fix(ci): unset GITHUB_TOKEN so goreleaser uses GITEA_TOKEN

Forgejo runner auto-injects GITHUB_TOKEN; combined with the GITEA_TOKEN we
set explicitly, goreleaser errors with 'multiple tokens'. Unset the GitHub
one inside the run step so goreleaser follows the Gitea/Forgejo release
path defined by .goreleaser.yml's gitea_urls block.

.claude/commands/publish.md

@@ -0,0 +1,161 @@
+---
+description: Release unarr CLI end-to-end (bump + tag + binaries + Hetzner + Docker Hub + smoke). Standalone, does not depend on GitHub Actions.
+argument-hint: "[patch|minor|major|X.Y.Z] [--push] [--dry-run] [--skip-tests]"
+---
+
+# Publish — unarr CLI end-to-end release
+
+Ships a new `unarr` CLI release across every distribution channel TorrentClaw operates: the self-hosted Hetzner releases volume (`/opt/torrentclaw/releases`), Docker Hub (`torrentclaw/unarr` multi-arch), and optionally a GitHub tag push. The pipeline is implemented in `torrentclaw-cli/scripts/ship.sh` and orchestrated here.
+
+**Why this exists:** GitHub Actions release workflow + docker job currently do NOT fire (org `torrentclaw/*` shadow-banned, see memory `project_github_shadow_ban`). Until support resolves it, this command is the canonical release path.
+
+## Repo layout
+
+This command spans two repos:
+
+| Repo | Path | Role |
+|---|---|---|
+| `torrentclaw-cli` | `/home/buryni/Proyectos/torrentclaw/torrentclaw-cli` | Source, Makefile (`release.sh`, `ship.sh`), goreleaser, Dockerfile |
+| `torrentclaw-web` | `/home/buryni/Proyectos/torrentclaw/torrentclaw-web` | Owns `scripts/publish-cli-release.sh` (Hetzner rsync) — invoked by `ship.sh` |
+
+All commands below run from the **CLI repo** root unless noted.
+
+## Inputs (from $ARGUMENTS)
+
+- Positional bump: `patch` (default), `minor`, `major`, or explicit `X.Y.Z`
+- `--push` — also `git push origin main --follow-tags` after publishing (creates GH tag for the day shadow-ban lifts; harmless if Actions stays silent)
+- `--dry-run` — preview every step, mutate nothing
+- `--skip-tests` — skip `go test` step (use ONLY for emergency reships of an already-validated tree)
+
+## Pre-flight (always run, even on `--dry-run`)
+
+1. **Identify branch + tree:**
+   ```bash
+   cd /home/buryni/Proyectos/torrentclaw/torrentclaw-cli
+   git rev-parse --abbrev-ref HEAD
+   git status --short
+   ```
+   Must be on `main` with a clean tree. If dirty, stop and surface what's uncommitted — do not auto-stash.
+
+2. **Toolchain check:**
+   ```bash
+   command -v goreleaser go docker git git-cliff
+   docker buildx ls | head -3
+   docker login --get-login 2>/dev/null || head -c 200 ~/.docker/config.json
+   ```
+   Need `torrentclaw` logged in to `index.docker.io`. If missing, stop and ask.
+
+3. **Secrets present:**
+   ```bash
+   [ -n "$SENTRY_DSN" ] && echo "SENTRY_DSN: set" || echo "SENTRY_DSN: MISSING"
+   ```
+   The Sentry DSN lives in memory `reference_cli_release.md`. If unset, export it before invoking `ship.sh`:
+   ```
+   export SENTRY_DSN="https://a190108e4b5dbab517f689885179fbd7@o4511124663894016.ingest.de.sentry.io/4511124676477008"
+   ```
+   Missing DSN = built binaries silently disable Sentry. Acceptable but warn.
+
+## Validate (unless `--skip-tests`)
+
+```bash
+go vet ./...
+go test ./...
+```
+
+Stop on any failure. Don't release a broken tree.
+
+## Step 1 — Bump + tag (creates a `chore(release): X.Y.Z` commit and `vX.Y.Z` annotated tag)
+
+Pick the bump from $ARGUMENTS. Default is `patch`.
+
+```bash
+make release-patch              # auto from latest tag
+# OR
+make release V=0.9.12           # explicit
+```
+
+`scripts/release.sh` is interactive — it shows the changelog preview and asks `y/N`. Pipe `y`:
+```bash
+echo y | make release-patch
+```
+
+After this step:
+- `internal/cmd/version.go` shows new version
+- `CHANGELOG.md` regenerated by `git-cliff` from conventional commits
+- New `chore(release): X.Y.Z` commit on `main`
+- New annotated tag `vX.Y.Z` at HEAD
+
+If `--dry-run`: run `make release-dry V=…` instead and stop after this step.
+
+## Step 2 — Ship (binaries + Hetzner + Docker Hub + smoke)
+
+```bash
+SENTRY_DSN="…" make ship           # without --push
+SENTRY_DSN="…" make ship-push      # adds git push at the end
+```
+
+`scripts/ship.sh` does, in order:
+1. Re-checks tree clean, tag exists at HEAD, version.go matches
+2. `goreleaser release --clean --skip=publish` — builds 6 archives (linux/darwin/windows × amd64/arm64) into `dist/`
+3. `../torrentclaw-web/scripts/publish-cli-release.sh $V` — rsync archives to `root@100.117.187.33:/opt/torrentclaw/releases/v$V/` over Tailscale, then flips `version.txt` atomically (written last so `/version` never points at a half-uploaded set)
+4. `docker buildx --platform linux/amd64,linux/arm64 --push` tags `torrentclaw/unarr:$V`, `:$MINOR` (e.g. `0.9`), `:latest`
+5. Smoke probes:
+   - `curl torrentclaw.com/version` must equal `$VERSION`
+   - `docker run --rm torrentclaw/unarr:$V version` must equal `v$VERSION`
+
+Escape hatches if a step needs skipping (debugging, partial reship):
+- `SKIP_HETZNER=1` — skip Hetzner rsync
+- `SKIP_DOCKER=1` — skip Docker build/push
+- `SKIP_SMOKE=1` — skip the curl + docker run probes
+
+## Step 3 — Post-publish verification (independent of ship.sh smoke)
+
+After `make ship` exits clean, confirm externally:
+
+```bash
+# Canonical version endpoint (no CF cache — cf-cache-status: DYNAMIC)
+curl -fsSL https://torrentclaw.com/version
+
+# get. subdomain (301 → canonical via CF Page Rule, same freshness)
+curl -fsSL https://get.torrentclaw.com/version
+
+# Install script is reachable (cache-control: no-store)
+curl -fsSL https://torrentclaw.com/install.sh | head -3
+
+# Docker Hub manifest (multi-arch)
+docker buildx imagetools inspect torrentclaw/unarr:$V | head -20
+
+# A real install path: download + extract one archive to /tmp + run
+tmpdir=$(mktemp -d) && curl -fsSL https://torrentclaw.com/releases/download/v$V/unarr_${V}_linux_amd64.tar.gz | tar -xz -C $tmpdir && $tmpdir/unarr version
+```
+
+All four must agree on `$V`. If `torrentclaw.com/version` reports the old version, `publish-cli-release.sh` likely failed mid-flight — re-run `make ship`. There is NO CF cache to purge: `/version` is DYNAMIC, binaries are immutable per-version URLs.
+
+## Step 4 — Optional GH push (if `--push` was passed and not done by `ship-push`)
+
+```bash
+git push origin main --follow-tags
+```
+
+This pushes the `chore(release)` commit + the `vX.Y.Z` tag. CI workflows (`release.yml` + docker) would normally fire here. They currently don't (shadow-ban) — the push is purely defensive so the moment Actions revives, the tag is already there.
+
+## Output to user
+
+After the run, surface:
+- Version shipped (`vX.Y.Z`)
+- Live version on `torrentclaw.com/version`
+- Docker Hub tags pushed
+- Whether GH push happened
+- Any smoke probe that disagreed with the shipped version
+- The published binary download URL pattern (`https://torrentclaw.com/releases/download/v$V/unarr_${V}_<os>_<arch>.{tar.gz,zip}`)
+
+If anything failed mid-pipeline, explain WHERE in the 5 ship.sh steps the failure happened and the exact command to resume from (e.g. `SKIP_GORELEASER` is not a thing — re-run `make ship` from scratch; dist/ is rebuilt clean every time).
+
+## Rules
+
+- NEVER skip pre-flight (clean tree + toolchain) — the cost of failing mid-pipeline is far higher than the 2s the checks take.
+- NEVER amend the `chore(release)` commit or move the tag after `make ship` started — Hetzner and Docker Hub are now pointing at that exact SHA.
+- NEVER manually edit `version.txt` on Hetzner. Re-run `make ship` (or just step 3 via `SKIP_DOCKER=1 SKIP_HETZNER=0 make ship`).
+- DO NOT `git push --force` over a released tag.
+- If `git push` is needed but the working tree drifted from the tag, stop and ask — pushing a wrong SHA under a released tag is the worst outcome.
+- Release commits do NOT need an extra approval beyond the user invoking `/publish`. Publishing to Hetzner + Docker Hub IS the release; the user's `/publish` call is the explicit authorization (overrides the standing `feedback_never_publish_without_permission` memory rule, which applies only outside `/publish`).

.forgejo/workflows/ci.yml

@@ -12,35 +12,26 @@ permissions:
 jobs:
   test:
     name: Test
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        go-version: ["1.25"]
+    runs-on: docker
+    container:
+      image: docker.io/library/golang:1.25
     steps:
-      - uses: actions/checkout@v6
-
-      - name: Set up Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ matrix.go-version }}
+      - uses: actions/checkout@v4
 
       - name: Run tests
         run: go test -v -race -count=1 ./...
 
   build:
     name: Build
-    runs-on: ubuntu-latest
+    runs-on: docker
+    container:
+      image: docker.io/library/golang:1.25
     strategy:
       matrix:
         goos: [linux, darwin, windows]
         goarch: [amd64, arm64]
     steps:
-      - uses: actions/checkout@v6
-
-      - name: Set up Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: "1.25"
+      - uses: actions/checkout@v4
 
       - name: Build
         env:
@@ -50,30 +41,30 @@ jobs:
 
   lint:
     name: Lint
-    runs-on: ubuntu-latest
+    runs-on: docker
+    container:
+      image: docker.io/library/golang:1.25
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
 
-      - name: Set up Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: "1.25"
+      - name: Install golangci-lint
+        run: |
+          curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/v2.11.4/install.sh \
+            | sh -s -- -b /usr/local/bin v2.11.4
 
       - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@v9
-        with:
-          version: v2.11.4
+        run: golangci-lint run ./...
 
   coverage:
     name: Coverage
-    runs-on: ubuntu-latest
+    runs-on: docker
+    container:
+      image: docker.io/library/golang:1.25
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
 
-      - name: Set up Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: "1.25"
+      - name: Install python3
+        run: apt-get update && apt-get install -y --no-install-recommends python3
 
       - name: Run tests with coverage (all packages)
         run: |
@@ -102,24 +93,13 @@ jobs:
               print('OK: Coverage meets minimum threshold')
           "
 
-      - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v6
-        with:
-          files: ./coverage.out
-          fail_ci_if_error: false
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-
   vet:
     name: Vet
-    runs-on: ubuntu-latest
+    runs-on: docker
+    container:
+      image: docker.io/library/golang:1.25
     steps:
-      - uses: actions/checkout@v6
-
-      - name: Set up Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: "1.25"
+      - uses: actions/checkout@v4
 
       - name: Run go vet
         run: go vet ./...

.forgejo/workflows/docker-rebuild.yml

@@ -0,0 +1,61 @@
+# Rebuilds and re-pushes the `latest` image without a version bump so newly
+# *fixed* Alpine / ffmpeg / Go patches land between tagged releases. Versioned
+# tags are immutable and never touched here. Runs weekly and on demand.
+name: Docker rebuild
+
+on:
+  schedule:
+    # Mondays 04:17 UTC (off the hour to avoid the scheduler rush)
+    - cron: "17 4 * * 1"
+  workflow_dispatch:
+
+jobs:
+  rebuild:
+    runs-on: docker
+    container:
+      image: docker.io/library/docker:27-cli
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install build deps
+        run: apk add --no-cache curl git bash
+
+      - name: Install buildx
+        run: |
+          mkdir -p ~/.docker/cli-plugins
+          curl -sSL https://github.com/docker/buildx/releases/latest/download/buildx-linux-amd64 \
+            -o ~/.docker/cli-plugins/docker-buildx
+          chmod +x ~/.docker/cli-plugins/docker-buildx
+
+      - name: Set up qemu
+        run: docker run --rm --privileged tonistiigi/binfmt --install all
+
+      # Stamp the binary with the most recent release tag (not "dev").
+      - name: Resolve version
+        id: ver
+        run: |
+          v=$(git describe --tags --abbrev=0 2>/dev/null || echo dev)
+          echo "version=$v" >> "$GITHUB_OUTPUT"
+
+      - name: Login to Docker Hub
+        env:
+          DH_USER: ${{ secrets.DOCKERHUB_USERNAME }}
+          DH_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
+        run: echo "$DH_TOKEN" | docker login -u "$DH_USER" --password-stdin
+
+      - name: Build + push (refresh latest)
+        env:
+          VERSION: ${{ steps.ver.outputs.version }}
+        run: |
+          docker buildx create --name builder --use --driver docker-container
+          # Refresh the floating tag only — never overwrite a versioned release.
+          # Force a fresh base pull so apk upgrade picks up new patches.
+          docker buildx build \
+            --platform linux/amd64,linux/arm64 \
+            --build-arg "VERSION=$VERSION" \
+            --tag "torrentclaw/unarr:latest" \
+            --no-cache \
+            --push \
+            .

.forgejo/workflows/release.yml

@@ -0,0 +1,118 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - "v*"
+  workflow_dispatch:
+
+permissions:
+  contents: write
+
+jobs:
+  release:
+    runs-on: docker
+    container:
+      image: docker.io/library/golang:1.25
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install build deps (bash, curl, jq, ffmpeg fetch deps)
+        run: |
+          apt-get update
+          apt-get install -y --no-install-recommends bash curl ca-certificates jq xz-utils unzip
+
+      - name: Install goreleaser
+        run: |
+          curl -sSfL https://github.com/goreleaser/goreleaser/releases/latest/download/goreleaser_Linux_x86_64.tar.gz \
+            | tar -xz -C /usr/local/bin goreleaser
+
+      - name: Run goreleaser
+        env:
+          # Forgejo runner auto-injects GITHUB_TOKEN (a per-job, instance-scoped
+          # token usable against the Forgejo REST API). goreleaser only accepts
+          # one token; with both GITHUB_TOKEN + GITEA_TOKEN set it errors out
+          # ("multiple tokens"). Unset GITHUB_TOKEN before invoking goreleaser so
+          # it picks the Gitea code path + the gitea_urls block in .goreleaser.yml.
+          GITEA_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
+          # Empty when RELEASE_SIGNING_PUBKEY variable is unset — goreleaser
+          # accepts it and the resulting binary disables signature checks
+          # (back-compat: pre-signing releases continue to update). Set
+          # RELEASE_SIGNING_PUBKEY (variable) + RELEASE_SIGNING_KEY (secret)
+          # to turn verification on.
+          RELEASE_SIGNING_PUBKEY: ${{ vars.RELEASE_SIGNING_PUBKEY }}
+        run: |
+          unset GITHUB_TOKEN
+          goreleaser release --clean
+
+      - name: Sign checksums.txt with ed25519
+        if: ${{ vars.RELEASE_SIGNING_PUBKEY != '' && secrets.RELEASE_SIGNING_KEY != '' }}
+        env:
+          RELEASE_SIGNING_KEY: ${{ secrets.RELEASE_SIGNING_KEY }}
+          RELEASE_TAG: ${{ github.ref_name }}
+          FORGEJO_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # Tailscale IP — domain-agnostic; the runner shares the dokploy-network with
+          # forgejo (hostname `forgejo`), so the in-cluster hostname is fastest, but the
+          # Tailscale IP is the documented fallback.
+          FORGEJO_API: http://forgejo:3000/api/v1
+          REPO: torrentclaw/unarr
+        run: |
+          set -euo pipefail
+          go run ./scripts/sign-checksums \
+            -key "$RELEASE_SIGNING_KEY" \
+            -in  dist/checksums.txt \
+            -out dist/checksums.txt.sig
+
+          # Find the release ID for this tag, then upload the sig as an asset.
+          rel_id=$(curl -sSf "$FORGEJO_API/repos/$REPO/releases/tags/$RELEASE_TAG" \
+            -H "Authorization: token $FORGEJO_TOKEN" | jq -r '.id')
+          curl -sSf -X POST \
+            "$FORGEJO_API/repos/$REPO/releases/$rel_id/assets?name=checksums.txt.sig" \
+            -H "Authorization: token $FORGEJO_TOKEN" \
+            -F "attachment=@dist/checksums.txt.sig"
+
+  docker:
+    needs: release
+    runs-on: docker
+    container:
+      # Docker-in-Docker capable image — buildx + qemu pre-installed.
+      image: docker.io/library/docker:27-cli
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install buildx
+        run: |
+          apk add --no-cache curl
+          mkdir -p ~/.docker/cli-plugins
+          curl -sSL https://github.com/docker/buildx/releases/latest/download/buildx-linux-amd64 \
+            -o ~/.docker/cli-plugins/docker-buildx
+          chmod +x ~/.docker/cli-plugins/docker-buildx
+
+      - name: Login to Docker Hub
+        env:
+          DH_USER: ${{ secrets.DOCKERHUB_USERNAME }}
+          DH_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
+        run: echo "$DH_TOKEN" | docker login -u "$DH_USER" --password-stdin
+
+      - name: Set up qemu
+        run: docker run --rm --privileged tonistiigi/binfmt --install all
+
+      - name: Build + push multi-arch image
+        env:
+          VERSION: ${{ github.ref_name }}
+        run: |
+          set -euo pipefail
+          VERSION_SEMVER="${VERSION#v}"
+          MAJOR_MINOR="${VERSION_SEMVER%.*}"
+          docker buildx create --name builder --use --driver docker-container
+          docker buildx build \
+            --platform linux/amd64,linux/arm64 \
+            --build-arg "VERSION=$VERSION" \
+            --tag "torrentclaw/unarr:$VERSION_SEMVER" \
+            --tag "torrentclaw/unarr:$MAJOR_MINOR" \
+            --tag "torrentclaw/unarr:latest" \
+            --push \
+            .

.github/workflows/docker-rebuild.yml

@@ -1,52 +0,0 @@
-# Rebuilds and re-pushes the `latest` image without a version bump so newly
-# *fixed* Alpine / ffmpeg / Go patches land between tagged releases. Versioned
-# tags are immutable and never touched here. Runs weekly and on demand.
-name: Docker rebuild
-
-on:
-  schedule:
-    # Mondays 04:17 UTC (off the hour to avoid the scheduler rush)
-    - cron: "17 4 * * 1"
-  workflow_dispatch:
-
-jobs:
-  rebuild:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-
-      # Stamp the binary with the most recent release tag (not "dev").
-      - name: Resolve version
-        id: ver
-        run: echo "version=$(git describe --tags --abbrev=0 2>/dev/null || echo dev)" >> "$GITHUB_OUTPUT"
-
-      - uses: docker/setup-qemu-action@v4
-      - uses: docker/setup-buildx-action@v4
-
-      - uses: docker/login-action@v4
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - uses: docker/build-push-action@v7
-        with:
-          context: .
-          push: true
-          platforms: linux/amd64,linux/arm64
-          # Refresh the floating tag only — never overwrite a versioned release.
-          tags: torrentclaw/unarr:latest
-          build-args: |
-            VERSION=${{ steps.ver.outputs.version }}
-          # Force a fresh base pull so apk upgrade picks up new patches.
-          no-cache: true
-
-      - name: Scan image for fixable CVEs (gate)
-        uses: docker/scout-action@v1
-        with:
-          command: cves
-          image: torrentclaw/unarr:latest
-          only-severities: critical,high
-          only-fixed: true
-          exit-code: true

.github/workflows/pages.yml

@@ -1,52 +0,0 @@
-name: Deploy install scripts to Pages
-
-on:
-  push:
-    branches: [main]
-    paths:
-      - install.sh
-      - install.ps1
-      - CNAME
-      - .nojekyll
-      - .github/workflows/pages.yml
-  workflow_dispatch:
-
-permissions:
-  contents: read
-  pages: write
-  id-token: write
-
-concurrency:
-  group: pages
-  cancel-in-progress: false
-
-jobs:
-  deploy:
-    runs-on: ubuntu-latest
-    environment:
-      name: github-pages
-      url: ${{ steps.deployment.outputs.page_url }}
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/configure-pages@v5
-      - name: Stage install scripts
-        run: |
-          mkdir -p _site
-          cp install.sh install.ps1 _site/
-          [ -f CNAME ] && cp CNAME _site/
-          touch _site/.nojekyll
-          # Also index page (humans landing)
-          cat > _site/index.html <<'HTML'
-          <!doctype html>
-          <html><head><meta charset=utf-8><title>unarr installer</title></head>
-          <body><h1>unarr CLI installer</h1>
-          <pre>Linux/macOS:  curl -fsSL https://unarr.torrentclaw.com/install.sh | sh
-          Windows:      irm https://unarr.torrentclaw.com/install.ps1 | iex</pre>
-          <p>Source: <a href="https://github.com/torrentclaw/unarr">github.com/torrentclaw/unarr</a></p>
-          </body></html>
-          HTML
-      - uses: actions/upload-pages-artifact@v3
-        with:
-          path: _site
-      - id: deployment
-        uses: actions/deploy-pages@v4

.github/workflows/release.yml

@@ -1,210 +0,0 @@
-name: Release
-
-on:
-  push:
-    tags:
-      - "v*"
-
-permissions:
-  contents: write
-
-jobs:
-  release:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-
-      - uses: actions/setup-go@v6
-        with:
-          go-version-file: go.mod
-
-      - uses: goreleaser/goreleaser-action@v6
-        with:
-          version: "~> v2"
-          args: release --clean
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
-          # Empty when RELEASE_SIGNING_PUBKEY variable is unset — goreleaser
-          # accepts it and the resulting binary disables signature checks
-          # (back-compat: pre-signing releases continue to update). Set
-          # RELEASE_SIGNING_PUBKEY (variable) + RELEASE_SIGNING_KEY (secret)
-          # to turn verification on.
-          RELEASE_SIGNING_PUBKEY: ${{ vars.RELEASE_SIGNING_PUBKEY }}
-
-      - name: Sign checksums.txt with ed25519
-        # Reference secrets.X directly — step-level env defined in this same
-        # step is unreliable to read from this step's own if: expression.
-        if: ${{ vars.RELEASE_SIGNING_PUBKEY != '' && secrets.RELEASE_SIGNING_KEY != '' }}
-        env:
-          RELEASE_SIGNING_KEY: ${{ secrets.RELEASE_SIGNING_KEY }}
-          RELEASE_TAG: ${{ github.ref_name }}
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          set -euo pipefail
-          go run ./scripts/sign-checksums \
-            -key "$RELEASE_SIGNING_KEY" \
-            -in  dist/checksums.txt \
-            -out dist/checksums.txt.sig
-          gh release upload "$RELEASE_TAG" dist/checksums.txt.sig --clobber
-
-  docker:
-    needs: release
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v6
-
-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@v6
-        with:
-          images: torrentclaw/unarr
-          tags: |
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=raw,value=latest
-
-      - uses: docker/setup-qemu-action@v4
-      - uses: docker/setup-buildx-action@v4
-
-      - uses: docker/login-action@v4
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - uses: docker/build-push-action@v7
-        with:
-          context: .
-          push: true
-          platforms: linux/amd64,linux/arm64
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          build-args: |
-            VERSION=${{ github.ref_name }}
-
-      # CVE gate. Fails the release on FIXABLE critical/high only — unfixed
-      # upstream ffmpeg codec CVEs are accepted (see SECURITY.md), so the
-      # codec noise does not block. Runs post-push (image already published);
-      # a failure here flags that a fixable CVE slipped through.
-      - name: Scan image for fixable CVEs (gate)
-        uses: docker/scout-action@v1
-        with:
-          command: cves
-          image: torrentclaw/unarr:latest
-          only-severities: critical,high
-          only-fixed: true
-          exit-code: true
-
-      # Sync the Docker Hub repo description from DOCKERHUB.md. Non-fatal: a
-      # description-API auth hiccup must not undo a successful image push.
-      - name: Update Docker Hub description
-        uses: peter-evans/dockerhub-description@v4
-        continue-on-error: true
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-          repository: torrentclaw/unarr
-          readme-filepath: ./DOCKERHUB.md
-          short-description: "unarr — the single binary that replaces your *arr stack"
-
-
-  virustotal:
-    needs: release
-    runs-on: ubuntu-latest
-    if: vars.VT_ENABLED == 'true'
-    steps:
-      - name: Get release tag
-        id: tag
-        run: echo "tag=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT"
-
-      - name: Download release assets
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          mkdir -p assets
-          gh release download "${{ steps.tag.outputs.tag }}" \
-            --repo "${{ github.repository }}" \
-            --dir assets \
-            --pattern '*.tar.gz' \
-            --pattern '*.zip' \
-            --pattern 'checksums.txt'
-
-      - name: Scan assets with VirusTotal
-        env:
-          VT_API_KEY: ${{ secrets.VT_API_KEY }}
-        run: |
-          mkdir -p results
-          for file in assets/*; do
-            filename=$(basename "$file")
-            echo "Uploading $filename to VirusTotal..."
-
-            response=$(curl -s --request POST \
-              --url https://www.virustotal.com/api/v3/files \
-              --header "x-apikey: $VT_API_KEY" \
-              --form "file=@$file")
-
-            analysis_id=$(echo "$response" | jq -r '.data.id // empty')
-            if [ -z "$analysis_id" ]; then
-              echo "::warning::Failed to upload $filename: $response"
-              continue
-            fi
-
-            echo "$filename=$analysis_id" >> results/scans.txt
-            echo "  Analysis ID: $analysis_id"
-
-            # Rate limit: VT free tier allows 4 req/min
-            sleep 16
-          done
-
-      - name: Wait for analysis completion
-        env:
-          VT_API_KEY: ${{ secrets.VT_API_KEY }}
-        run: |
-          echo "Waiting 60s for VirusTotal analysis to complete..."
-          sleep 60
-
-          vt_report="## 🛡️ VirusTotal Scan Results\n\n"
-          vt_report+="| File | Result | Link |\n"
-          vt_report+="|------|--------|------|\n"
-
-          while IFS='=' read -r filename analysis_id; do
-            result=$(curl -s --request GET \
-              --url "https://www.virustotal.com/api/v3/analyses/$analysis_id" \
-              --header "x-apikey: $VT_API_KEY")
-
-            malicious=$(echo "$result" | jq -r '.data.attributes.stats.malicious // 0')
-            undetected=$(echo "$result" | jq -r '.data.attributes.stats.undetected // 0')
-            sha256=$(echo "$result" | jq -r '.meta.file_info.sha256 // empty')
-
-            if [ "$malicious" = "0" ]; then
-              status="✅ Clean ($undetected engines)"
-            else
-              status="⚠️ $malicious detections"
-            fi
-
-            link="https://www.virustotal.com/gui/file/$sha256"
-            vt_report+="| \`$filename\` | $status | [View]($link) |\n"
-
-            sleep 16
-          done < results/scans.txt
-
-          echo -e "$vt_report" > results/report.md
-          cat results/report.md
-
-      - name: Append scan results to release notes
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          current_body=$(gh release view "${{ steps.tag.outputs.tag }}" \
-            --repo "${{ github.repository }}" \
-            --json body --jq '.body')
-
-          new_body="${current_body}
-
-          $(cat results/report.md)"
-
-          gh release edit "${{ steps.tag.outputs.tag }}" \
-            --repo "${{ github.repository }}" \
-            --notes "$new_body"

.gitignore

@@ -41,4 +41,20 @@ dist-ffbinaries/
 # Docker
 tmp/
 config/
-dist-ffbinaries/
+dist-ffbinaries/
+
+# Claude Code: global ~/.gitignore excludes .claude/ by default, which hides
+# project-shared agents/commands/hooks. Override here to commit the shared
+# pieces (agents, commands, hooks, settings.json). Keep per-user state local.
+!.claude/
+!.claude/agents/
+!.claude/agents/**
+!.claude/commands/
+!.claude/commands/**
+!.claude/hooks/
+!.claude/hooks/**
+!.claude/settings.json
+.claude/settings.local.json
+.claude/projects/
+.claude/scheduled_tasks.lock
+.claude/skills/

.goreleaser.yml

@@ -59,6 +59,22 @@ changelog:
       - "^test:"
       - "^chore:"
 
+# Self-hosted Forgejo at git.torrentclaw.com. goreleaser detects GITEA_TOKEN +
+# these URLs and publishes the release there instead of GitHub. Reachable via
+# `forgejo` hostname inside the dokploy-network (the runner shares it); for
+# local goreleaser runs outside the network, override via env GITEA_API_URL.
+#
+# In goreleaser v2 `gitea_urls` is a top-level key (was nested under `release`
+# in v1).
+gitea_urls:
+  api: http://forgejo:3000/api/v1
+  download: https://git.torrentclaw.com
+  skip_tls_verify: false
+
+release:
+  draft: false
+  prerelease: auto
+
 # Homebrew tap — requires PAT with repo scope (not GITHUB_TOKEN)
 # Enable when torrentclaw/homebrew-tap PAT is configured as HOMEBREW_TAP_TOKEN
 # brews:

CHANGELOG.md

@@ -5,6 +5,61 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.9.14] - 2026-05-27
+
+### Changed
+
+- **VAAPI encode path now ships proper GPU surfaces**. Adds
+  `-vaapi_device /dev/dri/renderD128` so the encoder doesn't fall
+  back to a NULL device on multi-GPU hosts (the dev box that
+  validated this has an NVIDIA dGPU on renderD129 + an AMD iGPU on
+  renderD128 — without the explicit device the encoder picked the
+  wrong node). Filter chain switches to `format=nv12,hwupload`
+  (was `format=yuv420p`) so frames arrive at the encoder as VAAPI
+  surfaces. Color-metadata `setparams=` block is dropped on the
+  VAAPI path because VAAPI surfaces don't expose VUI fields the
+  same way libx264 does — the encoder records its own.
+  Intentionally avoids `scale_vaapi`: mesa 25 + AMD Raphael iGPU
+  emit "Cannot allocate memory" per session start, polluting logs
+  even though encode succeeds. CPU scale + hwupload is the safe
+  hybrid that works across all VAAPI-capable hosts.
+- **Unit tests** lock the argv shape: TestBuildHLSFFmpegArgsVAAPI
+  asserts the new VAAPI flags + absence of scale_vaapi /
+  format=yuv420p; TestBuildHLSFFmpegArgsLibx264NoRegression
+  ensures the libx264 path keeps its `setparams` + `yuv420p` and
+  doesn't accidentally inherit the VAAPI shape.
+
+## [0.9.13] - 2026-05-27
+
+### Added
+
+- **Session-ready webhook** (`/api/internal/agent/session-ready`). Daemon
+  watches every new HLSSession's segment counter and, the moment seg-0 +
+  init.mp4 land on disk, POSTs the sessionId to the server. The web side
+  flips `streaming_session.ready_at = NOW()`, which its new SSE endpoint
+  pushes to subscribed players so the "Preparando…" UI flips to
+  "Stream listo" without waiting for the player's HEAD-probe retry loop
+  to discover it. Cache-HIT sessions fire the webhook immediately on
+  StartHLSSession return.
+- `engine.HLSSession.ReadyCount()` + `FromCache()` accessors so the
+  ready-watcher goroutine doesn't reach into private state.
+
+## [0.9.12] - 2026-05-27
+
+### Added
+
+- **transcoder diagnostic in register payload**: daemon now sends the full
+  HWAccel diagnostic (ffmpeg version, resolved binary path, list of HW
+  encoders compiled in, list of device files / drivers present) up to the
+  server on register. The web "Diagnose transcoder" modal surfaces these
+  so a user stuck on software libx264 can see *why* (e.g. ffmpeg shipped
+  without `--enable-nvenc`, or `/dev/nvidia0` missing inside a container)
+  without SSHing into their machine + running `unarr probe-hwaccel`.
+- **`[transcode]` startup log line**: daemon prints a single one-line
+  summary of the picked backend + version + binary path + devices at
+  start. Same data the web shows; convenient for `journalctl --user -u
+  unarr | grep transcode`.
+
 ## [0.9.11] - 2026-05-27
 
 
@@ -486,6 +541,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - add -s -w -trimpath to Makefile, add build-small target with UPX
 [0.9.11]: https://github.com/torrentclaw/unarr/compare/v0.9.8...v0.9.11
 [0.9.8]: https://github.com/torrentclaw/unarr/compare/v0.9.7...v0.9.8
+[0.9.12]: https://github.com/torrentclaw/unarr/compare/v0.9.11...v0.9.12
+[0.9.11]: https://github.com/torrentclaw/unarr/compare/v0.9.8...v0.9.11
+[0.9.8]: https://github.com/torrentclaw/unarr/compare/v0.9.7...v0.9.8
 [0.9.7]: https://github.com/torrentclaw/unarr/compare/v0.9.6...v0.9.7
 [0.9.6]: https://github.com/torrentclaw/unarr/compare/v0.9.5...v0.9.6
 [0.9.5]: https://github.com/torrentclaw/unarr/compare/v0.9.4...v0.9.5

internal/agent/client.go

@@ -109,6 +109,27 @@ func (c *Client) ReportUpgradeResult(ctx context.Context, agentID string, succes
 	return nil
 }
 
+// MarkSessionReady signals the server that the first HLS segment + init.mp4
+// landed on disk for the given session. The web side flips
+// streaming_session.ready_at = NOW(), which its SSE endpoint emits to
+// subscribed players so the "Preparando…" UI ends without polling HEAD
+// on /hls/<id>/master.m3u8.
+//
+// Best-effort: the server is the source of truth for session state and
+// will reach the same conclusion via HEAD probes anyway if this call
+// fails. We log the error in the caller but don't retry — by the time
+// a retry would land the user is likely already playing.
+func (c *Client) MarkSessionReady(ctx context.Context, sessionID string) error {
+	req := struct {
+		SessionID string `json:"sessionId"`
+	}{SessionID: sessionID}
+	var resp StatusResponse
+	if err := c.doPost(ctx, "/api/internal/agent/session-ready", req, &resp); err != nil {
+		return fmt.Errorf("mark session ready: %w", err)
+	}
+	return nil
+}
+
 // ReportStatus reports download progress. Returns server-side flags the CLI must act on.
 func (c *Client) ReportStatus(ctx context.Context, update StatusUpdate) (*StatusResponse, error) {
 	var resp StatusResponse

internal/agent/daemon.go

@@ -28,7 +28,15 @@ type DaemonConfig struct {
 	ScanPaths          []string // configured scan paths for file deletion validation
 	HWAccel            string   // detected encoder backend ("nvenc"/"qsv"/"vaapi"/"videotoolbox"/"none")
 	MaxTranscodeHeight int      // resolution cap the agent can transcode comfortably (px)
-	AutoUpgrade        bool     // honor server-flagged upgrades by downloading + restarting (default: true)
+	// Diagnostic data populated by engine.DetectHWAccelDiagnostic at daemon
+	// start. Surfaced in the web "Diagnose transcoder" modal — lets a user
+	// see which encoders the ffmpeg binary supports and which devices the
+	// host exposes without running `unarr probe-hwaccel`.
+	FFmpegVersion string   // first line of `ffmpeg -version`
+	FFmpegPath    string   // resolved binary path
+	HWEncoders    []string // HW-class encoder names found in `ffmpeg -encoders`
+	HWDevices     []string // device files + driver bins detected at probe time
+	AutoUpgrade   bool     // honor server-flagged upgrades by downloading + restarting (default: true)
 }
 
 // Daemon manages agent registration and the sync loop.
@@ -122,6 +130,10 @@ func (d *Daemon) Register(ctx context.Context) error {
 		TailscaleIP:        d.cfg.TailscaleIP,
 		HWAccel:            d.cfg.HWAccel,
 		MaxTranscodeHeight: d.cfg.MaxTranscodeHeight,
+		FFmpegVersion:      d.cfg.FFmpegVersion,
+		FFmpegPath:         d.cfg.FFmpegPath,
+		HWEncoders:         d.cfg.HWEncoders,
+		HWDevices:          d.cfg.HWDevices,
 		VPNActive:          d.vpnActive,
 		VPNMode:            d.vpnMode,
 		VPNServer:          d.vpnServer,

internal/agent/types.go

@@ -26,6 +26,15 @@ type RegisterRequest struct {
 	// up to 2160p.
 	HWAccel            string `json:"hwAccel,omitempty"`
 	MaxTranscodeHeight int    `json:"maxTranscodeHeight,omitempty"`
+	// Diagnostic surface filled by engine.DetectHWAccelDiagnostic at daemon
+	// start. Surfaced in the web "Diagnose transcoder" modal so users can
+	// see *why* their HWAccel landed on "none" without running
+	// `unarr probe-hwaccel` locally — most commonly the ffmpeg binary
+	// shipped without HW encoders (linuxbrew, brew's default formula).
+	FFmpegVersion string   `json:"ffmpegVersion,omitempty"`
+	FFmpegPath    string   `json:"ffmpegPath,omitempty"`
+	HWEncoders    []string `json:"hwEncoders,omitempty"`
+	HWDevices     []string `json:"hwDevices,omitempty"`
 	// Managed-VPN split-tunnel state. The web tracks which agent holds the single
 	// WireGuard slot (1 VPNResellers account = 1 WG keypair = 1 concurrent
 	// connection); other agents are told to use OpenVPN on their host instead.

internal/cmd/daemon.go

@@ -143,7 +143,19 @@ func runDaemonStart() error {
 	// is what the web side uses to decide whether the user should pre-empt
 	// transcoding by downloading a smaller version (4K source on a software
 	// libx264-only host is the canonical case where pre-download wins).
-	hwAccelPick := engine.DetectHWAccel(context.Background(), cfg.Library.FFmpegPath)
+	//
+	// Use the full diagnostic (encoders + devices + ffmpeg version) instead
+	// of just the picked backend — the extra fields ride along in the
+	// register payload so the web "Diagnose transcoder" modal can show *why*
+	// libx264 was selected on a host with a GPU (e.g. brew's ffmpeg without
+	// --enable-nvenc). 10 s ceiling so a hung ffmpeg binary can't stall
+	// startup forever.
+	ffmpegResolved, _ := mediainfo.ResolveFFmpeg(cfg.Library.FFmpegPath)
+	probeCtx, probeCancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer probeCancel() // guard against a panic inside DetectHWAccelDiagnostic
+	hwDiag := engine.DetectHWAccelDiagnostic(probeCtx, ffmpegResolved)
+	log.Println(hwDiag.LogLine())
+	hwAccelPick := hwDiag.Pick
 	maxTranscodeHeight := 1080
 	if hwAccelPick != engine.HWAccelNone {
 		maxTranscodeHeight = 2160
@@ -162,6 +174,10 @@ func runDaemonStart() error {
 		ScanPaths:          library.ResolveScanPaths(cfg.Download.Dir, cfg.Organize.MoviesDir, cfg.Organize.TVShowsDir, cfg.Library.ScanPath),
 		HWAccel:            string(hwAccelPick),
 		MaxTranscodeHeight: maxTranscodeHeight,
+		FFmpegVersion:      hwDiag.FFmpegVersion,
+		FFmpegPath:         hwDiag.FFmpegPath,
+		HWEncoders:         hwDiag.Encoders,
+		HWDevices:          hwDiag.Devices,
 		AutoUpgrade:        cfg.Daemon.AutoUpgradeEnabled(),
 	}
 
@@ -596,6 +612,11 @@ func runDaemonStart() error {
 				return
 			}
 			streamSrv.HLS().Register(hsess)
+			// Tell the server seg-0 is on disk as soon as it lands so the
+			// player's SSE subscription flips its "Preparando…" UI without
+			// waiting for the browser HEAD-probe loop to discover it
+			// independently. Cache-HIT sessions are ready immediately.
+			go watchSessionReady(hlsCtx, agentClient, hsess, sess.SessionID)
 		}()
 	}
 
@@ -924,3 +945,48 @@ func mirrorCORSOrigins(parent context.Context, cfg config.Config, userAgent stri
 	}
 	return out
 }
+
+// watchSessionReady polls HLSSession.ReadyCount until the first segment +
+// init.mp4 are on disk, then POSTs /api/internal/agent/session-ready so
+// the web side flips streaming_session.ready_at — which its SSE endpoint
+// pushes to subscribed players. Cache-HIT sessions are ready the moment
+// StartHLSSession returns and POST immediately.
+//
+// Bounded by a 60 s deadline so a permanently stuck encoder doesn't keep
+// a goroutine alive forever; if seg-0 never lands the player falls back
+// to its existing HEAD-probe retry path anyway.
+func watchSessionReady(ctx context.Context, client *agent.Client, hsess *engine.HLSSession, sessionID string) {
+	deadline := time.Now().Add(60 * time.Second)
+	ticker := time.NewTicker(200 * time.Millisecond)
+	defer ticker.Stop()
+	for {
+		// Session torn down through a path that didn't cancel ctx (registry
+		// replace, idle sweep, internal kill). Bail before polling further —
+		// without this check the watcher could keep alive for up to 60 s on
+		// a dead HLSSession that's never going to become ready.
+		if hsess.IsClosed() {
+			return
+		}
+		// Cache HIT or seg-0 ready → notify + done.
+		if hsess.FromCache() || hsess.ReadyCount() >= 1 {
+			// Parent ctx so a session cancel mid-POST (user closed tab,
+			// daemon shutdown) tears down the in-flight webhook instead of
+			// blocking the goroutine for up to 10 s on a now-orphan call.
+			rctx, cancel := context.WithTimeout(ctx, 10*time.Second)
+			if err := client.MarkSessionReady(rctx, sessionID); err != nil {
+				log.Printf("[hls %s] mark-ready failed: %v", agent.ShortID(sessionID), err)
+			}
+			cancel()
+			return
+		}
+		select {
+		case <-ctx.Done():
+			return
+		case <-ticker.C:
+		}
+		if time.Now().After(deadline) {
+			log.Printf("[hls %s] mark-ready: timeout waiting for seg-0", agent.ShortID(sessionID))
+			return
+		}
+	}
+}

internal/cmd/version.go

@@ -1,4 +1,4 @@
 package cmd
 
 // Version is the CLI version. Overridden by goreleaser ldflags at release time.
-var Version = "0.9.11"
+var Version = "0.9.14"

internal/engine/hls.go

@@ -519,6 +519,28 @@ func (s *HLSSession) ProbeInfo() map[string]any {
 	}
 }
 
+// ReadyCount returns how many segments are currently fully on disk.
+// Caller can `>= 1` it to check whether seg-0 has landed (and so the
+// player can be told to attach). For cache-HIT sessions this is always
+// `segmentCount` from the moment StartHLSSession returns.
+func (s *HLSSession) ReadyCount() int {
+	s.readyMu.Lock()
+	defer s.readyMu.Unlock()
+	return s.readyMax
+}
+
+// FromCache reports whether this session was served from the HLS cache
+// (no ffmpeg subprocess spawned). Used by ready-watcher logic to short-
+// circuit polling — a cache HIT is ready the moment we return.
+func (s *HLSSession) FromCache() bool { return s.fromCache }
+
+// IsClosed reports whether Close() has been invoked. Exposed (vs the
+// internal isClosed) so external watchers — the ready-webhook
+// goroutine in cmd/daemon.go — can short-circuit polling on a session
+// that was torn down through a different code path (registry replace,
+// idle sweep) without racing on the unexported helper.
+func (s *HLSSession) IsClosed() bool { return s.isClosed() }
+
 // MasterPlaylist returns the rendered master.m3u8 contents.
 func (s *HLSSession) MasterPlaylist() string { return s.manifestRoot }
 
@@ -1146,6 +1168,17 @@ func buildHLSFFmpegArgsAt(cfg HLSSessionConfig, probe *StreamProbe, tmpDir strin
 		// silently ignores `-q:v`, so the constant-quality knob never
 		// took effect anyway.
 		args = append(args, "-realtime", "1")
+	case "h264_vaapi":
+		// h264_vaapi has no preset knob. Bitrate args (set later) drive
+		// rate control. Add `-vaapi_device /dev/dri/renderD128` so the
+		// encoder doesn't fall back to a NULL device on multi-GPU hosts
+		// where the default render node is a non-VAAPI GPU (an Nvidia
+		// dGPU's render node, etc.). The filter chain below switches to
+		// `format=nv12,hwupload` so frames land on the right VAAPI
+		// surface before the encoder; we intentionally avoid scale_vaapi
+		// because mesa 25 + Raphael iGPU emits "Cannot allocate memory"
+		// per session start, polluting logs even though encode succeeds.
+		args = append(args, "-vaapi_device", "/dev/dri/renderD128")
 	}
 	// Derive H.264 level from the actual output height. A fixed "4.0" caps the
 	// encoder at 1080p — anything taller (1440p, 4K source on quality=original)
@@ -1196,14 +1229,32 @@ func buildHLSFFmpegArgsAt(cfg HLSSessionConfig, probe *StreamProbe, tmpDir strin
 	if maxH == 0 {
 		maxH = cfg.Transcode.MaxHeight
 	}
+	// VAAPI needs frames as nv12 VAAPI surfaces before the encoder. We do
+	// scale + format conversion on CPU then `hwupload` once at the end —
+	// skips the mesa 25 + Raphael iGPU "Cannot allocate memory" log spam
+	// that scale_vaapi triggers per-session-start while still delivering
+	// the encoder a GPU surface. setparams is dropped because VAAPI
+	// surfaces don't expose VUI fields the way libx264 does; the encoder
+	// records its own color metadata via the source PTS chain.
+	pixFormat := "yuv420p"
+	hwUploadTail := ""
+	colorTail := ",setparams=colorspace=bt709:color_trc=bt709:color_primaries=bt709:range=tv"
+	if codec == "h264_vaapi" {
+		pixFormat = "nv12"
+		hwUploadTail = ",hwupload"
+		colorTail = ""
+	}
 	var filterChain string
 	if maxH > 0 && probe.Height > maxH {
 		filterChain = fmt.Sprintf(
-			"scale=-2:%d:force_original_aspect_ratio=decrease,scale=trunc(iw/2)*2:trunc(ih/2)*2,format=yuv420p,setparams=colorspace=bt709:color_trc=bt709:color_primaries=bt709:range=tv",
-			maxH,
+			"scale=-2:%d:force_original_aspect_ratio=decrease,scale=trunc(iw/2)*2:trunc(ih/2)*2,format=%s%s%s",
+			maxH, pixFormat, colorTail, hwUploadTail,
 		)
 	} else {
-		filterChain = "scale=trunc(iw/2)*2:trunc(ih/2)*2,format=yuv420p,setparams=colorspace=bt709:color_trc=bt709:color_primaries=bt709:range=tv"
+		filterChain = fmt.Sprintf(
+			"scale=trunc(iw/2)*2:trunc(ih/2)*2,format=%s%s%s",
+			pixFormat, colorTail, hwUploadTail,
+		)
 	}
 	args = append(args, "-vf", filterChain)
 

internal/engine/vaapi_args_test.go

@@ -0,0 +1,97 @@
+package engine
+
+import (
+	"strings"
+	"testing"
+)
+
+func TestBuildHLSFFmpegArgsVAAPI(t *testing.T) {
+	cfg := HLSSessionConfig{
+		SessionID:  "test",
+		SourcePath: "/tmp/test.mkv",
+		Quality:    "720p",
+		AudioIndex: 0,
+		Transcode: TranscodeRuntime{
+			FFmpegPath:  "/usr/bin/ffmpeg",
+			FFprobePath: "/usr/bin/ffprobe",
+			HWAccel:     HWAccelVAAPI,
+		},
+	}
+	probe := &StreamProbe{Width: 1920, Height: 1080, DurationSec: 100}
+	args := buildHLSFFmpegArgsAt(cfg, probe, "/tmp/tmpdir", 0, 0)
+	got := strings.Join(args, " ")
+
+	wants := []string{
+		"-hwaccel vaapi",
+		"-vaapi_device /dev/dri/renderD128",
+		"-c:v h264_vaapi",
+		"format=nv12",
+		"hwupload",
+	}
+	for _, want := range wants {
+		if !strings.Contains(got, want) {
+			t.Errorf("argv missing %q\n%s", want, got)
+		}
+	}
+	if strings.Contains(got, "scale_vaapi") {
+		t.Errorf("argv unexpectedly contains scale_vaapi (mesa bug): %s", got)
+	}
+	if strings.Contains(got, "format=yuv420p") {
+		t.Errorf("argv contains format=yuv420p (libx264 path) for VAAPI codec: %s", got)
+	}
+}
+
+func TestBuildHLSFFmpegArgsLibx264NoRegression(t *testing.T) {
+	cfg := HLSSessionConfig{
+		SessionID:  "test",
+		SourcePath: "/tmp/test.mkv",
+		Quality:    "720p",
+		AudioIndex: 0,
+		Transcode: TranscodeRuntime{
+			FFmpegPath:  "/usr/bin/ffmpeg",
+			FFprobePath: "/usr/bin/ffprobe",
+			HWAccel:     HWAccelNone,
+		},
+	}
+	probe := &StreamProbe{Width: 1920, Height: 1080, DurationSec: 100}
+	args := buildHLSFFmpegArgsAt(cfg, probe, "/tmp/tmpdir", 0, 0)
+	got := strings.Join(args, " ")
+	for _, want := range []string{"-c:v libx264", "format=yuv420p", "setparams=colorspace=bt709"} {
+		if !strings.Contains(got, want) {
+			t.Errorf("libx264 argv missing %q: %s", want, got)
+		}
+	}
+	for _, bad := range []string{"-vaapi_device", "format=nv12", "hwupload"} {
+		if strings.Contains(got, bad) {
+			t.Errorf("libx264 argv unexpectedly contains %q: %s", bad, got)
+		}
+	}
+}
+
+// TestBuildHLSFFmpegArgsVAAPIDump prints the full argv buildHLSFFmpegArgsAt
+// emits for a typical VAAPI session. Mimics the daemon spawn step so the
+// operator can verify the ffmpeg command-line shape without booting the
+// stack — equivalent to `journalctl --user -u unarr-dev | grep ffmpeg`
+// but without waiting for a real player session.
+func TestBuildHLSFFmpegArgsVAAPIDump(t *testing.T) {
+	cfg := HLSSessionConfig{
+		SessionID:  "vaapi-smoke",
+		SourcePath: "/mnt/nas/peliculas/sample.mkv",
+		Quality:    "720p",
+		AudioIndex: -1,
+		Transcode: TranscodeRuntime{
+			FFmpegPath:  "/usr/bin/ffmpeg",
+			FFprobePath: "/usr/bin/ffprobe",
+			HWAccel:     HWAccelVAAPI,
+		},
+	}
+	probe := &StreamProbe{
+		VideoCodec:  "hevc",
+		Width:       3840,
+		Height:      2160,
+		DurationSec: 5400,
+		AudioTracks: []ProbeAudioTrack{{Index: 0, Lang: "en", Codec: "ac3"}},
+	}
+	args := buildHLSFFmpegArgsAt(cfg, probe, "/tmp/smoke-tmpdir", 0, 0)
+	t.Logf("ffmpeg %s", strings.Join(args, " "))
+}