- Add -pix_fmt yuv420p to multi_res_output.py libx264 path so browsers
can decode CPU-encoded segments (was producing yuv444p / High 4:4:4).
- Switch silent auth check and coop fragment middlewares from opt-out
blocklists to opt-in: only run for GET requests with Accept: text/html.
Prevents unnecessary nav-tree/auth-menu HTTP calls on every HLS segment,
IPFS proxy, and API request.
- Add opaque grant token verification to L1/L2 dependencies.
- Migrate client CLI to device authorization flow.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The server-to-server token exchange was hitting the external URL
(https://account.rose-ash.com/...) which can fail from inside Docker
due to DNS/hairpin NAT. Now uses INTERNAL_URL_ACCOUNT (already set in
both docker-compose files) for the POST. Adds logging at all three
failure points so silent redirects are diagnosable.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Existing sessions have email=None since the field was just added.
Username IS the email in Art-DAG (OAuth returns user.email as username).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
