merge branch 'develop' into 'main' - Release v1.7.22

- Remove white-space: nowrap from .request-title so long titles
  truncate/wrap instead of forcing cards beyond the viewport width
- Add overflow-x: hidden to .requests-list as a safety net
- Add @media (max-width: 768px) rules for the requests section:
  reduce .requests-container padding from 20px to 12px, tighten
  .request-card and .request-meta gaps on mobile

Fixes #49

.env.sample

@@ -35,6 +35,13 @@ SOFARR_WEBHOOK_SECRET=your-webhook-secret-here
 # Example: https://sofarr.example.com or https://192.168.1.100:3001
 SOFARR_BASE_URL=https://your-sofarr-url
 
+# Optional dedicated base URL for webhooks (e.g. for reverse proxies / docker networking)
+# If configured, webhook registration in Sonarr, Radarr, and Ombi will use this URL.
+# Useful if those services reside in the same local network/docker container setup and
+# cannot route to the public SOFARR_BASE_URL due to loopback/DNS restrictions (avoiding 503s).
+# Example: http://sofarr:3001 or http://192.168.1.50:3001
+# SOFARR_WEBHOOK_BASE_URL=http://sofarr:3001
+
 # --- Webhook Polling Optimization (Phase 5) ---
 
 # Minutes of silence after which the poller falls back to a full poll
@@ -162,6 +169,9 @@ RADARR_INSTANCES=[{"name":"main","url":"https://radarr.example.com","apiKey":"yo
 # =============================================================================
 OMBI_URL=https://ombi.example.com
 OMBI_API_KEY=your-ombi-api-key-here
+# Optional: Delay in milliseconds to wait before refreshing the cache after receiving an Ombi webhook
+# to resolve the race condition where Ombi fires the webhook before committing to its database.
+# OMBI_WEBHOOK_REFRESH_DELAY_MS=2000
 
 # =============================================================================
 # NOTES

.gitignore

@@ -11,4 +11,5 @@ data/
 *.db-wal
 *.db-shm
 .agents/
-.windsurf/
+.windsurf/
+scratch/

ARCHITECTURE.md

@@ -393,9 +393,9 @@ POST /api/webhook/ombi
 Both endpoints share identical processing logic:
 
 ```
-Sonarr/Radarr
+Sonarr/Radarr/Ombi
     POST /api/webhook/sonarr
-    Headers: X-Sofarr-Webhook-Secret: <secret>
+    Headers: X-Sofarr-Webhook-Secret: <secret> OR URL parameter: ?secret=<secret>
     Body:    { "eventType": "Grab", "instanceName": "Main Sonarr",
                "date": "2026-05-19T10:00:00.000Z", … }
         │
@@ -404,6 +404,7 @@ Sonarr/Radarr
         │
         ▼
     validateWebhookSecret()  ──fail──► 401 Unauthorized
+        (Checks header or query param)
         │ ok
         ▼
     validatePayload()        ──fail──► 400 Bad Request
@@ -994,6 +995,42 @@ For AI agents and automated tooling, every endpoint includes:
 - Lints `server/openapi.yaml` with `@stoplight/spectral-cli`
 - Runs the coverage test suite on every push
 
+### 7.5 Real-Time Debug Log Streaming Subsystem
+
+sofarr provides a togglable, real-time log capturing and streaming engine allowing developer-administrators to view server standard output stream activity and browser console log activity for easy debugging in production.
+
+#### Architecture
+
+```mermaid
+flowchart LR
+    subgraph Browser ["Browser (SPA)"]
+        console["console.log/warn/error"] --> queue["logQueue (batched)"]
+        queue --> |POST /api/debug/client-logs| ingestionRoute["POST router handler"]
+    end
+
+    subgraph Server ["Node.js (Server)"]
+        stdout["process.stdout.write"] --> capture["processStreamData()"]
+        stderr["process.stderr.write"] --> capture
+        capture --> |stripAnsi| serverBuffer["logBuffer (rolling 1000 lines)"]
+        capture --> |emit server-log| serverSse["GET /api/debug/server-logs (SSE)"]
+
+        ingestionRoute --> clientBuffer["clientLogBuffer (rolling 1000 lines)"]
+        ingestionRoute --> |emit client-log| clientSse["GET /api/debug/client-logs (SSE)"]
+    end
+```
+
+#### In-Process Interceptor (Stdout & Stderr)
+To guarantee 100% logging completeness without requiring complex and insecure external Docker daemon sockets, the server hooks directly into standard output stream writers `process.stdout.write` and `process.stderr.write` during the process boot cycle. 
+- Custom accumulators process streams, strip ANSI terminal colors (colors are stripped using a standard regex matching all terminal escape codes), and split incoming chunks into structured lines.
+- Historical lines are appended to a rolling in-memory array `logBuffer` capped at 1,000 entries.
+- Real-time logging events are broadcasted via a central `EventEmitter` allowing connected SSE stream clients to receive updates instantly.
+
+#### Client Console Log Capture
+To assist developers in troubleshooting client-side runtime errors without access to developer consoles (e.g., in embedded WebViews, smart TVs, or custom mobile browser instances), the SPA implements an automatic logging interceptor.
+- If `/api/debug/status` indicates log streaming is active, the bootstrap process replaces global `console.log`, `console.warn`, and `console.error` methods.
+- Logs are added to an in-memory queue and flushed in batches using a stateless `POST /api/debug/client-logs` request every 2,000ms (or when the queue size reaches 20 items) to prevent browser thread blocking.
+- A synchronous cleanup check is registered via standard `beforeunload` to flush any remaining logs using `navigator.sendBeacon()` or `keepalive: true` fetch on page refresh or navigate.
+
 ---
 
 ## 8. Directory Structure
@@ -1188,7 +1225,7 @@ Each instance receives an `id` derived from `name` (or index if unnamed), used a
 | Concern | Mechanism |
 |---------|-----------|
 | **Secret validation** | Every webhook request must carry `X-Sofarr-Webhook-Secret` matching `SOFARR_WEBHOOK_SECRET`. Absent or wrong secret → `401`. Webhook endpoints function outside the CSRF middleware (they are not browser-initiated). |
-| **Rate limiting** | Dedicated `webhookLimiter`: 60 req/min per IP (stricter than the general 300 req/15 min limiter). |
+| **Rate limiting** | Dedicated `webhookLimiter`: 60 req/min per IP (stricter than the general 300 req/15 min limiter). Bypassed in testing/dev via `SKIP_RATE_LIMIT=1`. |
 | **Payload validation** | `validatePayload()` enforces: JSON object body, `eventType` as a non-empty string ≤ 64 chars, `eventType` in the allowlist, `instanceName` as string if present. Rejects with `400` on any violation. |
 | **Replay protection** | `isReplay()` caches a composite key `{eventType}:{instanceName}:{date}` for 5 minutes. Duplicate events within that window are acknowledged with `200 { received: true, duplicate: true }` and not processed. |
 
@@ -1196,13 +1233,25 @@ Each instance receives an `id` derived from `name` (or index if unnamed), used a
 
 | Concern | Mechanism |
 |---------|-----------|
-| **Rate limiting** | 300 req/15 min general (all API routes); 10 failed attempts/15 min login limiter; 60 req/1 min webhook limiter. |
+| **Rate limiting** | General API limiter (300 req/15 min on `/api/*` prefix) exempts `/api/dashboard/cover-art` requests; Login limiter (10 attempts/15 min) employs `skipSuccessfulRequests: true` to count failed attempts only; Webhook limiter runs 60 req/1 min on `/api/webhook/*` endpoints; Root `/health` and `/ready` probes are entirely exempt. All limiters bypassable in testing via `SKIP_RATE_LIMIT=1` or `createApp({ skipRateLimits: true })`. |
 | **Secret leakage** | `sanitizeError()` (`server/utils/sanitizeError.js`) redacts secrets from error messages and logs: URL query-param secrets (`apikey=`, `token=`), HTTP auth headers (`Authorization:`, `X-Emby-Authorization:`), Bearer tokens, and basic-auth credentials in URLs. |
 | **HTTP headers** | Helmet v7: CSP with per-request nonce (`crypto.randomBytes(16)` for inline styles/scripts), HSTS, `X-Frame-Options: DENY`, `X-Content-Type-Options: nosniff`, `Referrer-Policy`, `Permissions-Policy`. |
 | **Body size** | `express.json` body limit: 64 KB. |
 | **Authorisation matrix** | Regular users see only their own downloads. Admins can view all users, see paths and *arr links, and blocklist any download. Non-admins can only blocklist when import issues exist or (for qBittorrent) the torrent is >1 h old with <100% availability. |
 | **Container security** | Docker image runs as the non-root `node` user (UID 1000). `/app/data` is owned by `node`. |
 
+### 10.4 Debug Log Streaming Security
+
+Access to the debug log stream endpoints (`/api/debug/server-logs` and `/api/debug/client-logs`) is secured via a strict multi-layered policy:
+
+| Layer | Mechanism |
+|-------|-----------|
+| **Feature lock toggle** | Strictly disabled by default; only enableable when environment variable `ENABLE_LOG_STREAM=true` is set. |
+| **Subnet filtering** | If environment variable `LOG_ALLOW_SUBNETS` is configured (using standard comma-separated CIDR notation), incoming client IPs (`req.ip`) are parsed and validated via the `ipaddr.js` library. Unmatched subnets receive a `403 Forbidden` response immediately. |
+| **Fast-path webhook bypass** | A valid webhook secret bypasses the active Emby authentication layer when provided on the `X-Webhook-Secret` header. |
+| **Active Emby session** | Validates that an active `emby_user` session cookie is present and that the authenticated Emby user is an administrator. |
+| **Emby basic auth fallback** | Allows Basic Authentication headers by performing an on-demand asynchronous credentials check against Emby's `/Users/authenticatebyname` and `/Users/{id}` endpoints to assert active policy administrator status. |
+
 ---
 
 ## 11. Technology Stack

CHANGELOG.md

@@ -4,6 +4,129 @@ All notable changes to this project will be documented in this file.
 Format follows [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.7.22] - 2026-05-27
+
+### Fixed
+
+- **Theme Switcher Multi-Button Support (Issue #54)** — Resolved a frontend bug where themes other than Light failed to apply because the Javascript code queried a non-existent `#theme-toggle` element. Re-engineered the switcher to query all `.theme-btn` selectors inside `.theme-switcher`, managing and toggling the active class styling across `light`, `dark`, and `mono` themes, and cleanly persisting choices to local storage.
+- **Ombi TV Requester User Extraction Fallback (Issue #53)** — Resolved a bug where TV show requests from Ombi displayed as "unknown" user because requester attributes were nested under non-standard properties (`user`, `requestedBy`, `ombiUser`, `requestedByUser`, and nested seasons/child requests arrays). Added robust multi-layer extraction logic on both backend and frontend layers to resolve requester usernames under all TV request structures.
+- **Configurable Webhook Commit Delay & Retry Loop (Issue #53)** — Mitigated race conditions between Ombi webhook events and database commits by introducing a configurable `OMBI_WEBHOOK_REFRESH_DELAY_MS` delay (defaulting to `2000`) and a smart 3-attempt retry polling loop to verify updated requester data before cache updates.
+
+### Added
+
+- **Admin Request Card *arr Library Lookup (Issue #53)** — Added library deep-link lookup for admin views. Request cards now query Sonarr and Radarr library caches and dynamically render deep-link navigation icons in the card actions container if the item exists.
+- **Request Date/Time Presentation** — Added request date and time display inside request cards formatted as `YYYY-MM-DD HH:MM`.
+- **Unknown (Ombi) Dotted Underline Tooltip** — Added user-friendly placeholder "Unknown (Ombi)" with dotted underline and explanatory hover tooltip when user details are unavailable from the Ombi database.
+- **Expanded Test Coverage** — Introduced two new frontend DOM test suites (`tests/frontend/ui/theme.test.js` and `tests/frontend/ui/requests.test.js`) and robust backend unit test assertions in `tests/unit/ombiHelpers.test.js`.
+
+---
+
+## [1.7.21] - 2026-05-26
+
+### Fixed
+
+- **Ombi Webhook Test Loopback Fallback** — Resolved a persistent failure on the Ombi webhook test button when Sofarr sits behind a reverse proxy or in loopback-restricted environments. When the outbound request to the public webhook URL (`SOFARR_BASE_URL`) fails due to loopback/NAT routing limits, the server now transparently falls back to a secure local loopback request (`127.0.0.1`) with smart TLS detection and SSL error bypass (`rejectUnauthorized: false`).
+- **Resilient Webhook Mocks in Tests** — Updated integration test assertions to verify the loopback fallback path under both HTTP and HTTPS configurations, ensuring full compatibility across dev, test, and production container environments.
+
+---
+
+## [1.7.21] - 2026-05-26
+
+### Fixed
+
+- **Webhook Loopback & Hairpin NAT Connectivity** — Implemented a robust local loopback fallback inside the Ombi webhook testing endpoint to bypass NAT loopback and DNS resolution issues common in setups behind reverse proxies. When the outbound request to the public URL fails, the server automatically routes the request internally via `127.0.0.1` using automatic TLS credentials detection and SSL validation bypass for loopback requests. Added comprehensive integration tests verifying the fallback behavior.
+- **Dedicated Webhook Base URL Support** — Added support for a new `SOFARR_WEBHOOK_BASE_URL` environment variable inside `server/routes/sonarr.js`, `server/routes/radarr.js`, and `server/routes/ombi.js`. This allows setups behind reverse proxies to declare an internal/custom base URL specifically for webhooks, enabling Sonarr, Radarr, and Ombi to send webhook events directly to the server via internal container networking, resolving `503 Service Unavailable` errors.
+
+---
+
+## [1.7.20] - 2026-05-26
+
+### Fixed
+
+- **Ombi Requesting User Hydration (Issue #51)** — Resolved a bug where Sofarr displayed "Unknown" for the requesting user on requests even when the Ombi database contains valid user information. Added automatic requestedUser object hydration on the server side by fetching the full user list from `/api/v1/Identity/Users` and caching it in memory. If a request is missing the nested `requestedUser` details but possesses a valid `requestedUserId`, Sofarr automatically resolves and binds the user's username/alias. Added robust unit tests safeguarding the client and the retriever. Resolves Gitea Issue [#51](https://git.i3omb.com/Gandalf/sofarr/issues/51).
+
+### Changed
+
+- **Aligned Gitea Interaction Skill** — Updated `.windsurf/skills/gitea-interaction/SKILL.md` to align with the Antigravity `tea-interaction` hybrid interaction model guidelines, detailing when to use the editor extension versus the Gitea CLI.
+
+---
+
+## [1.7.19] - 2026-05-25
+
+### Fixed
+
+- **Requests Mobile CSS Overflow Fix (Issue #49)** — Resolved the remaining viewport overflow on narrow screens by adding `min-width: 0` to `.request-card` to allow proper flexbox and grid shrinking, reducing mobile `.main-tabs` padding to `0 8px`, and tightening `.requests-container` mobile padding to `8px`.
+- **Admin *arr Badge Links on Active Downloads (Issue #50)** — Fixed the missing Sonarr/Radarr badges and links on active downloads for admin users. Enabled robust `_instanceUrl` propagation during queue/history metadata compilation (`buildMetadataMaps`) and active matching (`DownloadMatcher.js`) to ensure link generation succeeds. Added complete schema documentation in OpenAPI.
+
+---
+
+## [1.7.18] - 2026-05-24
+
+### Fixed
+
+- **Mobile overflow on Requests tab** — Request cards no longer extend off the right edge of the screen on mobile browsers. Removed `white-space: nowrap` from `.request-title` to allow text truncation with ellipsis, added `overflow-x: hidden` to `.requests-list` as a safety net, and added `@media (max-width: 768px)` rules to reduce padding and tighten gaps on mobile. Resolves Gitea Issue [#49](https://git.i3omb.com/Gandalf/sofarr/issues/49).
+
+---
+
+## [1.7.17] - 2026-05-24
+
+### Fixed
+
+- **Blocklist-Search Persistent Failure (Regression from v1.7.16)** — Identified and corrected the true root cause of the blocklist-and-search feature being non-functional. The v1.7.16 fix correctly cast both sides of the queue ID comparison to `String`, but the lookup was performed against `downloadClientRegistry.getAllDownloads()`, which returns **raw download-client data** (qBittorrent, SABnzbd, etc.) that never has `arrQueueId` populated — that field is only assigned by `DownloadMatcher.js` during the SSE build phase from the *arr cache. For qBittorrent torrents specifically, `QBittorrentClient.normalizeDownload()` does not set `arrQueueId` at all, so the lookup always returned `undefined` and the request was rejected with `403`. The permission check in `POST /api/dashboard/blocklist-search` now looks up the queue record directly from the Sonarr/Radarr queue cache (`poll:sonarr-queue` / `poll:radarr-queue`) where `record.id` is the numeric queue ID, using `String()` casting on both sides to handle the DOM-dataset (string) vs API response (number) type difference. Resolves Gitea Issue [#48](https://git.i3omb.com/Gandalf/sofarr/issues/48) (regression).
+
+---
+
+## [1.7.16] - 2026-05-24
+
+### Fixed
+
+- **Blocklist-Search Queue ID Type Mismatch** — Resolved a bug where the "Blocklist and search" action consistently returned `403 Download not found or permission denied` for all users. The server-side download lookup in `server/routes/dashboard.js` used strict equality (`===`) to compare `arrQueueId` values, but the value sent from the SPA client (read from a DOM `data-*` attribute) is always a `string`, while the value populated from the Radarr/Sonarr queue API is a `number`. Both sides are now cast to `String` before comparison, resolving the false-negative match failure. Resolves Gitea Issue [#48](https://git.i3omb.com/Gandalf/sofarr/issues/48).
+
+---
+
+## [1.7.15] - 2026-05-24
+
+### Fixed
+
+- **Ombi Webhook Authentication Failures** — Resolved a critical issue where Ombi webhook notifications failed to authenticate because Ombi's built-in notification agent does not support custom HTTP headers (such as `X-Sofarr-Webhook-Secret`). Added a query parameter authentication fallback (`?secret=`) to all `/api/webhook/*` endpoints (Sonarr, Radarr, and Ombi) and configured Ombi webhook registration to automatically append this secret query parameter. Resolves Gitea Issue [#47](https://git.i3omb.com/Gandalf/sofarr/issues/47).
+
+---
+
+## [1.7.14] - 2026-05-24
+
+### Fixed
+
+- **Undefined Reference Error in Background Poller** — Resolved a critical runtime exception in the background scheduler loop (`server/utils/poller.js`) where `logToFile` was called on cache updates but was never imported at the top of the file, previously triggering `[Poller] Poll error: logToFile is not defined` on every interval loop.
+
+---
+
+## [1.7.13] - 2026-05-24
+
+### Changed
+
+- **Comprehensive OpenAPI & Swagger Specification Remediation** — Bumped the API documentation version to `1.7.13` and fully documented all operational rate-limiting configurations, exemptions, and bypasses in `server/openapi.yaml` (including general cover-art exclusions, failed-only login trackers, webhook limiters, and rate-limit exempt root health probes).
+- **Aligned Health Check Endpoint Implementation** — Enhanced the express application factory `/health` endpoint to dynamically require and return the active version from `package.json`, keeping it fully aligned with the production entrypoint server logic.
+- **Synchronized Security & System Architecture Docs** — Aligned security matrices and threat mitigations in `SECURITY.md` and rate-limiting testing configurations in `ARCHITECTURE.md`.
+
+### Added
+
+- **Swagger API Coverage Verification Integration** — Implemented comprehensive assertions within `tests/integration/swagger-coverage.test.js` to dynamically verify that all newly added logging and debug endpoints (`/api/debug/*`) are fully represented in the active specification, raising test suite coverage to 876 passing checks.
+
+---
+
+## [1.7.12] - 2026-05-24
+
+### Added
+
+- **Real-Time Server-Side Log Streaming (`GET /api/debug/server-logs`)** — Introduced an in-process output stream capturer that intercepts standard output (`stdout`) and standard error (`stderr`), strips terminal ANSI escape codes, maintains a rolling 1000-line buffer, and streams live operational logs via Server-Sent Events (SSE). Resolves Gitea Issue [#45](https://git.i3omb.com/Gandalf/sofarr/issues/45).
+- **Real-Time Client-Side Console Log Stream (`GET & POST /api/debug/client-logs`)** — Added a browser-side console override in the frontend SPA that intercepts `console.log`, `console.warn`, and `console.error` calls. Logs are queued and posted to `/api/debug/client-logs` in optimized batches every 2000ms (or when the queue reaches 20 items), which are then buffered and streamed over SSE to debugging developers. Resolves Gitea Issue [#46](https://git.i3omb.com/Gandalf/sofarr/issues/46).
+- **Subnet IP Filtering (`LOG_ALLOW_SUBNETS`)** — Implemented an optional CIDR-based subnet validation check using `ipaddr.js` to restrict access to debug logs endpoints to specific internal IP ranges (e.g. `127.0.0.1/32,192.168.1.0/24`). Works natively with reverse proxies when `TRUST_PROXY` is enabled.
+- **Multi-Layered Security Bypass & Auth** — Debug endpoints are guarded globally by `ENABLE_LOG_STREAM=true` (off by default) and require Emby admin sessions, standard HTTP Basic Auth fallback checks against Emby, or high-priority bypass via header `X-Webhook-Secret`.
+- **Swagger UI Specification Coverage** — Fully documented all four new endpoints, headers, and schemas in `server/openapi.yaml`, with automated verification integrated inside `swagger-coverage.test.js`.
+- **Architectural & Developer Guides** — Updated `ARCHITECTURE.md` (with system overview, diagrams, stdout/stderr hooks, and threat mitigations) and `README.md` (deploy instructions and querying parameters).
+
+---
+
 ## [1.7.11] - 2026-05-24
 
 ### Fixed

README.md

@@ -227,6 +227,10 @@ PORT=3001                           # Server port
 LOG_LEVEL=info                      # Logging: debug, info, warn, error, silent
 POLL_INTERVAL=5000                  # Background polling interval in ms (default: 5000)
                                     # Set to 0 or "off" to disable (on-demand mode)
+
+# Debug Log Streaming Subsystem
+ENABLE_LOG_STREAM=false             # Set to true to enable logs debugging routes
+LOG_ALLOW_SUBNETS=127.0.0.1/32      # Comma-separated allowed CIDR blocks (e.g. 127.0.0.1/32,192.168.1.0/24)
 ```
 
 ### Webhooks & Smart Polling
@@ -441,6 +445,12 @@ The proxy routes (`/api/sonarr/**`, `/api/radarr/**`, `/api/sabnzbd/**`, `/api/e
 ### History
 - `GET /api/history/recent` — Recently completed downloads from Sonarr/Radarr history
 
+### Debug Logs (requires ENABLE_LOG_STREAM=true)
+- `GET /api/debug/status` — Get runtime log stream configurations (public)
+- `GET /api/debug/server-logs` — **SSE stream**: push server `stdout`/`stderr` in real-time (requires auth & subnet check)
+- `GET /api/debug/client-logs` — **SSE stream**: push ingested frontend console logs in real-time (requires auth & subnet check)
+- `POST /api/debug/client-logs` — Ingest batched frontend console logs (requires auth & subnet check)
+
 ### Webhook Receiver (no user auth — protected by `X-Sofarr-Webhook-Secret`)
 - `POST /api/webhook/sonarr` — receive Sonarr webhook events
 - `POST /api/webhook/radarr` — receive Radarr webhook events

SECURITY.md

@@ -40,7 +40,7 @@ users via Emby. The primary threat surface when exposed to the public internet:
 | Privilege escalation (container) | Non-root user (UID 1000), `no-new-privileges`, all caps dropped |
 | Unbounded log growth | Size-based rotation: 10 MB cap, 3 rotated files kept |
 | Dependency vulnerabilities | `npm audit --audit-level=high` in CI on every push |
-| Unauthorized webhook injection | `SOFARR_WEBHOOK_SECRET` required on `X-Sofarr-Webhook-Secret` header; 401 on mismatch |
+| Unauthorized webhook injection | `SOFARR_WEBHOOK_SECRET` required on `X-Sofarr-Webhook-Secret` header or `secret` query parameter; 401 on mismatch |
 | Webhook payload injection | `validatePayload()` allowlists 18 known event types; rejects non-object bodies and overlong fields |
 | Webhook replay attacks | `isReplay()` tracks `(eventType, instanceName, date)` tuples for 5 minutes; duplicate events return `200 { duplicate: true }` without cache mutation |
 | Webhook flood / DoS | Dedicated rate limiter: 60 requests/min per IP on `/api/webhook/*` |
@@ -162,12 +162,13 @@ server {
 
 ## Rate Limits
 
-| Endpoint | Limit |
-|----------|-------|
-| `POST /api/auth/login` | 10 failed attempts per 15 min per IP |
-| All `/api/*` routes | 300 requests per 15 min per IP |
-| `POST /api/webhook/*` | 60 requests per 1 min per IP (webhook-specific limiter, stricter than general) |
-| `GET /api/swagger` | No rate limit (public documentation) |
+| Endpoint | Limit | Details & Exemptions |
+|----------|-------|----------------------|
+| `POST /api/auth/login` | 10 attempts per 15 min per IP | **Only failed attempts count** (`skipSuccessfulRequests: true`). Successful requests are not counted. |
+| All `/api/*` routes | 300 requests per 15 min per IP | General rate limiting. **Exempts `/api/dashboard/cover-art` requests** to avoid page layout image loading exhaustion. |
+| `POST /api/webhook/*` | 60 requests per 1 min per IP | Webhook-specific limiter, stricter than general. |
+| `/health` and `/ready` | Exempt | Root-level liveness/readiness probes bypass rate limiters completely. |
+| `GET /api/swagger` | Exempt | Public Swagger UI documentation does not enforce rate limits. |
 
 ---
 

client/src/main.js

@@ -11,8 +11,12 @@ import { initThemeSwitcher } from './ui/theme.js';
 import { initTabs, goHome } from './ui/tabs.js';
 import { handleShowAllToggle } from './sse.js';
 import { loadAppVersion } from './api.js';
+import { initClientLogCapture } from './utils/clientLogCapture.js';
 
 document.addEventListener('DOMContentLoaded', () => {
+  // Initialize client console log capturing early
+  initClientLogCapture();
+
   // Login form
   const loginForm = document.getElementById('login-form');
   if (loginForm) {

client/src/ui/requests.js

@@ -17,17 +17,52 @@ import { applyRequestFilters, getRequestStatus } from '../utils/ombiFilters.js';
 function extractRequestedUser(request) {
   if (!request) return '';
 
-  // Handle object format: OmbiStore.Entities.OmbiUser
-  if (request.requestedUser && typeof request.requestedUser === 'object') {
-    // Priority: alias > userAlias > userName > normalizedUserName > requestedByAlias
-    return request.requestedUser.alias || 
-           request.requestedUser.userAlias || 
-           request.requestedUser.userName || 
-           request.requestedUser.normalizedUserName || 
-           request.requestedByAlias || '';
+  // Try to locate a user object or string from various fields common to Ombi Movies and TV shows
+  const userSource = request.requestedUser || request.RequestedUser ||
+                     request.user || request.User ||
+                     request.requestedBy || request.RequestedBy ||
+                     request.ombiUser || request.OmbiUser ||
+                     request.requestedByUser || request.RequestedByUser;
+
+  // If userSource is an object, extract key fields
+  if (userSource && typeof userSource === 'object') {
+    const username = userSource.alias || userSource.Alias ||
+                     userSource.userAlias || userSource.UserAlias ||
+                     userSource.userName || userSource.UserName ||
+                     userSource.normalizedUserName || userSource.NormalizedUserName ||
+                     userSource.displayName || userSource.DisplayName ||
+                     userSource.email || userSource.Email;
+    if (username) return username;
   }
-  // Handle string format (fallback for compatibility)
-  return request.requestedUser || request.requestedByAlias || '';
+
+  // If userSource is a string
+  if (userSource && typeof userSource === 'string') {
+    return userSource;
+  }
+
+  // Fallbacks on the request root level
+  const rootFallback = request.requestedByAlias || request.RequestedByAlias ||
+                       request.requestedByUsername || request.RequestedByUsername ||
+                       request.requester || request.Requester ||
+                       request.requestedByEmail || request.RequestedByEmail;
+  if (rootFallback) return rootFallback;
+
+  // Check seasons / childRequests nested arrays (common for Ombi TV show requests)
+  if (Array.isArray(request.seasons)) {
+    for (const season of request.seasons) {
+      const seasonUser = extractRequestedUser(season);
+      if (seasonUser) return seasonUser;
+    }
+  }
+  
+  if (Array.isArray(request.childRequests)) {
+    for (const child of request.childRequests) {
+      const childUser = extractRequestedUser(child);
+      if (childUser) return childUser;
+    }
+  }
+
+  return '';
 }
 
 export function renderRequests() {
@@ -111,11 +146,38 @@ function createRequestCard(request) {
   }
 
   const username = extractRequestedUser(request);
+  const user = document.createElement('span');
+  user.className = 'request-user';
   if (username) {
-    const user = document.createElement('span');
-    user.className = 'request-user';
     user.textContent = `Requested by: ${username}`;
-    meta.appendChild(user);
+  } else {
+    user.textContent = 'Requested by: Unknown (Ombi)';
+    user.title = 'No user information received from Ombi';
+    user.style.cursor = 'help';
+    user.style.textDecoration = 'underline dotted';
+  }
+  meta.appendChild(user);
+
+  const dateStr = request.requestedDate || request.RequestedDate || request.date || request.Date;
+  if (dateStr) {
+    const requestDate = document.createElement('span');
+    requestDate.className = 'request-date';
+    try {
+      const dateObj = new Date(dateStr);
+      if (!isNaN(dateObj.getTime())) {
+        const year = dateObj.getFullYear();
+        const month = String(dateObj.getMonth() + 1).padStart(2, '0');
+        const day = String(dateObj.getDate()).padStart(2, '0');
+        const hours = String(dateObj.getHours()).padStart(2, '0');
+        const minutes = String(dateObj.getMinutes()).padStart(2, '0');
+        requestDate.textContent = `Date: ${year}-${month}-${day} ${hours}:${minutes}`;
+      } else {
+        requestDate.textContent = `Date: ${dateStr}`;
+      }
+    } catch (e) {
+      requestDate.textContent = `Date: ${dateStr}`;
+    }
+    meta.appendChild(requestDate);
   }
 
   if (request.quality) {
@@ -147,6 +209,22 @@ function createRequestCard(request) {
     actions.appendChild(ombiLink);
   }
 
+  if (state.isAdmin && request.arrLink) {
+    const arrLink = document.createElement('a');
+    arrLink.className = `request-link ${request.arrType}-link`;
+    arrLink.href = request.arrLink;
+    arrLink.target = '_blank';
+    arrLink.title = `View in ${request.arrType === 'sonarr' ? 'Sonarr' : 'Radarr'}`;
+    
+    const arrIcon = document.createElement('img');
+    arrIcon.src = request.arrType === 'sonarr' ? '/images/sonarr.svg' : '/images/radarr.svg';
+    arrIcon.alt = request.arrType === 'sonarr' ? 'Sonarr' : 'Radarr';
+    arrIcon.className = 'request-icon';
+    
+    arrLink.appendChild(arrIcon);
+    actions.appendChild(arrLink);
+  }
+
   card.appendChild(typeIcon);
   card.appendChild(content);
   card.appendChild(actions);

client/src/ui/theme.js

@@ -4,24 +4,43 @@ import { getTheme, saveTheme } from '../utils/storage.js';
 
 // Apply saved theme immediately on load
 (function applyTheme() {
-  const theme = getTheme();
-  if (theme) {
-    document.documentElement.setAttribute('data-theme', theme);
-  }
+  const theme = getTheme() || 'light';
+  document.documentElement.setAttribute('data-theme', theme);
 })();
 
 export function initThemeSwitcher() {
-  const themeToggle = document.getElementById('theme-toggle');
-  if (!themeToggle) return;
+  const themeButtons = document.querySelectorAll('.theme-btn');
+  const currentTheme = getTheme() || 'light';
   
-  themeToggle.addEventListener('click', () => {
-    const currentTheme = getTheme();
-    const newTheme = currentTheme === 'dark' ? 'light' : 'dark';
-    setTheme(newTheme);
+  // Set initial active state on buttons
+  themeButtons.forEach(btn => {
+    if (btn.getAttribute('data-theme') === currentTheme) {
+      btn.classList.add('active');
+    } else {
+      btn.classList.remove('active');
+    }
+    
+    btn.addEventListener('click', () => {
+      const theme = btn.getAttribute('data-theme');
+      if (theme) {
+        setTheme(theme);
+      }
+    });
   });
 }
 
 export function setTheme(theme) {
   document.documentElement.setAttribute('data-theme', theme);
   saveTheme(theme);
+  
+  // Sync button active classes if elements are present on the page
+  const themeButtons = document.querySelectorAll('.theme-btn');
+  themeButtons.forEach(btn => {
+    if (btn.getAttribute('data-theme') === theme) {
+      btn.classList.add('active');
+    } else {
+      btn.classList.remove('active');
+    }
+  });
 }
+

client/src/utils/clientLogCapture.js

@@ -0,0 +1,137 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+
+const logQueue = [];
+const MAX_QUEUE_SIZE = 20;
+const FLUSH_INTERVAL_MS = 2000;
+
+// Original console functions
+const originalLog = console.log;
+const originalWarn = console.warn;
+const originalError = console.error;
+
+let isSending = false;
+let isInitialized = false;
+let flushInterval = null;
+
+function formatArgs(args) {
+  return args.map(arg => {
+    if (arg === null) return 'null';
+    if (arg === undefined) return 'undefined';
+    if (arg instanceof Error) {
+      return `${arg.name}: ${arg.message}\n${arg.stack || ''}`;
+    }
+    if (typeof arg === 'object') {
+      try {
+        return JSON.stringify(arg);
+      } catch {
+        return String(arg);
+      }
+    }
+    return String(arg);
+  }).join(' ');
+}
+
+function enqueue(level, args) {
+  const formattedMsg = formatArgs(args);
+
+  // Still write to the developer console!
+  if (level === 'info') originalLog.apply(console, args);
+  else if (level === 'warn') originalWarn.apply(console, args);
+  else if (level === 'error') originalError.apply(console, args);
+
+  // Guard against infinite loop during logs dispatching
+  if (isSending) return;
+
+  logQueue.push({
+    timestamp: new Date().toISOString(),
+    level,
+    message: formattedMsg
+  });
+
+  // Flush immediately if queue is full
+  if (logQueue.length >= MAX_QUEUE_SIZE) {
+    flushQueue();
+  }
+}
+
+async function flushQueue() {
+  if (logQueue.length === 0 || isSending) return;
+
+  isSending = true;
+  const batch = [...logQueue];
+  logQueue.length = 0;
+
+  try {
+    const response = await fetch('/api/debug/client-logs', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json'
+      },
+      body: JSON.stringify(batch),
+      // keepalive allows request to survive page unload
+      keepalive: true
+    });
+
+    if (!response.ok) {
+      originalError.call(console, '[clientLogCapture] Ingestion server returned error status:', response.status);
+    }
+  } catch (err) {
+    originalError.call(console, '[clientLogCapture] Ingestion post request failed:', err.message);
+  } finally {
+    isSending = false;
+  }
+}
+
+// Perform a fast/unblocked payload flush using sendBeacon on page unload
+function flushOnUnload() {
+  if (logQueue.length === 0) return;
+
+  const batch = [...logQueue];
+  logQueue.length = 0;
+
+  try {
+    const blob = new Blob([JSON.stringify(batch)], { type: 'application/json' });
+    navigator.sendBeacon('/api/debug/client-logs', blob);
+  } catch (err) {
+    // sendBeacon failure, fallback to synchronous fetch with keepalive if available
+    try {
+      fetch('/api/debug/client-logs', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify(batch),
+        keepalive: true
+      });
+    } catch {
+      // Ignore
+    }
+  }
+}
+
+export async function initClientLogCapture() {
+  if (isInitialized) return;
+
+  try {
+    // 1. Check if the server toggle for logging is active
+    const response = await fetch('/api/debug/status');
+    if (!response.ok) return;
+
+    const data = await response.json();
+    if (data && data.enabled === true) {
+      // 2. Override global console methods
+      console.log = (...args) => enqueue('info', args);
+      console.warn = (...args) => enqueue('warn', args);
+      console.error = (...args) => enqueue('error', args);
+
+      // 3. Set interval for batch updates
+      flushInterval = setInterval(flushQueue, FLUSH_INTERVAL_MS);
+
+      // 4. Setup beforeunload listener for clean flushing
+      window.addEventListener('beforeunload', flushOnUnload);
+
+      isInitialized = true;
+      console.log('[clientLogCapture] Browser console logging interceptor initialized successfully.');
+    }
+  } catch (err) {
+    originalError.call(console, '[clientLogCapture] Check failed to start interceptor:', err.message);
+  }
+}

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "sofarr",
-  "version": "1.7.11",
+  "version": "1.7.22",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "sofarr",
-      "version": "1.7.11",
+      "version": "1.7.22",
       "license": "MIT",
       "dependencies": {
         "axios": "^1.6.0",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "sofarr",
-  "version": "1.7.11",
+  "version": "1.7.22",
   "description": "A personal media download dashboard that shows your downloads 'so far' while you relax on the sofa waiting for your *arr services to finish",
   "main": "server/index.js",
   "scripts": {

public/style.css

@@ -1888,6 +1888,23 @@ body {
 
 /* ===== Mobile ===== */
 @media (max-width: 768px) {
+  .main-tabs {
+    padding: 0 8px;
+  }
+
+  .requests-container {
+    padding: 8px;
+  }
+
+  .request-card {
+    gap: 8px;
+    padding: 10px;
+  }
+
+  .request-meta {
+    gap: 4px;
+  }
+
   .app {
     padding: 10px;
   }
@@ -2234,6 +2251,7 @@ body {
 .requests-list {
   display: grid;
   gap: 12px;
+  overflow-x: hidden;
 }
 
 .request-card {
@@ -2245,6 +2263,7 @@ body {
   border: 1px solid var(--border);
   border-radius: 8px;
   transition: box-shadow 0.2s ease, border-color 0.2s ease;
+  min-width: 0;
 }
 
 .request-card:hover {
@@ -2273,7 +2292,6 @@ body {
   font-weight: 600;
   color: var(--text-primary);
   margin-bottom: 4px;
-  white-space: nowrap;
   overflow: hidden;
   text-overflow: ellipsis;
 }

server/app.js

@@ -15,6 +15,7 @@ const swaggerUi = require('swagger-ui-express');
 const swaggerJsdoc = require('swagger-jsdoc');
 const YAML = require('yamljs');
 const path = require('path');
+const { version } = require('../package.json');
 
 const sabnzbdRoutes = require('./routes/sabnzbd');
 const sonarrRoutes = require('./routes/sonarr');
@@ -26,6 +27,7 @@ const historyRoutes = require('./routes/history');
 const authRoutes = require('./routes/auth');
 const webhookRoutes = require('./routes/webhook');
 const ombiRoutes = require('./routes/ombi');
+const debugRoutes = require('./routes/debug');
 const verifyCsrf = require('./middleware/verifyCsrf');
 
 function createApp({ skipRateLimits = false } = {}) {
@@ -127,13 +129,17 @@ function createApp({ skipRateLimits = false } = {}) {
    *                   type: number
    *                   description: Server uptime in seconds
    *                   example: 3600.5
+   *                 version:
+   *                   type: string
+   *                   description: sofarr version
+   *                   example: "1.7.22"
    *     x-code-samples:
    *       - lang: curl
    *         label: cURL
    *         source: curl http://localhost:3001/health
    */
   app.get('/health', (req, res) => {
-    res.json({ status: 'ok', uptime: process.uptime() });
+    res.json({ status: 'ok', uptime: process.uptime(), version });
   });
 
   /**
@@ -213,6 +219,7 @@ function createApp({ skipRateLimits = false } = {}) {
   app.use('/api', apiLimiter);
   app.use('/api/auth', authRoutes);
   app.use('/api/webhook', webhookRoutes);
+  app.use('/api/debug', debugRoutes);
 
   // CSRF protection for all state-changing API requests below
   app.use('/api', verifyCsrf);

server/clients/OmbiClient.js

@@ -125,6 +125,20 @@ class OmbiClient {
       return false;
     }
   }
+
+  /**
+   * Get all users from Ombi
+   * @returns {Promise<Array>} Array of user objects
+   */
+  async getUsers() {
+    try {
+      const response = await this.axios.get(`${this.url}/api/v1/Identity/Users`);
+      return response.data || [];
+    } catch (error) {
+      logToFile(`[OmbiClient] Get users error: ${error.message}`);
+      return [];
+    }
+  }
 }
 
 module.exports = OmbiClient;

server/clients/OmbiRetriever.js

@@ -16,8 +16,10 @@ class OmbiRetriever extends ArrRetriever {
     this.cache = {
       movieRequests: [],
       tvRequests: [],
+      users: [],
       movieMap: new Map(), // tmdbId -> request
       tvMap: new Map(),    // tvdbId -> request
+      userMap: new Map(),  // id -> user
       lastFetch: 0,
       ttl: 5 * 60 * 1000  // 5 minutes TTL
     };
@@ -98,20 +100,32 @@ class OmbiRetriever extends ArrRetriever {
     try {
       logToFile('[OmbiRetriever] Refreshing cache');
       
-      // Fetch requests in parallel
-      const [movieRequests, tvRequests] = await Promise.all([
+      // Fetch requests and users in parallel
+      const [movieRequests, tvRequests, users] = await Promise.all([
         this.client.getMovieRequests(),
-        this.client.getTvRequests()
+        this.client.getTvRequests(),
+        this.client.getUsers()
       ]);
 
       // Update cache
       this.cache.movieRequests = movieRequests;
       this.cache.tvRequests = tvRequests;
+      this.cache.users = users;
       this.cache.lastFetch = Date.now();
 
       // Build lookup maps
       this.cache.movieMap.clear();
       this.cache.tvMap.clear();
+      this.cache.userMap.clear();
+
+      // Build user map (id -> user)
+      if (Array.isArray(users)) {
+        users.forEach(user => {
+          if (user && user.id) {
+            this.cache.userMap.set(user.id, user);
+          }
+        });
+      }
 
       // Build movie map (tmdbId -> request)
       movieRequests.forEach(request => {
@@ -133,13 +147,59 @@ class OmbiRetriever extends ArrRetriever {
         }
       });
 
-      logToFile(`[OmbiRetriever] Cache refreshed: ${movieRequests.length} movies, ${tvRequests.length} TV shows`);
+      logToFile(`[OmbiRetriever] Cache refreshed: ${movieRequests.length} movies, ${tvRequests.length} TV shows, ${users.length} users`);
     } catch (error) {
       logToFile(`[OmbiRetriever] Cache refresh failed: ${error.message}`);
       // Don't throw error, continue with stale cache if available
     }
   }
 
+  /**
+   * Hydrates requestedUser on a single request using the userMap cache
+   * @param {Object} req - The request object
+   * @returns {Object} Hydrated request object
+   * @private
+   */
+  _hydrateRequest(req) {
+    if (!req) return req;
+
+    const reqUserId = req.requestedUserId || req.RequestedUserId;
+    if (reqUserId && this.cache.userMap.has(reqUserId)) {
+      const cachedUser = this.cache.userMap.get(reqUserId);
+      
+      let requestedUser = req.requestedUser || req.RequestedUser;
+      
+      // If requestedUser is not an object or is empty/null, populate it
+      if (!requestedUser || typeof requestedUser !== 'object' || Object.keys(requestedUser).length === 0) {
+        const hydratedUser = {
+          id: cachedUser.id,
+          userName: cachedUser.userName,
+          alias: cachedUser.alias || cachedUser.Alias || '',
+          userAlias: cachedUser.userAlias || cachedUser.UserAlias || '',
+          normalizedUserName: cachedUser.normalizedUserName || cachedUser.NormalizedUserName || ''
+        };
+        
+        return {
+          ...req,
+          requestedUser: hydratedUser,
+          RequestedUser: hydratedUser
+        };
+      }
+    }
+    return req;
+  }
+
+  /**
+   * Hydrates requestedUser on a list of requests using the userMap cache
+   * @param {Array} requests - Array of request objects
+   * @returns {Array} Array of hydrated request objects
+   * @private
+   */
+  _hydrateRequests(requests) {
+    if (!Array.isArray(requests)) return [];
+    return requests.map(req => this._hydrateRequest(req));
+  }
+
   /**
    * Get all movie requests
    * @param {boolean} force - Whether to force refresh from API
@@ -147,7 +207,7 @@ class OmbiRetriever extends ArrRetriever {
    */
   async getMovieRequests(force = false) {
     await this.refreshCache(force);
-    return this.cache.movieRequests;
+    return this._hydrateRequests(this.cache.movieRequests);
   }
 
   /**
@@ -157,7 +217,7 @@ class OmbiRetriever extends ArrRetriever {
    */
   async getTvRequests(force = false) {
     await this.refreshCache(force);
-    return this.cache.tvRequests;
+    return this._hydrateRequests(this.cache.tvRequests);
   }
 
   /**
@@ -171,12 +231,12 @@ class OmbiRetriever extends ArrRetriever {
     
     // Try TMDB ID first
     if (tmdbId && this.cache.movieMap.has(tmdbId)) {
-      return this.cache.movieMap.get(tmdbId);
+      return this._hydrateRequest(this.cache.movieMap.get(tmdbId));
     }
     
     // Try IMDB ID as fallback
     if (imdbId && this.cache.movieMap.has(imdbId)) {
-      return this.cache.movieMap.get(imdbId);
+      return this._hydrateRequest(this.cache.movieMap.get(imdbId));
     }
     
     return null;
@@ -193,12 +253,12 @@ class OmbiRetriever extends ArrRetriever {
     
     // Try TVDB ID first
     if (tvdbId && this.cache.tvMap.has(tvdbId)) {
-      return this.cache.tvMap.get(tvdbId);
+      return this._hydrateRequest(this.cache.tvMap.get(tvdbId));
     }
     
     // Try TMDB ID as fallback
     if (tmdbId && this.cache.tvMap.has(tmdbId)) {
-      return this.cache.tvMap.get(tmdbId);
+      return this._hydrateRequest(this.cache.tvMap.get(tmdbId));
     }
     
     return null;

server/index.js

@@ -13,6 +13,8 @@ const swaggerJsdoc = require('swagger-jsdoc');
 const YAML = require('yamljs');
 require('dotenv').config();
 require('./utils/loadSecrets')();
+const logCapture = require('./utils/logCapture');
+logCapture.init();
 const { version } = require('../package.json');
 
 // Setup logging with levels
@@ -90,6 +92,7 @@ const historyRoutes = require('./routes/history');
 const authRoutes = require('./routes/auth');
 const webhookRoutes = require('./routes/webhook');
 const ombiRoutes = require('./routes/ombi');
+const debugRoutes = require('./routes/debug');
 const verifyCsrf = require('./middleware/verifyCsrf');
 const { startPoller, POLL_INTERVAL, POLLING_ENABLED } = require('./utils/poller');
 const { validateInstanceUrl } = require('./utils/config');
@@ -246,7 +249,7 @@ app.use(express.json({ limit: '64kb' })); // prevent oversized JSON payloads
  *                 version:
  *                   type: string
  *                   description: sofarr version
- *                   example: "1.6.0"
+ *                   example: "1.7.22"
  */
 app.get('/health', (req, res) => {
   res.json({ status: 'ok', uptime: process.uptime(), version });
@@ -367,6 +370,7 @@ function serveIndex(req, res) {
 app.use('/api', apiLimiter);
 app.use('/api/auth', authRoutes);
 app.use('/api/webhook', webhookRoutes);
+app.use('/api/debug', debugRoutes);
 
 // All routes below this point require CSRF validation on mutating methods
 app.use('/api', verifyCsrf);

server/middleware/logStreamAuth.js

@@ -0,0 +1,156 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+const axios = require('axios');
+const crypto = require('crypto');
+const ipaddr = require('ipaddr.js');
+
+function getEmbyUrl() {
+  return process.env.EMBY_URL;
+}
+
+function isIpAllowed(clientIp, allowedSubnetsStr) {
+  if (!allowedSubnetsStr) return true;
+  try {
+    const clientIpParsed = ipaddr.parse(clientIp);
+    const subnets = allowedSubnetsStr.split(',').map(s => s.trim()).filter(Boolean);
+
+    for (const subnet of subnets) {
+      let rangeStr = subnet;
+      let bits = null;
+      if (subnet.includes('/')) {
+        const parts = subnet.split('/');
+        rangeStr = parts[0];
+        bits = parseInt(parts[1], 10);
+      }
+
+      const rangeIpParsed = ipaddr.parse(rangeStr);
+
+      if (bits === null) {
+        // Exact IP match
+        if (clientIpParsed.toString() === rangeIpParsed.toString()) {
+          return true;
+        }
+        // Handle IPv4 mapped IPv6 address case
+        if (clientIpParsed.kind() === 'ipv6' && clientIpParsed.isIPv4MappedAddress() && rangeIpParsed.kind() === 'ipv4') {
+          if (clientIpParsed.toIPv4Address().toString() === rangeIpParsed.toString()) {
+            return true;
+          }
+        }
+        continue;
+      }
+
+      // Match with subnet bits
+      if (clientIpParsed.kind() === rangeIpParsed.kind()) {
+        if (clientIpParsed.match(rangeIpParsed, bits)) {
+          return true;
+        }
+      } else if (clientIpParsed.kind() === 'ipv6' && clientIpParsed.isIPv4MappedAddress() && rangeIpParsed.kind() === 'ipv4') {
+        // Handle IPv4 mapped IPv6 address case matching IPv4 range
+        if (clientIpParsed.toIPv4Address().match(rangeIpParsed, bits)) {
+          return true;
+        }
+      }
+    }
+  } catch (err) {
+    console.error(`[logStreamAuth] IP parsing error for IP ${clientIp}:`, err.message);
+  }
+  return false;
+}
+
+async function logStreamAuth(req, res, next) {
+  // 1. Subnet IP Filtering (First Priority)
+  const allowedSubnets = process.env.LOG_ALLOW_SUBNETS;
+  if (allowedSubnets && !isIpAllowed(req.ip, allowedSubnets)) {
+    console.warn(`[logStreamAuth] Access denied from unauthorized IP: ${req.ip}`);
+    return res.status(403).json({ error: `Access denied from IP: ${req.ip}` });
+  }
+
+  // 2. Webhook Secret Bypass (High Priority)
+  const secretHeader = req.headers['x-webhook-secret'];
+  const configuredSecret = process.env.SOFARR_WEBHOOK_SECRET;
+  if (configuredSecret && secretHeader === configuredSecret) {
+    return next();
+  }
+
+  // 3. Session Cookie
+  const signed = !!process.env.COOKIE_SECRET;
+  const rawCookie = signed ? req.signedCookies.emby_user : req.cookies.emby_user;
+  if (rawCookie && rawCookie !== false) {
+    try {
+      const u = JSON.parse(rawCookie);
+      if (u && typeof u.id === 'string' && u.id && u.isAdmin === true) {
+        req.user = u;
+        return next();
+      }
+    } catch {
+      // Ignore JSON parse errors, fallback to basic auth
+    }
+  }
+
+  // 4. Basic Authentication Fallback
+  const authHeader = req.headers.authorization;
+  if (authHeader && authHeader.startsWith('Basic ')) {
+    try {
+      const credentialsBase64 = authHeader.substring(6);
+      const credentialsStr = Buffer.from(credentialsBase64, 'base64').toString('utf8');
+      const colonIdx = credentialsStr.indexOf(':');
+
+      if (colonIdx !== -1) {
+        const username = credentialsStr.substring(0, colonIdx).trim();
+        const password = credentialsStr.substring(colonIdx + 1);
+
+        if (username && password) {
+          const embyUrl = getEmbyUrl();
+          if (!embyUrl) {
+            console.error('[logStreamAuth] Emby auth fallback failed: EMBY_URL is not configured');
+            res.setHeader('WWW-Authenticate', 'Basic realm="sofarr log stream debug"');
+            return res.status(401).json({ error: 'Authentication service unavailable' });
+          }
+
+          // Authenticate with Emby using stable DeviceId derived from username
+          const stableDeviceId = 'sofarr-' + crypto.createHash('sha256').update(username.toLowerCase()).digest('hex').slice(0, 16);
+          
+          console.log(`[logStreamAuth] Attempting Basic Auth login for: ${username}`);
+          const authResponse = await axios.post(`${embyUrl}/Users/authenticatebyname`, {
+            Username: username,
+            Pw: password
+          }, {
+            headers: {
+              'X-Emby-Authorization': `MediaBrowser Client="sofarr", Device="sofarr", DeviceId="${stableDeviceId}", Version="1.0.0"`
+            },
+            timeout: 5000
+          });
+
+          const authData = authResponse.data;
+          const userId = authData.User.Id || authData.User.id;
+
+          // Fetch detailed profile to verify administrator status
+          const userResponse = await axios.get(`${embyUrl}/Users/${userId}`, {
+            headers: {
+              'X-MediaBrowser-Token': authData.AccessToken
+            },
+            timeout: 5000
+          });
+
+          const user = userResponse.data;
+          const isAdmin = !!(user.Policy && user.Policy.IsAdministrator);
+
+          if (isAdmin) {
+            console.log(`[logStreamAuth] Basic Auth successful for administrator: ${user.Name}`);
+            req.user = { id: user.Id, name: user.Name, isAdmin: true };
+            return next();
+          } else {
+            console.warn(`[logStreamAuth] Basic Auth rejected: user ${user.Name} is not an administrator`);
+          }
+        }
+      }
+    } catch (err) {
+      console.error('[logStreamAuth] Emby authentication error:', err.message);
+    }
+  }
+
+  // 5. Unauthorized / Access Denied
+  res.setHeader('WWW-Authenticate', 'Basic realm="sofarr log stream debug"');
+  return res.status(401).json({ error: 'Unauthorized' });
+}
+
+module.exports = logStreamAuth;

server/openapi.yaml

@@ -12,13 +12,17 @@ info:
     4. Subsequent requests must include the cookies and send the `X-CSRF-Token` header for state-changing operations (POST, PUT, PATCH, DELETE)
 
     ## Rate Limiting
-    - General API: 300 requests per 15 minutes per IP
-    - Login: 10 failed attempts per 15 minutes per IP
-    - Webhooks: 60 requests per minute per IP
+    To protect the system from resource exhaustion, rate limiters are enforced at different levels:
+    - **General API Limiter**: Enforces a limit of **300 requests per 15 minutes** per IP across all `/api/*` endpoints. 
+      - *Exemption:* Requests starting with `/api/dashboard/cover-art` are completely exempted from this limit to avoid normal dashboard image browsing triggering blocks.
+    - **Login Rate Limiter**: Enforces a strict limit of **10 attempts per 15 minutes** per IP on `POST /api/auth/login`. 
+      - *Exemption:* This limiter only tracks and counts *failed* login attempts (`skipSuccessfulRequests: true`). Successful logins do not count towards the lockout threshold.
+    - **Webhook Limiter**: Enforces a limit of **60 requests per minute** per IP on stateful webhook receiver endpoints (`/api/webhook/*`).
+    - **Health and Readiness Probes**: The public `/health` and `/ready` endpoints are mounted at the root directory level rather than under `/api/*` and are completely exempt from both rate limiting and authentication controls.
 
     ## SSE Streaming
     Real-time updates are available via Server-Sent Events at GET /api/dashboard/stream.
-  version: 1.6.0
+  version: 1.7.22
   contact:
     name: sofarr
   license:
@@ -172,6 +176,27 @@ components:
           nullable: true
           description: Tooltip text for Ombi icon ("Request" or "Search")
           example: "Request"
+        arrLink:
+          type: string
+          nullable: true
+          format: uri
+          description: Sonarr/Radarr show/movie web UI link (admin-only)
+          example: "http://sonarr:8989/series/show-slug"
+        downloadPath:
+          type: string
+          nullable: true
+          description: Save path in download client (admin-only)
+          example: "/downloads/series/show-slug"
+        targetPath:
+          type: string
+          nullable: true
+          description: Target path in library (admin-only)
+          example: "/tv/show-slug"
+        arrInstanceKey:
+          type: string
+          nullable: true
+          description: Sonarr/Radarr instance API key (admin-only)
+          example: "api-key-here"
 
     DashboardPayload:
       type: object
@@ -791,8 +816,15 @@ paths:
     post:
       tags: [Webhook]
       summary: Sonarr webhook
-      description: Receives webhook events from Sonarr. Requires X-Sofarr-Webhook-Secret header.
+      description: Receives webhook events from Sonarr. Requires X-Sofarr-Webhook-Secret header or secret query parameter.
       security: []
+      parameters:
+        - name: secret
+          in: query
+          required: false
+          schema:
+            type: string
+          description: Webhook secret token (alternative to X-Sofarr-Webhook-Secret header)
       requestBody:
         required: true
         content:
@@ -828,8 +860,15 @@ paths:
     post:
       tags: [Webhook]
       summary: Radarr webhook
-      description: Receives webhook events from Radarr. Requires X-Sofarr-Webhook-Secret header.
+      description: Receives webhook events from Radarr. Requires X-Sofarr-Webhook-Secret header or secret query parameter.
       security: []
+      parameters:
+        - name: secret
+          in: query
+          required: false
+          schema:
+            type: string
+          description: Webhook secret token (alternative to X-Sofarr-Webhook-Secret header)
       requestBody:
         required: true
         content:
@@ -865,8 +904,15 @@ paths:
     post:
       tags: [Webhook]
       summary: Ombi webhook
-      description: Receives webhook events from Ombi. Requires X-Sofarr-Webhook-Secret header.
+      description: Receives webhook events from Ombi. Requires X-Sofarr-Webhook-Secret header or secret query parameter.
       security: []
+      parameters:
+        - name: secret
+          in: query
+          required: false
+          schema:
+            type: string
+          description: Webhook secret token (alternative to X-Sofarr-Webhook-Secret header)
       requestBody:
         required: true
         content:
@@ -1752,3 +1798,172 @@ paths:
             application/json:
               schema:
                 $ref: '#/components/schemas/ErrorResponse'
+
+  /api/debug/status:
+    get:
+      tags: [Debug]
+      summary: Check if log streaming is enabled
+      description: Returns whether the log streaming feature is enabled at runtime. No authentication required.
+      security: []
+      responses:
+        '200':
+          description: Feature status returned successfully
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  enabled:
+                    type: boolean
+                    example: true
+
+  /api/debug/server-logs:
+    get:
+      tags: [Debug]
+      summary: Stream server logs in real-time
+      description: |
+        Streams server-side standard output (stdout/stderr) logs via Server-Sent Events (SSE).
+        
+        **Security Policies:**
+        - **Subnet IP Filtering**: IP must match subnet ranges configured in `LOG_ALLOW_SUBNETS` (if set).
+        - **Bypass Header**: Direct bypass if `X-Webhook-Secret` header matches the configured `SOFARR_WEBHOOK_SECRET`.
+        - **Session Auth**: Emby session cookie `emby_user` where user is an administrator.
+        - **Basic Auth Fallback**: `Authorization` header containing credentials of a valid Emby administrator.
+      security:
+        - CookieAuth: []
+      parameters:
+        - name: X-Webhook-Secret
+          in: header
+          required: false
+          schema:
+            type: string
+            description: Fast-track webhook secret bypass token
+      responses:
+        '200':
+          description: Event stream established
+          content:
+            text/event-stream:
+              schema:
+                type: string
+        '401':
+          description: Unauthorized
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ErrorResponse'
+        '403':
+          description: Forbidden (feature disabled or IP not in subnet allowlist)
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ErrorResponse'
+
+  /api/debug/client-logs:
+    get:
+      tags: [Debug]
+      summary: Stream client console logs in real-time
+      description: |
+        Streams client-side console logs via Server-Sent Events (SSE).
+        
+        **Security Policies:**
+        - **Subnet IP Filtering**: IP must match subnet ranges configured in `LOG_ALLOW_SUBNETS` (if set).
+        - **Bypass Header**: Direct bypass if `X-Webhook-Secret` header matches the configured `SOFARR_WEBHOOK_SECRET`.
+        - **Session Auth**: Emby session cookie `emby_user` where user is an administrator.
+        - **Basic Auth Fallback**: `Authorization` header containing credentials of a valid Emby administrator.
+      security:
+        - CookieAuth: []
+      parameters:
+        - name: X-Webhook-Secret
+          in: header
+          required: false
+          schema:
+            type: string
+            description: Fast-track webhook secret bypass token
+      responses:
+        '200':
+          description: Event stream established
+          content:
+            text/event-stream:
+              schema:
+                type: string
+        '401':
+          description: Unauthorized
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ErrorResponse'
+        '403':
+          description: Forbidden (feature disabled or IP not in subnet allowlist)
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ErrorResponse'
+    post:
+      tags: [Debug]
+      summary: Ingest client console logs
+      description: |
+        Ingests a batch of client-side console logs into the server-side rolling clientLogBuffer.
+        
+        **Security Policies:**
+        - **Subnet IP Filtering**: IP must match subnet ranges configured in `LOG_ALLOW_SUBNETS` (if set).
+        - **Bypass Header**: Direct bypass if `X-Webhook-Secret` header matches the configured `SOFARR_WEBHOOK_SECRET`.
+        - **Session Auth**: Emby session cookie `emby_user` where user is an administrator.
+        - **Basic Auth Fallback**: `Authorization` header containing credentials of a valid Emby administrator.
+      security:
+        - CookieAuth: []
+      parameters:
+        - name: X-Webhook-Secret
+          in: header
+          required: false
+          schema:
+            type: string
+            description: Fast-track webhook secret bypass token
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: array
+              items:
+                type: object
+                required: [level, message]
+                properties:
+                  timestamp:
+                    type: string
+                    format: date-time
+                  level:
+                    type: string
+                    enum: [info, warn, error]
+                  message:
+                    type: string
+      responses:
+        '200':
+          description: Logs ingested successfully
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  success:
+                    type: boolean
+                  count:
+                    type: integer
+        '400':
+          description: Invalid JSON body
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ErrorResponse'
+        '401':
+          description: Unauthorized
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ErrorResponse'
+        '403':
+          description: Forbidden (feature disabled or IP not in subnet allowlist)
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ErrorResponse'
+

server/routes/dashboard.js

@@ -51,17 +51,43 @@ function readCacheSnapshot() {
 function buildMetadataMaps(snapshot) {
   const seriesMap = new Map();
   for (const r of snapshot.sonarrQueue.data.records) {
-    if (r.series && r.seriesId) seriesMap.set(r.seriesId, r.series);
+    if (r.series && r.seriesId) {
+      if (!r.series._instanceUrl && r._instanceUrl) {
+        r.series._instanceUrl = r._instanceUrl;
+      }
+      seriesMap.set(r.seriesId, r.series);
+    }
   }
   for (const r of snapshot.sonarrHistory.data.records) {
-    if (r.series && r.seriesId && !seriesMap.has(r.seriesId)) seriesMap.set(r.seriesId, r.series);
+    if (r.series && r.seriesId) {
+      if (!r.series._instanceUrl && r._instanceUrl) {
+        r.series._instanceUrl = r._instanceUrl;
+      }
+      const existing = seriesMap.get(r.seriesId);
+      if (!existing || (!existing._instanceUrl && r.series._instanceUrl)) {
+        seriesMap.set(r.seriesId, r.series);
+      }
+    }
   }
   const moviesMap = new Map();
   for (const r of snapshot.radarrQueue.data.records) {
-    if (r.movie && r.movieId) moviesMap.set(r.movieId, r.movie);
+    if (r.movie && r.movieId) {
+      if (!r.movie._instanceUrl && r._instanceUrl) {
+        r.movie._instanceUrl = r._instanceUrl;
+      }
+      moviesMap.set(r.movieId, r.movie);
+    }
   }
   for (const r of snapshot.radarrHistory.data.records) {
-    if (r.movie && r.movieId && !moviesMap.has(r.movieId)) moviesMap.set(r.movieId, r.movie);
+    if (r.movie && r.movieId) {
+      if (!r.movie._instanceUrl && r._instanceUrl) {
+        r.movie._instanceUrl = r._instanceUrl;
+      }
+      const existing = moviesMap.get(r.movieId);
+      if (!existing || (!existing._instanceUrl && r.movie._instanceUrl)) {
+        moviesMap.set(r.movieId, r.movie);
+      }
+    }
   }
   const sonarrTagMap = new Map(snapshot.sonarrTagsResults.flatMap(t => t.data || []).map(t => [t.id, t.label]));
   const radarrTagMap = new Map(snapshot.radarrTags.data.map(t => [t.id, t.label]));
@@ -686,17 +712,33 @@ router.post('/blocklist-search', requireAuth, async (req, res) => {
       return res.status(400).json({ error: 'arrType must be sonarr or radarr' });
     }
 
-    // Look up the download to verify permission
-    const allDownloads = await downloadClientRegistry.getAllDownloads();
-    const download = allDownloads.find(d => d.arrQueueId === arrQueueId && d.arrType === arrType);
+    // Look up the queue record directly from the *arr cache.
+    // downloadClientRegistry.getAllDownloads() returns raw download-client data
+    // (qBittorrent, SABnzbd, etc.) which never has arrQueueId set — that field
+    // is only populated later by DownloadMatcher during the SSE build phase.
+    // Instead, we verify permission by finding the record in the Sonarr/Radarr
+    // queue cache where record.id is the numeric queue ID.
+    // Cast both sides to String to handle the DOM dataset → string vs API → number mismatch.
+    const queueCacheKey = arrType === 'sonarr' ? 'poll:sonarr-queue' : 'poll:radarr-queue';
+    const queueData = cache.get(queueCacheKey) || { records: [] };
+    const queueRecord = (queueData.records || []).find(r => r.id != null && String(r.id) === String(arrQueueId));
 
-    if (!download) {
-      console.error('[Blocklist] Download not found:', { arrQueueId, arrType });
+    if (!queueRecord) {
+      console.error('[Blocklist] Download not found in arr queue cache:', { arrQueueId, arrType });
       return res.status(403).json({ error: 'Download not found or permission denied' });
     }
 
+    // Build a minimal download-like object for canBlocklist eligibility check.
+    // Includes importIssues so non-admins can blocklist stalled/import-pending items.
+    const importIssues = require('../services/DownloadAssembler').getImportIssues(queueRecord);
+    const downloadForCheck = {
+      importIssues: importIssues || [],
+      arrQueueId: queueRecord.id,
+      arrType
+    };
+
     // Check if user can blocklist this download
-    if (!canBlocklist(download, user.isAdmin)) {
+    if (!canBlocklist(downloadForCheck, user.isAdmin)) {
       console.log('[Blocklist] Permission denied:', { user: user.name, isAdmin: user.isAdmin, arrQueueId, arrType });
       return res.status(403).json({ error: 'Permission denied: admin or qualifying conditions required' });
     }

server/routes/debug.js

@@ -0,0 +1,143 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+const express = require('express');
+const router = express.Router();
+const logStreamAuth = require('../middleware/logStreamAuth');
+const {
+  logEmitter,
+  logBuffer,
+  clientLogBuffer,
+  ingestClientLogs
+} = require('../utils/logCapture');
+
+// Public status check (no auth, no 403 block, returns standard config state)
+router.get('/status', (req, res) => {
+  res.json({ enabled: process.env.ENABLE_LOG_STREAM === 'true' });
+});
+
+// Global toggle check
+router.use((req, res, next) => {
+  if (process.env.ENABLE_LOG_STREAM !== 'true') {
+    return res.status(403).json({ error: 'Log streaming feature is disabled' });
+  }
+  next();
+});
+
+// Enforce subnet and authentication validations on all debug routes
+router.use(logStreamAuth);
+
+/**
+ * GET /api/debug/server-logs
+ * Exposes a real-time SSE stream of intercepted server stdout/stderr logs.
+ */
+router.get('/server-logs', (req, res) => {
+  res.writeHead(200, {
+    'Content-Type': 'text/event-stream',
+    'Cache-Control': 'no-cache',
+    'Connection': 'keep-alive',
+    'X-Accel-Buffering': 'no'
+  });
+
+  // Send historical server logs buffer first
+  for (const line of logBuffer) {
+    res.write(`data: ${line}\n\n`);
+  }
+
+  // Gracefully close for integration testing
+  if (req.query.testClose === 'true') {
+    res.end();
+    return;
+  }
+
+  const sendLog = (line) => {
+    try {
+      res.write(`data: ${line}\n\n`);
+    } catch (err) {
+      console.error('[debugRoutes] Error sending server log line:', err.message);
+    }
+  };
+
+  logEmitter.on('server-log', sendLog);
+
+  // 25s heartbeat comment to prevent proxy timeouts
+  const heartbeat = setInterval(() => {
+    try {
+      res.write(': heartbeat\n\n');
+    } catch {
+      // Ignore
+    }
+  }, 25000);
+
+  req.on('close', () => {
+    clearInterval(heartbeat);
+    logEmitter.off('server-log', sendLog);
+  });
+});
+
+/**
+ * GET /api/debug/client-logs
+ * Exposes a real-time SSE stream of ingested client-side console logs.
+ */
+router.get('/client-logs', (req, res) => {
+  res.writeHead(200, {
+    'Content-Type': 'text/event-stream',
+    'Cache-Control': 'no-cache',
+    'Connection': 'keep-alive',
+    'X-Accel-Buffering': 'no'
+  });
+
+  // Send historical client logs buffer first
+  for (const line of clientLogBuffer) {
+    res.write(`data: ${line}\n\n`);
+  }
+
+  // Gracefully close for integration testing
+  if (req.query.testClose === 'true') {
+    res.end();
+    return;
+  }
+
+  const sendClientLog = (line) => {
+    try {
+      res.write(`data: ${line}\n\n`);
+    } catch (err) {
+      console.error('[debugRoutes] Error sending client log line:', err.message);
+    }
+  };
+
+  logEmitter.on('client-log', sendClientLog);
+
+  // 25s heartbeat comment to prevent proxy timeouts
+  const heartbeat = setInterval(() => {
+    try {
+      res.write(': heartbeat\n\n');
+    } catch {
+      // Ignore
+    }
+  }, 25000);
+
+  req.on('close', () => {
+    clearInterval(heartbeat);
+    logEmitter.off('client-log', sendClientLog);
+  });
+});
+
+/**
+ * POST /api/debug/client-logs
+ * Receives batches of frontend console logs to store in buffer and emit.
+ */
+router.post('/client-logs', (req, res) => {
+  const logs = req.body;
+  if (!Array.isArray(logs)) {
+    return res.status(400).json({ error: 'Body must be a JSON array of log entries' });
+  }
+
+  try {
+    ingestClientLogs(logs);
+    return res.status(200).json({ success: true, count: logs.length });
+  } catch (err) {
+    console.error('[debugRoutes] Ingestion failed:', err.message);
+    return res.status(500).json({ error: 'Internal server error during ingestion' });
+  }
+});
+
+module.exports = router;

server/routes/ombi.js

@@ -2,7 +2,7 @@
 const express = require('express');
 const { logToFile } = require('../utils/logger');
 const cache = require('../utils/cache');
-const { getOmbiInstances, getWebhookSecret, getSofarrBaseUrl } = require('../utils/config');
+const { getOmbiInstances, getWebhookSecret, getSofarrBaseUrl, getSofarrWebhookBaseUrl } = require('../utils/config');
 const requireAuth = require('../middleware/requireAuth');
 const { extractRequestedUser, filterRequestsByUser } = require('../utils/ombiHelpers');
 const { applyRequestFilters } = require('../utils/ombiFilters');
@@ -120,6 +120,66 @@ router.get('/requests', requireAuth, async (req, res) => {
     const filteredMovieRequests = filterRequestsByUser(ombiRequests.movie || [], username, showAll);
     const filteredTvRequests = filterRequestsByUser(ombiRequests.tv || [], username, showAll);
 
+    // Admin only: add Sonarr/Radarr lookup links
+    if (isAdmin) {
+      const sonarrRetrievers = arrRetrieverRegistry.getRetrieversByType('sonarr') || [];
+      const radarrRetrievers = arrRetrieverRegistry.getRetrieversByType('radarr') || [];
+
+      // Fetch all series and movies in parallel to match
+      const [sonarrData, radarrData] = await Promise.all([
+        Promise.all(sonarrRetrievers.map(async r => {
+          try {
+            const response = await require('axios').get(`${r.url}/api/v3/series`, {
+              headers: { 'X-Api-Key': r.apiKey }
+            });
+            return { instance: r, series: response.data || [] };
+          } catch {
+            return { instance: r, series: [] };
+          }
+        })),
+        Promise.all(radarrRetrievers.map(async r => {
+          try {
+            const response = await require('axios').get(`${r.url}/api/v3/movie`, {
+              headers: { 'X-Api-Key': r.apiKey }
+            });
+            return { instance: r, movies: response.data || [] };
+          } catch {
+            return { instance: r, movies: [] };
+          }
+        }))
+      ]);
+
+      // For TV requests, find match in Sonarr
+      filteredTvRequests.forEach(req => {
+        const tvdbId = req.theTvDbId || req.theMovieDbId || req.theTvdbId || req.theTmdbId || req.TvDbId || req.TheTvDbId;
+        if (!tvdbId) return;
+
+        for (const instData of sonarrData) {
+          const match = instData.series.find(s => s && (s.tvdbId === parseInt(tvdbId, 10) || s.tmdbId === parseInt(tvdbId, 10)));
+          if (match && match.titleSlug) {
+            req.arrLink = `${instData.instance.url}/series/${match.titleSlug}`;
+            req.arrType = 'sonarr';
+            break;
+          }
+        }
+      });
+
+      // For Movie requests, find match in Radarr
+      filteredMovieRequests.forEach(req => {
+        const tmdbId = req.theMovieDbId || req.imdbId || req.theTmdbId || req.TheMovieDbId || req.ImdbId;
+        if (!tmdbId) return;
+
+        for (const instData of radarrData) {
+          const match = instData.movies.find(m => m && (m.tmdbId === parseInt(tmdbId, 10) || m.imdbId === tmdbId));
+          if (match && match.titleSlug) {
+            req.arrLink = `${instData.instance.url}/movie/${match.titleSlug}`;
+            req.arrType = 'radarr';
+            break;
+          }
+        }
+      });
+    }
+
     // Tag with mediaType and flatten for filtering/sorting
     const allRequests = [
       ...filteredMovieRequests.map(r => ({ ...r, mediaType: 'movie' })),
@@ -205,10 +265,10 @@ router.get('/requests', requireAuth, async (req, res) => {
  */
 router.post('/webhook/enable', requireAuth, async (req, res) => {
   try {
-    const sofarrBaseUrl = getSofarrBaseUrl();
+    const webhookBaseUrl = getSofarrWebhookBaseUrl();
     const webhookSecret = getWebhookSecret();
 
-    if (!sofarrBaseUrl) {
+    if (!webhookBaseUrl) {
       return res.status(400).json({ error: 'SOFARR_BASE_URL not configured' });
     }
     if (!webhookSecret) {
@@ -221,7 +281,7 @@ router.post('/webhook/enable', requireAuth, async (req, res) => {
     }
 
     const ombiInst = ombiInstances[0];
-    const webhookUrl = `${sofarrBaseUrl}/api/webhook/ombi`;
+    const webhookUrl = `${webhookBaseUrl}/api/webhook/ombi?secret=${webhookSecret}`;
 
     // Call Ombi API to register webhook
     const axios = require('axios');
@@ -462,10 +522,10 @@ router.get('/webhook/status', requireAuth, async (req, res) => {
  */
 router.post('/webhook/test', requireAuth, async (req, res) => {
   try {
-    const sofarrBaseUrl = getSofarrBaseUrl();
+    const webhookBaseUrl = getSofarrWebhookBaseUrl();
     const webhookSecret = getWebhookSecret();
 
-    if (!sofarrBaseUrl) {
+    if (!webhookBaseUrl) {
       return res.status(400).json({ error: 'SOFARR_BASE_URL not configured' });
     }
     if (!webhookSecret) {
@@ -478,25 +538,71 @@ router.post('/webhook/test', requireAuth, async (req, res) => {
     }
 
     const ombiInst = ombiInstances[0];
-    const webhookUrl = `${sofarrBaseUrl}/api/webhook/ombi`;
+    const webhookUrl = `${webhookBaseUrl}/api/webhook/ombi`;
 
     // Simulate a test webhook event
     const axios = require('axios');
-    await axios.post(webhookUrl, {
-      notificationType: 'RequestAvailable',
-      requestId: 0,
-      requestedUser: 'test',
-      title: 'Test Request',
-      type: 'Movie',
-      requestStatus: 'Pending'
-    }, {
-      headers: {
-        'X-Sofarr-Webhook-Secret': webhookSecret,
-        'Content-Type': 'application/json'
+    try {
+      await axios.post(webhookUrl, {
+        notificationType: 'RequestAvailable',
+        requestId: 0,
+        requestedUser: 'test',
+        title: 'Test Request',
+        type: 'Movie',
+        requestStatus: 'Pending'
+      }, {
+        headers: {
+          'X-Sofarr-Webhook-Secret': webhookSecret,
+          'Content-Type': 'application/json'
+        }
+      });
+      logToFile(`[Ombi] Test webhook sent to ${webhookUrl}`);
+    } catch (error) {
+      logToFile(`[Ombi] Public test webhook request to ${webhookUrl} failed: ${error.message}. Trying local loopback fallback.`);
+      
+      const port = process.env.PORT || 3001;
+      const tlsEnabled = (process.env.TLS_ENABLED || 'true').toLowerCase() !== 'false';
+      
+      let useHttps = false;
+      if (tlsEnabled) {
+        const fs = require('fs');
+        const path = require('path');
+        const certsDir = path.join(__dirname, '../../certs');
+        const tlsCertPath = process.env.TLS_CERT || path.join(certsDir, 'snakeoil.crt');
+        const tlsKeyPath  = process.env.TLS_KEY  || path.join(certsDir, 'snakeoil.key');
+        try {
+          fs.readFileSync(tlsCertPath);
+          fs.readFileSync(tlsKeyPath);
+          useHttps = true;
+        } catch {
+          useHttps = false;
+        }
       }
-    });
-
-    logToFile(`[Ombi] Test webhook sent to ${webhookUrl}`);
+      
+      const localUrl = `${useHttps ? 'https' : 'http'}://127.0.0.1:${port}/api/webhook/ombi`;
+      
+      const https = require('https');
+      const agent = new https.Agent({
+        rejectUnauthorized: false
+      });
+      
+      await axios.post(localUrl, {
+        notificationType: 'RequestAvailable',
+        requestId: 0,
+        requestedUser: 'test',
+        title: 'Test Request',
+        type: 'Movie',
+        requestStatus: 'Pending'
+      }, {
+        headers: {
+          'X-Sofarr-Webhook-Secret': webhookSecret,
+          'Content-Type': 'application/json'
+        },
+        httpsAgent: useHttps ? agent : undefined
+      });
+      
+      logToFile(`[Ombi] Test webhook sent via local loopback to ${localUrl}`);
+    }
 
     res.json({ success: true });
   } catch (error) {

server/routes/radarr.js

@@ -4,7 +4,7 @@ const axios = require('axios');
 const router = express.Router();
 const requireAuth = require('../middleware/requireAuth');
 const sanitizeError = require('../utils/sanitizeError');
-const { getWebhookSecret, getSofarrBaseUrl, getRadarrInstances } = require('../utils/config');
+const { getWebhookSecret, getSofarrBaseUrl, getRadarrInstances, getSofarrWebhookBaseUrl } = require('../utils/config');
 
 // Helper to get first Radarr instance (for notification proxy routes)
 function getFirstRadarrInstance() {
@@ -286,17 +286,17 @@ router.post('/notifications/sofarr-webhook', async (req, res) => {
     return res.status(503).json({ error: 'Radarr not configured' });
   }
   try {
-    const sofarrBaseUrl = getSofarrBaseUrl();
+    const webhookBaseUrl = getSofarrWebhookBaseUrl();
     const webhookSecret = getWebhookSecret();
-
-    if (!sofarrBaseUrl) {
+ 
+    if (!webhookBaseUrl) {
       return res.status(400).json({ error: 'SOFARR_BASE_URL not configured' });
     }
     if (!webhookSecret) {
       return res.status(400).json({ error: 'SOFARR_WEBHOOK_SECRET not configured' });
     }
-
-    const webhookUrl = `${sofarrBaseUrl}/api/webhook/radarr`;
+ 
+    const webhookUrl = `${webhookBaseUrl}/api/webhook/radarr`;
 
     // Check if Sofarr webhook already exists
     const listResponse = await axios.get(`${instance.url}/api/v3/notification`, {

server/routes/sonarr.js

@@ -4,7 +4,7 @@ const axios = require('axios');
 const router = express.Router();
 const requireAuth = require('../middleware/requireAuth');
 const sanitizeError = require('../utils/sanitizeError');
-const { getWebhookSecret, getSofarrBaseUrl, getSonarrInstances } = require('../utils/config');
+const { getWebhookSecret, getSofarrBaseUrl, getSonarrInstances, getSofarrWebhookBaseUrl } = require('../utils/config');
 
 // Helper to get first Sonarr instance (for notification proxy routes)
 function getFirstSonarrInstance() {
@@ -286,17 +286,17 @@ router.post('/notifications/sofarr-webhook', async (req, res) => {
     return res.status(503).json({ error: 'Sonarr not configured' });
   }
   try {
-    const sofarrBaseUrl = getSofarrBaseUrl();
+    const webhookBaseUrl = getSofarrWebhookBaseUrl();
     const webhookSecret = getWebhookSecret();
-
-    if (!sofarrBaseUrl) {
+ 
+    if (!webhookBaseUrl) {
       return res.status(400).json({ error: 'SOFARR_BASE_URL not configured' });
     }
     if (!webhookSecret) {
       return res.status(400).json({ error: 'SOFARR_WEBHOOK_SECRET not configured' });
     }
-
-    const webhookUrl = `${sofarrBaseUrl}/api/webhook/sonarr`;
+ 
+    const webhookUrl = `${webhookBaseUrl}/api/webhook/sonarr`;
 
     // Check if Sofarr webhook already exists
     const listResponse = await axios.get(`${instance.url}/api/v3/notification`, {

server/routes/webhook.js

@@ -144,13 +144,13 @@ const OMBI_EVENTS = new Set([
 ]);
 
 /**
- * Validate webhook secret from the X-Sofarr-Webhook-Secret header
+ * Validate webhook secret from the X-Sofarr-Webhook-Secret header or secret query parameter
  * @param {Object} req - Express request object
  * @returns {boolean} True if secret is valid, false otherwise
  */
 function validateWebhookSecret(req) {
   const expectedSecret = getWebhookSecret();
-  const providedSecret = req.get('X-Sofarr-Webhook-Secret');
+  const providedSecret = req.get('X-Sofarr-Webhook-Secret') || req.query.secret;
 
   if (!expectedSecret) {
     logToFile('[Webhook] WARNING: SOFARR_WEBHOOK_SECRET not configured, rejecting webhook');
@@ -158,7 +158,7 @@ function validateWebhookSecret(req) {
   }
 
   if (!providedSecret) {
-    logToFile('[Webhook] WARNING: Missing X-Sofarr-Webhook-Secret header');
+    logToFile('[Webhook] WARNING: Missing X-Sofarr-Webhook-Secret header or secret query parameter');
     return false;
   }
 
@@ -180,7 +180,7 @@ function validateWebhookSecret(req) {
  * @param {string} serviceType - 'sonarr', 'radarr', or 'ombi'
  * @param {string} eventType   - the eventType from the webhook payload
  */
-async function processWebhookEvent(serviceType, eventType) {
+async function processWebhookEvent(serviceType, eventType, payload = null) {
   const affectsQueue = QUEUE_EVENTS.has(eventType);
   const affectsHistory = HISTORY_EVENTS.has(eventType);
   const affectsOmbi = OMBI_EVENTS.has(eventType);
@@ -259,9 +259,66 @@ async function processWebhookEvent(serviceType, eventType) {
     const ombiInstances = getOmbiInstances();
 
     if (affectsOmbi) {
-      // Add a 2000ms delay to resolve the race condition where Ombi fires the webhook before committing to DB
-      await new Promise(r => setTimeout(r, 2000));
-      const ombiRequests = await arrRetrieverRegistry.getOmbiRequests(true);
+      const delayMs = parseInt(process.env.OMBI_WEBHOOK_REFRESH_DELAY_MS, 10);
+      const initialDelay = !isNaN(delayMs) ? delayMs : 2000;
+      logToFile(`[Webhook] Waiting initial delay of ${initialDelay}ms for Ombi webhook synchronization...`);
+      await new Promise(r => setTimeout(r, initialDelay));
+
+      const requestId = payload ? (payload.requestId || payload.RequestId || payload.id || payload.Id) : null;
+      const mediaType = payload ? (payload.type || payload.Type || '').toLowerCase() : null;
+
+      let ombiRequests = { movie: [], tv: [] };
+      let foundAndValid = false;
+      const maxRetries = 3;
+      const retryDelayMs = 1500;
+
+      for (let attempt = 1; attempt <= maxRetries; attempt++) {
+        if (attempt > 1) {
+          logToFile(`[Webhook] Ombi request not found or missing user (attempt ${attempt-1}/${maxRetries}), retrying in ${retryDelayMs}ms...`);
+          await new Promise(r => setTimeout(r, retryDelayMs));
+        }
+
+        ombiRequests = await arrRetrieverRegistry.getOmbiRequests(true);
+
+        if (!requestId) {
+          // If no requestId was provided in payload, we can't search specifically, so just accept the fetch
+          foundAndValid = true;
+          break;
+        }
+
+        // Search in movie or tv lists
+        const targetList = (mediaType === 'tv' || mediaType === 'series') ? (ombiRequests.tv || []) : (ombiRequests.movie || []);
+        // Also check both if mediaType not specified
+        const searchList = mediaType ? targetList : [...(ombiRequests.movie || []), ...(ombiRequests.tv || [])];
+
+        const targetReq = searchList.find(r => r && (r.id === requestId || r.Id === requestId));
+        if (targetReq) {
+          const user = extractRequestedUser(targetReq);
+          if (user) {
+            logToFile(`[Webhook] Verified request ${requestId} has valid user "${user}" on attempt ${attempt}`);
+            foundAndValid = true;
+            break;
+          } else {
+            logToFile(`[Webhook] Found request ${requestId} on attempt ${attempt}, but user extraction was empty.`);
+          }
+        } else {
+          logToFile(`[Webhook] Request ${requestId} not found in retrieved list on attempt ${attempt}.`);
+        }
+      }
+
+      if (!foundAndValid && requestId) {
+        logToFile(`[Webhook] WARNING: Could not verify request ${requestId} with valid user info after ${maxRetries} retries.`);
+        // Try to log the raw target request if we found one
+        ombiRequests = await arrRetrieverRegistry.getOmbiRequests(true);
+        const searchList = [...(ombiRequests.movie || []), ...(ombiRequests.tv || [])];
+        const targetReq = searchList.find(r => r && (r.id === requestId || r.Id === requestId));
+        if (targetReq) {
+          logToFile(`[Webhook] Raw request object where extraction failed: ${JSON.stringify(targetReq)}`);
+        } else {
+          logToFile(`[Webhook] Request ${requestId} was completely absent from Ombi requests list.`);
+        }
+      }
+
       cache.set('poll:ombi-requests', ombiRequests, CACHE_TTL);
       logToFile(`[Webhook] Refreshed poll:ombi-requests (${ombiRequests.movie?.length || 0} movies, ${ombiRequests.tv?.length || 0} TV shows)`);
     }
@@ -309,13 +366,13 @@ function validatePayload(body) {
  *       Receives webhook events from Sonarr instances. Validates the secret, logs the event,
  *       refreshes cache, broadcasts SSE, and returns 200 immediately (fire-and-forget processing).
  *
- *       **Authentication:** Requires `X-Sofarr-Webhook-Secret` header matching `SOFARR_WEBHOOK_SECRET`.
+ *       **Authentication:** Requires `X-Sofarr-Webhook-Secret` header or `secret` query parameter matching `SOFARR_WEBHOOK_SECRET`.
  *       No cookie authentication required (webhooks come from Sonarr, not browsers).
  *
  *       **Rate Limiting:** 60 requests per minute per IP.
  *
  *       **Validation:**
- *       - Secret validation via `X-Sofarr-Webhook-Secret` header
+ *       - Secret validation via `X-Sofarr-Webhook-Secret` header or `secret` query parameter
  *       - Payload validation (must be JSON object with eventType, instanceName, date)
  *       - Event type must be in allowlist (Test, Grab, Download, DownloadFailed, etc.)
  *       - Replay protection: rejects duplicate events within 5-minute window
@@ -342,6 +399,13 @@ function validatePayload(body) {
  *       - Header: `X-Sofarr-Webhook-Secret: {SOFARR_WEBHOOK_SECRET}`
  *       - Events: onGrab, onDownload, onUpgrade, onImport
  *     security: []
+ *     parameters:
+ *       - name: secret
+ *         in: query
+ *         required: false
+ *         schema:
+ *           type: string
+ *         description: Webhook secret token (alternative to X-Sofarr-Webhook-Secret header)
  *     requestBody:
  *       required: true
  *       content:
@@ -456,13 +520,13 @@ router.post('/sonarr', webhookLimiter, (req, res) => {
  *       Receives webhook events from Radarr instances. Validates the secret, logs the event,
  *       refreshes cache, broadcasts SSE, and returns 200 immediately (fire-and-forget processing).
  *
- *       **Authentication:** Requires `X-Sofarr-Webhook-Secret` header matching `SOFARR_WEBHOOK_SECRET`.
+ *       **Authentication:** Requires `X-Sofarr-Webhook-Secret` header or `secret` query parameter matching `SOFARR_WEBHOOK_SECRET`.
  *       No cookie authentication required (webhooks come from Radarr, not browsers).
  *
  *       **Rate Limiting:** 60 requests per minute per IP.
  *
  *       **Validation:**
- *       - Secret validation via `X-Sofarr-Webhook-Secret` header
+ *       - Secret validation via `X-Sofarr-Webhook-Secret` header or `secret` query parameter
  *       - Payload validation (must be JSON object with eventType, instanceName, date)
  *       - Event type must be in allowlist (Test, Grab, Download, DownloadFailed, etc.)
  *       - Replay protection: rejects duplicate events within 5-minute window
@@ -489,6 +553,13 @@ router.post('/sonarr', webhookLimiter, (req, res) => {
  *       - Header: `X-Sofarr-Webhook-Secret: {SOFARR_WEBHOOK_SECRET}`
  *       - Events: onGrab, onDownload, onUpgrade, onImport
  *     security: []
+ *     parameters:
+ *       - name: secret
+ *         in: query
+ *         required: false
+ *         schema:
+ *           type: string
+ *         description: Webhook secret token (alternative to X-Sofarr-Webhook-Secret header)
  *     requestBody:
  *       required: true
  *       content:
@@ -603,13 +674,13 @@ router.post('/radarr', webhookLimiter, (req, res) => {
  *       Receives webhook events from Ombi instances. Validates the secret, logs the event,
  *       refreshes cache, broadcasts SSE, and returns 200 immediately (fire-and-forget processing).
  *
- *       **Authentication:** Requires `X-Sofarr-Webhook-Secret` header matching `SOFARR_WEBHOOK_SECRET`.
+ *       **Authentication:** Requires `X-Sofarr-Webhook-Secret` header or `secret` query parameter matching `SOFARR_WEBHOOK_SECRET`.
  *       No cookie authentication required (webhooks come from Ombi, not browsers).
  *
  *       **Rate Limiting:** 60 requests per minute per IP.
  *
  *       **Validation:**
- *       - Secret validation via `X-Sofarr-Webhook-Secret` header
+ *       - Secret validation via `X-Sofarr-Webhook-Secret` header or `secret` query parameter
  *       - Payload validation (must be JSON object with notificationType, requestId)
  *       - Event type must be in allowlist (RequestAvailable, RequestApproved, RequestDeclined, RequestPending, RequestProcessing)
  *       - Replay protection: rejects duplicate events within 5-minute window
@@ -627,11 +698,17 @@ router.post('/radarr', webhookLimiter, (req, res) => {
  *       6. Background: fetch fresh data from Ombi, update cache, broadcast SSE
  *
  *       **x-integration-notes:** Configure Ombi webhook:
- *       - URL: `{SOFARR_BASE_URL}/api/webhook/ombi`
+ *       - URL: `{SOFARR_BASE_URL}/api/webhook/ombi?secret={SOFARR_WEBHOOK_SECRET}`
  *       - Method: POST
- *       - Header: `X-Sofarr-Webhook-Secret: {SOFARR_WEBHOOK_SECRET}`
  *       - Application Token: OMBI_API_KEY
  *     security: []
+ *     parameters:
+ *       - name: secret
+ *         in: query
+ *         required: false
+ *         schema:
+ *           type: string
+ *         description: Webhook secret token (alternative to X-Sofarr-Webhook-Secret header)
  *     requestBody:
  *       required: true
  *       content:
@@ -757,7 +834,7 @@ router.post('/ombi', webhookLimiter, (req, res) => {
     }
 
     // Background cache refresh + SSE broadcast (fire-and-forget)
-    processWebhookEvent('ombi', eventType).catch(err => {
+    processWebhookEvent('ombi', eventType, req.body).catch(err => {
       logToFile(`[Webhook] Ombi background refresh error: ${err.message}`);
     });
 

server/services/DownloadMatcher.js

@@ -215,6 +215,9 @@ async function matchSabSlots(slots, context) {
           if (isAdmin) {
             dlObj.downloadPath = slot.storage || null;
             dlObj.targetPath = series.path || null;
+            if (series && !series._instanceUrl && sonarrMatch._instanceUrl) {
+              series._instanceUrl = sonarrMatch._instanceUrl;
+            }
             dlObj.arrLink = DownloadAssembler.getSonarrLink(series);
             dlObj.arrInstanceKey = sonarrMatch._instanceKey || null;
           }
@@ -269,6 +272,9 @@ async function matchSabSlots(slots, context) {
           if (isAdmin) {
             dlObj.downloadPath = slot.storage || null;
             dlObj.targetPath = movie.path || null;
+            if (movie && !movie._instanceUrl && radarrMatch._instanceUrl) {
+              movie._instanceUrl = radarrMatch._instanceUrl;
+            }
             dlObj.arrLink = DownloadAssembler.getRadarrLink(movie);
             dlObj.arrInstanceKey = radarrMatch._instanceKey || null;
           }
@@ -459,6 +465,9 @@ async function matchTorrents(torrents, context) {
           if (isAdmin) {
             download.downloadPath = download.savePath || null;
             download.targetPath = series.path || null;
+            if (series && !series._instanceUrl && sonarrMatch._instanceUrl) {
+              series._instanceUrl = sonarrMatch._instanceUrl;
+            }
             download.arrLink = DownloadAssembler.getSonarrLink(series);
             download.arrInstanceKey = sonarrMatch._instanceKey || null;
           }
@@ -505,6 +514,9 @@ async function matchTorrents(torrents, context) {
           if (isAdmin) {
             download.downloadPath = download.savePath || null;
             download.targetPath = movie.path || null;
+            if (movie && !movie._instanceUrl && radarrMatch._instanceUrl) {
+              movie._instanceUrl = radarrMatch._instanceUrl;
+            }
             download.arrLink = DownloadAssembler.getRadarrLink(movie);
             download.arrInstanceKey = radarrMatch._instanceKey || null;
           }

server/utils/config.js

@@ -130,6 +130,10 @@ function getSofarrBaseUrl() {
   return process.env.SOFARR_BASE_URL || '';
 }
 
+function getSofarrWebhookBaseUrl() {
+  return process.env.SOFARR_WEBHOOK_BASE_URL || process.env.SOFARR_BASE_URL || '';
+}
+
 module.exports = {
   getSABnzbdInstances,
   getSonarrInstances,
@@ -140,6 +144,7 @@ module.exports = {
   getRtorrentInstances,
   getWebhookSecret,
   getSofarrBaseUrl,
+  getSofarrWebhookBaseUrl,
   parseInstances,
   validateInstanceUrl
 };

server/utils/logCapture.js

@@ -0,0 +1,131 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+const EventEmitter = require('events');
+
+class LogEmitter extends EventEmitter {}
+const logEmitter = new LogEmitter();
+
+const logBuffer = [];
+const clientLogBuffer = [];
+const MAX_BUFFER_SIZE = 1000;
+
+// ANSI escape code regular expression for stripping terminal colors
+const ansiRegex = /[\u001b\u009b][[()#;?]*(?:[0-9]{1,4}(?:;[0-9]{0,4})*)?[0-9A-ORZcf-nqry=><]/g;
+
+function stripAnsi(str) {
+  return typeof str === 'string' ? str.replace(ansiRegex, '') : str;
+}
+
+// Keep track of original stdout/stderr write functions
+const originalStdoutWrite = process.stdout.write;
+const originalStderrWrite = process.stderr.write;
+
+// Buffer to accumulate partial lines from stdout and stderr
+let stdoutLineBuffer = '';
+let stderrLineBuffer = '';
+
+function processStreamData(data, encoding, callback, streamName, lineAccumulator) {
+  let str = '';
+  if (Buffer.isBuffer(data)) {
+    str = data.toString(encoding || 'utf8');
+  } else if (typeof data === 'string') {
+    str = data;
+  }
+
+  // Delegate writing to the original stream first
+  callback.call(this, data, encoding);
+
+  // Append new data to the accumulator
+  const accumulated = lineAccumulator.buffer + str;
+  const lines = accumulated.split(/\r?\n/);
+
+  // The last element is either empty (if str ended with \n) or a partial line
+  lineAccumulator.buffer = lines.pop();
+
+  for (const line of lines) {
+    const cleanLine = stripAnsi(line);
+    if (!cleanLine) continue;
+
+    // Prepend timestamp if not present (format: [ISO] Message)
+    const timestampedLine = cleanLine.startsWith('[') 
+      ? cleanLine 
+      : `[${new Date().toISOString()}] [${streamName.toUpperCase()}] ${cleanLine}`;
+
+    logBuffer.push(timestampedLine);
+    if (logBuffer.length > MAX_BUFFER_SIZE) {
+      logBuffer.shift();
+    }
+
+    logEmitter.emit('server-log', timestampedLine);
+  }
+}
+
+// Accumulator objects to allow updating string buffers by reference
+const stdoutAccumulator = { buffer: '' };
+const stderrAccumulator = { buffer: '' };
+
+let isHooked = false;
+
+function init() {
+  if (isHooked) return;
+
+  // Intercept stdout
+  process.stdout.write = function(data, encoding, callback) {
+    processStreamData.call(
+      process.stdout,
+      data,
+      encoding,
+      originalStdoutWrite,
+      'stdout',
+      stdoutAccumulator
+    );
+    if (typeof callback === 'function') callback();
+    return true;
+  };
+
+  // Intercept stderr
+  process.stderr.write = function(data, encoding, callback) {
+    processStreamData.call(
+      process.stderr,
+      data,
+      encoding,
+      originalStderrWrite,
+      'stderr',
+      stderrAccumulator
+    );
+    if (typeof callback === 'function') callback();
+    return true;
+  };
+
+  isHooked = true;
+}
+
+/**
+ * Ingests a list of client-side logs into the rolling clientLogBuffer.
+ * Each client log is expected to have structure: { timestamp, level, message }
+ */
+function ingestClientLogs(logs) {
+  if (!Array.isArray(logs)) return;
+
+  for (const log of logs) {
+    const timestamp = log.timestamp || new Date().toISOString();
+    const level = (log.level || 'info').toUpperCase();
+    const msg = typeof log.message === 'string' ? log.message : JSON.stringify(log.message);
+
+    const formattedLog = `[${timestamp}] [CLIENT] [${level}] ${stripAnsi(msg)}`;
+    clientLogBuffer.push(formattedLog);
+
+    if (clientLogBuffer.length > MAX_BUFFER_SIZE) {
+      clientLogBuffer.shift();
+    }
+
+    logEmitter.emit('client-log', formattedLog);
+  }
+}
+
+module.exports = {
+  init,
+  logEmitter,
+  logBuffer,
+  clientLogBuffer,
+  ingestClientLogs
+};

server/utils/ombiHelpers.js

@@ -5,6 +5,8 @@
  * not a string, so we need to extract the username from the object.
  */
 
+const { logToFile } = require('./logger');
+
 /**
  * Extracts the username from an Ombi request object.
  * Handles both the OmbiUser object format and legacy string format.
@@ -15,19 +17,57 @@
 function extractRequestedUser(request) {
   if (!request) return '';
   
-  const requestedUser = request.requestedUser || request.RequestedUser;
-  
-  // Handle object format: OmbiStore.Entities.OmbiUser
-  if (requestedUser && typeof requestedUser === 'object') {
-    // Priority: alias > userAlias > userName > normalizedUserName > requestedByAlias
-    return requestedUser.alias || requestedUser.Alias ||
-           requestedUser.userAlias || requestedUser.UserAlias ||
-           requestedUser.userName || requestedUser.UserName ||
-           requestedUser.normalizedUserName || requestedUser.NormalizedUserName ||
-           request.requestedByAlias || request.RequestedByAlias || '';
+  // Try to locate a user object or string from various fields common to Ombi Movies and TV shows
+  const userSource = request.requestedUser || request.RequestedUser ||
+                     request.user || request.User ||
+                     request.requestedBy || request.RequestedBy ||
+                     request.ombiUser || request.OmbiUser ||
+                     request.requestedByUser || request.RequestedByUser;
+
+  // If userSource is an object, extract key fields
+  if (userSource && typeof userSource === 'object') {
+    const username = userSource.alias || userSource.Alias ||
+                     userSource.userAlias || userSource.UserAlias ||
+                     userSource.userName || userSource.UserName ||
+                     userSource.normalizedUserName || userSource.NormalizedUserName ||
+                     userSource.displayName || userSource.DisplayName ||
+                     userSource.email || userSource.Email;
+    if (username) return username;
   }
-  // Handle string format (fallback for compatibility)
-  return requestedUser || request.requestedByAlias || request.RequestedByAlias || '';
+
+  // If userSource is a string and not an empty object/array
+  if (userSource && typeof userSource === 'string') {
+    return userSource;
+  }
+
+  // Fallbacks on the request root level
+  const rootFallback = request.requestedByAlias || request.RequestedByAlias ||
+                       request.requestedByUsername || request.RequestedByUsername ||
+                       request.requester || request.Requester ||
+                       request.requestedByEmail || request.RequestedByEmail;
+  if (rootFallback) return rootFallback;
+
+  // Check seasons / childRequests nested arrays (common for Ombi TV show requests)
+  if (Array.isArray(request.seasons)) {
+    for (const season of request.seasons) {
+      const seasonUser = extractRequestedUser(season);
+      if (seasonUser) return seasonUser;
+    }
+  }
+  
+  if (Array.isArray(request.childRequests)) {
+    for (const child of request.childRequests) {
+      const childUser = extractRequestedUser(child);
+      if (childUser) return childUser;
+    }
+  }
+
+  // Add warning log when user extraction returns empty for non-empty requests
+  if (Object.keys(request).length > 0 && !request.notificationType) {
+    logToFile(`[Ombi] WARNING: User extraction failed for request: ${JSON.stringify(request)}`);
+  }
+
+  return '';
 }
 
 function filterRequestsByUser(requests, username, showAll) {

server/utils/poller.js

@@ -8,6 +8,7 @@ const {
   getRadarrInstances,
   getOmbiInstances
 } = require('./config');
+const { logToFile } = require('./logger');
 
 const rawPollInterval = (process.env.POLL_INTERVAL || '').toLowerCase();
 const POLL_INTERVAL = (rawPollInterval === 'off' || rawPollInterval === 'false' || rawPollInterval === 'disabled')

tests/frontend/ui/requests.test.js

@@ -0,0 +1,178 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+/**
+ * @vitest-environment jsdom
+ * Tests for client/src/ui/requests.js
+ *
+ * Verifies requests dashboard rendering, tooltips, dates, and deep links.
+ */
+import { describe, it, expect, beforeEach, vi } from 'vitest';
+import { renderRequests } from '../../../client/src/ui/requests.js';
+import { state } from '../../../client/src/state.js';
+
+vi.mock('../../../client/src/state.js', () => {
+  return {
+    state: {
+      ombiRequests: { movie: [], tv: [] },
+      selectedRequestTypes: ['movie', 'tv'],
+      selectedRequestStatuses: ['pending', 'approved', 'available', 'denied'],
+      requestSortMode: 'requestedDate_desc',
+      requestSearchQuery: '',
+      ombiBaseUrl: 'https://ombi.test',
+      isAdmin: false
+    }
+  };
+});
+
+describe('requests rendering', () => {
+  let requestsList, noRequests;
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+    
+    document.body.innerHTML = `
+      <div id="requests-list"></div>
+      <div id="no-requests" style="display: none;"><p></p></div>
+    `;
+    
+    requestsList = document.getElementById('requests-list');
+    noRequests = document.getElementById('no-requests');
+    
+    state.ombiRequests = { movie: [], tv: [] };
+    state.isAdmin = false;
+    state.ombiBaseUrl = 'https://ombi.test';
+  });
+
+  it('renders "No requests found." when request arrays are empty', () => {
+    renderRequests();
+    
+    expect(requestsList.childNodes.length).toBe(0);
+    expect(noRequests.style.display).toBe('block');
+    expect(noRequests.querySelector('p').textContent).toBe('No requests found.');
+  });
+
+  it('renders request card with correctly formatted date, media type, and requester', () => {
+    state.ombiRequests = {
+      movie: [
+        {
+          id: 101,
+          title: 'Movie Test',
+          year: '2026',
+          requestedUser: { alias: 'john_doe' },
+          requestedDate: '2026-05-27T10:15:30.000Z',
+          quality: '1080p',
+          theMovieDbId: 555,
+          requested: true
+        }
+      ],
+      tv: []
+    };
+    
+    renderRequests();
+    
+    expect(requestsList.childNodes.length).toBe(1);
+    const card = requestsList.childNodes[0];
+    expect(card.querySelector('.request-title').textContent).toBe('Movie Test');
+    expect(card.querySelector('.request-year').textContent).toBe('2026');
+    expect(card.querySelector('.request-user').textContent).toBe('Requested by: john_doe');
+    
+    // Check formatted date
+    const dateEl = card.querySelector('.request-date');
+    expect(dateEl).toBeTruthy();
+    expect(dateEl.textContent).toContain('Date: 2026-05-27');
+    
+    // Check view in Ombi link
+    const ombiLink = card.querySelector('.ombi-link');
+    expect(ombiLink).toBeTruthy();
+    expect(ombiLink.href).toBe('https://ombi.test/details/movie/555');
+  });
+
+  it('renders "Unknown (Ombi)" with tooltip when requester is missing', () => {
+    state.ombiRequests = {
+      movie: [],
+      tv: [
+        {
+          id: 201,
+          title: 'TV Test No User',
+          requestedDate: '2026-05-27T12:00:00.000Z',
+          requested: true
+        }
+      ]
+    };
+    
+    renderRequests();
+    
+    expect(requestsList.childNodes.length).toBe(1);
+    const card = requestsList.childNodes[0];
+    const userEl = card.querySelector('.request-user');
+    expect(userEl).toBeTruthy();
+    expect(userEl.textContent).toBe('Requested by: Unknown (Ombi)');
+    expect(userEl.title).toBe('No user information received from Ombi');
+    expect(userEl.style.textDecoration).toBe('underline dotted');
+  });
+
+  it('does NOT render Sonarr/Radarr deep links for non-admin users', () => {
+    state.isAdmin = false;
+    state.ombiRequests = {
+      movie: [
+        {
+          id: 101,
+          title: 'Movie Test',
+          theMovieDbId: 555,
+          arrLink: 'http://radarr:7878/movie/slug',
+          arrType: 'radarr',
+          requested: true
+        }
+      ],
+      tv: []
+    };
+    
+    renderRequests();
+    
+    const card = requestsList.childNodes[0];
+    expect(card.querySelector('.radarr-link')).toBeNull();
+  });
+
+  it('renders Sonarr/Radarr deep links next to Ombi link for administrators', () => {
+    state.isAdmin = true;
+    state.ombiRequests = {
+      movie: [
+        {
+          id: 101,
+          title: 'Movie Test',
+          theMovieDbId: 555,
+          arrLink: 'http://radarr:7878/movie/slug',
+          arrType: 'radarr',
+          requested: true
+        }
+      ],
+      tv: [
+        {
+          id: 202,
+          title: 'TV Show Test',
+          theMovieDbId: 666,
+          arrLink: 'http://sonarr:8989/series/slug',
+          arrType: 'sonarr',
+          requested: true
+        }
+      ]
+    };
+    
+    renderRequests();
+    
+    expect(requestsList.childNodes.length).toBe(2);
+    
+    // Check Radarr link
+    const movieCard = requestsList.childNodes[0];
+    const radarrLink = movieCard.querySelector('.radarr-link');
+    expect(radarrLink).toBeTruthy();
+    expect(radarrLink.href).toBe('http://radarr:7878/movie/slug');
+    expect(radarrLink.title).toBe('View in Radarr');
+    
+    // Check Sonarr link
+    const tvCard = requestsList.childNodes[1];
+    const sonarrLink = tvCard.querySelector('.sonarr-link');
+    expect(sonarrLink).toBeTruthy();
+    expect(sonarrLink.href).toBe('http://sonarr:8989/series/slug');
+    expect(sonarrLink.title).toBe('View in Sonarr');
+  });
+});

tests/frontend/ui/theme.test.js

@@ -0,0 +1,94 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+/**
+ * @vitest-environment jsdom
+ * Tests for client/src/ui/theme.js
+ *
+ * Verifies DOM actions for theme switcher button clicks, attributes, and storage calls.
+ */
+import { describe, it, expect, beforeEach, vi } from 'vitest';
+import { initThemeSwitcher, setTheme } from '../../../client/src/ui/theme.js';
+import * as storage from '../../../client/src/utils/storage.js';
+
+vi.mock('../../../client/src/utils/storage.js', () => {
+  let store = {};
+  return {
+    getTheme: vi.fn(() => store.theme || 'light'),
+    saveTheme: vi.fn((theme) => { store.theme = theme; })
+  };
+});
+
+describe('theme switcher', () => {
+  let lightBtn, darkBtn, monoBtn;
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+    document.documentElement.removeAttribute('data-theme');
+    
+    // Create mock theme buttons
+    document.body.innerHTML = `
+      <div class="theme-switcher">
+        <button class="theme-btn" data-theme="light">Light</button>
+        <button class="theme-btn" data-theme="dark">Dark</button>
+        <button class="theme-btn" data-theme="mono">Mono</button>
+      </div>
+    `;
+    
+    lightBtn = document.querySelector('[data-theme="light"]');
+    darkBtn = document.querySelector('[data-theme="dark"]');
+    monoBtn = document.querySelector('[data-theme="mono"]');
+  });
+
+  it('initThemeSwitcher sets active class based on saved theme on load', () => {
+    vi.spyOn(storage, 'getTheme').mockReturnValue('dark');
+    
+    initThemeSwitcher();
+    
+    expect(storage.getTheme).toHaveBeenCalled();
+    expect(darkBtn.classList.contains('active')).toBe(true);
+    expect(lightBtn.classList.contains('active')).toBe(false);
+    expect(monoBtn.classList.contains('active')).toBe(false);
+  });
+
+  it('initThemeSwitcher defaults to light theme if no theme is saved', () => {
+    vi.spyOn(storage, 'getTheme').mockReturnValue(null);
+    
+    initThemeSwitcher();
+    
+    expect(lightBtn.classList.contains('active')).toBe(true);
+    expect(darkBtn.classList.contains('active')).toBe(false);
+  });
+
+  it('clicking theme button switches the document theme and persists choice', () => {
+    initThemeSwitcher();
+    
+    // Initial active button should be light
+    expect(lightBtn.classList.contains('active')).toBe(true);
+    
+    // Click Dark
+    darkBtn.click();
+    
+    expect(document.documentElement.getAttribute('data-theme')).toBe('dark');
+    expect(storage.saveTheme).toHaveBeenCalledWith('dark');
+    expect(darkBtn.classList.contains('active')).toBe(true);
+    expect(lightBtn.classList.contains('active')).toBe(false);
+    
+    // Click Mono
+    monoBtn.click();
+    
+    expect(document.documentElement.getAttribute('data-theme')).toBe('mono');
+    expect(storage.saveTheme).toHaveBeenCalledWith('mono');
+    expect(monoBtn.classList.contains('active')).toBe(true);
+    expect(darkBtn.classList.contains('active')).toBe(false);
+  });
+
+  it('setTheme directly sets document attribute and updates button classes if present', () => {
+    initThemeSwitcher(); // binds buttons
+    
+    setTheme('mono');
+    
+    expect(document.documentElement.getAttribute('data-theme')).toBe('mono');
+    expect(storage.saveTheme).toHaveBeenCalledWith('mono');
+    expect(monoBtn.classList.contains('active')).toBe(true);
+    expect(lightBtn.classList.contains('active')).toBe(false);
+  });
+});

tests/frontend/utils/clientLogCapture.test.js

@@ -0,0 +1,110 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+/**
+ * @vitest-environment jsdom
+ * Tests for client/src/utils/clientLogCapture.js
+ */
+
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+import { initClientLogCapture } from '../../../client/src/utils/clientLogCapture.js';
+
+describe('clientLogCapture', () => {
+  let fetchMock;
+  let originalConsoleLog;
+  let originalConsoleWarn;
+  let originalConsoleError;
+
+  beforeEach(() => {
+    vi.useFakeTimers();
+
+    // Preserve original console methods
+    originalConsoleLog = console.log;
+    originalConsoleWarn = console.warn;
+    originalConsoleError = console.error;
+
+    // Reset console methods to standard ones
+    console.log = vi.fn();
+    console.warn = vi.fn();
+    console.error = vi.fn();
+
+    // Mock window fetch
+    fetchMock = vi.fn();
+    global.window.fetch = fetchMock;
+  });
+
+  afterEach(() => {
+    vi.useRealTimers();
+    vi.restoreAllMocks();
+
+    // Restore original console methods
+    console.log = originalConsoleLog;
+    console.warn = originalConsoleWarn;
+    console.error = originalConsoleError;
+  });
+
+  it('exits early and does not intercept console if status returns disabled', async () => {
+    fetchMock.mockResolvedValue({
+      ok: true,
+      json: async () => ({ enabled: false })
+    });
+
+    await initClientLogCapture();
+
+    expect(fetchMock).toHaveBeenCalledWith('/api/debug/status');
+    
+    // Console calls should NOT be queued or overridden (i.e. they should just run vi.fn mocks)
+    console.log('Test message');
+    expect(console.log).toHaveBeenCalledWith('Test message');
+    expect(fetchMock).not.toHaveBeenCalledWith('/api/debug/client-logs', expect.any(Object));
+  });
+
+  it('hooks console and flushes logs periodically when status returns enabled', async () => {
+    fetchMock.mockImplementation((url, options) => {
+      if (url === '/api/debug/status') {
+        return Promise.resolve({
+          ok: true,
+          json: async () => ({ enabled: true })
+        });
+      }
+      if (url === '/api/debug/client-logs') {
+        return Promise.resolve({
+          ok: true,
+          json: async () => ({ success: true })
+        });
+      }
+    });
+
+    await initClientLogCapture();
+
+    expect(fetchMock).toHaveBeenCalledWith('/api/debug/status');
+
+    // Trigger console logs
+    console.log('Booting app', { config: 'loaded' });
+    console.warn('Deprecated api call');
+    console.error('Failed request', new Error('timeout'));
+
+    // Move timers forward to trigger flush interval (2000ms)
+    await vi.advanceTimersByTimeAsync(2000);
+
+    expect(fetchMock).toHaveBeenCalledWith('/api/debug/client-logs', expect.objectContaining({
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json'
+      }
+    }));
+
+    const lastCall = fetchMock.mock.calls.find(call => call[0] === '/api/debug/client-logs');
+    expect(lastCall).toBeDefined();
+    
+    const loggedEntries = JSON.parse(lastCall[1].body);
+    expect(loggedEntries).toHaveLength(4); // Includes the interceptor boot message + 3 logs
+
+    expect(loggedEntries[1].level).toBe('info');
+    expect(loggedEntries[1].message).toContain('Booting app {"config":"loaded"}');
+
+    expect(loggedEntries[2].level).toBe('warn');
+    expect(loggedEntries[2].message).toContain('Deprecated api call');
+
+    expect(loggedEntries[3].level).toBe('error');
+    expect(loggedEntries[3].message).toContain('Failed request');
+  });
+});

tests/integration/dashboard.test.js

@@ -225,7 +225,7 @@ function invalidatePollCache() {
     'poll:sab-queue', 'poll:sab-history',
     'poll:sonarr-queue', 'poll:sonarr-history', 'poll:sonarr-tags',
     'poll:radarr-queue', 'poll:radarr-history', 'poll:radarr-tags',
-    'poll:qbittorrent'
+    'poll:qbittorrent', 'poll:ombi-requests'
   ];
   for (const k of keys) cache.invalidate(k);
 }
@@ -349,6 +349,7 @@ describe('GET /api/dashboard/user-downloads', () => {
       expect(dl.arrQueueId).toBe(1002);
       expect(dl.arrType).toBe('sonarr');
       expect(dl.arrInstanceUrl).toBe(SONARR_BASE);
+      expect(dl.arrLink).toBe(SONARR_BASE + '/series/admin-show');
       expect(dl.downloadPath).toBeDefined();
     });
 
@@ -749,12 +750,14 @@ describe('POST /api/dashboard/blocklist-search', () => {
     const app = createApp({ skipRateLimits: true });
     const { cookies, csrf } = await loginAs(app);
     const csrfCookie = cookies.find(c => c.startsWith('csrf_token='));
-    
-    // Mock getAllDownloads to return a download that doesn't qualify for blocklist
-    const downloadClientRegistry = require('../../server/utils/downloadClients');
-    const mockGetAllDownloads = vi.spyOn(downloadClientRegistry, 'getAllDownloads').mockResolvedValue([
-      { arrQueueId: 1, arrType: 'sonarr', importIssues: [], qbittorrent: null }
-    ]);
+
+    // Seed cache: queue record exists but has no import issues (non-admin cannot blocklist)
+    cache.set('poll:sonarr-queue', { records: [{
+      id: 1,
+      title: 'My.Show.S01E01.720p',
+      trackedDownloadState: 'downloading',
+      trackedDownloadStatus: 'ok'
+    }] }, CACHE_TTL);
 
     const res = await request(app)
       .post('/api/dashboard/blocklist-search')
@@ -763,18 +766,14 @@ describe('POST /api/dashboard/blocklist-search', () => {
       .send({ arrQueueId: 1, arrType: 'sonarr', arrInstanceUrl: SONARR_BASE, arrInstanceKey: 'key', arrContentId: 501, arrContentType: 'episode' });
     expect(res.status).toBe(403);
     expect(res.body.error).toMatch(/permission denied/i);
-    mockGetAllDownloads.mockRestore();
   });
 
-  it('returns 403 for non-admin when download not found in active downloads', async () => {
+  it('returns 403 for non-admin when download not found in arr queue cache', async () => {
     const app = createApp({ skipRateLimits: true });
     const { cookies, csrf } = await loginAs(app);
     const csrfCookie = cookies.find(c => c.startsWith('csrf_token='));
-    
-    // Mock getAllDownloads to return empty array (download not found)
-    const downloadClientRegistry = require('../../server/utils/downloadClients');
-    const mockGetAllDownloads = vi.spyOn(downloadClientRegistry, 'getAllDownloads').mockResolvedValue([]);
 
+    // Cache is already seeded empty by beforeEach; no queue record with id=1 exists
     const res = await request(app)
       .post('/api/dashboard/blocklist-search')
       .set('Cookie', [...cookies, csrfCookie].join('; '))
@@ -782,19 +781,21 @@ describe('POST /api/dashboard/blocklist-search', () => {
       .send({ arrQueueId: 1, arrType: 'sonarr', arrInstanceUrl: SONARR_BASE, arrContentId: 501, arrContentType: 'episode' });
     expect(res.status).toBe(403);
     expect(res.body.error).toMatch(/download not found/i);
-    mockGetAllDownloads.mockRestore();
   });
 
   it('returns 200 for non-admin with import issues (qualifying condition)', async () => {
     const app = createApp({ skipRateLimits: true });
     const { cookies, csrf } = await loginAs(app);
     const csrfCookie = cookies.find(c => c.startsWith('csrf_token='));
-    
-    // Mock getAllDownloads to return a download with import issues (qualifies for blocklist)
-    const downloadClientRegistry = require('../../server/utils/downloadClients');
-    const mockGetAllDownloads = vi.spyOn(downloadClientRegistry, 'getAllDownloads').mockResolvedValue([
-      { arrQueueId: 1, arrType: 'sonarr', importIssues: ['Import error 1'], qbittorrent: null }
-    ]);
+
+    // Seed cache: queue record with import issues — qualifies non-admin for blocklist
+    cache.set('poll:sonarr-queue', { records: [{
+      id: 1,
+      title: 'My.Show.S01E01.720p',
+      trackedDownloadState: 'importPending',
+      trackedDownloadStatus: 'warning',
+      statusMessages: [{ messages: ['Import error 1'] }]
+    }] }, CACHE_TTL);
 
     // Mock Sonarr DELETE and command endpoints
     nock(SONARR_BASE)
@@ -812,7 +813,6 @@ describe('POST /api/dashboard/blocklist-search', () => {
       .send({ arrQueueId: 1, arrType: 'sonarr', arrInstanceUrl: SONARR_BASE, arrContentId: 501, arrContentType: 'episode' });
     expect(res.status).toBe(200);
     expect(res.body.ok).toBe(true);
-    mockGetAllDownloads.mockRestore();
   });
 
   it('returns 400 when required fields are missing', async () => {
@@ -843,11 +843,8 @@ describe('POST /api/dashboard/blocklist-search', () => {
     const app = createApp({ skipRateLimits: true });
     const { cookies, csrf, csrfCookie } = await getAuthHeaders(app);
 
-    // Mock getAllDownloads to return a matching download for admin
-    const downloadClientRegistry = require('../../server/utils/downloadClients');
-    const mockGetAllDownloads = vi.spyOn(downloadClientRegistry, 'getAllDownloads').mockResolvedValue([
-      { arrQueueId: 1001, arrType: 'sonarr', importIssues: [], qbittorrent: null }
-    ]);
+    // Seed the Sonarr queue cache so the permission lookup finds the record
+    cache.set('poll:sonarr-queue', { records: [SONARR_QUEUE_RECORD] }, CACHE_TTL);
 
     nock(SONARR_BASE)
       .delete('/api/v3/queue/1001')
@@ -864,18 +861,14 @@ describe('POST /api/dashboard/blocklist-search', () => {
       .send({ arrQueueId: 1001, arrType: 'sonarr', arrInstanceUrl: SONARR_BASE, arrInstanceKey: 'sk', arrContentId: 501, arrContentType: 'episode' });
     expect(res.status).toBe(200);
     expect(res.body.ok).toBe(true);
-    mockGetAllDownloads.mockRestore();
   });
 
   it('calls Radarr DELETE+command and returns ok:true', async () => {
     const app = createApp({ skipRateLimits: true });
     const { cookies, csrf, csrfCookie } = await getAuthHeaders(app);
 
-    // Mock getAllDownloads to return a matching download for admin
-    const downloadClientRegistry = require('../../server/utils/downloadClients');
-    const mockGetAllDownloads = vi.spyOn(downloadClientRegistry, 'getAllDownloads').mockResolvedValue([
-      { arrQueueId: 2001, arrType: 'radarr', importIssues: [], qbittorrent: null }
-    ]);
+    // Seed the Radarr queue cache so the permission lookup finds the record
+    cache.set('poll:radarr-queue', { records: [RADARR_QUEUE_RECORD] }, CACHE_TTL);
 
     nock(RADARR_BASE)
       .delete('/api/v3/queue/2001')
@@ -892,18 +885,14 @@ describe('POST /api/dashboard/blocklist-search', () => {
       .send({ arrQueueId: 2001, arrType: 'radarr', arrInstanceUrl: RADARR_BASE, arrInstanceKey: 'rk', arrContentId: 99, arrContentType: 'movie' });
     expect(res.status).toBe(200);
     expect(res.body.ok).toBe(true);
-    mockGetAllDownloads.mockRestore();
   });
 
   it('returns 502 when Sonarr DELETE request fails', async () => {
     const app = createApp({ skipRateLimits: true });
     const { cookies, csrf, csrfCookie } = await getAuthHeaders(app);
 
-    // Mock getAllDownloads to return a matching download for admin
-    const downloadClientRegistry = require('../../server/utils/downloadClients');
-    const mockGetAllDownloads = vi.spyOn(downloadClientRegistry, 'getAllDownloads').mockResolvedValue([
-      { arrQueueId: 1001, arrType: 'sonarr', importIssues: [], qbittorrent: null }
-    ]);
+    // Seed the Sonarr queue cache so the permission lookup finds the record
+    cache.set('poll:sonarr-queue', { records: [SONARR_QUEUE_RECORD] }, CACHE_TTL);
 
     nock(SONARR_BASE)
       .delete('/api/v3/queue/1001')
@@ -916,17 +905,14 @@ describe('POST /api/dashboard/blocklist-search', () => {
       .set('X-CSRF-Token', csrf)
       .send({ arrQueueId: 1001, arrType: 'sonarr', arrInstanceUrl: SONARR_BASE, arrInstanceKey: 'sk', arrContentId: 501, arrContentType: 'episode' });
     expect(res.status).toBe(502);
-    mockGetAllDownloads.mockRestore();
   });
 
   it('returns 200 OK when arrContentId is null but arrSeriesId is present (fallback SeriesSearch)', async () => {
     const app = createApp({ skipRateLimits: true });
     const { cookies, csrf, csrfCookie } = await getAuthHeaders(app);
 
-    const downloadClientRegistry = require('../../server/utils/downloadClients');
-    const mockGetAllDownloads = vi.spyOn(downloadClientRegistry, 'getAllDownloads').mockResolvedValue([
-      { arrQueueId: 1001, arrType: 'sonarr', importIssues: [], qbittorrent: null }
-    ]);
+    // Seed the Sonarr queue cache so the permission lookup finds the record
+    cache.set('poll:sonarr-queue', { records: [SONARR_QUEUE_RECORD] }, CACHE_TTL);
 
     nock(SONARR_BASE)
       .delete('/api/v3/queue/1001')
@@ -943,17 +929,14 @@ describe('POST /api/dashboard/blocklist-search', () => {
       .send({ arrQueueId: 1001, arrType: 'sonarr', arrInstanceUrl: SONARR_BASE, arrInstanceKey: 'sk', arrSeriesId: 42, arrContentType: 'episode' });
     expect(res.status).toBe(200);
     expect(res.body.ok).toBe(true);
-    mockGetAllDownloads.mockRestore();
   });
 
   it('triggers EpisodeSearch with multiple episode IDs when arrContentIds is provided', async () => {
     const app = createApp({ skipRateLimits: true });
     const { cookies, csrf, csrfCookie } = await getAuthHeaders(app);
 
-    const downloadClientRegistry = require('../../server/utils/downloadClients');
-    const mockGetAllDownloads = vi.spyOn(downloadClientRegistry, 'getAllDownloads').mockResolvedValue([
-      { arrQueueId: 1001, arrType: 'sonarr', importIssues: [], qbittorrent: null }
-    ]);
+    // Seed the Sonarr queue cache so the permission lookup finds the record
+    cache.set('poll:sonarr-queue', { records: [SONARR_QUEUE_RECORD] }, CACHE_TTL);
 
     nock(SONARR_BASE)
       .delete('/api/v3/queue/1001')
@@ -970,7 +953,42 @@ describe('POST /api/dashboard/blocklist-search', () => {
       .send({ arrQueueId: 1001, arrType: 'sonarr', arrInstanceUrl: SONARR_BASE, arrInstanceKey: 'sk', arrContentIds: [12, 13, 14], arrContentType: 'episode' });
     expect(res.status).toBe(200);
     expect(res.body.ok).toBe(true);
-    mockGetAllDownloads.mockRestore();
+  });
+
+  it('matches download correctly when arrQueueId is sent as a string but stored as a number in queue cache (type mismatch regression)', async () => {
+    // Regression test for issue #48 (v2): arrQueueId from the SPA DOM dataset is always
+    // a string, but the queue record id from the Radarr/Sonarr API cache is a number.
+    // Without String() casting the === comparison fails and returns 403.
+    const app = createApp({ skipRateLimits: true });
+    const { cookies, csrf, csrfCookie } = await getAuthHeaders(app);
+
+    // Seed Radarr queue with a numeric id (as Radarr API returns it)
+    cache.set('poll:radarr-queue', { records: [{
+      id: 9050001,
+      title: 'Project.Hail.Mary.2026.2160p',
+      movieId: 77,
+      trackedDownloadState: 'downloading',
+      trackedDownloadStatus: 'ok',
+      _instanceUrl: RADARR_BASE,
+      _instanceKey: 'rk'
+    }] }, CACHE_TTL);
+
+    nock(RADARR_BASE)
+      .delete('/api/v3/queue/9050001')
+      .query({ removeFromClient: 'true', blocklist: 'true' })
+      .reply(200, {});
+    nock(RADARR_BASE)
+      .post('/api/v3/command')
+      .reply(200, {});
+
+    const res = await request(app)
+      .post('/api/dashboard/blocklist-search')
+      .set('Cookie', [...cookies, csrfCookie].join('; '))
+      .set('X-CSRF-Token', csrf)
+      // arrQueueId sent as a STRING from the client (as the SPA DOM dataset does)
+      .send({ arrQueueId: '9050001', arrType: 'radarr', arrInstanceUrl: RADARR_BASE, arrInstanceKey: 'rk', arrContentId: 77, arrContentType: 'movie' });
+    expect(res.status).toBe(200);
+    expect(res.body.ok).toBe(true);
   });
 });
 

tests/integration/debugLogs.test.js

@@ -0,0 +1,213 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+import { describe, it, expect, beforeAll, afterAll, afterEach } from 'vitest';
+import request from 'supertest';
+import nock from 'nock';
+import { createApp } from '../../server/app.js';
+
+const EMBY_BASE = 'https://emby.test';
+
+describe('Debug Logs API Integration', () => {
+  beforeAll(() => {
+    process.env.EMBY_URL = EMBY_BASE;
+    process.env.SOFARR_WEBHOOK_SECRET = 'test-webhook-secret-xyz';
+  });
+
+  afterAll(() => {
+    delete process.env.EMBY_URL;
+    delete process.env.SOFARR_WEBHOOK_SECRET;
+    delete process.env.ENABLE_LOG_STREAM;
+    delete process.env.LOG_ALLOW_SUBNETS;
+    delete process.env.TRUST_PROXY;
+  });
+
+  afterEach(() => {
+    nock.cleanAll();
+  });
+
+  describe('GET /api/debug/status', () => {
+    it('returns enabled: false when ENABLE_LOG_STREAM is not true', async () => {
+      process.env.ENABLE_LOG_STREAM = 'false';
+      const app = createApp({ skipRateLimits: true });
+      const res = await request(app).get('/api/debug/status');
+      expect(res.status).toBe(200);
+      expect(res.body.enabled).toBe(false);
+    });
+
+    it('returns enabled: true when ENABLE_LOG_STREAM is true', async () => {
+      process.env.ENABLE_LOG_STREAM = 'true';
+      const app = createApp({ skipRateLimits: true });
+      const res = await request(app).get('/api/debug/status');
+      expect(res.status).toBe(200);
+      expect(res.body.enabled).toBe(true);
+    });
+  });
+
+  describe('Global toggle checking', () => {
+    it('returns 403 Forbidden on server logs GET when feature is disabled', async () => {
+      process.env.ENABLE_LOG_STREAM = 'false';
+      const app = createApp({ skipRateLimits: true });
+      const res = await request(app).get('/api/debug/server-logs');
+      expect(res.status).toBe(403);
+      expect(res.body.error).toMatch(/disabled/i);
+    });
+
+    it('returns 403 Forbidden on client logs GET when feature is disabled', async () => {
+      process.env.ENABLE_LOG_STREAM = 'false';
+      const app = createApp({ skipRateLimits: true });
+      const res = await request(app).get('/api/debug/client-logs');
+      expect(res.status).toBe(403);
+      expect(res.body.error).toMatch(/disabled/i);
+    });
+
+    it('returns 403 Forbidden on client logs POST when feature is disabled', async () => {
+      process.env.ENABLE_LOG_STREAM = 'false';
+      const app = createApp({ skipRateLimits: true });
+      const res = await request(app).post('/api/debug/client-logs').send([]);
+      expect(res.status).toBe(403);
+      expect(res.body.error).toMatch(/disabled/i);
+    });
+  });
+
+  describe('Subnet CIDR validation', () => {
+    beforeAll(() => {
+      process.env.ENABLE_LOG_STREAM = 'true';
+      process.env.LOG_ALLOW_SUBNETS = '127.0.0.1/32,192.168.1.0/24';
+      process.env.TRUST_PROXY = '1';
+    });
+
+    it('returns 403 Forbidden if client IP is not in subnet allowlist', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const res = await request(app)
+        .get('/api/debug/server-logs')
+        .set('X-Forwarded-For', '10.0.0.50');
+      expect(res.status).toBe(403);
+      expect(res.body.error).toMatch(/Access denied from IP/i);
+    });
+
+    it('bypasses subnet check and hits auth validation if client IP is allowed', async () => {
+      const app = createApp({ skipRateLimits: true });
+      // In subnet allowlist but missing credentials -> returns 401 instead of 403!
+      const res = await request(app)
+        .get('/api/debug/server-logs')
+        .set('X-Forwarded-For', '192.168.1.150');
+      expect(res.status).toBe(401);
+    });
+
+    afterAll(() => {
+      delete process.env.LOG_ALLOW_SUBNETS;
+      delete process.env.TRUST_PROXY;
+    });
+  });
+
+  describe('Authentication and Bypass policies', () => {
+    beforeAll(() => {
+      process.env.ENABLE_LOG_STREAM = 'true';
+    });
+
+    it('returns 401 Unauthorized when all auth options are missing', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const res = await request(app).get('/api/debug/server-logs');
+      expect(res.status).toBe(401);
+      expect(res.headers['www-authenticate']).toContain('Basic realm=');
+    });
+
+    it('allows access via X-Webhook-Secret header bypass', async () => {
+      const app = createApp({ skipRateLimits: true });
+      // X-Webhook-Secret bypass avoids Emby login entirely (returns 200 SSE stream)
+      const res = await request(app)
+        .get('/api/debug/server-logs?testClose=true')
+        .set('X-Webhook-Secret', 'test-webhook-secret-xyz');
+      expect(res.status).toBe(200);
+      expect(res.headers['content-type']).toContain('text/event-stream');
+    });
+
+    it('allows access via Basic Authentication with valid Emby administrator credentials', async () => {
+      const app = createApp({ skipRateLimits: true });
+
+      // Mock Emby login
+      nock(EMBY_BASE)
+        .post('/Users/authenticatebyname')
+        .reply(200, {
+          AccessToken: 'admin-emby-tok',
+          User: { Id: 'admin-user-id', Name: 'embyadmin' }
+        });
+
+      // Mock Emby profile fetch verifying IsAdministrator is true
+      nock(EMBY_BASE)
+        .get('/Users/admin-user-id')
+        .reply(200, {
+          Id: 'admin-user-id',
+          Name: 'embyadmin',
+          Policy: { IsAdministrator: true }
+        });
+
+      const res = await request(app)
+        .get('/api/debug/server-logs?testClose=true')
+        .auth('embyadmin', 'password123');
+
+      expect(res.status).toBe(200);
+      expect(res.headers['content-type']).toContain('text/event-stream');
+    });
+
+    it('denies access via Basic Authentication if user is not an administrator', async () => {
+      const app = createApp({ skipRateLimits: true });
+
+      nock(EMBY_BASE)
+        .post('/Users/authenticatebyname')
+        .reply(200, {
+          AccessToken: 'user-emby-tok',
+          User: { Id: 'regular-user-id', Name: 'embyuser' }
+        });
+
+      nock(EMBY_BASE)
+        .get('/Users/regular-user-id')
+        .reply(200, {
+          Id: 'regular-user-id',
+          Name: 'embyuser',
+          Policy: { IsAdministrator: false }
+        });
+
+      const res = await request(app)
+        .get('/api/debug/server-logs')
+        .auth('embyuser', 'password123');
+
+      expect(res.status).toBe(401);
+    });
+  });
+
+  describe('Client logs ingestion and streaming', () => {
+    beforeAll(() => {
+      process.env.ENABLE_LOG_STREAM = 'true';
+    });
+
+    it('returns 400 Bad Request on client logs POST if body is not an array', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const res = await request(app)
+        .post('/api/debug/client-logs')
+        .set('X-Webhook-Secret', 'test-webhook-secret-xyz')
+        .send({ message: 'not an array' });
+      expect(res.status).toBe(400);
+    });
+
+    it('ingests client logs array and streams them over client logs GET SSE', async () => {
+      const app = createApp({ skipRateLimits: true });
+
+      // Ingest client logs
+      const postRes = await request(app)
+        .post('/api/debug/client-logs')
+        .set('X-Webhook-Secret', 'test-webhook-secret-xyz')
+        .send([
+          { timestamp: new Date().toISOString(), level: 'info', message: 'Hello from client' }
+        ]);
+      expect(postRes.status).toBe(200);
+      expect(postRes.body.count).toBe(1);
+
+      // Verify log streams successfully via GET
+      const getRes = await request(app)
+        .get('/api/debug/client-logs?testClose=true')
+        .set('X-Webhook-Secret', 'test-webhook-secret-xyz');
+      expect(getRes.status).toBe(200);
+      expect(getRes.headers['content-type']).toContain('text/event-stream');
+    });
+  });
+});

tests/integration/ombi.test.js

@@ -856,7 +856,7 @@ describe('POST /api/ombi/webhook/enable', () => {
       .post('/api/v1/Settings/notifications/webhook', {
         id: 42,
         enabled: true,
-        webhookUrl: `${SOFARR_BASE}/api/webhook/ombi`,
+        webhookUrl: `${SOFARR_BASE}/api/webhook/ombi?secret=test-webhook-secret`,
         applicationToken: 'test-ombi-key'
       })
       .reply(200, { success: true });
@@ -870,7 +870,7 @@ describe('POST /api/ombi/webhook/enable', () => {
       .expect(200);
     
     expect(res.body.success).toBe(true);
-    expect(res.body.webhookUrl).toBe(`${SOFARR_BASE}/api/webhook/ombi`);
+    expect(res.body.webhookUrl).toBe(`${SOFARR_BASE}/api/webhook/ombi?secret=test-webhook-secret`);
     expect(res.body.applicationToken).toBe('test-ombi-key');
   });
 
@@ -882,7 +882,7 @@ describe('POST /api/ombi/webhook/enable', () => {
       .post('/api/v1/Settings/notifications/webhook', {
         id: 0,
         enabled: true,
-        webhookUrl: `${SOFARR_BASE}/api/webhook/ombi`,
+        webhookUrl: `${SOFARR_BASE}/api/webhook/ombi?secret=test-webhook-secret`,
         applicationToken: 'test-ombi-key'
       })
       .reply(200, { success: true });
@@ -1014,10 +1014,16 @@ describe('POST /api/ombi/webhook/test', () => {
     expect(webhookScope.isDone()).toBe(true);
   });
 
-  it('handles webhook send errors gracefully', async () => {
+  it('handles webhook send errors gracefully when both public and loopback fail', async () => {
     nock(SOFARR_BASE)
       .post('/api/webhook/ombi')
       .reply(500, { error: 'Internal server error' });
+    nock('http://127.0.0.1:3001')
+      .post('/api/webhook/ombi')
+      .reply(500, { error: 'Internal server error' });
+    nock('https://127.0.0.1:3001')
+      .post('/api/webhook/ombi')
+      .reply(500, { error: 'Internal server error' });
     
     const { cookies, csrfToken } = await authenticateUser(app, 'TestUser', false);
     
@@ -1029,4 +1035,26 @@ describe('POST /api/ombi/webhook/test', () => {
     
     expect(res.body.error).toBe('Failed to test Ombi webhook');
   });
+
+  it('falls back to local loopback when public URL request fails', async () => {
+    nock(SOFARR_BASE)
+      .post('/api/webhook/ombi')
+      .replyWithError('Connection refused');
+    nock('http://127.0.0.1:3001')
+      .post('/api/webhook/ombi')
+      .reply(200, { received: true });
+    nock('https://127.0.0.1:3001')
+      .post('/api/webhook/ombi')
+      .reply(200, { received: true });
+    
+    const { cookies, csrfToken } = await authenticateUser(app, 'TestUser', false);
+    
+    const res = await request(app)
+      .post('/api/ombi/webhook/test')
+      .set('Cookie', cookies)
+      .set('X-CSRF-Token', csrfToken)
+      .expect(200);
+    
+    expect(res.body.success).toBe(true);
+  });
 });

tests/integration/swagger-coverage.test.js

@@ -196,6 +196,18 @@ describe('Swagger Coverage', () => {
     expect(paths['/api/ombi/webhook/test'].post).toBeDefined();
   });
 
+  it('should have Debug logging endpoints documented', () => {
+    const paths = openapiSpec.paths;
+    
+    expect(paths['/api/debug/status']).toBeDefined();
+    expect(paths['/api/debug/status'].get).toBeDefined();
+    expect(paths['/api/debug/server-logs']).toBeDefined();
+    expect(paths['/api/debug/server-logs'].get).toBeDefined();
+    expect(paths['/api/debug/client-logs']).toBeDefined();
+    expect(paths['/api/debug/client-logs'].get).toBeDefined();
+    expect(paths['/api/debug/client-logs'].post).toBeDefined();
+  });
+
   it('should return 200 for Swagger UI endpoint', async () => {
     const response = await request(app).get('/api/swagger').redirects(1);
     expect(response.status).toBe(200);

tests/integration/webhook.test.js

@@ -156,6 +156,24 @@ describe('POST /api/webhook/sonarr — secret validation', () => {
     const res = await postSonarr(app, SONARR_GRAB, 'anything');
     expect(res.status).toBe(401);
   });
+
+  it('returns 200 when secret is provided as a query parameter instead of header', async () => {
+    const app = makeApp();
+    const res = await request(app)
+      .post(`/api/webhook/sonarr?secret=${VALID_SECRET}`)
+      .send(SONARR_GRAB);
+    expect(res.status).toBe(200);
+    expect(res.body.received).toBe(true);
+  });
+
+  it('returns 401 when secret is provided as an invalid query parameter', async () => {
+    const app = makeApp();
+    const res = await request(app)
+      .post('/api/webhook/sonarr?secret=wrong-query-secret')
+      .send(SONARR_GRAB);
+    expect(res.status).toBe(401);
+    expect(res.body.error).toBe('Unauthorized');
+  });
 });
 
 describe('POST /api/webhook/radarr — secret validation', () => {
@@ -171,6 +189,23 @@ describe('POST /api/webhook/radarr — secret validation', () => {
     const res = await postRadarr(app, RADARR_GRAB, 'bad-secret');
     expect(res.status).toBe(401);
   });
+
+  it('returns 200 when secret is provided as a query parameter instead of header', async () => {
+    const app = makeApp();
+    const res = await request(app)
+      .post(`/api/webhook/radarr?secret=${VALID_SECRET}`)
+      .send(RADARR_GRAB);
+    expect(res.status).toBe(200);
+    expect(res.body.received).toBe(true);
+  });
+
+  it('returns 401 when secret is provided as an invalid query parameter', async () => {
+    const app = makeApp();
+    const res = await request(app)
+      .post('/api/webhook/radarr?secret=wrong-query-secret')
+      .send(RADARR_GRAB);
+    expect(res.status).toBe(401);
+  });
 });
 
 // ---------------------------------------------------------------------------
@@ -548,6 +583,40 @@ describe('POST /api/webhook/ombi', () => {
     expect(res.body.error).toBe('Unauthorized');
   });
 
+  it('returns 200 when secret is provided as a query parameter instead of header', async () => {
+    const app = makeApp();
+    nock('https://ombi.test')
+      .get('/api/v1/Request/movie')
+      .reply(200, []);
+    nock('https://ombi.test')
+      .get('/api/v1/Request/tv')
+      .reply(200, []);
+
+    const res = await request(app)
+      .post(`/api/webhook/ombi?secret=${VALID_SECRET}`)
+      .send({
+        notificationType: 'NewRequest',
+        requestId: 127,
+        requestedUser: 'gordon',
+        title: 'Query Movie',
+        type: 'Movie',
+        requestStatus: 'Pending',
+        applicationUrl: 'https://ombi.test',
+        requestedDate: '2026-05-23T20:40:00.000Z'
+      });
+    expect(res.status).toBe(200);
+    expect(res.body.received).toBe(true);
+  });
+
+  it('returns 401 when secret is provided as an invalid query parameter', async () => {
+    const app = makeApp();
+    const res = await request(app)
+      .post('/api/webhook/ombi?secret=wrong-query-secret')
+      .send({ notificationType: 'NewRequest', requestId: 1 });
+    expect(res.status).toBe(401);
+    expect(res.body.error).toBe('Unauthorized');
+  });
+
   it('returns 400 when notificationType is missing or invalid', async () => {
     const app = makeApp();
     const res = await postOmbi(app, { requestId: 1 });

tests/unit/clients/OmbiClient.test.js

@@ -336,4 +336,47 @@ describe('OmbiClient', () => {
       expect(result).toBe(false);
     });
   });
+
+  describe('getUsers', () => {
+    it('should return user array for successful request', async () => {
+      const mockUsers = [
+        { id: '1', userName: 'Gordon' },
+        { id: '2', userName: 'Alice' }
+      ];
+
+      nock(baseUrl)
+        .get('/api/v1/Identity/Users')
+        .matchHeader('ApiKey', apiKey)
+        .reply(200, mockUsers);
+
+      const client = new OmbiClient(baseUrl, apiKey);
+      const result = await client.getUsers();
+
+      expect(result).toEqual(mockUsers);
+    });
+
+    it('should return empty array on API error', async () => {
+      nock(baseUrl)
+        .get('/api/v1/Identity/Users')
+        .matchHeader('ApiKey', apiKey)
+        .reply(500, { error: 'Internal Server Error' });
+
+      const client = new OmbiClient(baseUrl, apiKey);
+      const result = await client.getUsers();
+
+      expect(result).toEqual([]);
+    });
+
+    it('should return empty array on network error', async () => {
+      nock(baseUrl)
+        .get('/api/v1/Identity/Users')
+        .matchHeader('ApiKey', apiKey)
+        .replyWithError('Network error');
+
+      const client = new OmbiClient(baseUrl, apiKey);
+      const result = await client.getUsers();
+
+      expect(result).toEqual([]);
+    });
+  });
 });

tests/unit/clients/OmbiRetriever.test.js

@@ -766,4 +766,70 @@ describe('OmbiRetriever', () => {
       expect(stats.age).toBeGreaterThanOrEqual(0);
     });
   });
+
+  describe('hydration logic', () => {
+    it('should hydrate requestedUser when missing but requestedUserId is present', async () => {
+      const mockMovies = [
+        { id: 1, title: 'Movie 1', requestedUserId: 'gordon-id', requestedUser: null }
+      ];
+      const mockTvShows = [];
+      const mockUsers = [
+        { id: 'gordon-id', userName: 'Gordon', alias: 'G-Man' }
+      ];
+
+      nock(baseUrl)
+        .get('/api/v1/Request/movie')
+        .reply(200, mockMovies);
+
+      nock(baseUrl)
+        .get('/api/v1/Request/tv')
+        .reply(200, mockTvShows);
+
+      nock(baseUrl)
+        .get('/api/v1/Identity/Users')
+        .reply(200, mockUsers);
+
+      const retriever = new OmbiRetriever(instanceConfig);
+      const result = await retriever.getMovieRequests();
+
+      expect(result).toHaveLength(1);
+      expect(result[0].requestedUser).toBeDefined();
+      expect(result[0].requestedUser.userName).toBe('Gordon');
+      expect(result[0].requestedUser.alias).toBe('G-Man');
+    });
+
+    it('should not overwrite non-empty requestedUser object', async () => {
+      const mockMovies = [
+        {
+          id: 1,
+          title: 'Movie 1',
+          requestedUserId: 'gordon-id',
+          requestedUser: { userName: 'ExistingGordon', alias: 'ExistingG' }
+        }
+      ];
+      const mockTvShows = [];
+      const mockUsers = [
+        { id: 'gordon-id', userName: 'Gordon', alias: 'G-Man' }
+      ];
+
+      nock(baseUrl)
+        .get('/api/v1/Request/movie')
+        .reply(200, mockMovies);
+
+      nock(baseUrl)
+        .get('/api/v1/Request/tv')
+        .reply(200, mockTvShows);
+
+      nock(baseUrl)
+        .get('/api/v1/Identity/Users')
+        .reply(200, mockUsers);
+
+      const retriever = new OmbiRetriever(instanceConfig);
+      const result = await retriever.getMovieRequests();
+
+      expect(result).toHaveLength(1);
+      expect(result[0].requestedUser.userName).toBe('ExistingGordon');
+      expect(result[0].requestedUser.alias).toBe('ExistingG');
+    });
+  });
 });

tests/unit/ombiHelpers.test.js

@@ -79,6 +79,57 @@ describe('ombiHelpers', () => {
       };
       expect(extractRequestedUser(req)).toBe('');
     });
+
+    it('returns userName from nested user object', () => {
+      const req = { user: { userName: 'user_val' } };
+      expect(extractRequestedUser(req)).toBe('user_val');
+    });
+
+    it('returns alias from nested requestedBy object', () => {
+      const req = { requestedBy: { alias: 'req_alias' } };
+      expect(extractRequestedUser(req)).toBe('req_alias');
+    });
+
+    it('returns normalizedUserName from nested ombiUser object', () => {
+      const req = { ombiUser: { normalizedUserName: 'norm_ombi' } };
+      expect(extractRequestedUser(req)).toBe('norm_ombi');
+    });
+
+    it('returns userAlias from nested requestedByUser object', () => {
+      const req = { requestedByUser: { userAlias: 'alias_user' } };
+      expect(extractRequestedUser(req)).toBe('alias_user');
+    });
+
+    it('returns username from a string source value', () => {
+      const req = { requestedBy: 'direct_string' };
+      expect(extractRequestedUser(req)).toBe('direct_string');
+    });
+
+    it('returns username from root fallbacks (requestedByUsername, requester, requestedByEmail)', () => {
+      expect(extractRequestedUser({ requestedByUsername: 'user_uname' })).toBe('user_uname');
+      expect(extractRequestedUser({ requester: 'req_val' })).toBe('req_val');
+      expect(extractRequestedUser({ requestedByEmail: 'test@email.com' })).toBe('test@email.com');
+    });
+
+    it('recursively extracts user from seasons array requests', () => {
+      const req = {
+        seasons: [
+          {},
+          { requestedUser: { alias: 'season_user' } }
+        ]
+      };
+      expect(extractRequestedUser(req)).toBe('season_user');
+    });
+
+    it('recursively extracts user from childRequests array', () => {
+      const req = {
+        childRequests: [
+          {},
+          { user: { userName: 'child_user' } }
+        ]
+      };
+      expect(extractRequestedUser(req)).toBe('child_user');
+    });
   });
 
   describe('filterRequestsByUser', () => {