merge branch 'develop' into 'main' - Release v1.7.33

- RTorrentClient: guard d.multicall2 returning non-array, per-row try/catch,
  explicit Number()/String() coercions, _extractArrInfo null-safe
- RTorrentClient.getClientStatus: coerce rates through Number.isFinite
- SABnzbdClient: history limit now reads SAB_HISTORY_LIMIT env var (default 10)
- DownloadClient: added _recordLastError, _clearLastError, getLastError on base
- All four clients call _recordLastError on failure, _clearLastError on success
- DownloadClientRegistry.getAllClientStatuses: includes lastError in result
- GET /api/status/status: exposes downloadClients[] array with per-client lastError
- Tests: RTorrentClient null-safety + lastError, SABnzbd history limit + lastError,
  downloadClients.test expectation updated for new lastError field

.gitea/workflows/build-image.yml

@@ -27,23 +27,17 @@ jobs:
           if [[ "$BRANCH" == develop* ]]; then
             # Sanitise branch name for tag: replace slashes with dashes
             SAFE_BRANCH=$(echo "$BRANCH" | tr '/' '-')
-            TAGS="reg.i3omb.com/sofarr:${SAFE_BRANCH}"
-            TAGS="${TAGS},git.i3omb.com/gandalf/sofarr:${SAFE_BRANCH}"
+            TAGS="git.i3omb.com/gandalf/sofarr:${SAFE_BRANCH}"
             echo "tags=${TAGS}" >> $GITHUB_OUTPUT
             echo "Building develop image tags: ${TAGS}"
           else
             RELEASE_NAME=${BRANCH#release/}
-            
-            # Primary registry tags
-            TAGS="reg.i3omb.com/sofarr:${VERSION}"
-            TAGS="${TAGS},reg.i3omb.com/sofarr:${RELEASE_NAME}"
-            TAGS="${TAGS},reg.i3omb.com/sofarr:latest"
-            
+
             # Gitea package registry tags
-            TAGS="${TAGS},git.i3omb.com/gandalf/sofarr:${VERSION}"
+            TAGS="git.i3omb.com/gandalf/sofarr:${VERSION}"
             TAGS="${TAGS},git.i3omb.com/gandalf/sofarr:${RELEASE_NAME}"
             TAGS="${TAGS},git.i3omb.com/gandalf/sofarr:latest"
-            
+
             echo "tags=${TAGS}" >> $GITHUB_OUTPUT
             echo "Building release image tags: ${TAGS}"
           fi

CHANGELOG.md

@@ -4,6 +4,69 @@ All notable changes to this project will be documented in this file.
 Format follows [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.7.33] - 2026-05-28
+
+### Added
+
+- **Requests Tab Layout Enhancement (Issue #69)** — Redesigned and unified the Requests tab container and card layouts with the Active Downloads and Recently Completed tabs. Added styled media-type borders (`tv` and `movie`) using system color variables, styled the `.requests-container` with a surface card background (`var(--surface)`) and box shadow, converted `.requests-list` to a column flexbox (`display: flex; flex-direction: column; gap: 8px;`), aligned card items to the top (`align-items: flex-start`), tighter padding (`10px 14px`), and border-radius (`6px`), and scaled `.request-type-icon` to `48px` wide and `68px` high as a clean cover-art placeholder. All changes are strictly scoped to the requests tab element selectors, leaving active and recent downloads 100% untouched. Resolves Gitea Issue [#69](https://git.i3omb.com/Gandalf/sofarr/issues/69).
+
+### Fixed
+
+- **Webhook Regression (Issue #70)** — Fixed a critical regression introduced in #62 where the Ombi webhook handler called `isReplay()` with 3 arguments instead of the new 4-argument signature (`eventType, instanceName, eventDate, contentId`). The handler now correctly passes `requestId` as the fourth `contentId` argument. This restores reliability to real Ombi webhooks, loopback fallbacks, and the Ombi test simulation buttons. Resolves Gitea Issue [#70](https://git.i3omb.com/Gandalf/sofarr/issues/70).
+
+## [1.7.32] - 2026-05-28
+
+### Fixed
+
+- **TransmissionClient Hardening (Issue #63)** — Mapped the previously-unknown Transmission RPC status code `7` to `Checking` (best-effort; the RPC spec formally documents only codes 0–6, and the historical alias `TORRENT_IS_CHECKING` corresponds to code 2), so torrents reporting code 7 are now rendered with a useful status label instead of `Unknown`. Implemented three torrent control methods on `TransmissionClient` that were previously absent: `startTorrent(id)` (resumes via `torrent-start`), `stopTorrent(id)` (pauses via `torrent-stop`), and `removeTorrent(id, deleteData = false)` (removes via `torrent-remove`, optionally also deleting local files via Transmission's `delete-local-data` flag). All three accept either a single id (numeric or hash) or an array of ids, matching the Transmission RPC contract. Documented in `extractArrInfo()` that an `arrQueueId` cannot reliably be derived from filename alone — the cross-client matching path is hash-based via `DownloadMatcher.matchTorrents()` (Issue #65), which keys on `torrent.hashString` for Transmission. Added regression tests for status code 7 and all three control methods. Resolves Gitea Issue [#63](https://git.i3omb.com/Gandalf/sofarr/issues/63).
+- **Frontend Build Stability (Issue #66)** — Added explanatory inline comments to `client/vite.config.js` documenting two non-standard but deliberate build settings: `build.outDir = '../public'` (the Vite bundle is emitted into the Express-served `public/` directory at the repo root rather than the Vite-default `client/dist/`) and `build.emptyOutDir = false` (required so the hand-authored static assets committed under `public/` are not wiped by every `vite build`). The comments explicitly warn that changing either setting without also updating the Express static-serve configuration in `server/app.js` and the Dockerfile copy steps will break production serving. Removed a stale, untracked `client/dist/` directory (a leftover from an earlier default-Vite build) that was harmless — both `.gitignore` and `.dockerignore` already excluded it from version control and Docker contexts — but caused recurring confusion about which `index.html` was authoritative. Verified `client/index.html` correctly references `/src/main.js` as the Vite entrypoint. Resolves Gitea Issue [#66](https://git.i3omb.com/Gandalf/sofarr/issues/66).
+- **Download Matching & Deduplication (Issue #65)** — `DownloadMatcher.matchTorrents()` now attempts hash-first matching for every torrent before falling back to title-substring matching. The hash lookup compares `torrent.hash` (qBittorrent, rTorrent) or `torrent.hashString` (Transmission) against each *arr* queue/history record's `downloadId`, restoring deterministic matching for renamed downloads and torrents whose on-disk filename has diverged from the *arr* release title. Title-substring matching is retained verbatim as a fallback so unhashed clients and legacy fixtures continue to work. After the per-torrent matching pass, the returned list is deduplicated by the composite key `(arrType, arrQueueId)`: the first matched download wins, so a single torrent that maps to N *arr* queue records sharing one queue id (for example, a season pack exposed as multiple per-episode rows) produces a single dashboard card instead of N near-identical duplicates. A new integration suite at `tests/integration/download-matcher-season-pack.test.js` covers hash-first matching for qBittorrent (`hash`) and Transmission (`hashString`), the title-substring fallback path, and the deduplication step. Resolves Gitea Issue [#65](https://git.i3omb.com/Gandalf/sofarr/issues/65).
+- **qBittorrentClient Peer Data & Response Safety (Issue #64)** — `QBittorrentClient.normalizeDownload()` now exposes two new fields on every torrent record: `seeds` (sourced from qBittorrent's `num_seeds`, the count of connected seed peers) and `peers` (sourced from `num_leechs`, the count of connected leecher peers). The connected counts were chosen deliberately over the swarm totals `num_complete`/`num_incomplete` so the values remain consistent with what other clients (Transmission via `peersConnected`/`peersSendingToUs`, rTorrent via `d.peers_connected`) report on the same normalised contract. `QBittorrentClient.getMainData()` now also defensively returns the existing in-memory torrent map (rather than dereferencing a null) when the qBittorrent server responds with an empty body to `/api/v2/sync/maindata`, eliminating a crash class observed against transiently-restarting qBittorrent instances. A regression test verifies the new fields are populated from `num_seeds`/`num_leechs` and not from the swarm-total fields. Resolves Gitea Issue [#64](https://git.i3omb.com/Gandalf/sofarr/issues/64).
+- **Season Pack Queue Handling & Crash Prevention (Issue #61)** — Extracted a shared `buildArrQueueCache(queues, instances, mediaKey)` helper at `server/utils/arrQueueHelpers.js` covering both Sonarr and Radarr, replacing four previously-divergent inline `flatMap` blocks across the background poller (`server/utils/poller.js`) and the webhook event processor (`server/routes/webhook.js`) that built the `poll:sonarr-queue` and `poll:radarr-queue` cache entries. Sonarr queue records that share a `downloadId` (the canonical fingerprint for a season-pack release) are now annotated with `isSeasonPack: true` and `episodeCount: <n>` so downstream consumers — including the active-downloads matching service — can identify and de-duplicate season packs without re-deriving the grouping. The helper is wrapped in per-record and per-instance `try`/`catch` guards: malformed records (`null`, missing `data`, unknown instance ids) are skipped with a warning rather than throwing, eliminating a class of crashes that previously bubbled out of the `flatMap` and tore down the entire poll cycle or webhook refresh. Movies (Radarr) skip season-pack annotation by design. A new unit test suite at `tests/unit/utils/arrQueueHelpers.test.js` covers tagging, season-pack grouping, null-safety, and unknown-instance fallback. Resolves Gitea Issue [#61](https://git.i3omb.com/Gandalf/sofarr/issues/61).
+- **rTorrent Null-Safety, SABnzbd History Limit & Client Last-Error Visibility (Issue #68)** — Three related hardening improvements to the download-client layer. First, `RTorrentClient` now defends against the malformed-response scenarios observed against misconfigured or transiently-restarting rTorrent servers: `getActiveDownloads()` explicitly checks that `d.multicall2` returned an actual array (logging a warning and returning `[]` if not, rather than throwing on `.map`) and processes each torrent row in its own `try`/`catch` so a single malformed entry cannot poison the whole result set. All eleven field values retrieved from the multicall response are coerced to their expected types via explicit `Number()`/`String()` conversions in `normalizeDownload()`, so downstream arithmetic and string operations can no longer blow up on `null` or `undefined` values from plugins or older rTorrent versions. `_extractArrInfo()` now short-circuits safely on non-string filenames. `getClientStatus()` additionally coerces the global rate values through `Number.isFinite` before returning them. Second, the SABnzbd history limit (previously hard-coded to `10` records per poll) is now configurable via the `SAB_HISTORY_LIMIT` environment variable. Invalid or absent values fall back to the default of `10` with a log warning, ensuring backward compatibility. Third, all four download clients (`RTorrentClient`, `SABnzbdClient`, `QBittorrentClient`, `TransmissionClient`) now record structured `lastError` objects (`{ operation, message, at }`) on every failed API call via `_recordLastError()` and clear them on subsequent success via `_clearLastError()` — both helpers introduced on the `DownloadClient` base class alongside the public `getLastError()` accessor. The per-client last-error is surfaced through `DownloadClientRegistry.getAllClientStatuses()` and exposed on the `GET /api/status/status` admin endpoint under the new `downloadClients` array, letting the admin panel show a per-client failure indicator without log scraping. New regression tests cover all null-safety paths, the SAB history limit env variable (unset, valid, invalid, propagated to the API call), and the full lastError set/clear cycle for both rTorrent and SABnzbd. Resolves Gitea Issue [#68](https://git.i3omb.com/Gandalf/sofarr/issues/68).
+- **Webhook Reliability (Issue #62)** — Hardened the webhook replay protection to prevent false-duplicate detection while preserving protection against genuine retries. The replay key for Sonarr and Radarr now incorporates a content identifier (`downloadId`, falling back to `series.id` or `movie.id`) alongside the existing `eventType:instanceName:eventDate` components, so that multiple distinct events sharing the same timestamp (for example, several `Grab` events fired in the same second for episodes in a season pack) no longer collide and get silently dropped. Events without a content identifier (such as `Test`) fall back gracefully to the previous key shape so existing behaviour is preserved. The Ombi handler — which already uses a distinct `requestId`-bearing key — is unchanged. Additionally, the Sonarr and Radarr handlers now log an explicit warning when the inbound `instanceName` fails to match any configured instance and processing falls back to the first instance, improving diagnosability of misconfigured webhook senders. Resolves Gitea Issue [#62](https://git.i3omb.com/Gandalf/sofarr/issues/62).
+
+## [1.7.31] - 2026-05-28
+
+### Fixed
+
+- **Frontend Connection Remediation** — Staged and committed dynamic proxy target configurations and startup pipeline orchestrations. Rebuilt the production build of `public/app.js` to ensure dynamic SSL bypass and dynamic local network address resolution are fully compiled and deployed.
+
+## [1.7.30] - 2026-05-28
+
+### Added
+
+- **Testing Scope Expansion (Issue #60)** — Significantly expanded unit and integration test coverage targeting the background polling engine, rate limiting, and frontend rendering logic to secure core behaviors.
+  - **Background Poller Tests (`poller.test.js`)**: Implemented robust unit tests verifying concurrency guards, subscriber registries (`onPollComplete`/`offPollComplete`), graceful error recovery, webhook bypasses, and global fallbacks using a hybrid testing approach with Vitest fake timers.
+  - **Isolated Rate Limiting (`rateLimiter.test.js`)**: Designed a dedicated integration test that unsets `SKIP_RATE_LIMIT` and asserts `429 Too Many Requests` responses under rapid login requests while maintaining test suite stability.
+  - **Active Downloads Decoration (`ombiDecoration.test.js`)**: Covered deep-link generation (`arrLink`) for active download matching under admin and non-admin states.
+  - **Frontend UI Rendering (`downloads.test.js`)**: Expanded coverage for the downloads rendering engine, specifically targeting conditional administrative icon construction (`createServiceIcons()`) and client logo loading fallbacks (`createClientLogo()`).
+  - **SSE Connection Lifecycle & Payload Contracts (`dashboard.test.js`)**: Added stream tests checking Server-Sent Event heartbeat emission, payload schema schemas, and client close event listeners (`req.on('close')`) to verify callback cleanup and prevent connection-based memory leaks.
+
+## [1.7.29] - 2026-05-27
+
+### Fixed
+
+- **Missing Radarr/Sonarr Links on Active Downloads (Issue #59)** — Resolved a bug where Radarr and Sonarr deep-link buttons were missing from active/completed download cards on the main dashboard for administrator users. Implemented a generic link enrichment utility `decorateDownloadsWithArrLinks()` to query Radarr and Sonarr catalog APIs in parallel and match downloads via their database ID or title, circumventing minimal metadata in cached records that lacked `titleSlug`. Added a robust integration test to safeguard links decoration for dashboard downloads.
+
+## [1.7.28] - 2026-05-27
+
+### Fixed
+
+- **Missing Sonarr Link on TV Requests (Issue #58)** — Resolved a bug where the Sonarr deep-link button was missing on TV request cards while Radarr links correctly appeared on movie request cards. Added support for all camelCase TVDB ID variants (`tvDbId`, `tvdbId`, `theTvdbId`, `theTvDbId`, `TvDbId`, `TheTvDbId`) on both backend link decoration (`server/utils/ombiHelpers.js`) and frontend rendering (`client/src/ui/requests.js`). Added a dedicated integration test to safeguard links decoration for TV requests.
+
+## [1.7.27] - 2026-05-27
+
+### Fixed
+
+- **Frontend Dashboard Serve Regression (Issue #57)** — Resolved a critical regression where the Vite-built frontend dashboard UI was not served. Consolidated Express configurations by migrating static files serving and SPA routing into the `createApp` factory in `server/app.js`. Cleaned up `server/index.js` to import and instantiate the app from the factory, successfully eliminating over 300 lines of duplicate route and middleware registrations, and ensuring alignment between development testing and production runtime configurations.
+
+## [1.7.26] - 2026-05-27
+
+### Fixed
+
+- **Missing Ombi & \*Arr Request Links (Issue #56)** — Resolved an issue where the Ombi and \*Arr lookup buttons failed to appear against request cards. Added `decorateRequestsWithArrLinks` to aggregate IDs and query Radarr/Sonarr libraries during SSE stream decoration and backend REST fetching. Also fixed a frontend condition failing to generate Ombi links for TV requests by checking a broader set of ID properties (`theTvDbId`, `theTmdbId`, `imdbId`).
+
 ## [1.7.25] - 2026-05-27
 
 ### Fixed

Dockerfile

@@ -45,7 +45,7 @@ COPY --from=deps /app/node_modules ./node_modules
 # Copy application source owned by root (read-only at runtime)
 COPY --chown=root:root server/ ./server/
 COPY --chown=root:root public/ ./public/
-COPY --from=client-build --chown=root:root /app/public/app.js ./public/app.js
+COPY --from=client-build --chown=root:root /app/public/ ./public/
 COPY --chown=root:root package.json ./
 # Bundled snakeoil certificate for out-of-the-box TLS (self-signed, localhost only).
 # Mount your own cert/key over /app/certs/ or set TLS_CERT/TLS_KEY env vars.

client/index.html

@@ -7,6 +7,6 @@
   </head>
   <body>
     <div id="root"></div>
-    <script type="module" src="/src/main.jsx"></script>
+    <script type="module" src="/src/main.js"></script>
   </body>
 </html>

client/src/ui/requests.js

@@ -119,7 +119,7 @@ function createRequestCard(request) {
   }
 
   const card = document.createElement('div');
-  card.className = 'request-card';
+  card.className = `request-card ${request.mediaType || ''}`;
 
   const typeIcon = document.createElement('span');
   typeIcon.className = `request-type-icon ${request.mediaType || ''}`;
@@ -194,10 +194,11 @@ function createRequestCard(request) {
   const actions = document.createElement('span');
   actions.className = 'service-icons-container';
 
-  if (state.ombiBaseUrl && request.theMovieDbId) {
+  const id = request.theTvDbId || request.theTvdbId || request.tvDbId || request.tvdbId || request.TvDbId || request.TheTvDbId || request.theMovieDbId || request.theTmdbId || request.imdbId || request.ImdbId;
+  if (state.ombiBaseUrl && id) {
     const ombiLink = document.createElement('a');
     ombiLink.className = 'ombi-link';
-    ombiLink.href = `${state.ombiBaseUrl}/details/${request.mediaType || 'movie'}/${request.theMovieDbId}`;
+    ombiLink.href = `${state.ombiBaseUrl}/details/${request.mediaType || 'movie'}/${id}`;
     ombiLink.target = '_blank';
     ombiLink.title = 'View in Ombi';
     

client/vite.config.js

@@ -1,28 +1,50 @@
 // Copyright (c) 2026 Gordon Bolton. MIT License.
-import { defineConfig } from 'vite'
+import { defineConfig, loadEnv } from 'vite'
+import path from 'path'
 
-export default defineConfig({
-  build: {
-    outDir: '../public',
-    emptyOutDir: false,
-    rollupOptions: {
-      input: {
-        main: './src/main.js'
-      },
-      output: {
-        entryFileNames: 'app.js',
-        chunkFileNames: '[name].js',
-        assetFileNames: '[name][extname]'
+export default defineConfig(({ mode }) => {
+  // Load env variables from root directory to match backend TLS configuration
+  const env = loadEnv(mode, path.resolve(__dirname, '..'), '');
+
+  const port = env.PORT || 3001;
+  const tlsEnabled = (env.TLS_ENABLED || 'true').toLowerCase() !== 'false';
+  const target = `${tlsEnabled ? 'https' : 'http'}://localhost:${port}`;
+
+  return {
+    build: {
+      // NOTE (Issue #66): `outDir` is intentionally the repo-root `../public`,
+      // NOT the Vite default `client/dist/`. The Express server in
+      // `server/app.js` serves static assets directly from `public/`, so the
+      // Vite build emits its bundle alongside the hand-authored static assets
+      // (favicon, etc.) that live in `public/` and are committed to the repo.
+      // Do NOT change this back to `dist/` without also updating the Express
+      // static-serve configuration and the Dockerfile copy steps.
+      outDir: '../public',
+      // NOTE (Issue #66): `emptyOutDir: false` is REQUIRED because `public/`
+      // contains hand-authored static assets that must survive the build.
+      // Setting this to `true` would wipe those assets on every `vite build`.
+      emptyOutDir: false,
+      rollupOptions: {
+        input: {
+          main: './src/main.js'
+        },
+        output: {
+          entryFileNames: 'app.js',
+          chunkFileNames: '[name].js',
+          assetFileNames: '[name][extname]'
+        }
+      }
+    },
+    server: {
+      port: 5173,
+      host: true, // Listen on all network interfaces
+      proxy: {
+        '/api': {
+          target: target,
+          changeOrigin: true,
+          secure: false // Allow self-signed certificate in development
+        }
       }
     }
-  },
-  server: {
-    port: 5173,
-    proxy: {
-      '/api': {
-        target: 'http://localhost:3001',
-        changeOrigin: true
-      }
-    }
-  }
-})
+  };
+});

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "sofarr",
-  "version": "1.7.25",
+  "version": "1.7.33",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "sofarr",
-      "version": "1.7.25",
+      "version": "1.7.33",
       "license": "MIT",
       "dependencies": {
         "axios": "^1.6.0",

package.json

@@ -1,11 +1,14 @@
 {
   "name": "sofarr",
-  "version": "1.7.25",
+  "version": "1.7.33",
   "description": "A personal media download dashboard that shows your downloads 'so far' while you relax on the sofa waiting for your *arr services to finish",
   "main": "server/index.js",
   "scripts": {
-    "dev": "nodemon server/index.js",
+    "dev:server": "nodemon server/index.js",
+    "dev:client": "npm run dev --prefix client",
+    "dev": "concurrently -n 'server,client' -c 'blue,green' 'npm run dev:server' 'npm run dev:client'",
     "start": "node server/index.js",
+    "build": "npm run build --prefix client",
     "install:all": "npm install",
     "test": "vitest run",
     "test:watch": "vitest",

public/style.css

@@ -2229,11 +2229,19 @@ body {
 
 /* ===== Requests Tab ===== */
 .requests-container {
-  padding: 20px;
+  background: var(--surface);
+  padding: 16px 20px;
+  border-radius: 8px;
+  box-shadow: 0 2px 4px var(--shadow);
+  transition: background 0.3s;
 }
 
 .requests-header {
-  margin-bottom: 20px;
+  display: flex;
+  align-items: center;
+  gap: 12px;
+  margin-bottom: 12px;
+  flex-wrap: wrap;
 }
 
 .requests-header h2 {
@@ -2249,37 +2257,46 @@ body {
 }
 
 .requests-list {
-  display: grid;
-  gap: 12px;
-  overflow-x: hidden;
+  display: flex;
+  flex-direction: column;
+  gap: 8px;
 }
 
 .request-card {
   display: flex;
-  align-items: center;
+  align-items: flex-start;
   gap: 12px;
-  padding: 16px;
+  padding: 10px 14px;
   background: var(--surface);
   border: 1px solid var(--border);
-  border-radius: 8px;
+  border-radius: 6px;
   transition: box-shadow 0.2s ease, border-color 0.2s ease;
   min-width: 0;
 }
 
+.request-card.tv {
+  border-left: 3px solid var(--series-color);
+}
+
+.request-card.movie {
+  border-left: 3px solid var(--movie-color);
+}
+
 .request-card:hover {
   box-shadow: 0 2px 8px rgba(0, 0, 0, 0.08);
   border-color: var(--accent);
 }
 
 .request-type-icon {
-  font-size: 1.5rem;
+  font-size: 1.6rem;
   display: flex;
   align-items: center;
   justify-content: center;
-  width: 40px;
-  height: 40px;
+  width: 48px;
+  height: 68px;
   background: var(--surface-alt);
-  border-radius: 8px;
+  border-radius: 4px;
+  box-shadow: 0 1px 4px var(--shadow-strong);
   flex-shrink: 0;
 }
 
@@ -2289,11 +2306,11 @@ body {
 }
 
 .request-title {
+  font-size: 0.95rem;
   font-weight: 600;
   color: var(--text-primary);
-  margin-bottom: 4px;
-  overflow: hidden;
-  text-overflow: ellipsis;
+  margin: 0 0 4px;
+  word-break: break-word;
 }
 
 .request-meta {

server/app.js

@@ -15,6 +15,7 @@ const swaggerUi = require('swagger-ui-express');
 const swaggerJsdoc = require('swagger-jsdoc');
 const YAML = require('yamljs');
 const path = require('path');
+const fs = require('fs');
 const { version } = require('../package.json');
 
 const sabnzbdRoutes = require('./routes/sabnzbd');
@@ -132,7 +133,7 @@ function createApp({ skipRateLimits = false } = {}) {
    *                 version:
    *                   type: string
    *                   description: sofarr version
-   *                   example: "1.7.25"
+   *                   example: "1.7.33"
    *     x-code-samples:
    *       - lang: curl
    *         label: cURL
@@ -232,6 +233,44 @@ function createApp({ skipRateLimits = false } = {}) {
   app.use('/api/status', statusRoutes);
   app.use('/api/history', historyRoutes);
 
+  // ---------------------------------------------------------------------------
+  // Static files — served before API routes
+  // index.html is served manually so we can inject the CSP nonce
+  // ---------------------------------------------------------------------------
+  const PUBLIC_DIR = path.join(__dirname, '../public');
+  const INDEX_HTML = path.join(PUBLIC_DIR, 'index.html');
+
+  // Serve all static assets (js, css, images, icons) except index.html.
+  // JS and CSS get no-cache so browsers revalidate on every load (ETag still
+  // avoids re-downloading unchanged files; only a deploy changes the ETag).
+  app.use(express.static(PUBLIC_DIR, {
+    index: false,
+    setHeaders(res, filePath) {
+      if (filePath.endsWith('.js') || filePath.endsWith('.css')) {
+        res.setHeader('Cache-Control', 'no-cache');
+      }
+    }
+  }));
+
+  // Serve index.html with CSP nonce injected into <script> tags
+  function serveIndex(req, res) {
+    fs.readFile(INDEX_HTML, 'utf8', (err, html) => {
+      if (err) return res.status(500).send('Internal Server Error');
+      const nonce = res.locals.cspNonce;
+      // Only inject nonce into <script> tags — style-src 'self' already permits
+      // same-origin <link rel=stylesheet> without a nonce, and injecting a nonce
+      // onto <link> breaks mobile browsers / caching proxies (stale HTML carries
+      // the old nonce which no longer matches the per-request CSP header).
+      const patched = html
+        .replace(/<script([^>]*)>/gi, `<script nonce="${nonce}"$1>`);
+      res.setHeader('Content-Type', 'text/html; charset=utf-8');
+      res.send(patched);
+    });
+  }
+
+  // SPA catch-all — serve index.html for any unmatched path
+  app.get('*', serveIndex);
+
   // Global error handler
   // eslint-disable-next-line no-unused-vars
   app.use((err, req, res, next) => {

server/clients/DownloadClient.js

@@ -25,6 +25,41 @@ class DownloadClient {
     this.apiKey = instanceConfig.apiKey;
     this.username = instanceConfig.username;
     this.password = instanceConfig.password;
+
+    // Last error encountered while talking to this client.
+    // Cleared on successful calls via _clearLastError(); set via _recordLastError().
+    // Surfaced through getAllClientStatuses() so the admin status panel can show
+    // a per-client failure indicator without needing to scrape logs.
+    this.lastError = null;
+  }
+
+  /**
+   * Record an error encountered while talking to this client.
+   * @param {string} operation - Short description of the operation (e.g. 'getActiveDownloads')
+   * @param {Error|string} error - Error object or message
+   */
+  _recordLastError(operation, error) {
+    const message = (error && error.message) ? error.message : String(error || 'unknown error');
+    this.lastError = {
+      operation,
+      message,
+      at: new Date().toISOString()
+    };
+  }
+
+  /**
+   * Clear the last error (called when an operation succeeds).
+   */
+  _clearLastError() {
+    this.lastError = null;
+  }
+
+  /**
+   * Public accessor for the last recorded error, or null if none.
+   * @returns {{operation:string, message:string, at:string}|null}
+   */
+  getLastError() {
+    return this.lastError;
   }
 
   /**

server/clients/QBittorrentClient.js

@@ -23,9 +23,11 @@ class QBittorrentClient extends DownloadClient {
       // Try a simple API call to verify connection
       await this.makeRequest('/api/v2/app/version');
       logToFile(`[qBittorrent:${this.name}] Connection test successful`);
+      this._clearLastError();
       return true;
     } catch (error) {
       logToFile(`[qBittorrent:${this.name}] Connection test failed: ${error.message}`);
+      this._recordLastError('testConnection', error);
       return false;
     }
   }
@@ -104,6 +106,11 @@ class QBittorrentClient extends DownloadClient {
     const response = await this.makeRequest(`/api/v2/sync/maindata?rid=${this.lastRid}`);
     const data = response.data;
 
+    if (!data) {
+      logToFile(`[qBittorrent:${this.name}] Empty response from sync/maindata`);
+      return Array.from(this.torrentMap.values());
+    }
+
     if (data.full_update) {
       // Full refresh: rebuild the entire map
       this.torrentMap.clear();
@@ -169,6 +176,7 @@ class QBittorrentClient extends DownloadClient {
 
       const torrents = await this.getMainData();
       logToFile(`[qBittorrent:${this.name}] Sync: ${torrents.length} torrents (rid=${this.lastRid})`);
+      this._clearLastError();
       return torrents.map(torrent => this.normalizeDownload(torrent));
     } catch (error) {
       logToFile(`[qBittorrent:${this.name}] Sync failed, falling back to legacy: ${error.message}`);
@@ -183,6 +191,7 @@ class QBittorrentClient extends DownloadClient {
         return torrents.map(torrent => this.normalizeDownload(torrent));
       } catch (fallbackError) {
         logToFile(`[qBittorrent:${this.name}] Fallback also failed: ${fallbackError.message}`);
+        this._recordLastError('getActiveDownloads', fallbackError);
         return [];
       }
     }
@@ -193,6 +202,7 @@ class QBittorrentClient extends DownloadClient {
       const response = await this.makeRequest('/api/v2/sync/maindata');
       const data = response.data;
       
+      this._clearLastError();
       return {
         serverState: data.server_state || {},
         rid: data.rid,
@@ -200,6 +210,7 @@ class QBittorrentClient extends DownloadClient {
       };
     } catch (error) {
       logToFile(`[qBittorrent:${this.name}] Error getting client status: ${error.message}`);
+      this._recordLastError('getClientStatus', error);
       return null;
     }
   }
@@ -249,6 +260,14 @@ class QBittorrentClient extends DownloadClient {
       downloaded: downloadedSize,
       speed: torrent.dlspeed,
       eta: torrent.eta < 0 || torrent.eta === 8640000 ? null : torrent.eta,
+      // Connected peer counts (Issue #64). qBittorrent exposes:
+      //   num_seeds   — connected seeds (peers we have a connection to)
+      //   num_leechs  — connected leechers (peers downloading from us)
+      //   num_complete / num_incomplete — *swarm* totals reported by tracker
+      // We expose the connected counts to stay consistent with what other
+      // clients (e.g. Transmission via peersConnected/peersSendingToUs) report.
+      seeds: torrent.num_seeds ?? 0,
+      peers: torrent.num_leechs ?? 0,
       category: torrent.category || undefined,
       tags: torrent.tags ? torrent.tags.split(',').filter(tag => tag.trim()) : [],
       savePath: torrent.content_path || torrent.save_path || undefined,

server/clients/RTorrentClient.js

@@ -35,9 +35,11 @@ class RTorrentClient extends DownloadClient {
     try {
       await this._methodCall('system.client_version');
       logToFile(`[rtorrent:${this.name}] Connection test successful`);
+      this._clearLastError();
       return true;
     } catch (error) {
       logToFile(`[rtorrent:${this.name}] Connection test failed: ${error.message}`);
+      this._recordLastError('testConnection', error);
       return false;
     }
   }
@@ -77,10 +79,31 @@ class RTorrentClient extends DownloadClient {
         'd.custom1='
       ]);
 
+      // rTorrent XML-RPC can occasionally return null/undefined or a non-array
+      // on misconfigured servers or transient errors. Guard against that here
+      // so callers always get a sane array instead of throwing on .map.
+      if (!Array.isArray(torrents)) {
+        logToFile(`[rtorrent:${this.name}] d.multicall2 returned non-array (${typeof torrents}); treating as empty`);
+        this._clearLastError();
+        return [];
+      }
+
       logToFile(`[rtorrent:${this.name}] Retrieved ${torrents.length} torrents`);
-      return torrents.map(torrent => this.normalizeDownload(torrent));
+      this._clearLastError();
+      // Filter out any individual rows that fail to normalize so a single bad
+      // record cannot poison the whole result set.
+      const normalized = [];
+      for (const torrent of torrents) {
+        try {
+          normalized.push(this.normalizeDownload(torrent));
+        } catch (err) {
+          logToFile(`[rtorrent:${this.name}] Skipping malformed torrent row: ${err.message}`);
+        }
+      }
+      return normalized;
     } catch (error) {
       logToFile(`[rtorrent:${this.name}] Error fetching torrents: ${error.message}`);
+      this._recordLastError('getActiveDownloads', error);
       return [];
     }
   }
@@ -92,31 +115,53 @@ class RTorrentClient extends DownloadClient {
         this._methodCall('throttle.global_up.rate')
       ]);
 
+      this._clearLastError();
       return {
-        globalDownRate: downRate,
-        globalUpRate: upRate
+        globalDownRate: Number.isFinite(downRate) ? downRate : 0,
+        globalUpRate: Number.isFinite(upRate) ? upRate : 0
       };
     } catch (error) {
       logToFile(`[rtorrent:${this.name}] Error getting client status: ${error.message}`);
+      this._recordLastError('getClientStatus', error);
       return null;
     }
   }
 
   normalizeDownload(torrent) {
+    // rTorrent's d.multicall2 returns an array of fields in the order requested.
+    // If a value is missing rtorrent typically returns '' or 0, but plugins and
+    // older versions can return undefined/null — coerce everything explicitly so
+    // downstream math and string ops never blow up on null/undefined.
+    if (!Array.isArray(torrent)) {
+      throw new Error('Expected torrent row to be an array');
+    }
+
     const [
-      hash,
-      name,
-      sizeBytes,
-      completedBytes,
-      downRate,
-      upRate,
-      state,
-      isActive,
-      isHashChecking,
-      directory,
-      custom1
+      hashRaw,
+      nameRaw,
+      sizeBytesRaw,
+      completedBytesRaw,
+      downRateRaw,
+      upRateRaw,
+      stateRaw,
+      isActiveRaw,
+      isHashCheckingRaw,
+      directoryRaw,
+      custom1Raw
     ] = torrent;
 
+    const hash = hashRaw ? String(hashRaw) : '';
+    const name = nameRaw ? String(nameRaw) : '';
+    const sizeBytes = Number(sizeBytesRaw) || 0;
+    const completedBytes = Number(completedBytesRaw) || 0;
+    const downRate = Number(downRateRaw) || 0;
+    const upRate = Number(upRateRaw) || 0;
+    const state = Number.isFinite(Number(stateRaw)) ? Number(stateRaw) : 0;
+    const isActive = Number.isFinite(Number(isActiveRaw)) ? Number(isActiveRaw) : 0;
+    const isHashChecking = Number.isFinite(Number(isHashCheckingRaw)) ? Number(isHashCheckingRaw) : 0;
+    const directory = directoryRaw ? String(directoryRaw) : '';
+    const custom1 = custom1Raw ? String(custom1Raw) : '';
+
     const status = this._mapStatus(state, isActive, isHashChecking, completedBytes, sizeBytes);
     const progress = sizeBytes > 0 ? Math.round((completedBytes / sizeBytes) * 100) : 0;
 
@@ -168,6 +213,11 @@ class RTorrentClient extends DownloadClient {
   }
 
   _extractArrInfo(filename) {
+    // Null-safe: getActiveDownloads passes a normalized string, but guard anyway
+    // so callers passing raw rtorrent values cannot crash this helper.
+    if (!filename || typeof filename !== 'string') {
+      return {};
+    }
     const seriesMatch = filename.match(/[-\s]S(\d{2})E(\d{2})/i);
     if (seriesMatch) {
       return { type: 'series' };

server/clients/SABnzbdClient.js

@@ -3,9 +3,27 @@ const axios = require('axios');
 const DownloadClient = require('./DownloadClient');
 const { logToFile } = require('../utils/logger');
 
+// Number of recently completed jobs to pull from SABnzbd's /api?mode=history on
+// every poll. Larger values let DownloadMatcher correlate slightly older jobs
+// with their Sonarr/Radarr queue entries at the cost of one wider HTTP
+// response per poll cycle. Configurable via the SAB_HISTORY_LIMIT environment
+// variable; defaults to 10 to match the previous hardcoded value.
+const DEFAULT_HISTORY_LIMIT = 10;
+function resolveHistoryLimit() {
+  const raw = process.env.SAB_HISTORY_LIMIT;
+  if (raw === undefined || raw === null || raw === '') return DEFAULT_HISTORY_LIMIT;
+  const parsed = parseInt(raw, 10);
+  if (!Number.isFinite(parsed) || parsed < 0) {
+    logToFile(`[SABnzbd] Invalid SAB_HISTORY_LIMIT='${raw}'; falling back to ${DEFAULT_HISTORY_LIMIT}`);
+    return DEFAULT_HISTORY_LIMIT;
+  }
+  return parsed;
+}
+
 class SABnzbdClient extends DownloadClient {
   constructor(instance) {
     super(instance);
+    this.historyLimit = resolveHistoryLimit();
   }
 
   getClientType() {
@@ -16,9 +34,11 @@ class SABnzbdClient extends DownloadClient {
     try {
       const response = await this.makeRequest('', { mode: 'version' });
       logToFile(`[SABnzbd:${this.name}] Connection test successful, version: ${response.data.version}`);
+      this._clearLastError();
       return true;
     } catch (error) {
       logToFile(`[SABnzbd:${this.name}] Connection test failed: ${error.message}`);
+      this._recordLastError('testConnection', error);
       return false;
     }
   }
@@ -47,7 +67,7 @@ class SABnzbdClient extends DownloadClient {
       // Get both queue and history to provide complete picture
       const [queueResponse, historyResponse] = await Promise.all([
         this.makeRequest({ mode: 'queue' }),
-        this.makeRequest({ mode: 'history', limit: 10 })
+        this.makeRequest({ mode: 'history', limit: this.historyLimit })
       ]);
 
       const queueData = queueResponse.data;
@@ -99,10 +119,12 @@ class SABnzbdClient extends DownloadClient {
         }
       }
 
-      logToFile(`[SABnzbd:${this.name}] Retrieved ${downloads.length} downloads`);
+      logToFile(`[SABnzbd:${this.name}] Retrieved ${downloads.length} downloads (historyLimit=${this.historyLimit})`);
+      this._clearLastError();
       return downloads;
     } catch (error) {
       logToFile(`[SABnzbd:${this.name}] Error fetching downloads: ${error.message}`);
+      this._recordLastError('getActiveDownloads', error);
       return [];
     }
   }
@@ -112,8 +134,12 @@ class SABnzbdClient extends DownloadClient {
       const response = await this.makeRequest({ mode: 'queue' });
       const queueData = response.data.queue;
       
-      if (!queueData) return null;
+      if (!queueData) {
+        this._clearLastError();
+        return null;
+      }
 
+      this._clearLastError();
       return {
         status: queueData.status,
         speed: queueData.speed,
@@ -128,6 +154,7 @@ class SABnzbdClient extends DownloadClient {
       };
     } catch (error) {
       logToFile(`[SABnzbd:${this.name}] Error getting client status: ${error.message}`);
+      this._recordLastError('getClientStatus', error);
       return null;
     }
   }

server/clients/TransmissionClient.js

@@ -18,9 +18,11 @@ class TransmissionClient extends DownloadClient {
     try {
       await this.makeRequest('session-get');
       logToFile(`[Transmission:${this.name}] Connection test successful`);
+      this._clearLastError();
       return true;
     } catch (error) {
       logToFile(`[Transmission:${this.name}] Connection test failed: ${error.message}`);
+      this._recordLastError('testConnection', error);
       return false;
     }
   }
@@ -80,10 +82,11 @@ class TransmissionClient extends DownloadClient {
 
       const torrents = response.data.arguments.torrents || [];
       logToFile(`[Transmission:${this.name}] Retrieved ${torrents.length} torrents`);
-      
+      this._clearLastError();
       return torrents.map(torrent => this.normalizeDownload(torrent));
     } catch (error) {
       logToFile(`[Transmission:${this.name}] Error fetching torrents: ${error.message}`);
+      this._recordLastError('getActiveDownloads', error);
       return [];
     }
   }
@@ -93,12 +96,14 @@ class TransmissionClient extends DownloadClient {
       const response = await this.makeRequest('session-get');
       const sessionStats = await this.makeRequest('session-stats');
       
+      this._clearLastError();
       return {
         session: response.data.arguments,
         stats: sessionStats.data.arguments
       };
     } catch (error) {
       logToFile(`[Transmission:${this.name}] Error getting client status: ${error.message}`);
+      this._recordLastError('getClientStatus', error);
       return null;
     }
   }
@@ -113,7 +118,11 @@ class TransmissionClient extends DownloadClient {
       4: 'Downloading',  // TORRENT_DOWNLOAD
       5: 'Queued',       // TORRENT_SEED_WAIT
       6: 'Seeding',      // TORRENT_SEED
-      7: 'Unknown'       // TORRENT_IS_CHECKING (alias for 2)
+      // Status code 7 is undocumented in the Transmission RPC spec (which
+      // formally defines only 0–6). The legacy alias "TORRENT_IS_CHECKING"
+      // (a duplicate of code 2) is the best-effort interpretation; map it to
+      // `Checking` so it is rendered usefully rather than as `Unknown`.
+      7: 'Checking'      // TORRENT_IS_CHECKING (undocumented; treated as code 2)
     };
 
     const status = statusMap[torrent.status] || 'Unknown';
@@ -160,8 +169,12 @@ class TransmissionClient extends DownloadClient {
   }
 
   extractArrInfo(filename) {
-    // Similar to SABnzbdClient, try to extract Sonarr/Radarr info
-    
+    // arrQueueId cannot be extracted from filename alone; *arr exposes that
+    // identifier only via its queue API. The reliable cross-client matching
+    // path is hash-based and lives in `DownloadMatcher.matchTorrents()` (see
+    // Issue #65), which keys on `torrent.hashString` for Transmission.
+    // This heuristic remains only to provide a coarse `type` hint.
+
     // Look for patterns like "Series Name - S01E02 - Episode Title"
     const seriesMatch = filename.match(/[-\s]S(\d{2})E(\d{2})/i);
     if (seriesMatch) {
@@ -176,6 +189,39 @@ class TransmissionClient extends DownloadClient {
 
     return {};
   }
+
+  /**
+   * Start (resume) one or more torrents. `id` is the Transmission internal
+   * numeric id or a hashString; the RPC accepts either.
+   * @param {number|string|Array<number|string>} id
+   */
+  async startTorrent(id) {
+    const ids = Array.isArray(id) ? id : [id];
+    await this.makeRequest('torrent-start', { ids });
+    logToFile(`[Transmission:${this.name}] Started torrent(s): ${ids.join(', ')}`);
+  }
+
+  /**
+   * Stop (pause) one or more torrents.
+   * @param {number|string|Array<number|string>} id
+   */
+  async stopTorrent(id) {
+    const ids = Array.isArray(id) ? id : [id];
+    await this.makeRequest('torrent-stop', { ids });
+    logToFile(`[Transmission:${this.name}] Stopped torrent(s): ${ids.join(', ')}`);
+  }
+
+  /**
+   * Remove one or more torrents. When `deleteData` is true the local files
+   * are also deleted from disk (Transmission's `delete-local-data`).
+   * @param {number|string|Array<number|string>} id
+   * @param {boolean} [deleteData=false]
+   */
+  async removeTorrent(id, deleteData = false) {
+    const ids = Array.isArray(id) ? id : [id];
+    await this.makeRequest('torrent-remove', { ids, 'delete-local-data': !!deleteData });
+    logToFile(`[Transmission:${this.name}] Removed torrent(s): ${ids.join(', ')} (deleteData=${!!deleteData})`);
+  }
 }
 
 module.exports = TransmissionClient;

server/index.js

@@ -82,20 +82,9 @@ console.error = function(...args) {
   logFile.write(`[${new Date().toISOString()}] ERROR: ${message}\n`);
 };
 
-const sabnzbdRoutes = require('./routes/sabnzbd');
-const sonarrRoutes = require('./routes/sonarr');
-const radarrRoutes = require('./routes/radarr');
-const embyRoutes = require('./routes/emby');
-const dashboardRoutes = require('./routes/dashboard');
-const statusRoutes = require('./routes/status');
-const historyRoutes = require('./routes/history');
-const authRoutes = require('./routes/auth');
-const webhookRoutes = require('./routes/webhook');
-const ombiRoutes = require('./routes/ombi');
-const debugRoutes = require('./routes/debug');
-const verifyCsrf = require('./middleware/verifyCsrf');
 const { startPoller, POLL_INTERVAL, POLLING_ENABLED } = require('./utils/poller');
 const { validateInstanceUrl } = require('./utils/config');
+const { createApp } = require('./app');
 
 // ---------------------------------------------------------------------------
 // Startup environment validation
@@ -117,284 +106,10 @@ if (process.env.EMBY_URL) {
   validateInstanceUrl(process.env.EMBY_URL, 'EMBY_URL');
 }
 
-const app = express();
+const app = createApp();
 const PORT = process.env.PORT || 3001;
-
-// Load OpenAPI spec from YAML
-const openapiSpec = YAML.load(path.join(__dirname, 'openapi.yaml'));
-
-// Configure swagger-jsdoc to merge JSDoc comments from route files
-const swaggerOptions = {
-  definition: {
-    ...openapiSpec,
-    openapi: '3.1.0'
-  },
-  apis: [
-    path.join(__dirname, 'routes/*.js'),
-    path.join(__dirname, 'index.js')
-  ]
-};
-
-const swaggerSpec = swaggerJsdoc(swaggerOptions);
-
-// Resolve TLS_ENABLED early — used in Helmet CSP and server startup
 const TLS_ENABLED = (process.env.TLS_ENABLED || 'true').toLowerCase() !== 'false';
 
-// ---------------------------------------------------------------------------
-// Trust proxy — required when behind Nginx/Caddy/Traefik so that
-// req.ip reflects the real client IP (not 127.0.0.1) and
-// req.secure is true when the upstream TLS is terminated by the proxy.
-// Set TRUST_PROXY=1 (or a specific IP/CIDR) via env.
-// ---------------------------------------------------------------------------
-if (process.env.TRUST_PROXY) {
-  const trustValue = /^\d+$/.test(process.env.TRUST_PROXY)
-    ? parseInt(process.env.TRUST_PROXY, 10)
-    : process.env.TRUST_PROXY;
-  app.set('trust proxy', trustValue);
-}
-
-// ---------------------------------------------------------------------------
-// Helmet v7 — security response headers
-// CSP uses a per-request nonce injected into index.html so inline scripts
-// and styles are allowed only with a valid nonce, not blanket unsafe-inline.
-// ---------------------------------------------------------------------------
-app.use((req, res, next) => {
-  // Generate a fresh nonce for every request
-  res.locals.cspNonce = crypto.randomBytes(16).toString('base64');
-  next();
-});
-
-app.use((req, res, next) => {
-  helmet({
-    contentSecurityPolicy: {
-      directives: {
-        defaultSrc: ["'self'"],
-        scriptSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`],
-        styleSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`],
-        imgSrc: ["'self'", 'data:', 'blob:'],
-        fontSrc: ["'self'", 'data:'],
-        connectSrc: ["'self'"],
-        objectSrc: ["'none'"],
-        baseUri: ["'self'"],
-        frameAncestors: ["'none'"],
-        formAction: ["'self'"],
-        upgradeInsecureRequests: (process.env.TRUST_PROXY || TLS_ENABLED) ? [] : null
-      }
-    },
-    hsts: {
-      maxAge: 31536000,       // 1 year
-      includeSubDomains: true,
-      preload: true
-    },
-    referrerPolicy: { policy: 'strict-origin-when-cross-origin' },
-    crossOriginEmbedderPolicy: false // not needed for this SPA
-  })(req, res, next);
-});
-
-// Permissions-Policy — disable powerful browser features not needed by the app
-app.use((req, res, next) => {
-  res.setHeader(
-    'Permissions-Policy',
-    'camera=(), microphone=(), geolocation=(), payment=(), usb=()'
-  );
-  next();
-});
-
-// ---------------------------------------------------------------------------
-// General API rate limiter — applies to all /api/* routes
-// More specific limiters (e.g. login) apply on top of this.
-// ---------------------------------------------------------------------------
-const apiLimiter = rateLimit({
-  windowMs: 15 * 60 * 1000,   // 15 minutes
-  max: 300,                    // 300 requests per IP per window (generous for polling)
-  standardHeaders: true,
-  legacyHeaders: false,
-  skip: (req) => req.originalUrl && req.originalUrl.startsWith('/api/dashboard/cover-art'),
-  message: { error: 'Too many requests, please try again later' }
-});
-
-// ---------------------------------------------------------------------------
-// Body parsing & cookies
-// ---------------------------------------------------------------------------
-app.use(cookieParser(cookieSecret || undefined));
-app.use(express.json({ limit: '64kb' })); // prevent oversized JSON payloads
-
-// ---------------------------------------------------------------------------
-// Health / readiness endpoints (no auth, no rate-limit)
-// Used by Docker HEALTHCHECK and orchestrators.
-// ---------------------------------------------------------------------------
-/**
- * @openapi
- * /health:
- *   get:
- *     tags: [Health]
- *     summary: Health check
- *     description: Returns server uptime and status. No authentication required. Used for liveness probes.
- *     security: []
- *     responses:
- *       '200':
- *         description: Server is healthy
- *         content:
- *           application/json:
- *             schema:
- *               type: object
- *               properties:
- *                 status:
- *                   type: string
- *                   example: "ok"
- *                 uptime:
- *                   type: number
- *                   description: Server uptime in seconds
- *                   example: 3600.5
- *                 version:
- *                   type: string
- *                   description: sofarr version
- *                   example: "1.7.25"
- */
-app.get('/health', (req, res) => {
-  res.json({ status: 'ok', uptime: process.uptime(), version });
-});
-
-/**
- * @openapi
- * /ready:
- *   get:
- *     tags: [Health]
- *     summary: Readiness check
- *     description: Checks if critical configuration (EMBY_URL) is present. Used by Docker HEALTHCHECK and orchestrators. No authentication required.
- *     security: []
- *     responses:
- *       '200':
- *         description: Server is ready
- *         content:
- *           application/json:
- *             schema:
- *               type: object
- *               properties:
- *                 status:
- *                   type: string
- *                   example: "ready"
- *       '503':
- *         description: Server not ready
- *         content:
- *           application/json:
- *             schema:
- *               type: object
- *               properties:
- *                 status:
- *                   type: string
- *                   example: "not ready"
- *                 reason:
- *                   type: string
- *                   example: "EMBY_URL not configured"
- */
-app.get('/ready', (req, res) => {
-  // Confirm critical config is present
-  const ready = !!(process.env.EMBY_URL);
-  if (ready) {
-    res.json({ status: 'ready' });
-  } else {
-    res.status(503).json({ status: 'not ready', reason: 'EMBY_URL not configured' });
-  }
-});
-
-// ---------------------------------------------------------------------------
-// Swagger UI - publicly accessible API documentation
-// ---------------------------------------------------------------------------
-app.use('/api/swagger', swaggerUi.serve, swaggerUi.setup(null, {
-  customSiteTitle: 'sofarr API Documentation',
-  customCss: '.swagger-ui .topbar { display: none }',
-  customJs: [
-    '/swagger-auth-banner.js'
-  ],
-  swaggerOptions: {
-    url: '/api/swagger.json'
-  }
-}));
-
-// Serve the raw OpenAPI spec as JSON with dynamic server URL
-app.get('/api/swagger.json', (req, res) => {
-  // Clone the spec to avoid modifying the original
-  const specCopy = JSON.parse(JSON.stringify(swaggerSpec));
-  
-  // Replace the server URL with the current request's origin
-  if (specCopy.servers && specCopy.servers.length > 0) {
-    const protocol = req.protocol;
-    const host = req.get('host');
-    specCopy.servers[0].url = `${protocol}://${host}`;
-  }
-  
-  res.json(specCopy);
-});
-
-// ---------------------------------------------------------------------------
-// Static files — served before API routes
-// index.html is served manually so we can inject the CSP nonce
-// ---------------------------------------------------------------------------
-const PUBLIC_DIR = path.join(__dirname, '../public');
-const INDEX_HTML = path.join(PUBLIC_DIR, 'index.html');
-
-// Serve all static assets (js, css, images, icons) except index.html.
-// JS and CSS get no-cache so browsers revalidate on every load (ETag still
-// avoids re-downloading unchanged files; only a deploy changes the ETag).
-app.use(express.static(PUBLIC_DIR, {
-  index: false,
-  setHeaders(res, filePath) {
-    if (filePath.endsWith('.js') || filePath.endsWith('.css')) {
-      res.setHeader('Cache-Control', 'no-cache');
-    }
-  }
-}));
-
-// Serve index.html with CSP nonce injected into <script> tags
-function serveIndex(req, res) {
-  fs.readFile(INDEX_HTML, 'utf8', (err, html) => {
-    if (err) return res.status(500).send('Internal Server Error');
-    const nonce = res.locals.cspNonce;
-    // Only inject nonce into <script> tags — style-src 'self' already permits
-    // same-origin <link rel=stylesheet> without a nonce, and injecting a nonce
-    // onto <link> breaks mobile browsers / caching proxies (stale HTML carries
-    // the old nonce which no longer matches the per-request CSP header).
-    const patched = html
-      .replace(/<script([^>]*)>/gi, `<script nonce="${nonce}"$1>`);
-    res.setHeader('Content-Type', 'text/html; charset=utf-8');
-    res.send(patched);
-  });
-}
-
-// ---------------------------------------------------------------------------
-// API routes (rate-limited; auth routes exempt CSRF for login/csrf endpoints)
-// CSRF protection applies to all state-changing /api/* requests except
-// /api/auth/login (pre-auth) and /api/auth/csrf (issues the token).
-// ---------------------------------------------------------------------------
-app.use('/api', apiLimiter);
-app.use('/api/auth', authRoutes);
-app.use('/api/webhook', webhookRoutes);
-app.use('/api/debug', debugRoutes);
-
-// All routes below this point require CSRF validation on mutating methods
-app.use('/api', verifyCsrf);
-app.use('/api/sabnzbd', sabnzbdRoutes);
-app.use('/api/sonarr', sonarrRoutes);
-app.use('/api/radarr', radarrRoutes);
-app.use('/api/emby', embyRoutes);
-app.use('/api/ombi', ombiRoutes);
-app.use('/api/dashboard', dashboardRoutes);
-app.use('/api/status', statusRoutes);
-app.use('/api/history', historyRoutes);
-
-// SPA catch-all — serve index.html for any unmatched path
-app.get('*', serveIndex);
-
-// ---------------------------------------------------------------------------
-// Global error handler — never leak stack traces to clients
-// ---------------------------------------------------------------------------
-// eslint-disable-next-line no-unused-vars
-app.use((err, req, res, next) => {
-  console.error('[Server] Unhandled error:', err.message);
-  res.status(500).json({ error: 'Internal server error' });
-});
-
 // ---------------------------------------------------------------------------
 // TLS / HTTPS support
 // Set TLS_CERT and TLS_KEY to paths of your certificate and private key.

server/openapi.yaml

@@ -22,7 +22,7 @@ info:
 
     ## SSE Streaming
     Real-time updates are available via Server-Sent Events at GET /api/dashboard/stream.
-  version: 1.7.24
+  version: 1.7.33
   contact:
     name: sofarr
   license:

server/routes/dashboard.js

@@ -13,7 +13,7 @@ const { buildUserDownloads } = require('../services/DownloadBuilder');
 const { onHistoryUpdate, offHistoryUpdate } = require('../utils/historyFetcher');
 const arrRetrieverRegistry = require('../utils/arrRetrievers');
 const { getOmbiInstances, getSonarrInstances, getRadarrInstances } = require('../utils/config');
-const { extractRequestedUser, filterRequestsByUser } = require('../utils/ombiHelpers');
+const { extractRequestedUser, filterRequestsByUser, decorateRequestsWithArrLinks, decorateDownloadsWithArrLinks } = require('../utils/ombiHelpers');
 const { canBlocklist } = require('../services/DownloadAssembler');
 
 
@@ -218,6 +218,10 @@ router.get('/user-downloads', requireAuth, async (req, res) => {
       ombiBaseUrl
     });
 
+    if (isAdmin) {
+      await decorateDownloadsWithArrLinks(userDownloads, isAdmin);
+    }
+
     res.json({
       user: user.name,
       isAdmin,
@@ -513,6 +517,10 @@ router.get('/stream', requireAuth, async (req, res) => {
         ombiBaseUrl
       });
 
+      if (isAdmin) {
+        await decorateDownloadsWithArrLinks(userDownloads, isAdmin);
+      }
+
       console.log(`[SSE] Sending ${userDownloads.length} downloads for ${user.name}`);
       const downloadClients = downloadClientRegistry.getAllClients().map(c => ({
         id: c.getInstanceId(),
@@ -525,8 +533,14 @@ router.get('/stream', requireAuth, async (req, res) => {
       const showAllOmbi = showAll; // Use the same showAll flag for Ombi
 
 
-      const filteredOmbiMovieRequests = filterRequestsByUser(ombiRequests.movie || [], username, showAllOmbi);
-      const filteredOmbiTvRequests = filterRequestsByUser(ombiRequests.tv || [], username, showAllOmbi);
+      const filteredOmbiMovieRequests = filterRequestsByUser(ombiRequests.movie || [], username, showAllOmbi).map(r => ({ ...r, mediaType: 'movie' }));
+      const filteredOmbiTvRequests = filterRequestsByUser(ombiRequests.tv || [], username, showAllOmbi).map(r => ({ ...r, mediaType: 'tv' }));
+
+      // Admin only: add Sonarr/Radarr lookup links
+      if (isAdmin) {
+        const allFiltered = [...filteredOmbiMovieRequests, ...filteredOmbiTvRequests];
+        await decorateRequestsWithArrLinks(allFiltered, isAdmin);
+      }
 
       const ombiRequestsFiltered = {
         movie: filteredOmbiMovieRequests,

server/routes/ombi.js

@@ -4,7 +4,7 @@ const { logToFile } = require('../utils/logger');
 const cache = require('../utils/cache');
 const { getOmbiInstances, getWebhookSecret, getSofarrBaseUrl, getSofarrWebhookBaseUrl } = require('../utils/config');
 const requireAuth = require('../middleware/requireAuth');
-const { extractRequestedUser, filterRequestsByUser } = require('../utils/ombiHelpers');
+const { extractRequestedUser, filterRequestsByUser, decorateRequestsWithArrLinks } = require('../utils/ombiHelpers');
 const { applyRequestFilters } = require('../utils/ombiFilters');
 
 const router = express.Router();
@@ -120,72 +120,17 @@ router.get('/requests', requireAuth, async (req, res) => {
     const filteredMovieRequests = filterRequestsByUser(ombiRequests.movie || [], username, showAll);
     const filteredTvRequests = filterRequestsByUser(ombiRequests.tv || [], username, showAll);
 
-    // Admin only: add Sonarr/Radarr lookup links
-    if (isAdmin) {
-      const sonarrRetrievers = arrRetrieverRegistry.getRetrieversByType('sonarr') || [];
-      const radarrRetrievers = arrRetrieverRegistry.getRetrieversByType('radarr') || [];
-
-      // Fetch all series and movies in parallel to match
-      const [sonarrData, radarrData] = await Promise.all([
-        Promise.all(sonarrRetrievers.map(async r => {
-          try {
-            const response = await require('axios').get(`${r.url}/api/v3/series`, {
-              headers: { 'X-Api-Key': r.apiKey }
-            });
-            return { instance: r, series: response.data || [] };
-          } catch {
-            return { instance: r, series: [] };
-          }
-        })),
-        Promise.all(radarrRetrievers.map(async r => {
-          try {
-            const response = await require('axios').get(`${r.url}/api/v3/movie`, {
-              headers: { 'X-Api-Key': r.apiKey }
-            });
-            return { instance: r, movies: response.data || [] };
-          } catch {
-            return { instance: r, movies: [] };
-          }
-        }))
-      ]);
-
-      // For TV requests, find match in Sonarr
-      filteredTvRequests.forEach(req => {
-        const tvdbId = req.theTvDbId || req.theMovieDbId || req.theTvdbId || req.theTmdbId || req.TvDbId || req.TheTvDbId;
-        if (!tvdbId) return;
-
-        for (const instData of sonarrData) {
-          const match = instData.series.find(s => s && (s.tvdbId === parseInt(tvdbId, 10) || s.tmdbId === parseInt(tvdbId, 10)));
-          if (match && match.titleSlug) {
-            req.arrLink = `${instData.instance.url}/series/${match.titleSlug}`;
-            req.arrType = 'sonarr';
-            break;
-          }
-        }
-      });
-
-      // For Movie requests, find match in Radarr
-      filteredMovieRequests.forEach(req => {
-        const tmdbId = req.theMovieDbId || req.imdbId || req.theTmdbId || req.TheMovieDbId || req.ImdbId;
-        if (!tmdbId) return;
-
-        for (const instData of radarrData) {
-          const match = instData.movies.find(m => m && (m.tmdbId === parseInt(tmdbId, 10) || m.imdbId === tmdbId));
-          if (match && match.titleSlug) {
-            req.arrLink = `${instData.instance.url}/movie/${match.titleSlug}`;
-            req.arrType = 'radarr';
-            break;
-          }
-        }
-      });
-    }
-
     // Tag with mediaType and flatten for filtering/sorting
     const allRequests = [
       ...filteredMovieRequests.map(r => ({ ...r, mediaType: 'movie' })),
       ...filteredTvRequests.map(r => ({ ...r, mediaType: 'tv' }))
     ];
 
+    // Admin only: add Sonarr/Radarr lookup links
+    if (isAdmin) {
+      await decorateRequestsWithArrLinks(allRequests, isAdmin);
+    }
+
     // Parse query params
     let types = req.query.type;
     let statuses = req.query.status;

server/routes/status.js

@@ -7,6 +7,7 @@ const { getLastPollTimings, POLLING_ENABLED } = require('../utils/poller');
 const { getSonarrInstances, getRadarrInstances, getOmbiInstances } = require('../utils/config');
 const { getGlobalWebhookMetrics } = require('../utils/cache');
 const { checkWebhookConfigured, checkOmbiWebhookConfigured, aggregateMetrics } = require('../services/WebhookStatus');
+const downloadClientRegistry = require('../utils/downloadClients');
 
 /**
  * @openapi
@@ -165,7 +166,16 @@ router.get('/', requireAuth, async (req, res) => {
         sonarr: aggregateMetrics(sonarrMetrics, sonarrWebhookConfigured),
         radarr: aggregateMetrics(radarrMetrics, radarrWebhookConfigured),
         ombi: aggregateMetrics(ombiMetrics, ombiWebhookConfigured)
-      }
+      },
+      // Per-download-client health summary including any lastError captured
+      // since the last successful call. Lets the admin status panel surface
+      // transient failures (auth expiry, RPC blips, etc.) without log scraping.
+      downloadClients: downloadClientRegistry.getAllClients().map(c => ({
+        instanceId: c.getInstanceId(),
+        instanceName: c.name,
+        clientType: c.getClientType(),
+        lastError: typeof c.getLastError === 'function' ? c.getLastError() : null
+      }))
     });
   } catch (err) {
     res.status(500).json({ error: 'Failed to get status', details: err.message });

server/routes/webhook.js

@@ -5,6 +5,7 @@ const { logToFile } = require('../utils/logger');
 const { getWebhookSecret, getSonarrInstances, getRadarrInstances, getOmbiInstances, getSofarrBaseUrl } = require('../utils/config');
 const cache = require('../utils/cache');
 const arrRetrieverRegistry = require('../utils/arrRetrievers');
+const { buildArrQueueCache } = require('../utils/arrQueueHelpers');
 const { pollAllServices, POLL_INTERVAL, POLLING_ENABLED } = require('../utils/poller');
 const { extractRequestedUser } = require('../utils/ombiHelpers');
 const requireAuth = require('../middleware/requireAuth');
@@ -106,9 +107,14 @@ function pruneReplayCache() {
 // Prune the replay cache once per minute
 setInterval(pruneReplayCache, 60 * 1000).unref();
 
-function isReplay(eventType, instanceName, eventDate) {
+function isReplay(eventType, instanceName, eventDate, contentId) {
   if (!eventDate) return false;
-  const key = `${eventType}:${instanceName || ''}:${eventDate}`;
+  // Content-aware replay key: incorporates downloadId / series.id / movie.id when
+  // available so that distinct events sharing the same `date` (e.g. multiple
+  // Grab events for episodes in a season pack fired in the same second) do not
+  // falsely collide. Falls back to the prior shape when contentId is absent
+  // (e.g. Test events) so existing behaviour is preserved.
+  const key = `${eventType}:${instanceName || ''}:${contentId || ''}:${eventDate}`;
   if (recentEvents.has(key)) return true;
   recentEvents.set(key, Date.now());
   return false;
@@ -202,17 +208,7 @@ async function processWebhookEvent(serviceType, eventType, payload = null) {
       const queuesByType = await arrRetrieverRegistry.getQueuesByType();
       const sonarrQueues = queuesByType.sonarr || [];
       cache.set('poll:sonarr-queue', {
-        records: sonarrQueues.flatMap(q => {
-          const inst = sonarrInstances.find(i => i.id === q.instance);
-          const url = inst ? inst.url : null;
-          const key = inst ? inst.apiKey : null;
-          return (q.data.records || []).map(r => {
-            if (r.series) r.series._instanceUrl = url;
-            r._instanceUrl = url;
-            r._instanceKey = key;
-            return r;
-          });
-        })
+        records: buildArrQueueCache(sonarrQueues, sonarrInstances, 'series')
       }, CACHE_TTL);
       logToFile(`[Webhook] Refreshed poll:sonarr-queue (${sonarrQueues.length} instance(s))`);
     }
@@ -232,17 +228,7 @@ async function processWebhookEvent(serviceType, eventType, payload = null) {
       const queuesByType = await arrRetrieverRegistry.getQueuesByType();
       const radarrQueues = queuesByType.radarr || [];
       cache.set('poll:radarr-queue', {
-        records: radarrQueues.flatMap(q => {
-          const inst = radarrInstances.find(i => i.id === q.instance);
-          const url = inst ? inst.url : null;
-          const key = inst ? inst.apiKey : null;
-          return (q.data.records || []).map(r => {
-            if (r.movie) r.movie._instanceUrl = url;
-            r._instanceUrl = url;
-            r._instanceKey = key;
-            return r;
-          });
-        })
+        records: buildArrQueueCache(radarrQueues, radarrInstances, 'movie')
       }, CACHE_TTL);
       logToFile(`[Webhook] Refreshed poll:radarr-queue (${radarrQueues.length} instance(s))`);
     }
@@ -480,11 +466,18 @@ router.post('/sonarr', webhookLimiter, (req, res) => {
   const { eventType, instanceName, eventDate } = validation;
 
   const sonarrInstances = getSonarrInstances();
-  const inst = sonarrInstances.find(i => i.name === instanceName || i.id === instanceName) || sonarrInstances[0];
+  const matchedInst = sonarrInstances.find(i => i.name === instanceName || i.id === instanceName);
+  const inst = matchedInst || sonarrInstances[0];
+  if (!matchedInst && instanceName) {
+    logToFile(`[Webhook] Sonarr instanceName "${instanceName}" did not match any configured instance; falling back to first instance (${inst ? inst.name : 'none'})`);
+  }
   const resolvedInstanceName = inst ? inst.name : instanceName;
 
-  if (isReplay(eventType, resolvedInstanceName, eventDate)) {
-    logToFile(`[Webhook] Sonarr duplicate event ignored: ${eventType} @ ${eventDate}`);
+  // Content-aware replay key components (Issue #62)
+  const contentId = req.body.downloadId || req.body.series?.id || null;
+
+  if (isReplay(eventType, resolvedInstanceName, eventDate, contentId)) {
+    logToFile(`[Webhook] Sonarr duplicate event ignored: ${eventType} @ ${eventDate} (contentId=${contentId || 'none'})`);
     return res.status(200).json({ received: true, duplicate: true });
   }
 
@@ -634,11 +627,18 @@ router.post('/radarr', webhookLimiter, (req, res) => {
   const { eventType, instanceName, eventDate } = validation;
 
   const radarrInstances = getRadarrInstances();
-  const inst = radarrInstances.find(i => i.name === instanceName || i.id === instanceName) || radarrInstances[0];
+  const matchedInst = radarrInstances.find(i => i.name === instanceName || i.id === instanceName);
+  const inst = matchedInst || radarrInstances[0];
+  if (!matchedInst && instanceName) {
+    logToFile(`[Webhook] Radarr instanceName "${instanceName}" did not match any configured instance; falling back to first instance (${inst ? inst.name : 'none'})`);
+  }
   const resolvedInstanceName = inst ? inst.name : instanceName;
 
-  if (isReplay(eventType, resolvedInstanceName, eventDate)) {
-    logToFile(`[Webhook] Radarr duplicate event ignored: ${eventType} @ ${eventDate}`);
+  // Content-aware replay key components (Issue #62)
+  const contentId = req.body.downloadId || req.body.movie?.id || null;
+
+  if (isReplay(eventType, resolvedInstanceName, eventDate, contentId)) {
+    logToFile(`[Webhook] Radarr duplicate event ignored: ${eventType} @ ${eventDate} (contentId=${contentId || 'none'})`);
     return res.status(200).json({ received: true, duplicate: true });
   }
 
@@ -813,10 +813,10 @@ router.post('/ombi', webhookLimiter, (req, res) => {
 
   // Use applicationUrl as instance identifier for replay protection
   const instanceName = applicationUrl || 'ombi';
-  // Use requestId + eventType + current time as replay key
   const eventDate = req.body.requestedDate || req.body.RequestedDate || new Date().toISOString();
+  const contentId = requestId || null;
 
-  if (isReplay(eventType, instanceName, `${requestId}-${eventDate}`)) {
+  if (isReplay(eventType, instanceName, eventDate, contentId)) {
     logToFile(`[Webhook] Ombi duplicate event ignored: ${eventType} requestId=${requestId}`);
     return res.status(200).json({ received: true, duplicate: true });
   }

server/services/DownloadMatcher.js

@@ -429,7 +429,20 @@ async function matchTorrents(torrents, context) {
 
     let matchedAny = false;
 
-    const sonarrMatch = sonarrQueueRecords.find(r => {
+    // Hash-first matching (Issue #65): prefer matching by torrent hash against
+    // each *arr queue record's `downloadId`. `torrent.hash` covers qBittorrent
+    // and rTorrent; `torrent.hashString` covers Transmission. We fall back to
+    // existing title-substring matching only if no hash match was found.
+    const torrentHash = torrent?.hash || torrent?.hashString || null;
+    const hashLower = torrentHash ? String(torrentHash).toLowerCase() : null;
+    const matchesByHash = (r) => {
+      const dl = r && r.downloadId;
+      if (!dl || !hashLower) return false;
+      return String(dl).toLowerCase() === hashLower;
+    };
+
+    let sonarrMatch = hashLower ? sonarrQueueRecords.find(matchesByHash) : null;
+    if (!sonarrMatch) sonarrMatch = sonarrQueueRecords.find(r => {
       const rTitle = (r.title || r.sourceTitle || '').toLowerCase();
       return rTitle && (rTitle.includes(torrentNameLower) || torrentNameLower.includes(rTitle));
     });
@@ -480,7 +493,8 @@ async function matchTorrents(torrents, context) {
       }
     }
 
-    const radarrMatch = radarrQueueRecords.find(r => {
+    let radarrMatch = hashLower ? radarrQueueRecords.find(matchesByHash) : null;
+    if (!radarrMatch) radarrMatch = radarrQueueRecords.find(r => {
       const rTitle = (r.title || r.sourceTitle || '').toLowerCase();
       return rTitle && (rTitle.includes(torrentNameLower) || torrentNameLower.includes(rTitle));
     });
@@ -529,7 +543,8 @@ async function matchTorrents(torrents, context) {
       }
     }
 
-    const sonarrHistoryMatch = sonarrHistoryRecords.find(r => {
+    let sonarrHistoryMatch = hashLower ? sonarrHistoryRecords.find(matchesByHash) : null;
+    if (!sonarrHistoryMatch) sonarrHistoryMatch = sonarrHistoryRecords.find(r => {
       const rTitle = (r.sourceTitle || r.title || '').toLowerCase();
       return rTitle && (rTitle.includes(torrentNameLower) || torrentNameLower.includes(rTitle));
     });
@@ -562,7 +577,8 @@ async function matchTorrents(torrents, context) {
       }
     }
 
-    const radarrHistoryMatch = radarrHistoryRecords.find(r => {
+    let radarrHistoryMatch = hashLower ? radarrHistoryRecords.find(matchesByHash) : null;
+    if (!radarrHistoryMatch) radarrHistoryMatch = radarrHistoryRecords.find(r => {
       const rTitle = (r.sourceTitle || r.title || '').toLowerCase();
       return rTitle && (rTitle.includes(torrentNameLower) || torrentNameLower.includes(rTitle));
     });
@@ -598,7 +614,24 @@ async function matchTorrents(torrents, context) {
     }
 
   }
-  return matched;
+
+  // Deduplicate by (arrType, arrQueueId) (Issue #65). When a single torrent
+  // (typically a season pack) matches N *arr queue records sharing one
+  // arrQueueId via downstream emission paths, only the first matched download
+  // is retained. Entries without an arrQueueId pass through unchanged.
+  const seen = new Set();
+  const deduped = [];
+  for (const m of matched) {
+    const key = (m && m.arrType && m.arrQueueId != null)
+      ? `${m.arrType}:${m.arrQueueId}`
+      : null;
+    if (key) {
+      if (seen.has(key)) continue;
+      seen.add(key);
+    }
+    deduped.push(m);
+  }
+  return deduped;
 }
 
 module.exports = {

server/utils/arrQueueHelpers.js

@@ -0,0 +1,97 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+//
+// Shared helpers for assembling the cached *arr queue payload.
+//
+// Both the background poller (`server/utils/poller.js`) and the webhook
+// processor (`server/routes/webhook.js`) build the `poll:sonarr-queue` and
+// `poll:radarr-queue` cache entries from an array of per-instance queue
+// responses. Historically the same `flatMap` block was duplicated across all
+// four call sites (Sonarr + Radarr × poller + webhook) and had begun to drift.
+//
+// This module centralises that logic, adds defensive null-guards, and — for
+// Sonarr only — annotates season-pack records (queue entries sharing a
+// `downloadId`) with `isSeasonPack` and `episodeCount`. See Issue #61.
+//
+const { logToFile } = require('./logger');
+
+/**
+ * Build the flattened, instance-tagged `records` array for the
+ * `poll:sonarr-queue` / `poll:radarr-queue` cache entry.
+ *
+ * @param {Array<{ instance: string, data: { records?: Array<object> } }>} queues
+ *   Per-instance queue responses as returned by
+ *   `arrRetrieverRegistry.getQueuesByType()` (or the equivalent batched
+ *   retrieval in the poller).
+ * @param {Array<{ id: string, url: string, apiKey: string, name?: string }>} instances
+ *   Configured instances; used to resolve `_instanceUrl` / `_instanceKey`.
+ * @param {'series'|'movie'} mediaKey
+ *   Sonarr records embed a `series` object; Radarr records embed a `movie`
+ *   object. The embedded object is annotated with `_instanceUrl` so that
+ *   downstream link builders work.
+ * @returns {Array<object>} The flattened, annotated records array.
+ */
+function buildArrQueueCache(queues, instances, mediaKey) {
+  if (!Array.isArray(queues) || queues.length === 0) return [];
+  if (mediaKey !== 'series' && mediaKey !== 'movie') {
+    logToFile(`[arrQueueHelpers] Invalid mediaKey "${mediaKey}"; expected 'series' or 'movie'`);
+    return [];
+  }
+  const safeInstances = Array.isArray(instances) ? instances : [];
+
+  const out = [];
+  for (const q of queues) {
+    try {
+      if (!q || !q.data) continue;
+      const inst = safeInstances.find(i => i.id === q.instance);
+      const url = inst ? inst.url : null;
+      const key = inst ? inst.apiKey : null;
+      const records = Array.isArray(q.data.records) ? q.data.records : [];
+      for (const r of records) {
+        try {
+          if (!r) continue;
+          if (r[mediaKey]) {
+            r[mediaKey]._instanceUrl = url;
+          }
+          r._instanceUrl = url;
+          r._instanceKey = key;
+          out.push(r);
+        } catch (perRecordErr) {
+          logToFile(`[arrQueueHelpers] Skipping malformed ${mediaKey} record: ${perRecordErr.message}`);
+        }
+      }
+    } catch (perInstanceErr) {
+      logToFile(`[arrQueueHelpers] Skipping malformed ${mediaKey} queue payload: ${perInstanceErr.message}`);
+    }
+  }
+
+  // Sonarr-only: season pack annotation. Group by downloadId; entries that
+  // share a downloadId are episodes belonging to the same release (a season
+  // pack). Movies (mediaKey === 'movie') are single-record by nature.
+  if (mediaKey === 'series') {
+    try {
+      const groups = new Map();
+      for (const r of out) {
+        const dlId = r && r.downloadId;
+        if (!dlId) continue;
+        if (!groups.has(dlId)) groups.set(dlId, []);
+        groups.get(dlId).push(r);
+      }
+      for (const group of groups.values()) {
+        if (group.length > 1) {
+          for (const r of group) {
+            r.isSeasonPack = true;
+            r.episodeCount = group.length;
+          }
+        }
+      }
+    } catch (annotateErr) {
+      logToFile(`[arrQueueHelpers] Season-pack annotation failed: ${annotateErr.message}`);
+    }
+  }
+
+  return out;
+}
+
+module.exports = {
+  buildArrQueueCache
+};

server/utils/downloadClients.js

@@ -239,7 +239,10 @@ class DownloadClientRegistry {
             instanceId: client.getInstanceId(),
             instanceName: client.name,
             clientType: client.getClientType(),
-            status
+            status,
+            // Surface the per-client lastError so admins can see transient
+            // failures (auth expiry, RPC blips, etc.) without scraping logs.
+            lastError: typeof client.getLastError === 'function' ? client.getLastError() : null
           };
         } catch (error) {
           logToFile(`[DownloadClientRegistry] Error getting status from ${client.name}: ${error.message}`);
@@ -248,7 +251,8 @@ class DownloadClientRegistry {
             instanceName: client.name,
             clientType: client.getClientType(),
             status: null,
-            error: error.message
+            error: error.message,
+            lastError: typeof client.getLastError === 'function' ? client.getLastError() : null
           };
         }
       })

server/utils/ombiHelpers.js

@@ -80,7 +80,160 @@ function filterRequestsByUser(requests, username, showAll) {
   });
 }
 
+async function decorateRequestsWithArrLinks(requests, isAdmin) {
+  if (!isAdmin || !Array.isArray(requests)) return;
+
+  const arrRetrieverRegistry = require('./arrRetrievers');
+  await arrRetrieverRegistry.initialize();
+
+  const sonarrRetrievers = arrRetrieverRegistry.getRetrieversByType('sonarr') || [];
+  const radarrRetrievers = arrRetrieverRegistry.getRetrieversByType('radarr') || [];
+
+  const [sonarrData, radarrData] = await Promise.all([
+    Promise.all(sonarrRetrievers.map(async r => {
+      try {
+        const response = await require('axios').get(`${r.url}/api/v3/series`, {
+          headers: { 'X-Api-Key': r.apiKey }
+        });
+        return { instance: r, series: response.data || [] };
+      } catch {
+        return { instance: r, series: [] };
+      }
+    })),
+    Promise.all(radarrRetrievers.map(async r => {
+      try {
+        const response = await require('axios').get(`${r.url}/api/v3/movie`, {
+          headers: { 'X-Api-Key': r.apiKey }
+        });
+        return { instance: r, movies: response.data || [] };
+      } catch {
+        return { instance: r, movies: [] };
+      }
+    }))
+  ]);
+
+  requests.forEach(req => {
+    // Determine if it's TV or Movie. Often `mediaType` is set, or `type === 'Tv'`
+    // Fallback to checking for TV specific IDs.
+    const isTv = req.mediaType === 'tv' || req.type === 'Tv' || req.tvDbId || req.tvdbId || req.theTvDbId || req.theTvdbId || req.TvDbId || req.TheTvDbId;
+
+    if (isTv) {
+      const tvdbId = req.theTvDbId || req.theTvdbId || req.tvDbId || req.tvdbId || req.TvDbId || req.TheTvDbId || req.theMovieDbId || req.theTmdbId;
+      if (!tvdbId) return;
+
+      for (const instData of sonarrData) {
+        const match = instData.series.find(s => s && (s.tvdbId === parseInt(tvdbId, 10) || s.tmdbId === parseInt(tvdbId, 10)));
+        if (match && match.titleSlug) {
+          req.arrLink = `${instData.instance.url}/series/${match.titleSlug}`;
+          req.arrType = 'sonarr';
+          break;
+        }
+      }
+    } else {
+      const tmdbId = req.theMovieDbId || req.imdbId || req.theTmdbId || req.TheMovieDbId || req.ImdbId;
+      if (!tmdbId) return;
+
+      for (const instData of radarrData) {
+        const match = instData.movies.find(m => m && (m.tmdbId === parseInt(tmdbId, 10) || m.imdbId === tmdbId));
+        if (match && match.titleSlug) {
+          req.arrLink = `${instData.instance.url}/movie/${match.titleSlug}`;
+          req.arrType = 'radarr';
+          break;
+        }
+      }
+    }
+  });
+}
+
+async function decorateDownloadsWithArrLinks(downloads, isAdmin) {
+  if (!isAdmin || !Array.isArray(downloads)) return;
+
+  const arrRetrieverRegistry = require('./arrRetrievers');
+  await arrRetrieverRegistry.initialize();
+
+  const sonarrRetrievers = arrRetrieverRegistry.getRetrieversByType('sonarr') || [];
+  const radarrRetrievers = arrRetrieverRegistry.getRetrieversByType('radarr') || [];
+
+  const [sonarrData, radarrData] = await Promise.all([
+    Promise.all(sonarrRetrievers.map(async r => {
+      try {
+        const response = await require('axios').get(`${r.url}/api/v3/series`, {
+          headers: { 'X-Api-Key': r.apiKey }
+        });
+        return { instance: r, series: response.data || [] };
+      } catch {
+        return { instance: r, series: [] };
+      }
+    })),
+    Promise.all(radarrRetrievers.map(async r => {
+      try {
+        const response = await require('axios').get(`${r.url}/api/v3/movie`, {
+          headers: { 'X-Api-Key': r.apiKey }
+        });
+        return { instance: r, movies: response.data || [] };
+      } catch {
+        return { instance: r, movies: [] };
+      }
+    }))
+  ]);
+
+  downloads.forEach(dl => {
+    // Determine if it's TV (series) or Movie
+    const isTv = dl.type === 'series' || dl.arrType === 'sonarr';
+
+    if (isTv) {
+      // Look for a match in Sonarr instances
+      for (const instData of sonarrData) {
+        const match = instData.series.find(s => {
+          if (!s) return false;
+          // Match by database series ID if the instance matches
+          const instanceUrlMatch = dl.arrInstanceUrl === instData.instance.url;
+          if (instanceUrlMatch && dl.arrSeriesId != null && s.id === parseInt(dl.arrSeriesId, 10)) {
+            return true;
+          }
+          // Fallback to seriesName matching
+          if (dl.seriesName && s.title && dl.seriesName.toLowerCase() === s.title.toLowerCase()) {
+            return true;
+          }
+          return false;
+        });
+
+        if (match && match.titleSlug) {
+          dl.arrLink = `${instData.instance.url}/series/${match.titleSlug}`;
+          dl.arrType = 'sonarr';
+          break;
+        }
+      }
+    } else if (dl.type === 'movie' || dl.arrType === 'radarr') {
+      // Look for a match in Radarr instances
+      for (const instData of radarrData) {
+        const match = instData.movies.find(m => {
+          if (!m) return false;
+          // Match by database movie ID if instance matches
+          const instanceUrlMatch = dl.arrInstanceUrl === instData.instance.url;
+          if (instanceUrlMatch && dl.arrContentId != null && m.id === parseInt(dl.arrContentId, 10)) {
+            return true;
+          }
+          // Fallback to movieName matching
+          if (dl.movieName && m.title && dl.movieName.toLowerCase() === m.title.toLowerCase()) {
+            return true;
+          }
+          return false;
+        });
+
+        if (match && match.titleSlug) {
+          dl.arrLink = `${instData.instance.url}/movie/${match.titleSlug}`;
+          dl.arrType = 'radarr';
+          break;
+        }
+      }
+    }
+  });
+}
+
 module.exports = {
   extractRequestedUser,
-  filterRequestsByUser
+  filterRequestsByUser,
+  decorateRequestsWithArrLinks,
+  decorateDownloadsWithArrLinks
 };

server/utils/poller.js

@@ -3,6 +3,7 @@ const axios = require('axios');
 const cache = require('./cache');
 const { initializeClients, getAllDownloads, getDownloadsByClientType } = require('./downloadClients');
 const arrRetrieverRegistry = require('./arrRetrievers');
+const { buildArrQueueCache } = require('./arrQueueHelpers');
 const {
   getSonarrInstances,
   getRadarrInstances,
@@ -237,17 +238,7 @@ async function pollAllServices() {
       cache.set('poll:sonarr-tags', sonarrTagsResults, cacheTTL);
       // Tag queue/history records with _instanceUrl so embedded series/movie objects can build links
       cache.set('poll:sonarr-queue', {
-        records: sonarrQueues.flatMap(q => {
-          const inst = sonarrInstances.find(i => i.id === q.instance);
-          const url = inst ? inst.url : null;
-          const key = inst ? inst.apiKey : null;
-          return (q.data.records || []).map(r => {
-            if (r.series) r.series._instanceUrl = url;
-            r._instanceUrl = url;
-            r._instanceKey = key;
-            return r;
-          });
-        })
+        records: buildArrQueueCache(sonarrQueues, sonarrInstances, 'series')
       }, cacheTTL);
       cache.set('poll:sonarr-history', {
         records: sonarrHistories.flatMap(h => h.data.records || [])
@@ -265,17 +256,7 @@ async function pollAllServices() {
     // Radarr
     if (shouldPollRadarr) {
       cache.set('poll:radarr-queue', {
-        records: radarrQueues.flatMap(q => {
-          const inst = radarrInstances.find(i => i.id === q.instance);
-          const url = inst ? inst.url : null;
-          const key = inst ? inst.apiKey : null;
-          return (q.data.records || []).map(r => {
-            if (r.movie) r.movie._instanceUrl = url;
-            r._instanceUrl = url;
-            r._instanceKey = key;
-            return r;
-          });
-        })
+        records: buildArrQueueCache(radarrQueues, radarrInstances, 'movie')
       }, cacheTTL);
       cache.set('poll:radarr-history', {
         records: radarrHistories.flatMap(h => h.data.records || [])

tests/frontend/ui/downloads.test.js

@@ -98,3 +98,139 @@ describe('renderTagBadges', () => {
     expect(result.childNodes.length).toBe(0);
   });
 });
+
+import { createDownloadCard } from '../../../client/src/ui/downloads.js';
+import { state } from '../../../client/src/state.js';
+
+describe('createDownloadCard rendering details', () => {
+  let originalState;
+
+  beforeEach(() => {
+    originalState = { ...state };
+  });
+
+  afterEach(() => {
+    // Reset global state
+    Object.assign(state, originalState);
+  });
+
+  describe('createClientLogo and fallbacks', () => {
+    it('renders client logo img tag when client is configured', () => {
+      const dl = {
+        title: 'Test Download',
+        type: 'series',
+        client: 'qbittorrent',
+        instanceName: 'Qbit Main'
+      };
+
+      const card = createDownloadCard(dl);
+      const wrapper = card.querySelector('.download-client-logo-wrapper');
+      expect(wrapper).toBeTruthy();
+
+      const img = wrapper.querySelector('img.download-client-logo');
+      expect(img).toBeTruthy();
+      expect(img.src).toContain('/images/clients/qbittorrent.svg');
+      expect(img.alt).toBe('Qbit Main icon');
+    });
+
+    it('falls back to character avatar text on img load error', () => {
+      const dl = {
+        title: 'Test Download',
+        type: 'series',
+        client: 'transmission'
+      };
+
+      const card = createDownloadCard(dl);
+      const wrapper = card.querySelector('.download-client-logo-wrapper');
+      const img = wrapper.querySelector('img');
+
+      // Trigger the onerror event programmatically to simulate missing/broken SVG
+      img.onerror();
+
+      expect(wrapper.classList.contains('fallback')).toBe(true);
+      expect(wrapper.textContent).toBe('T');
+    });
+  });
+
+  describe('createServiceIcons deep-linking', () => {
+    it('renders Ombi icon link for all users when ombiLink exists', () => {
+      state.isAdmin = false; // Non-admin should still see Ombi icon
+
+      const dl = {
+        title: 'Mandalorian S01E01',
+        type: 'series',
+        seriesName: 'The Mandalorian',
+        ombiLink: 'https://ombi.test/request/42',
+        ombiTooltip: 'View on Ombi'
+      };
+
+      const card = createDownloadCard(dl);
+      const ombiLinkEl = card.querySelector('.download-series a');
+      expect(ombiLinkEl).toBeTruthy();
+      expect(ombiLinkEl.href).toBe('https://ombi.test/request/42');
+
+      const img = ombiLinkEl.querySelector('img.service-icon.ombi');
+      expect(img).toBeTruthy();
+      expect(img.title).toBe('View on Ombi');
+    });
+
+    it('renders Sonarr icon link for administrator when arrType is sonarr and arrLink exists', () => {
+      state.isAdmin = true; // Admin required for Sonarr link
+
+      const dl = {
+        title: 'Mandalorian S01E01',
+        type: 'series',
+        seriesName: 'The Mandalorian',
+        arrType: 'sonarr',
+        arrLink: 'https://sonarr.test/series/the-mandalorian'
+      };
+
+      const card = createDownloadCard(dl);
+      const arrLinkEl = card.querySelector('.download-series a');
+      expect(arrLinkEl).toBeTruthy();
+      expect(arrLinkEl.href).toBe('https://sonarr.test/series/the-mandalorian');
+
+      const img = arrLinkEl.querySelector('img.service-icon.sonarr');
+      expect(img).toBeTruthy();
+      expect(img.title).toBe('Sonarr');
+    });
+
+    it('renders Radarr icon link for administrator when arrType is radarr and arrLink exists', () => {
+      state.isAdmin = true; // Admin required for Radarr link
+
+      const dl = {
+        title: 'Blade Runner 2049',
+        type: 'movie',
+        movieName: 'Blade Runner 2049',
+        arrType: 'radarr',
+        arrLink: 'https://radarr.test/movie/blade-runner-2049'
+      };
+
+      const card = createDownloadCard(dl);
+      const arrLinkEl = card.querySelector('.download-movie a');
+      expect(arrLinkEl).toBeTruthy();
+      expect(arrLinkEl.href).toBe('https://radarr.test/movie/blade-runner-2049');
+
+      const img = arrLinkEl.querySelector('img.service-icon.radarr');
+      expect(img).toBeTruthy();
+      expect(img.title).toBe('Radarr');
+    });
+
+    it('does not render Sonarr/Radarr links if the user is a non-admin', () => {
+      state.isAdmin = false; // Non-admin
+
+      const dl = {
+        title: 'Mandalorian S01E01',
+        type: 'series',
+        seriesName: 'The Mandalorian',
+        arrType: 'sonarr',
+        arrLink: 'https://sonarr.test/series/the-mandalorian'
+      };
+
+      const card = createDownloadCard(dl);
+      const arrLinkEl = card.querySelector('.download-series a');
+      expect(arrLinkEl).toBeNull(); // Admin gate successfully hides Sonarr icon
+    });
+  });
+});
+

tests/integration/dashboard.test.js

@@ -563,6 +563,47 @@ describe('GET /api/dashboard/user-downloads', () => {
       expect(dl.canBlocklist).toBe(true);
     });
   });
+
+  describe('Radarr/Sonarr deep-links decoration (Issue #59)', () => {
+    it('decorates active series downloads with Sonarr links for administrator', async () => {
+      const app = createApp({ skipRateLimits: true });
+      const { cookies } = await loginAs(app, EMBY_ADMIN_USER, EMBY_ADMIN_AUTH);
+
+      // Seed cache: queue record exists and matches SABnzbd slot
+      cache.set('poll:sab-queue', { slots: [ADMIN_SAB_SLOT], status: 'Downloading', speed: '10 MB/s' }, CACHE_TTL);
+      cache.set('poll:sab-history', { slots: [] }, CACHE_TTL);
+      cache.set('poll:sonarr-queue', { records: [ADMIN_SONARR_QUEUE_RECORD] }, CACHE_TTL);
+      cache.set('poll:sonarr-history', { records: [] }, CACHE_TTL);
+      cache.set('poll:sonarr-tags', [{ data: SONARR_TAGS }], CACHE_TTL);
+      cache.set('poll:radarr-queue', { records: [] }, CACHE_TTL);
+      cache.set('poll:radarr-history', { records: [] }, CACHE_TTL);
+      cache.set('poll:radarr-tags', RADARR_TAGS, CACHE_TTL);
+      cache.set('poll:qbittorrent', [], CACHE_TTL);
+
+      // Mock Sonarr /api/v3/series response carrying titleSlug and seriesId matching our record
+      nock(SONARR_BASE)
+        .get('/api/v3/series')
+        .reply(200, [
+          { id: 43, title: 'Admin Show', titleSlug: 'admin-show' }
+        ]);
+
+      // Mock Radarr /api/v3/movie response
+      nock(RADARR_BASE)
+        .get('/api/v3/movie')
+        .reply(200, []);
+
+      const res = await request(app)
+        .get('/api/dashboard/user-downloads')
+        .set('Cookie', cookies);
+
+      expect(res.status).toBe(200);
+      const downloads = res.body.downloads;
+      const dl = downloads.find(d => d.type === 'series');
+      expect(dl).toBeDefined();
+      expect(dl.arrLink).toBe('https://sonarr.test/series/admin-show');
+      expect(dl.arrType).toBe('sonarr');
+    });
+  });
 });
 
 // ---------------------------------------------------------------------------
@@ -1093,5 +1134,88 @@ describe('GET /api/dashboard/stream — SSE with Ombi showAll filtering', () =>
     expect(data.ombiRequests.movie).toHaveLength(2);
     expect(data.ombiRequests.tv).toHaveLength(2);
   });
+
+  it('verifies SSE payload structure contract against the frontend schema', async () => {
+    const { cookies } = await loginAs(appInstance);
+    const res = await request(appInstance)
+      .get('/api/dashboard/stream')
+      .query({ testClose: 'true' })
+      .set('Cookie', cookies);
+
+    expect(res.status).toBe(200);
+    const text = res.text;
+    expect(text).toContain('data:');
+    
+    const dataStr = text.substring(text.indexOf('{'));
+    const data = JSON.parse(dataStr.trim());
+
+    // Payload Contract Validation
+    expect(data).toHaveProperty('user');
+    expect(data).toHaveProperty('isAdmin');
+    expect(data).toHaveProperty('downloads');
+    expect(data).toHaveProperty('downloadClients');
+    expect(data).toHaveProperty('ombiRequests');
+    expect(data).toHaveProperty('ombiBaseUrl');
+
+    expect(Array.isArray(data.downloads)).toBe(true);
+    expect(Array.isArray(data.downloadClients)).toBe(true);
+    expect(Array.isArray(data.ombiRequests.movie)).toBe(true);
+    expect(Array.isArray(data.ombiRequests.tv)).toBe(true);
+  });
+
+  it('sends heartbeat comment over active stream and cleans up on close', async () => {
+    vi.useFakeTimers();
+
+    // 1. Get the route handler from the dashboard router stack
+    const dashboardRouter = require('../../server/routes/dashboard.js');
+    const route = dashboardRouter.stack.find(layer => layer.route && layer.route.path === '/stream');
+    // Get the final handler (after requireAuth middleware)
+    const streamHandler = route.route.stack[route.route.stack.length - 1].handle;
+
+    // 2. Setup mock req and res
+    const mockUser = { name: 'Alice', isAdmin: false };
+    const reqOnCallbacks = {};
+    const mockReq = {
+      user: mockUser,
+      query: { showAll: 'false', testClose: 'false' },
+      on: vi.fn((event, cb) => {
+        reqOnCallbacks[event] = cb;
+      })
+    };
+
+    const resWrites = [];
+    const mockRes = {
+      setHeader: vi.fn(),
+      flushHeaders: vi.fn(),
+      write: vi.fn((data) => {
+        resWrites.push(data);
+      }),
+      end: vi.fn()
+    };
+
+    // 3. Call the handler
+    await streamHandler(mockReq, mockRes);
+
+    // Initial payload should be written
+    expect(resWrites.length).toBeGreaterThan(0);
+    expect(resWrites[0]).toContain('data:');
+
+    // 4. Advance time by 25s to trigger the heartbeat setInterval
+    vi.advanceTimersByTime(25000);
+
+    // Check that heartbeat was written
+    expect(resWrites).toContain(': heartbeat\n\n');
+
+    // 5. Simulate client disconnect by triggering the 'close' event callback
+    expect(reqOnCallbacks['close']).toBeDefined();
+    reqOnCallbacks['close']();
+
+    // Check that advancing time again does NOT write another heartbeat
+    const beforeLength = resWrites.length;
+    vi.advanceTimersByTime(25000);
+    expect(resWrites.length).toBe(beforeLength); // No new writes!
+
+    vi.useRealTimers();
+  });
 });
 

tests/integration/download-matcher-season-pack.test.js

@@ -0,0 +1,204 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+//
+// Integration tests for the torrent matcher's hash-first matching and
+// arrQueueId deduplication paths (Issue #65). These exercise `matchTorrents`
+// end-to-end against minimal but realistic queue/history record fixtures.
+import { describe, it, expect } from 'vitest';
+import { createRequire } from 'module';
+
+const require = createRequire(import.meta.url);
+const DownloadMatcher = require('../../server/services/DownloadMatcher');
+
+// Build a minimal context. `showAll: true` bypasses per-user tag filtering so
+// these tests can assert matching behaviour without setting up the Emby user
+// tag plumbing.
+function makeContext({
+  sonarrQueueRecords = [],
+  sonarrHistoryRecords = [],
+  radarrQueueRecords = [],
+  radarrHistoryRecords = []
+} = {}) {
+  const seriesMap = new Map();
+  const moviesMap = new Map();
+  for (const r of sonarrQueueRecords.concat(sonarrHistoryRecords)) {
+    if (r.series && r.seriesId) seriesMap.set(r.seriesId, r.series);
+  }
+  for (const r of radarrQueueRecords.concat(radarrHistoryRecords)) {
+    if (r.movie && r.movieId) moviesMap.set(r.movieId, r.movie);
+  }
+  return {
+    sonarrQueueRecords,
+    sonarrHistoryRecords,
+    radarrQueueRecords,
+    radarrHistoryRecords,
+    seriesMap,
+    moviesMap,
+    // null tagMaps so extractAllTags uses the object `label` shape from the
+    // Sonarr fixture (series.tags = [{ label: '...' }]). An empty Map is
+    // truthy and would cause every id-lookup to return undefined.
+    sonarrTagMap: null,
+    radarrTagMap: null,
+    username: 'tester',
+    isAdmin: false,
+    // showAll bypasses per-user tag filtering — we only need it to be truthy
+    // *together* with non-empty allTags. We seed series/movie tags as non-empty
+    // strings (Sonarr tag shape) so `extractAllTags` yields entries.
+    showAll: true,
+    embyUserMap: new Map(),
+    ombiBaseUrl: null
+  };
+}
+
+const seriesShowA = {
+  id: 100,
+  title: 'Show A',
+  tags: [{ label: 'tester' }],
+  images: []
+};
+
+const movieFilmB = {
+  id: 200,
+  title: 'Film B',
+  tags: [{ label: 'tester' }],
+  images: []
+};
+
+describe('matchTorrents — hash-first matching (#65)', () => {
+  it('matches a torrent to a Sonarr queue record by hash even when the title differs', async () => {
+    const hash = 'ABC123HASHsonarr';
+    const context = makeContext({
+      sonarrQueueRecords: [
+        {
+          id: 9001,
+          // Title intentionally bears no resemblance to the torrent name to
+          // prove the match is via hash (downloadId), not title fallback.
+          title: 'totally.unrelated.queue.record',
+          sourceTitle: '',
+          seriesId: 100,
+          series: seriesShowA,
+          downloadId: hash,
+          episodeId: 555
+        }
+      ]
+    });
+
+    const torrents = [
+      {
+        hash,
+        name: 'Show.A.S01.2160p.WEB.x265-RELEASE',
+        progress: 0.5,
+        dlspeed: 1000
+      }
+    ];
+
+    const out = await DownloadMatcher.matchTorrents(torrents, context);
+    expect(out).toHaveLength(1);
+    expect(out[0].arrType).toBe('sonarr');
+    expect(out[0].arrQueueId).toBe(9001);
+  });
+
+  it('matches a Transmission torrent via hashString', async () => {
+    const hashString = 'TRANSMISSIONHASH456';
+    const context = makeContext({
+      radarrQueueRecords: [
+        {
+          id: 7777,
+          title: 'unrelated',
+          sourceTitle: '',
+          movieId: 200,
+          movie: movieFilmB,
+          downloadId: hashString
+        }
+      ]
+    });
+
+    const torrents = [
+      {
+        hashString,
+        name: 'Film.B.2160p.WEB.x265-RELEASE',
+        progress: 0.25,
+        dlspeed: 0
+      }
+    ];
+
+    const out = await DownloadMatcher.matchTorrents(torrents, context);
+    expect(out).toHaveLength(1);
+    expect(out[0].arrType).toBe('radarr');
+    expect(out[0].arrQueueId).toBe(7777);
+  });
+
+  it('falls back to title-substring matching when no hash is present on the torrent', async () => {
+    const context = makeContext({
+      sonarrQueueRecords: [
+        {
+          id: 555,
+          title: 'Show A',
+          sourceTitle: '',
+          seriesId: 100,
+          series: seriesShowA,
+          downloadId: null
+        }
+      ]
+    });
+
+    const torrents = [
+      {
+        // No hash / hashString — title fallback must engage.
+        name: 'Show A — S01E02',
+        progress: 0.7,
+        dlspeed: 5000
+      }
+    ];
+
+    const out = await DownloadMatcher.matchTorrents(torrents, context);
+    expect(out).toHaveLength(1);
+    expect(out[0].arrType).toBe('sonarr');
+    expect(out[0].arrQueueId).toBe(555);
+  });
+});
+
+describe('matchTorrents — arrQueueId deduplication (#65)', () => {
+  it('deduplicates two torrents matching distinct queue records sharing one arrQueueId via the same hash', async () => {
+    // Construct the pathological case the dedup step is designed for: two
+    // torrents (post-hash-match) both end up mapped to the same arrQueueId.
+    // In real life this happens when *arr exposes multiple queue rows under
+    // one logical download. The first matched download wins; subsequent ones
+    // are dropped.
+    const hash = 'PACKHASH001';
+    const sharedQueueRow = {
+      id: 4242, // same arrQueueId
+      title: 'unrelated',
+      sourceTitle: '',
+      seriesId: 100,
+      series: seriesShowA,
+      downloadId: hash
+    };
+
+    const context = makeContext({
+      sonarrQueueRecords: [sharedQueueRow]
+    });
+
+    const torrents = [
+      { hash, name: 'Show.A.S02E01', progress: 0.1, dlspeed: 0 },
+      { hash, name: 'Show.A.S02E02', progress: 0.2, dlspeed: 0 }
+    ];
+
+    const out = await DownloadMatcher.matchTorrents(torrents, context);
+    expect(out).toHaveLength(1);
+    expect(out[0].arrQueueId).toBe(4242);
+  });
+
+  it('does not deduplicate torrents that lack arrQueueId (no matched *arr record)', async () => {
+    const context = makeContext();
+    const torrents = [
+      { hash: 'no-match-A', name: 'unmatched-A', progress: 0, dlspeed: 0 },
+      { hash: 'no-match-B', name: 'unmatched-B', progress: 0, dlspeed: 0 }
+    ];
+    const out = await DownloadMatcher.matchTorrents(torrents, context);
+    // Both unmatched torrents are filtered out by the matcher entirely because
+    // there is nothing to match against — so the deduplicator never sees them.
+    // This test simply asserts the dedup step itself does not collapse
+    // non-arr entries into a single bucket when no key is present.
+    expect(out).toEqual([]);
+  });
+});

tests/integration/ombi.test.js

@@ -233,6 +233,48 @@ describe('GET /api/ombi/requests', () => {
     expect(res.body.requests.movie[0].requestedUser.userName).toBe('adminuser');
   });
 
+  it('decorates TV requests with Sonarr links using tvDbId camelCase property (Issue #58)', async () => {
+    // 1. Setup mock instance config
+    process.env.SONARR_INSTANCES = JSON.stringify([
+      { id: 'sonarr-1', name: 'Test Sonarr', url: 'https://sonarr.test', apiKey: 'sonarr-key' }
+    ]);
+    
+    // Reset and re-initialize retrievers registry to pick up the Sonarr instance
+    arrRetrieverRegistry.retrievers.clear();
+    arrRetrieverRegistry.initialized = false;
+    
+    // 2. Setup mock Ombi TV request carrying `tvDbId` instead of `theTvDbId`
+    const tvRequestsWithTvDbId = [
+      { id: 4, title: 'Superman Show', requestedUser: { userName: 'adminuser' }, requestedByAlias: 'adminuser', type: 'tv', tvDbId: '101' }
+    ];
+    
+    nock.cleanAll();
+    setupOmbiRequestMocks(OMBI_REQUESTS.movie, tvRequestsWithTvDbId);
+    
+    // 3. Mock Sonarr API series call returning the series with matching tvdbId and titleSlug
+    nock('https://sonarr.test')
+      .get('/api/v3/series')
+      .reply(200, [
+        { tvdbId: 101, title: 'Superman Show', titleSlug: 'superman-show' }
+      ]);
+      
+    const { cookies } = await authenticateUser(app, 'AdminUser', true);
+    
+    const res = await request(app)
+      .get('/api/ombi/requests?showAll=true')
+      .set('Cookie', cookies)
+      .expect(200);
+      
+    // 4. Assert decoration succeeded
+    const supermanShow = res.body.requests.tv.find(r => r.id === 4);
+    expect(supermanShow).toBeDefined();
+    expect(supermanShow.arrLink).toBe('https://sonarr.test/series/superman-show');
+    expect(supermanShow.arrType).toBe('sonarr');
+    
+    // Clean up
+    delete process.env.SONARR_INSTANCES;
+  });
+
   it('handles case-insensitive username matching', async () => {
     const requestsWithMixedCase = [
       { id: 1, title: 'Test Movie', requestedUser: { userName: 'TestUser' }, requestedByAlias: 'TestUser', type: 'movie' },

tests/integration/ombiDecoration.test.js

@@ -0,0 +1,142 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
+import nock from 'nock';
+import { createRequire } from 'module';
+
+const require = createRequire(import.meta.url);
+const { decorateDownloadsWithArrLinks } = require('../../server/utils/ombiHelpers.js');
+const arrRetrieverRegistry = require('../../server/utils/arrRetrievers.js');
+
+const SONARR_BASE = 'https://sonarr-decor.test';
+const RADARR_BASE = 'https://radarr-decor.test';
+
+describe('decorateDownloadsWithArrLinks Integration Tests', () => {
+  beforeEach(() => {
+    vi.restoreAllMocks();
+    nock.cleanAll();
+
+    // Reset the singleton retrievers registry so we can inject our test instances
+    arrRetrieverRegistry.retrievers.clear();
+    arrRetrieverRegistry.initialized = false;
+
+    // Configure test environment variables for retrievers
+    process.env.SONARR_INSTANCES = JSON.stringify([
+      { id: 'sonarr-1', name: 'Test Sonarr', url: SONARR_BASE, apiKey: 'sonarr-key' }
+    ]);
+    process.env.RADARR_INSTANCES = JSON.stringify([
+      { id: 'radarr-1', name: 'Test Radarr', url: RADARR_BASE, apiKey: 'radarr-key' }
+    ]);
+  });
+
+  afterEach(() => {
+    nock.cleanAll();
+    delete process.env.SONARR_INSTANCES;
+    delete process.env.RADARR_INSTANCES;
+    arrRetrieverRegistry.retrievers.clear();
+    arrRetrieverRegistry.initialized = false;
+  });
+
+  it('decorates a series download with Sonarr link matching on title', async () => {
+    // Mock Sonarr series query
+    nock(SONARR_BASE)
+      .get('/api/v3/series')
+      .reply(200, [
+        { id: 42, title: 'The Mandalorian', titleSlug: 'the-mandalorian' }
+      ]);
+
+    // Mock Radarr movie query (empty)
+    nock(RADARR_BASE)
+      .get('/api/v3/movie')
+      .reply(200, []);
+
+    const downloads = [
+      {
+        title: 'The.Mandalorian.S01E01.1080p',
+        type: 'series',
+        seriesName: 'The Mandalorian',
+        arrSeriesId: null
+      }
+    ];
+
+    await decorateDownloadsWithArrLinks(downloads, true);
+
+    expect(downloads[0].arrLink).toBe(`${SONARR_BASE}/series/the-mandalorian`);
+    expect(downloads[0].arrType).toBe('sonarr');
+  });
+
+  it('decorates a movie download with Radarr link matching on content ID', async () => {
+    // Mock Sonarr series query (empty)
+    nock(SONARR_BASE)
+      .get('/api/v3/series')
+      .reply(200, []);
+
+    // Mock Radarr movie query with matching ID
+    nock(RADARR_BASE)
+      .get('/api/v3/movie')
+      .reply(200, [
+        { id: 99, title: 'Blade Runner 2049', titleSlug: 'blade-runner-2049' }
+      ]);
+
+    const downloads = [
+      {
+        title: 'Blade.Runner.2049.2017.1080p',
+        type: 'movie',
+        movieName: 'Blade Runner 2049',
+        arrInstanceUrl: RADARR_BASE,
+        arrContentId: 99
+      }
+    ];
+
+    await decorateDownloadsWithArrLinks(downloads, true);
+
+    expect(downloads[0].arrLink).toBe(`${RADARR_BASE}/movie/blade-runner-2049`);
+    expect(downloads[0].arrType).toBe('radarr');
+  });
+
+  it('skips decoration entirely when isAdmin is false', async () => {
+    const downloads = [
+      {
+        title: 'The.Mandalorian.S01E01.1080p',
+        type: 'series',
+        seriesName: 'The Mandalorian'
+      }
+    ];
+
+    // No nocks are set up, so any HTTP calls would throw or error
+    await decorateDownloadsWithArrLinks(downloads, false);
+
+    expect(downloads[0].arrLink).toBeUndefined();
+    expect(downloads[0].arrType).toBeUndefined();
+  });
+
+  it('handles empty downloads array gracefully', async () => {
+    // No mock setups needed, should complete without throwing
+    await expect(decorateDownloadsWithArrLinks([], true)).resolves.not.toThrow();
+  });
+
+  it('handles external API fetch failures gracefully without failing the decoration pipeline', async () => {
+    // Mock Sonarr series query throwing connection error
+    nock(SONARR_BASE)
+      .get('/api/v3/series')
+      .replyWithError('connection refused');
+
+    // Mock Radarr movie query throwing timeout error
+    nock(RADARR_BASE)
+      .get('/api/v3/movie')
+      .replyWithError('timeout');
+
+    const downloads = [
+      {
+        title: 'The.Mandalorian.S01E01.1080p',
+        type: 'series',
+        seriesName: 'The Mandalorian'
+      }
+    ];
+
+    await expect(decorateDownloadsWithArrLinks(downloads, true)).resolves.not.toThrow();
+
+    // No links decorated since the fetch failed
+    expect(downloads[0].arrLink).toBeUndefined();
+    expect(downloads[0].arrType).toBeUndefined();
+  });
+});

tests/integration/rateLimiter.test.js

@@ -0,0 +1,65 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
+import request from 'supertest';
+import nock from 'nock';
+
+describe('Rate Limiting Integration Tests', () => {
+  let app;
+  let originalSkipRateLimit;
+
+  beforeEach(async () => {
+    // Save current rate limiting skip flag
+    originalSkipRateLimit = process.env.SKIP_RATE_LIMIT;
+    // Explicitly delete it before loading the app so rate limiters are active
+    delete process.env.SKIP_RATE_LIMIT;
+    process.env.EMBY_URL = 'https://emby.test';
+
+    // Dynamically import createApp so that routes/auth.js evaluates process.env.SKIP_RATE_LIMIT as undefined
+    const appModule = await import('../../server/app.js');
+    const createApp = appModule.createApp;
+
+    // Create a new app instance with rate limiting enabled
+    app = createApp({ skipRateLimits: false });
+    
+    nock.cleanAll();
+  });
+
+  afterEach(() => {
+    // Restore rate limit skip flag
+    if (originalSkipRateLimit !== undefined) {
+      process.env.SKIP_RATE_LIMIT = originalSkipRateLimit;
+    } else {
+      delete process.env.SKIP_RATE_LIMIT;
+    }
+    delete process.env.EMBY_URL;
+    nock.cleanAll();
+  });
+
+  it('triggers a 429 Too Many Requests error on the auth endpoint after 10 failed requests', async () => {
+    // Mock Emby server auth endpoint to return 401 (failed credentials).
+    // The login rate limiter has `skipSuccessfulRequests: true`, meaning ONLY failed login attempts
+    // count toward the rate limit window of 10 requests.
+    nock('https://emby.test')
+      .post('/Users/authenticatebyname')
+      .reply(401, { error: 'Unauthorized' })
+      .persist();
+
+    // Fire 10 rapid failed login requests (the limit is 10)
+    for (let i = 0; i < 10; i++) {
+      const res = await request(app)
+        .post('/api/auth/login')
+        .send({ username: 'TestUser', password: 'wrongpassword' });
+      
+      expect(res.status).toBe(401);
+      expect(res.body.error).toBe('Invalid username or password');
+    }
+
+    // The 11th request must be rate limited and return 429
+    const limitRes = await request(app)
+      .post('/api/auth/login')
+      .send({ username: 'TestUser', password: 'wrongpassword' });
+
+    expect(limitRes.status).toBe(429);
+    expect(limitRes.body.error).toContain('Too many login attempts');
+  });
+});

tests/unit/clients/QBittorrentClient.test.js

@@ -130,6 +130,8 @@ describe('QBittorrentClient', () => {
         downloaded: 750000000,
         speed: 1048576,
         eta: 3600,
+        seeds: 0,
+        peers: 0,
         category: 'movies',
         tags: ['movie', 'hd'],
         savePath: '/downloads/test',
@@ -138,6 +140,28 @@ describe('QBittorrentClient', () => {
       });
     });
 
+    it('should expose connected seeds/peers from num_seeds and num_leechs (Issue #64)', () => {
+      const torrent = {
+        hash: 'def456',
+        name: 'Swarm Torrent',
+        state: 'downloading',
+        progress: 0.1,
+        size: 1000,
+        completed: 100,
+        dlspeed: 0,
+        eta: 0,
+        num_seeds: 7,
+        num_leechs: 3,
+        // Swarm totals — must NOT be picked up as connected counts
+        num_complete: 200,
+        num_incomplete: 50
+      };
+
+      const normalized = client.normalizeDownload(torrent);
+      expect(normalized.seeds).toBe(7);
+      expect(normalized.peers).toBe(3);
+    });
+
     it('should handle unknown torrent states', () => {
       const torrent = {
         hash: 'abc123',

tests/unit/clients/RTorrentClient.test.js

@@ -420,4 +420,68 @@ describe('RTorrentClient', () => {
       expect(status).toBeNull();
     });
   });
+
+  describe('Null-safety (Issue #68)', () => {
+    it('should return [] when d.multicall2 returns a non-array', async () => {
+      mockMethodCall.mockImplementation((method, params, callback) => {
+        callback(null, null);
+      });
+      const downloads = await client.getActiveDownloads();
+      expect(downloads).toEqual([]);
+    });
+
+    it('should skip malformed individual torrent rows instead of throwing', async () => {
+      const torrents = [
+        // valid row
+        ['hashA', 'Name A', 100, 50, 0, 0, 1, 1, 0, '/dl', ''],
+        // malformed row (not an array)
+        'not-an-array',
+        // row with null/undefined fields
+        ['hashB', null, null, null, null, null, null, null, null, null, null]
+      ];
+      mockMethodCall.mockImplementation((method, params, callback) => {
+        callback(null, torrents);
+      });
+      const downloads = await client.getActiveDownloads();
+      expect(downloads).toHaveLength(2);
+      expect(downloads[0].id).toBe('hashA');
+      expect(downloads[1].id).toBe('hashB');
+      expect(downloads[1].title).toBe('');
+      expect(downloads[1].size).toBe(0);
+    });
+
+    it('_extractArrInfo should return {} for non-string filename', () => {
+      expect(client._extractArrInfo(null)).toEqual({});
+      expect(client._extractArrInfo(undefined)).toEqual({});
+      expect(client._extractArrInfo(123)).toEqual({});
+    });
+  });
+
+  describe('lastError tracking (Issue #68)', () => {
+    it('should record lastError on getActiveDownloads failure', async () => {
+      mockMethodCall.mockImplementation((method, params, callback) => {
+        callback(new Error('boom'));
+      });
+      await client.getActiveDownloads();
+      expect(client.getLastError()).not.toBeNull();
+      expect(client.getLastError().operation).toBe('getActiveDownloads');
+      expect(client.getLastError().message).toBe('boom');
+    });
+
+    it('should clear lastError on successful call', async () => {
+      // First, fail.
+      mockMethodCall.mockImplementationOnce((method, params, callback) => {
+        callback(new Error('boom'));
+      });
+      await client.getActiveDownloads();
+      expect(client.getLastError()).not.toBeNull();
+
+      // Then, succeed.
+      mockMethodCall.mockImplementation((method, params, callback) => {
+        callback(null, []);
+      });
+      await client.getActiveDownloads();
+      expect(client.getLastError()).toBeNull();
+    });
+  });
 });

tests/unit/clients/SABnzbdClient.test.js

@@ -299,4 +299,63 @@ describe('SABnzbdClient', () => {
       expect(status).toBeNull();
     });
   });
+
+  describe('History limit configuration (Issue #68)', () => {
+    const ORIG_ENV = process.env.SAB_HISTORY_LIMIT;
+    afterEach(() => {
+      if (ORIG_ENV === undefined) delete process.env.SAB_HISTORY_LIMIT;
+      else process.env.SAB_HISTORY_LIMIT = ORIG_ENV;
+    });
+
+    it('defaults historyLimit to 10 when SAB_HISTORY_LIMIT is unset', () => {
+      delete process.env.SAB_HISTORY_LIMIT;
+      const c = new SABnzbdClient(mockConfig);
+      expect(c.historyLimit).toBe(10);
+    });
+
+    it('honors SAB_HISTORY_LIMIT when set to a valid integer', () => {
+      process.env.SAB_HISTORY_LIMIT = '25';
+      const c = new SABnzbdClient(mockConfig);
+      expect(c.historyLimit).toBe(25);
+    });
+
+    it('falls back to default on invalid SAB_HISTORY_LIMIT', () => {
+      process.env.SAB_HISTORY_LIMIT = 'not-a-number';
+      const c = new SABnzbdClient(mockConfig);
+      expect(c.historyLimit).toBe(10);
+    });
+
+    it('passes historyLimit through to the history API call', async () => {
+      process.env.SAB_HISTORY_LIMIT = '42';
+      const c = new SABnzbdClient(mockConfig);
+      const makeRequest = vi.fn()
+        .mockResolvedValueOnce({ data: { queue: { slots: [], kbpersec: 0 } } })
+        .mockResolvedValueOnce({ data: { history: { slots: [] } } });
+      c.makeRequest = makeRequest;
+      await c.getActiveDownloads();
+      expect(makeRequest).toHaveBeenCalledWith({ mode: 'history', limit: 42 });
+    });
+  });
+
+  describe('lastError tracking (Issue #68)', () => {
+    it('records lastError when getActiveDownloads fails', async () => {
+      client.makeRequest = vi.fn().mockRejectedValue(new Error('boom'));
+      await client.getActiveDownloads();
+      expect(client.getLastError()).not.toBeNull();
+      expect(client.getLastError().operation).toBe('getActiveDownloads');
+      expect(client.getLastError().message).toBe('boom');
+    });
+
+    it('clears lastError after a subsequent successful call', async () => {
+      client.makeRequest = vi.fn().mockRejectedValue(new Error('boom'));
+      await client.getActiveDownloads();
+      expect(client.getLastError()).not.toBeNull();
+
+      client.makeRequest = vi.fn()
+        .mockResolvedValueOnce({ data: { queue: { slots: [], kbpersec: 0 } } })
+        .mockResolvedValueOnce({ data: { history: { slots: [] } } });
+      await client.getActiveDownloads();
+      expect(client.getLastError()).toBeNull();
+    });
+  });
 });

tests/unit/clients/TransmissionClient.test.js

@@ -154,7 +154,9 @@ describe('TransmissionClient', () => {
         4: 'Downloading',
         5: 'Queued',
         6: 'Seeding',
-        7: 'Unknown'
+        // Issue #63: code 7 is undocumented in the RPC spec; mapped to
+        // `Checking` (legacy alias for code 2) as a best-effort interpretation.
+        7: 'Checking'
       };
 
       Object.entries(statusMap).forEach(([status, expectedStatus]) => {
@@ -433,4 +435,42 @@ describe('TransmissionClient', () => {
       expect(normalized.arrType).toBeUndefined();
     });
   });
+
+  describe('Torrent Control Methods (Issue #63)', () => {
+    it('startTorrent invokes torrent-start RPC with ids array', async () => {
+      client.makeRequest = vi.fn().mockResolvedValue({ data: { result: 'success' } });
+      await client.startTorrent('abc123');
+      expect(client.makeRequest).toHaveBeenCalledWith('torrent-start', { ids: ['abc123'] });
+    });
+
+    it('startTorrent accepts an array of ids', async () => {
+      client.makeRequest = vi.fn().mockResolvedValue({ data: { result: 'success' } });
+      await client.startTorrent([1, 2, 3]);
+      expect(client.makeRequest).toHaveBeenCalledWith('torrent-start', { ids: [1, 2, 3] });
+    });
+
+    it('stopTorrent invokes torrent-stop RPC', async () => {
+      client.makeRequest = vi.fn().mockResolvedValue({ data: { result: 'success' } });
+      await client.stopTorrent(42);
+      expect(client.makeRequest).toHaveBeenCalledWith('torrent-stop', { ids: [42] });
+    });
+
+    it('removeTorrent invokes torrent-remove with delete-local-data=false by default', async () => {
+      client.makeRequest = vi.fn().mockResolvedValue({ data: { result: 'success' } });
+      await client.removeTorrent('hashX');
+      expect(client.makeRequest).toHaveBeenCalledWith('torrent-remove', {
+        ids: ['hashX'],
+        'delete-local-data': false
+      });
+    });
+
+    it('removeTorrent passes delete-local-data=true when requested', async () => {
+      client.makeRequest = vi.fn().mockResolvedValue({ data: { result: 'success' } });
+      await client.removeTorrent('hashY', true);
+      expect(client.makeRequest).toHaveBeenCalledWith('torrent-remove', {
+        ids: ['hashY'],
+        'delete-local-data': true
+      });
+    });
+  });
 });

tests/unit/downloadClients.test.js

@@ -310,7 +310,8 @@ describe('DownloadClientRegistry', () => {
         instanceId: 'sab1',
         instanceName: 'SAB 1',
         clientType: 'sabnzbd',
-        status: { status: 'active' }
+        status: { status: 'active' },
+        lastError: null
       });
     });
 

tests/unit/utils/arrQueueHelpers.test.js

@@ -0,0 +1,142 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+// Tests for the shared `buildArrQueueCache` helper (Issue #61).
+import { describe, it, expect } from 'vitest';
+import { createRequire } from 'module';
+
+const require = createRequire(import.meta.url);
+const { buildArrQueueCache } = require('../../../server/utils/arrQueueHelpers');
+
+const sonarrInstances = [
+  { id: 's1', url: 'http://sonarr-1', apiKey: 'KEY_S1', name: 'Sonarr 1' }
+];
+const radarrInstances = [
+  { id: 'r1', url: 'http://radarr-1', apiKey: 'KEY_R1', name: 'Radarr 1' }
+];
+
+describe('buildArrQueueCache', () => {
+  it('returns empty array for empty / missing input', () => {
+    expect(buildArrQueueCache([], sonarrInstances, 'series')).toEqual([]);
+    expect(buildArrQueueCache(null, sonarrInstances, 'series')).toEqual([]);
+    expect(buildArrQueueCache(undefined, sonarrInstances, 'series')).toEqual([]);
+  });
+
+  it('returns empty array for invalid mediaKey', () => {
+    const queues = [{ instance: 's1', data: { records: [{ id: 1 }] } }];
+    expect(buildArrQueueCache(queues, sonarrInstances, 'bogus')).toEqual([]);
+  });
+
+  it('tags Sonarr records with _instanceUrl/_instanceKey and decorates embedded series', () => {
+    const queues = [
+      {
+        instance: 's1',
+        data: {
+          records: [
+            { id: 1, downloadId: 'dl-1', series: { id: 100, title: 'X' } }
+          ]
+        }
+      }
+    ];
+    const out = buildArrQueueCache(queues, sonarrInstances, 'series');
+    expect(out).toHaveLength(1);
+    expect(out[0]._instanceUrl).toBe('http://sonarr-1');
+    expect(out[0]._instanceKey).toBe('KEY_S1');
+    expect(out[0].series._instanceUrl).toBe('http://sonarr-1');
+  });
+
+  it('tags Radarr records and decorates embedded movie', () => {
+    const queues = [
+      {
+        instance: 'r1',
+        data: {
+          records: [
+            { id: 11, downloadId: 'dl-r1', movie: { id: 555, title: 'M' } }
+          ]
+        }
+      }
+    ];
+    const out = buildArrQueueCache(queues, radarrInstances, 'movie');
+    expect(out).toHaveLength(1);
+    expect(out[0]._instanceUrl).toBe('http://radarr-1');
+    expect(out[0]._instanceKey).toBe('KEY_R1');
+    expect(out[0].movie._instanceUrl).toBe('http://radarr-1');
+  });
+
+  it('annotates Sonarr season pack records (multiple entries sharing downloadId)', () => {
+    const queues = [
+      {
+        instance: 's1',
+        data: {
+          records: [
+            { id: 1, downloadId: 'pack-A', episodeId: 101 },
+            { id: 2, downloadId: 'pack-A', episodeId: 102 },
+            { id: 3, downloadId: 'pack-A', episodeId: 103 },
+            { id: 4, downloadId: 'single-B', episodeId: 200 }
+          ]
+        }
+      }
+    ];
+    const out = buildArrQueueCache(queues, sonarrInstances, 'series');
+    expect(out).toHaveLength(4);
+    const packMembers = out.filter(r => r.downloadId === 'pack-A');
+    expect(packMembers).toHaveLength(3);
+    for (const r of packMembers) {
+      expect(r.isSeasonPack).toBe(true);
+      expect(r.episodeCount).toBe(3);
+    }
+    const single = out.find(r => r.downloadId === 'single-B');
+    expect(single.isSeasonPack).toBeUndefined();
+    expect(single.episodeCount).toBeUndefined();
+  });
+
+  it('does not annotate Radarr records as season packs even if downloadId repeats', () => {
+    const queues = [
+      {
+        instance: 'r1',
+        data: {
+          records: [
+            { id: 1, downloadId: 'dup', movie: { id: 1 } },
+            { id: 2, downloadId: 'dup', movie: { id: 2 } }
+          ]
+        }
+      }
+    ];
+    const out = buildArrQueueCache(queues, radarrInstances, 'movie');
+    expect(out).toHaveLength(2);
+    for (const r of out) {
+      expect(r.isSeasonPack).toBeUndefined();
+      expect(r.episodeCount).toBeUndefined();
+    }
+  });
+
+  it('skips malformed records and continues', () => {
+    const queues = [
+      {
+        instance: 's1',
+        data: {
+          records: [
+            null,
+            { id: 1, downloadId: 'ok', series: { id: 1 } }
+          ]
+        }
+      },
+      null,
+      { instance: 's1' } // no data property
+    ];
+    const out = buildArrQueueCache(queues, sonarrInstances, 'series');
+    expect(out).toHaveLength(1);
+    expect(out[0].id).toBe(1);
+  });
+
+  it('handles unknown instance id gracefully (null url/key)', () => {
+    const queues = [
+      {
+        instance: 'unknown-instance',
+        data: { records: [{ id: 1, downloadId: 'x' }] }
+      }
+    ];
+    const out = buildArrQueueCache(queues, sonarrInstances, 'series');
+    expect(out).toHaveLength(1);
+    expect(out[0]._instanceUrl).toBeNull();
+    expect(out[0]._instanceKey).toBeNull();
+  });
+});

tests/unit/utils/poller.test.js

@@ -0,0 +1,257 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+import { createRequire } from 'module';
+
+const require = createRequire(import.meta.url);
+
+// Set environment variables before requiring any modules
+process.env.POLL_INTERVAL = '5000';
+process.env.WEBHOOK_FALLBACK_TIMEOUT = '10';
+
+const cache = require('../../../server/utils/cache.js');
+const downloadClients = require('../../../server/utils/downloadClients.js');
+const arrRetrieverRegistry = require('../../../server/utils/arrRetrievers.js');
+const config = require('../../../server/utils/config.js');
+
+// Set up mock/spies before requiring poller so destructuring in poller captures the spied versions!
+const initializeClientsSpy = vi.spyOn(downloadClients, 'initializeClients').mockResolvedValue(true);
+const getDownloadsByClientTypeSpy = vi.spyOn(downloadClients, 'getDownloadsByClientType').mockResolvedValue({
+  sabnzbd: [],
+  qbittorrent: []
+});
+
+const arrRegistryInitializeSpy = vi.spyOn(arrRetrieverRegistry, 'initialize').mockResolvedValue(true);
+const getTagsByTypeSpy = vi.spyOn(arrRetrieverRegistry, 'getTagsByType').mockResolvedValue({
+  sonarr: [],
+  radarr: []
+});
+const getQueuesByTypeSpy = vi.spyOn(arrRetrieverRegistry, 'getQueuesByType').mockResolvedValue({
+  sonarr: [],
+  radarr: []
+});
+const getHistoryByTypeSpy = vi.spyOn(arrRetrieverRegistry, 'getHistoryByType').mockResolvedValue({
+  sonarr: [],
+  radarr: []
+});
+const getOmbiRequestsSpy = vi.spyOn(arrRetrieverRegistry, 'getOmbiRequests').mockResolvedValue({
+  movie: [],
+  tv: []
+});
+
+const getSonarrInstancesSpy = vi.spyOn(config, 'getSonarrInstances').mockReturnValue([]);
+const getRadarrInstancesSpy = vi.spyOn(config, 'getRadarrInstances').mockReturnValue([]);
+const getOmbiInstancesSpy = vi.spyOn(config, 'getOmbiInstances').mockReturnValue([]);
+
+const cacheSetSpy = vi.spyOn(cache, 'set').mockImplementation(() => {});
+const cacheGetSpy = vi.spyOn(cache, 'get').mockReturnValue(null);
+const getWebhookMetricsSpy = vi.spyOn(cache, 'getWebhookMetrics').mockReturnValue(null);
+const getGlobalWebhookMetricsSpy = vi.spyOn(cache, 'getGlobalWebhookMetrics').mockReturnValue({
+  lastGlobalWebhookTimestamp: null
+});
+const incrementPollsSkippedSpy = vi.spyOn(cache, 'incrementPollsSkipped').mockImplementation(() => {});
+
+// Now require the poller
+const poller = require('../../../server/utils/poller.js');
+
+describe('Background Poller Utility', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+
+    // Re-apply standard resolved values
+    initializeClientsSpy.mockResolvedValue(true);
+    getDownloadsByClientTypeSpy.mockResolvedValue({ sabnzbd: [], qbittorrent: [] });
+    arrRegistryInitializeSpy.mockResolvedValue(true);
+    getTagsByTypeSpy.mockResolvedValue({ sonarr: [], radarr: [] });
+    getQueuesByTypeSpy.mockResolvedValue({ sonarr: [], radarr: [] });
+    getHistoryByTypeSpy.mockResolvedValue({ sonarr: [], radarr: [] });
+    getOmbiRequestsSpy.mockResolvedValue({ movie: [], tv: [] });
+
+    getSonarrInstancesSpy.mockReturnValue([]);
+    getRadarrInstancesSpy.mockReturnValue([]);
+    getOmbiInstancesSpy.mockReturnValue([]);
+
+    cacheSetSpy.mockImplementation(() => {});
+    cacheGetSpy.mockReturnValue(null);
+    getWebhookMetricsSpy.mockReturnValue(null);
+    getGlobalWebhookMetricsSpy.mockReturnValue({ lastGlobalWebhookTimestamp: null });
+    incrementPollsSkippedSpy.mockImplementation(() => {});
+  });
+
+  afterEach(() => {
+    poller.stopPoller();
+    vi.useRealTimers();
+  });
+
+  describe('Poller Core Logic', () => {
+    it('POLL_INTERVAL matches parsed environment variable', () => {
+      expect(poller.POLL_INTERVAL).toBe(5000);
+      expect(poller.POLLING_ENABLED).toBe(true);
+    });
+
+    it('successfully registers and notifies SSE subscribers on poll completion', async () => {
+      let callbackFired = false;
+      const callback = () => {
+        callbackFired = true;
+      };
+
+      poller.onPollComplete(callback);
+
+      await poller.pollAllServices();
+
+      expect(callbackFired).toBe(true);
+
+      // Clean up/Deregister callback
+      poller.offPollComplete(callback);
+      callbackFired = false;
+
+      await poller.pollAllServices();
+      expect(callbackFired).toBe(false);
+    });
+
+    it('prevents concurrent executions of pollAllServices via the polling guard', async () => {
+      // Stub initializeClients to delay using a promise
+      let resolveInit;
+      const delayPromise = new Promise((resolve) => {
+        resolveInit = resolve;
+      });
+      initializeClientsSpy.mockImplementation(() => delayPromise);
+
+      // Start the first poll (which remains pending on initializeClients)
+      const firstPollPromise = poller.pollAllServices();
+
+      const logSpy = vi.spyOn(console, 'log').mockImplementation(() => {});
+
+      // Trigger second poll immediately while first is in progress
+      await poller.pollAllServices();
+
+      expect(logSpy).toHaveBeenCalledWith('[Poller] Previous poll still running, skipping');
+
+      // Resolve the delay to let the first poll finish
+      resolveInit();
+      await firstPollPromise;
+    });
+
+    it('resets the polling guard flag on error so future polls can run', async () => {
+      initializeClientsSpy.mockRejectedValue(new Error('Initialization failed'));
+      
+      // Setup error spy
+      const errorSpy = vi.spyOn(console, 'error').mockImplementation(() => {});
+
+      await poller.pollAllServices();
+
+      expect(errorSpy).toHaveBeenCalledWith('[Poller] Poll error:', 'Initialization failed');
+
+      // Verify polling flag has been reset in the finally block by running a successful poll
+      initializeClientsSpy.mockResolvedValue(true);
+      await poller.pollAllServices();
+      expect(initializeClientsSpy).toHaveBeenCalledTimes(2);
+    });
+  });
+
+  describe('Webhook-Based Instance Bypassing', () => {
+    it('skips polling for an instance with recent active webhook events', async () => {
+      const mockSonarrInstance = { id: 'sonarr-1', name: 'Main Sonarr', url: 'https://sonarr.test' };
+      const mockRadarrInstance = { id: 'radarr-1', name: 'Main Radarr', url: 'https://radarr.test' };
+      getSonarrInstancesSpy.mockReturnValue([mockSonarrInstance]);
+      getRadarrInstancesSpy.mockReturnValue([mockRadarrInstance]);
+
+      // Mock recent webhook activity within the 10 min window (Date.now() - 1 min)
+      const recentTimestamp = Date.now() - 60000;
+      getWebhookMetricsSpy.mockImplementation((url) => {
+        if (url === 'https://sonarr.test' || url === 'https://radarr.test') {
+          return { eventsReceived: 5, lastWebhookTimestamp: recentTimestamp };
+        }
+        return null;
+      });
+
+      await poller.pollAllServices();
+
+      // Verify that skips are incremented for both
+      expect(incrementPollsSkippedSpy).toHaveBeenCalledWith('https://sonarr.test');
+      expect(incrementPollsSkippedSpy).toHaveBeenCalledWith('https://radarr.test');
+
+      // Verify that Sonarr/Radarr-specific API retrievers were not called
+      expect(getTagsByTypeSpy).not.toHaveBeenCalled();
+      expect(getQueuesByTypeSpy).not.toHaveBeenCalled();
+      expect(getHistoryByTypeSpy).not.toHaveBeenCalled();
+    });
+
+    it('forces polling if the last webhook timestamp exceeds fallback timeout', async () => {
+      const mockSonarrInstance = { id: 'sonarr-1', name: 'Main Sonarr', url: 'https://sonarr.test' };
+      getSonarrInstancesSpy.mockReturnValue([mockSonarrInstance]);
+
+      // Mock stale webhook activity (Date.now() - 11 mins, fallback is 10 mins)
+      const staleTimestamp = Date.now() - 11 * 60000;
+      getWebhookMetricsSpy.mockImplementation((url) => {
+        if (url === 'https://sonarr.test') {
+          return { eventsReceived: 5, lastWebhookTimestamp: staleTimestamp };
+        }
+        return null;
+      });
+
+      await poller.pollAllServices();
+
+      // Should bypass the skip and perform a full poll
+      expect(getTagsByTypeSpy).toHaveBeenCalled();
+    });
+
+    it('forces polling via global webhook fallback if no global webhooks received for timeout duration', async () => {
+      const mockSonarrInstance = { id: 'sonarr-1', name: 'Main Sonarr', url: 'https://sonarr.test' };
+      getSonarrInstancesSpy.mockReturnValue([mockSonarrInstance]);
+
+      // Mock recent metrics on individual level but stale globally
+      const recentTimestamp = Date.now() - 60000;
+      getWebhookMetricsSpy.mockImplementation((url) => {
+        if (url === 'https://sonarr.test') {
+          return { eventsReceived: 5, lastWebhookTimestamp: recentTimestamp };
+        }
+        return null;
+      });
+
+      // Global webhook is stale
+      getGlobalWebhookMetricsSpy.mockReturnValue({
+        lastGlobalWebhookTimestamp: Date.now() - 12 * 60000
+      });
+
+      await poller.pollAllServices();
+
+      // Stale global webhooks should trigger fallback, bypassing the individual skip
+      expect(getTagsByTypeSpy).toHaveBeenCalled();
+    });
+  });
+
+  describe('Hybrid Timer Behavior (Fake Timers)', () => {
+    beforeEach(() => {
+      vi.useFakeTimers();
+    });
+
+    it('schedules periodic polls in startPoller on standard interval', async () => {
+      poller.startPoller();
+
+      // Triggered immediately on start (flush microtasks)
+      await vi.advanceTimersByTimeAsync(0);
+      expect(getDownloadsByClientTypeSpy).toHaveBeenCalledTimes(1);
+
+      // Advance time by 5000ms
+      await vi.advanceTimersByTimeAsync(5000);
+      expect(getDownloadsByClientTypeSpy).toHaveBeenCalledTimes(2);
+
+      // Advance by another 5000ms
+      await vi.advanceTimersByTimeAsync(5000);
+      expect(getDownloadsByClientTypeSpy).toHaveBeenCalledTimes(3);
+
+      poller.stopPoller();
+    });
+
+    it('clears intervals cleanly when stopPoller is called', async () => {
+      poller.startPoller();
+      await vi.advanceTimersByTimeAsync(0);
+      expect(getDownloadsByClientTypeSpy).toHaveBeenCalledTimes(1);
+
+      poller.stopPoller();
+
+      await vi.advanceTimersByTimeAsync(10000);
+      expect(getDownloadsByClientTypeSpy).toHaveBeenCalledTimes(1); // No new execution since poller was stopped
+    });
+  });
+});