Issue fixes:
- #155: /api/browse/playlists/parse now handles YouTube/YouTube Music URLs
- #156: stop passing album MBID to verifyArtistName (was calling MB /artist/{id}
with an album MBID, always 404d); fix spotify trackCount stale value
- #154: remove hardcoded port-3030 detection from getApiBaseUrl -- now returns
relative URLs by default so any host:port mapping works
- #25 (partial): fix spotify playlist trackCount to use tracks.length instead of
stale playlist.tracks.total after pagination
Dead code / quality:
- Remove unused rootFolderPath param from processDownload + call sites
- Remove unused req params in route handlers (prefix _req)
- Remove dead push condition from integration.yml job gate
- Remove dead baseUrl constructor param and private field from ApiService
- Fix LibraryTabs hover effect: remove inline style={{ opacity: 0.1 }} that
overrode Tailwind group-hover; change to group-hover:opacity-10
- Fix mobile tab centering in LibraryTabs (add justify-center)
CI security:
- Mask TEST_PASS before writing to GITHUB_ENV in all three workflow files
- Add missing concurrency block to nightly.yml
- Add username validation + remove credential echo in create-e2e-user.sh
- Fix global.setup.ts error message to mention .env.test
E2E:
- Fix vibe test race condition: replace Promise.race + transient text with
stable trackCount.or(noData) assertion
- Fix security test flakiness: toBe(beforeCount) -> not.toBeGreaterThan for
playlist count check (parallel tests can delete playlists concurrently)
- Fix global.setup.ts error message to reference .env.test file
Vibe map:
- Increase cluster label size (13->15 / 10->12 px) and opacity (50->70 / 35->50)
for slightly better readability
Each CI run generates a fresh random password with openssl rand, writes it to
GITHUB_ENV, and passes it to both create-e2e-user.sh and Playwright. The test
user is ephemeral (container torn down after the run) but the password is now
unique per run and never committed to source.
Previously KimaE2ETest2026! was hardcoded as a fallback -- an admin account
backdoor anyone with repo access could exploit on a production instance that
had run the setup script.
Your Name