giuseppe99barchetta
diff --git a/‎.github/pull_request_template.md‎
Lines changed: 9 additions & 0 deletions b/‎.github/pull_request_template.md‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/ci.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/docker_hub_build.yml‎
Lines changed: 6 additions & 6 deletions b/‎.github/workflows/docker_hub_build.yml‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎.github/workflows/docker_hub_build_nightly.yml‎
Lines changed: 5 additions & 5 deletions b/‎.github/workflows/docker_hub_build_nightly.yml‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎CONTRIBUTING.md‎
Lines changed: 28 additions & 2 deletions b/‎CONTRIBUTING.md‎
Lines changed: 28 additions & 2 deletions
diff --git a/‎README.md‎
Lines changed: 7 additions & 7 deletions b/‎README.md‎
Lines changed: 7 additions & 7 deletions
diff --git a/‎TMDB_API_ENDPOINTS.md‎
Lines changed: 4 additions & 4 deletions b/‎TMDB_API_ENDPOINTS.md‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎api_service/app.py‎
Lines changed: 17 additions & 5 deletions b/‎api_service/app.py‎
Lines changed: 17 additions & 5 deletions
diff --git a/‎api_service/auth/auth_service.py‎
Lines changed: 22 additions & 6 deletions b/‎api_service/auth/auth_service.py‎
Lines changed: 22 additions & 6 deletions
diff --git a/‎api_service/auth/middleware.py‎
Lines changed: 2 additions & 0 deletions b/‎api_service/auth/middleware.py‎
Lines changed: 2 additions & 0 deletions
@@ -0,0 +1,9 @@
+## Summary
+
+Describe the change and why it is needed.
+
+## Checklist
+
+- [ ] Tests added/updated when applicable
+- [ ] Documentation updated when behavior or setup changed
+- [ ] No hardcoded styles introduced
@@ -46,7 +46,7 @@ jobs:
         uses: actions/checkout@v6.0.2
 
       - name: Set up Node.js
-        uses: actions/setup-node@v6.2.0
+        uses: actions/setup-node@v6.3.0
         with:
           node-version: '20'
 
 
@@ -20,7 +20,7 @@ jobs:
           fetch-depth: 0
 
       - name: Set up Node.js
-        uses: actions/setup-node@v6.2.0
+        uses: actions/setup-node@v6.3.0
         with:
           node-version: '20'
 
@@ -100,10 +100,10 @@ jobs:
         run: git pull origin main
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3.12.0
+        uses: docker/setup-buildx-action@v4.0.0
 
       - name: Log in to Docker Hub
-        uses: docker/login-action@v3.7.0
+        uses: docker/login-action@v4.0.0
         with:
           username: ciuse99
           password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
@@ -113,7 +113,7 @@ jobs:
         run: echo "platform_slug=$(echo '${{ matrix.platform }}' | tr '/' '-')" >> $GITHUB_OUTPUT
 
       - name: Build and push platform image
-        uses: docker/build-push-action@v6.19.2
+        uses: docker/build-push-action@v7.0.0
         with:
           context: .
           file: docker/Dockerfile
@@ -136,13 +136,13 @@ jobs:
 
     steps:
       - name: Log in to Docker Hub
-        uses: docker/login-action@v3.7.0
+        uses: docker/login-action@v4.0.0
         with:
           username: ciuse99
           password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3.12.0
+        uses: docker/setup-buildx-action@v4.0.0
 
       - name: Create and push multi-platform manifest
         env:
 
@@ -25,10 +25,10 @@ jobs:
         uses: actions/checkout@v6.0.2
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3.12.0
+        uses: docker/setup-buildx-action@v4.0.0
 
       - name: Log in to Docker Hub
-        uses: docker/login-action@v3.7.0
+        uses: docker/login-action@v4.0.0
         with:
           username: ciuse99
           password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
@@ -38,7 +38,7 @@ jobs:
         run: echo "platform_slug=$(echo '${{ matrix.platform }}' | tr '/' '-')" >> $GITHUB_OUTPUT
 
       - name: Build and push platform image
-        uses: docker/build-push-action@v6.19.2
+        uses: docker/build-push-action@v7.0.0
         with:
           context: .
           file: docker/Dockerfile
@@ -60,13 +60,13 @@ jobs:
 
     steps:
       - name: Log in to Docker Hub
-        uses: docker/login-action@v3.7.0
+        uses: docker/login-action@v4.0.0
         with:
           username: ciuse99
           password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3.12.0
+        uses: docker/setup-buildx-action@v4.0.0
 
       - name: Create and push multi-platform manifest
         run: |
 
@@ -1,4 +1,4 @@
-# Contributing to Jellyseer Request Automation
+# Contributing to Suggestarr
 
 Thank you for considering contributing to this project! Here's how you can get started:
 
@@ -9,11 +9,37 @@ Thank you for considering contributing to this project! Here's how you can get s
 - **Improve Documentation**: You can contribute by improving this documentation or adding new sections to it.
 
 ## Guidelines:
-1. Fork the repository and create your branch from `main`.
+1. Fork the repository and create your branch from `nightly`.
 2. If you've added code that should be tested, add tests.
 3. Ensure the code is well-documented.
 4. Open a pull request and provide a clear explanation of the changes.
 
+## Frontend Design System Rules (Required)
+
+For all CSS and Vue `<style>` changes under `client/src`:
+
+- Use design tokens from `client/src/assets/styles/variables.css`.
+- Do **not** introduce hardcoded color values (`#hex`, `rgb/rgba`, `hsl/hsla`) in style declarations.
+- Do **not** introduce hardcoded spacing values for `margin`, `padding`, or `gap`; use `var(--spacing-*)` (or `calc(...)` from tokens).
+- Do **not** introduce hardcoded `border-radius`; use `var(--radius-*)` / component radius tokens.
+- Do **not** introduce hardcoded `font-size`; use typography tokens (`var(--font-size-*)`, input/button font-size tokens).
+
+### Advisory Linting (Warning-level)
+
+The frontend includes warning-level style checks:
+
+```bash
+cd client && npm run lint:styles
+```
+
+This command is advisory-first (warning-level rules) to avoid breaking existing code while enforcing new contributions.
+
+## Pull Request Checklist
+
+- [ ] Tests added/updated when applicable
+- [ ] Documentation updated when behavior or setup changed
+- [ ] No hardcoded styles introduced
+
 ## Building the Docker Image
 To build the Docker image for development, run the following commands:
 ```bash
 
@@ -11,14 +11,14 @@
 [![](https://dcbadge.limes.pink/api/server/https://discord.com/invite/JXwFd3PnXY?style=flat)](https://discord.com/invite/JXwFd3PnXY)
 </div>
 
-SuggestArr is a project designed to automate media content recommendations and download requests based on user activity in media servers like **Jellyfin**, **Plex**, and now **Emby**. It retrieves recently watched content, searches for similar titles using the TMDb API, and sends automated download requests to **Jellyseer** or **Overseer**.
+SuggestArr is a project designed to automate media content recommendations and download requests based on user activity in media servers like **Jellyfin**, **Plex**, and now **Emby**. It retrieves recently watched content, searches for similar titles using the TMDb API, and sends automated download requests to **Seer**.
 
 ## Features
 - **Multi-Media Server Support**: Supports Jellyfin, Plex, and Emby for retrieving media content.
 - **TMDb Integration**: Searches for similar movies and TV shows on TMDb.
 - **AI-Powered Recommendations** *(beta)*: Uses any OpenAI-compatible LLM (OpenAI, Ollama, Gemini, LiteLLM…) to generate hyper-personalized suggestions based on watch history, complete with AI reasoning for each pick.
 - **AI Search** *(beta)*: Describe in natural language what you want to watch and let the AI find matching titles, personalised to your viewing history, with one-click request to Seer.
-- **Automated Requests**: Sends download requests for recommended content to Jellyseer or Seer.
+- **Automated Requests**: Sends download requests for recommended content to Seer.
 - **Web Interface**: A user-friendly interface for configuration and management.
 - **Real-Time Logs**: View and filter logs in real time (e.g., `INFO`, `ERROR`, `DEBUG`).
 - **User Selection**: Choose specific users to initiate requests, allowing management and approval of auto-requested content.
@@ -31,7 +31,7 @@ SuggestArr is a project designed to automate media content recommendations and d
 - **Python 3.x** or **Docker**
 - **[TMDb API Key](https://www.themoviedb.org/documentation/api)**
 - Configured **[Jellyfin](https://jellyfin.org/)**, **[Plex](https://www.plex.tv/)**, or **[Emby](https://emby.media/)**
-- Configured **[Jellyseer](https://github.com/Fallenbagel/jellyseerr)** or **[Overseer](https://github.com/sct/overseerr)**
+- Configured **[Seer](https://github.com/seerr-team/seerr)**
 - (Optional) External database (PostgreSQL or MySQL) for improved performance
 
 ## Docker Usage
@@ -68,15 +68,15 @@ Access the web interface at: http://localhost:5000 (or your custom port if confi
 
 Make sure your environment is set up correctly and that the application is running to access the web interface.
 
-### Using a Specific Jellyseer/Overseer User for Requests
-If you'd like to use a specific Jellyseer user to make media requests, follow these steps:
+### Using a Specific Seer User for Requests
+If you'd like to use a specific Seer user to make media requests, follow these steps:
 
 1. In the web interface, enable the user selection option by checking the corresponding box.
 2. Select the desired user from the dropdown list.
 3. Enter the password for the selected user.
 4. The system will now use this user to make media requests, rather than using the admin or default profile.
 
-Note: Currently, only local Jellyseer users are supported.
+Note: Currently, only local Seer users are supported.
 
 ## AI-Powered Recommendations (Beta)
 
@@ -163,7 +163,7 @@ Type a natural-language description of what you feel like watching. The LLM inte
 - **Natural language queries** — describe mood, genre, decade, language, or specific themes
 - **Viewing-history personalisation** — the AI tailors results based on what you (or your users) have already watched
 - **Exclude already-watched titles** — hide content you've already seen
-- **One-click requesting** — send results directly to Jellyseer/Overseer without leaving the page
+- **One-click requesting** — send results directly to Seer without leaving the page
 - **Query interpretation badge** — see how the AI parsed your query (genres, year range, language, min rating)
 
 ### How to enable
 
@@ -92,11 +92,11 @@ Tests the Jellyfin server connection with provided API token and URL.
 - `400 Bad Request`: Missing token or URL, or connection failed
 - `500 Internal Server Error`: Internal error
 
-## Overseer/Jellyseer Endpoints
+## Seer Endpoints
 
 ### POST `/api/seer/test`
 
-Tests the Overseer/Jellyseer API connection with provided API key and URL.
+Tests the Seer API connection with provided API key and URL.
 
 **Request Body:**
 ```json
@@ -111,7 +111,7 @@ Tests the Overseer/Jellyseer API connection with provided API key and URL.
 ```json
 {
   "status": "success",
-  "message": "Overseer/Jellyseer connection successful!",
+  "message": "Seer connection successful!",
   "data": {
     "users_count": 4,
     "server_url": "http://localhost:5055",
@@ -208,7 +208,7 @@ All service test endpoints have been enhanced with robust validation:
 ```json
 {
   "status": "success",
-  "message": "Overseer/Jellyseer connection successful but no users found",
+  "message": "Seer connection successful but no users found",
   "data": {
     "users_count": 0,
     "server_url": "http://localhost:5055"
 
@@ -22,6 +22,7 @@
 from api_service.blueprints.seer.routes import seer_bp
 from api_service.blueprints.plex.routes import plex_bp
 from api_service.blueprints.automation.routes import automation_bp
+from api_service.blueprints.integrations.routes import integrations_bp
 from api_service.blueprints.logs.routes import logs_bp
 from api_service.blueprints.config.routes import config_bp
 from api_service.blueprints.tmdb.routes import tmdb_bp
@@ -60,6 +61,11 @@ def __call__(self, environ, start_response):
 logger = LoggerManager.get_logger("APP") 
 logger.debug(f"Current log level: {logging.getLevelName(logger.getEffectiveLevel())}")
 
+DEFAULT_CORS_ORIGINS = [
+    'http://localhost:8080',
+    'http://127.0.0.1:8080',
+]
+
 # App Factory Pattern for modularity and testability
 def create_app():
     """
@@ -81,9 +87,10 @@ def create_app():
 
     # ------------------------------------------------------------------
     # CORS
-    # Default: allow all origins so existing LAN deployments keep working.
-    # Operators who expose SuggestArr to the internet SHOULD restrict this
-    # via the SUGGESTARR_ALLOWED_ORIGINS env var (comma-separated list).
+    # Default: allow the local frontend dev servers used by the Vue app.
+    # Credentialed requests cannot use wildcard origins, so operators who
+    # expose SuggestArr elsewhere SHOULD set SUGGESTARR_ALLOWED_ORIGINS to
+    # a comma-separated allowlist of exact origins.
     # Example: SUGGESTARR_ALLOWED_ORIGINS=https://suggestarr.home.example.com
     # ------------------------------------------------------------------
     allowed_origins_env = os.environ.get('SUGGESTARR_ALLOWED_ORIGINS', '').strip()
@@ -96,8 +103,12 @@ def create_app():
              methods=["GET", "POST", "PUT", "DELETE", "OPTIONS"])
         logger.info("CORS restricted to: %s", allowed_origins)
     else:
-        # Wildcard — backward-compatible default for LAN deployments.
-        CORS(application)
+        CORS(application,
+             origins=DEFAULT_CORS_ORIGINS,
+             supports_credentials=True,
+             allow_headers=["Authorization", "Content-Type"],
+             methods=["GET", "POST", "PUT", "DELETE", "OPTIONS"])
+        logger.info("CORS using default frontend origins: %s", DEFAULT_CORS_ORIGINS)
 
     # ------------------------------------------------------------------
     # Rate limiter
@@ -150,6 +161,7 @@ def handle_500(exc):
     application.register_blueprint(seer_bp, url_prefix='/api/seer')
     application.register_blueprint(plex_bp, url_prefix='/api/plex')
     application.register_blueprint(automation_bp, url_prefix='/api/automation')
+    application.register_blueprint(integrations_bp, url_prefix='/api/integrations')
     application.register_blueprint(logs_bp, url_prefix='/api')
     application.register_blueprint(config_bp, url_prefix='/api/config')
     application.register_blueprint(tmdb_bp, url_prefix='/api/tmdb')
 
@@ -25,6 +25,7 @@
 
 from api_service.auth.secret_key import load_secret_key
 from api_service.config.logger_manager import LoggerManager
+from api_service.db.database_manager import DatabaseManager
 
 logger = LoggerManager.get_logger("AuthService")
 
@@ -95,12 +96,14 @@ def create_access_token(user_id: int, username: str, role: str) -> str:
         Issue a short-lived signed JWT access token.
 
         Payload claims:
-          sub      — user ID (string)
-          username — display name
-          role     — 'admin' or 'user'
-          iat      — issued-at timestamp
-          exp      — expiry timestamp (now + ACCESS_TOKEN_EXPIRE_MINUTES)
-          jti      — unique token ID (reserved for future revocation list)
+          sub            — user ID (string)
+          username       — display name
+          role           — 'admin' or 'user'
+          iat            — issued-at timestamp
+          exp            — expiry timestamp (now + ACCESS_TOKEN_EXPIRE_MINUTES)
+          jti            — unique token ID (reserved for future revocation list)
+          can_manage_ai  — boolean flag for per‑user AI management
+          visible_tabs   — comma‑separated list of UI tabs the user may access
 
         Args:
             user_id:  Internal DB primary key of the authenticated user.
@@ -111,13 +114,26 @@ def create_access_token(user_id: int, username: str, role: str) -> str:
             str: Signed JWT string.
         """
         now = datetime.now(tz=timezone.utc)
+        # Fetch permission fields from DB, fallback to defaults on error
+        try:
+            db = DatabaseManager()
+            user_record = db.get_auth_user_by_id(user_id)
+            can_manage_ai = bool(user_record.get('can_manage_ai', 0))
+            visible_tabs = user_record.get('visible_tabs', 'requests,jobs,profile')
+        except Exception as e:
+            logger = LoggerManager.get_logger('AuthService')
+            logger.warning("Failed to fetch permission fields for JWT payload: %s", e)
+            can_manage_ai = False
+            visible_tabs = 'requests,jobs,profile'
         payload = {
             "sub": str(user_id),
             "username": username,
             "role": role,
             "iat": now,
             "exp": now + timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES),
             "jti": str(uuid.uuid4()),
+            "can_manage_ai": can_manage_ai,
+            "visible_tabs": visible_tabs,
         }
         return jwt.encode(payload, load_secret_key(), algorithm=_JWT_ALGORITHM)
 
 
@@ -227,6 +227,8 @@ def enforce_authentication() -> Optional[tuple]:
         "id": payload["sub"],
         "username": payload.get("username", ""),
         "role": payload.get("role", "user"),
+        "can_manage_ai": payload.get("can_manage_ai", 0),
+        "visible_tabs": payload.get("visible_tabs", "requests,jobs,profile"),
     }
 
     return None  # Allow the request to continue.
Original file line number	Diff line number	Diff line change
`@@ -227,6 +227,8 @@ def enforce_authentication() -> Optional[tuple]:`
`227`	`227`	`"id": payload["sub"],`
`228`	`228`	`"username": payload.get("username", ""),`
`229`	`229`	`"role": payload.get("role", "user"),`
	`230`	`+ "can_manage_ai": payload.get("can_manage_ai", 0),`
	`231`	`+ "visible_tabs": payload.get("visible_tabs", "requests,jobs,profile"),`
`230`	`232`	`}`
`231`	`233`
`232`	`234`	`return None # Allow the request to continue.`