Changelog

[0.9.0] - 2026-05-02

Highlights

• Unified media, history, and enrichment provider selection across Setup, /api/config, and the main UI so selected, available, effective, and degraded states are visible instead of silently falling back.
• Promoted Mismatch Center and provider diagnostics into first-class troubleshooting tools, with provider-aware mismatch reasons across supported history and enrichment providers.
• Finalized the basic, basic_local_bypass, and external auth/deployment model with setup validation, recovery guidance, and documented support boundaries for direct, reverse-proxy, Docker, Unraid, and Windows installs.
• Expanded the modern UI pass across the toolbar, filters, status blocks, setup flow, tables, provider chips, mobile controls, and reduced-motion-safe animations.
• Expanded German UI coverage and refreshed the translation catalog for the 0.9.0 interface.

Fixes

• Setup provider-state summaries now treat stored-secret-backed providers and Arr instances as configured during live setup preview, so the Setup page no longer marks active Tautulli/Plex/Arr selections as unavailable when the main app is already using them.
• Mismatch Center now distinguishes between loaded rows and total mismatch counts when the response is capped, avoiding contradictory summaries such as showing 3000 loaded rows while reporting a larger provider-conflict total.
• Provider Insights and Mismatch Center now render explicit loading states on first open instead of presenting mostly empty shells while their API requests are still in flight.
• Mobile filter/header layout keeps the advanced-help control aligned with the filter bar and gives the footer controls a more stable stack on narrow coarse-pointer screens.
• Status blocks now surface provider-specific activity more clearly: media and enrichment blocks show active loading/refresh text, and each block’s top gradient animates while its provider is doing work.
• Main UI polish now refines ambient surfaces, toolbar/filter hierarchy, filter focus states, table depth, and reduced-motion-safe animation behavior.
• Mismatch Center now compares effective history/enrichment providers by default so inactive configured providers do not create pending/conflict rows; pass include_configured=1 to audit every configured provider.

Follow-up

• Table row-alignment scroll snapping is intentionally disabled for 0.9.0; revisit the implementation for 0.9.1 as a configurable or lower-cost behavior.

Added Emby and Tracearr provider support, plus the new basic local auth bypass mode.

Features

• Added Emby direct media-source support for shows and movies, including setup/test wiring, cached background refresh, provider-aware drilldowns, image proxying, mismatch-center participation, and Emby-backed diagnostics and insights.
• Added Emby as a selectable enrichment provider, including setup reuse when Emby is already chosen as the active media source.
• Added Tracearr as a selectable history provider, including setup/test/save wiring, cache/refresh support, mismatch-center participation, and playback-match diagnostics support.
• Tracearr support now uses its public API with automatic fallback from stable-ID matching to title/year matching when the newer public fields are unavailable.
• Added an explicit basic_local_bypass authentication mode for trusted direct LAN installs. This mode requires configured Basic Auth credentials, a direct proxy mode, and an explicit local-bypass opt-in; only direct peer addresses in the configured local CIDRs can bypass the browser auth prompt, and forwarded headers are ignored for bypass decisions.
• Auth modes are now explicitly split as:
  • basic: Sortarr challenges every client with its own Basic Auth credentials.
  • basic_local_bypass: Sortarr still requires Basic Auth credentials, but allowed direct local peers can bypass the browser auth prompt.
  • external: Sortarr trusts a configured upstream auth header from a trusted reverse proxy and does not require Sortarr-managed Basic Auth for steady-state access.
• Setup, /api/config, and setup bootstrap payloads now expose shared provider-state data for media, history, and enrichment, making selected, available, effective, and reason values explicit.

Fixes

• Setup source selection is now authoritative: when a specific media, history, or enrichment provider is selected, Sortarr warns when that provider is not configured or not currently effective instead of silently falling back to another configured provider.
• Split media-source, history-source, and enrichment-provider semantics more consistently across setup summaries, helper text, and provider-specific actions so history-only flows no longer imply that media-provider features are active.

# 0.8.9

Features

• Setup now shows live per-section header summaries so collapsed steps indicate the current media, history, security, and advanced configuration state at a glance.
• Setup now prioritizes Plex, Jellystat, Streamystats, or Tautulli within the history/playback section based on the selected preferred history source, keeping the chosen provider closest to the top of the step.
• Setup now progressively reveals optional Sonarr and Radarr instances behind explicit add actions, keeps history/playback provider forms hidden until they are preferred, already configured, or explicitly added, and adds explicit Remove connection actions for saved optional provider blocks.
• Setup now adds section-level setup status badges, routes validation failures back to the relevant step, keeps stored-secret-backed sections understandable even when secret fields are blank, and splits setup validation into section-oriented backend helpers.
• Setup now uses a five-step source-category flow: Media info source, History source, Playback and enrichment providers, Protect access, and Advanced network and performance, with explicit Plex/Jellyfin connection reuse between steps.
• Added Jellyfin direct media-source support for shows and movies, including provider-aware drilldowns, image proxying, mismatch-center support, and provider-aware insights.
• Added Jellyfin diagnostics and provider-aware /api/playback/insights support, including library-scoped Jellyfin match-health views.
• Added Streamystats as a selectable history provider, including setup/test/save wiring, background refresh/cache support, mismatch-center participation, and Streamystats-backed playback overlays for Sonarr/Radarr rows.

Fixes

• Stopped deleting on-disk Arr, Plex, Tautulli, and Jellystat caches on routine app-version changes during startup. Sortarr now keeps warm caches across normal upgrades and instead relies on explicit cache payload version mismatches to invalidate stale cache formats.
• Basic Auth setup now accepts a newly entered password even if the remove-password checkbox is ticked, avoiding the upgrade/setup trap where replacing credentials could be misread as requiring the old password to be cleared first.
• Added env-driven iframe embedding control via SORTARR_FRAME_ANCESTORS while keeping the secure default deny posture. Same-origin embedding now emits X-Frame-Options: SAMEORIGIN; multi-origin embedding relies on CSP frame-ancestors.
• Sonarr season expansion layout now supports a Merged mode in the season dropdown, combining visible seasons into one sortable episode grid.
• Sonarr season expansion episode lists now support field-based sorting, including CF Score, via both sticky header clicks and dedicated sort field/order controls.
• Sonarr score extrema columns now default hidden, and the visible labels/tooltips clarify that they represent the lowest and highest episode custom format scores found within the series or season.
• Reused the existing startup Arr bootstrap load instead of issuing a second duplicate first-tab fetch during frontend init, reducing redundant initial network and render work without changing visible behavior.
• Delayed only the hidden-tab startup Arr prefetch so first-load audits prioritize the active tab; manual refreshes and later background refresh behavior are unchanged.
• Deferred non-critical mobile startup UI wiring for filter/panel controls and Radarr poster hover behavior until after first paint settles, reducing mobile main-thread startup work without changing table load behavior.
• Expanded header-triggered column filters to more unambiguous numeric and boolean fields, still reusing the existing filter-token engine so sorting and active-filter state stay in sync.
• Added contextual per-column active filter chips inside the header filter popup so existing column-specific filters are visible and removable without leaving the header workflow.
• Expanded header-triggered column filters to additional real table columns with unambiguous existing parser semantics, including Instance, Sonarr Avg / Ep and Title Slug, Edition, Video HDR, Watch Time, and TMDB ID.
• Added the remaining date-like header funnels with conservative raw date-fragment matching for Date Added, Last Aired, Last Search, and Last Watched, keeping the existing parser semantics instead of inventing new date operators.
• Added a first Excel-style Values mode for safe enum/bool header filters, using the existing popup shell and token engine with dataset-driven checklist values for columns like Status, Monitored, Quality, Resolution, Video Codec, Audio Codec, Has File, Available, and related low-cardinality fields.
• Expanded the mixed Values/Advanced header popup to Studio and Release Group, using case-insensitive distinct values from the active dataset while keeping the existing advanced text matching available.
• Capped noisy header checklist popups, added an in-popup overflow hint with search guidance, and frequency-sorted Studio and Release Group values so large distinct-value lists remain usable without disabling mixed mode.
• Kept Audio Languages and Subtitle Languages in Advanced mode only after auditing the underlying language data, and fixed Users Watched so its header condition menu correctly exposes the numeric operators.
• Upgraded requests to 2.33.0 to address the current GitHub dependabot advisory for insecure temporary file reuse in extract_zipped_paths().
• Hardened local secret-file resolution so only files whose real paths remain under the expected base/secrets roots are eligible for loading.
• Added a defensive secret scrub in env-file writes so plaintext secret values are converted to file/credential refs, or cleared when an external secret ref already exists, before persisting config.
• Added a lightweight Plex sections bootstrap cache so /api/config can populate plex_libraries without loading the full Plex index cache on cold startup, while still validating the snapshot against the current Plex server URL/token and falling back to the full cache when needed.
• Jellyfin direct media rows now populate size and bitrate fields from Jellyfin media metadata instead of relying only on local filesystem stats.
• Jellyfin and Plex direct-media modes now hide Arr-only workflow columns that do not make sense outside Sonarr/Radarr-backed views.
• Fixed Jellyfin mismatch-center inclusion, insights provider selection, and cache/refresh edge cases that could leave stale partial Jellyfin state in use.
• Fixed provider-aware match-health reporting so Plex and Jellyfin insights reflect the active playback/history provider instead of misleading provider self-match totals, and now label match summaries as Series / Movies.
• Fixed direct-media season and episode drilldowns plus poster proxying for Jellyfin and Plex-backed views.
• Removed the hardcoded sample SORTARR_FRAME_ANCESTORS value from the Docker Compose example, refreshed the Unraid template product description, and expanded Docker entrypoint ownership prep to cover Plex, Jellyfin, Jellystat, and Streamystats cache path overrides.