v1.3.0: Massive WebUI cleanup, Fixed/Stabilized scrobbling, Significant security hardening, added user login to WebUI, refactored searching/interleaving to work MUCH better, Tidal Powered recommendations for SquidWTF provider, Fixed double scrobbling, inferring stops much better, fixed playlist cron rebuilding, stale injected playlist artwork, and search cache TTL

.env.example

@@ -2,6 +2,29 @@
 # Choose which media server backend to use: Subsonic or Jellyfin
 BACKEND_TYPE=Jellyfin
 
+# ===== ADMIN NETWORK ACCESS (PORT 5275) =====
+# Keep false to bind admin UI to localhost only (recommended)
+# Set true only if you need LAN access from another device
+ADMIN_BIND_ANY_IP=false
+
+# Comma-separated trusted CIDR ranges allowed to access admin port when bind is enabled
+# Examples: 192.168.1.0/24,10.0.0.0/8
+ADMIN_TRUSTED_SUBNETS=
+
+# ===== CORS POLICY =====
+# Cross-origin requests are disabled by default.
+# Set explicit origins if you need browser access from another host.
+# Example: https://my-jellyfin.example.com,http://localhost:3000
+CORS_ALLOWED_ORIGINS=
+
+# Explicit allowed methods and headers for CORS preflight.
+# Keep these restrictive unless you have a concrete requirement.
+CORS_ALLOWED_METHODS=GET,POST,PUT,PATCH,DELETE,OPTIONS,HEAD
+CORS_ALLOWED_HEADERS=Accept,Authorization,Content-Type,Range,X-Requested-With,X-Emby-Authorization,X-MediaBrowser-Token
+
+# Set true only when your allowed origins require cookies/auth credentials.
+CORS_ALLOW_CREDENTIALS=false
+
 # ===== REDIS CACHE (REQUIRED) =====
 # Redis is the primary cache for all runtime data (search results, playlists, lyrics, etc.)
 # File cache (/app/cache) acts as a persistence layer for cold starts
@@ -113,6 +136,14 @@ QOBUZ_USER_ID=
 # If not specified, the highest available quality will be used
 QOBUZ_QUALITY=
 
+# ===== MUSICBRAINZ CONFIGURATION =====
+# Enable MusicBrainz metadata lookups (optional, default: true)
+MUSICBRAINZ_ENABLED=true
+
+# Optional MusicBrainz account credentials for authenticated requests
+MUSICBRAINZ_USERNAME=
+MUSICBRAINZ_PASSWORD=
+
 # ===== GENERAL SETTINGS =====
 # External playlists support (optional, default: true)
 # When enabled, allows searching and downloading playlists from Deezer/Qobuz
@@ -232,6 +263,11 @@ SCROBBLING_ENABLED=false
 # This ensures Allstarr only scrobbles external tracks (Spotify, Deezer, Qobuz)
 SCROBBLING_LOCAL_TRACKS_ENABLED=false
 
+# Emit synthetic local "played" events from progress when local scrobbling is disabled (default: false)
+# Only enable this if you explicitly need UserPlayedItems-based plugin triggering.
+# Keep false to avoid duplicate local scrobbles with Jellyfin plugins.
+SCROBBLING_SYNTHETIC_LOCAL_PLAYED_SIGNAL_ENABLED=false
+
 # ===== LAST.FM SCROBBLING =====
 # Enable Last.fm scrobbling (default: false)
 SCROBBLING_LASTFM_ENABLED=false
@@ -270,7 +306,11 @@ SCROBBLING_LISTENBRAINZ_USER_TOKEN=
 # Enable detailed request logging (default: false)
 # When enabled, logs every incoming HTTP request with full details:
 # - Method, path, query string
-# - Headers (auth tokens are masked)
+# - Headers
 # - Response status and timing
 # Useful for debugging client issues and seeing what API calls are being made
 DEBUG_LOG_ALL_REQUESTS=false
+
+# Redact auth/query sensitive values in request logs (default: false).
+# Set true if you want DEBUG_LOG_ALL_REQUESTS while still masking tokens.
+DEBUG_REDACT_SENSITIVE_REQUEST_VALUES=false