Skip to content

fix(templates): source-verify app templates and consolidate audit fixes#100

Open
bakerboy448 wants to merge 14 commits into
Notifiarr:developfrom
bakerboy448:cursor/template-audit-fixes-f0b1
Open

fix(templates): source-verify app templates and consolidate audit fixes#100
bakerboy448 wants to merge 14 commits into
Notifiarr:developfrom
bakerboy448:cursor/template-audit-fixes-f0b1

Conversation

@bakerboy448

@bakerboy448 bakerboy448 commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

Summary

Consolidated template audit for 12 third-party apps, one commit per app/template. Replaces and supersedes #98 and #99.

Each template was checked against upstream source code so StarrProxy only grants endpoints the app actually calls.

Template changes

Kometa (radarr + sonarr)

  • Add bulk import/editor, tag POST, languageprofile, seasonpass
  • Sonarr: add /series/import, /seasonpass; remove ineffective POST /series
  • Radarr: add GET /movie/{id} — confirmed via live traffic that Kometa's scheduled run fetches single-movie detail by ID; only the bulk /movie list was granted, causing recurring 401s

Prowlarr (radarr + sonarr)

  • Add DELETE /indexer/{id} (indexer removal during sync)
  • Remove unused: testall, config/indexer*, indexerflag, system/status

Maintainerr (radarr + sonarr)

  • Expand to servarr helper surface: command, editor, history, qualityprofile, files, exclusions/bulk, tags

Seerr (replaces Jellyseerr + Overseerr)

  • Verified against seerr-team/seerr servarr API
  • Removed jellyseerr.json and overseerr.jsonSeerr is the unified successor (automatic migration from either project)
  • Updated seerr.json: delete, episode/monitor, tag PUT

Other apps

App Change
Bazarr +history; sonarr +languageprofile
DAPS movie/series files, history, queue/bulk, delete paths (arrpy.py)
Unmanic queue, series, tag, qualityprofile, episodefile; +series/{id} GET for webhook rules
Nabarr trimmed to actual GET/POST calls only
Omegabrr +tag GET (when tag filters configured)
Recyclarr removed unused command/{id}
Cross-seed deleted prowlarr/cross-seed.json (only uses radarr/sonarr /parse)
Titlecardmaker removed unused rootfolder, series/lookup

Docs

  • README: Jellyseerr/Overseerr moved to removed list; Seerr is the active template

CI

  • Re-enable Renovate (.github/renovate.json): enabled: false was added by a195176 with fork-scoped intent ("chore: disable renovate on fork") but landed on this repo's develop directly, disabling Renovate project-wide. Restored to the pre-a195176 state.

Supersedes

Add bulk import/editor endpoints, tag auto-creation POST, languageprofile,
and seasonpass grants per Kometa-Team/ArrAPI. Sonarr: add /series/import,
remove ineffective POST /series.
Add DELETE /indexer/{id} (RemoveIndexer). Remove endpoints Prowlarr
never calls: indexer/testall, indexer/action/{name}, config/indexer*,
indexerflag, system/status. Verified against RadarrV3Proxy.cs /
SonarrV3Proxy.cs.
Add command, editor, history, qualityprofile, files, exclusions/bulk,
and tags endpoints.
Seerr (https://docs.seerr.dev) is the unified successor to Jellyseerr
and Overseerr with automatic migration from either project on first
startup. Removed jellyseerr.json and overseerr.json, updated seerr.json
(delete, episode/monitor, tag PUT), README, and cSpell wordlist.
Add movie/series files, history, queue/bulk, and delete paths.
Add queue, series, tag, qualityprofile, episodefile endpoints; add
GET series/{id} for webhook rule matching.
cross-seed only calls radarr/sonarr /parse; the prowlarr grant was
unused.
Kometa's scheduled run fetches single-movie detail via GET
/api/v3/movie/{id}; only the bulk /movie list endpoint was granted.
Confirmed against live traffic: recurring 401s on this exact endpoint
every ~4h since 2026-07-11.
.github/renovate.json enabled:false was added by a195176 ("chore:
disable renovate on fork") — that commit's intent was fork-scoped but
landed on upstream develop directly, disabling Renovate for the
actual project. Restoring pre-a195176 state (no enabled key, implicit
default).
@bakerboy448

Copy link
Copy Markdown
Contributor Author

Ran every endpoint change in this PR against real access_<consumer>.log traffic on a live instance running these templates. No mutations, read-only.

Traffic-confirmed (beyond source-code verification already in the PR body):

App Endpoint Change Evidence
Kometa (radarr) GET /movie/{id} add 12x 401 (missing from scope) 2026-07-11→07-14, then 200 once granted
Kometa (radarr) POST /tag add 15x 405 (wrong method), recurring every ~4h, still occurring at last log entry

Confirmed safe to remove — zero traffic across the full retention window (~7 days), any status code:

  • Kometa: rootfolder/{id} GET (both radarr, sonarr)
  • Maintainerr: sonarr episodefile (base) GET
  • Prowlarr: all 10 removed endpoints (indexer/testall, indexer/action/{name}, config/indexer*, indexerflag, system/status) across every registered radarr/sonarr instance

One weaker justification, not a red flag but worth a maintainer's eye: Seerr's importlistexclusion GET removal shows zero traffic here too, but that endpoint only fires when a user explicitly declines a recommendation in Seerr — rare, not dead-by-design like the Prowlarr removals. Zero traffic in one week doesn't rule out it being used occasionally.

Everything else (additions across Maintainerr, Bazarr, DAPS, Prowlarr indexer/{id} DELETE, Seerr) is unverifiable from this instance's traffic — either never called in the window or the consumer isn't registered here at all (Nabarr, Omegabrr, Recyclarr, cross-seed, Titlecardmaker, Unmanic have no access log on this instance). Not a negative finding, just outside what I can confirm empirically; the source-code verification already documented per-app covers those.

Worth flagging separately: this PR fully deletes prowlarr/cross-seed.json, a template merged two commits before this PR's base (#90). No traffic evidence either way since cross-seed isn't registered on this instance — just noting it's a full retraction of a very recently added template, not a trim.

@bakerboy448

bakerboy448 commented Jul 14, 2026

Copy link
Copy Markdown
Contributor Author

Ran this diff against ~7 days of access_<consumer>.log traffic on a live production deployment (:develop, multiple radarr/sonarr instances, several of these templates in active use) plus source-level checks for one thing I couldn't test live. Splitting findings by how they're grounded, since that matters for how much weight to put on each:

VERIFIED (live traffic on this instance)

Change Evidence
radarr/kometa.json add movie/{id} GET 12x 401 (2026-07-11 → 07-14T04:14) then 200s from 07-14T05:23 onward once granted live — endpoint really was missing
radarr/kometa.json add tag POST 15x 405 recurring every ~4h, still firing at time of writing — endpoint granted, method wasn't
Removals touching a live consumer here (radarr/sonarr kometa.json rootfolder/{id}, both prowlarr.json indexer/testall/indexer/action/{name}/config/indexer/config/indexer/{id}/indexerflag, sonarr/prowlarr.json system/status, sonarr/seerr.json importlistexclusion, sonarr/maintainerr.json episodefile base) zero calls, any status, across the full window — safe to drop

No other addition in this diff (bazarr, daps, maintainerr, seerr, remaining prowlarr changes) corresponds to an observed rejection on this instance — that's not evidence they're wrong, just that this deployment's traffic doesn't exercise them (e.g. maintainerr here only ever calls movie/tag GET, nothing else, so its ~17 new grants are simply untested by this instance).

Not a registered consumer here at all (no traffic either way): nabarr, omegabrr, recyclarr, cross-seed, titlecardmaker, unmanic.

Grounded in code review, not traffic-tested (worth a second look before merging)

prowlarr/cross-seed.json is deleted outright. cross-seed's own docs (cross-seed.org/docs/basics/options.md) specify the Torznab URL as http://prowlarr:9696/{indexerId}/api?apikey=.... Prowlarr's NewznabController maps that route as an alias of the same action as /api/v1/indexer/{id}/newznab:

[HttpGet("/api/v1/indexer/{id:int}/newznab")]
[HttpGet("{id:int}/api")]
public async Task<IActionResult> GetNewznabResponse(...)

but starrproxy's own isAllowedEndpoint() matches on segment count (Starr.php ~L284-288: explode('/', $endpoint) count must equal the granted endpoint's segment count). {id}/api is 3 segments, /api/v1/indexer/{id}/newznab is 6 — they can never match under that check. So the deleted template's only grant likely never matched cross-seed's actual, documented request path in the first place, independent of this PR. Worth confirming intent: is this PR dropping cross-seed support because it's genuinely unused, or should the replacement (if any) grant {id}/api instead of the versioned path? Couldn't verify from traffic since cross-seed isn't a live consumer on this instance either way.

One unrelated observation while cross-referencing: the deployed :develop image's live radarr/prowlarr.json/sonarr/prowlarr.json already grant indexer GET+POST, while this PR's diff base shows POST-only for that line — just a base/:develop drift note, doesn't affect any verdict above since those are unchanged by this PR either way.

Happy to share the raw log greps if useful.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant