From 8f82ac481a348fdd16cb717afae2fd38f7c40bf3 Mon Sep 17 00:00:00 2001
From: Gauvain
Date: Mon, 8 Jun 2026 13:33:54 +0200
Subject: [PATCH 1/3] chore: enforce LF line endings repo-wide via .gitattributes (#1643)
---
 .gitattributes | 29 +++++++++-
 .github/workflows/crowdin.yml | 102 +++++++++++++++++-----------------
 .gitignore | 11 +---
 3 files changed, 81 insertions(+), 61 deletions(-)
diff --git a/.gitattributes b/.gitattributes
index 56dea9663..4d651aeb4 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1 +1,28 @@
-.modules/vlc-player/Frameworks/*.xcframework filter=lfs diff=lfs merge=lfs -text
+# Normalise line endings to LF for everyone. Files are stored as LF in git and
+# checked out as LF on every OS, so Windows clones stop producing CRLF churn
+# (no more "LF will be replaced by CRLF" warnings) regardless of core.autocrlf.
+* text=auto eol=lf
+
+# Windows-only scripts must stay CRLF
+*.bat text eol=crlf
+*.cmd text eol=crlf
+
+# Binary assets — never touched / never normalised
+*.png binary
+*.jpg binary
+*.jpeg binary
+*.gif binary
+*.webp binary
+*.ico binary
+*.icns binary
+*.ttf binary
+*.otf binary
+*.woff binary
+*.woff2 binary
+*.mp3 binary
+*.mp4 binary
+*.mov binary
+*.pdf binary
+*.keystore binary
+*.jks binary
+*.p12 binary
diff --git a/.github/workflows/crowdin.yml b/.github/workflows/crowdin.yml
index c6effebf1..feb9a00fe 100644
--- a/.github/workflows/crowdin.yml
+++ b/.github/workflows/crowdin.yml
@@ -1,51 +1,51 @@
-name: 🌐 Translation Sync
-
-on:
- push:
- branches: [develop]
- paths:
- - "translations/**"
- - "crowdin.yml"
- - "i18n.ts"
- - ".github/workflows/crowdin.yml"
- # Run weekly to pull new translations
- schedule:
- - cron: "0 2 * * 1" # Every Monday at 2 AM UTC
- workflow_dispatch:
-
-permissions:
- contents: write
- pull-requests: write
-
-jobs:
- sync-translations:
- runs-on: ubuntu-latest
-
- steps:
- - name: 📥 Checkout Repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- fetch-depth: 0
-
- - name: 🌐 Sync Translations with Crowdin
- uses: crowdin/github-action@8868a33591d21088edfc398968173a3b98d51706 # v2.16.2
- with:
- upload_sources: true
- upload_translations: true
- download_translations: true
- localization_branch_name: I10n_crowdin_translations
- create_pull_request: true
- pull_request_title: "feat: New Crowdin Translations"
- pull_request_body: "New Crowdin translations by [Crowdin GH Action](https://github.com/crowdin/github-action)"
- pull_request_base_branch_name: "develop"
- pull_request_labels: "🌐 translation"
- # Quality control options
- skip_untranslated_strings: false
- skip_untranslated_files: false
- export_only_approved: false
- # Commit customization
- commit_message: "feat(i18n): update translations from Crowdin"
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- CROWDIN_PROJECT_ID: ${{ secrets.CROWDIN_PROJECT_ID }}
- CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_PERSONAL_TOKEN }}
+name: 🌐 Translation Sync
+
+on:
+ push:
+ branches: [develop]
+ paths:
+ - "translations/**"
+ - "crowdin.yml"
+ - "i18n.ts"
+ - ".github/workflows/crowdin.yml"
+ # Run weekly to pull new translations
+ schedule:
+ - cron: "0 2 * * 1" # Every Monday at 2 AM UTC
+ workflow_dispatch:
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ sync-translations:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: 📥 Checkout Repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #
v6.0.2 + with: + fetch-depth: 0 + + - name: 🌐 Sync Translations with Crowdin + uses: crowdin/github-action@8868a33591d21088edfc398968173a3b98d51706 # v2.16.2 + with: + upload_sources: true + upload_translations: true + download_translations: true + localization_branch_name: I10n_crowdin_translations + create_pull_request: true + pull_request_title: "feat: New Crowdin Translations" + pull_request_body: "New Crowdin translations by [Crowdin GH Action](https://github.com/crowdin/github-action)" + pull_request_base_branch_name: "develop" + pull_request_labels: "🌐 translation" + # Quality control options + skip_untranslated_strings: false + skip_untranslated_files: false + export_only_approved: false + # Commit customization + commit_message: "feat(i18n): update translations from Crowdin" + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + CROWDIN_PROJECT_ID: ${{ secrets.CROWDIN_PROJECT_ID }} + CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_PERSONAL_TOKEN }} diff --git a/.gitignore b/.gitignore index ef41769f9..d46c8a6f8 100644 --- a/.gitignore +++ b/.gitignore @@ -1,6 +1,5 @@ # Dependencies and Package Managers node_modules/ -bun.lock bun.lockb package-lock.json @@ -21,10 +20,8 @@ web-build/ # Gradle caches (top-level + per-module native projects) **/.gradle/ -# Module-specific Builds -modules/mpv-player/android/build -modules/player/android -modules/hls-downloader/android/build +# Native module build outputs (any module) +modules/*/android/build/ # Generated Applications Streamyfin.app @@ -69,10 +66,6 @@ certs/ # Version and Backup Files /version-backup-* -/modules/sf-player/android/build -/modules/music-controls/android/build -modules/background-downloader/android/build/* -/modules/mpv-player/android/build # ios:unsigned-build Artifacts build/ From 36ed7539a25c3201eb1fcbdfb10a22c12bcfb640 Mon Sep 17 00:00:00 2001 
From: Gauvain
Date: Mon, 8 Jun 2026 14:05:23 +0200
Subject: [PATCH 2/3] ci(security): add Trivy filesystem scan to code scanning (#1644)
---
 .github/workflows/trivy-scan.yml | 60 ++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
 create mode 100644 .github/workflows/trivy-scan.yml
diff --git a/.github/workflows/trivy-scan.yml b/.github/workflows/trivy-scan.yml
new file mode 100644
index 000000000..9eea1fbc1
--- /dev/null
+++ b/.github/workflows/trivy-scan.yml
@@ -0,0 +1,60 @@
+name: 🛡️ Trivy Security Scan
+
+# Filesystem scan (Streamyfin ships no container image): finds vulnerable dependencies,
+# leaked secrets and misconfigurations, and reports them to GitHub code scanning.
+# Runs post-merge + weekly (not on PRs — dependency-review already gates PRs, and SARIF
+# upload needs a write token that fork PRs don't get).
+on:
+ push:
+ branches: [develop, master]
+ schedule:
+ - cron: "50 7 * * 5" # Weekly, Friday 07:50 UTC
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+concurrency:
+ group: trivy-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ trivy:
+ name: 🔎 Filesystem scan
+ runs-on: ubuntu-24.04
+ permissions:
+ contents: read
+ security-events: write # upload SARIF to code scanning
+ steps:
+ - name: 📥 Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+ # Rotate the DB cache weekly (matches the scheduled scan): cache hits within the week
+ # instead of a fresh immutable entry per run, still refreshing the DB every week.
+ - name: 🗓️ Compute weekly Trivy cache key
+ id: trivy-cache-key
+ run: echo "value=trivy-db-${{ runner.os }}-$(date -u +%G-%V)" >> "$GITHUB_OUTPUT"
+
+ - name: 💾 Cache Trivy vulnerability DB
+ uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+ with:
+ path: ~/.cache/trivy
+ key: ${{ steps.trivy-cache-key.outputs.value }}
+ restore-keys: trivy-db-${{ runner.os }}-
+
+ - name: 🔎 Run Trivy filesystem scan
+ uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
+ with:
+ scan-type: fs
+ scan-ref: .
+ scanners: vuln,secret,misconfig
+ ignore-unfixed: true
+ severity: CRITICAL,HIGH
+ format: sarif
+ output: trivy-results.sarif
+
+ - name: 📤 Upload results to code scanning
+ uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
+ with:
+ sarif_file: trivy-results.sarif
+ category: trivy-fs
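Review bot: The checkout step keeps the default credential persistence, so the job token stays available on the runner to the third-party steps that follow (`actions/cache`, `aquasecurity/trivy-action`) in a job that also holds `security-events: write`. Nothing later in the job fetches or pushes, so the checkout step can take a `with:` block containing `persist-credentials: false`. The scan settings also deserve a comment next to them: `ignore-unfixed: true` together with `severity: CRITICAL,HIGH` means a critical vulnerability with no upstream fix never reaches code scanning, which should be stated as deliberate, e.g. `# ignore-unfixed hides findings without a released fix; track those separately`. The header comment says the scan finds leaked secrets; with the default shallow checkout that appears to cover only the checked-out tree, not history, which is worth saying there too.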
From 168557140695218b07abd502240158f782e22a40 Mon Sep 17 00:00:00 2001
From: boolemancer <48014766+boolemancer@users.noreply.github.com>
Date: Mon, 8 Jun 2026 05:59:29 -0700
Subject: [PATCH 3/3] fix(downloads): Use mediaSource.Id instead of item.Id in direct download URL (#1666)
Co-authored-by: lance chant <13349722+lancechant@users.noreply.github.com>
Co-authored-by: Gauvain
---
 utils/jellyfin/media/getDownloadUrl.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/utils/jellyfin/media/getDownloadUrl.ts b/utils/jellyfin/media/getDownloadUrl.ts
index a63353b2b..989dc3656 100644
--- a/utils/jellyfin/media/getDownloadUrl.ts
+++ b/utils/jellyfin/media/getDownloadUrl.ts
@@ -50,7 +50,7 @@ export const getDownloadUrl = async ({
 if (maxBitrate.key === "Max" && !streamDetails?.mediaSource?.TranscodingUrl) {
 console.log("Downloading item directly");
 return {
- url: `${api.basePath}/Items/${item.Id}/Download?api_key=${api.accessToken}`,
+ url: `${api.basePath}/Items/${mediaSource.Id}/Download?api_key=${api.accessToken}`,
 mediaSource: streamDetails?.mediaSource ?? null,
 };
 }
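Review bot: The rewritten `url:` line reads `mediaSource.Id` with no guard, while the surrounding lines treat the source as optional (`streamDetails?.mediaSource`) and return that object rather than the one the URL was built from. `mediaSource` is declared outside the hunk, so this is inferred: if it can be undefined the access throws, and if its `Id` is missing the request goes to `/Items/undefined/Download`. Resolving the id once would cover both cases, e.g. `const sourceId = mediaSource?.Id ?? item.Id;`, then using `sourceId` in the template. The same line still puts the access token in the query string (`api_key=${api.accessToken}`), so it ends up wherever the URL is logged or stored; if the download path accepts request headers, sending the token in an authorization header keeps it out of those records. The function body starts and ends outside the hunk.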