ci(security): add Trivy filesystem scan to code scanning

Streamyfin ships no container image, so this runs a Trivy *filesystem* scan
(vulnerable deps, secrets, misconfig) and uploads SARIF to GitHub code scanning,
complementing CodeQL and dependency-review. Runs on push to develop/master,
weekly, and on demand (not on PRs — fork PRs can't upload SARIF, and
dependency-review already gates PR dependencies). Reports findings (CRITICAL/HIGH,
ignore-unfixed) without failing the build; the Security tab surfaces them.

.github/workflows/trivy-scan.yml

@@ -0,0 +1,62 @@
+name: 🛡️ Trivy Security Scan
+
+# Filesystem scan (Streamyfin ships no container image): finds vulnerable dependencies,
+# leaked secrets and misconfigurations, and reports them to GitHub code scanning.
+# Runs post-merge + weekly (not on PRs — dependency-review already gates PRs, and SARIF
+# upload needs a write token that fork PRs don't get).
+on:
+  push:
+    branches: [develop, master]
+    paths:
+      - "package.json"
+      - "bun.lock"
+      - "**/*.ts"
+      - "**/*.tsx"
+      - "**/*.js"
+      - "**/*.jsx"
+      - ".github/workflows/trivy-scan.yml"
+  schedule:
+    - cron: "50 7 * * 5" # Weekly, Friday 07:50 UTC
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: trivy-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  trivy:
+    name: 🔎 Filesystem scan
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      security-events: write # upload SARIF to code scanning
+    steps:
+      - name: 📥 Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: 💾 Cache Trivy vulnerability DB
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        with:
+          path: ~/.cache/trivy
+          key: trivy-db-${{ github.run_id }}
+          restore-keys: trivy-db-
+
+      - name: 🔎 Run Trivy filesystem scan
+        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
+        with:
+          scan-type: fs
+          scan-ref: .
+          scanners: vuln,secret,misconfig
+          ignore-unfixed: true
+          severity: CRITICAL,HIGH
+          format: sarif
+          output: trivy-results.sarif
+
+      - name: 📤 Upload results to code scanning
+        uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
+        with:
+          sarif_file: trivy-results.sarif
+          category: trivy-fs

app/(auth)/(tabs)/(home)/settings.tsx

@@ -59,17 +59,19 @@ function SettingsMobile() {
 
         <QuickConnect className='mb-4' />
 
-        <View className='mb-4'>
+        {Platform.OS !== "ios" && (
-          <ListGroup title={t("pairing.pair_with_phone_title")}>
+          <View className='mb-4'>
-            <ListItem
+            <ListGroup title={t("pairing.pair_with_phone_title")}>
-              onPress={() =>
+              <ListItem
-                router.push("/(auth)/(tabs)/(home)/companion-login")
+                onPress={() =>
-              }
+                  router.push("/(auth)/(tabs)/(home)/companion-login")
-              title={t("pairing.pair_with_phone")}
+                }
-              textColor='blue'
+                title={t("pairing.pair_with_phone")}
-            />
+                textColor='blue'
-          </ListGroup>
+              />
-        </View>
+            </ListGroup>
+          </View>
+        )}
 
         <View className='mb-4'>
           <AppLanguageSelector />

app/(auth)/(tabs)/(home)/settings/plugins/streamystats/page.tsx

@@ -114,7 +114,7 @@ export default function StreamystatsPage() {
   };
 
   const handleRefreshFromServer = useCallback(async () => {
-    const newPluginSettings = await refreshStreamyfinPluginSettings(true);
+    const newPluginSettings = await refreshStreamyfinPluginSettings();
     // Update local state with new values
     const newUrl = newPluginSettings?.streamyStatsServerUrl?.value || "";
     setUrl(newUrl);

components/login/TVAddServerForm.tsx

@@ -1,6 +1,6 @@
 import { t } from "i18next";
 import React, { useCallback, useState } from "react";
-import { ScrollView, View } from "react-native";
+import { Platform, ScrollView, View } from "react-native";
 import { Button } from "@/components/Button";
 import { Text } from "@/components/common/Text";
 import { useScaledTVTypography } from "@/constants/TVTypography";
@@ -107,7 +107,7 @@ export const TVAddServerForm: React.FC<TVAddServerFormProps> = ({
         </View>
 
         {/* Pair with Phone */}
-        {onStartPairing && (
+        {Platform.OS !== "ios" && onStartPairing && (
           <View>
             <Button
               onPress={onStartPairing}

components/settings/OtherSettings.tsx

@@ -196,7 +196,10 @@ export const OtherSettings: React.FC = () => {
             }
           />
         </ListItem>
-        <ListItem title={t("home.settings.other.max_auto_play_episode_count")}>
+        <ListItem
+          title={t("home.settings.other.max_auto_play_episode_count")}
+          disabled={pluginSettings?.maxAutoPlayEpisodeCount?.locked}
+        >
           <PlatformDropdown
             groups={autoPlayEpisodeOptions}
             trigger={

components/settings/PlaybackControlsSettings.tsx

@@ -229,7 +229,10 @@ export const PlaybackControlsSettings: React.FC = () => {
 
         <ListItem
           title={t("home.settings.other.max_auto_play_episode_count")}
-          disabled={!settings.autoPlayNextEpisode}
+          disabled={
+            !settings.autoPlayNextEpisode ||
+            pluginSettings?.maxAutoPlayEpisodeCount?.locked
+          }
         >
           <PlatformDropdown
             groups={autoPlayEpisodeOptions}

components/video-player/controls/Controls.tv.tsx

@@ -1254,7 +1254,7 @@ export const Controls: FC<Props> = ({
                 <Text
                   style={[styles.endsAtText, { fontSize: typography.callout }]}
                 >
-                  {t("player.ends_at")} {getFinishTime()}
+                  {t("player.ends_at", { time: getFinishTime() })}
                 </Text>
               </View>
             )}
@@ -1448,7 +1448,7 @@ export const Controls: FC<Props> = ({
                 <Text
                   style={[styles.endsAtText, { fontSize: typography.callout }]}
                 >
-                  {t("player.ends_at")} {getFinishTime()}
+                  {t("player.ends_at", { time: getFinishTime() })}
                 </Text>
               </View>
             )}

providers/WebSocketProvider.tsx

@@ -1,5 +1,4 @@
 import { getSessionApi } from "@jellyfin/sdk/lib/utils/api";
-import { router } from "expo-router";
 import { useAtomValue } from "jotai";
 import {
   createContext,
@@ -12,6 +11,7 @@ import {
   useState,
 } from "react";
 import { AppState, type AppStateStatus } from "react-native";
+import useRouter from "@/hooks/useAppRouter";
 import { useNetworkAwareQueryClient } from "@/hooks/useNetworkAwareQueryClient";
 import { apiAtom, getOrSetDeviceId } from "@/providers/JellyfinProvider";
 import { useNetworkStatus } from "@/providers/NetworkStatusProvider";
@@ -28,20 +28,6 @@ const LIBRARY_CHANGE_QUERY_KEYS = [
   ["episodes"],
 ] as const;
 
-// Query keys that depend on per-user playback state (resume position, played
-// status, favorites) and should be refreshed when the server reports a
-// `UserDataChanged`. Scoped to the progression-based sections so finishing an
-// episode does not pointlessly refetch "recently added" or suggestions.
-const USER_DATA_CHANGE_QUERY_KEYS = [
-  ["home", "continueAndNextUp"],
-  ["home", "resumeItems"],
-  ["home", "nextUp-all"],
-  ["home", "heroItems"],
-  ["resumeItems"],
-  ["nextUp-all"],
-  ["nextUp"],
-] as const;
-
 interface WebSocketMessage {
   MessageType: string;
   Data: any;
@@ -52,30 +38,10 @@ interface WebSocketProviderProps {
   children: ReactNode;
 }
 
-/**
- * Handler invoked for every message of a given `MessageType`. Receives the
- * message `Data` payload and the full message.
- */
-type WebSocketMessageHandler = (data: any, message: WebSocketMessage) => void;
-
 interface WebSocketContextType {
   ws: WebSocket | null;
   isConnected: boolean;
-  /**
-   * @deprecated Prefer `subscribe`. `lastMessage` only keeps the most recent
-   * message, so bursts arriving in the same tick are coalesced and lost. Kept
-   * for `useWebsockets` (GeneralCommand handling) until it is migrated.
-   */
   lastMessage: WebSocketMessage | null;
-  /**
-   * Subscribe to a given message type. The handler is called synchronously for
-   * every matching message (no coalescing, unlike `lastMessage`). Returns an
-   * unsubscribe function to call on cleanup.
-   */
-  subscribe: (
-    messageType: string,
-    handler: WebSocketMessageHandler,
-  ) => () => void;
   sendMessage: (message: any) => void;
   clearLastMessage: () => void;
 }
@@ -88,6 +54,7 @@ export const WebSocketProvider = ({ children }: WebSocketProviderProps) => {
   const [ws, setWs] = useState<WebSocket | null>(null);
   const [isConnected, setIsConnected] = useState(false);
   const [lastMessage, setLastMessage] = useState<WebSocketMessage | null>(null);
+  const router = useRouter();
   const queryClient = useNetworkAwareQueryClient();
   const deviceId = useMemo(() => {
     return getOrSetDeviceId();
@@ -96,52 +63,6 @@ export const WebSocketProvider = ({ children }: WebSocketProviderProps) => {
   const libraryChangeDebounceRef = useRef<ReturnType<typeof setTimeout> | null>(
     null,
   );
-  const userDataChangeDebounceRef = useRef<ReturnType<
-    typeof setTimeout
-  > | null>(null);
-
-  // Pub/sub registry: messageType -> set of handlers. Stored in a ref so
-  // subscribing/dispatching never triggers a re-render.
-  const listenersRef = useRef<Map<string, Set<WebSocketMessageHandler>>>(
-    new Map(),
-  );
-
-  const subscribe = useCallback(
-    (messageType: string, handler: WebSocketMessageHandler) => {
-      const listeners = listenersRef.current;
-      let handlers = listeners.get(messageType);
-      if (!handlers) {
-        handlers = new Set();
-        listeners.set(messageType, handlers);
-      }
-      handlers.add(handler);
-      return () => {
-        handlers?.delete(handler);
-        if (handlers && handlers.size === 0) {
-          listeners.delete(messageType);
-        }
-      };
-    },
-    [],
-  );
-
-  const dispatchMessage = useCallback((message: WebSocketMessage) => {
-    const handlers = listenersRef.current.get(message.MessageType);
-    if (!handlers || handlers.size === 0) return;
-    // Copy to tolerate handlers that unsubscribe during dispatch.
-    for (const handler of [...handlers]) {
-      // Isolate each handler so one throwing subscriber can't abort the rest
-      // (and isn't misreported as a parse failure by the outer onmessage catch).
-      try {
-        handler(message.Data, message);
-      } catch (error) {
-        console.error(
-          `Error handling WebSocket message type "${message.MessageType}":`,
-          error,
-        );
-      }
-    }
-  }, []);
 
   const connectWebSocket = useCallback(() => {
     if (!deviceId || !api?.accessToken || !isNetworkConnected) {
@@ -192,10 +113,7 @@ export const WebSocketProvider = ({ children }: WebSocketProviderProps) => {
     newWebSocket.onmessage = (e) => {
       try {
         const message = JSON.parse(e.data);
-        // Legacy single-slot state, still consumed by useWebsockets.
+        setLastMessage(message); // Store the last message in context
-        setLastMessage(message);
-        // Pub/sub: deliver to every subscriber without coalescing.
-        dispatchMessage(message);
       } catch (error) {
         console.error("Error parsing WebSocket message:", error);
       }
@@ -208,7 +126,7 @@ export const WebSocketProvider = ({ children }: WebSocketProviderProps) => {
       }
       newWebSocket.close();
     };
-  }, [api, deviceId, isNetworkConnected, dispatchMessage]);
+  }, [api, deviceId, isNetworkConnected]);
 
   const handleLibraryChanged = useCallback(
     (data: any) => {
@@ -239,77 +157,47 @@ export const WebSocketProvider = ({ children }: WebSocketProviderProps) => {
     [queryClient],
   );
 
-  const handleUserDataChanged = useCallback(
+  useEffect(() => {
-    (data: any) => {
+    if (!lastMessage) {
-      // Jellyfin sends UserDataChanged when playback position, played status
+      return;
-      // or favorites change (e.g. finishing an episode). Only the
+    }
-      // progression-based home sections care about it.
+    if (lastMessage.MessageType === "Play") {
-      if (!((data?.UserDataList?.length ?? 0) > 0)) {
+      handlePlayCommand(lastMessage.Data);
-        return;
+    } else if (lastMessage.MessageType === "LibraryChanged") {
-      }
+      handleLibraryChanged(lastMessage.Data);
-
+    }
-      // Finishing an item can emit several UserDataChanged messages, so
+  }, [lastMessage, router, handleLibraryChanged]);
-      // debounce to invalidate the affected sections only once.
-      if (userDataChangeDebounceRef.current) {
-        clearTimeout(userDataChangeDebounceRef.current);
-      }
-      userDataChangeDebounceRef.current = setTimeout(() => {
-        for (const queryKey of USER_DATA_CHANGE_QUERY_KEYS) {
-          queryClient.invalidateQueries({ queryKey: [...queryKey] });
-        }
-      }, 800);
-    },
-    [queryClient],
-  );
-
-  // Refresh library-dependent queries when the server reports a change.
-  useEffect(
-    () => subscribe("LibraryChanged", handleLibraryChanged),
-    [subscribe, handleLibraryChanged],
-  );
-
-  // Refresh "Continue Watching" / "Next Up" when playback state changes.
-  useEffect(
-    () => subscribe("UserDataChanged", handleUserDataChanged),
-    [subscribe, handleUserDataChanged],
-  );
 
   useEffect(() => {
     return () => {
       if (libraryChangeDebounceRef.current) {
         clearTimeout(libraryChangeDebounceRef.current);
       }
-      if (userDataChangeDebounceRef.current) {
-        clearTimeout(userDataChangeDebounceRef.current);
-      }
     };
   }, []);
 
-  const handlePlayCommand = useCallback((data: any) => {
+  const handlePlayCommand = useCallback(
-    if (!data?.ItemIds?.length) {
+    (data: any) => {
-      return;
+      if (!data?.ItemIds?.length) {
-    }
+        return;
+      }
 
-    const itemId = data.ItemIds[0];
+      const itemId = data.ItemIds[0];
 
-    router.push({
+      router.push({
-      pathname: "/(auth)/player/direct-player",
+        pathname: "/(auth)/player/direct-player",
-      params: {
+        params: {
-        itemId: itemId,
+          itemId: itemId,
-        playCommand: data.PlayCommand || "PlayNow",
+          playCommand: data.PlayCommand || "PlayNow",
-        audioIndex: data.AudioStreamIndex?.toString(),
+          audioIndex: data.AudioStreamIndex?.toString(),
-        subtitleIndex: data.SubtitleStreamIndex?.toString(),
+          subtitleIndex: data.SubtitleStreamIndex?.toString(),
-        mediaSourceId: data.MediaSourceId || "",
+          mediaSourceId: data.MediaSourceId || "",
-        bitrateValue: "",
+          bitrateValue: "",
-        offline: "false",
+          offline: "false",
-      },
+        },
-    });
+      });
-  }, []);
+    },
-
+    [router],
-  // Server-initiated "Play me this item" remote command.
-  useEffect(
-    () => subscribe("Play", handlePlayCommand),
-    [subscribe, handlePlayCommand],
   );
 
   useEffect(() => {
@@ -379,14 +267,7 @@ export const WebSocketProvider = ({ children }: WebSocketProviderProps) => {
   }, []);
   return (
     <WebSocketContext.Provider
-      value={{
+      value={{ ws, isConnected, lastMessage, sendMessage, clearLastMessage }}
-        ws,
-        isConnected,
-        lastMessage,
-        subscribe,
-        sendMessage,
-        clearLastMessage,
-      }}
     >
       {children}
     </WebSocketContext.Provider>

utils/atoms/settings.ts

@@ -6,6 +6,7 @@ import {
   type SortOrder,
   SubtitlePlaybackMode,
 } from "@jellyfin/sdk/lib/generated-client";
+import { t } from "i18next";
 import { atom, useAtom, useAtomValue } from "jotai";
 import { useCallback, useEffect, useMemo } from "react";
 import { BITRATES, type Bitrate } from "@/components/BitrateSelector";
@@ -121,6 +122,46 @@ export interface MaxAutoPlayEpisodeCount {
   value: number;
 }
 
+/**
+ * The plugin may send object-typed settings as plain primitives.
+ * Resolve to the proper option object from the available choices.
+ */
+const normalizePluginValue = (
+  settingsKey: keyof Settings,
+  value: unknown,
+): unknown => {
+  if (typeof value !== "object" || value === null) {
+    const defaultVal = defaultValues[settingsKey];
+    if (
+      typeof defaultVal === "object" &&
+      defaultVal !== null &&
+      "key" in defaultVal &&
+      "value" in defaultVal
+    ) {
+      // defaultBitrate needs a lookup because its keys are human-readable
+      // (e.g. "8 Mb/s") that can't be derived from the raw value (e.g. 8000000).
+      // Other { key, value } settings like maxAutoPlayEpisodeCount work with
+      // the fallback because their keys are just String(value) (e.g. "5").
+      if (settingsKey === "defaultBitrate") {
+        const match = BITRATES.find(
+          (b) => b.key === value || b.value === value,
+        );
+        if (match) return match;
+      }
+      // maxAutoPlayEpisodeCount: 0 is invalid (breaks autoplay), clamp to -1
+      // -1 key must match the translated dropdown label so the UI shows "Disabled"
+      if (
+        settingsKey === "maxAutoPlayEpisodeCount" &&
+        (value === 0 || value === -1)
+      ) {
+        return { key: t("home.settings.other.disabled"), value: -1 };
+      }
+      return { key: String(value), value };
+    }
+  }
+  return value;
+};
+
 export type HomeSectionLatestResolver = {
   parentId?: string;
   limit?: number;
@@ -427,61 +468,37 @@ export const useSettings = () => {
     [_setPluginSettings],
   );
 
-  const refreshStreamyfinPluginSettings = useCallback(
+  const refreshStreamyfinPluginSettings = useCallback(async () => {
-    async (forceOverride = false) => {
+    if (!api) {
-      if (!api) {
+      return;
-        return;
+    }
+    const newPluginSettings = await api.getStreamyfinPluginConfig().then(
+      ({ data }) => {
+        writeInfoLog("Got plugin settings", data?.settings);
+        return data?.settings;
+      },
+      (_err) => undefined,
+    );
+    setPluginSettings(newPluginSettings);
+
+    // Locked/unlocked values are handled by the settings memo, which
+    // applies locked values at runtime without overwriting user storage.
+    // We only handle auto-enabling Streamystats here.
+    if (newPluginSettings && _settings) {
+      const streamyStatsUrl = newPluginSettings.streamyStatsServerUrl;
+      if (streamyStatsUrl?.value && _settings.searchEngine !== "Streamystats") {
+        const newSettings = {
+          ...defaultValues,
+          ..._settings,
+          searchEngine: "Streamystats",
+        } as Settings;
+        setSettings(newSettings);
+        saveSettings(newSettings);
       }
-      const newPluginSettings = await api.getStreamyfinPluginConfig().then(
+    }
-        ({ data }) => {
-          writeInfoLog("Got plugin settings", data?.settings);
-          return data?.settings;
-        },
-        (_err) => undefined,
-      );
-      setPluginSettings(newPluginSettings);
 
-      // Apply plugin values to settings
+    return newPluginSettings;
-      if (newPluginSettings && _settings) {
+  }, [api, _settings]);
-        const updates: Partial<Settings> = {};
-        for (const [key, setting] of Object.entries(newPluginSettings)) {
-          if (setting && !setting.locked && setting.value !== undefined) {
-            const settingsKey = key as keyof Settings;
-            const effectiveValue = getEffectiveSettingValue(
-              _settings,
-              settingsKey,
-            );
-            // Apply if forceOverride is true, or if neither persisted settings
-            // nor app defaults provide a meaningful value.
-            if (forceOverride || !hasMeaningfulSettingValue(effectiveValue)) {
-              (updates as any)[settingsKey] = setting.value;
-            }
-          }
-        }
-
-        // Auto-enable Streamystats if server URL is provided
-        const streamyStatsUrl = newPluginSettings.streamyStatsServerUrl;
-        if (
-          streamyStatsUrl?.value &&
-          _settings.searchEngine !== "Streamystats"
-        ) {
-          updates.searchEngine = "Streamystats";
-        }
-        if (Object.keys(updates).length > 0) {
-          const newSettings = {
-            ...defaultValues,
-            ..._settings,
-            ...updates,
-          } as Settings;
-          setSettings(newSettings);
-          saveSettings(newSettings);
-        }
-      }
-
-      return newPluginSettings;
-    },
-    [api, _settings],
-  );
 
   const updateSettings = (update: Partial<Settings>) => {
     if (!_settings) {
@@ -512,8 +529,13 @@ export const useSettings = () => {
       Partial<Settings>
     >((acc, [key, setting]) => {
       if (setting) {
-        const { value, locked } = setting;
+        let { value } = setting;
+        const { locked } = setting;
         const settingsKey = key as keyof Settings;
+
+        // Normalize object-typed settings from plugin (plain primitive → { key, value })
+        value = normalizePluginValue(settingsKey, value);
+
         const effectiveValue = getEffectiveSettingValue(_settings, settingsKey);
 
         (acc as any)[settingsKey] = locked

utils/pairingService.ts

@@ -27,6 +27,7 @@ export function startPairingListener(
   });
 
   socket.on("error", (err) => {
+    if (!active) return;
     if (__DEV__) console.error("[PairingService] Socket error:", err);
     onError?.(err.message);
     cleanup();