fix(detect-duplicate): sanitize reposted issue titles

Security audit: the bot echoes other issues' titles back into a comment, so a
maliciously-named issue could ping (@everyone) or inject markdown/HTML. Break
@-mentions with a zero-width space and strip markdown/HTML control chars before
posting.

.github/workflows/detect-duplicate.yml

@@ -0,0 +1,38 @@
+name: 🔁 Detect Duplicate Issues
+
+on:
+  issues:
+    types: [opened]
+
+permissions:
+  contents: read
+
+concurrency:
+  group: detect-duplicate-${{ github.event.issue.number }}
+  cancel-in-progress: true
+
+jobs:
+  detect:
+    name: 🔍 Find similar issues
+    if: github.actor != 'github-actions[bot]'
+    runs-on: ubuntu-24.04
+    permissions:
+      issues: write
+      contents: read
+    steps:
+      - name: 📥 Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: 🍞 Setup Bun
+        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
+        with:
+          bun-version: latest
+
+      - name: 🔍 Detect duplicate issues
+        run: bun scripts/detect-duplicate-issue.mjs
+        env:
+          GH_TOKEN: ${{ github.token }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
+          ISSUE_NUMBER: ${{ github.event.issue.number }}
+          ISSUE_TITLE: ${{ github.event.issue.title }}
+          ISSUE_BODY: ${{ github.event.issue.body }}

app/(auth)/(tabs)/(home)/settings.tsx

@@ -59,17 +59,19 @@ function SettingsMobile() {
 
         <QuickConnect className='mb-4' />
 
-        <View className='mb-4'>
+        {Platform.OS !== "ios" && (
-          <ListGroup title={t("pairing.pair_with_phone_title")}>
+          <View className='mb-4'>
-            <ListItem
+            <ListGroup title={t("pairing.pair_with_phone_title")}>
-              onPress={() =>
+              <ListItem
-                router.push("/(auth)/(tabs)/(home)/companion-login")
+                onPress={() =>
-              }
+                  router.push("/(auth)/(tabs)/(home)/companion-login")
-              title={t("pairing.pair_with_phone")}
+                }
-              textColor='blue'
+                title={t("pairing.pair_with_phone")}
-            />
+                textColor='blue'
-          </ListGroup>
+              />
-        </View>
+            </ListGroup>
+          </View>
+        )}
 
         <View className='mb-4'>
           <AppLanguageSelector />

app/(auth)/(tabs)/(home)/settings/plugins/streamystats/page.tsx

@@ -114,7 +114,7 @@ export default function StreamystatsPage() {
   };
 
   const handleRefreshFromServer = useCallback(async () => {
-    const newPluginSettings = await refreshStreamyfinPluginSettings(true);
+    const newPluginSettings = await refreshStreamyfinPluginSettings();
     // Update local state with new values
     const newUrl = newPluginSettings?.streamyStatsServerUrl?.value || "";
     setUrl(newUrl);

components/login/TVAddServerForm.tsx

@@ -1,6 +1,6 @@
 import { t } from "i18next";
 import React, { useCallback, useState } from "react";
-import { ScrollView, View } from "react-native";
+import { Platform, ScrollView, View } from "react-native";
 import { Button } from "@/components/Button";
 import { Text } from "@/components/common/Text";
 import { useScaledTVTypography } from "@/constants/TVTypography";
@@ -107,7 +107,7 @@ export const TVAddServerForm: React.FC<TVAddServerFormProps> = ({
         </View>
 
         {/* Pair with Phone */}
-        {onStartPairing && (
+        {Platform.OS !== "ios" && onStartPairing && (
           <View>
             <Button
               onPress={onStartPairing}

components/settings/OtherSettings.tsx

@@ -196,7 +196,10 @@ export const OtherSettings: React.FC = () => {
             }
           />
         </ListItem>
-        <ListItem title={t("home.settings.other.max_auto_play_episode_count")}>
+        <ListItem
+          title={t("home.settings.other.max_auto_play_episode_count")}
+          disabled={pluginSettings?.maxAutoPlayEpisodeCount?.locked}
+        >
           <PlatformDropdown
             groups={autoPlayEpisodeOptions}
             trigger={

components/settings/PlaybackControlsSettings.tsx

@@ -229,7 +229,10 @@ export const PlaybackControlsSettings: React.FC = () => {
 
         <ListItem
           title={t("home.settings.other.max_auto_play_episode_count")}
-          disabled={!settings.autoPlayNextEpisode}
+          disabled={
+            !settings.autoPlayNextEpisode ||
+            pluginSettings?.maxAutoPlayEpisodeCount?.locked
+          }
         >
           <PlatformDropdown
             groups={autoPlayEpisodeOptions}

components/video-player/controls/Controls.tv.tsx

@@ -1254,7 +1254,7 @@ export const Controls: FC<Props> = ({
                 <Text
                   style={[styles.endsAtText, { fontSize: typography.callout }]}
                 >
-                  {t("player.ends_at")} {getFinishTime()}
+                  {t("player.ends_at", { time: getFinishTime() })}
                 </Text>
               </View>
             )}
@@ -1448,7 +1448,7 @@ export const Controls: FC<Props> = ({
                 <Text
                   style={[styles.endsAtText, { fontSize: typography.callout }]}
                 >
-                  {t("player.ends_at")} {getFinishTime()}
+                  {t("player.ends_at", { time: getFinishTime() })}
                 </Text>
               </View>
             )}

scripts/detect-duplicate-issue.mjs

@@ -0,0 +1,202 @@
+#!/usr/bin/env bun
+/**
+ * Flags likely-duplicate issues when a new issue is opened, using lexical similarity
+ * (Jaccard over word sets of the title and body) — no API key, no embeddings.
+ *
+ * On a match it posts ONE comment listing the closest open issues and adds the
+ * "possible duplicate" label. If nothing is similar enough, it does nothing.
+ *
+ * Env:
+ *   GITHUB_REPOSITORY   owner/repo
+ *   ISSUE_NUMBER        the new issue number
+ *   ISSUE_TITLE         the new issue title
+ *   ISSUE_BODY          the new issue body
+ *   GH_TOKEN/GITHUB_TOKEN  for gh (provided in CI)
+ *   DUP_THRESHOLD       similarity threshold 0..1 (default 0.3)
+ *   DUP_MAX             max matches to report (default 5)
+ *   DUP_FIXTURE         optional path to a JSON array of {number,title,body} (local testing)
+ *   DRY_RUN             if set, print results instead of commenting/labelling
+ */
+
+import { execFileSync } from "node:child_process";
+import { readFileSync } from "node:fs";
+
+const REPO = process.env.GITHUB_REPOSITORY || "streamyfin/streamyfin";
+const NUMBER = Number(process.env.ISSUE_NUMBER);
+const TITLE = process.env.ISSUE_TITLE || "";
+const BODY = process.env.ISSUE_BODY || "";
+const THRESHOLD = Number(process.env.DUP_THRESHOLD) || 0.3;
+const MAX = Number(process.env.DUP_MAX) || 5;
+const DRY = !!process.env.DRY_RUN;
+const LABEL = "possible duplicate";
+
+// Generic stop words only — keep domain/feature/platform words (android, downloads,
+// subtitles…) since those are exactly what makes two reports the same or different.
+const STOP = new Set(
+  (
+    "a an the and or but if then of to in on at by for with from as is are was were be been being do does did " +
+    "it its this that these those i you we they me my your our their he she him her " +
+    "when while where what which who how why so just then than too very can could would should will " +
+    "not no nor only own same s t don dont im ive please thanks hi hello also still get got use used using " +
+    "app application streamyfin issue bug"
+  ).split(/\s+/),
+);
+
+const stem = (w) => w.replace(/(ing|ed|es|s)$/, "");
+
+const tokens = (s) =>
+  (s || "")
+    .toLowerCase()
+    .replace(/```[\s\S]*?```/g, " ") // drop code blocks
+    .replace(/<!--[\s\S]*?-->/g, " ") // drop html comments
+    .replace(/https?:\/\/\S+/g, " ") // drop urls
+    .replace(/[^a-z0-9\s]/g, " ")
+    .split(/\s+/)
+    .filter((w) => w.length > 2 && !STOP.has(w))
+    .map(stem)
+    .filter((w) => w.length > 2);
+
+const jaccard = (a, b) => {
+  const A = new Set(a);
+  const B = new Set(b);
+  if (!A.size || !B.size) return 0;
+  let inter = 0;
+  for (const x of A) if (B.has(x)) inter++;
+  return inter / (A.size + B.size - inter);
+};
+
+const newTitle = tokens(TITLE);
+const newBody = tokens(BODY);
+const score = (o) =>
+  0.6 * jaccard(newTitle, tokens(o.title)) +
+  0.4 * jaccard(newBody, tokens(o.body));
+
+// fetch open issues (excluding PRs and the new issue itself)
+let issues;
+if (process.env.DUP_FIXTURE) {
+  issues = JSON.parse(readFileSync(process.env.DUP_FIXTURE, "utf8"));
+} else {
+  const raw = execFileSync(
+    "gh",
+    [
+      "api",
+      `repos/${REPO}/issues`,
+      "--paginate",
+      "-X",
+      "GET",
+      "-f",
+      "state=open",
+      "-f",
+      "per_page=100",
+      "--jq",
+      ".[] | select(.pull_request | not) | {number, title, body}",
+    ],
+    { encoding: "utf8", maxBuffer: 1e8 },
+  );
+  issues = raw
+    .split("\n")
+    .filter(Boolean)
+    .map((l) => JSON.parse(l));
+}
+
+const matches = issues
+  .filter((o) => o.number !== NUMBER)
+  .map((o) => ({ ...o, s: score(o) }))
+  .filter((o) => o.s >= THRESHOLD)
+  .sort((a, b) => b.s - a.s)
+  .slice(0, MAX);
+
+if (!matches.length) {
+  console.log("No likely duplicates found.");
+  process.exit(0);
+}
+
+// Neutralise other issues' titles before echoing them back: break @mentions and
+// strip markdown/HTML control chars so a maliciously-named issue can't ping people
+// or inject formatting into our comment. GitHub linkifies "#123" on its own.
+const safeTitle = (t) =>
+  (t || "")
+    .replace(/@/g, "@​")
+    .replace(/[`<>|*_~[\]]/g, " ")
+    .replace(/\s+/g, " ")
+    .trim()
+    .slice(0, 140);
+const list = matches
+  .map(
+    (m) =>
+      `- #${m.number} — ${safeTitle(m.title)} (≈ ${Math.round(m.s * 100)}% similar)`,
+  )
+  .join("\n");
+const comment = [
+  "<!-- duplicate-detector -->",
+  "🔍 **This looks like it might be a duplicate.** Possibly related open issues:",
+  "",
+  list,
+  "",
+  "If yours is different, ignore this — a maintainer will confirm. Otherwise, please 👍 the existing issue and add any extra details there.",
+].join("\n");
+
+console.log(`Found ${matches.length} possible duplicate(s):\n${list}`);
+
+if (DRY) {
+  console.log("\nDRY_RUN: not commenting/labelling.");
+  process.exit(0);
+}
+
+execFileSync(
+  "gh",
+  [
+    "api",
+    "-X",
+    "POST",
+    `repos/${REPO}/issues/${NUMBER}/comments`,
+    "-f",
+    `body=${comment}`,
+  ],
+  { stdio: "ignore" },
+);
+try {
+  execFileSync(
+    "gh",
+    [
+      "api",
+      "-X",
+      "POST",
+      `repos/${REPO}/issues/${NUMBER}/labels`,
+      "-f",
+      `labels[]=${LABEL}`,
+    ],
+    { stdio: "ignore" },
+  );
+} catch {
+  // label may not exist yet — create then add
+  execFileSync(
+    "gh",
+    [
+      "api",
+      "-X",
+      "POST",
+      `repos/${REPO}/labels`,
+      "-f",
+      `name=${LABEL}`,
+      "-f",
+      "color=fbca04",
+      "-f",
+      "description=Automatically flagged as a possible duplicate",
+    ],
+    { stdio: "ignore" },
+  );
+  execFileSync(
+    "gh",
+    [
+      "api",
+      "-X",
+      "POST",
+      `repos/${REPO}/issues/${NUMBER}/labels`,
+      "-f",
+      `labels[]=${LABEL}`,
+    ],
+    { stdio: "ignore" },
+  );
+}
+console.log("Commented and labelled.");

utils/atoms/settings.ts

@@ -6,6 +6,7 @@ import {
   type SortOrder,
   SubtitlePlaybackMode,
 } from "@jellyfin/sdk/lib/generated-client";
+import { t } from "i18next";
 import { atom, useAtom, useAtomValue } from "jotai";
 import { useCallback, useEffect, useMemo } from "react";
 import { BITRATES, type Bitrate } from "@/components/BitrateSelector";
@@ -121,6 +122,46 @@ export interface MaxAutoPlayEpisodeCount {
   value: number;
 }
 
+/**
+ * The plugin may send object-typed settings as plain primitives.
+ * Resolve to the proper option object from the available choices.
+ */
+const normalizePluginValue = (
+  settingsKey: keyof Settings,
+  value: unknown,
+): unknown => {
+  if (typeof value !== "object" || value === null) {
+    const defaultVal = defaultValues[settingsKey];
+    if (
+      typeof defaultVal === "object" &&
+      defaultVal !== null &&
+      "key" in defaultVal &&
+      "value" in defaultVal
+    ) {
+      // defaultBitrate needs a lookup because its keys are human-readable
+      // (e.g. "8 Mb/s") that can't be derived from the raw value (e.g. 8000000).
+      // Other { key, value } settings like maxAutoPlayEpisodeCount work with
+      // the fallback because their keys are just String(value) (e.g. "5").
+      if (settingsKey === "defaultBitrate") {
+        const match = BITRATES.find(
+          (b) => b.key === value || b.value === value,
+        );
+        if (match) return match;
+      }
+      // maxAutoPlayEpisodeCount: 0 is invalid (breaks autoplay), clamp to -1
+      // -1 key must match the translated dropdown label so the UI shows "Disabled"
+      if (
+        settingsKey === "maxAutoPlayEpisodeCount" &&
+        (value === 0 || value === -1)
+      ) {
+        return { key: t("home.settings.other.disabled"), value: -1 };
+      }
+      return { key: String(value), value };
+    }
+  }
+  return value;
+};
+
 export type HomeSectionLatestResolver = {
   parentId?: string;
   limit?: number;
@@ -427,61 +468,37 @@ export const useSettings = () => {
     [_setPluginSettings],
   );
 
-  const refreshStreamyfinPluginSettings = useCallback(
+  const refreshStreamyfinPluginSettings = useCallback(async () => {
-    async (forceOverride = false) => {
+    if (!api) {
-      if (!api) {
+      return;
-        return;
+    }
+    const newPluginSettings = await api.getStreamyfinPluginConfig().then(
+      ({ data }) => {
+        writeInfoLog("Got plugin settings", data?.settings);
+        return data?.settings;
+      },
+      (_err) => undefined,
+    );
+    setPluginSettings(newPluginSettings);
+
+    // Locked/unlocked values are handled by the settings memo, which
+    // applies locked values at runtime without overwriting user storage.
+    // We only handle auto-enabling Streamystats here.
+    if (newPluginSettings && _settings) {
+      const streamyStatsUrl = newPluginSettings.streamyStatsServerUrl;
+      if (streamyStatsUrl?.value && _settings.searchEngine !== "Streamystats") {
+        const newSettings = {
+          ...defaultValues,
+          ..._settings,
+          searchEngine: "Streamystats",
+        } as Settings;
+        setSettings(newSettings);
+        saveSettings(newSettings);
       }
-      const newPluginSettings = await api.getStreamyfinPluginConfig().then(
+    }
-        ({ data }) => {
-          writeInfoLog("Got plugin settings", data?.settings);
-          return data?.settings;
-        },
-        (_err) => undefined,
-      );
-      setPluginSettings(newPluginSettings);
 
-      // Apply plugin values to settings
+    return newPluginSettings;
-      if (newPluginSettings && _settings) {
+  }, [api, _settings]);
-        const updates: Partial<Settings> = {};
-        for (const [key, setting] of Object.entries(newPluginSettings)) {
-          if (setting && !setting.locked && setting.value !== undefined) {
-            const settingsKey = key as keyof Settings;
-            const effectiveValue = getEffectiveSettingValue(
-              _settings,
-              settingsKey,
-            );
-            // Apply if forceOverride is true, or if neither persisted settings
-            // nor app defaults provide a meaningful value.
-            if (forceOverride || !hasMeaningfulSettingValue(effectiveValue)) {
-              (updates as any)[settingsKey] = setting.value;
-            }
-          }
-        }
-
-        // Auto-enable Streamystats if server URL is provided
-        const streamyStatsUrl = newPluginSettings.streamyStatsServerUrl;
-        if (
-          streamyStatsUrl?.value &&
-          _settings.searchEngine !== "Streamystats"
-        ) {
-          updates.searchEngine = "Streamystats";
-        }
-        if (Object.keys(updates).length > 0) {
-          const newSettings = {
-            ...defaultValues,
-            ..._settings,
-            ...updates,
-          } as Settings;
-          setSettings(newSettings);
-          saveSettings(newSettings);
-        }
-      }
-
-      return newPluginSettings;
-    },
-    [api, _settings],
-  );
 
   const updateSettings = (update: Partial<Settings>) => {
     if (!_settings) {
@@ -512,8 +529,13 @@ export const useSettings = () => {
       Partial<Settings>
     >((acc, [key, setting]) => {
       if (setting) {
-        const { value, locked } = setting;
+        let { value } = setting;
+        const { locked } = setting;
         const settingsKey = key as keyof Settings;
+
+        // Normalize object-typed settings from plugin (plain primitive → { key, value })
+        value = normalizePluginValue(settingsKey, value);
+
         const effectiveValue = getEffectiveSettingValue(_settings, settingsKey);
 
         (acc as any)[settingsKey] = locked

utils/pairingService.ts

@@ -27,6 +27,7 @@ export function startPairingListener(
   });
 
   socket.on("error", (err) => {
+    if (!active) return;
     if (__DEV__) console.error("[PairingService] Socket error:", err);
     onError?.(err.message);
     cleanup();