torrentclaw/unarr
1
0
Fork 0
Code Issues Pull requests Projects Releases 4 Packages Wiki Activity Actions

Compare commits

base: torrentclaw:main
Branches Tags
torrentclaw:main
torrentclaw:master
torrentclaw:feat/ultra-vpn
torrentclaw:dependabot/go_modules/github.com/pion/webrtc/v4-4.2.12
torrentclaw:dependabot/go_modules/golang.org/x/term-0.43.0
torrentclaw:feat/webrtc-p2p-streaming
torrentclaw:feature/plex-jellyfin-integration
torrentclaw:dependabot/go_modules/github.com/getsentry/sentry-go-0.46.2
torrentclaw:dependabot/github_actions/codecov/codecov-action-6
torrentclaw:dependabot/github_actions/docker/metadata-action-6
torrentclaw:dependabot/github_actions/docker/setup-qemu-action-4
torrentclaw:dependabot/github_actions/docker/login-action-4
torrentclaw:dependabot/github_actions/docker/build-push-action-7
torrentclaw:v0.9.15
torrentclaw:v0.9.14
torrentclaw:v0.9.13
torrentclaw:v0.9.11
torrentclaw:v0.9.8
torrentclaw:v0.9.7
torrentclaw:v0.9.6
torrentclaw:v0.9.5
torrentclaw:v0.9.4
torrentclaw:v0.9.3
torrentclaw:v0.9.2
torrentclaw:v0.9.1
torrentclaw:v0.9.0
torrentclaw:v0.8.1
torrentclaw:v0.8.0
torrentclaw:v0.7.0
torrentclaw:v0.6.8
torrentclaw:v0.6.7
torrentclaw:v0.6.6
torrentclaw:v0.6.5
torrentclaw:v0.6.4
torrentclaw:v0.6.3
torrentclaw:v0.6.2
torrentclaw:v0.6.1
torrentclaw:v0.6.0
torrentclaw:v0.5.5
torrentclaw:v0.5.4
torrentclaw:v0.5.3
torrentclaw:v0.5.2
torrentclaw:v0.5.1
torrentclaw:v0.5.0
torrentclaw:v0.4.1
torrentclaw:v0.4.0
torrentclaw:v0.3.7
torrentclaw:v0.3.6
torrentclaw:v0.3.5
torrentclaw:v0.3.3
torrentclaw:v0.3.2
torrentclaw:v0.3.1
torrentclaw:v0.3.0
..
compare: torrentclaw:v0.9.13
Branches Tags
torrentclaw:main
torrentclaw:master
torrentclaw:feat/ultra-vpn
torrentclaw:dependabot/go_modules/github.com/pion/webrtc/v4-4.2.12
torrentclaw:dependabot/go_modules/golang.org/x/term-0.43.0
torrentclaw:feat/webrtc-p2p-streaming
torrentclaw:feature/plex-jellyfin-integration
torrentclaw:dependabot/go_modules/github.com/getsentry/sentry-go-0.46.2
torrentclaw:dependabot/github_actions/codecov/codecov-action-6
torrentclaw:dependabot/github_actions/docker/metadata-action-6
torrentclaw:dependabot/github_actions/docker/setup-qemu-action-4
torrentclaw:dependabot/github_actions/docker/login-action-4
torrentclaw:dependabot/github_actions/docker/build-push-action-7
torrentclaw:v0.9.15
torrentclaw:v0.9.14
torrentclaw:v0.9.13
torrentclaw:v0.9.11
torrentclaw:v0.9.8
torrentclaw:v0.9.7
torrentclaw:v0.9.6
torrentclaw:v0.9.5
torrentclaw:v0.9.4
torrentclaw:v0.9.3
torrentclaw:v0.9.2
torrentclaw:v0.9.1
torrentclaw:v0.9.0
torrentclaw:v0.8.1
torrentclaw:v0.8.0
torrentclaw:v0.7.0
torrentclaw:v0.6.8
torrentclaw:v0.6.7
torrentclaw:v0.6.6
torrentclaw:v0.6.5
torrentclaw:v0.6.4
torrentclaw:v0.6.3
torrentclaw:v0.6.2
torrentclaw:v0.6.1
torrentclaw:v0.6.0
torrentclaw:v0.5.5
torrentclaw:v0.5.4
torrentclaw:v0.5.3
torrentclaw:v0.5.2
torrentclaw:v0.5.1
torrentclaw:v0.5.0
torrentclaw:v0.4.1
torrentclaw:v0.4.0
torrentclaw:v0.3.7
torrentclaw:v0.3.6
torrentclaw:v0.3.5
torrentclaw:v0.3.3
torrentclaw:v0.3.2
torrentclaw:v0.3.1
torrentclaw:v0.3.0

No commits in common. "main" and "v0.9.13" have entirely different histories.
main ... v0.9.13

24 changed files with 437 additions and 633 deletions
Download patch file Download diff file Expand all files Collapse all files

61
.forgejo/workflows/docker-rebuild.yml
View file

@ -1,61 +0,0 @@
# Rebuilds and re-pushes the `latest` image without a version bump so newly
# *fixed* Alpine / ffmpeg / Go patches land between tagged releases. Versioned
# tags are immutable and never touched here. Runs weekly and on demand.
name: Docker rebuild
on:
schedule:
# Mondays 04:17 UTC (off the hour to avoid the scheduler rush)
- cron: "17 4 * * 1"
workflow_dispatch:
jobs:
rebuild:
runs-on: docker
container:
image: docker.io/library/docker:27-cli
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install build deps
run: apk add --no-cache curl git bash
- name: Install buildx
run: |
mkdir -p ~/.docker/cli-plugins
curl -sSL https://github.com/docker/buildx/releases/latest/download/buildx-linux-amd64 \
-o ~/.docker/cli-plugins/docker-buildx
chmod +x ~/.docker/cli-plugins/docker-buildx
- name: Set up qemu
run: docker run --rm --privileged tonistiigi/binfmt --install all
# Stamp the binary with the most recent release tag (not "dev").
- name: Resolve version
id: ver
run: |
v=$(git describe --tags --abbrev=0 2>/dev/null || echo dev)
echo "version=$v" >> "$GITHUB_OUTPUT"
- name: Login to Docker Hub
env:
DH_USER: ${{ secrets.DOCKERHUB_USERNAME }}
DH_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
run: echo "$DH_TOKEN" | docker login -u "$DH_USER" --password-stdin
- name: Build + push (refresh latest)
env:
VERSION: ${{ steps.ver.outputs.version }}
run: |
docker buildx create --name builder --use --driver docker-container
# Refresh the floating tag only — never overwrite a versioned release.
# Force a fresh base pull so apk upgrade picks up new patches.
docker buildx build \
--platform linux/amd64,linux/arm64 \
--build-arg "VERSION=$VERSION" \
--tag "torrentclaw/unarr:latest" \
--no-cache \
--push \
.

118
.forgejo/workflows/release.yml
View file

@ -1,118 +0,0 @@
name: Release
on:
push:
tags:
- "v*"
workflow_dispatch:
permissions:
contents: write
jobs:
release:
runs-on: docker
container:
image: docker.io/library/golang:1.25
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install build deps (bash, curl, jq, ffmpeg fetch deps)
run: |
apt-get update
apt-get install -y --no-install-recommends bash curl ca-certificates jq xz-utils unzip
- name: Install goreleaser
run: |
curl -sSfL https://github.com/goreleaser/goreleaser/releases/latest/download/goreleaser_Linux_x86_64.tar.gz \
| tar -xz -C /usr/local/bin goreleaser
- name: Run goreleaser
env:
# Forgejo runner auto-injects GITHUB_TOKEN (a per-job, instance-scoped
# token usable against the Forgejo REST API). goreleaser only accepts
# one token; with both GITHUB_TOKEN + GITEA_TOKEN set it errors out
# ("multiple tokens"). Unset GITHUB_TOKEN before invoking goreleaser so
# it picks the Gitea code path + the gitea_urls block in .goreleaser.yml.
GITEA_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
# Empty when RELEASE_SIGNING_PUBKEY variable is unset — goreleaser
# accepts it and the resulting binary disables signature checks
# (back-compat: pre-signing releases continue to update). Set
# RELEASE_SIGNING_PUBKEY (variable) + RELEASE_SIGNING_KEY (secret)
# to turn verification on.
RELEASE_SIGNING_PUBKEY: ${{ vars.RELEASE_SIGNING_PUBKEY }}
run: |
unset GITHUB_TOKEN
goreleaser release --clean
- name: Sign checksums.txt with ed25519
if: ${{ vars.RELEASE_SIGNING_PUBKEY != '' && secrets.RELEASE_SIGNING_KEY != '' }}
env:
RELEASE_SIGNING_KEY: ${{ secrets.RELEASE_SIGNING_KEY }}
RELEASE_TAG: ${{ github.ref_name }}
FORGEJO_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# Tailscale IP — domain-agnostic; the runner shares the dokploy-network with
# forgejo (hostname `forgejo`), so the in-cluster hostname is fastest, but the
# Tailscale IP is the documented fallback.
FORGEJO_API: http://forgejo:3000/api/v1
REPO: torrentclaw/unarr
run: |
set -euo pipefail
go run ./scripts/sign-checksums \
-key "$RELEASE_SIGNING_KEY" \
-in dist/checksums.txt \
-out dist/checksums.txt.sig
# Find the release ID for this tag, then upload the sig as an asset.
rel_id=$(curl -sSf "$FORGEJO_API/repos/$REPO/releases/tags/$RELEASE_TAG" \
-H "Authorization: token $FORGEJO_TOKEN" | jq -r '.id')
curl -sSf -X POST \
"$FORGEJO_API/repos/$REPO/releases/$rel_id/assets?name=checksums.txt.sig" \
-H "Authorization: token $FORGEJO_TOKEN" \
-F "attachment=@dist/checksums.txt.sig"
docker:
needs: release
runs-on: docker
container:
# Docker-in-Docker capable image — buildx + qemu pre-installed.
image: docker.io/library/docker:27-cli
steps:
- uses: actions/checkout@v4
- name: Install buildx
run: |
apk add --no-cache curl
mkdir -p ~/.docker/cli-plugins
curl -sSL https://github.com/docker/buildx/releases/latest/download/buildx-linux-amd64 \
-o ~/.docker/cli-plugins/docker-buildx
chmod +x ~/.docker/cli-plugins/docker-buildx
- name: Login to Docker Hub
env:
DH_USER: ${{ secrets.DOCKERHUB_USERNAME }}
DH_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
run: echo "$DH_TOKEN" | docker login -u "$DH_USER" --password-stdin
- name: Set up qemu
run: docker run --rm --privileged tonistiigi/binfmt --install all
- name: Build + push multi-arch image
env:
VERSION: ${{ github.ref_name }}
run: |
set -euo pipefail
VERSION_SEMVER="${VERSION#v}"
MAJOR_MINOR="${VERSION_SEMVER%.*}"
docker buildx create --name builder --use --driver docker-container
docker buildx build \
--platform linux/amd64,linux/arm64 \
--build-arg "VERSION=$VERSION" \
--tag "torrentclaw/unarr:$VERSION_SEMVER" \
--tag "torrentclaw/unarr:$MAJOR_MINOR" \
--tag "torrentclaw/unarr:latest" \
--push \
.

74
.forgejo/workflows/ci.yml → .github/workflows/ci.yml vendored
View file

@ -12,26 +12,35 @@ permissions:
jobs: jobs:
test: test:
name: Test name: Test
runs-on: docker runs-on: ubuntu-latest
container: strategy:
image: docker.io/library/golang:1.25 matrix:
go-version: ["1.25"]
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v6
- name: Set up Go
uses: actions/setup-go@v6
with:
go-version: ${{ matrix.go-version }}
- name: Run tests - name: Run tests
run: go test -v -race -count=1 ./... run: go test -v -race -count=1 ./...
build: build:
name: Build name: Build
runs-on: docker runs-on: ubuntu-latest
container:
image: docker.io/library/golang:1.25
strategy: strategy:
matrix: matrix:
goos: [linux, darwin, windows] goos: [linux, darwin, windows]
goarch: [amd64, arm64] goarch: [amd64, arm64]
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v6
- name: Set up Go
uses: actions/setup-go@v6
with:
go-version: "1.25"
- name: Build - name: Build
env: env:
@ -41,30 +50,30 @@ jobs:
lint: lint:
name: Lint name: Lint
runs-on: docker runs-on: ubuntu-latest
container:
image: docker.io/library/golang:1.25
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v6
- name: Install golangci-lint - name: Set up Go
run: | uses: actions/setup-go@v6
curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/v2.11.4/install.sh \ with:
| sh -s -- -b /usr/local/bin v2.11.4 go-version: "1.25"
- name: Run golangci-lint - name: Run golangci-lint
run: golangci-lint run ./... uses: golangci/golangci-lint-action@v9
with:
version: v2.11.4
coverage: coverage:
name: Coverage name: Coverage
runs-on: docker runs-on: ubuntu-latest
container:
image: docker.io/library/golang:1.25
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v6
- name: Install python3 - name: Set up Go
run: apt-get update && apt-get install -y --no-install-recommends python3 uses: actions/setup-go@v6
with:
go-version: "1.25"
- name: Run tests with coverage (all packages) - name: Run tests with coverage (all packages)
run: | run: |
@ -93,13 +102,24 @@ jobs:
print('OK: Coverage meets minimum threshold') print('OK: Coverage meets minimum threshold')
" "
- name: Upload coverage to Codecov
uses: codecov/codecov-action@v6
with:
files: ./coverage.out
fail_ci_if_error: false
env:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
vet: vet:
name: Vet name: Vet
runs-on: docker runs-on: ubuntu-latest
container:
image: docker.io/library/golang:1.25
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v6
- name: Set up Go
uses: actions/setup-go@v6
with:
go-version: "1.25"
- name: Run go vet - name: Run go vet
run: go vet ./... run: go vet ./...

52
.github/workflows/docker-rebuild.yml vendored Normal file
View file

@ -0,0 +1,52 @@
# Rebuilds and re-pushes the `latest` image without a version bump so newly
# *fixed* Alpine / ffmpeg / Go patches land between tagged releases. Versioned
# tags are immutable and never touched here. Runs weekly and on demand.
name: Docker rebuild
on:
schedule:
# Mondays 04:17 UTC (off the hour to avoid the scheduler rush)
- cron: "17 4 * * 1"
workflow_dispatch:
jobs:
rebuild:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
with:
fetch-depth: 0
# Stamp the binary with the most recent release tag (not "dev").
- name: Resolve version
id: ver
run: echo "version=$(git describe --tags --abbrev=0 2>/dev/null || echo dev)" >> "$GITHUB_OUTPUT"
- uses: docker/setup-qemu-action@v4
- uses: docker/setup-buildx-action@v4
- uses: docker/login-action@v4
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- uses: docker/build-push-action@v7
with:
context: .
push: true
platforms: linux/amd64,linux/arm64
# Refresh the floating tag only — never overwrite a versioned release.
tags: torrentclaw/unarr:latest
build-args: |
VERSION=${{ steps.ver.outputs.version }}
# Force a fresh base pull so apk upgrade picks up new patches.
no-cache: true
- name: Scan image for fixable CVEs (gate)
uses: docker/scout-action@v1
with:
command: cves
image: torrentclaw/unarr:latest
only-severities: critical,high
only-fixed: true
exit-code: true

52
.github/workflows/pages.yml vendored Normal file
View file

@ -0,0 +1,52 @@
name: Deploy install scripts to Pages
on:
push:
branches: [main]
paths:
- install.sh
- install.ps1
- CNAME
- .nojekyll
- .github/workflows/pages.yml
workflow_dispatch:
permissions:
contents: read
pages: write
id-token: write
concurrency:
group: pages
cancel-in-progress: false
jobs:
deploy:
runs-on: ubuntu-latest
environment:
name: github-pages
url: ${{ steps.deployment.outputs.page_url }}
steps:
- uses: actions/checkout@v4
- uses: actions/configure-pages@v5
- name: Stage install scripts
run: |
mkdir -p _site
cp install.sh install.ps1 _site/
[ -f CNAME ] && cp CNAME _site/
touch _site/.nojekyll
# Also index page (humans landing)
cat > _site/index.html <<'HTML'
<!doctype html>
<html><head><meta charset=utf-8><title>unarr installer</title></head>
<body><h1>unarr CLI installer</h1>
<pre>Linux/macOS: curl -fsSL https://unarr.torrentclaw.com/install.sh | sh
Windows: irm https://unarr.torrentclaw.com/install.ps1 | iex</pre>
<p>Source: <a href="https://github.com/torrentclaw/unarr">github.com/torrentclaw/unarr</a></p>
</body></html>
HTML
- uses: actions/upload-pages-artifact@v3
with:
path: _site
- id: deployment
uses: actions/deploy-pages@v4

210
.github/workflows/release.yml vendored Normal file
View file

@ -0,0 +1,210 @@
name: Release
on:
push:
tags:
- "v*"
permissions:
contents: write
jobs:
release:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
with:
fetch-depth: 0
- uses: actions/setup-go@v6
with:
go-version-file: go.mod
- uses: goreleaser/goreleaser-action@v6
with:
version: "~> v2"
args: release --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
# Empty when RELEASE_SIGNING_PUBKEY variable is unset — goreleaser
# accepts it and the resulting binary disables signature checks
# (back-compat: pre-signing releases continue to update). Set
# RELEASE_SIGNING_PUBKEY (variable) + RELEASE_SIGNING_KEY (secret)
# to turn verification on.
RELEASE_SIGNING_PUBKEY: ${{ vars.RELEASE_SIGNING_PUBKEY }}
- name: Sign checksums.txt with ed25519
# Reference secrets.X directly — step-level env defined in this same
# step is unreliable to read from this step's own if: expression.
if: ${{ vars.RELEASE_SIGNING_PUBKEY != '' && secrets.RELEASE_SIGNING_KEY != '' }}
env:
RELEASE_SIGNING_KEY: ${{ secrets.RELEASE_SIGNING_KEY }}
RELEASE_TAG: ${{ github.ref_name }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -euo pipefail
go run ./scripts/sign-checksums \
-key "$RELEASE_SIGNING_KEY" \
-in dist/checksums.txt \
-out dist/checksums.txt.sig
gh release upload "$RELEASE_TAG" dist/checksums.txt.sig --clobber
docker:
needs: release
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- name: Docker meta
id: meta
uses: docker/metadata-action@v6
with:
images: torrentclaw/unarr
tags: |
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=raw,value=latest
- uses: docker/setup-qemu-action@v4
- uses: docker/setup-buildx-action@v4
- uses: docker/login-action@v4
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- uses: docker/build-push-action@v7
with:
context: .
push: true
platforms: linux/amd64,linux/arm64
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
build-args: |
VERSION=${{ github.ref_name }}
# CVE gate. Fails the release on FIXABLE critical/high only — unfixed
# upstream ffmpeg codec CVEs are accepted (see SECURITY.md), so the
# codec noise does not block. Runs post-push (image already published);
# a failure here flags that a fixable CVE slipped through.
- name: Scan image for fixable CVEs (gate)
uses: docker/scout-action@v1
with:
command: cves
image: torrentclaw/unarr:latest
only-severities: critical,high
only-fixed: true
exit-code: true
# Sync the Docker Hub repo description from DOCKERHUB.md. Non-fatal: a
# description-API auth hiccup must not undo a successful image push.
- name: Update Docker Hub description
uses: peter-evans/dockerhub-description@v4
continue-on-error: true
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
repository: torrentclaw/unarr
readme-filepath: ./DOCKERHUB.md
short-description: "unarr — the single binary that replaces your *arr stack"
virustotal:
needs: release
runs-on: ubuntu-latest
if: vars.VT_ENABLED == 'true'
steps:
- name: Get release tag
id: tag
run: echo "tag=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT"
- name: Download release assets
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
mkdir -p assets
gh release download "${{ steps.tag.outputs.tag }}" \
--repo "${{ github.repository }}" \
--dir assets \
--pattern '*.tar.gz' \
--pattern '*.zip' \
--pattern 'checksums.txt'
- name: Scan assets with VirusTotal
env:
VT_API_KEY: ${{ secrets.VT_API_KEY }}
run: |
mkdir -p results
for file in assets/*; do
filename=$(basename "$file")
echo "Uploading $filename to VirusTotal..."
response=$(curl -s --request POST \
--url https://www.virustotal.com/api/v3/files \
--header "x-apikey: $VT_API_KEY" \
--form "file=@$file")
analysis_id=$(echo "$response" | jq -r '.data.id // empty')
if [ -z "$analysis_id" ]; then
echo "::warning::Failed to upload $filename: $response"
continue
fi
echo "$filename=$analysis_id" >> results/scans.txt
echo " Analysis ID: $analysis_id"
# Rate limit: VT free tier allows 4 req/min
sleep 16
done
- name: Wait for analysis completion
env:
VT_API_KEY: ${{ secrets.VT_API_KEY }}
run: |
echo "Waiting 60s for VirusTotal analysis to complete..."
sleep 60
vt_report="## 🛡️ VirusTotal Scan Results\n\n"
vt_report+="| File | Result | Link |\n"
vt_report+="|------|--------|------|\n"
while IFS='=' read -r filename analysis_id; do
result=$(curl -s --request GET \
--url "https://www.virustotal.com/api/v3/analyses/$analysis_id" \
--header "x-apikey: $VT_API_KEY")
malicious=$(echo "$result" | jq -r '.data.attributes.stats.malicious // 0')
undetected=$(echo "$result" | jq -r '.data.attributes.stats.undetected // 0')
sha256=$(echo "$result" | jq -r '.meta.file_info.sha256 // empty')
if [ "$malicious" = "0" ]; then
status="✅ Clean ($undetected engines)"
else
status="⚠️ $malicious detections"
fi
link="https://www.virustotal.com/gui/file/$sha256"
vt_report+="| \`$filename\` | $status | [View]($link) |\n"
sleep 16
done < results/scans.txt
echo -e "$vt_report" > results/report.md
cat results/report.md
- name: Append scan results to release notes
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
current_body=$(gh release view "${{ steps.tag.outputs.tag }}" \
--repo "${{ github.repository }}" \
--json body --jq '.body')
new_body="${current_body}
$(cat results/report.md)"
gh release edit "${{ steps.tag.outputs.tag }}" \
--repo "${{ github.repository }}" \
--notes "$new_body"

17
.gitignore vendored
View file

@ -43,5 +43,18 @@ tmp/
config/ config/
dist-ffbinaries/ dist-ffbinaries/
# Claude Code: keep entirely local, do not track # Claude Code: global ~/.gitignore excludes .claude/ by default, which hides
.claude/ # project-shared agents/commands/hooks. Override here to commit the shared
# pieces (agents, commands, hooks, settings.json). Keep per-user state local.
!.claude/
!.claude/agents/
!.claude/agents/**
!.claude/commands/
!.claude/commands/**
!.claude/hooks/
!.claude/hooks/**
!.claude/settings.json
.claude/settings.local.json
.claude/projects/
.claude/scheduled_tasks.lock
.claude/skills/

16
.goreleaser.yml
View file

@ -59,22 +59,6 @@ changelog:
- "^test:" - "^test:"
- "^chore:" - "^chore:"
# Self-hosted Forgejo at git.torrentclaw.com. goreleaser detects GITEA_TOKEN +
# these URLs and publishes the release there instead of GitHub. Reachable via
# `forgejo` hostname inside the dokploy-network (the runner shares it); for
# local goreleaser runs outside the network, override via env GITEA_API_URL.
#
# In goreleaser v2 `gitea_urls` is a top-level key (was nested under `release`
# in v1).
gitea_urls:
api: http://forgejo:3000/api/v1
download: https://git.torrentclaw.com
skip_tls_verify: false
release:
draft: false
prerelease: auto
# Homebrew tap — requires PAT with repo scope (not GITHUB_TOKEN) # Homebrew tap — requires PAT with repo scope (not GITHUB_TOKEN)
# Enable when torrentclaw/homebrew-tap PAT is configured as HOMEBREW_TAP_TOKEN # Enable when torrentclaw/homebrew-tap PAT is configured as HOMEBREW_TAP_TOKEN
# brews: # brews:

86
CHANGELOG.md
View file

@ -5,63 +5,37 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [0.9.15] - 2026-05-27
### Added
- **sentry**: enhance error handling by skipping user input errors in CaptureError
### Changed
- **ci**: point Forgejo URLs at torrentclaw org (post-transfer)
- **sentry**: decouple agent import via string-match, rename predicate
### Documentation
- **positioning**: reframe unarr around download/stream/transcode, drop misleading search-first wording
### Fixed
- **ci**: unset GITHUB_TOKEN so goreleaser uses GITEA_TOKEN
- **sentry**: skip "daemon not running" stop/reload errors
### Other
- **scripts**: harden release.sh against double-release and inline version bumps
- untrack .claude/ (private local config)
## [0.9.14] - 2026-05-27
### Added
- **vaapi**: hybrid CPU-scale + hwupload encode path (QW2, 0.9.14)
### CI/CD
- port workflows from .github/ to .forgejo/ (Forgejo Actions)
### Fixed
- **daemon**: defensive IsClosed check in watchSessionReady poll loop
- **daemon**: use parent ctx for MarkSessionReady so cancel propagates
- **release**: move gitea_urls to top-level (goreleaser v2 schema)
## [0.9.13] - 2026-05-27 ## [0.9.13] - 2026-05-27
### Added
- **Session-ready webhook** (`/api/internal/agent/session-ready`). Daemon
watches every new HLSSession's segment counter and, the moment seg-0 +
init.mp4 land on disk, POSTs the sessionId to the server. The web side
flips `streaming_session.ready_at = NOW()`, which its new SSE endpoint
pushes to subscribed players so the "Preparando…" UI flips to
"Stream listo" without waiting for the player's HEAD-probe retry loop
to discover it. Cache-HIT sessions fire the webhook immediately on
StartHLSSession return.
- `engine.HLSSession.ReadyCount()` + `FromCache()` accessors so the
ready-watcher goroutine doesn't reach into private state.
## [0.9.12] - 2026-05-27
### Added ### Added
- **agent**: session-ready webhook for SSE-driven player handshake (0.9.13) - **transcoder diagnostic in register payload**: daemon now sends the full
- **agent**: send full transcoder diagnostic in register payload (0.9.12) HWAccel diagnostic (ffmpeg version, resolved binary path, list of HW
encoders compiled in, list of device files / drivers present) up to the
server on register. The web "Diagnose transcoder" modal surfaces these
so a user stuck on software libx264 can see *why* (e.g. ffmpeg shipped
without `--enable-nvenc`, or `/dev/nvidia0` missing inside a container)
without SSHing into their machine + running `unarr probe-hwaccel`.
- **`[transcode]` startup log line**: daemon prints a single one-line
summary of the picked backend + version + binary path + devices at
start. Same data the web shows; convenient for `journalctl --user -u
unarr | grep transcode`.
### Fixed
- **daemon**: defer probeCancel so a panic mid-diagnostic still releases ctx
### Other
- **release**: add ship.sh end-to-end pipeline as GH Actions backup
- **skills**: add /publish slash command + allow .claude/ in git
## [0.9.11] - 2026-05-27 ## [0.9.11] - 2026-05-27
@ -79,10 +53,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- **cors**: allow play from .to / staging / onion mirrors - **cors**: allow play from .to / staging / onion mirrors
- **library**: classify resolution by width + height, not height alone - **library**: classify resolution by width + height, not height alone
- **transcode**: make preset libx264-only + restore quality opt-in - **transcode**: make preset libx264-only + restore quality opt-in
### Other
- **release**: 0.9.11
## [0.9.8] - 2026-05-27 ## [0.9.8] - 2026-05-27
@ -545,9 +515,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Build ### Build
- add -s -w -trimpath to Makefile, add build-small target with UPX - add -s -w -trimpath to Makefile, add build-small target with UPX
[0.9.15]: https://github.com/torrentclaw/unarr/compare/v0.9.14...v0.9.15 [0.9.11]: https://github.com/torrentclaw/unarr/compare/v0.9.8...v0.9.11
[0.9.14]: https://github.com/torrentclaw/unarr/compare/v0.9.13...v0.9.14 [0.9.8]: https://github.com/torrentclaw/unarr/compare/v0.9.7...v0.9.8
[0.9.13]: https://github.com/torrentclaw/unarr/compare/v0.9.11...v0.9.13 [0.9.12]: https://github.com/torrentclaw/unarr/compare/v0.9.11...v0.9.12
[0.9.11]: https://github.com/torrentclaw/unarr/compare/v0.9.8...v0.9.11 [0.9.11]: https://github.com/torrentclaw/unarr/compare/v0.9.8...v0.9.11
[0.9.8]: https://github.com/torrentclaw/unarr/compare/v0.9.7...v0.9.8 [0.9.8]: https://github.com/torrentclaw/unarr/compare/v0.9.7...v0.9.8
[0.9.7]: https://github.com/torrentclaw/unarr/compare/v0.9.6...v0.9.7 [0.9.7]: https://github.com/torrentclaw/unarr/compare/v0.9.6...v0.9.7

7
DOCKERHUB.md
View file

@ -1,9 +1,8 @@
# unarr # unarr
**The single binary that replaces your whole *arr stack.** Built-in torrent, **The single binary that replaces your whole *arr stack.** Search 30+ torrent
debrid, and usenet engines. Stream, transcode, and organize your library from sources, inspect real quality before you download, grab subtitles, and manage
one terminal — or run it as a headless daemon with a web dashboard, WireGuard your media library — all from one terminal tool or a headless daemon.
split-tunnel, and Cloudflare Funnel remote access.
**[Website & docs](https://torrentclaw.com/unarr)** · **[Install guide](https://torrentclaw.com/cli)** · **[Get an API key](https://torrentclaw.com)** **[Website & docs](https://torrentclaw.com/unarr)** · **[Install guide](https://torrentclaw.com/cli)** · **[Get an API key](https://torrentclaw.com)**

4
README.md
View file

@ -11,9 +11,9 @@
[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE) [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
[![Go Version](https://img.shields.io/github/go-mod/go-version/torrentclaw/unarr)](go.mod) [![Go Version](https://img.shields.io/github/go-mod/go-version/torrentclaw/unarr)](go.mod)
The single-binary terminal client for torrent, debrid, and usenet downloads. **Free and open source.** Powerful terminal tool for torrent search and management. **Free and open source.**
Built-in torrent engine, debrid (Real-Debrid / AllDebrid), and NZB support. Stream to mpv/vlc, transcode on the fly with hardware acceleration, and manage your library — one binary or a headless daemon with WireGuard split-tunnel and Cloudflare Funnel remote access. Search 30+ torrent sources, inspect torrent quality, discover popular content, find streaming providers, and manage your media collection — all from your terminal.
<!-- GIF demo placeholder --> <!-- GIF demo placeholder -->
<!-- ![unarr Demo](docs/demo.gif) --> <!-- ![unarr Demo](docs/demo.gif) -->

33
internal/agent/state.go
View file

@ -2,8 +2,6 @@ package agent
import ( import (
"encoding/json" "encoding/json"
"errors"
"fmt"
"os" "os"
"path/filepath" "path/filepath"
"time" "time"
@ -11,13 +9,6 @@ import (
"github.com/torrentclaw/unarr/internal/config" "github.com/torrentclaw/unarr/internal/config"
) )
// ErrDaemonNotRunning is returned when no daemon state file exists on disk.
// Callers may wrap it with %w; downstream code uses errors.Is to detect it.
// NOTE: the message text is matched by the sentry package (string-match, to
// avoid an import cycle). Keep the prefix "daemon does not appear to be
// running" stable, or update sentry.daemonNotRunningMarker accordingly.
var ErrDaemonNotRunning = errors.New("daemon does not appear to be running (state file not found)")
// DaemonState is written to disk every heartbeat for external tools to read. // DaemonState is written to disk every heartbeat for external tools to read.
type DaemonState struct { type DaemonState struct {
AgentID string `json:"agentId"` AgentID string `json:"agentId"`
@ -78,31 +69,17 @@ func WriteState(state *DaemonState) {
os.Rename(tmp, path) os.Rename(tmp, path)
} }
// ReadState reads the daemon state from disk. Returns nil if not found or // ReadState reads the daemon state from disk. Returns nil if not found.
// unreadable. Use LoadState when callers need to distinguish "not running"
// from "state file corrupted".
func ReadState() *DaemonState { func ReadState() *DaemonState {
state, _ := LoadState()
return state
}
// LoadState reads the daemon state and returns explicit errors:
// - ErrDaemonNotRunning when the state file does not exist
// - a wrapped json error when the file exists but cannot be decoded
// (a real bug worth reporting to Sentry)
func LoadState() (*DaemonState, error) {
data, err := os.ReadFile(StateFilePath()) data, err := os.ReadFile(StateFilePath())
if err != nil { if err != nil {
if errors.Is(err, os.ErrNotExist) { return nil
return nil, ErrDaemonNotRunning
}
return nil, err
} }
var state DaemonState var state DaemonState
if err := json.Unmarshal(data, &state); err != nil { if json.Unmarshal(data, &state) != nil {
return nil, fmt.Errorf("decode daemon state %s: %w", StateFilePath(), err) return nil
} }
return &state, nil return &state
} }
// RemoveState deletes the state file (called on clean shutdown). // RemoveState deletes the state file (called on clean shutdown).

37
internal/agent/state_test.go
View file

@ -1,7 +1,6 @@
package agent package agent
import ( import (
"errors"
"os" "os"
"path/filepath" "path/filepath"
"testing" "testing"
@ -105,39 +104,3 @@ func TestReadStateCorruptedJSON(t *testing.T) {
t.Errorf("ReadState() should return nil for corrupted JSON, got %+v", state) t.Errorf("ReadState() should return nil for corrupted JSON, got %+v", state)
} }
} }
func TestLoadStateNotFound(t *testing.T) {
tmpDir := t.TempDir()
origFn := stateFilePathFn
stateFilePathFn = func() string { return filepath.Join(tmpDir, "nonexistent.json") }
defer func() { stateFilePathFn = origFn }()
state, err := LoadState()
if state != nil {
t.Errorf("LoadState() state = %+v, want nil", state)
}
if !errors.Is(err, ErrDaemonNotRunning) {
t.Errorf("LoadState() err = %v, want ErrDaemonNotRunning", err)
}
}
func TestLoadStateCorruptedJSON(t *testing.T) {
tmpDir := t.TempDir()
origFn := stateFilePathFn
path := filepath.Join(tmpDir, "daemon.state.json")
stateFilePathFn = func() string { return path }
defer func() { stateFilePathFn = origFn }()
os.WriteFile(path, []byte("not valid json{{{"), 0o644)
state, err := LoadState()
if state != nil {
t.Errorf("LoadState() state = %+v, want nil", state)
}
if err == nil {
t.Fatal("LoadState() err = nil, want decode error")
}
if errors.Is(err, ErrDaemonNotRunning) {
t.Error("corrupt state must not be reported as ErrDaemonNotRunning — it would be filtered from Sentry")
}
}

12
internal/cmd/daemon.go
View file

@ -960,19 +960,9 @@ func watchSessionReady(ctx context.Context, client *agent.Client, hsess *engine.
ticker := time.NewTicker(200 * time.Millisecond) ticker := time.NewTicker(200 * time.Millisecond)
defer ticker.Stop() defer ticker.Stop()
for { for {
// Session torn down through a path that didn't cancel ctx (registry
// replace, idle sweep, internal kill). Bail before polling further —
// without this check the watcher could keep alive for up to 60 s on
// a dead HLSSession that's never going to become ready.
if hsess.IsClosed() {
return
}
// Cache HIT or seg-0 ready → notify + done. // Cache HIT or seg-0 ready → notify + done.
if hsess.FromCache() || hsess.ReadyCount() >= 1 { if hsess.FromCache() || hsess.ReadyCount() >= 1 {
// Parent ctx so a session cancel mid-POST (user closed tab, rctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
// daemon shutdown) tears down the in-flight webhook instead of
// blocking the goroutine for up to 10 s on a now-orphan call.
rctx, cancel := context.WithTimeout(ctx, 10*time.Second)
if err := client.MarkSessionReady(rctx, sessionID); err != nil { if err := client.MarkSessionReady(rctx, sessionID); err != nil {
log.Printf("[hls %s] mark-ready failed: %v", agent.ShortID(sessionID), err) log.Printf("[hls %s] mark-ready failed: %v", agent.ShortID(sessionID), err)
} }

10
internal/cmd/daemon_control.go
View file

@ -1,7 +1,6 @@
package cmd package cmd
import ( import (
"errors"
"fmt" "fmt"
"os" "os"
"os/exec" "os/exec"
@ -263,12 +262,9 @@ func runDaemonReload() error {
// stopDaemonByPID reads the state file and sends a graceful stop to the daemon PID. // stopDaemonByPID reads the state file and sends a graceful stop to the daemon PID.
// Used as fallback on platforms without a service manager (and as Windows implementation). // Used as fallback on platforms without a service manager (and as Windows implementation).
func stopDaemonByPID() error { func stopDaemonByPID() error {
state, err := agent.LoadState() state := agent.ReadState()
if err != nil { if state == nil {
if errors.Is(err, agent.ErrDaemonNotRunning) { return fmt.Errorf("daemon does not appear to be running (state file not found)")
return err
}
return fmt.Errorf("read daemon state: %w", err)
} }
return killPID(state.PID) return killPID(state.PID)
} }

10
internal/cmd/reload_unix.go
View file

@ -3,7 +3,6 @@
package cmd package cmd
import ( import (
"errors"
"fmt" "fmt"
"log" "log"
"os" "os"
@ -44,12 +43,9 @@ func startReloadWatcher(rc *ReloadableConfig) {
// sendReloadSignal sends SIGUSR1 to the running daemon process. // sendReloadSignal sends SIGUSR1 to the running daemon process.
func sendReloadSignal() error { func sendReloadSignal() error {
state, err := agent.LoadState() state := agent.ReadState()
if err != nil { if state == nil {
if errors.Is(err, agent.ErrDaemonNotRunning) { return fmt.Errorf("daemon does not appear to be running (state file not found)")
return err
}
return fmt.Errorf("read daemon state: %w", err)
} }
p, err := os.FindProcess(state.PID) p, err := os.FindProcess(state.PID)
if err != nil { if err != nil {

18
internal/cmd/root.go
View file

@ -26,19 +26,15 @@ var (
func init() { func init() {
rootCmd = &cobra.Command{ rootCmd = &cobra.Command{
Use: "unarr", Use: "unarr",
Version: Version, Short: "unarr — torrent search and management",
Short: "Terminal torrent + debrid + usenet client — download, stream, transcode", Long: `unarr is a powerful terminal tool for torrent search and management.
Long: `unarr is a terminal-native client that downloads torrents, debrid links,
and usenet (NZB) all from the same binary. It streams content straight Search 30+ torrent sources, inspect torrent quality, discover popular content,
to mpv/vlc with sequential piece prioritization, transcodes on the fly via find streaming providers, and manage your media collection all from your terminal.
ffmpeg with hardware acceleration (NVENC, QSV, VA-API, VideoToolbox), and
organizes your library into Movies/TV folders. Run it one-shot or as a
long-running daemon with a built-in WireGuard split-tunnel and remote
playback over Cloudflare Funnel.
Get started: Get started:
unarr init First-time configuration wizard unarr init First-time configuration wizard
unarr download <magnet|hash> Grab a torrent one-shot unarr search "breaking bad" Search for content
unarr start Start the download daemon unarr start Start the download daemon
Documentation: https://torrentclaw.com/cli Documentation: https://torrentclaw.com/cli
@ -59,7 +55,7 @@ Source: https://github.com/torrentclaw/unarr`,
// Command groups for organized help output // Command groups for organized help output
rootCmd.AddGroup( rootCmd.AddGroup(
&cobra.Group{ID: "start", Title: "Getting Started:"}, &cobra.Group{ID: "start", Title: "Getting Started:"},
&cobra.Group{ID: "search", Title: "Catalog & Discovery:"}, &cobra.Group{ID: "search", Title: "Search & Discovery:"},
&cobra.Group{ID: "download", Title: "Downloads & Streaming:"}, &cobra.Group{ID: "download", Title: "Downloads & Streaming:"},
&cobra.Group{ID: "daemon", Title: "Daemon Management:"}, &cobra.Group{ID: "daemon", Title: "Daemon Management:"},
&cobra.Group{ID: "system", Title: "System & Diagnostics:"}, &cobra.Group{ID: "system", Title: "System & Diagnostics:"},

2
internal/cmd/version.go
View file

@ -1,4 +1,4 @@
package cmd package cmd
// Version is the CLI version. Overridden by goreleaser ldflags at release time. // Version is the CLI version. Overridden by goreleaser ldflags at release time.
var Version = "0.9.15" var Version = "0.9.13"

42
internal/engine/hls.go
View file

@ -534,13 +534,6 @@ func (s *HLSSession) ReadyCount() int {
// circuit polling — a cache HIT is ready the moment we return. // circuit polling — a cache HIT is ready the moment we return.
func (s *HLSSession) FromCache() bool { return s.fromCache } func (s *HLSSession) FromCache() bool { return s.fromCache }
// IsClosed reports whether Close() has been invoked. Exposed (vs the
// internal isClosed) so external watchers — the ready-webhook
// goroutine in cmd/daemon.go — can short-circuit polling on a session
// that was torn down through a different code path (registry replace,
// idle sweep) without racing on the unexported helper.
func (s *HLSSession) IsClosed() bool { return s.isClosed() }
// MasterPlaylist returns the rendered master.m3u8 contents. // MasterPlaylist returns the rendered master.m3u8 contents.
func (s *HLSSession) MasterPlaylist() string { return s.manifestRoot } func (s *HLSSession) MasterPlaylist() string { return s.manifestRoot }
@ -1168,17 +1161,6 @@ func buildHLSFFmpegArgsAt(cfg HLSSessionConfig, probe *StreamProbe, tmpDir strin
// silently ignores `-q:v`, so the constant-quality knob never // silently ignores `-q:v`, so the constant-quality knob never
// took effect anyway. // took effect anyway.
args = append(args, "-realtime", "1") args = append(args, "-realtime", "1")
case "h264_vaapi":
// h264_vaapi has no preset knob. Bitrate args (set later) drive
// rate control. Add `-vaapi_device /dev/dri/renderD128` so the
// encoder doesn't fall back to a NULL device on multi-GPU hosts
// where the default render node is a non-VAAPI GPU (an Nvidia
// dGPU's render node, etc.). The filter chain below switches to
// `format=nv12,hwupload` so frames land on the right VAAPI
// surface before the encoder; we intentionally avoid scale_vaapi
// because mesa 25 + Raphael iGPU emits "Cannot allocate memory"
// per session start, polluting logs even though encode succeeds.
args = append(args, "-vaapi_device", "/dev/dri/renderD128")
} }
// Derive H.264 level from the actual output height. A fixed "4.0" caps the // Derive H.264 level from the actual output height. A fixed "4.0" caps the
// encoder at 1080p — anything taller (1440p, 4K source on quality=original) // encoder at 1080p — anything taller (1440p, 4K source on quality=original)
@ -1229,32 +1211,14 @@ func buildHLSFFmpegArgsAt(cfg HLSSessionConfig, probe *StreamProbe, tmpDir strin
if maxH == 0 { if maxH == 0 {
maxH = cfg.Transcode.MaxHeight maxH = cfg.Transcode.MaxHeight
} }
// VAAPI needs frames as nv12 VAAPI surfaces before the encoder. We do
// scale + format conversion on CPU then `hwupload` once at the end —
// skips the mesa 25 + Raphael iGPU "Cannot allocate memory" log spam
// that scale_vaapi triggers per-session-start while still delivering
// the encoder a GPU surface. setparams is dropped because VAAPI
// surfaces don't expose VUI fields the way libx264 does; the encoder
// records its own color metadata via the source PTS chain.
pixFormat := "yuv420p"
hwUploadTail := ""
colorTail := ",setparams=colorspace=bt709:color_trc=bt709:color_primaries=bt709:range=tv"
if codec == "h264_vaapi" {
pixFormat = "nv12"
hwUploadTail = ",hwupload"
colorTail = ""
}
var filterChain string var filterChain string
if maxH > 0 && probe.Height > maxH { if maxH > 0 && probe.Height > maxH {
filterChain = fmt.Sprintf( filterChain = fmt.Sprintf(
"scale=-2:%d:force_original_aspect_ratio=decrease,scale=trunc(iw/2)*2:trunc(ih/2)*2,format=%s%s%s", "scale=-2:%d:force_original_aspect_ratio=decrease,scale=trunc(iw/2)*2:trunc(ih/2)*2,format=yuv420p,setparams=colorspace=bt709:color_trc=bt709:color_primaries=bt709:range=tv",
maxH, pixFormat, colorTail, hwUploadTail, maxH,
) )
} else { } else {
filterChain = fmt.Sprintf( filterChain = "scale=trunc(iw/2)*2:trunc(ih/2)*2,format=yuv420p,setparams=colorspace=bt709:color_trc=bt709:color_primaries=bt709:range=tv"
"scale=trunc(iw/2)*2:trunc(ih/2)*2,format=%s%s%s",
pixFormat, colorTail, hwUploadTail,
)
} }
args = append(args, "-vf", filterChain) args = append(args, "-vf", filterChain)

97
internal/engine/vaapi_args_test.go
View file

@ -1,97 +0,0 @@
package engine
import (
"strings"
"testing"
)
func TestBuildHLSFFmpegArgsVAAPI(t *testing.T) {
cfg := HLSSessionConfig{
SessionID: "test",
SourcePath: "/tmp/test.mkv",
Quality: "720p",
AudioIndex: 0,
Transcode: TranscodeRuntime{
FFmpegPath: "/usr/bin/ffmpeg",
FFprobePath: "/usr/bin/ffprobe",
HWAccel: HWAccelVAAPI,
},
}
probe := &StreamProbe{Width: 1920, Height: 1080, DurationSec: 100}
args := buildHLSFFmpegArgsAt(cfg, probe, "/tmp/tmpdir", 0, 0)
got := strings.Join(args, " ")
wants := []string{
"-hwaccel vaapi",
"-vaapi_device /dev/dri/renderD128",
"-c:v h264_vaapi",
"format=nv12",
"hwupload",
}
for _, want := range wants {
if !strings.Contains(got, want) {
t.Errorf("argv missing %q\n%s", want, got)
}
}
if strings.Contains(got, "scale_vaapi") {
t.Errorf("argv unexpectedly contains scale_vaapi (mesa bug): %s", got)
}
if strings.Contains(got, "format=yuv420p") {
t.Errorf("argv contains format=yuv420p (libx264 path) for VAAPI codec: %s", got)
}
}
func TestBuildHLSFFmpegArgsLibx264NoRegression(t *testing.T) {
cfg := HLSSessionConfig{
SessionID: "test",
SourcePath: "/tmp/test.mkv",
Quality: "720p",
AudioIndex: 0,
Transcode: TranscodeRuntime{
FFmpegPath: "/usr/bin/ffmpeg",
FFprobePath: "/usr/bin/ffprobe",
HWAccel: HWAccelNone,
},
}
probe := &StreamProbe{Width: 1920, Height: 1080, DurationSec: 100}
args := buildHLSFFmpegArgsAt(cfg, probe, "/tmp/tmpdir", 0, 0)
got := strings.Join(args, " ")
for _, want := range []string{"-c:v libx264", "format=yuv420p", "setparams=colorspace=bt709"} {
if !strings.Contains(got, want) {
t.Errorf("libx264 argv missing %q: %s", want, got)
}
}
for _, bad := range []string{"-vaapi_device", "format=nv12", "hwupload"} {
if strings.Contains(got, bad) {
t.Errorf("libx264 argv unexpectedly contains %q: %s", bad, got)
}
}
}
// TestBuildHLSFFmpegArgsVAAPIDump prints the full argv buildHLSFFmpegArgsAt
// emits for a typical VAAPI session. Mimics the daemon spawn step so the
// operator can verify the ffmpeg command-line shape without booting the
// stack — equivalent to `journalctl --user -u unarr-dev | grep ffmpeg`
// but without waiting for a real player session.
func TestBuildHLSFFmpegArgsVAAPIDump(t *testing.T) {
cfg := HLSSessionConfig{
SessionID: "vaapi-smoke",
SourcePath: "/mnt/nas/peliculas/sample.mkv",
Quality: "720p",
AudioIndex: -1,
Transcode: TranscodeRuntime{
FFmpegPath: "/usr/bin/ffmpeg",
FFprobePath: "/usr/bin/ffprobe",
HWAccel: HWAccelVAAPI,
},
}
probe := &StreamProbe{
VideoCodec: "hevc",
Width: 3840,
Height: 2160,
DurationSec: 5400,
AudioTracks: []ProbeAudioTrack{{Index: 0, Lang: "en", Codec: "ac3"}},
}
args := buildHLSFFmpegArgsAt(cfg, probe, "/tmp/smoke-tmpdir", 0, 0)
t.Logf("ffmpeg %s", strings.Join(args, " "))
}

26
internal/sentry/sentry.go
View file

@ -1,14 +1,12 @@
package sentry package sentry
import ( import (
"errors"
"os" "os"
"runtime" "runtime"
"strings" "strings"
"time" "time"
gosentry "github.com/getsentry/sentry-go" gosentry "github.com/getsentry/sentry-go"
"github.com/spf13/pflag"
) )
// dsn is injected at build time via ldflags. If empty, Sentry is disabled. // dsn is injected at build time via ldflags. If empty, Sentry is disabled.
@ -46,16 +44,9 @@ func Close() {
gosentry.Flush(flushTimeout) gosentry.Flush(flushTimeout)
} }
// daemonNotRunningMarker matches the message of agent.ErrDaemonNotRunning
// without importing the agent package — avoids a sentry → agent dependency
// that would risk a cycle if agent ever needed to report errors itself.
const daemonNotRunningMarker = "daemon does not appear to be running"
// CaptureError sends a non-fatal error to Sentry with optional command context. // CaptureError sends a non-fatal error to Sentry with optional command context.
// Expected non-bug errors (bad CLI input, daemon not running) are skipped to
// keep the issue feed signal-heavy.
func CaptureError(err error, command string) { func CaptureError(err error, command string) {
if err == nil || shouldSkipSentry(err) { if err == nil {
return return
} }
@ -67,21 +58,6 @@ func CaptureError(err error, command string) {
}) })
} }
func shouldSkipSentry(err error) bool {
var notExist *pflag.NotExistError
var valueReq *pflag.ValueRequiredError
var invalidVal *pflag.InvalidValueError
var invalidSyn *pflag.InvalidSyntaxError
if errors.As(err, &notExist) || errors.As(err, &valueReq) ||
errors.As(err, &invalidVal) || errors.As(err, &invalidSyn) {
return true
}
msg := err.Error()
return strings.HasPrefix(msg, "unknown command ") ||
strings.HasPrefix(msg, "required flag(s)") ||
strings.Contains(msg, daemonNotRunningMarker)
}
// RecoverPanic captures a panic and re-panics after reporting. // RecoverPanic captures a panic and re-panics after reporting.
// Usage: defer sentry.RecoverPanic() // Usage: defer sentry.RecoverPanic()
func RecoverPanic() { func RecoverPanic() {

19
internal/sentry/sentry_test.go
View file

@ -1,10 +1,6 @@
package sentry package sentry
import ( import "testing"
"errors"
"fmt"
"testing"
)
func TestEnvironment(t *testing.T) { func TestEnvironment(t *testing.T) {
tests := []struct { tests := []struct {
@ -49,16 +45,3 @@ func TestSetUser(t *testing.T) {
// Should not panic without initialization // Should not panic without initialization
SetUser("agent-123") SetUser("agent-123")
} }
func TestShouldSkipSentryDaemonNotRunning(t *testing.T) {
// String must stay in sync with agent.ErrDaemonNotRunning. If that sentinel
// is reworded, this test fails loudly so the marker can be updated.
err := errors.New("daemon does not appear to be running (state file not found)")
if !shouldSkipSentry(err) {
t.Error("ErrDaemonNotRunning message should be skipped")
}
wrapped := fmt.Errorf("read daemon state: %w", err)
if !shouldSkipSentry(wrapped) {
t.Error("wrapped ErrDaemonNotRunning message should be skipped")
}
}

11
scripts/release.sh
View file

@ -55,17 +55,6 @@ fi
CURRENT_BRANCH=$(git branch --show-current) CURRENT_BRANCH=$(git branch --show-current)
[ "$CURRENT_BRANCH" = "main" ] || warn "Not on main branch (current: $CURRENT_BRANCH)" [ "$CURRENT_BRANCH" = "main" ] || warn "Not on main branch (current: $CURRENT_BRANCH)"
HEAD_SUBJECT=$(git log -1 --pretty=%s)
if [[ "$HEAD_SUBJECT" =~ \(([0-9]+\.[0-9]+\.[0-9]+)\) ]]; then
die "HEAD commit subject contains inline version bump: \"$HEAD_SUBJECT\"
Release contract: version bumps MUST live in a dedicated 'chore(release): X.Y.Z' commit.
Revert the inline bump and re-run this script — it will create the proper commit."
fi
if [[ "$HEAD_SUBJECT" =~ ^chore\(release\): ]]; then
die "HEAD is already a chore(release) commit: \"$HEAD_SUBJECT\"
Nothing new to release. Add commits since the last release or amend intentionally outside this script."
fi
# ── Resolve version ──────────────────────────────────────────────── # ── Resolve version ────────────────────────────────────────────────
LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "v0.0.0") LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "v0.0.0")
LATEST_VERSION="${LATEST_TAG#v}" LATEST_VERSION="${LATEST_TAG#v}"

54
scripts/ship.sh
View file

@ -17,8 +17,7 @@
# 3. Rsync to Hetzner via web/scripts/publish-cli-release.sh # 3. Rsync to Hetzner via web/scripts/publish-cli-release.sh
# 4. Multi-arch Docker build + push (amd64 + arm64) to Docker Hub # 4. Multi-arch Docker build + push (amd64 + arm64) to Docker Hub
# 5. Smoke checks (torrentclaw.com/version + docker run image version) # 5. Smoke checks (torrentclaw.com/version + docker run image version)
# 6. Prune Forgejo releases older than FORGEJO_PRUNE_DAYS (default 90) # 6. Optional `git push --follow-tags`
# 7. Optional `git push --follow-tags`
# #
# Usage: # Usage:
# scripts/ship.sh Detect version from internal/cmd/version.go # scripts/ship.sh Detect version from internal/cmd/version.go
@ -34,10 +33,6 @@
# SKIP_DOCKER=1 skip Docker build/push # SKIP_DOCKER=1 skip Docker build/push
# SKIP_HETZNER=1 skip Hetzner publish # SKIP_HETZNER=1 skip Hetzner publish
# SKIP_SMOKE=1 skip smoke checks # SKIP_SMOKE=1 skip smoke checks
# SKIP_FORGEJO_PRUNE=1 skip Forgejo retention prune
# FORGEJO_TOKEN PAT with write:repository for prune (no token = skip + warn)
# FORGEJO_PRUNE_DAYS retention window, default 90 days
# FORGEJO_REPO default torrentclaw/unarr
# #
set -euo pipefail set -euo pipefail
@ -49,10 +44,6 @@ PUBLISH_SCRIPT="${PUBLISH_SCRIPT:-$REPO_DIR/../torrentclaw-web/scripts/publish-c
SKIP_DOCKER="${SKIP_DOCKER:-0}" SKIP_DOCKER="${SKIP_DOCKER:-0}"
SKIP_HETZNER="${SKIP_HETZNER:-0}" SKIP_HETZNER="${SKIP_HETZNER:-0}"
SKIP_SMOKE="${SKIP_SMOKE:-0}" SKIP_SMOKE="${SKIP_SMOKE:-0}"
SKIP_FORGEJO_PRUNE="${SKIP_FORGEJO_PRUNE:-0}"
FORGEJO_PRUNE_DAYS="${FORGEJO_PRUNE_DAYS:-90}"
FORGEJO_REPO="${FORGEJO_REPO:-torrentclaw/unarr}"
FORGEJO_BASE="${FORGEJO_BASE:-https://git.torrentclaw.com}"
DRY_RUN=false DRY_RUN=false
PUSH_TAG=false PUSH_TAG=false
@ -170,48 +161,7 @@ if [ "$SKIP_SMOKE" != "1" ]; then
fi fi
fi fi
# 6. Forgejo retention prune # 5. Optional push
if [ "$SKIP_FORGEJO_PRUNE" != "1" ]; then
if [ -z "${FORGEJO_TOKEN:-}" ]; then
warn "FORGEJO_TOKEN not set — skipping Forgejo prune (set it to enable >${FORGEJO_PRUNE_DAYS}-day cleanup)"
else
info "pruning Forgejo releases older than $FORGEJO_PRUNE_DAYS days"
FORGEJO_API="$FORGEJO_BASE/api/v1/repos/$FORGEJO_REPO/releases"
RELEASES_JSON="$(curl -fsSL -H "Authorization: token $FORGEJO_TOKEN" "$FORGEJO_API?limit=50" || echo '[]')"
PRUNE_IDS="$(echo "$RELEASES_JSON" | python3 -c "
import json, sys
from datetime import datetime, timedelta, timezone
days = int('${FORGEJO_PRUNE_DAYS}')
cutoff = datetime.now(timezone.utc) - timedelta(days=days)
for r in json.load(sys.stdin):
created = datetime.fromisoformat(r['created_at'].replace('Z', '+00:00'))
if created < cutoff:
print(f\"{r['id']}\t{r['tag_name']}\t{r['created_at']}\")
" 2>/dev/null || true)"
DELETED=0
FAILED=0
if [ -n "$PRUNE_IDS" ]; then
while IFS=$'\t' read -r REL_ID REL_TAG REL_CREATED; do
[ -z "$REL_ID" ] && continue
CODE="$(curl -s -o /dev/null -w '%{http_code}' -X DELETE -H "Authorization: token $FORGEJO_TOKEN" "$FORGEJO_API/$REL_ID")"
if [ "$CODE" = "204" ]; then
echo " deleted $REL_TAG (created $REL_CREATED)"
DELETED=$((DELETED + 1))
else
warn " failed to delete $REL_TAG (id=$REL_ID, http=$CODE)"
FAILED=$((FAILED + 1))
fi
done <<< "$PRUNE_IDS"
fi
if [ "$FAILED" -gt 0 ]; then
warn "Forgejo prune: $DELETED removed, $FAILED failed"
else
ok "Forgejo prune: $DELETED release(s) removed (>${FORGEJO_PRUNE_DAYS} days old)"
fi
fi
fi
# 7. Optional push
if [ "$PUSH_TAG" = true ]; then if [ "$PUSH_TAG" = true ]; then
info "git push origin main --follow-tags" info "git push origin main --follow-tags"
git push origin main --follow-tags git push origin main --follow-tags