fix(templates): source-verify app templates and consolidate audit fixes#100
fix(templates): source-verify app templates and consolidate audit fixes#100bakerboy448 wants to merge 14 commits into
Conversation
Add bulk import/editor endpoints, tag auto-creation POST, languageprofile, and seasonpass grants per Kometa-Team/ArrAPI. Sonarr: add /series/import, remove ineffective POST /series.
Add DELETE /indexer/{id} (RemoveIndexer). Remove endpoints Prowlarr
never calls: indexer/testall, indexer/action/{name}, config/indexer*,
indexerflag, system/status. Verified against RadarrV3Proxy.cs /
SonarrV3Proxy.cs.
Add command, editor, history, qualityprofile, files, exclusions/bulk, and tags endpoints.
Seerr (https://docs.seerr.dev) is the unified successor to Jellyseerr and Overseerr with automatic migration from either project on first startup. Removed jellyseerr.json and overseerr.json, updated seerr.json (delete, episode/monitor, tag PUT), README, and cSpell wordlist.
Add movie/series files, history, queue/bulk, and delete paths.
Add queue, series, tag, qualityprofile, episodefile endpoints; add
GET series/{id} for webhook rule matching.
cross-seed only calls radarr/sonarr /parse; the prowlarr grant was unused.
ed4f844 to
82f57ea
Compare
Kometa's scheduled run fetches single-movie detail via GET
/api/v3/movie/{id}; only the bulk /movie list endpoint was granted.
Confirmed against live traffic: recurring 401s on this exact endpoint
every ~4h since 2026-07-11.
.github/renovate.json enabled:false was added by a195176 ("chore: disable renovate on fork") — that commit's intent was fork-scoped but landed on upstream develop directly, disabling Renovate for the actual project. Restoring pre-a195176 state (no enabled key, implicit default).
|
Ran every endpoint change in this PR against real Traffic-confirmed (beyond source-code verification already in the PR body):
Confirmed safe to remove — zero traffic across the full retention window (~7 days), any status code:
One weaker justification, not a red flag but worth a maintainer's eye: Seerr's Everything else (additions across Maintainerr, Bazarr, DAPS, Prowlarr Worth flagging separately: this PR fully deletes |
|
Ran this diff against ~7 days of VERIFIED (live traffic on this instance)
No other addition in this diff (bazarr, daps, maintainerr, seerr, remaining prowlarr changes) corresponds to an observed rejection on this instance — that's not evidence they're wrong, just that this deployment's traffic doesn't exercise them (e.g. maintainerr here only ever calls Not a registered consumer here at all (no traffic either way): nabarr, omegabrr, recyclarr, cross-seed, titlecardmaker, unmanic. Grounded in code review, not traffic-tested (worth a second look before merging)
[HttpGet("/api/v1/indexer/{id:int}/newznab")]
[HttpGet("{id:int}/api")]
public async Task<IActionResult> GetNewznabResponse(...)but One unrelated observation while cross-referencing: the deployed Happy to share the raw log greps if useful. |
Summary
Consolidated template audit for 12 third-party apps, one commit per app/template. Replaces and supersedes #98 and #99.
Each template was checked against upstream source code so StarrProxy only grants endpoints the app actually calls.
Template changes
Kometa (radarr + sonarr)
import/editor, tag POST, languageprofile, seasonpass/series/import,/seasonpass; remove ineffectivePOST /seriesGET /movie/{id}— confirmed via live traffic that Kometa's scheduled run fetches single-movie detail by ID; only the bulk/movielist was granted, causing recurring 401sProwlarr (radarr + sonarr)
DELETE /indexer/{id}(indexer removal during sync)Maintainerr (radarr + sonarr)
Seerr (replaces Jellyseerr + Overseerr)
jellyseerr.jsonandoverseerr.json— Seerr is the unified successor (automatic migration from either project)seerr.json: delete, episode/monitor, tag PUTOther apps
arrpy.py)series/{id}GET for webhook rulescommand/{id}prowlarr/cross-seed.json(only uses radarr/sonarr/parse)Docs
CI
.github/renovate.json):enabled: falsewas added bya195176with fork-scoped intent ("chore: disable renovate on fork") but landed on this repo'sdevelopdirectly, disabling Renovate project-wide. Restored to the pre-a195176state.Supersedes