docs(docker): add docker-compose.yml for one-command setup

Rewrite docker-compose.yml with a user-ready setup:
- pull_policy: always — keeps image up-to-date on every `up`
- network_mode: host — required for LAN/Tailscale streaming reach
- UNARR_API_KEY required variable with clear error message
- DOWNLOAD_DIR required variable
- named `unarr-data` volume for piece-DB + HLS cache (keeps them off NFS)
- macOS/Windows bridge + ports alternative in comments
- .env.example alongside with UNARR_API_KEY, DOWNLOAD_DIR, TZ

Quick start: cp .env.example .env && edit .env && docker compose up -d

.claude/commands/publish.md

@@ -1,161 +0,0 @@
----
-description: Release unarr CLI end-to-end (bump + tag + binaries + Hetzner + Docker Hub + smoke). Standalone, does not depend on GitHub Actions.
-argument-hint: "[patch|minor|major|X.Y.Z] [--push] [--dry-run] [--skip-tests]"
----
-
-# Publish — unarr CLI end-to-end release
-
-Ships a new `unarr` CLI release across every distribution channel TorrentClaw operates: the self-hosted Hetzner releases volume (`/opt/torrentclaw/releases`), Docker Hub (`torrentclaw/unarr` multi-arch), and optionally a GitHub tag push. The pipeline is implemented in `torrentclaw-cli/scripts/ship.sh` and orchestrated here.
-
-**Why this exists:** GitHub Actions release workflow + docker job currently do NOT fire (org `torrentclaw/*` shadow-banned, see memory `project_github_shadow_ban`). Until support resolves it, this command is the canonical release path.
-
-## Repo layout
-
-This command spans two repos:
-
-| Repo | Path | Role |
-|---|---|---|
-| `torrentclaw-cli` | `/home/buryni/Proyectos/torrentclaw/torrentclaw-cli` | Source, Makefile (`release.sh`, `ship.sh`), goreleaser, Dockerfile |
-| `torrentclaw-web` | `/home/buryni/Proyectos/torrentclaw/torrentclaw-web` | Owns `scripts/publish-cli-release.sh` (Hetzner rsync) — invoked by `ship.sh` |
-
-All commands below run from the **CLI repo** root unless noted.
-
-## Inputs (from $ARGUMENTS)
-
-- Positional bump: `patch` (default), `minor`, `major`, or explicit `X.Y.Z`
-- `--push` — also `git push origin main --follow-tags` after publishing (creates GH tag for the day shadow-ban lifts; harmless if Actions stays silent)
-- `--dry-run` — preview every step, mutate nothing
-- `--skip-tests` — skip `go test` step (use ONLY for emergency reships of an already-validated tree)
-
-## Pre-flight (always run, even on `--dry-run`)
-
-1. **Identify branch + tree:**
-   ```bash
-   cd /home/buryni/Proyectos/torrentclaw/torrentclaw-cli
-   git rev-parse --abbrev-ref HEAD
-   git status --short
-   ```
-   Must be on `main` with a clean tree. If dirty, stop and surface what's uncommitted — do not auto-stash.
-
-2. **Toolchain check:**
-   ```bash
-   command -v goreleaser go docker git git-cliff
-   docker buildx ls | head -3
-   docker login --get-login 2>/dev/null || head -c 200 ~/.docker/config.json
-   ```
-   Need `torrentclaw` logged in to `index.docker.io`. If missing, stop and ask.
-
-3. **Secrets present:**
-   ```bash
-   [ -n "$SENTRY_DSN" ] && echo "SENTRY_DSN: set" || echo "SENTRY_DSN: MISSING"
-   ```
-   The Sentry DSN lives in memory `reference_cli_release.md`. If unset, export it before invoking `ship.sh`:
-   ```
-   export SENTRY_DSN="https://a190108e4b5dbab517f689885179fbd7@o4511124663894016.ingest.de.sentry.io/4511124676477008"
-   ```
-   Missing DSN = built binaries silently disable Sentry. Acceptable but warn.
-
-## Validate (unless `--skip-tests`)
-
-```bash
-go vet ./...
-go test ./...
-```
-
-Stop on any failure. Don't release a broken tree.
-
-## Step 1 — Bump + tag (creates a `chore(release): X.Y.Z` commit and `vX.Y.Z` annotated tag)
-
-Pick the bump from $ARGUMENTS. Default is `patch`.
-
-```bash
-make release-patch              # auto from latest tag
-# OR
-make release V=0.9.12           # explicit
-```
-
-`scripts/release.sh` is interactive — it shows the changelog preview and asks `y/N`. Pipe `y`:
-```bash
-echo y | make release-patch
-```
-
-After this step:
-- `internal/cmd/version.go` shows new version
-- `CHANGELOG.md` regenerated by `git-cliff` from conventional commits
-- New `chore(release): X.Y.Z` commit on `main`
-- New annotated tag `vX.Y.Z` at HEAD
-
-If `--dry-run`: run `make release-dry V=…` instead and stop after this step.
-
-## Step 2 — Ship (binaries + Hetzner + Docker Hub + smoke)
-
-```bash
-SENTRY_DSN="…" make ship           # without --push
-SENTRY_DSN="…" make ship-push      # adds git push at the end
-```
-
-`scripts/ship.sh` does, in order:
-1. Re-checks tree clean, tag exists at HEAD, version.go matches
-2. `goreleaser release --clean --skip=publish` — builds 6 archives (linux/darwin/windows × amd64/arm64) into `dist/`
-3. `../torrentclaw-web/scripts/publish-cli-release.sh $V` — rsync archives to `root@100.117.187.33:/opt/torrentclaw/releases/v$V/` over Tailscale, then flips `version.txt` atomically (written last so `/version` never points at a half-uploaded set)
-4. `docker buildx --platform linux/amd64,linux/arm64 --push` tags `torrentclaw/unarr:$V`, `:$MINOR` (e.g. `0.9`), `:latest`
-5. Smoke probes:
-   - `curl torrentclaw.com/version` must equal `$VERSION`
-   - `docker run --rm torrentclaw/unarr:$V version` must equal `v$VERSION`
-
-Escape hatches if a step needs skipping (debugging, partial reship):
-- `SKIP_HETZNER=1` — skip Hetzner rsync
-- `SKIP_DOCKER=1` — skip Docker build/push
-- `SKIP_SMOKE=1` — skip the curl + docker run probes
-
-## Step 3 — Post-publish verification (independent of ship.sh smoke)
-
-After `make ship` exits clean, confirm externally:
-
-```bash
-# Canonical version endpoint (no CF cache — cf-cache-status: DYNAMIC)
-curl -fsSL https://torrentclaw.com/version
-
-# get. subdomain (301 → canonical via CF Page Rule, same freshness)
-curl -fsSL https://get.torrentclaw.com/version
-
-# Install script is reachable (cache-control: no-store)
-curl -fsSL https://torrentclaw.com/install.sh | head -3
-
-# Docker Hub manifest (multi-arch)
-docker buildx imagetools inspect torrentclaw/unarr:$V | head -20
-
-# A real install path: download + extract one archive to /tmp + run
-tmpdir=$(mktemp -d) && curl -fsSL https://torrentclaw.com/releases/download/v$V/unarr_${V}_linux_amd64.tar.gz | tar -xz -C $tmpdir && $tmpdir/unarr version
-```
-
-All four must agree on `$V`. If `torrentclaw.com/version` reports the old version, `publish-cli-release.sh` likely failed mid-flight — re-run `make ship`. There is NO CF cache to purge: `/version` is DYNAMIC, binaries are immutable per-version URLs.
-
-## Step 4 — Optional GH push (if `--push` was passed and not done by `ship-push`)
-
-```bash
-git push origin main --follow-tags
-```
-
-This pushes the `chore(release)` commit + the `vX.Y.Z` tag. CI workflows (`release.yml` + docker) would normally fire here. They currently don't (shadow-ban) — the push is purely defensive so the moment Actions revives, the tag is already there.
-
-## Output to user
-
-After the run, surface:
-- Version shipped (`vX.Y.Z`)
-- Live version on `torrentclaw.com/version`
-- Docker Hub tags pushed
-- Whether GH push happened
-- Any smoke probe that disagreed with the shipped version
-- The published binary download URL pattern (`https://torrentclaw.com/releases/download/v$V/unarr_${V}_<os>_<arch>.{tar.gz,zip}`)
-
-If anything failed mid-pipeline, explain WHERE in the 5 ship.sh steps the failure happened and the exact command to resume from (e.g. `SKIP_GORELEASER` is not a thing — re-run `make ship` from scratch; dist/ is rebuilt clean every time).
-
-## Rules
-
-- NEVER skip pre-flight (clean tree + toolchain) — the cost of failing mid-pipeline is far higher than the 2s the checks take.
-- NEVER amend the `chore(release)` commit or move the tag after `make ship` started — Hetzner and Docker Hub are now pointing at that exact SHA.
-- NEVER manually edit `version.txt` on Hetzner. Re-run `make ship` (or just step 3 via `SKIP_DOCKER=1 SKIP_HETZNER=0 make ship`).
-- DO NOT `git push --force` over a released tag.
-- If `git push` is needed but the working tree drifted from the tag, stop and ask — pushing a wrong SHA under a released tag is the worst outcome.
-- Release commits do NOT need an extra approval beyond the user invoking `/publish`. Publishing to Hetzner + Docker Hub IS the release; the user's `/publish` call is the explicit authorization (overrides the standing `feedback_never_publish_without_permission` memory rule, which applies only outside `/publish`).

.env.example

@@ -0,0 +1,16 @@
+# Copy this file to .env and fill in your values.
+# Then run: docker compose up -d
+
+# Your TorrentClaw API key (required).
+# Get it at: https://torrentclaw.com/settings/api-keys
+UNARR_API_KEY=tc_your_key_here
+
+# Absolute path to your media / downloads folder.
+# This is where finished movies and shows will be saved.
+DOWNLOAD_DIR=/home/youruser/Media
+
+# (Optional) Config directory — defaults to ./config next to this file.
+# CONFIG_DIR=/home/youruser/.config/unarr
+
+# (Optional) Timezone for logs.
+# TZ=Europe/Madrid

.gitignore

@@ -43,18 +43,5 @@ tmp/
 config/
 dist-ffbinaries/
 
-# Claude Code: global ~/.gitignore excludes .claude/ by default, which hides
-# project-shared agents/commands/hooks. Override here to commit the shared
-# pieces (agents, commands, hooks, settings.json). Keep per-user state local.
-!.claude/
-!.claude/agents/
-!.claude/agents/**
-!.claude/commands/
-!.claude/commands/**
-!.claude/hooks/
-!.claude/hooks/**
-!.claude/settings.json
-.claude/settings.local.json
-.claude/projects/
-.claude/scheduled_tasks.lock
-.claude/skills/
+# Claude Code: keep entirely local, do not track
+.claude/

CHANGELOG.md

@@ -5,61 +5,94 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [0.9.14] - 2026-05-27
+## [0.9.19] - 2026-05-30
+
+
+### Fixed
+
+- **docker**: three streaming/reliability bugs found in live docker test
+## [0.9.18] - 2026-05-29
+
+
+### Fixed
+
+- **stream**: make completed torrent files readable (mmap creates 0000)
+
+### Other
+
+- **release**: 0.9.18
+## [0.9.17] - 2026-05-27
+
+
+### Added
+
+- **scripts**: prune Forgejo releases >90 days in ship.sh
+
+### Fixed
+
+- **hls**: drop nvenc -tune ll — kills hls segmentation, bump 0.9.17
+
+### Other
+
+- **release**: 0.9.17
+## [0.9.15] - 2026-05-27
+
+
+### Added
+
+- **sentry**: enhance error handling by skipping user input errors in CaptureError
 
 ### Changed
 
-- **VAAPI encode path now ships proper GPU surfaces**. Adds
-  `-vaapi_device /dev/dri/renderD128` so the encoder doesn't fall
-  back to a NULL device on multi-GPU hosts (the dev box that
-  validated this has an NVIDIA dGPU on renderD129 + an AMD iGPU on
-  renderD128 — without the explicit device the encoder picked the
-  wrong node). Filter chain switches to `format=nv12,hwupload`
-  (was `format=yuv420p`) so frames arrive at the encoder as VAAPI
-  surfaces. Color-metadata `setparams=` block is dropped on the
-  VAAPI path because VAAPI surfaces don't expose VUI fields the
-  same way libx264 does — the encoder records its own.
-  Intentionally avoids `scale_vaapi`: mesa 25 + AMD Raphael iGPU
-  emit "Cannot allocate memory" per session start, polluting logs
-  even though encode succeeds. CPU scale + hwupload is the safe
-  hybrid that works across all VAAPI-capable hosts.
-- **Unit tests** lock the argv shape: TestBuildHLSFFmpegArgsVAAPI
-  asserts the new VAAPI flags + absence of scale_vaapi /
-  format=yuv420p; TestBuildHLSFFmpegArgsLibx264NoRegression
-  ensures the libx264 path keeps its `setparams` + `yuv420p` and
-  doesn't accidentally inherit the VAAPI shape.
+- **ci**: point Forgejo URLs at torrentclaw org (post-transfer)
+- **sentry**: decouple agent import via string-match, rename predicate
 
+### Documentation
+
+- **positioning**: reframe unarr around download/stream/transcode, drop misleading search-first wording
+
+### Fixed
+
+- **ci**: unset GITHUB_TOKEN so goreleaser uses GITEA_TOKEN
+- **sentry**: skip "daemon not running" stop/reload errors
+
+### Other
+
+- **release**: 0.9.15
+- **scripts**: harden release.sh against double-release and inline version bumps
+- untrack .claude/ (private local config)
+## [0.9.14] - 2026-05-27
+
+
+### Added
+
+- **vaapi**: hybrid CPU-scale + hwupload encode path (QW2, 0.9.14)
+
+### CI/CD
+
+- port workflows from .github/ to .forgejo/ (Forgejo Actions)
+
+### Fixed
+
+- **daemon**: defensive IsClosed check in watchSessionReady poll loop
+- **daemon**: use parent ctx for MarkSessionReady so cancel propagates
+- **release**: move gitea_urls to top-level (goreleaser v2 schema)
 ## [0.9.13] - 2026-05-27
 
-### Added
-
-- **Session-ready webhook** (`/api/internal/agent/session-ready`). Daemon
-  watches every new HLSSession's segment counter and, the moment seg-0 +
-  init.mp4 land on disk, POSTs the sessionId to the server. The web side
-  flips `streaming_session.ready_at = NOW()`, which its new SSE endpoint
-  pushes to subscribed players so the "Preparando…" UI flips to
-  "Stream listo" without waiting for the player's HEAD-probe retry loop
-  to discover it. Cache-HIT sessions fire the webhook immediately on
-  StartHLSSession return.
-- `engine.HLSSession.ReadyCount()` + `FromCache()` accessors so the
-  ready-watcher goroutine doesn't reach into private state.
-
-## [0.9.12] - 2026-05-27
 
 ### Added
 
-- **transcoder diagnostic in register payload**: daemon now sends the full
-  HWAccel diagnostic (ffmpeg version, resolved binary path, list of HW
-  encoders compiled in, list of device files / drivers present) up to the
-  server on register. The web "Diagnose transcoder" modal surfaces these
-  so a user stuck on software libx264 can see *why* (e.g. ffmpeg shipped
-  without `--enable-nvenc`, or `/dev/nvidia0` missing inside a container)
-  without SSHing into their machine + running `unarr probe-hwaccel`.
-- **`[transcode]` startup log line**: daemon prints a single one-line
-  summary of the picked backend + version + binary path + devices at
-  start. Same data the web shows; convenient for `journalctl --user -u
-  unarr | grep transcode`.
+- **agent**: session-ready webhook for SSE-driven player handshake (0.9.13)
+- **agent**: send full transcoder diagnostic in register payload (0.9.12)
 
+### Fixed
+
+- **daemon**: defer probeCancel so a panic mid-diagnostic still releases ctx
+
+### Other
+
+- **release**: add ship.sh end-to-end pipeline as GH Actions backup
+- **skills**: add /publish slash command + allow .claude/ in git
 ## [0.9.11] - 2026-05-27
 
 
@@ -77,6 +110,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - **cors**: allow play from .to / staging / onion mirrors
 - **library**: classify resolution by width + height, not height alone
 - **transcode**: make preset libx264-only + restore quality opt-in
+
+### Other
+
+- **release**: 0.9.11
 ## [0.9.8] - 2026-05-27
 
 
@@ -539,9 +576,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Build
 
 - add -s -w -trimpath to Makefile, add build-small target with UPX
-[0.9.11]: https://github.com/torrentclaw/unarr/compare/v0.9.8...v0.9.11
-[0.9.8]: https://github.com/torrentclaw/unarr/compare/v0.9.7...v0.9.8
-[0.9.12]: https://github.com/torrentclaw/unarr/compare/v0.9.11...v0.9.12
+[0.9.19]: https://github.com/torrentclaw/unarr/compare/v0.9.18...v0.9.19
+[0.9.18]: https://github.com/torrentclaw/unarr/compare/v0.9.17...v0.9.18
+[0.9.17]: https://github.com/torrentclaw/unarr/compare/v0.9.15...v0.9.17
+[0.9.15]: https://github.com/torrentclaw/unarr/compare/v0.9.14...v0.9.15
+[0.9.14]: https://github.com/torrentclaw/unarr/compare/v0.9.13...v0.9.14
+[0.9.13]: https://github.com/torrentclaw/unarr/compare/v0.9.11...v0.9.13
 [0.9.11]: https://github.com/torrentclaw/unarr/compare/v0.9.8...v0.9.11
 [0.9.8]: https://github.com/torrentclaw/unarr/compare/v0.9.7...v0.9.8
 [0.9.7]: https://github.com/torrentclaw/unarr/compare/v0.9.6...v0.9.7

DOCKERHUB.md

@@ -1,8 +1,9 @@
 # unarr
 
-**The single binary that replaces your whole *arr stack.** Search 30+ torrent
-sources, inspect real quality before you download, grab subtitles, and manage
-your media library — all from one terminal tool or a headless daemon.
+**The single binary that replaces your whole *arr stack.** Built-in torrent,
+debrid, and usenet engines. Stream, transcode, and organize your library from
+one terminal — or run it as a headless daemon with a web dashboard, WireGuard
+split-tunnel, and Cloudflare Funnel remote access.
 
 **[Website & docs](https://torrentclaw.com/unarr)** · **[Install guide](https://torrentclaw.com/cli)** · **[Get an API key](https://torrentclaw.com)**
 

README.md

@@ -11,9 +11,9 @@
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
 [![Go Version](https://img.shields.io/github/go-mod/go-version/torrentclaw/unarr)](go.mod)
 
-Powerful terminal tool for torrent search and management. **Free and open source.**
+The single-binary terminal client for torrent, debrid, and usenet downloads. **Free and open source.**
 
-Search 30+ torrent sources, inspect torrent quality, discover popular content, find streaming providers, and manage your media collection — all from your terminal.
+Built-in torrent engine, debrid (Real-Debrid / AllDebrid), and NZB support. Stream to mpv/vlc, transcode on the fly with hardware acceleration, and manage your library — one binary or a headless daemon with WireGuard split-tunnel and Cloudflare Funnel remote access.
 
 <!-- GIF demo placeholder -->
 <!-- ![unarr Demo](docs/demo.gif) -->

docker-compose.yml

@@ -1,48 +1,65 @@
+# unarr — TorrentClaw agent
+#
+# Quick start:
+#   1. Copy this file to any directory.
+#   2. Set UNARR_API_KEY to your key (Settings → API Keys on torrentclaw.com).
+#   3. Set DOWNLOAD_DIR to your media folder (absolute path).
+#   4. Run:  docker compose up -d
+#
+# Get your API key: https://torrentclaw.com/settings/api-keys
+# Full docs:        https://torrentclaw.com/unarr
+
 services:
   unarr:
-    build:
-      context: ..
-      dockerfile: unarr/Dockerfile
     image: torrentclaw/unarr:latest
+    pull_policy: always          # always pull on `up` so you stay on the latest release
     container_name: unarr
     restart: unless-stopped
-    user: "1000:1000"
 
-    # Read-only root filesystem — only volumes are writable
-    read_only: true
-    tmpfs:
-      - /tmp:size=64m,mode=1777
-
-    volumes:
-      # Config: your config.toml lives here
-      - ./config:/config
-      # Downloads: finished media goes here
-      - ~/Media:/downloads
-      # Data: torrent metadata, piece DB, cache
-      - unarr-data:/data
-
-    environment:
-      - TZ=${TZ:-UTC}
-      # Optional overrides (uncomment to use):
-      # - UNARR_API_KEY=tc_your_key_here
-      # - UNARR_API_URL=https://torrentclaw.com
-
-    # Resource limits — adjust to your needs
-    deploy:
-      resources:
-        limits:
-          memory: 512M
-          cpus: "2.0"
-
-    # Torrent P2P needs host network or explicit port range
-    # Option A: host network (simplest, full P2P performance)
+    # host network is required for:
+    #   - streaming to reach your TV / mobile / other LAN devices (port 11818)
+    #   - HLS transcode server (port 11819)
+    #   - Tailscale connectivity (if you use it)
+    # On macOS / Windows Docker Desktop, replace with `ports` mapping (see below).
     network_mode: host
 
-    # Option B: bridge network with port mapping (more isolated)
-    # Uncomment below and comment out network_mode above:
+    environment:
+      # --- Required ---
+      - UNARR_API_KEY=${UNARR_API_KEY:?Set UNARR_API_KEY in .env or export it}
+
+      # --- Optional ---
+      # Server URL — change only if you run a self-hosted TorrentClaw instance
+      - UNARR_API_URL=${UNARR_API_URL:-https://torrentclaw.com}
+      - TZ=${TZ:-UTC}
+
+    volumes:
+      # Config: config.toml is auto-created here on first run.
+      # After first start, edit this file to set organize paths, quality, etc.
+      - ${CONFIG_DIR:-./config}:/config
+
+      # Downloads: where finished media is saved.
+      # Set DOWNLOAD_DIR in .env or export it before running.
+      - ${DOWNLOAD_DIR:?Set DOWNLOAD_DIR to your media folder}:/downloads
+
+      # Data: piece-completion DB, HLS cache, DHT nodes.
+      # Named volume keeps this off your media drive (avoids NFS locking issues).
+      - unarr-data:/data
+
+    # Optional: limit CPU/RAM for transcoding on shared hosts
+    # deploy:
+    #   resources:
+    #     limits:
+    #       memory: 2G
+    #       cpus: "4.0"
+
+    # --- macOS / Windows alternative (replace network_mode: host above) ---
+    # network_mode: bridge
     # ports:
-    #   - "6881-6889:6881-6889/tcp"
-    #   - "6881-6889:6881-6889/udp"
+    #   - "11818:11818"   # direct stream (VLC, download)
+    #   - "11819:11819"   # HLS transcode (web player)
+    #   - "42069:42069"   # BitTorrent incoming peers
+    # Note: streaming will only reach devices on the same machine.
+    # For LAN / Tailscale playback use a Linux host with network_mode: host.
 
 volumes:
   unarr-data:

internal/agent/state.go

@@ -2,6 +2,8 @@ package agent
 
 import (
 	"encoding/json"
+	"errors"
+	"fmt"
 	"os"
 	"path/filepath"
 	"time"
@@ -9,6 +11,13 @@ import (
 	"github.com/torrentclaw/unarr/internal/config"
 )
 
+// ErrDaemonNotRunning is returned when no daemon state file exists on disk.
+// Callers may wrap it with %w; downstream code uses errors.Is to detect it.
+// NOTE: the message text is matched by the sentry package (string-match, to
+// avoid an import cycle). Keep the prefix "daemon does not appear to be
+// running" stable, or update sentry.daemonNotRunningMarker accordingly.
+var ErrDaemonNotRunning = errors.New("daemon does not appear to be running (state file not found)")
+
 // DaemonState is written to disk every heartbeat for external tools to read.
 type DaemonState struct {
 	AgentID         string         `json:"agentId"`
@@ -69,17 +78,31 @@ func WriteState(state *DaemonState) {
 	os.Rename(tmp, path)
 }
 
-// ReadState reads the daemon state from disk. Returns nil if not found.
+// ReadState reads the daemon state from disk. Returns nil if not found or
+// unreadable. Use LoadState when callers need to distinguish "not running"
+// from "state file corrupted".
 func ReadState() *DaemonState {
+	state, _ := LoadState()
+	return state
+}
+
+// LoadState reads the daemon state and returns explicit errors:
+//   - ErrDaemonNotRunning when the state file does not exist
+//   - a wrapped json error when the file exists but cannot be decoded
+//     (a real bug worth reporting to Sentry)
+func LoadState() (*DaemonState, error) {
 	data, err := os.ReadFile(StateFilePath())
 	if err != nil {
-		return nil
+		if errors.Is(err, os.ErrNotExist) {
+			return nil, ErrDaemonNotRunning
+		}
+		return nil, err
 	}
 	var state DaemonState
-	if json.Unmarshal(data, &state) != nil {
-		return nil
+	if err := json.Unmarshal(data, &state); err != nil {
+		return nil, fmt.Errorf("decode daemon state %s: %w", StateFilePath(), err)
 	}
-	return &state
+	return &state, nil
 }
 
 // RemoveState deletes the state file (called on clean shutdown).

internal/agent/state_test.go

@@ -1,6 +1,7 @@
 package agent
 
 import (
+	"errors"
 	"os"
 	"path/filepath"
 	"testing"
@@ -104,3 +105,39 @@ func TestReadStateCorruptedJSON(t *testing.T) {
 		t.Errorf("ReadState() should return nil for corrupted JSON, got %+v", state)
 	}
 }
+
+func TestLoadStateNotFound(t *testing.T) {
+	tmpDir := t.TempDir()
+	origFn := stateFilePathFn
+	stateFilePathFn = func() string { return filepath.Join(tmpDir, "nonexistent.json") }
+	defer func() { stateFilePathFn = origFn }()
+
+	state, err := LoadState()
+	if state != nil {
+		t.Errorf("LoadState() state = %+v, want nil", state)
+	}
+	if !errors.Is(err, ErrDaemonNotRunning) {
+		t.Errorf("LoadState() err = %v, want ErrDaemonNotRunning", err)
+	}
+}
+
+func TestLoadStateCorruptedJSON(t *testing.T) {
+	tmpDir := t.TempDir()
+	origFn := stateFilePathFn
+	path := filepath.Join(tmpDir, "daemon.state.json")
+	stateFilePathFn = func() string { return path }
+	defer func() { stateFilePathFn = origFn }()
+
+	os.WriteFile(path, []byte("not valid json{{{"), 0o644)
+
+	state, err := LoadState()
+	if state != nil {
+		t.Errorf("LoadState() state = %+v, want nil", state)
+	}
+	if err == nil {
+		t.Fatal("LoadState() err = nil, want decode error")
+	}
+	if errors.Is(err, ErrDaemonNotRunning) {
+		t.Error("corrupt state must not be reported as ErrDaemonNotRunning — it would be filtered from Sentry")
+	}
+}

internal/cmd/daemon.go

@@ -266,6 +266,7 @@ func runDaemonStart() error {
 	// Create torrent downloader
 	torrentDl, err := engine.NewTorrentDownloader(engine.TorrentConfig{
 		DataDir:            cfg.Download.Dir,
+		PieceCompletionDir: config.DataDir(), // keep piece-completion DB off NFS/SMB mounts
 		MetadataTimeout:    metaTimeout,
 		StallTimeout:       stallTimeout,
 		MaxTimeout:         0,

internal/cmd/daemon_control.go

@@ -1,6 +1,7 @@
 package cmd
 
 import (
+	"errors"
 	"fmt"
 	"os"
 	"os/exec"
@@ -262,9 +263,12 @@ func runDaemonReload() error {
 // stopDaemonByPID reads the state file and sends a graceful stop to the daemon PID.
 // Used as fallback on platforms without a service manager (and as Windows implementation).
 func stopDaemonByPID() error {
-	state := agent.ReadState()
-	if state == nil {
-		return fmt.Errorf("daemon does not appear to be running (state file not found)")
+	state, err := agent.LoadState()
+	if err != nil {
+		if errors.Is(err, agent.ErrDaemonNotRunning) {
+			return err
+		}
+		return fmt.Errorf("read daemon state: %w", err)
 	}
 	return killPID(state.PID)
 }

internal/cmd/download.go

@@ -119,11 +119,10 @@ func runDownloadWithDeps(input, method string, deps downloadDeps) error {
 		return fmt.Errorf("create downloader: %w", err)
 	}
 
-	// Create a dummy reporter (no API reporting for one-shot)
-	reporter := engine.NewProgressReporter(
-		deps.newAgentClient(cfg.Auth.APIURL, cfg.Auth.APIKey, "unarr/"+Version),
-		5*time.Second,
-	)
+	// Local-only reporter: one-shot downloads have no server-side task, so a nil
+	// client keeps terminal progress working without spamming the status API
+	// (which 400s the synthetic "oneshot-" id).
+	reporter := engine.NewProgressReporter(nil, 5*time.Second)
 
 	debridDl := deps.newDebridDl()
 

internal/cmd/reload_unix.go

@@ -3,6 +3,7 @@
 package cmd
 
 import (
+	"errors"
 	"fmt"
 	"log"
 	"os"
@@ -43,9 +44,12 @@ func startReloadWatcher(rc *ReloadableConfig) {
 
 // sendReloadSignal sends SIGUSR1 to the running daemon process.
 func sendReloadSignal() error {
-	state := agent.ReadState()
-	if state == nil {
-		return fmt.Errorf("daemon does not appear to be running (state file not found)")
+	state, err := agent.LoadState()
+	if err != nil {
+		if errors.Is(err, agent.ErrDaemonNotRunning) {
+			return err
+		}
+		return fmt.Errorf("read daemon state: %w", err)
 	}
 	p, err := os.FindProcess(state.PID)
 	if err != nil {

internal/cmd/root.go

@@ -26,15 +26,19 @@ var (
 func init() {
 	rootCmd = &cobra.Command{
 		Use:     "unarr",
-		Short: "unarr — torrent search and management",
-		Long: `unarr is a powerful terminal tool for torrent search and management.
-
-Search 30+ torrent sources, inspect torrent quality, discover popular content,
-find streaming providers, and manage your media collection — all from your terminal.
+		Version: Version,
+		Short:   "Terminal torrent + debrid + usenet client — download, stream, transcode",
+		Long: `unarr is a terminal-native client that downloads torrents, debrid links,
+and usenet (NZB) — all from the same binary. It streams content straight
+to mpv/vlc with sequential piece prioritization, transcodes on the fly via
+ffmpeg with hardware acceleration (NVENC, QSV, VA-API, VideoToolbox), and
+organizes your library into Movies/TV folders. Run it one-shot or as a
+long-running daemon with a built-in WireGuard split-tunnel and remote
+playback over Cloudflare Funnel.
 
 Get started:
   unarr init                           First-time configuration wizard
-  unarr search "breaking bad"          Search for content
+  unarr download <magnet|hash>         Grab a torrent one-shot
   unarr start                          Start the download daemon
 
 Documentation:  https://torrentclaw.com/cli
@@ -55,7 +59,7 @@ Source:         https://github.com/torrentclaw/unarr`,
 	// Command groups for organized help output
 	rootCmd.AddGroup(
 		&cobra.Group{ID: "start", Title: "Getting Started:"},
-		&cobra.Group{ID: "search", Title: "Search & Discovery:"},
+		&cobra.Group{ID: "search", Title: "Catalog & Discovery:"},
 		&cobra.Group{ID: "download", Title: "Downloads & Streaming:"},
 		&cobra.Group{ID: "daemon", Title: "Daemon Management:"},
 		&cobra.Group{ID: "system", Title: "System & Diagnostics:"},

internal/cmd/version.go

@@ -1,4 +1,4 @@
 package cmd
 
 // Version is the CLI version. Overridden by goreleaser ldflags at release time.
-var Version = "0.9.14"
+var Version = "0.9.19"

internal/engine/hls.go

@@ -1150,10 +1150,14 @@ func buildHLSFFmpegArgsAt(cfg HLSSessionConfig, probe *StreamProbe, tmpDir strin
 		// helps when the user has set GOMAXPROCS.
 		args = append(args, "-preset", profile.Preset, "-threads", "0")
 	case "h264_nvenc":
-		// p3 + tune=ll trades ~0.3 dB PSNR for 1.5-2× faster encode vs the
-		// previous p4 + tune=hq pair — first-segment encode drops from
-		// ~1.5 s to ~0.8 s on RTX-class hardware.
-		args = append(args, "-preset", profile.Preset, "-rc", "vbr", "-tune", "ll")
+		// p3 + vbr keeps NVENC fast (~1.5 s seg-0) without the segmentation
+		// breakage `-tune ll` introduced in 0.9.9: with -tune=ll the NVENC
+		// rate control emits long IDR-less GOPs that ignore -force_key_frames,
+		// so ffmpeg's HLS muxer never closes seg-0 and the player stalls at
+		// "preparando sesión" until the 60 s mark-ready timeout. Verified on
+		// ffmpeg 6.1.1 + driver 580 / RTX-class GPUs: dropping -tune ll
+		// restores per-segment cuts at 27x real-time vs 28x with -tune ll.
+		args = append(args, "-preset", profile.Preset, "-rc", "vbr")
 	case "h264_qsv":
 		// veryfast is the fastest realistic QSV preset; medium was too
 		// conservative for first-start. look_ahead=0 keeps the encoder

internal/engine/progress.go

@@ -45,10 +45,19 @@ type ProgressReporter struct {
 	lastCheckAt  time.Time             // last time we reported for control-signal polling
 }
 
-// NewProgressReporter creates a reporter that flushes every interval.
+// NewProgressReporter creates a reporter that flushes every interval. A nil
+// client yields a local-only reporter that tracks progress for terminal output
+// but never calls the API — used by one-shot `unarr download`, which has no
+// server-side task to report against (its synthetic "oneshot-" id is not a UUID
+// and the /api/internal/agent/status endpoint 400s it). Passing the typed nil
+// straight into the interface field would make it non-nil, so guard explicitly.
 func NewProgressReporter(ac *agent.Client, interval time.Duration) *ProgressReporter {
+	var rep StatusReporter
+	if ac != nil {
+		rep = ac
+	}
 	return &ProgressReporter{
-		reporter:     ac,
+		reporter:     rep,
 		interval:     interval,
 		latest:       make(map[string]*Task),
 		lastReported: make(map[string]TaskStatus),
@@ -108,6 +117,9 @@ func (r *ProgressReporter) Run(ctx context.Context) error {
 }
 
 func (r *ProgressReporter) flush(ctx context.Context) {
+	if r.reporter == nil {
+		return // local-only reporter (one-shot): nothing to send
+	}
 	r.mu.Lock()
 	tasks := make([]*Task, 0, len(r.latest))
 	for _, t := range r.latest {
@@ -239,6 +251,10 @@ func (r *ProgressReporter) handleResponse(task *Task, resp *agent.StatusResponse
 
 // ReportFinal sends a final status update for a completed/failed task.
 func (r *ProgressReporter) ReportFinal(ctx context.Context, task *Task) {
+	if r.reporter == nil {
+		r.Untrack(task.ID)
+		return // local-only reporter (one-shot)
+	}
 	update := task.ToStatusUpdate()
 	if _, err := r.reporter.ReportStatus(ctx, update); err != nil {
 		log.Printf("[%s] final report failed: %v", task.ID[:8], err)

internal/engine/torrent.go

@@ -62,6 +62,11 @@ var defaultTrackers = []string{
 // TorrentConfig holds settings for the BitTorrent downloader.
 type TorrentConfig struct {
 	DataDir             string
+	// PieceCompletionDir, when non-empty, stores the piece-completion SQLite DB
+	// in this directory instead of DataDir. Use the agent's local state dir
+	// (not the download dir) so the DB never lands on NFS/SMB volumes where
+	// SQLite locking times out.
+	PieceCompletionDir  string
 	MetadataTimeout time.Duration // how long to wait for torrent metadata (default 15m, 0 = unlimited)
 	StallTimeout    time.Duration // no progress during download for this long = stall (default 10m)
 	MaxTimeout      time.Duration // absolute maximum per torrent (default 0 = unlimited)
@@ -113,7 +118,23 @@ func NewTorrentDownloader(cfg TorrentConfig) (*TorrentDownloader, error) {
 	// Storage: mmap instead of default file backend.
 	// The library author notes file storage has "very high system overhead".
 	// mmap improves I/O throughput and piece verification speed significantly.
+	//
+	// When PieceCompletionDir is set (daemon always passes the agent state dir),
+	// keep the piece-completion SQLite DB off the download dir so it never lands
+	// on NFS/SMB where SQLite's file locking times out and emits a warning.
+	if cfg.PieceCompletionDir != "" {
+		if mkErr := os.MkdirAll(cfg.PieceCompletionDir, 0o755); mkErr != nil {
+			log.Printf("[torrent] piece-completion dir create failed (%v), DB stays in download dir", mkErr)
 			tcfg.DefaultStorage = storage.NewMMap(cfg.DataDir)
+		} else if pc, pcErr := storage.NewDefaultPieceCompletionForDir(cfg.PieceCompletionDir); pcErr != nil {
+			log.Printf("[torrent] piece-completion db in %q failed (%v), falling back to download dir", cfg.PieceCompletionDir, pcErr)
+			tcfg.DefaultStorage = storage.NewMMap(cfg.DataDir)
+		} else {
+			tcfg.DefaultStorage = storage.NewMMapWithCompletion(cfg.DataDir, pc)
+		}
+	} else {
+		tcfg.DefaultStorage = storage.NewMMap(cfg.DataDir)
+	}
 
 	// Fixed port for incoming peer connections (enables UPnP port mapping).
 	// With ListenPort=0, only ~30% of peers can connect to us.
@@ -352,6 +373,13 @@ func (d *TorrentDownloader) Download(ctx context.Context, task *Task, outputDir
 	result.Method = MethodTorrent
 	result.Size = totalBytes
 
+	// anacrolix mmap storage (storage.NewMMap) creates completed files with mode
+	// 0000 — the running process keeps its own mmap handle so the download works,
+	// but any fresh open (streaming, ffprobe/HLS, organize-then-reopen) hits
+	// "permission denied". Relax perms now, before organize moves the file, so the
+	// readable mode is preserved through the rename.
+	makeReadable(filePath)
+
 	// If seeding enabled, keep alive (don't cleanup).
 	// The manager handles seeding lifecycle.
 	if !d.cfg.SeedEnabled {
@@ -459,6 +487,41 @@ func (d *TorrentDownloader) pollDownload(ctx context.Context, t *torrent.Torrent
 	}
 }
 
+// makeReadable relaxes permissions on a completed download so it can be
+// re-opened by streaming/ffprobe/organize. anacrolix mmap storage creates
+// files with mode 0000; we set files to 0644 and directories to 0755. Errors
+// are logged but non-fatal (e.g. NFS root_squash) — the file may still be
+// readable depending on the export.
+func makeReadable(path string) {
+	info, err := os.Stat(path)
+	if err != nil {
+		log.Printf("[organize] makeReadable stat %q: %v", path, err)
+		return
+	}
+	if !info.IsDir() {
+		if err := os.Chmod(path, 0o644); err != nil {
+			log.Printf("[organize] makeReadable chmod %q: %v", path, err)
+		}
+		return
+	}
+	err = filepath.WalkDir(path, func(p string, d os.DirEntry, walkErr error) error {
+		if walkErr != nil {
+			return nil // skip unreadable entries, keep going
+		}
+		mode := os.FileMode(0o644)
+		if d.IsDir() {
+			mode = 0o755
+		}
+		if err := os.Chmod(p, mode); err != nil {
+			log.Printf("[organize] makeReadable chmod %q: %v", p, err)
+		}
+		return nil
+	})
+	if err != nil {
+		log.Printf("[organize] makeReadable walk %q: %v", path, err)
+	}
+}
+
 // Pause drops the torrent handle but keeps partial files on disk for resume.
 func (d *TorrentDownloader) Pause(taskID string) error {
 	d.activeMu.Lock()

internal/funnel/funnel.go

@@ -32,9 +32,13 @@ import (
 )
 
 // urlPattern matches the `https://<random>.trycloudflare.com` URL cloudflared
-// prints when a Quick Tunnel is registered. The hostname has a random
-// hyphen-separated label followed by .trycloudflare.com.
-var urlPattern = regexp.MustCompile(`https://[a-z0-9-]+\.trycloudflare\.com`)
+// prints when a Quick Tunnel is registered. Quick Tunnel hostnames are always
+// several hyphen-joined dictionary words (e.g.
+// `make-appointments-negotiation-blacks`), so we require at least one hyphen.
+// This deliberately excludes cloudflared's control-plane endpoint
+// `https://api.trycloudflare.com`, which appears earlier in the log stream — a
+// permissive `[a-z0-9-]+` matched `api` first and we advertised a dead URL.
+var urlPattern = regexp.MustCompile(`https://[a-z0-9]+(?:-[a-z0-9]+)+\.trycloudflare\.com`)
 
 // Config controls how the tunnel is launched.
 type Config struct {

internal/funnel/funnel_test.go

@@ -0,0 +1,40 @@
+package funnel
+
+import "testing"
+
+func TestURLPattern(t *testing.T) {
+	cases := []struct {
+		name string
+		line string
+		want string
+	}{
+		{
+			name: "real quick tunnel banner",
+			line: "2026-05-29T22:18:33Z INF |  https://make-appointments-negotiation-blacks.trycloudflare.com  |",
+			want: "https://make-appointments-negotiation-blacks.trycloudflare.com",
+		},
+		{
+			name: "two-word hostname",
+			line: "https://blue-river.trycloudflare.com is ready",
+			want: "https://blue-river.trycloudflare.com",
+		},
+		{
+			name: "control-plane api endpoint is ignored",
+			line: `2026-05-29T22:17:59Z DBG POST https://api.trycloudflare.com/tunnel`,
+			want: "",
+		},
+		{
+			name: "no trycloudflare url",
+			line: "2026-05-29T22:17:44Z INF Requesting new quick Tunnel on trycloudflare.com...",
+			want: "",
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			if got := urlPattern.FindString(tc.line); got != tc.want {
+				t.Fatalf("FindString(%q) = %q, want %q", tc.line, got, tc.want)
+			}
+		})
+	}
+}

internal/sentry/sentry.go

@@ -1,12 +1,14 @@
 package sentry
 
 import (
+	"errors"
 	"os"
 	"runtime"
 	"strings"
 	"time"
 
 	gosentry "github.com/getsentry/sentry-go"
+	"github.com/spf13/pflag"
 )
 
 // dsn is injected at build time via ldflags. If empty, Sentry is disabled.
@@ -44,9 +46,16 @@ func Close() {
 	gosentry.Flush(flushTimeout)
 }
 
+// daemonNotRunningMarker matches the message of agent.ErrDaemonNotRunning
+// without importing the agent package — avoids a sentry → agent dependency
+// that would risk a cycle if agent ever needed to report errors itself.
+const daemonNotRunningMarker = "daemon does not appear to be running"
+
 // CaptureError sends a non-fatal error to Sentry with optional command context.
+// Expected non-bug errors (bad CLI input, daemon not running) are skipped to
+// keep the issue feed signal-heavy.
 func CaptureError(err error, command string) {
-	if err == nil {
+	if err == nil || shouldSkipSentry(err) {
 		return
 	}
 
@@ -58,6 +67,21 @@ func CaptureError(err error, command string) {
 	})
 }
 
+func shouldSkipSentry(err error) bool {
+	var notExist *pflag.NotExistError
+	var valueReq *pflag.ValueRequiredError
+	var invalidVal *pflag.InvalidValueError
+	var invalidSyn *pflag.InvalidSyntaxError
+	if errors.As(err, &notExist) || errors.As(err, &valueReq) ||
+		errors.As(err, &invalidVal) || errors.As(err, &invalidSyn) {
+		return true
+	}
+	msg := err.Error()
+	return strings.HasPrefix(msg, "unknown command ") ||
+		strings.HasPrefix(msg, "required flag(s)") ||
+		strings.Contains(msg, daemonNotRunningMarker)
+}
+
 // RecoverPanic captures a panic and re-panics after reporting.
 // Usage: defer sentry.RecoverPanic()
 func RecoverPanic() {

internal/sentry/sentry_test.go

@@ -1,6 +1,10 @@
 package sentry
 
-import "testing"
+import (
+	"errors"
+	"fmt"
+	"testing"
+)
 
 func TestEnvironment(t *testing.T) {
 	tests := []struct {
@@ -45,3 +49,16 @@ func TestSetUser(t *testing.T) {
 	// Should not panic without initialization
 	SetUser("agent-123")
 }
+
+func TestShouldSkipSentryDaemonNotRunning(t *testing.T) {
+	// String must stay in sync with agent.ErrDaemonNotRunning. If that sentinel
+	// is reworded, this test fails loudly so the marker can be updated.
+	err := errors.New("daemon does not appear to be running (state file not found)")
+	if !shouldSkipSentry(err) {
+		t.Error("ErrDaemonNotRunning message should be skipped")
+	}
+	wrapped := fmt.Errorf("read daemon state: %w", err)
+	if !shouldSkipSentry(wrapped) {
+		t.Error("wrapped ErrDaemonNotRunning message should be skipped")
+	}
+}

scripts/release.sh

@@ -55,6 +55,17 @@ fi
 CURRENT_BRANCH=$(git branch --show-current)
 [ "$CURRENT_BRANCH" = "main" ] || warn "Not on main branch (current: $CURRENT_BRANCH)"
 
+HEAD_SUBJECT=$(git log -1 --pretty=%s)
+if [[ "$HEAD_SUBJECT" =~ \(([0-9]+\.[0-9]+\.[0-9]+)\) ]]; then
+  die "HEAD commit subject contains inline version bump: \"$HEAD_SUBJECT\"
+Release contract: version bumps MUST live in a dedicated 'chore(release): X.Y.Z' commit.
+Revert the inline bump and re-run this script — it will create the proper commit."
+fi
+if [[ "$HEAD_SUBJECT" =~ ^chore\(release\): ]]; then
+  die "HEAD is already a chore(release) commit: \"$HEAD_SUBJECT\"
+Nothing new to release. Add commits since the last release or amend intentionally outside this script."
+fi
+
 # ── Resolve version ────────────────────────────────────────────────
 LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "v0.0.0")
 LATEST_VERSION="${LATEST_TAG#v}"

scripts/ship.sh

@@ -17,7 +17,8 @@
 #   3. Rsync to Hetzner via web/scripts/publish-cli-release.sh
 #   4. Multi-arch Docker build + push (amd64 + arm64) to Docker Hub
 #   5. Smoke checks (torrentclaw.com/version + docker run image version)
-#   6. Optional `git push --follow-tags`
+#   6. Prune Forgejo releases older than FORGEJO_PRUNE_DAYS (default 90)
+#   7. Optional `git push --follow-tags`
 #
 # Usage:
 #   scripts/ship.sh                  Detect version from internal/cmd/version.go
@@ -33,6 +34,10 @@
 #   SKIP_DOCKER=1           skip Docker build/push
 #   SKIP_HETZNER=1          skip Hetzner publish
 #   SKIP_SMOKE=1            skip smoke checks
+#   SKIP_FORGEJO_PRUNE=1    skip Forgejo retention prune
+#   FORGEJO_TOKEN           PAT with write:repository for prune (no token = skip + warn)
+#   FORGEJO_PRUNE_DAYS      retention window, default 90 days
+#   FORGEJO_REPO            default torrentclaw/unarr
 #
 set -euo pipefail
 
@@ -44,6 +49,10 @@ PUBLISH_SCRIPT="${PUBLISH_SCRIPT:-$REPO_DIR/../torrentclaw-web/scripts/publish-c
 SKIP_DOCKER="${SKIP_DOCKER:-0}"
 SKIP_HETZNER="${SKIP_HETZNER:-0}"
 SKIP_SMOKE="${SKIP_SMOKE:-0}"
+SKIP_FORGEJO_PRUNE="${SKIP_FORGEJO_PRUNE:-0}"
+FORGEJO_PRUNE_DAYS="${FORGEJO_PRUNE_DAYS:-90}"
+FORGEJO_REPO="${FORGEJO_REPO:-torrentclaw/unarr}"
+FORGEJO_BASE="${FORGEJO_BASE:-https://git.torrentclaw.com}"
 
 DRY_RUN=false
 PUSH_TAG=false
@@ -161,7 +170,48 @@ if [ "$SKIP_SMOKE" != "1" ]; then
   fi
 fi
 
-# 5. Optional push
+# 6. Forgejo retention prune
+if [ "$SKIP_FORGEJO_PRUNE" != "1" ]; then
+  if [ -z "${FORGEJO_TOKEN:-}" ]; then
+    warn "FORGEJO_TOKEN not set — skipping Forgejo prune (set it to enable >${FORGEJO_PRUNE_DAYS}-day cleanup)"
+  else
+    info "pruning Forgejo releases older than $FORGEJO_PRUNE_DAYS days"
+    FORGEJO_API="$FORGEJO_BASE/api/v1/repos/$FORGEJO_REPO/releases"
+    RELEASES_JSON="$(curl -fsSL -H "Authorization: token $FORGEJO_TOKEN" "$FORGEJO_API?limit=50" || echo '[]')"
+    PRUNE_IDS="$(echo "$RELEASES_JSON" | python3 -c "
+import json, sys
+from datetime import datetime, timedelta, timezone
+days = int('${FORGEJO_PRUNE_DAYS}')
+cutoff = datetime.now(timezone.utc) - timedelta(days=days)
+for r in json.load(sys.stdin):
+    created = datetime.fromisoformat(r['created_at'].replace('Z', '+00:00'))
+    if created < cutoff:
+        print(f\"{r['id']}\t{r['tag_name']}\t{r['created_at']}\")
+" 2>/dev/null || true)"
+    DELETED=0
+    FAILED=0
+    if [ -n "$PRUNE_IDS" ]; then
+      while IFS=$'\t' read -r REL_ID REL_TAG REL_CREATED; do
+        [ -z "$REL_ID" ] && continue
+        CODE="$(curl -s -o /dev/null -w '%{http_code}' -X DELETE -H "Authorization: token $FORGEJO_TOKEN" "$FORGEJO_API/$REL_ID")"
+        if [ "$CODE" = "204" ]; then
+          echo "    deleted $REL_TAG (created $REL_CREATED)"
+          DELETED=$((DELETED + 1))
+        else
+          warn "    failed to delete $REL_TAG (id=$REL_ID, http=$CODE)"
+          FAILED=$((FAILED + 1))
+        fi
+      done <<< "$PRUNE_IDS"
+    fi
+    if [ "$FAILED" -gt 0 ]; then
+      warn "Forgejo prune: $DELETED removed, $FAILED failed"
+    else
+      ok "Forgejo prune: $DELETED release(s) removed (>${FORGEJO_PRUNE_DAYS} days old)"
+    fi
+  fi
+fi
+
+# 7. Optional push
 if [ "$PUSH_TAG" = true ]; then
   info "git push origin main --follow-tags"
   git push origin main --follow-tags