### Added
- REST API endpoints for status, artist-requests, and stats with optional key-based access.
- Settings UI input for an API key and client-side wiring to include it in saved settings.
- Server-side config/storage for the API key and DataHandler support to propagate it at runtime.
### Added
- Broadcast artist rejection events to connected clients to trigger UI refresh.
### Changed
- Show "Pending Approval" for requested artists and mark rejections as an error state in the UI.
- Disable and restyle the add button for already-added, requested, failed, invalid, or rejected statuses.
### Fixed
- Correct datetime usage when recording approval timestamp to avoid a runtime error.
### Added
- Persistent artist request model and migration for tracking user requests.
- Admin interface for reviewing, approving, and rejecting pending requests.
- Socket endpoint for users to submit artist requests from the UI.
- Client-side request button and user-info emission so the UI can show request vs add actions.
- Server-side handler to create requests, emit toast notifications, and update the UI.
### Changed
- Button behavior now shows "Request" for non-admins and preserves add-to-service action for admins.
- Session state includes an admin flag and is sent to clients on connection.
- Approving a request now triggers adding the artist to the external content service and marks the request approved.
### Changed
- Rely on public Last.fm usernames for personal recommendations; the recommendation API endpoint was deprecated long ago
- Remove UI and client-side logic that showed or managed a "linked" session key; data handling no longer reads or exposes a linked session-key state.
### Deprecated
- Preserve migration chain with an explicit no-op migration after removing the session-key column from the schema.
### Removed
- Database column and model field for Last.fm session key.
- Server endpoints and UI flows for linking/authorizing via session tokens and session-based storage of link tokens.
### Fixed
- Prevents errors and unnecessary auth flows when fetching personal recommendations without user credentials.
### Added
- Persistent per-user Last.fm session key column.
- Link and completion endpoints plus UI controls to authorize and unlink accounts.
- A user-focused Last.fm service that supports authenticated requests and richer recommendation aggregation.
- Frontend indicators to show linked status and guide the linking flow.
### Changed
- Use stored session key when fetching personal recommendations and expose a linked flag to the UI.
- Prefer direct user recommendations when available, otherwise aggregate similar artists from top artists.
- Ensure the user's remote library cache is populated synchronously so owned artists are filtered reliably.
- Emit an acknowledgment and update sidebar state when personal discovery yields no seeds.
- Clear stored session key when a user unlinks their account.
### Removed
- Legacy simple recommendation implementation replaced by the new user-centric integration.
### Fixed
- Prevent spinner from hanging when there are no seeds by sending an ACK and stopping the run.
- Surface link token state and completion control in the profile flow so users can finish linking.
### Added
- Personal discovery support for Last.fm and ListenBrainz to fetch user-specific top/recommended artists.
- Profile fields for Last.fm username, ListenBrainz username and user token, with UI controls to add or remove the token.
- Sidebar controls, spinners and socket events to initiate and stream personal recommendations.
- Database migration adding user columns for listening service integration.
### Changed
- Recommendation flow now streams seed artists, deduplicates against the user's library, and presents missing/skip feedback.
- Session and socket logic extended to emit per-user service availability and detailed error/ack responses.
- Service initialization wires up Last.fm and ListenBrainz clients and broadcasts availability state to connected sessions.
### Fixed
- Ensures personal discovery state and UI refresh after profile updates and when opening the sidebar so availability is accurate.
### Security
- ListenBrainz token handling added with an option to clear the stored token; token input is treated as a secret in the UI.
### Added
- Adds a data-status attribute and default "info" state to the LED for per-artist status.
### Changed
- Moves the status indicator into the image container and switches from card-level status classes to a data-status on the LED.
- Updates runtime logic to compute a single status value and set the LED dataset instead of toggling classes on the card.
- Restyles the LED (size, border, shadow, transitions) and adds dark-theme visual tweaks.
- Adjusts image container to a square aspect ratio, inherit border radius, ensure block display, and hide overflow on the card for cleaner layout.
### Added
- Automatic paragraph wrapping for sanitized biography text, converting double-newline blocks into elements.
### Changed
- UI refactor for artist cards: tighter spacing, updated image aspect ratio, compact pill-style action buttons, and adjusted metadata visual hierarchy.
- Biography sanitation flow unified to consistently use sanitized output whether a sanitizer is available or not.
### Deprecated
- Legacy heavy card borders and oversized spacing.
### Removed
- Redundant legacy style rules for older card visuals and status border overrides.
### Fixed
- Prevents accidental HTML escaping when no sanitizer is present and preserves paragraph structure for plain-text bios.
### Security
- Ensures sanitized biography output is consistently used to reduce XSS risk.
### Added
- Biography renderer that preserves paragraphs, line breaks, and sanitizes HTML when available.
- Letter placeholder avatar for artists missing cover images.
- Enhanced card visuals and modal body styling for richer presentation.
### Changed
- Restructures card layout to separate primary and secondary actions and improve image handling.
- Moves status styling to the card element for clearer visual states and consistent updates.
- Biography modal now inserts sanitized/formatted content or displays an informational note when empty.
### Deprecated
- Old image overlay and stacked in-image action buttons.
### Removed
- Reliance on raw inner HTML for biographies without sanitization fallback.
### Fixed
- Prevents XSS by sanitizing or escaping biography content before insertion.
- Avoids runtime errors when updating cards by more robust element selection and placeholder handling.
### Security
- Uses a sanitizer when available and falls back to escaping to mitigate HTML injection risks.
### Added
- Adds constants for start/stop button labels to centralize text.
- Adds a prominent AI Assist action in the sidebar for quick access.
### Changed
- Uses label constants for the start/stop toggle and changes wording to "Start discovery"/"Stop" for clarity; disables selection controls while running.
- Refines sidebar layout and copy to prioritize discovery tools.
- Adds icons and reorganizes user menu entries; scopes configuration action to the main page.
- Enhances footer credit styling for better contrast across themes.
### Added
- Server-side success/error events so the UI receives clear feedback after saving.
- Client-side form submit flow, payload builder, and toast notifications for saves.
### Changed
- Modal converted to a real form; save button now submits the form and is disabled while saving.
- Client populates fields from loaded settings and registers/unregisters the loader when the modal opens/closes.
- Save message handling switched to accessible alert classes with consistent show/hide logic.
- Server reloads in-memory settings after persisting to ensure UI reflects the latest config.
### Removed
- Immediate inline hide timing for the save message in favor of explicit success/error handling.
### Fixed
- Unreported save failures are now logged and surfaced to the UI as a generic error; the save control is re-enabled on failure.
- Reduced potential race conditions around loading settings when the modal lifecycle changes.
### Security
- Prevents leaking sensitive exception details to clients by logging full errors server-side and returning a generic error message to the UI.
### Added
- Adds UI controls for advanced Lidarr, discovery, and external API options (profile IDs, root folder, API timeout, fallback/search/dry-run toggles, batch sizes, auto-start, Last.fm/YouTube keys, OpenAI model and seed limit).
- Adds a comprehensive sample environment enumerating available keys with sensible defaults.
### Changed
- Improves server-side settings handling with robust coercion/validation for strings, booleans, integers and floats (including minimums).
- Expands settings payload sent to clients and updates client logic to gracefully handle missing inputs and avoid sending when disconnected.
- Updates documentation to surface new settings.
### Deprecated
- None.
### Removed
- None.
### Fixed
- Fixes duplicated logger output by disabling propagation on the application logger.
- Improves settings save UX by checking connection status and showing feedback.
### Security
- None.
### Added
- AI Assist modal that turns plain-English prompts into seed artists and auto-starts discovery.
- OpenAI-backed recommender to pick seed artists from user intent.
- Realtime socket flow to submit prompts and receive ack/error feedback.
- Admin settings for OpenAI key/model and max seed artists; persisted and read from env.
- Dependency on the OpenAI SDK.
- Docs for setup and usage of the AI assistant.
### Changed
- Settings schema now stores OpenAI configuration.
- Settings UI surfaces OpenAI fields for quick configuration.
### Added
- Introduces modular application structure with blueprints.
- Includes new models for database interaction.
- Adds initial superadmin bootstrapping on startup.
### Changed
- Migrates application logic to a new structure for better maintainability.
- Updates dependencies and configuration management.
- Improves release update badge to cache for 60 seconds.
### Removed
- Removes the monolithic application file in favor of blueprints.
### Added
- iTunes preview support as a fallback when YouTube fails.
### Changed
- Improved error handling and logging for LastFM and YouTube.
- Replaces YouTube API key check with optional key use.
- Refactors audio modal content update to handle multiple sources.
### Added
- New `layout.html` template to serve as the base for all pages.
- Blocks for topbar leading elements, actions, and extra scripts.
- Theme switch functionality to `layout.html`.
### Changed
- Moves base HTML structure from `base.html` to `layout.html`.
- Modifies `base.html` to extend `layout.html` and define specific content sections.
- Removes theme switch logic from `script.js` and integrates it into `layout.html`.
- Updates default image link placeholder.
### Removed
- Redundant theme switch logic in `script.js`.
### Fixed
- Incorrect cached theme switch behavior.
### Changed
- Improves theme persistence across sessions by prioritizing `theme_switch_position` and providing fallback mechanisms.
- Migrates common page elements into a base template for better structure.
### Removed
- Removes redundant navigation elements from individual templates.
### Fixed
- Corrects theme initialization logic for improved consistency.
### Added
- User authentication and role-based access control.
- User profile management.
- Admin interface for user management.
### Changed
- Requires login to access the application.
- Configuration settings are now accessible only to administrators.
### Security
- Implements password hashing for user accounts.
