chore(security): harden helpers + document conflict-labeler safety

From the workflow security audit:
- symlink-native-dirs.js: drop the execSync shell strings for fs.symlink/mkdir
  (removes a latent shell-injection surface; also clears dead commented code).
- automerge.sh: add 'set -euo pipefail' and restore the starting branch on exit
  so a mid-merge failure can't leave the repo on the wrong branch.
- conflict.yml: document that this pull_request_target workflow must never check
  out or run PR-head code (it only labels via the API today).

.github/workflows/conflict.yml

@@ -3,6 +3,11 @@ name: 🏷️🔀Merge Conflict Labeler
 on:
   push:
     branches: [develop]
+  # SECURITY: pull_request_target runs with the base repo's write token and secrets.
+  # This job only labels via the API and is safe ONLY because it never checks out or
+  # runs the PR head's code. NEVER add `actions/checkout` of the PR head (or any `run:`
+  # that interpolates PR-controlled data) to this workflow — that would turn it into a
+  # full repo-compromise vector.
   pull_request_target:
     branches: [develop]
     types: [synchronize]

app/(auth)/(tabs)/(home)/settings.tsx

@@ -59,6 +59,7 @@ function SettingsMobile() {
 
         <QuickConnect className='mb-4' />
 
+        {Platform.OS !== "ios" && (
           <View className='mb-4'>
             <ListGroup title={t("pairing.pair_with_phone_title")}>
               <ListItem
@@ -70,6 +71,7 @@ function SettingsMobile() {
               />
             </ListGroup>
           </View>
+        )}
 
         <View className='mb-4'>
           <AppLanguageSelector />

app/(auth)/(tabs)/(home)/settings/plugins/streamystats/page.tsx

@@ -114,7 +114,7 @@ export default function StreamystatsPage() {
   };
 
   const handleRefreshFromServer = useCallback(async () => {
-    const newPluginSettings = await refreshStreamyfinPluginSettings(true);
+    const newPluginSettings = await refreshStreamyfinPluginSettings();
     // Update local state with new values
     const newUrl = newPluginSettings?.streamyStatsServerUrl?.value || "";
     setUrl(newUrl);

components/login/TVAddServerForm.tsx

@@ -1,6 +1,6 @@
 import { t } from "i18next";
 import React, { useCallback, useState } from "react";
-import { ScrollView, View } from "react-native";
+import { Platform, ScrollView, View } from "react-native";
 import { Button } from "@/components/Button";
 import { Text } from "@/components/common/Text";
 import { useScaledTVTypography } from "@/constants/TVTypography";
@@ -107,7 +107,7 @@ export const TVAddServerForm: React.FC<TVAddServerFormProps> = ({
         </View>
 
         {/* Pair with Phone */}
-        {onStartPairing && (
+        {Platform.OS !== "ios" && onStartPairing && (
           <View>
             <Button
               onPress={onStartPairing}

components/settings/OtherSettings.tsx

@@ -196,7 +196,10 @@ export const OtherSettings: React.FC = () => {
             }
           />
         </ListItem>
-        <ListItem title={t("home.settings.other.max_auto_play_episode_count")}>
+        <ListItem
+          title={t("home.settings.other.max_auto_play_episode_count")}
+          disabled={pluginSettings?.maxAutoPlayEpisodeCount?.locked}
+        >
           <PlatformDropdown
             groups={autoPlayEpisodeOptions}
             trigger={

components/settings/PlaybackControlsSettings.tsx

@@ -229,7 +229,10 @@ export const PlaybackControlsSettings: React.FC = () => {
 
         <ListItem
           title={t("home.settings.other.max_auto_play_episode_count")}
-          disabled={!settings.autoPlayNextEpisode}
+          disabled={
+            !settings.autoPlayNextEpisode ||
+            pluginSettings?.maxAutoPlayEpisodeCount?.locked
+          }
         >
           <PlatformDropdown
             groups={autoPlayEpisodeOptions}

components/video-player/controls/Controls.tv.tsx

@@ -1254,7 +1254,7 @@ export const Controls: FC<Props> = ({
                 <Text
                   style={[styles.endsAtText, { fontSize: typography.callout }]}
                 >
-                  {t("player.ends_at")} {getFinishTime()}
+                  {t("player.ends_at", { time: getFinishTime() })}
                 </Text>
               </View>
             )}
@@ -1448,7 +1448,7 @@ export const Controls: FC<Props> = ({
                 <Text
                   style={[styles.endsAtText, { fontSize: typography.callout }]}
                 >
-                  {t("player.ends_at")} {getFinishTime()}
+                  {t("player.ends_at", { time: getFinishTime() })}
                 </Text>
               </View>
             )}

scripts/automerge.sh

@@ -1,12 +1,22 @@
 #!/bin/bash
-[[ -z $(git status --porcelain) ]] &&
+# Local helper: fast-forward master into develop and back. Aborts on any failure and
-git checkout master &&
+# restores the branch you started on. Not used in CI.
-git pull --ff-only &&
+set -euo pipefail
-git checkout develop &&
+
-git merge master &&
+if [[ -n $(git status --porcelain) ]]; then
-git push --follow-tags &&
+  echo "Error: working tree is not clean — commit or stash first." >&2
-git checkout master &&
+  exit 1
-git merge develop --ff-only &&
+fi
-git push &&
+
-git checkout develop ||
+start_branch=$(git rev-parse --abbrev-ref HEAD)
-(echo "Error: Failed to merge" && exit 1)
+trap 'git checkout "$start_branch" >/dev/null 2>&1 || true' EXIT
+
+git checkout master
+git pull --ff-only
+git checkout develop
+git merge master
+git push --follow-tags
+git checkout master
+git merge develop --ff-only
+git push
+git checkout develop

scripts/symlink-native-dirs.js

@@ -1,62 +1,28 @@
 #!/usr/bin/env node
 
-const _fs = require("node:fs");
+// Symlinks the platform-specific native dirs to `ios` / `android` depending on EXPO_TV.
+// Uses fs APIs (no shell) so there is no command-injection surface.
+
+const fs = require("node:fs");
 const path = require("node:path");
-const process = require("node:process");
-const { execSync } = require("node:child_process");
 
 const root = process.cwd();
-// const tvosPath = path.join(root, 'iostv');
+const isTV = process.env.EXPO_TV && process.env.EXPO_TV !== "0";
-// const iosPath = path.join(root, 'iosmobile');
-// const androidPath = path.join(root, 'androidmobile');
-// const androidTVPath = path.join(root, 'androidtv');
-// const device = process.argv[2];
-// const platform = process.argv[2];
-const isTV = process.env.EXPO_TV || false;
 
-const paths = new Map([
+const links = isTV
-  ["tvos", path.join(root, "iostv")],
+  ? { ios: path.join(root, "iostv"), android: path.join(root, "androidtv") }
-  ["ios", path.join(root, "iosmobile")],
+  : {
-  ["android", path.join(root, "androidmobile")],
+      ios: path.join(root, "iosmobile"),
-  ["androidtv", path.join(root, "androidtv")],
+      android: path.join(root, "androidmobile"),
-]);
+    };
 
-// const platformPath = paths.get(platform);
+for (const [link, target] of Object.entries(links)) {
-
+  fs.mkdirSync(target, { recursive: true });
-if (isTV) {
+  try {
-  stdout = execSync(
+    fs.unlinkSync(link); // replace an existing symlink/file (ln -nsf)
-    `mkdir -p ${paths.get("tvos")}; ln -nsf ${paths.get("tvos")} ios`,
+  } catch {
-  );
+    // nothing to remove
-  console.log(stdout.toString());
+  }
-  stdout = execSync(
+  fs.symlinkSync(target, link);
-    `mkdir -p ${paths.get("androidtv")}; ln -nsf ${paths.get(
+  console.log(`${link} -> ${target}`);
-      "androidtv",
-    )} android`,
-  );
-  console.log(stdout.toString());
-} else {
-  stdout = execSync(
-    `mkdir -p ${paths.get("ios")}; ln -nsf ${paths.get("ios")} ios`,
-  );
-  console.log(stdout.toString());
-  stdout = execSync(
-    `mkdir -p ${paths.get("android")}; ln -nsf ${paths.get("android")} android`,
-  );
-  console.log(stdout.toString());
 }
-
-// target = "";
-// switch (platform) {
-//   case "tvos":
-//     target = "ios";
-//     break;
-//   case "ios":
-//     target = "ios";
-//     break;
-//   case "android":
-//     target = "android";
-//     break;
-//   case "androidtv":
-//     target = "android";
-//     break;
-// }

utils/atoms/settings.ts

@@ -6,6 +6,7 @@ import {
   type SortOrder,
   SubtitlePlaybackMode,
 } from "@jellyfin/sdk/lib/generated-client";
+import { t } from "i18next";
 import { atom, useAtom, useAtomValue } from "jotai";
 import { useCallback, useEffect, useMemo } from "react";
 import { BITRATES, type Bitrate } from "@/components/BitrateSelector";
@@ -121,6 +122,46 @@ export interface MaxAutoPlayEpisodeCount {
   value: number;
 }
 
+/**
+ * The plugin may send object-typed settings as plain primitives.
+ * Resolve to the proper option object from the available choices.
+ */
+const normalizePluginValue = (
+  settingsKey: keyof Settings,
+  value: unknown,
+): unknown => {
+  if (typeof value !== "object" || value === null) {
+    const defaultVal = defaultValues[settingsKey];
+    if (
+      typeof defaultVal === "object" &&
+      defaultVal !== null &&
+      "key" in defaultVal &&
+      "value" in defaultVal
+    ) {
+      // defaultBitrate needs a lookup because its keys are human-readable
+      // (e.g. "8 Mb/s") that can't be derived from the raw value (e.g. 8000000).
+      // Other { key, value } settings like maxAutoPlayEpisodeCount work with
+      // the fallback because their keys are just String(value) (e.g. "5").
+      if (settingsKey === "defaultBitrate") {
+        const match = BITRATES.find(
+          (b) => b.key === value || b.value === value,
+        );
+        if (match) return match;
+      }
+      // maxAutoPlayEpisodeCount: 0 is invalid (breaks autoplay), clamp to -1
+      // -1 key must match the translated dropdown label so the UI shows "Disabled"
+      if (
+        settingsKey === "maxAutoPlayEpisodeCount" &&
+        (value === 0 || value === -1)
+      ) {
+        return { key: t("home.settings.other.disabled"), value: -1 };
+      }
+      return { key: String(value), value };
+    }
+  }
+  return value;
+};
+
 export type HomeSectionLatestResolver = {
   parentId?: string;
   limit?: number;
@@ -427,8 +468,7 @@ export const useSettings = () => {
     [_setPluginSettings],
   );
 
-  const refreshStreamyfinPluginSettings = useCallback(
+  const refreshStreamyfinPluginSettings = useCallback(async () => {
-    async (forceOverride = false) => {
     if (!api) {
       return;
     }
@@ -441,37 +481,16 @@ export const useSettings = () => {
     );
     setPluginSettings(newPluginSettings);
 
-      // Apply plugin values to settings
+    // Locked/unlocked values are handled by the settings memo, which
+    // applies locked values at runtime without overwriting user storage.
+    // We only handle auto-enabling Streamystats here.
     if (newPluginSettings && _settings) {
-        const updates: Partial<Settings> = {};
-        for (const [key, setting] of Object.entries(newPluginSettings)) {
-          if (setting && !setting.locked && setting.value !== undefined) {
-            const settingsKey = key as keyof Settings;
-            const effectiveValue = getEffectiveSettingValue(
-              _settings,
-              settingsKey,
-            );
-            // Apply if forceOverride is true, or if neither persisted settings
-            // nor app defaults provide a meaningful value.
-            if (forceOverride || !hasMeaningfulSettingValue(effectiveValue)) {
-              (updates as any)[settingsKey] = setting.value;
-            }
-          }
-        }
-
-        // Auto-enable Streamystats if server URL is provided
       const streamyStatsUrl = newPluginSettings.streamyStatsServerUrl;
-        if (
+      if (streamyStatsUrl?.value && _settings.searchEngine !== "Streamystats") {
-          streamyStatsUrl?.value &&
-          _settings.searchEngine !== "Streamystats"
-        ) {
-          updates.searchEngine = "Streamystats";
-        }
-        if (Object.keys(updates).length > 0) {
         const newSettings = {
           ...defaultValues,
           ..._settings,
-            ...updates,
+          searchEngine: "Streamystats",
         } as Settings;
         setSettings(newSettings);
         saveSettings(newSettings);
@@ -479,9 +498,7 @@ export const useSettings = () => {
     }
 
     return newPluginSettings;
-    },
+  }, [api, _settings]);
-    [api, _settings],
-  );
 
   const updateSettings = (update: Partial<Settings>) => {
     if (!_settings) {
@@ -512,8 +529,13 @@ export const useSettings = () => {
       Partial<Settings>
     >((acc, [key, setting]) => {
       if (setting) {
-        const { value, locked } = setting;
+        let { value } = setting;
+        const { locked } = setting;
         const settingsKey = key as keyof Settings;
+
+        // Normalize object-typed settings from plugin (plain primitive → { key, value })
+        value = normalizePluginValue(settingsKey, value);
+
         const effectiveValue = getEffectiveSettingValue(_settings, settingsKey);
 
         (acc as any)[settingsKey] = locked

utils/pairingService.ts

@@ -27,6 +27,7 @@ export function startPairingListener(
   });
 
   socket.on("error", (err) => {
+    if (!active) return;
     if (__DEV__) console.error("[PairingService] Socket error:", err);
     onError?.(err.message);
     cleanup();