JSON.stringify({
+        arrQueueId: download.arrQueueId,
+        arrType: download.arrType,
+        arrInstanceUrl: download.arrInstanceUrl,
+        arrInstanceKey: download.arrInstanceKey,
+        arrContentId: download.arrContentId,
+        arrContentType: download.arrContentType
+      })
+    });
+
+    if (!res.ok) {
+      const data = await res.json().catch(() => ({}));
+      throw new Error(data.error || `HTTP ${res.status}`);
+    }
+
+    btn.textContent = '✓ Done — searching…';
+    btn.className = 'blocklist-search-btn success';
+  } catch (err) {
+    console.error('[Blocklist] Error:', err);
+    btn.disabled = false;
+    btn.textContent = '⛔ Blocklist & Search';
+    btn.className = 'blocklist-search-btn error';
+    btn.title = `Failed: ${err.message}`;
+    setTimeout(() => {
+      btn.className = 'blocklist-search-btn';
+      btn.title = 'Remove this release from the download client, add it to the blocklist, and trigger a new automatic search';
+    }, 4000);
+  }
+}
+
 function createDownloadCard(download) {
   const card = document.createElement('div');
   card.className = `download-card ${download.type}`;
@@ -485,6 +556,15 @@ function createDownloadCard(download) {
     issueBadge.setAttribute('data-tooltip', download.importIssues.join('\n'));
     header.appendChild(issueBadge);
   }
+
+  if ((isAdmin || download.canBlocklist) && download.arrQueueId) {
+    const blBtn = document.createElement('button');
+    blBtn.className = 'blocklist-search-btn';
+    blBtn.textContent = '⛔ Blocklist & Search';
+    blBtn.title = 'Remove this release from the download client, add it to the blocklist, and trigger a new automatic search';
+    blBtn.addEventListener('click', () => handleBlocklistSearch(blBtn, download));
+    header.appendChild(blBtn);
+  }
   
   const title = document.createElement('h3');
   title.className = 'download-title';
@@ -857,6 +937,7 @@ function hideLoading() {
 function initHistoryControls() {
   const daysInput = document.getElementById('history-days');
   const refreshBtn = document.getElementById('history-refresh-btn');
+  const ignoreToggle = document.getElementById('ignore-available-toggle');
   if (daysInput) {
     daysInput.addEventListener('change', () => {
       const v = parseInt(daysInput.value, 10);
@@ -870,6 +951,14 @@ function initHistoryControls() {
   if (refreshBtn) {
     refreshBtn.addEventListener('click', () => loadHistory(true));
   }
+  if (ignoreToggle) {
+    ignoreToggle.checked = ignoreAvailable;
+    ignoreToggle.addEventListener('change', () => {
+      ignoreAvailable = ignoreToggle.checked;
+      localStorage.setItem('sofarr-ignore-available', ignoreAvailable);
+      renderHistory(lastHistoryItems);
+    });
+  }
 }
 
 function startHistoryRefresh() {
@@ -885,6 +974,7 @@ function stopHistoryRefresh() {
 }
 
 function clearHistory() {
+  lastHistoryItems = [];
   document.getElementById('history-list').innerHTML = '';
   document.getElementById('no-history').style.display = 'none';
   document.getElementById('history-error').style.display = 'none';
@@ -908,7 +998,8 @@ async function loadHistory(forceRefresh = false) {
     if (!res.ok) throw new Error(`HTTP ${res.status}`);
     const data = await res.json();
     loadingEl.style.display = 'none';
-    renderHistory(data.history || []);
+    lastHistoryItems = data.history || [];
+    renderHistory(lastHistoryItems);
   } catch (err) {
     loadingEl.style.display = 'none';
     errorEl.textContent = 'Failed to load history.';
@@ -921,12 +1012,15 @@ function renderHistory(items) {
   const listEl = document.getElementById('history-list');
   const noHistoryEl = document.getElementById('no-history');
   listEl.innerHTML = '';
-  if (!items.length) {
+  const visible = ignoreAvailable
+    ? items.filter(item => !(item.outcome === 'failed' && item.availableForUpgrade))
+    : items;
+  if (!visible.length) {
     noHistoryEl.style.display = 'block';
     return;
   }
   noHistoryEl.style.display = 'none';
-  items.forEach(item => listEl.appendChild(createHistoryCard(item)));
+  visible.forEach(item => listEl.appendChild(createHistoryCard(item)));
 }
 
 function createHistoryCard(item) {
@@ -961,6 +1055,14 @@ function createHistoryCard(item) {
   outcomeBadge.textContent = item.outcome === 'imported' ? '✓ Imported' : '✗ Failed';
   header.appendChild(outcomeBadge);
 
+  if (item.availableForUpgrade) {
+    const upgradeBadge = document.createElement('span');
+    upgradeBadge.className = 'history-upgrade-badge';
+    upgradeBadge.title = 'A previous version of this item is available. An upgrade download has failed.';
+    upgradeBadge.textContent = '⬆ Available';
+    header.appendChild(upgradeBadge);
+  }
+
   if (item.instanceName) {
     const instBadge = document.createElement('span');
     instBadge.className = 'history-instance-badge';

public/index.html

@@ -46,7 +46,7 @@
         <!-- Dashboard -->
         <div id="dashboard-container" class="dashboard-container" style="display: none;">
             <header class="app-header">
-                <h1>sofarr</h1>
+                <h1><a href="#" class="title-link" id="title-home-link"><img src="favicon-192.png" alt="" class="title-logo">sofarr</a></h1>
                 <div class="header-controls">
                     <div class="theme-switcher">
                         <button class="theme-btn active" data-theme="light">Light</button>
@@ -98,6 +98,10 @@
                                 <input type="number" id="history-days" class="history-days-input" value="7" min="1" max="90">
                                 <span class="history-days-label">days</span>
                                 <button id="history-refresh-btn" class="history-refresh-btn" title="Refresh history">&#8635;</button>
+                                <label class="history-toggle-label" id="ignore-available-label" data-tooltip="Hide failed downloads where the item is already available on disk (i.e. a failed upgrade attempt)">
+                                    <input type="checkbox" id="ignore-available-toggle">
+                                    <span>Hide upgrade failures</span>
+                                </label>
                             </div>
                         </div>
                         <div id="history-loading" class="history-loading" style="display: none;">Loading history...</div>
@@ -112,6 +116,7 @@
 
             <footer class="app-footer">
                 <p>Ensure your media is tagged with your username in Sonarr/Radarr to match downloads to users.</p>
+                <a href="https://git.i3omb.com/Gandalf/sofarr" target="_blank" rel="noopener noreferrer" class="app-version" id="app-version"></a>
             </footer>
         </div>
     </div>

public/style.css

@@ -714,6 +714,41 @@ body {
   color: var(--text-primary);
 }
 
+.history-toggle-label {
+  display: inline-flex;
+  align-items: center;
+  gap: 5px;
+  font-size: 0.82rem;
+  color: var(--text-secondary);
+  cursor: pointer;
+  user-select: none;
+  margin-left: 4px;
+  position: relative;
+}
+
+.history-toggle-label[data-tooltip]:hover::after {
+  content: attr(data-tooltip);
+  position: absolute;
+  left: 0;
+  top: calc(100% + 6px);
+  z-index: 20;
+  background: var(--surface);
+  color: var(--text-primary);
+  border: 1px solid var(--border);
+  border-radius: 6px;
+  padding: 8px 10px;
+  font-size: 0.75rem;
+  white-space: pre-line;
+  box-shadow: 0 4px 12px rgba(0,0,0,0.15);
+  max-width: 280px;
+  pointer-events: none;
+}
+
+.history-toggle-label input[type="checkbox"] {
+  cursor: pointer;
+  accent-color: var(--accent, #2980b9);
+}
+
 .history-loading,
 .history-error,
 .no-history {
@@ -779,7 +814,8 @@ body {
 
 .history-type-badge,
 .history-outcome-badge,
-.history-instance-badge {
+.history-instance-badge,
+.history-upgrade-badge {
   font-size: 0.72rem;
   font-weight: 600;
   padding: 2px 7px;
@@ -787,6 +823,12 @@ body {
   white-space: nowrap;
 }
 
+.history-upgrade-badge {
+  background: #e67e22;
+  color: #fff;
+  cursor: default;
+}
+
 .history-type-badge.series {
   background: var(--badge-series-bg, #2980b9);
   color: #fff;
@@ -866,6 +908,41 @@ body {
   opacity: 0.8;
 }
 
+.app-version {
+  font-size: 0.72rem;
+  opacity: 0.5;
+  margin-top: 4px;
+  color: inherit;
+  text-decoration: none;
+  display: inline-block;
+}
+
+.app-version:hover {
+  opacity: 0.8;
+  text-decoration: underline;
+  text-underline-offset: 2px;
+}
+
+.title-link {
+  color: inherit;
+  text-decoration: none;
+  display: inline-flex;
+  align-items: center;
+  gap: 8px;
+}
+
+.title-link:hover {
+  text-decoration: underline;
+  text-underline-offset: 3px;
+}
+
+.title-logo {
+  width: 56px;
+  height: 56px;
+  display: block;
+  flex-shrink: 0;
+}
+
 /* ===== Login ===== */
 .login-container {
   display: flex;
@@ -1060,20 +1137,54 @@ body {
   position: absolute;
   top: calc(100% + 6px);
   left: 0;
-  background: #424242;
-  color: #fff;
-  padding: 8px 12px;
+  z-index: 20;
+  background: var(--surface);
+  color: var(--text-primary);
+  border: 1px solid var(--border);
   border-radius: 6px;
-  font-size: 0.7rem;
+  padding: 8px 10px;
+  font-size: 0.75rem;
   font-weight: 400;
   white-space: pre-line;
   max-width: 320px;
-  z-index: 100;
-  box-shadow: 0 2px 8px rgba(0,0,0,0.25);
+  box-shadow: 0 4px 12px rgba(0,0,0,0.15);
   line-height: 1.4;
   pointer-events: none;
 }
 
+.blocklist-search-btn {
+  font-size: 0.68rem;
+  font-weight: 600;
+  padding: 2px 8px;
+  border-radius: 10px;
+  border: 1px solid var(--error, #e74c3c);
+  background: transparent;
+  color: var(--error, #e74c3c);
+  cursor: pointer;
+  white-space: nowrap;
+  transition: background 0.15s, color 0.15s;
+}
+
+.blocklist-search-btn:hover:not(:disabled) {
+  background: var(--error, #e74c3c);
+  color: #fff;
+}
+
+.blocklist-search-btn:disabled {
+  opacity: 0.6;
+  cursor: default;
+}
+
+.blocklist-search-btn.success {
+  border-color: var(--success, #27ae60);
+  color: var(--success, #27ae60);
+}
+
+.blocklist-search-btn.error {
+  background: var(--error, #e74c3c);
+  color: #fff;
+}
+
 .download-user-badge {
   padding: 2px 8px;
   border-radius: 10px;

server/app.js

@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 /**
  * Express application factory — imported by both server/index.js (production)
  * and the test suite. Keeping app creation separate from app.listen() means

server/index.js

@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 const express = require('express');
 const path = require('path');
 const cookieParser = require('cookie-parser');
@@ -8,6 +9,8 @@ const fs = require('fs');
 const http = require('http');
 const https = require('https');
 require('dotenv').config();
+require('./utils/loadSecrets')();
+const { version } = require('../package.json');
 
 // Setup logging with levels
 // Levels: debug (0), info (1), warn (2), error (3), silent (4)
@@ -83,6 +86,7 @@ const historyRoutes = require('./routes/history');
 const authRoutes = require('./routes/auth');
 const verifyCsrf = require('./middleware/verifyCsrf');
 const { startPoller, POLL_INTERVAL, POLLING_ENABLED } = require('./utils/poller');
+const { validateInstanceUrl } = require('./utils/config');
 
 // ---------------------------------------------------------------------------
 // Startup environment validation
@@ -93,11 +97,16 @@ if (!cookieSecret && process.env.NODE_ENV === 'production') {
   process.exit(1);
 } else if (!cookieSecret) {
   console.warn('[Security] COOKIE_SECRET not set — unsigned cookies (dev only)');
+} else if (cookieSecret.length < 32) {
+  console.warn('[Security] COOKIE_SECRET is shorter than 32 characters — use openssl rand -hex 32');
 }
 if (!process.env.EMBY_URL && process.env.NODE_ENV === 'production') {
   console.error('[Config] EMBY_URL is required');
   process.exit(1);
 }
+if (process.env.EMBY_URL) {
+  validateInstanceUrl(process.env.EMBY_URL, 'EMBY_URL');
+}
 
 const app = express();
 const PORT = process.env.PORT || 3001;
@@ -188,7 +197,7 @@ app.use(express.json({ limit: '64kb' })); // prevent oversized JSON payloads
 // Used by Docker HEALTHCHECK and orchestrators.
 // ---------------------------------------------------------------------------
 app.get('/health', (req, res) => {
-  res.json({ status: 'ok', uptime: process.uptime() });
+  res.json({ status: 'ok', uptime: process.uptime(), version });
 });
 
 app.get('/ready', (req, res) => {
@@ -300,7 +309,7 @@ const isSnakeoil = TLS_ENABLED &&
 
 server.listen(PORT, () => {
   console.log(`=================================`);
-  console.log(`  sofarr - Your Downloads Dashboard`);
+  console.log(`  sofarr v${version} - Your Downloads Dashboard`);
   console.log(`  Server running on ${protocol}://localhost:${PORT}`);
   if (tlsCredentials && isSnakeoil) {
     console.warn(`  [TLS] Using bundled snakeoil certificate (self-signed).`);
@@ -317,3 +326,27 @@ server.listen(PORT, () => {
   console.log(`=================================`);
   startPoller();
 });
+
+// ---------------------------------------------------------------------------
+// Graceful shutdown — handle SIGTERM (Docker stop) and SIGINT (Ctrl+C)
+// Stop the poller, close the HTTP server (stops accepting new connections),
+// then let Node drain existing keep-alive connections and exit cleanly.
+// ---------------------------------------------------------------------------
+const { stopPoller } = require('./utils/poller');
+
+function shutdown(signal) {
+  console.log(`[Server] ${signal} received — shutting down gracefully`);
+  stopPoller();
+  server.close(() => {
+    console.log('[Server] HTTP server closed');
+    process.exit(0);
+  });
+  // Force exit after 10 s if connections don't drain
+  setTimeout(() => {
+    console.error('[Server] Forced exit after 10 s timeout');
+    process.exit(1);
+  }, 10000).unref();
+}
+
+process.on('SIGTERM', () => shutdown('SIGTERM'));
+process.on('SIGINT',  () => shutdown('SIGINT'));

server/middleware/requireAuth.js

@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 function requireAuth(req, res, next) {
   const signed = !!process.env.COOKIE_SECRET;
   const raw = signed ? req.signedCookies.emby_user : req.cookies.emby_user;

server/middleware/verifyCsrf.js

@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 /**
  * CSRF protection using the double-submit cookie pattern.
  *

server/routes/auth.js

@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 const express = require('express');
 const axios = require('axios');
 const crypto = require('crypto');

server/routes/dashboard.js

@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 const express = require('express');
 const router = express.Router();
 const requireAuth = require('../middleware/requireAuth');
@@ -94,6 +95,23 @@ function getRadarrLink(movie) {
   return `${movie._instanceUrl}/movie/${movie.titleSlug}`;
 }
 
+// Determine if a download can be blocklisted by the current user
+// Admins: always true (they have arrQueueId)
+// Non-admins: true if importIssues OR (torrent >1h old AND availability<100%)
+function canBlocklist(download, isAdmin) {
+  if (isAdmin) return true;
+  if (download.importIssues && download.importIssues.length > 0) return true;
+  if (download.qbittorrent && download.addedOn && download.availability) {
+    const oneHourAgo = Date.now() - 3600000; // 1 hour in ms
+    const addedOn = new Date(download.addedOn).getTime();
+    const isOldEnough = addedOn < oneHourAgo;
+    const availability = parseFloat(download.availability);
+    const isLowAvailability = availability < 100;
+    return isOldEnough && isLowAvailability;
+  }
+  return false;
+}
+
 // Extract episode info from a Sonarr queue/history record.
 // Returns { season, episode, title } or null if data is missing.
 function extractEpisode(record) {
@@ -321,7 +339,14 @@ router.get('/user-downloads', requireAuth, async (req, res) => {
                   dlObj.downloadPath = slot.storage || null;
                   dlObj.targetPath = series.path || null;
                   dlObj.arrLink = getSonarrLink(series);
+                  dlObj.arrQueueId = sonarrMatch.id;
+                  dlObj.arrType = 'sonarr';
+                  dlObj.arrInstanceUrl = sonarrMatch._instanceUrl || null;
+                  dlObj.arrInstanceKey = sonarrMatch._instanceKey || null;
+                  dlObj.arrContentId = sonarrMatch.episodeId || null;
+                  dlObj.arrContentType = 'episode';
                 }
+                dlObj.canBlocklist = canBlocklist(dlObj, isAdmin);
                 userDownloads.push(dlObj);
               }
             }
@@ -363,7 +388,14 @@ router.get('/user-downloads', requireAuth, async (req, res) => {
                   dlObj.downloadPath = slot.storage || null;
                   dlObj.targetPath = movie.path || null;
                   dlObj.arrLink = getRadarrLink(movie);
+                  dlObj.arrQueueId = radarrMatch.id;
+                  dlObj.arrType = 'radarr';
+                  dlObj.arrInstanceUrl = radarrMatch._instanceUrl || null;
+                  dlObj.arrInstanceKey = radarrMatch._instanceKey || null;
+                  dlObj.arrContentId = radarrMatch.movieId || null;
+                  dlObj.arrContentType = 'movie';
                 }
+                dlObj.canBlocklist = canBlocklist(dlObj, isAdmin);
                 userDownloads.push(dlObj);
               }
             }
@@ -520,7 +552,14 @@ router.get('/user-downloads', requireAuth, async (req, res) => {
                 download.downloadPath = download.savePath || null;
                 download.targetPath = series.path || null;
                 download.arrLink = getSonarrLink(series);
+                download.arrQueueId = sonarrMatch.id;
+                download.arrType = 'sonarr';
+                download.arrInstanceUrl = sonarrMatch._instanceUrl || null;
+                download.arrInstanceKey = sonarrMatch._instanceKey || null;
+                download.arrContentId = sonarrMatch.episodeId || null;
+                download.arrContentType = 'episode';
               }
+              download.canBlocklist = canBlocklist(download, isAdmin);
               userDownloads.push(download);
               continue; // Skip to next torrent
             }
@@ -555,7 +594,14 @@ router.get('/user-downloads', requireAuth, async (req, res) => {
                 download.downloadPath = download.savePath || null;
                 download.targetPath = movie.path || null;
                 download.arrLink = getRadarrLink(movie);
+                download.arrQueueId = radarrMatch.id;
+                download.arrType = 'radarr';
+                download.arrInstanceUrl = radarrMatch._instanceUrl || null;
+                download.arrInstanceKey = radarrMatch._instanceKey || null;
+                download.arrContentId = radarrMatch.movieId || null;
+                download.arrContentType = 'movie';
               }
+              download.canBlocklist = canBlocklist(download, isAdmin);
               userDownloads.push(download);
               continue; // Skip to next torrent
             }
@@ -893,7 +939,8 @@ router.get('/stream', requireAuth, async (req, res) => {
                 const dlObj = { type: 'series', title: nzbName, coverArt: getCoverArt(series), status: slotState.status, progress: slot.percentage, mb: slot.mb, mbmissing: slot.mbmissing, size: slot.size, speed: slotState.speed, eta: slot.timeleft, seriesName: series.title, episodes: gatherEpisodes(nzbNameLower, sonarrQueue.data.records), allTags, matchedUserTag: matchedUserTag || null, tagBadges: showAll ? buildTagBadges(allTags, embyUserMap) : undefined };
                 const issues = getImportIssues(sonarrMatch);
                 if (issues) dlObj.importIssues = issues;
-                if (isAdmin) { dlObj.downloadPath = slot.storage || null; dlObj.targetPath = series.path || null; dlObj.arrLink = getSonarrLink(series); }
+                if (isAdmin) { dlObj.downloadPath = slot.storage || null; dlObj.targetPath = series.path || null; dlObj.arrLink = getSonarrLink(series); dlObj.arrQueueId = sonarrMatch.id; dlObj.arrType = 'sonarr'; dlObj.arrInstanceUrl = sonarrMatch._instanceUrl || null; dlObj.arrInstanceKey = sonarrMatch._instanceKey || null; dlObj.arrContentId = sonarrMatch.episodeId || null; dlObj.arrContentType = 'episode'; }
+                dlObj.canBlocklist = canBlocklist(dlObj, isAdmin);
                 userDownloads.push(dlObj);
               }
             }
@@ -912,7 +959,8 @@ router.get('/stream', requireAuth, async (req, res) => {
                 const dlObj = { type: 'movie', title: nzbName, coverArt: getCoverArt(movie), status: slotState.status, progress: slot.percentage, mb: slot.mb, mbmissing: slot.mbmissing, size: slot.size, speed: slotState.speed, eta: slot.timeleft, movieName: movie.title, movieInfo: radarrMatch, allTags, matchedUserTag: matchedUserTag || null, tagBadges: showAll ? buildTagBadges(allTags, embyUserMap) : undefined };
                 const issues = getImportIssues(radarrMatch);
                 if (issues) dlObj.importIssues = issues;
-                if (isAdmin) { dlObj.downloadPath = slot.storage || null; dlObj.targetPath = movie.path || null; dlObj.arrLink = getRadarrLink(movie); }
+                if (isAdmin) { dlObj.downloadPath = slot.storage || null; dlObj.targetPath = movie.path || null; dlObj.arrLink = getRadarrLink(movie); dlObj.arrQueueId = radarrMatch.id; dlObj.arrType = 'radarr'; dlObj.arrInstanceUrl = radarrMatch._instanceUrl || null; dlObj.arrInstanceKey = radarrMatch._instanceKey || null; dlObj.arrContentId = radarrMatch.movieId || null; dlObj.arrContentType = 'movie'; }
+                dlObj.canBlocklist = canBlocklist(dlObj, isAdmin);
                 userDownloads.push(dlObj);
               }
             }
@@ -979,7 +1027,8 @@ router.get('/stream', requireAuth, async (req, res) => {
               const download = mapTorrentToDownload(torrent);
               Object.assign(download, { type: 'series', coverArt: getCoverArt(series), seriesName: series.title, episodes: gatherEpisodes(torrentNameLower, sonarrQueue.data.records), allTags, matchedUserTag: matchedUserTag || null, tagBadges: showAll ? buildTagBadges(allTags, embyUserMap) : undefined });
               const issues = getImportIssues(sonarrMatch); if (issues) download.importIssues = issues;
-              if (isAdmin) { download.downloadPath = download.savePath || null; download.targetPath = series.path || null; download.arrLink = getSonarrLink(series); }
+              if (isAdmin) { download.downloadPath = download.savePath || null; download.targetPath = series.path || null; download.arrLink = getSonarrLink(series); download.arrQueueId = sonarrMatch.id; download.arrType = 'sonarr'; download.arrInstanceUrl = sonarrMatch._instanceUrl || null; download.arrInstanceKey = sonarrMatch._instanceKey || null; download.arrContentId = sonarrMatch.episodeId || null; download.arrContentType = 'episode'; }
+              download.canBlocklist = canBlocklist(download, isAdmin);
               userDownloads.push(download); continue;
             }
           }
@@ -995,7 +1044,8 @@ router.get('/stream', requireAuth, async (req, res) => {
               const download = mapTorrentToDownload(torrent);
               Object.assign(download, { type: 'movie', coverArt: getCoverArt(movie), movieName: movie.title, movieInfo: radarrMatch, allTags, matchedUserTag: matchedUserTag || null, tagBadges: showAll ? buildTagBadges(allTags, embyUserMap) : undefined });
               const issues = getImportIssues(radarrMatch); if (issues) download.importIssues = issues;
-              if (isAdmin) { download.downloadPath = download.savePath || null; download.targetPath = movie.path || null; download.arrLink = getRadarrLink(movie); }
+              if (isAdmin) { download.downloadPath = download.savePath || null; download.targetPath = movie.path || null; download.arrLink = getRadarrLink(movie); download.arrQueueId = radarrMatch.id; download.arrType = 'radarr'; download.arrInstanceUrl = radarrMatch._instanceUrl || null; download.arrInstanceKey = radarrMatch._instanceKey || null; download.arrContentId = radarrMatch.movieId || null; download.arrContentType = 'movie'; }
+              download.canBlocklist = canBlocklist(download, isAdmin);
               userDownloads.push(download); continue;
             }
           }
@@ -1059,4 +1109,68 @@ router.get('/stream', requireAuth, async (req, res) => {
   });
 });
 
+/**
+ * POST /api/dashboard/blocklist-search
+ *
+ * Admin-only. Removes a queue item from Sonarr/Radarr with blocklist=true
+ * (so the release is not grabbed again), then immediately triggers a new
+ * automatic search for the same episode/movie.
+ *
+ * Body: {
+ *   arrQueueId:    number   — Sonarr/Radarr queue record id
+ *   arrType:       'sonarr'|'radarr'
+ *   arrInstanceUrl: string  — base URL of the arr instance
+ *   arrInstanceKey: string  — API key for the arr instance
+ *   arrContentId:  number   — episodeId (Sonarr) or movieId (Radarr)
+ *   arrContentType: 'episode'|'movie'
+ * }
+ */
+router.post('/blocklist-search', requireAuth, async (req, res) => {
+  try {
+    const user = req.user;
+    if (!user.isAdmin) {
+      return res.status(403).json({ error: 'Admin access required' });
+    }
+
+    const { arrQueueId, arrType, arrInstanceUrl, arrInstanceKey, arrContentId, arrContentType } = req.body;
+
+    if (!arrQueueId || !arrType || !arrInstanceUrl || !arrInstanceKey || !arrContentId || !arrContentType) {
+      return res.status(400).json({ error: 'Missing required fields' });
+    }
+    if (arrType !== 'sonarr' && arrType !== 'radarr') {
+      return res.status(400).json({ error: 'arrType must be sonarr or radarr' });
+    }
+
+    const headers = { 'X-Api-Key': arrInstanceKey };
+
+    // Step 1: Remove from queue with blocklist=true
+    await axios.delete(`${arrInstanceUrl}/api/v3/queue/${arrQueueId}`, {
+      headers,
+      params: { removeFromClient: true, blocklist: true }
+    });
+
+    // Step 2: Trigger a new automatic search
+    let commandBody;
+    if (arrType === 'sonarr' && arrContentType === 'episode') {
+      commandBody = { name: 'EpisodeSearch', episodeIds: [arrContentId] };
+    } else if (arrType === 'radarr' && arrContentType === 'movie') {
+      commandBody = { name: 'MoviesSearch', movieIds: [arrContentId] };
+    }
+
+    if (commandBody) {
+      await axios.post(`${arrInstanceUrl}/api/v3/command`, commandBody, { headers });
+    }
+
+    // Invalidate the poll cache so the next SSE push reflects the removed item
+    const { pollAllServices } = require('../utils/poller');
+    pollAllServices().catch(() => {});
+
+    console.log(`[Dashboard] Blocklist+search: ${arrType} queueId=${arrQueueId} contentId=${arrContentId} by ${user.name}`);
+    res.json({ ok: true });
+  } catch (err) {
+    console.error('[Dashboard] blocklist-search error:', sanitizeError(err));
+    res.status(502).json({ error: 'Failed to blocklist and search', details: sanitizeError(err) });
+  }
+});
+
 module.exports = router;

server/routes/emby.js

@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 const express = require('express');
 const axios = require('axios');
 const router = express.Router();

server/routes/history.js

@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 const express = require('express');
 const router = express.Router();
 const axios = require('axios');
@@ -114,6 +115,75 @@ function gatherEpisodes(titleLower, records) {
   return episodes;
 }
 
+/**
+ * Deduplicate history items so that for each unique content item (episode or
+ * movie) only the most-recent record is shown, with the following rules:
+ *
+ *  - If the most recent event is 'imported'  → show it; suppress older failures.
+ *  - If the most recent event is 'failed' and the item currently has a file
+ *    (hasFile = true) → show the failure but flag it as availableForUpgrade:true
+ *    so the UI can indicate the item is available but an upgrade is in progress.
+ *  - If the most recent event is 'failed' and hasFile is false → show normally.
+ *
+ * Items are keyed by: type + instanceName + contentId (episodeId or movieId).
+ * Records without a contentId fall through unchanged (no deduplication possible).
+ *
+ * @param {Array} items - Already-built history items (unsorted)
+ * @param {Array} sonarrRaw - Raw Sonarr records (for hasFile lookup)
+ * @param {Array} radarrRaw - Raw Radarr records (for hasFile lookup)
+ * @returns {Array}
+ */
+function deduplicateHistoryItems(items, sonarrRaw, radarrRaw) {
+  // Build hasFile lookup: contentId → boolean
+  const sonarrHasFile = new Map();
+  for (const r of sonarrRaw) {
+    const id = r.episodeId;
+    if (id != null) {
+      const hf = r.episode && r.episode.hasFile != null ? r.episode.hasFile : undefined;
+      if (hf !== undefined && !sonarrHasFile.has(id)) sonarrHasFile.set(id, hf);
+    }
+  }
+  const radarrHasFile = new Map();
+  for (const r of radarrRaw) {
+    const id = r.movieId;
+    if (id != null) {
+      const hf = r.movie && r.movie.hasFile != null ? r.movie.hasFile : undefined;
+      if (hf !== undefined && !radarrHasFile.has(id)) radarrHasFile.set(id, hf);
+    }
+  }
+
+  // Group items by dedup key; preserve insertion order (newest first from caller)
+  const groups = new Map();
+  const noKey = [];
+  for (const item of items) {
+    const cid = item._contentId;
+    if (cid == null) { noKey.push(item); continue; }
+    const key = `${item.type}|${item.instanceName}|${cid}`;
+    if (!groups.has(key)) groups.set(key, []);
+    groups.get(key).push(item);
+  }
+
+  const result = [...noKey];
+  for (const [, group] of groups) {
+    // group[0] is the most recent (items are pushed in date-descending order)
+    const best = group[0];
+    if (best.outcome === 'imported') {
+      result.push(best);
+      continue;
+    }
+    if (best.outcome === 'failed') {
+      const hasFile = best.type === 'series'
+        ? sonarrHasFile.get(best._contentId)
+        : radarrHasFile.get(best._contentId);
+      if (hasFile) best.availableForUpgrade = true;
+      result.push(best);
+      continue;
+    }
+    result.push(best);
+  }
+  return result;
+}
+
 function getSonarrLink(series) {
   if (!series || !series._instanceUrl || !series.titleSlug) return null;
   return `${series._instanceUrl}/series/${series.titleSlug}`;
@@ -223,7 +293,8 @@ router.get('/recent', requireAuth, async (req, res) => {
           arrLink: getSonarrLink(series),
           allTags,
           matchedUserTag: matchedUserTag || null,
-          tagBadges: showAll ? buildTagBadges(allTags, embyUserMap) : undefined
+          tagBadges: showAll ? buildTagBadges(allTags, embyUserMap) : undefined,
+          _contentId: record.episodeId != null ? record.episodeId : null
         };
 
         if (isAdmin) {
@@ -270,7 +341,8 @@ router.get('/recent', requireAuth, async (req, res) => {
           arrLink: getRadarrLink(movie),
           allTags,
           matchedUserTag: matchedUserTag || null,
-          tagBadges: showAll ? buildTagBadges(allTags, embyUserMap) : undefined
+          tagBadges: showAll ? buildTagBadges(allTags, embyUserMap) : undefined,
+          _contentId: record.movieId != null ? record.movieId : null
         };
 
         if (isAdmin) {
@@ -286,16 +358,24 @@ router.get('/recent', requireAuth, async (req, res) => {
       }
     }
 
-    // Sort newest first
-    historyItems.sort((a, b) => new Date(b.completedAt) - new Date(a.completedAt));
+    // Deduplicate: for each content item keep only the most-recent record,
+    // suppressing failures that were superseded by a successful import.
+    // Must run before sort so insertion order (newest-first from arr API) is preserved.
+    const dedupedItems = deduplicateHistoryItems(historyItems, sonarrHistory, radarrHistory);
 
-    console.log(`[History] Returning ${historyItems.length} items for user ${user.name} (days=${days}, showAll=${showAll})`);
+    // Strip internal dedup key before sending to client
+    for (const item of dedupedItems) delete item._contentId;
+
+    // Sort newest first
+    dedupedItems.sort((a, b) => new Date(b.completedAt) - new Date(a.completedAt));
+
+    console.log(`[History] Returning ${dedupedItems.length} items for user ${user.name} (days=${days}, showAll=${showAll})`);
 
     res.json({
       user: user.name,
       isAdmin,
       days,
-      history: historyItems
+      history: dedupedItems
     });
   } catch (err) {
     console.error('[History] Error:', err.message);

server/routes/radarr.js

@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 const express = require('express');
 const axios = require('axios');
 const router = express.Router();

server/routes/sabnzbd.js

@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 const express = require('express');
 const axios = require('axios');
 const router = express.Router();

server/routes/sonarr.js

@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 const express = require('express');
 const axios = require('axios');
 const router = express.Router();

server/utils/cache.js

@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 const { logToFile } = require('./logger');
 
 class MemoryCache {

server/utils/config.js

@@ -1,5 +1,28 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 const { logToFile } = require('./logger');
 
+// Validate that a configured service URL is well-formed and uses http(s).
+// Emits a warning (never throws) so a misconfigured instance degrades
+// gracefully rather than crashing the whole server.
+function validateInstanceUrl(url, instanceId) {
+  if (!url || typeof url !== 'string') {
+    logToFile(`[Config] WARNING: instance "${instanceId}" has no URL configured`);
+    return false;
+  }
+  let parsed;
+  try {
+    parsed = new URL(url);
+  } catch {
+    logToFile(`[Config] WARNING: instance "${instanceId}" has an invalid URL: "${url}"`);
+    return false;
+  }
+  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
+    logToFile(`[Config] WARNING: instance "${instanceId}" URL must use http or https, got "${parsed.protocol}"`);
+    return false;
+  }
+  return true;
+}
+
 function parseInstances(envVar, legacyUrl, legacyKey, legacyUsername, legacyPassword) {
   // Try to parse JSON array format first
   if (envVar) {
@@ -9,10 +32,11 @@ function parseInstances(envVar, legacyUrl, legacyKey, legacyUsername, legacyPass
       const instances = JSON.parse(cleaned);
       if (Array.isArray(instances) && instances.length > 0) {
         logToFile(`[Config] Parsed ${instances.length} instances from JSON array`);
-        return instances.map((inst, idx) => ({
-          ...inst,
-          id: inst.name || `instance-${idx + 1}`
-        }));
+        return instances.map((inst, idx) => {
+          const id = inst.name || `instance-${idx + 1}`;
+          validateInstanceUrl(inst.url, id);
+          return { ...inst, id };
+        });
       }
     } catch (err) {
       logToFile(`[Config] Failed to parse JSON array: ${err.message}`);
@@ -22,6 +46,7 @@ function parseInstances(envVar, legacyUrl, legacyKey, legacyUsername, legacyPass
   // Fall back to legacy single-instance format
   if (legacyUrl && legacyKey) {
     logToFile(`[Config] Using legacy single-instance format`);
+    validateInstanceUrl(legacyUrl, 'default');
     return [{
       id: 'default',
       name: 'Default',
@@ -74,5 +99,6 @@ module.exports = {
   getSonarrInstances,
   getRadarrInstances,
   getQbittorrentInstances,
-  parseInstances
+  parseInstances,
+  validateInstanceUrl
 };

server/utils/historyFetcher.js

@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 const axios = require('axios');
 const cache = require('./cache');
 const { getSonarrInstances, getRadarrInstances } = require('./config');

server/utils/loadSecrets.js

@@ -0,0 +1,52 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+//
+// Docker secrets support: if an environment variable named FOO_FILE is set,
+// read its contents from the file at that path and expose it as FOO.
+// This follows the standard *_FILE convention used by official Docker images.
+//
+// Supported secrets:
+//   COOKIE_SECRET_FILE       → COOKIE_SECRET
+//   EMBY_API_KEY_FILE        → EMBY_API_KEY
+//   SABNZBD_API_KEY_FILE     → SABNZBD_API_KEY   (legacy single-instance)
+//   SONARR_API_KEY_FILE      → SONARR_API_KEY    (legacy single-instance)
+//   RADARR_API_KEY_FILE      → RADARR_API_KEY    (legacy single-instance)
+//   QBITTORRENT_PASSWORD_FILE → QBITTORRENT_PASSWORD (legacy single-instance)
+//
+// For multi-instance JSON arrays the secret values must be embedded in the
+// JSON string itself; file-based loading is for the legacy single-key format.
+
+const fs = require('fs');
+
+const SECRET_MAPPINGS = [
+  'COOKIE_SECRET',
+  'EMBY_API_KEY',
+  'SABNZBD_API_KEY',
+  'SONARR_API_KEY',
+  'RADARR_API_KEY',
+  'QBITTORRENT_PASSWORD',
+];
+
+function loadSecrets() {
+  for (const key of SECRET_MAPPINGS) {
+    const fileEnv = `${key}_FILE`;
+    const filePath = process.env[fileEnv];
+    if (!filePath) continue;
+    if (process.env[key]) {
+      console.warn(`[Secrets] Both ${key} and ${fileEnv} are set — ${fileEnv} takes precedence`);
+    }
+    try {
+      const value = fs.readFileSync(filePath, 'utf8').trim();
+      if (!value) {
+        console.warn(`[Secrets] ${fileEnv} points to an empty file: ${filePath}`);
+        continue;
+      }
+      process.env[key] = value;
+      console.log(`[Secrets] Loaded ${key} from ${fileEnv}`);
+    } catch (err) {
+      console.error(`[Secrets] Failed to read ${fileEnv} (${filePath}): ${err.message}`);
+      process.exit(1);
+    }
+  }
+}
+
+module.exports = loadSecrets;

server/utils/logger.js

@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 const fs = require('fs');
 const path = require('path');
 

server/utils/poller.js

@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 const axios = require('axios');
 const cache = require('./cache');
 const { getTorrents } = require('./qbittorrent');
@@ -159,8 +160,11 @@ async function pollAllServices() {
       records: sonarrQueues.flatMap(q => {
         const inst = sonarrInstances.find(i => i.id === q.instance);
         const url = inst ? inst.url : null;
+        const key = inst ? inst.apiKey : null;
         return (q.data.records || []).map(r => {
           if (r.series) r.series._instanceUrl = url;
+          r._instanceUrl = url;
+          r._instanceKey = key;
           return r;
         });
       })
@@ -174,8 +178,11 @@ async function pollAllServices() {
       records: radarrQueues.flatMap(q => {
         const inst = radarrInstances.find(i => i.id === q.instance);
         const url = inst ? inst.url : null;
+        const key = inst ? inst.apiKey : null;
         return (q.data.records || []).map(r => {
           if (r.movie) r.movie._instanceUrl = url;
+          r._instanceUrl = url;
+          r._instanceKey = key;
           return r;
         });
       })

server/utils/qbittorrent.js

@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 const axios = require('axios');
 const { logToFile } = require('./logger');
 const { getQbittorrentInstances } = require('./config');
@@ -204,6 +205,7 @@ function mapTorrentToDownload(torrent) {
     category: torrent.category,
     tags: torrent.tags,
     savePath: torrent.content_path || torrent.save_path || null,
+    addedOn: torrent.added_on || null,
     qbittorrent: true
   };
 }

server/utils/sanitizeError.js

@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 // Query-param secrets (SABnzbd apikey, generic token/password params)
 const QUERY_SECRET_PATTERN = /([?&](?:apikey|token|password|api_key|key|secret)=)[^&\s#]*/gi;
 // HTTP auth header values (X-Api-Key, X-MediaBrowser-Token, Authorization, X-Emby-Authorization)
@@ -7,13 +8,18 @@ const HEADER_PATTERN = /(?:x-api-key|x-mediabrowser-token|x-emby-authorization|a
 const BEARER_PATTERN = /bearer\s+[A-Za-z0-9\-._~+/]+=*/gi;
 // Basic auth credentials in URLs (http://user:pass@host)
 const BASIC_AUTH_URL_PATTERN = /\/\/[^:@/\s]+:[^@/\s]+@/gi;
+// Redact only the host:port authority portion of URLs, preserving path/query so
+// other patterns (QUERY_SECRET_PATTERN etc.) can still act on them.
+// Negative lookahead skips URLs already handled by BASIC_AUTH_URL_PATTERN.
+const HOST_PATTERN = /(https?:\/\/)(?!\[REDACTED\]@)([^\s/?#]+)/gi;
 
 function sanitizeError(err) {
   let msg = (err && err.message) ? err.message : String(err);
   msg = msg.replace(QUERY_SECRET_PATTERN, '$1[REDACTED]');
   msg = msg.replace(HEADER_PATTERN, (m) => m.split(/[\s:]/)[0] + ':[REDACTED]');
   msg = msg.replace(BEARER_PATTERN, 'bearer [REDACTED]');
-  msg = msg.replace(BASIC_AUTH_URL_PATTERN, '//[REDACTED]@');
+  msg = msg.replace(BASIC_AUTH_URL_PATTERN, '//[REDACTED]@');  // must run before HOST_PATTERN
+  msg = msg.replace(HOST_PATTERN, '$1[HOST]');
   // Never leak stack traces to API responses
   return msg;
 }

server/utils/tokenStore.js

@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 /**
  * Persistent token store backed by a JSON file.
  *

tests/integration/auth.test.js

@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 /**
  * Integration tests for authentication routes.
  *

tests/integration/health.test.js

@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 /**
  * Integration tests for health and readiness endpoints.
  *

tests/integration/history.test.js

@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 /**
  * Integration tests for GET /api/history/recent
  *
@@ -97,6 +98,60 @@ const RADARR_RECORD_IMPORTED = {
   movieId: 20
 };
 
+// Deduplication fixtures — same episodeId 55, episode 1 failed then imported
+const SONARR_RECORD_FAILED_EP55 = {
+  id: 110,
+  eventType: 'downloadFailed',
+  sourceTitle: 'Show.S02E01.720p',
+  date: new Date(Date.now() - 3600000).toISOString(), // 1 hour ago
+  quality: { quality: { name: '720p' } },
+  data: { message: 'Download failed' },
+  episodeId: 55,
+  episode: { seasonNumber: 2, episodeNumber: 1, title: 'Pilot', hasFile: false },
+  series: { id: 10, title: 'My Show', titleSlug: 'my-show', tags: [1], images: [] },
+  seriesId: 10
+};
+
+const SONARR_RECORD_IMPORTED_EP55 = {
+  id: 111,
+  eventType: 'downloadFolderImported',
+  sourceTitle: 'Show.S02E01.720p',
+  date: new Date().toISOString(), // now (more recent)
+  quality: { quality: { name: '720p' } },
+  episodeId: 55,
+  episode: { seasonNumber: 2, episodeNumber: 1, title: 'Pilot', hasFile: true },
+  series: { id: 10, title: 'My Show', titleSlug: 'my-show', tags: [1], images: [] },
+  seriesId: 10
+};
+
+// Failed, still failing (hasFile=false) — most recent is a failure with no file
+const SONARR_RECORD_FAILED_EP56 = {
+  id: 112,
+  eventType: 'downloadFailed',
+  sourceTitle: 'Show.S02E02.720p',
+  date: new Date().toISOString(),
+  quality: { quality: { name: '720p' } },
+  data: { message: 'No seeders' },
+  episodeId: 56,
+  episode: { seasonNumber: 2, episodeNumber: 2, title: 'Episode 2', hasFile: false },
+  series: { id: 10, title: 'My Show', titleSlug: 'my-show', tags: [1], images: [] },
+  seriesId: 10
+};
+
+// Failed but hasFile=true — episode is available, failure is an upgrade attempt
+const SONARR_RECORD_FAILED_EP57_HAS_FILE = {
+  id: 113,
+  eventType: 'downloadFailed',
+  sourceTitle: 'Show.S02E03.720p',
+  date: new Date().toISOString(),
+  quality: { quality: { name: '720p' } },
+  data: { message: 'Upgrade failed' },
+  episodeId: 57,
+  episode: { seasonNumber: 2, episodeNumber: 3, title: 'Episode 3', hasFile: true },
+  series: { id: 10, title: 'My Show', titleSlug: 'my-show', tags: [1], images: [] },
+  seriesId: 10
+};
+
 // --- Helpers ---
 function interceptLogin(userBody = EMBY_USER, authBody = EMBY_AUTH) {
   nock(EMBY_BASE).post('/Users/authenticatebyname').reply(200, authBody);
@@ -271,6 +326,63 @@ describe('GET /api/history/recent', () => {
     });
   });
 
+  describe('deduplication', () => {
+    it('suppresses a failed record when the same episode was subsequently imported', async () => {
+      const app = createApp({ skipRateLimits: true });
+      // API returns newest-first: imported (now) before failed (1hr ago)
+      setHistory([SONARR_RECORD_IMPORTED_EP55, SONARR_RECORD_FAILED_EP55], []);
+      const { cookies } = await loginAs(app);
+      const res = await request(app)
+        .get('/api/history/recent')
+        .set('Cookie', cookies);
+      expect(res.status).toBe(200);
+      const ep55Items = res.body.history.filter(h => h.seriesName === 'My Show' && h.title.includes('S02E01'));
+      expect(ep55Items).toHaveLength(1);
+      expect(ep55Items[0].outcome).toBe('imported');
+    });
+
+    it('shows a failed record as-is when there is no successful import and hasFile is false', async () => {
+      const app = createApp({ skipRateLimits: true });
+      setHistory([SONARR_RECORD_FAILED_EP56], []);
+      const { cookies } = await loginAs(app);
+      const res = await request(app)
+        .get('/api/history/recent')
+        .set('Cookie', cookies);
+      expect(res.status).toBe(200);
+      const item = res.body.history.find(h => h.title && h.title.includes('S02E02'));
+      expect(item).toBeDefined();
+      expect(item.outcome).toBe('failed');
+      expect(item.availableForUpgrade).toBeFalsy();
+    });
+
+    it('flags a failed record as availableForUpgrade when the episode hasFile is true', async () => {
+      const app = createApp({ skipRateLimits: true });
+      setHistory([SONARR_RECORD_FAILED_EP57_HAS_FILE], []);
+      const { cookies } = await loginAs(app);
+      const res = await request(app)
+        .get('/api/history/recent')
+        .set('Cookie', cookies);
+      expect(res.status).toBe(200);
+      const item = res.body.history.find(h => h.title && h.title.includes('S02E03'));
+      expect(item).toBeDefined();
+      expect(item.outcome).toBe('failed');
+      expect(item.availableForUpgrade).toBe(true);
+    });
+
+    it('does not expose _contentId in the response', async () => {
+      const app = createApp({ skipRateLimits: true });
+      setHistory([SONARR_RECORD_IMPORTED_EP55], []);
+      const { cookies } = await loginAs(app);
+      const res = await request(app)
+        .get('/api/history/recent')
+        .set('Cookie', cookies);
+      expect(res.status).toBe(200);
+      for (const item of res.body.history) {
+        expect(item).not.toHaveProperty('_contentId');
+      }
+    });
+  });
+
   describe('response shape', () => {
     it('returns correct top-level fields', async () => {
       const app = createApp({ skipRateLimits: true });

tests/setup.js

@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 import { vi, beforeEach, afterEach } from 'vitest';
 import os from 'os';
 import path from 'path';

tests/unit/config.test.js

@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 /**
  * Tests for server/utils/config.js
  *

tests/unit/historyFetcher.test.js

@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 /**
  * Unit tests for server/utils/historyFetcher.js
  *

tests/unit/qbittorrent.test.js

@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 /**
  * Tests for server/utils/qbittorrent.js pure utility functions.
  *

tests/unit/requireAuth.test.js

@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 /**
  * Tests for server/middleware/requireAuth.js
  *

tests/unit/sanitizeError.test.js

@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 /**
  * Tests for server/utils/sanitizeError.js
  *

tests/unit/tokenStore.test.js

@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 /**
  * Tests for server/utils/tokenStore.js
  *

tests/unit/verifyCsrf.test.js

@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 /**
  * Tests for server/middleware/verifyCsrf.js
  *

vitest.config.js

@@ -1,3 +1,4 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
 import { defineConfig } from 'vitest/config';
 
 export default defineConfig({