From c9718c548345e954406af38a0628c2afa8286376 Mon Sep 17 00:00:00 2001
From: Emily Boudreaux <thomas@boudreauxmail.com>
Date: Fri, 20 Mar 2026 15:00:24 -0400
Subject: [PATCH] feat(main): main

---
 AGENTS.md                                     |   96 ++
 api/api.py                                    |    5 +
 api/routers/auth.py                           |  105 ++
 api/routers/backups.py                        |  156 +++
 api/routers/channel.py                        |   18 +-
 api/tests/test_auth.py                        |   53 +
 api/tests/test_backups.py                     |   82 ++
 core/apps.py                                  |   12 +
 core/management/commands/backup_now.py        |   12 +
 core/management/commands/run_backup_worker.py |   30 +
 core/migrations/0006_channel_requires_auth.py |   21 +
 core/migrations/0007_backupschedule.py        |   27 +
 core/models.py                                |   25 +
 core/scripts/__init__.py                      |    0
 core/scripts/make_user.py                     |   41 +
 core/services/backups.py                      |  227 ++++
 core/services/bootstrap.py                    |   92 ++
 docker-compose.yml                            |   15 +
 frontend/src/App.jsx                          |   97 +-
 frontend/src/AuthContext.jsx                  |   56 +
 frontend/src/api.js                           |   42 +
 frontend/src/components/AdminSetup.jsx        |   84 ++
 frontend/src/components/LoginModal.css        |  117 ++
 frontend/src/components/LoginModal.jsx        |   73 ++
 frontend/src/components/Settings.jsx          |  409 +++++--
 frontend/src/index.css                        | 1086 ++++++++++-------
 pyproject.toml                                |   10 +
 pytv/settings.py                              |   11 +
 tests/test_channel_auth.py                    |   68 ++
 uv.lock                                       |    2 +-
 30 files changed, 2513 insertions(+), 559 deletions(-)
 create mode 100644 AGENTS.md
 create mode 100644 api/routers/auth.py
 create mode 100644 api/routers/backups.py
 create mode 100644 api/tests/test_auth.py
 create mode 100644 api/tests/test_backups.py
 create mode 100644 core/management/commands/backup_now.py
 create mode 100644 core/management/commands/run_backup_worker.py
 create mode 100644 core/migrations/0006_channel_requires_auth.py
 create mode 100644 core/migrations/0007_backupschedule.py
 create mode 100644 core/scripts/__init__.py
 create mode 100644 core/scripts/make_user.py
 create mode 100644 core/services/backups.py
 create mode 100644 core/services/bootstrap.py
 create mode 100644 frontend/src/AuthContext.jsx
 create mode 100644 frontend/src/components/AdminSetup.jsx
 create mode 100644 frontend/src/components/LoginModal.css
 create mode 100644 frontend/src/components/LoginModal.jsx
 create mode 100644 tests/test_channel_auth.py

diff --git a/AGENTS.md b/AGENTS.md
new file mode 100644
index 0000000..41a905c
--- /dev/null
+++ b/AGENTS.md
@@ -0,0 +1,96 @@
+# AGENTS.md
+
+## What this project is
+- PYTV is a Django + Django-Ninja backend (`core/`, `api/`, `pytv/`) with a React/Vite frontend (`frontend/`) for a "cable TV" style experience.
+- Core domain model is in `core/models.py`: `Channel`, `ScheduleTemplate`/`ScheduleBlock`, `Airing`, `MediaSource`, `MediaItem`.
+- API entrypoint is `api/api.py`; all HTTP API routes are mounted under `/api/` in `pytv/urls.py`.
+
+## Architecture and data flow to understand first
+- Schedule generation: `api/routers/schedule.py` -> `core/services/scheduler.py` (`ScheduleGenerator.generate_for_date`) -> creates `Airing` rows.
+- Playback signaling: `api/routers/channel.py` (`/channel/{id}/now`, `/airings`) computes `exact_playback_offset_seconds` for frontend sync.
+- Media caching pipeline for YouTube sources:
+  - metadata sync only: `core/services/youtube.py::sync_source`
+  - just-in-time download: `core/services/cache.py::run_cache` + `youtube.download_for_airing`
+  - emergency replacement (<1h before air with no cache): `ScheduleGenerator.replace_undownloaded_airings`.
+- Local media serving in dev uses range-aware endpoint `api/views.py::serve_video_with_range` mounted at `/media/*` when `DEBUG=True`.
+
+## Backend conventions (project-specific)
+- API style: Django Ninja `Schema`/Pydantic payloads in routers under `api/routers/`.
+- Auth pattern: session auth + CSRF cookie (`api/routers/auth.py`); frontend sends `withCredentials` and `X-CSRFToken` (`frontend/src/api.js`).
+- Session persistence is settings-driven; use `SESSION_COOKIE_AGE`/`SESSION_EXPIRE_AT_BROWSER_CLOSE` in `pytv/settings.py` (do not hardcode lifetimes in routers/frontend).
+- `Channel.requires_auth` is actively enforced in channel endpoints (`/now`, `/airings`, `/status`).
+- Source-rule behavior is business-critical: `allow/prefer/avoid/block` weighting in `core/services/scheduler.py` (not just CRUD metadata).
+- In `api/routers/sources.py`, literal routes (e.g. `/cache-upcoming`) must stay before parameterized routes (explicitly documented in file).
+
+## Frontend/backend integration points
+- Frontend API client is centralized in `frontend/src/api.js` (do not scatter fetch logic).
+- Dev proxy is configured in `frontend/vite.config.js` for both `/api` and `/media` to `http://localhost:8000`.
+- Channel playback UX depends on `frontend/src/components/ChannelTuner.jsx` triple-buffer behavior and backend-provided offset.
+
+## Developer workflows (discovered commands)
+```bash
+# Local backend (from repo root)
+python manage.py migrate
+python manage.py runserver 0.0.0.0:8000
+python manage.py seed
+python manage.py cache_upcoming --hours 24
+python manage.py run_cache_worker --interval 600 --hours 24
+python manage.py backup_now
+python manage.py run_backup_worker --interval 60
+python manage.py state --channel <id> --test-generate
+
+# Tests (pytest configured via pytest.ini)
+pytest
+
+# Frontend (from frontend/)
+npm install
+npm run dev
+npm run build
+npm run lint
+
+# Docker stack (repo root)
+docker compose up --build
+
+# Docker migrations (ALWAYS run inside the web container)
+docker compose exec web python manage.py migrate
+
+# Local DB reset (admin/dev only, destructive)
+docker compose exec web python manage.py flush --no-input
+docker compose exec web python manage.py migrate
+
+# Optional: reseed mock data after reset
+docker compose exec web python manage.py seed
+
+# Optional: run tests in the same containerized environment
+docker compose exec web pytest
+```
+
+## Agent execution safety rails
+- In this repo, assume the user controls long-running processes. Do not start/stop `docker compose up`, Django dev server, or Vite dev server unless explicitly asked.
+- Prefer read-only investigation first (`read_file`, targeted tests) before broad edits.
+- Keep business logic in `core/services/`; routers should remain thin orchestration/API layers.
+- Preserve public API shapes used by frontend (`frontend/src/api.js`) unless the task explicitly includes coordinated frontend updates.
+- Do not reorder literal and parameterized source routes in `api/routers/sources.py` in a way that changes URL matching behavior.
+- Treat `cached_file_path` and `/media/...` URL behavior as compatibility-sensitive; verify signaling paths when changing cache/playback logic.
+- Backups are compatibility-sensitive and stored at fixed path `/Backups`; do not add user-configurable backup destination paths.
+
+## Containerized dev/test expectations
+- The user runs Docker and dev servers; agents should not spin them up by default.
+- If a schema change is introduced, run migrations via container exec, not host Python:
+  - `docker compose exec web python manage.py makemigrations`
+  - `docker compose exec web python manage.py migrate`
+- Prefer running validation commands inside `web` for parity with runtime dependencies (yt-dlp/node/ffprobe path assumptions).
+- When sharing run steps in PR notes, provide container commands first, then local equivalents as secondary options.
+
+## Testing map and where to extend
+- API router tests: `api/tests/test_*.py`.
+- End-to-end domain behavior tests: `tests/test_channel_actions.py`, `tests/test_source_rules.py`, `tests/test_playback_sync.py`, `tests/test_channel_auth.py`.
+- If changing scheduler/cache/youtube logic, update both API-level tests and service-behavior tests.
+
+## Practical guardrails for AI agents
+- Prefer editing service-layer logic in `core/services/` over embedding business rules in routers.
+- Preserve idempotent schedule generation semantics (`generate_for_date` clears/rebuilds block window airings).
+- Keep `MediaItem.cached_file_path` semantics intact: frontend playback and cache status depend on it.
+- Validate cross-layer changes by exercising both API endpoints and frontend assumptions around `/media/...` URLs.
+
+
diff --git a/api/api.py b/api/api.py
index 1dbdb20..6905766 100644
--- a/api/api.py
+++ b/api/api.py
@@ -7,6 +7,8 @@ from api.routers.channel import router as channel_router
 from api.routers.schedule import router as schedule_router
 from api.routers.user import router as user_router
 from api.routers.sources import router as sources_router
+from api.routers.auth import router as auth_router
+from api.routers.backups import router as backups_router
 
 api.add_router("/library/", library_router)
 api.add_router("/collections/", collections_router)
@@ -14,3 +16,6 @@ api.add_router("/channel/", channel_router)
 api.add_router("/schedule/", schedule_router)
 api.add_router("/user/", user_router)
 api.add_router("/sources/", sources_router)
+api.add_router("/auth/", auth_router)
+api.add_router("/backups/", backups_router)
+
diff --git a/api/routers/auth.py b/api/routers/auth.py
new file mode 100644
index 0000000..7262eff
--- /dev/null
+++ b/api/routers/auth.py
@@ -0,0 +1,105 @@
+from ninja import Router, Schema
+from django.contrib.auth import authenticate, login, logout
+from django.http import JsonResponse
+from django.conf import settings
+from ninja.errors import HttpError
+from pydantic import BaseModel
+from core.models import AppUser
+
+router = Router(tags=["auth"])
+
+class LoginSchema(Schema):
+    username: str
+    password: str
+
+class UserSchema(Schema):
+    id: int
+    username: str
+    email: str
+    is_staff: bool
+    is_superuser: bool
+
+class SetupSchema(Schema):
+    username: str
+    password: str
+    email: str
+
+@router.get("/has-users")
+def check_has_users(request):
+    """Returns True if any users exist in the database."""
+    return {"has_users": AppUser.objects.exists()}
+
+@router.post("/setup")
+def setup_admin(request, payload: SetupSchema):
+    """Allows creating a superuser if and only if the database is entirely empty."""
+    if AppUser.objects.exists():
+        raise HttpError(403, "Database already has users. Cannot run initial setup.")
+    
+    user = AppUser.objects.create_superuser(
+        username=payload.username,
+        email=payload.email,
+        password=payload.password
+    )
+
+    # Bootstrap a default library now that the first user exists.
+    from core.services.bootstrap import ensure_default_library
+    ensure_default_library()
+
+    # Log them in automatically
+    user = authenticate(request, username=payload.username, password=payload.password)
+    login(request, user)
+    request.session.set_expiry(settings.SESSION_COOKIE_AGE)
+
+    from django.middleware.csrf import get_token
+    csrf_token = get_token(request)
+    
+    return {
+        "success": True,
+        "user": {
+            "id": user.id,
+            "username": user.username,
+            "email": user.email,
+            "is_staff": user.is_staff,
+            "is_superuser": user.is_superuser
+        },
+        "csrf_token": csrf_token
+    }
+
+@router.post("/login")
+def auth_login(request, payload: LoginSchema):
+    # Passwords in django are already PBKDF2 hashed and verified through `authenticate`
+    user = authenticate(request, username=payload.username, password=payload.password)
+    
+    if user is not None:
+        login(request, user)
+        request.session.set_expiry(settings.SESSION_COOKIE_AGE)
+        # We also need to get the CSRF token to be placed in the cookie so the frontend can send it back natively.
+        from django.middleware.csrf import get_token
+        csrf_token = get_token(request)
+        return {
+            "success": True,
+            "user": {
+                "id": user.id,
+                "username": user.username,
+                "email": user.email,
+                "is_staff": user.is_staff,
+                "is_superuser": user.is_superuser
+            },
+            "csrf_token": csrf_token
+        }
+    else:
+        raise HttpError(401, "Invalid username or password")
+
+@router.post("/logout")
+def auth_logout(request):
+    logout(request)
+    resp = JsonResponse({"success": True})
+    resp.delete_cookie(settings.SESSION_COOKIE_NAME, path='/')
+    return resp
+
+@router.get("/me", response=UserSchema)
+def auth_me(request):
+    if request.user.is_authenticated:
+        return request.user
+    else:
+        raise HttpError(401, "Not authenticated")
diff --git a/api/routers/backups.py b/api/routers/backups.py
new file mode 100644
index 0000000..de4056e
--- /dev/null
+++ b/api/routers/backups.py
@@ -0,0 +1,156 @@
+from datetime import datetime
+
+from django.http import FileResponse
+from ninja import File, Router, Schema
+from ninja.errors import HttpError
+from ninja.files import UploadedFile
+
+from core.models import BackupSchedule
+from core.services.backups import (
+    compute_next_run,
+    create_backup_now,
+    get_backup_file,
+    import_backup_content,
+    is_backup_due,
+    list_backups,
+)
+
+router = Router(tags=["backups"])
+
+
+class BackupScheduleSchema(Schema):
+    enabled: bool
+    frequency: str
+    minute: int
+    hour: int
+    day_of_week: int
+    day_of_month: int
+    retention_count: int
+    last_run_at: datetime | None = None
+    next_run_at: datetime | None = None
+
+
+class BackupScheduleUpdateSchema(Schema):
+    enabled: bool
+    frequency: str
+    minute: int = 0
+    hour: int = 2
+    day_of_week: int = 0
+    day_of_month: int = 1
+    retention_count: int = 14
+
+
+class BackupFileSchema(Schema):
+    filename: str
+    size_bytes: int
+    created_at: str
+
+
+def _require_admin(request):
+    if not request.user.is_authenticated:
+        raise HttpError(401, "Authentication required.")
+    if not request.user.is_staff:
+        raise HttpError(403, "Admin permissions required.")
+
+
+@router.get("/settings", response=BackupScheduleSchema)
+def get_backup_schedule(request):
+    _require_admin(request)
+    schedule = BackupSchedule.get_solo()
+    return {
+        "enabled": schedule.enabled,
+        "frequency": schedule.frequency,
+        "minute": schedule.minute,
+        "hour": schedule.hour,
+        "day_of_week": schedule.day_of_week,
+        "day_of_month": schedule.day_of_month,
+        "retention_count": schedule.retention_count,
+        "last_run_at": schedule.last_run_at,
+        "next_run_at": compute_next_run(schedule),
+    }
+
+
+@router.put("/settings", response=BackupScheduleSchema)
+def update_backup_schedule(request, payload: BackupScheduleUpdateSchema):
+    _require_admin(request)
+    if payload.frequency not in BackupSchedule.Frequency.values:
+        raise HttpError(400, "Invalid frequency")
+    if not 0 <= payload.minute <= 59:
+        raise HttpError(400, "minute must be 0..59")
+    if not 0 <= payload.hour <= 23:
+        raise HttpError(400, "hour must be 0..23")
+    if not 0 <= payload.day_of_week <= 6:
+        raise HttpError(400, "day_of_week must be 0..6")
+    if not 1 <= payload.day_of_month <= 28:
+        raise HttpError(400, "day_of_month must be 1..28")
+    if payload.retention_count < 1:
+        raise HttpError(400, "retention_count must be >= 1")
+
+    schedule = BackupSchedule.get_solo()
+    for attr, value in payload.dict().items():
+        setattr(schedule, attr, value)
+    schedule.save()
+
+    return {
+        "enabled": schedule.enabled,
+        "frequency": schedule.frequency,
+        "minute": schedule.minute,
+        "hour": schedule.hour,
+        "day_of_week": schedule.day_of_week,
+        "day_of_month": schedule.day_of_month,
+        "retention_count": schedule.retention_count,
+        "last_run_at": schedule.last_run_at,
+        "next_run_at": compute_next_run(schedule),
+    }
+
+
+@router.post("/run")
+def run_backup_now(request):
+    _require_admin(request)
+    path = create_backup_now()
+    return {"status": "ok", "filename": path.name}
+
+
+@router.get("/", response=list[BackupFileSchema])
+def get_backups(request):
+    _require_admin(request)
+    return [x.__dict__ for x in list_backups()]
+
+
+@router.get("/{filename}/download")
+def download_backup(request, filename: str):
+    _require_admin(request)
+    try:
+        target = get_backup_file(filename)
+    except FileNotFoundError:
+        raise HttpError(404, "Backup not found")
+
+    response = FileResponse(open(target, "rb"), content_type="application/json")
+    response["Content-Disposition"] = f'attachment; filename="{target.name}"'
+    return response
+
+
+@router.post("/import")
+def import_backup(request, file: UploadedFile = File(...), mode: str = "append"):
+    _require_admin(request)
+    if mode not in {"append", "override"}:
+        raise HttpError(400, "mode must be append or override")
+
+    content = file.read().decode("utf-8")
+    try:
+        result = import_backup_content(content, mode=mode)
+    except ValueError as exc:
+        raise HttpError(400, str(exc))
+
+    return {"status": "ok", **result}
+
+
+@router.post("/run-if-due")
+def run_if_due(request):
+    _require_admin(request)
+    schedule = BackupSchedule.get_solo()
+    if not is_backup_due(schedule):
+        return {"status": "skipped"}
+    path = create_backup_now()
+    return {"status": "ok", "filename": path.name}
+
diff --git a/api/routers/channel.py b/api/routers/channel.py
index cd4580d..18fd650 100644
--- a/api/routers/channel.py
+++ b/api/routers/channel.py
@@ -17,6 +17,7 @@ class ChannelSchema(Schema):
     library_id: int
     owner_user_id: int
     fallback_collection_id: Optional[int] = None
+    requires_auth: bool
 
 class ChannelCreateSchema(Schema):
     name: str
@@ -26,6 +27,7 @@ class ChannelCreateSchema(Schema):
     library_id: int
     owner_user_id: int # Mock Auth User
     fallback_collection_id: Optional[int] = None
+    requires_auth: bool = False
 
 class ChannelUpdateSchema(Schema):
     name: Optional[str] = None
@@ -35,6 +37,7 @@ class ChannelUpdateSchema(Schema):
     visibility: Optional[str] = None
     is_active: Optional[bool] = None
     fallback_collection_id: Optional[int] = None
+    requires_auth: Optional[bool] = None
 
 class ChannelSourceRuleSchema(Schema):
     id: int
@@ -135,6 +138,10 @@ class ChannelStatusSchema(Schema):
 @router.get("/{channel_id}/status", response=ChannelStatusSchema)
 def get_channel_status(request, channel_id: int):
     channel = get_object_or_404(Channel, id=channel_id)
+    if channel.requires_auth and not request.user.is_authenticated:
+        from ninja.errors import HttpError
+        raise HttpError(401, "Authentication required for this channel.")
+        
     now = timezone.now()
     window_end = now + timedelta(hours=24)
     
@@ -196,7 +203,8 @@ def create_channel(request, payload: ChannelCreateSchema):
         slug=payload.slug,
         channel_number=payload.channel_number,
         description=payload.description,
-        fallback_collection_id=payload.fallback_collection_id
+        fallback_collection_id=payload.fallback_collection_id,
+        requires_auth=payload.requires_auth
     )
     return 201, channel
 
@@ -260,6 +268,10 @@ def remove_source_from_channel(request, channel_id: int, rule_id: int):
 def channel_now_playing(request, channel_id: int):
     """Return the Airing currently on-air for this channel, or null."""
     channel = get_object_or_404(Channel, id=channel_id)
+    if channel.requires_auth and not request.user.is_authenticated:
+        from ninja.errors import HttpError
+        raise HttpError(401, "Authentication required for this channel.")
+        
     # Using a 1-second buffer to handle boundary conditions smoothly
     now = timezone.now()
     airing = (
@@ -279,6 +291,10 @@ def channel_airings(request, channel_id: int, hours: int = 4):
     [now - 2 hours, now + {hours} hours]
     """
     channel = get_object_or_404(Channel, id=channel_id)
+    if channel.requires_auth and not request.user.is_authenticated:
+        from ninja.errors import HttpError
+        raise HttpError(401, "Authentication required for this channel.")
+
     now = timezone.now()
     window_start = now - timedelta(hours=2) # Look back 2h for context
     window_end = now + timedelta(hours=hours)
diff --git a/api/tests/test_auth.py b/api/tests/test_auth.py
new file mode 100644
index 0000000..54c16e5
--- /dev/null
+++ b/api/tests/test_auth.py
@@ -0,0 +1,53 @@
+import json
+
+import pytest
+
+from core.models import AppUser
+
+
+@pytest.mark.django_db
+def test_login_sets_bounded_session_expiry(client, settings):
+    settings.SESSION_COOKIE_AGE = 3600
+
+    AppUser.objects.create_user(
+        username="auth_user",
+        email="auth@example.com",
+        password="secret-pass-123",
+    )
+
+    response = client.post(
+        "/api/auth/login",
+        data=json.dumps({"username": "auth_user", "password": "secret-pass-123"}),
+        content_type="application/json",
+    )
+
+    assert response.status_code == 200
+    assert response.json()["success"] is True
+
+    # Session should be persisted, but bounded to SESSION_COOKIE_AGE.
+    assert 0 < client.session.get_expiry_age() <= settings.SESSION_COOKIE_AGE
+
+
+@pytest.mark.django_db
+def test_logout_forces_session_logout(client):
+    AppUser.objects.create_user(
+        username="logout_user",
+        email="logout@example.com",
+        password="secret-pass-123",
+    )
+
+    login_response = client.post(
+        "/api/auth/login",
+        data=json.dumps({"username": "logout_user", "password": "secret-pass-123"}),
+        content_type="application/json",
+    )
+    assert login_response.status_code == 200
+
+    assert client.get("/api/auth/me").status_code == 200
+
+    logout_response = client.post("/api/auth/logout")
+    assert logout_response.status_code == 200
+
+    # Session is no longer authenticated after explicit logout.
+    assert client.get("/api/auth/me").status_code == 401
+
diff --git a/api/tests/test_backups.py b/api/tests/test_backups.py
new file mode 100644
index 0000000..0be61e6
--- /dev/null
+++ b/api/tests/test_backups.py
@@ -0,0 +1,82 @@
+import json
+from pathlib import Path
+
+import pytest
+
+from core.models import AppUser, BackupSchedule, Library, MediaSource, MediaItem
+
+
+@pytest.fixture
+def admin_user(db):
+    return AppUser.objects.create_superuser("backup_admin", "backup@example.com", "secret-pass-123")
+
+
+@pytest.mark.django_db
+def test_backup_schedule_requires_admin(client):
+    response = client.get("/api/backups/settings")
+    assert response.status_code == 401
+
+
+@pytest.mark.django_db
+def test_backup_schedule_get_and_update(client, admin_user):
+    client.login(username="backup_admin", password="secret-pass-123")
+
+    response = client.get("/api/backups/settings")
+    assert response.status_code == 200
+
+    payload = {
+        "enabled": True,
+        "frequency": "weekly",
+        "minute": 30,
+        "hour": 3,
+        "day_of_week": 6,
+        "day_of_month": 1,
+        "retention_count": 5,
+    }
+    update = client.put(
+        "/api/backups/settings",
+        data=json.dumps(payload),
+        content_type="application/json",
+    )
+    assert update.status_code == 200
+
+    schedule = BackupSchedule.get_solo()
+    assert schedule.enabled is True
+    assert schedule.frequency == "weekly"
+    assert schedule.retention_count == 5
+
+
+@pytest.mark.django_db
+def test_backup_now_writes_json_and_strips_cached_paths(client, admin_user, settings, tmp_path):
+    settings.BACKUP_ROOT = str(tmp_path)
+    client.login(username="backup_admin", password="secret-pass-123")
+
+    library = Library.objects.create(owner_user=admin_user, name="Backup Lib")
+    source = MediaSource.objects.create(
+        library=library,
+        name="YT",
+        source_type="youtube_playlist",
+        uri="https://example.com/list",
+    )
+    MediaItem.objects.create(
+        media_source=source,
+        title="Cached Item",
+        item_kind="movie",
+        runtime_seconds=60,
+        file_path="https://youtube.com/watch?v=abc",
+        cached_file_path="/tmp/pytv_cache/abc.mp4",
+    )
+
+    resp = client.post("/api/backups/run")
+    assert resp.status_code == 200
+    filename = resp.json()["filename"]
+
+    backup_path = Path(settings.BACKUP_ROOT) / filename
+    assert backup_path.exists()
+
+    payload = json.loads(backup_path.read_text(encoding="utf-8"))
+    media_entries = [x for x in payload["items"] if x["model"] == "core.mediaitem"]
+    assert media_entries
+    assert media_entries[0]["fields"]["cached_file_path"] is None
+
+
diff --git a/core/apps.py b/core/apps.py
index 5ef1d60..9fcaea8 100644
--- a/core/apps.py
+++ b/core/apps.py
@@ -3,3 +3,15 @@ from django.apps import AppConfig
 
 class CoreConfig(AppConfig):
     name = "core"
+
+    def ready(self):
+        from django.db.models.signals import post_migrate
+        from django.core.signals import request_started
+        from core.services.bootstrap import _on_post_migrate, _on_first_request
+
+        # After every `manage.py migrate` run.
+        post_migrate.connect(_on_post_migrate, sender=self)
+
+        # On every server start, run the check lazily on the first incoming
+        # request so the DB is guaranteed to be ready (avoids RuntimeWarning).
+        request_started.connect(_on_first_request)
diff --git a/core/management/commands/backup_now.py b/core/management/commands/backup_now.py
new file mode 100644
index 0000000..80db177
--- /dev/null
+++ b/core/management/commands/backup_now.py
@@ -0,0 +1,12 @@
+from django.core.management.base import BaseCommand
+
+from core.services.backups import create_backup_now
+
+
+class Command(BaseCommand):
+    help = "Create a backup JSON under /Backups immediately."
+
+    def handle(self, *args, **options):
+        path = create_backup_now()
+        self.stdout.write(self.style.SUCCESS(f"Backup created: {path}"))
+
diff --git a/core/management/commands/run_backup_worker.py b/core/management/commands/run_backup_worker.py
new file mode 100644
index 0000000..347c702
--- /dev/null
+++ b/core/management/commands/run_backup_worker.py
@@ -0,0 +1,30 @@
+import time
+
+from django.core.management.base import BaseCommand
+
+from core.models import BackupSchedule
+from core.services.backups import create_backup_now, is_backup_due
+
+
+class Command(BaseCommand):
+    help = "Continuously check backup schedule and run backups when due."
+
+    def add_arguments(self, parser):
+        parser.add_argument(
+            "--interval",
+            type=int,
+            default=60,
+            help="Polling interval in seconds (default: 60).",
+        )
+
+    def handle(self, *args, **options):
+        interval = options["interval"]
+        self.stdout.write(self.style.SUCCESS(f"Starting backup worker (interval={interval}s)"))
+
+        while True:
+            schedule = BackupSchedule.get_solo()
+            if schedule.enabled and is_backup_due(schedule):
+                path = create_backup_now()
+                self.stdout.write(self.style.SUCCESS(f"Backup created: {path.name}"))
+            time.sleep(interval)
+
diff --git a/core/migrations/0006_channel_requires_auth.py b/core/migrations/0006_channel_requires_auth.py
new file mode 100644
index 0000000..cad9944
--- /dev/null
+++ b/core/migrations/0006_channel_requires_auth.py
@@ -0,0 +1,21 @@
+# Generated by Django 6.0.3 on 2026-03-10 12:44
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("core", "0005_mediasource_max_age_days_and_more"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="channel",
+            name="requires_auth",
+            field=models.BooleanField(
+                default=False,
+                help_text="If True, only signed-in users can stream or fetch schedules for this channel.",
+            ),
+        ),
+    ]
diff --git a/core/migrations/0007_backupschedule.py b/core/migrations/0007_backupschedule.py
new file mode 100644
index 0000000..78f3d69
--- /dev/null
+++ b/core/migrations/0007_backupschedule.py
@@ -0,0 +1,27 @@
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('core', '0006_channel_requires_auth'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='BackupSchedule',
+            fields=[
+                ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('enabled', models.BooleanField(default=False)),
+                ('frequency', models.CharField(choices=[('hourly', 'Hourly'), ('daily', 'Daily'), ('weekly', 'Weekly'), ('monthly', 'Monthly')], default='daily', max_length=16)),
+                ('minute', models.PositiveSmallIntegerField(default=0)),
+                ('hour', models.PositiveSmallIntegerField(default=2)),
+                ('day_of_week', models.PositiveSmallIntegerField(default=0)),
+                ('day_of_month', models.PositiveSmallIntegerField(default=1)),
+                ('retention_count', models.PositiveIntegerField(default=14)),
+                ('last_run_at', models.DateTimeField(blank=True, null=True)),
+                ('updated_at', models.DateTimeField(auto_now=True)),
+            ],
+        ),
+    ]
+
diff --git a/core/models.py b/core/models.py
index a529c04..223c326 100644
--- a/core/models.py
+++ b/core/models.py
@@ -231,6 +231,7 @@ class Channel(models.Model):
         
     scheduling_mode = models.CharField(max_length=24, choices=SchedulingMode.choices, default=SchedulingMode.TEMPLATE_DRIVEN)
     is_active = models.BooleanField(default=True)
+    requires_auth = models.BooleanField(default=False, help_text="If True, only signed-in users can stream or fetch schedules for this channel.")
     created_at = models.DateTimeField(auto_now_add=True)
     updated_at = models.DateTimeField(auto_now=True)
 
@@ -514,3 +515,27 @@ class MediaResumePoint(models.Model):
         constraints = [
             models.UniqueConstraint(fields=['user', 'media_item'], name='unique_media_resume_point')
         ]
+
+
+class BackupSchedule(models.Model):
+    class Frequency(models.TextChoices):
+        HOURLY = 'hourly', 'Hourly'
+        DAILY = 'daily', 'Daily'
+        WEEKLY = 'weekly', 'Weekly'
+        MONTHLY = 'monthly', 'Monthly'
+
+    enabled = models.BooleanField(default=False)
+    frequency = models.CharField(max_length=16, choices=Frequency.choices, default=Frequency.DAILY)
+    minute = models.PositiveSmallIntegerField(default=0)
+    hour = models.PositiveSmallIntegerField(default=2)
+    day_of_week = models.PositiveSmallIntegerField(default=0)  # 0=Mon
+    day_of_month = models.PositiveSmallIntegerField(default=1)
+    retention_count = models.PositiveIntegerField(default=14)
+    last_run_at = models.DateTimeField(blank=True, null=True)
+    updated_at = models.DateTimeField(auto_now=True)
+
+    @classmethod
+    def get_solo(cls):
+        obj, _ = cls.objects.get_or_create(id=1)
+        return obj
+
diff --git a/core/scripts/__init__.py b/core/scripts/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/core/scripts/make_user.py b/core/scripts/make_user.py
new file mode 100644
index 0000000..530ad34
--- /dev/null
+++ b/core/scripts/make_user.py
@@ -0,0 +1,41 @@
+import os
+import sys
+import django
+from getpass import getpass
+
+def main():
+    os.environ.setdefault("DJANGO_SETTINGS_MODULE", "pytv.settings")
+    django.setup()
+    
+    from core.models import AppUser
+
+    print("--- Create PYTV User ---")
+    try:
+        username = input("Username: ").strip()
+        if not username:
+            print("Username is required!")
+            sys.exit(1)
+            
+        email = input("Email: ").strip()
+        password = getpass("Password: ")
+        
+        is_admin_str = input("Is Admin? (y/N): ").strip().lower()
+        is_admin = is_admin_str in ['y', 'yes']
+
+        if AppUser.objects.filter(username=username).exists():
+            print(f"User '{username}' already exists!")
+            sys.exit(1)
+
+        if is_admin:
+            AppUser.objects.create_superuser(username=username, email=email, password=password)
+            print(f"Superuser '{username}' created successfully!")
+        else:
+            AppUser.objects.create_user(username=username, email=email, password=password)
+            print(f"User '{username}' created successfully!")
+            
+    except KeyboardInterrupt:
+        print("\nOperation cancelled.")
+        sys.exit(0)
+
+if __name__ == "__main__":
+    main()
diff --git a/core/services/backups.py b/core/services/backups.py
new file mode 100644
index 0000000..2463407
--- /dev/null
+++ b/core/services/backups.py
@@ -0,0 +1,227 @@
+import json
+import decimal
+import uuid
+from dataclasses import dataclass
+from datetime import datetime, date, time, timedelta, timezone as dt_timezone
+from pathlib import Path
+
+from django.apps import apps
+from django.conf import settings
+from django.core.management import call_command
+from django.core import serializers
+from django.db import connection
+from django.utils import timezone
+
+from core.models import BackupSchedule, MediaItem
+
+
+class _BackupJSONEncoder(json.JSONEncoder):
+    """Encode types that Django's Python serializer produces but stdlib json cannot handle."""
+
+    def default(self, obj):
+        if isinstance(obj, (datetime, date, time)):
+            return obj.isoformat()
+        if isinstance(obj, decimal.Decimal):
+            return float(obj)
+        if isinstance(obj, uuid.UUID):
+            return str(obj)
+        return super().default(obj)
+
+
+@dataclass
+class BackupFileInfo:
+    filename: str
+    size_bytes: int
+    created_at: str
+
+
+def get_backup_root() -> Path:
+    # Backups are always written under a fixed directory.
+    root = Path(getattr(settings, "BACKUP_ROOT", "/Backups"))
+    root.mkdir(parents=True, exist_ok=True)
+    return root
+
+
+def _export_payload() -> dict:
+    items = []
+    for model in apps.get_models():
+        if model._meta.label_lower == "sessions.session":
+            continue
+        queryset = model.objects.all().order_by("pk")
+        serialized = serializers.serialize("python", queryset)
+
+        # Strip cache-path metadata so backups stay DB-only and file-agnostic.
+        if model is MediaItem:
+            for item in serialized:
+                item["fields"]["cached_file_path"] = None
+                item["fields"]["cache_expires_at"] = None
+
+        items.extend(serialized)
+
+    return {
+        "version": 1,
+        "created_at": timezone.now().isoformat(),
+        "items": items,
+    }
+
+
+def create_backup_now() -> Path:
+    root = get_backup_root()
+    stamp = timezone.localtime().strftime("%Y%m%d_%H%M%S")
+    filename = f"pytv_backup_{stamp}.json"
+    path = root / filename
+
+    payload = _export_payload()
+    path.write_text(json.dumps(payload, indent=2, cls=_BackupJSONEncoder), encoding="utf-8")
+
+    schedule = BackupSchedule.get_solo()
+    schedule.last_run_at = timezone.now()
+    schedule.save(update_fields=["last_run_at"])
+    apply_retention(schedule.retention_count)
+    return path
+
+
+def list_backups() -> list[BackupFileInfo]:
+    root = get_backup_root()
+    files = sorted(root.glob("*.json"), key=lambda p: p.stat().st_mtime, reverse=True)
+    return [
+        BackupFileInfo(
+            filename=f.name,
+            size_bytes=f.stat().st_size,
+            created_at=datetime.fromtimestamp(f.stat().st_mtime, tz=dt_timezone.utc).isoformat(),
+        )
+        for f in files
+    ]
+
+
+def apply_retention(retention_count: int):
+    if retention_count <= 0:
+        return
+    files = list_backups()
+    to_delete = files[retention_count:]
+    root = get_backup_root()
+    for item in to_delete:
+        target = root / item.filename
+        if target.exists():
+            target.unlink()
+
+
+def get_backup_file(filename: str) -> Path:
+    root = get_backup_root().resolve()
+    target = (root / filename).resolve()
+    if not str(target).startswith(str(root)):
+        raise FileNotFoundError("Invalid backup path")
+    if not target.exists() or target.suffix.lower() != ".json":
+        raise FileNotFoundError("Backup not found")
+    return target
+
+
+def import_backup_content(content: str, mode: str = "append") -> dict:
+    if mode not in {"append", "override"}:
+        raise ValueError("mode must be 'append' or 'override'")
+
+    payload = json.loads(content)
+    items = payload.get("items") if isinstance(payload, dict) else None
+    if items is None:
+        raise ValueError("Invalid backup payload")
+
+    if mode == "override":
+        # Flush DB tables first (DB-only restore; does not touch media cache files).
+        call_command("flush", verbosity=0, interactive=False)
+
+    created = 0
+    updated = 0
+
+    serialized = json.dumps(items)
+    with connection.constraint_checks_disabled():
+        for deserialized in serializers.deserialize("json", serialized):
+            obj = deserialized.object
+            model = obj.__class__
+            existing = model.objects.filter(pk=obj.pk).first()
+            if existing is None:
+                deserialized.save()
+                created += 1
+                continue
+
+            if mode == "append":
+                for field in model._meta.local_fields:
+                    if field.primary_key:
+                        continue
+                    setattr(existing, field.name, getattr(obj, field.name))
+                existing.save()
+                for m2m_field, values in deserialized.m2m_data.items():
+                    getattr(existing, m2m_field).set(values)
+                updated += 1
+            else:
+                deserialized.save()
+                updated += 1
+
+    return {"created": created, "updated": updated, "mode": mode}
+
+
+def compute_next_run(schedule: BackupSchedule, now=None):
+    now = now or timezone.now()
+
+    if not schedule.enabled:
+        return None
+
+    if schedule.frequency == BackupSchedule.Frequency.HOURLY:
+        candidate = now.replace(second=0, microsecond=0, minute=schedule.minute)
+        if candidate <= now:
+            candidate += timedelta(hours=1)
+        return candidate
+
+    candidate = now.replace(second=0, microsecond=0, minute=schedule.minute, hour=schedule.hour)
+
+    if schedule.frequency == BackupSchedule.Frequency.DAILY:
+        if candidate <= now:
+            candidate += timedelta(days=1)
+        return candidate
+
+    if schedule.frequency == BackupSchedule.Frequency.WEEKLY:
+        target = schedule.day_of_week
+        delta = (target - candidate.weekday()) % 7
+        candidate += timedelta(days=delta)
+        if candidate <= now:
+            candidate += timedelta(days=7)
+        return candidate
+
+    # monthly
+    day = max(1, min(schedule.day_of_month, 28))
+    candidate = candidate.replace(day=day)
+    if candidate <= now:
+        month = candidate.month + 1
+        year = candidate.year
+        if month > 12:
+            month = 1
+            year += 1
+        candidate = candidate.replace(year=year, month=month, day=day)
+    return candidate
+
+
+def is_backup_due(schedule: BackupSchedule, now=None) -> bool:
+    now = now or timezone.now()
+    if not schedule.enabled:
+        return False
+
+    if schedule.last_run_at is None:
+        return True
+
+    if schedule.frequency == BackupSchedule.Frequency.HOURLY:
+        next_due = schedule.last_run_at + timedelta(hours=1)
+    elif schedule.frequency == BackupSchedule.Frequency.DAILY:
+        next_due = schedule.last_run_at + timedelta(days=1)
+    elif schedule.frequency == BackupSchedule.Frequency.WEEKLY:
+        next_due = schedule.last_run_at + timedelta(days=7)
+    else:
+        next_due = schedule.last_run_at + timedelta(days=28)
+
+    next_target = now.replace(second=0, microsecond=0)
+    if schedule.frequency != BackupSchedule.Frequency.HOURLY:
+        next_target = next_target.replace(hour=schedule.hour)
+    next_target = next_target.replace(minute=schedule.minute)
+
+    return now >= max(next_due, next_target)
+
+
+
diff --git a/core/services/bootstrap.py b/core/services/bootstrap.py
new file mode 100644
index 0000000..827fbce
--- /dev/null
+++ b/core/services/bootstrap.py
@@ -0,0 +1,92 @@
+"""
+Bootstrap service — idempotent startup initialisation.
+
+Ensures a default media library exists as soon as the first user is available.
+Called from three places:
+  1. AppConfig.ready()          – every server start (DB already populated)
+  2. post_migrate signal        – after `manage.py migrate` runs
+  3. auth.setup_admin endpoint  – immediately after the first user is created
+"""
+import logging
+
+logger = logging.getLogger(__name__)
+
+DEFAULT_LIBRARY_NAME = "Default Library"
+
+# One-shot flag: after the first request triggers the bootstrap, disconnect
+# the signal so we don't repeat the DB check on every subsequent request.
+_startup_bootstrap_done = False
+
+
+def ensure_default_library():
+    """
+    Create a default media library if none exists yet.
+
+    Idempotent — safe to call multiple times; does nothing when a library
+    already exists.  Returns the newly-created Library, or None if no action
+    was taken (either a library already exists, or no users exist yet to be
+    the owner).
+    """
+    from core.models import Library, AppUser
+
+    if Library.objects.exists():
+        return None  # Already bootstrapped
+
+    # Need an owner — prefer the first superuser, fall back to any user.
+    owner = (
+        AppUser.objects.filter(is_superuser=True).order_by("date_joined").first()
+        or AppUser.objects.order_by("date_joined").first()
+    )
+    if owner is None:
+        # No users yet — setup_admin will call us again once the first user exists.
+        logger.debug("ensure_default_library: no users yet, skipping.")
+        return None
+
+    library = Library.objects.create(
+        owner_user=owner,
+        name=DEFAULT_LIBRARY_NAME,
+        visibility="public",
+        description=(
+            "Default media library. "
+            "Add media sources here to start building your channels."
+        ),
+    )
+    logger.info(
+        "Bootstrap: created default library '%s' (id=%d) owned by '%s'.",
+        library.name,
+        library.id,
+        owner.username,
+    )
+    return library
+
+
+# ---------------------------------------------------------------------------
+# Signal handlers — wired up in CoreConfig.ready()
+# ---------------------------------------------------------------------------
+
+def _on_post_migrate(sender, **kwargs):
+    """Run bootstrap after every successful migration."""
+    try:
+        ensure_default_library()
+    except Exception as exc:  # pragma: no cover
+        logger.warning("ensure_default_library failed in post_migrate: %s", exc)
+
+
+def _on_first_request(sender, **kwargs):
+    """
+    One-shot: run bootstrap on the very first HTTP request after server start.
+    Disconnects itself immediately so subsequent requests pay zero overhead.
+    """
+    global _startup_bootstrap_done
+    if _startup_bootstrap_done:
+        return
+    _startup_bootstrap_done = True
+
+    from django.core.signals import request_started
+    request_started.disconnect(_on_first_request)
+
+    try:
+        ensure_default_library()
+    except Exception as exc:  # pragma: no cover
+        logger.warning("ensure_default_library failed on first request: %s", exc)
+
diff --git a/docker-compose.yml b/docker-compose.yml
index 50bfd13..a0aca5b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -19,6 +19,7 @@ services:
       - .:/app
       - ./mock:/mock
       - ./cache:/tmp/pytv_cache
+      - ./backups:/Backups
     ports:
       - "8000:8000"
     environment:
@@ -35,6 +36,20 @@ services:
       - .:/app
       - ./mock:/mock
       - ./cache:/tmp/pytv_cache
+      - ./backups:/Backups
+    environment:
+      - DEBUG=True
+      - SECRET_KEY=django-insecure-development-key-replace-in-production
+      - DATABASE_URL=postgres://pytv_user:pytv_password@db:5432/pytv_db
+    depends_on:
+      - db
+
+  backup_worker:
+    build: .
+    command: python manage.py run_backup_worker --interval 60
+    volumes:
+      - .:/app
+      - ./backups:/Backups
     environment:
       - DEBUG=True
       - SECRET_KEY=django-insecure-development-key-replace-in-production
diff --git a/frontend/src/App.jsx b/frontend/src/App.jsx
index d58c22a..f7ad5a6 100644
--- a/frontend/src/App.jsx
+++ b/frontend/src/App.jsx
@@ -2,31 +2,82 @@ import React, { useState } from 'react';
 import ChannelTuner from './components/ChannelTuner';
 import Guide from './components/Guide';
 import Settings from './components/Settings';
+import LoginModal from './components/LoginModal';
+import AdminSetup from './components/AdminSetup';
+import { AuthProvider, useAuth } from './AuthContext';
+import axios from 'axios';
 
-function App() {
+function MainApp() {
+  const { user, hasUsers, loading } = useAuth();
   const [showGuide, setShowGuide] = useState(false);
   const [showSettings, setShowSettings] = useState(false);
+  const [needsLogin, setNeedsLogin] = useState(false);
+
+  React.useEffect(() => {
+    // Intercept generic axios response to catch 401 globally if not handled locally
+    const interceptor = axios.interceptors.response.use(
+      response => response,
+      error => {
+        if (error.response?.status === 401) {
+          setNeedsLogin(true);
+        }
+        return Promise.reject(error);
+      }
+    );
+    return () => axios.interceptors.response.eject(interceptor);
+  }, []);
 
   React.useEffect(() => {
     const handleKey = (e) => {
-      // 'S' key opens settings (when nothing else is open)
-      if (e.key === 's' && !showGuide && !showSettings) {
-        setShowSettings(true);
+      if (loading) return;
+      const key = (e.key || '').toLowerCase();
+
+      // Never intercept keys while the user is typing in a form field.
+      const tag = document.activeElement?.tagName;
+      const isTyping = ['INPUT', 'TEXTAREA', 'SELECT'].includes(tag)
+        || document.activeElement?.isContentEditable;
+
+      // If Settings is open, Esc/Backspace should only close Settings —
+      // but only when the user is NOT typing in a field inside the modal.
+      if (showSettings && ['escape', 'backspace'].includes(key) && !isTyping) {
+        e.preventDefault();
+        setShowSettings(false);
+        return;
       }
-      // Escape/Backspace closes whatever is open
-      if (['Escape', 'Backspace'].includes(e.key)) {
+
+      // 'S' key opens settings (when nothing else is open and not typing)
+      if (key === 's' && !showGuide && !showSettings && !isTyping) {
+        e.preventDefault();
+        if (!user) {
+          setNeedsLogin(true);
+        } else {
+          setShowSettings(true);
+        }
+      }
+      // Escape/Backspace closes whatever is open (not while typing)
+      if (['escape', 'backspace'].includes(key) && !isTyping) {
+        e.preventDefault();
         setShowGuide(false);
         setShowSettings(false);
       }
     };
     window.addEventListener('keydown', handleKey);
     return () => window.removeEventListener('keydown', handleKey);
-  }, [showGuide, showSettings]);
+  }, [showGuide, showSettings, user, loading]);
 
   return (
     <>
       {/* ChannelTuner always stays mounted to preserve buffering */}
-      <ChannelTuner onOpenGuide={() => setShowGuide(!showGuide)} />
+      <ChannelTuner
+        onOpenGuide={() => {
+          // If Settings is open, Back/Escape should only close Settings.
+          if (showSettings) {
+            setShowSettings(false);
+            return;
+          }
+          setShowGuide(prev => !prev);
+        }}
+      />
 
       {showGuide && (
         <Guide
@@ -41,14 +92,40 @@ function App() {
       {!showGuide && !showSettings && (
         <button
           className="settings-gear-btn"
-          onClick={() => setShowSettings(true)}
-          title="Settings (S)"
+          onClick={() => {
+            if (loading) return;
+            if (!user) setNeedsLogin(true);
+            else setShowSettings(true);
+          }}
+          title={loading ? 'Checking session...' : 'Settings (S)'}
+          disabled={loading}
         >
           ⚙
         </button>
       )}
+      
+      
+      {!loading && needsLogin && hasUsers && (
+        <LoginModal 
+          onSuccess={() => {
+            setNeedsLogin(false);
+            setShowSettings(true); // auto-open settings after login
+          }} 
+          onClose={() => setNeedsLogin(false)}
+        />
+      )}
+
+      {!hasUsers && <AdminSetup />}
     </>
   );
 }
 
+function App() {
+  return (
+    <AuthProvider>
+      <MainApp />
+    </AuthProvider>
+  );
+}
+
 export default App;
diff --git a/frontend/src/AuthContext.jsx b/frontend/src/AuthContext.jsx
new file mode 100644
index 0000000..27a0d35
--- /dev/null
+++ b/frontend/src/AuthContext.jsx
@@ -0,0 +1,56 @@
+import React, { createContext, useContext, useState, useEffect } from 'react';
+import { fetchCurrentUser, loginUser, logoutUser, checkHasUsers } from './api';
+
+const AuthContext = createContext(null);
+
+export const AuthProvider = ({ children }) => {
+  const [user, setUser] = useState(null);
+  const [hasUsers, setHasUsers] = useState(true); // default true to avoid flashing setup screen
+  const [loading, setLoading] = useState(true);
+
+  // Checks on initial load if we have an active session cookie and if the database is empty
+  useEffect(() => {
+    Promise.all([
+      fetchCurrentUser().catch(err => {
+        if (err.response?.status !== 401) console.error("Auth check error:", err);
+        return null;
+      }),
+      checkHasUsers().catch(err => {
+        console.error("Failed to check has-users status", err);
+        return { has_users: true };
+      })
+    ]).then(([userData, hasUsersData]) => {
+      setUser(userData);
+      setHasUsers(hasUsersData.has_users);
+    }).finally(() => {
+      setLoading(false);
+    });
+  }, []);
+
+  const login = async (username, password) => {
+    const data = await loginUser(username, password);
+    if (data.success && data.user) {
+      setUser(data.user);
+      return data.user;
+    }
+    throw new Error("Invalid response from server");
+  };
+
+  const logout = async () => {
+    try {
+      await logoutUser();
+    } catch (e) {
+      console.error("Logout error", e);
+    } finally {
+      setUser(null);
+    }
+  };
+
+  return (
+    <AuthContext.Provider value={{ user, loading, hasUsers, setHasUsers, login, logout }}>
+      {children}
+    </AuthContext.Provider>
+  );
+};
+
+export const useAuth = () => useContext(AuthContext);
diff --git a/frontend/src/api.js b/frontend/src/api.js
index f3a7700..5d4ea82 100644
--- a/frontend/src/api.js
+++ b/frontend/src/api.js
@@ -3,6 +3,17 @@ import axios from 'axios';
 const apiClient = axios.create({
   baseURL: '/api',
   headers: { 'Content-Type': 'application/json' },
+  withCredentials: true // send session cookies securely
+});
+
+// CSRF wrapper for POST/PUT/PATCH/DELETE
+apiClient.interceptors.request.use(config => {
+  // Try to find the csrftoken cookie Django sets
+  const csrfCookie = document.cookie.split('; ').find(row => row.startsWith('csrftoken='));
+  if (csrfCookie) {
+    config.headers['X-CSRFToken'] = csrfCookie.split('=')[1];
+  }
+  return config;
 });
 
 // ── Channels ──────────────────────────────────────────────────────────────
@@ -11,6 +22,13 @@ export const createChannel = async (payload) => (await apiClient.post('/channel/
 export const updateChannel = async (id, payload) => (await apiClient.patch(`/channel/${id}`, payload)).data;
 export const deleteChannel = async (id) => { await apiClient.delete(`/channel/${id}`); };
 
+// ── Authentication ──────────────────────────────────────────────────────────
+export const checkHasUsers = async () => (await apiClient.get('/auth/has-users')).data;
+export const setupAdmin = async (payload) => (await apiClient.post('/auth/setup', payload)).data;
+export const loginUser = async (username, password) => (await apiClient.post('/auth/login', { username, password })).data;
+export const logoutUser = async () => (await apiClient.post('/auth/logout')).data;
+export const fetchCurrentUser = async () => (await apiClient.get('/auth/me')).data;
+
 // Channel program data
 export const fetchChannelNow = async (channelId) =>
   (await apiClient.get(`/channel/${channelId}/now`)).data;
@@ -77,3 +95,27 @@ export const fetchUsers = async () => (await apiClient.get('/user/')).data;
 export const createUser = async (payload) => (await apiClient.post('/user/', payload)).data;
 export const updateUser = async (id, payload) => (await apiClient.patch(`/user/${id}`, payload)).data;
 export const deleteUser = async (id) => { await apiClient.delete(`/user/${id}`); };
+
+// -- Backups ----------------------------------------------------------------
+export const fetchBackupSchedule = async () => (await apiClient.get('/backups/settings')).data;
+export const updateBackupSchedule = async (payload) => (await apiClient.put('/backups/settings', payload)).data;
+export const runBackupNow = async () => (await apiClient.post('/backups/run')).data;
+export const fetchBackups = async () => (await apiClient.get('/backups/')).data;
+
+export const downloadBackup = async (filename) => {
+  const response = await apiClient.get(`/backups/${encodeURIComponent(filename)}/download`, {
+    responseType: 'blob',
+  });
+  return response.data;
+};
+
+export const importBackup = async (file, mode = 'append') => {
+  const form = new FormData();
+  form.append('file', file);
+  return (
+    await apiClient.post(`/backups/import?mode=${mode}`, form, {
+      headers: { 'Content-Type': 'multipart/form-data' },
+    })
+  ).data;
+};
+
diff --git a/frontend/src/components/AdminSetup.jsx b/frontend/src/components/AdminSetup.jsx
new file mode 100644
index 0000000..b6833b6
--- /dev/null
+++ b/frontend/src/components/AdminSetup.jsx
@@ -0,0 +1,84 @@
+import React, { useState } from 'react';
+import { setupAdmin, loginUser } from '../api';
+import { useAuth } from '../AuthContext';
+import './LoginModal.css';
+
+const AdminSetup = () => {
+  const { setHasUsers, login } = useAuth();
+  const [username, setUsername] = useState('');
+  const [email, setEmail] = useState('');
+  const [password, setPassword] = useState('');
+  const [error, setError] = useState(null);
+  const [loading, setLoading] = useState(false);
+
+  const handleSubmit = async (e) => {
+    e.preventDefault();
+    setError(null);
+    setLoading(true);
+
+    try {
+      await setupAdmin({ username, email, password });
+      
+      // Auto-login after setup success (the backend already logs the session in,
+      // but fetchCurrentUser wasn't called. Setup router returns the user.)
+      // Alternatively, we can force a manual login to populate the frontend context.
+      await login(username, password);
+      
+      setHasUsers(true);
+    } catch (err) {
+      setError(err.response?.data?.detail || "Setup failed. The database might not be empty.");
+    } finally {
+      setLoading(false);
+    }
+  };
+
+  return (
+    <div className="login-modal-overlay">
+      <div className="login-modal">
+        <h2>Welcome to PYTV</h2>
+        <p className="login-description">No users exist in the database. Please create an administrator account to begin.</p>
+        
+        {error && <div className="login-error">{error}</div>}
+        
+        <form onSubmit={handleSubmit} className="login-form">
+          <label>
+            Admin Username
+            <input 
+              type="text" 
+              value={username} 
+              onChange={e => setUsername(e.target.value)} 
+              required 
+              autoFocus
+            />
+          </label>
+          <label>
+            Email
+            <input 
+              type="email" 
+              value={email} 
+              onChange={e => setEmail(e.target.value)} 
+              required 
+            />
+          </label>
+          <label>
+            Password
+            <input 
+              type="password" 
+              value={password} 
+              onChange={e => setPassword(e.target.value)} 
+              required 
+            />
+          </label>
+          
+          <div className="login-actions">
+            <button type="submit" className="btn-primary" disabled={loading}>
+              {loading ? 'Creating...' : 'Create Admin Account'}
+            </button>
+          </div>
+        </form>
+      </div>
+    </div>
+  );
+};
+
+export default AdminSetup;
diff --git a/frontend/src/components/LoginModal.css b/frontend/src/components/LoginModal.css
new file mode 100644
index 0000000..785cfc6
--- /dev/null
+++ b/frontend/src/components/LoginModal.css
@@ -0,0 +1,117 @@
+.login-modal-overlay {
+  position: fixed;
+  top: 0; left: 0; right: 0; bottom: 0;
+  background: rgba(0, 0, 0, 0.85);
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  z-index: 9999;
+  backdrop-filter: blur(4px);
+}
+
+.login-modal {
+  background: #1e1e24;
+  padding: 2rem;
+  border-radius: 12px;
+  width: 100%;
+  max-width: 400px;
+  box-shadow: 0 10px 40px rgba(0,0,0,0.5);
+  border: 1px solid rgba(255,255,255,0.1);
+  color: #fff;
+}
+
+.login-modal h2 {
+  margin-top: 0;
+  margin-bottom: 0.5rem;
+  font-size: 1.5rem;
+  text-align: center;
+}
+
+.login-description {
+  color: #a0a0b0;
+  font-size: 0.95rem;
+  text-align: center;
+  margin-bottom: 1.5rem;
+}
+
+.login-error {
+  background: rgba(255, 60, 60, 0.1);
+  color: #ff6b6b;
+  border: 1px solid rgba(255, 60, 60, 0.3);
+  padding: 0.75rem;
+  border-radius: 6px;
+  margin-bottom: 1.5rem;
+  font-size: 0.9rem;
+  text-align: center;
+}
+
+.login-form {
+  display: flex;
+  flex-direction: column;
+  gap: 1.25rem;
+}
+
+.login-form label {
+  display: flex;
+  flex-direction: column;
+  gap: 0.5rem;
+  font-size: 0.9rem;
+  font-weight: 500;
+  color: #e0e0e0;
+}
+
+.login-form input {
+  padding: 0.75rem;
+  border-radius: 6px;
+  border: 1px solid #333;
+  background: #111;
+  color: #fff;
+  font-size: 1rem;
+  transition: border-color 0.2s;
+}
+
+.login-form input:focus {
+  outline: none;
+  border-color: #4a90e2;
+}
+
+.login-actions {
+  display: flex;
+  justify-content: flex-end;
+  gap: 1rem;
+  margin-top: 1rem;
+}
+
+.login-actions button {
+  padding: 0.75rem 1.5rem;
+  border-radius: 6px;
+  font-size: 1rem;
+  font-weight: 600;
+  cursor: pointer;
+  border: none;
+  transition: all 0.2s;
+}
+
+.btn-cancel {
+  background: transparent;
+  color: #a0a0b0;
+}
+
+.btn-cancel:hover {
+  background: rgba(255,255,255,0.05);
+  color: #fff;
+}
+
+.btn-primary {
+  background: #4a90e2;
+  color: white;
+}
+
+.btn-primary:hover:not(:disabled) {
+  background: #357abd;
+}
+
+.btn-primary:disabled {
+  opacity: 0.7;
+  cursor: not-allowed;
+}
diff --git a/frontend/src/components/LoginModal.jsx b/frontend/src/components/LoginModal.jsx
new file mode 100644
index 0000000..ccd37be
--- /dev/null
+++ b/frontend/src/components/LoginModal.jsx
@@ -0,0 +1,73 @@
+import React, { useState } from 'react';
+import { useAuth } from '../AuthContext';
+import './LoginModal.css';
+
+const LoginModal = ({ onClose, onSuccess }) => {
+  const { login } = useAuth();
+  const [username, setUsername] = useState('');
+  const [password, setPassword] = useState('');
+  const [error, setError] = useState(null);
+  const [loading, setLoading] = useState(false);
+
+  const handleSubmit = async (e) => {
+    e.preventDefault();
+    setError(null);
+    setLoading(true);
+
+    try {
+      await login(username, password);
+      onSuccess?.();
+      onClose?.();
+    } catch (err) {
+      setError(err.response?.data?.detail || "Invalid credentials or network error");
+    } finally {
+      setLoading(false);
+    }
+  };
+
+  return (
+    <div className="login-modal-overlay">
+      <div className="login-modal">
+        <h2>Sign In Required</h2>
+        <p className="login-description">This channel requires authentication to stream.</p>
+        
+        {error && <div className="login-error">{error}</div>}
+        
+        <form onSubmit={handleSubmit} className="login-form">
+          <label>
+            Username
+            <input 
+              type="text" 
+              value={username} 
+              onChange={e => setUsername(e.target.value)} 
+              required 
+              autoFocus
+            />
+          </label>
+          <label>
+            Password
+            <input 
+              type="password" 
+              value={password} 
+              onChange={e => setPassword(e.target.value)} 
+              required 
+            />
+          </label>
+          
+          <div className="login-actions">
+            {onClose && (
+              <button type="button" onClick={onClose} className="btn-cancel">
+                Cancel
+              </button>
+            )}
+            <button type="submit" className="btn-primary" disabled={loading}>
+              {loading ? 'Signing In...' : 'Sign In'}
+            </button>
+          </div>
+        </form>
+      </div>
+    </div>
+  );
+};
+
+export default LoginModal;
diff --git a/frontend/src/components/Settings.jsx b/frontend/src/components/Settings.jsx
index a065168..c484586 100644
--- a/frontend/src/components/Settings.jsx
+++ b/frontend/src/components/Settings.jsx
@@ -9,23 +9,27 @@ import {
   fetchLibraries, fetchCollections,
   fetchDownloadStatus, triggerCacheUpcoming, downloadItem, fetchDownloadProgress,
   fetchChannelStatus, triggerChannelDownload,
+  fetchBackupSchedule, updateBackupSchedule, runBackupNow,
+  fetchBackups, downloadBackup, importBackup,
 } from '../api';
+import { useAuth } from '../AuthContext';
 
 // ─── Constants ────────────────────────────────────────────────────────────
 
 const TABS = [
-  { id: 'channels',  label: '📺 Channels' },
-  { id: 'sources',   label: '📡 Sources' },
-  { id: 'downloads', label: '⬇ Downloads' },
-  { id: 'schedule',  label: '📅 Scheduling' },
-  { id: 'users',     label: '👤 Users' },
+  { id: 'channels',  label: 'Channels' },
+  { id: 'sources',   label: 'Sources' },
+  { id: 'downloads', label: 'Downloads' },
+  { id: 'schedule',  label: 'Schedule' },
+  { id: 'backups',   label: 'Backups' },
+  { id: 'users',     label: 'Users' },
 ];
 
 const SOURCE_TYPE_OPTIONS = [
-  { value: 'youtube_channel',  label: '▶ YouTube Channel' },
-  { value: 'youtube_playlist', label: '▶ YouTube Playlist' },
-  { value: 'local_directory',  label: '📁 Local Directory' },
-  { value: 'stream',           label: '📡 Live Stream' },
+  { value: 'youtube_channel',  label: 'YouTube Channel' },
+  { value: 'youtube_playlist', label: 'YouTube Playlist' },
+  { value: 'local_directory',  label: 'Local Directory' },
+  { value: 'stream',           label: 'Live Stream' },
 ];
 
 const RULE_MODE_OPTIONS = [
@@ -167,7 +171,7 @@ function ChannelsTab() {
   const [channelSources, setChannelSources] = useState({});  // { channelId: [rules] }
   const [channelStatuses, setChannelStatuses] = useState({}); // { channelId: statusData }
   const [showForm, setShowForm] = useState(false);
-  const [form, setForm] = useState({ name: '', slug: '', channel_number: '', description: '', library_id: '', owner_user_id: '' });
+  const [form, setForm] = useState({ name: '', slug: '', channel_number: '', description: '', library_id: '', owner_user_id: '', requires_auth: false });
   const [assignForm, setAssignForm] = useState({ source_id: '', rule_mode: 'allow', weight: 1.0, schedule_block_label: '' });
   const [syncingId, setSyncingId] = useState(null);
   const [downloadingId, setDownloadingId] = useState(null);
@@ -217,10 +221,11 @@ function ChannelsTab() {
         channel_number: form.channel_number ? parseInt(form.channel_number) : undefined,
         library_id: parseInt(form.library_id),
         owner_user_id: parseInt(form.owner_user_id),
+        requires_auth: form.requires_auth,
       });
       setChannels(c => [...c, ch]);
       setShowForm(false);
-      setForm({ name: '', slug: '', channel_number: '', description: '', library_id: '', owner_user_id: '' });
+      setForm({ name: '', slug: '', channel_number: '', description: '', library_id: '', owner_user_id: '', requires_auth: false });
       ok(`Channel "${ch.name}" created.`);
     } catch { err('Failed to create channel. Check slug is unique.'); }
   };
@@ -286,6 +291,14 @@ function ChannelsTab() {
     } catch { err('Failed to update fallback collection.'); }
   };
 
+  const handleToggleAuth = async (ch) => {
+    try {
+      const updated = await updateChannel(ch.id, { requires_auth: !ch.requires_auth });
+      setChannels(cs => cs.map(c => c.id === updated.id ? updated : c));
+      ok(updated.requires_auth ? 'Authentication enabled.' : 'Authentication disabled.');
+    } catch { err('Failed to update auth requirement.'); }
+  };
+
   return (
     <div className="tab-content">
       <Feedback fb={feedback} clear={() => setFeedback(null)} />
@@ -317,7 +330,14 @@ function ChannelsTab() {
               </select>
             </label>
           </div>
-          <label>Description<input value={form.description} onChange={e => setForm(f => ({ ...f, description: e.target.value }))} /></label>
+          <div className="form-row">
+            <label>Description<input value={form.description} onChange={e => setForm(f => ({ ...f, description: e.target.value }))} /></label>
+            <label className="checkbox-label" style={{ alignSelf: 'flex-end', marginBottom: '0.75rem' }}>
+              <input type="checkbox" checked={form.requires_auth} onChange={e => setForm(f => ({ ...f, requires_auth: e.target.checked }))} />
+              Require Sign-In
+            </label>
+          </div>
+          
           <button type="submit" className="btn-accent">Create Channel</button>
         </form>
       )}
@@ -337,6 +357,7 @@ function ChannelsTab() {
                   <strong>{ch.name}</strong>
                   <span className="row-sub">{ch.slug} · {ch.scheduling_mode}</span>
                   <span className="row-badges">
+                    {ch.requires_auth && <span className="badge badge-error">🔒 Private</span>}
                     {!hasRules && isExpanded === false && channelSources[ch.id] !== undefined && (
                       <span className="badge badge-warn" style={{ marginLeft: '0.2rem' }}>⚠️ Fallback Library Mode</span>
                     )}
@@ -370,29 +391,29 @@ function ChannelsTab() {
 
                   {/* ─── Channel Status ──────────────────────────────────── */}
                   {channelStatuses[ch.id] && (
-                    <div style={{ marginBottom: '1.25rem', padding: '0.75rem', background: 'rgba(59, 130, 246, 0.1)', border: '1px solid rgba(59, 130, 246, 0.3)', borderRadius: '6px' }}>
-                      <div style={{ fontWeight: 600, marginBottom: '0.4rem', color: '#60a5fa' }}>Schedule Status (Next 24 Hours)</div>
-                      <div style={{ display: 'grid', gridTemplateColumns: '1fr 1fr', gap: '0.5rem', fontSize: '0.9rem' }}>
+                    <div className="expand-card is-info">
+                      <div className="expand-card-title is-info">Schedule Status — Next 24 Hours</div>
+                      <div className="expand-card-grid">
                         <span><strong>Total Upcoming:</strong> {channelStatuses[ch.id].total_upcoming_airings}</span>
                         <span><strong>Cached:</strong> {channelStatuses[ch.id].total_cached_airings} ({Math.round(channelStatuses[ch.id].percent_cached)}%)</span>
                       </div>
                       {channelStatuses[ch.id].missing_items?.length > 0 && (
-                        <div style={{ marginTop: '0.75rem', fontSize: '0.8rem', opacity: 0.8 }}>
-                          <strong>Missing Downloads:</strong> {channelStatuses[ch.id].missing_items.slice(0, 3).map(i => `[${i.source_name}] ${i.title}`).join(', ')}
+                        <p>
+                          <strong>Missing:</strong>{' '}
+                          {channelStatuses[ch.id].missing_items.slice(0, 3).map(i => i.title).join(', ')}
                           {channelStatuses[ch.id].missing_items.length > 3 ? ` +${channelStatuses[ch.id].missing_items.length - 3} more` : ''}
-                        </div>
+                        </p>
                       )}
                     </div>
                   )}
 
                   {/* ─── Fallback block selector ───────────────────────── */}
-                  <div style={{ marginBottom: '1.25rem', padding: '0.75rem', background: 'rgba(239,68,68,0.1)', border: '1px solid rgba(239,68,68,0.3)', borderRadius: '6px' }}>
-                    <label style={{ display: 'flex', alignItems: 'center', gap: '0.75rem', fontSize: '0.9rem' }}>
-                      <span style={{ whiteSpace: 'nowrap', fontWeight: 600 }}>⛔ Error Fallback Collection</span>
+                  <div className="expand-card is-warn">
+                    <div className="expand-card-title is-warn">Error Fallback Collection</div>
+                    <label>
                       <select
                         value={ch.fallback_collection_id ?? ''}
                         onChange={e => handleSetFallback(ch, e.target.value)}
-                        style={{ flex: 1 }}
                         title="When scheduled programming cannot play, items from this collection will air instead."
                       >
                         <option value="">— None (use block sources) —</option>
@@ -402,9 +423,20 @@ function ChannelsTab() {
                         }
                       </select>
                     </label>
-                    <p style={{ margin: '0.4rem 0 0 0', fontSize: '0.78rem', opacity: 0.65 }}>
-                      Items in this collection will air when a scheduled video cannot be played (missing file). If none is set, the scheduler picks a safe video from the block's normal sources.
-                    </p>
+                    <p>Items from this collection air when a scheduled video cannot be played. If none is set, the scheduler picks a safe video from the block's normal sources.</p>
+                  </div>
+
+                  {/* ─── Security Settings ────────────────────────────── */}
+                  <div className="expand-card">
+                    <label className="checkbox-label">
+                      <input
+                        type="checkbox"
+                        checked={ch.requires_auth}
+                        onChange={() => handleToggleAuth(ch)}
+                      />
+                      Require Sign-In to Stream
+                    </label>
+                    <p>If enabled, viewers must be logged in to watch or see the schedule for this channel.</p>
                   </div>
 
                   <h4 className="expand-section-title">Assigned Sources</h4>
@@ -426,9 +458,8 @@ function ChannelsTab() {
                   ))}
 
                   {/* Assign form */}
-                  <div className="assign-form" style={{ display: 'flex', flexDirection: 'column', gap: '0.5rem', marginTop: '1rem' }}>
-                    
-                    <div style={{ display: 'flex', gap: '0.5rem', alignItems: 'center' }}>
+                  <div className="assign-form">
+                    <div className="assign-form-row">
                       <select
                         value={assignForm.source_id}
                         onChange={e => setAssignForm(f => ({ ...f, source_id: e.target.value }))}
@@ -437,23 +468,21 @@ function ChannelsTab() {
                         <option value="">— Select source —</option>
                         {sources.map(s => <option key={s.id} value={s.id}>{s.name} ({s.source_type})</option>)}
                       </select>
-                      
-                      <button 
-                        className="btn-accent" 
+                      <button
+                        className="btn-accent"
                         onClick={() => {
                           if (!assignForm.source_id) { err('Select a source first.'); return; }
                           setAssignForm(f => ({ ...f, rule_mode: 'prefer', weight: 10.0 }));
-                          // We wait for re-render state update before submit
                           setTimeout(() => handleAssign(ch.id), 0);
                         }}
-                        title="Quick add as heavily preferred source to ensure it dominates schedule"
+                        title="Add as heavily preferred source to dominate scheduling"
                       >
-                        ★ Set as Primary Source
+                        Set as Primary
                       </button>
                     </div>
 
-                    <div style={{ display: 'flex', gap: '0.5rem', alignItems: 'center', opacity: 0.8, fontSize: '0.9rem' }}>
-                      <span>Or custom rule:</span>
+                    <div className="assign-form-hint">
+                      <span>Custom rule:</span>
                       <select
                         value={assignForm.rule_mode}
                         onChange={e => setAssignForm(f => ({ ...f, rule_mode: e.target.value }))}
@@ -464,16 +493,16 @@ function ChannelsTab() {
                         type="number" min="0.1" max="10" step="0.1"
                         value={assignForm.weight}
                         onChange={e => setAssignForm(f => ({ ...f, weight: e.target.value }))}
-                        style={{ width: 60 }}
+                        style={{ width: 56 }}
                         title="Weight (higher = more airings)"
                       />
                       <select
                         value={assignForm.schedule_block_label}
                         onChange={e => setAssignForm(f => ({ ...f, schedule_block_label: e.target.value }))}
                         style={{ flex: 1 }}
-                        title="If set, this source will ONLY play during blocks with this exact name. Leaving it empty applies to all blocks."
+                        title="Restrict to a named block, or leave empty for all blocks"
                       >
-                        <option value="">— Any Time (Default) —</option>
+                        <option value="">— Any block —</option>
                         {Array.from(new Set(
                           templates.filter(t => t.channel_id === ch.id)
                             .flatMap(t => (templateBlocks[t.id] || []).map(b => b.name))
@@ -481,7 +510,7 @@ function ChannelsTab() {
                           <option key={name} value={name}>{name}</option>
                         ))}
                       </select>
-                      <button className="btn-sync sm" onClick={() => handleAssign(ch.id)}>+ Add Rule</button>
+                      <button className="btn-sync sm" onClick={() => handleAssign(ch.id)}>+ Add</button>
                     </div>
 
                   </div>
@@ -582,6 +611,13 @@ function SourcesTab() {
   };
 
   const isYT = (src) => src.source_type.startsWith('youtube');
+  const sourceAvatar = (src) => {
+    if (src.source_type === 'youtube_channel')  return 'YTC';
+    if (src.source_type === 'youtube_playlist') return 'YTP';
+    if (src.source_type === 'local_directory')  return 'DIR';
+    if (src.source_type === 'stream')           return 'STR';
+    return 'SRC';
+  };
 
   return (
     <div className="tab-content">
@@ -663,7 +699,7 @@ function SourcesTab() {
           const synced = src.last_scanned_at;
           return (
             <div key={src.id} className="settings-row">
-              <div className="row-avatar">{isYT(src) ? '▶' : '📁'}</div>
+              <div className={`row-avatar${isYT(src) ? ' is-accent' : ''}`}>{sourceAvatar(src)}</div>
               <div className="row-info">
                 <strong>{src.name}</strong>
                 <span className="row-sub">{src.uri}</span>
@@ -842,11 +878,11 @@ function DownloadsTab() {
         {!loading && visibleItems.length === 0 && (
           <EmptyState text="No YouTube videos found. Sync a source first." />
         )}
-        {visibleItems.map(item => (
-          <div key={item.id} className={`settings-row download-item-row ${item.cached ? 'is-cached' : ''}`}>
-            <div className="row-avatar" style={{ fontSize: '0.8rem', background: item.cached ? 'rgba(34,197,94,0.12)' : 'rgba(255,255,255,0.05)', borderColor: item.cached ? 'rgba(34,197,94,0.3)' : 'var(--pytv-glass-border)', color: item.cached ? '#86efac' : 'var(--pytv-text-dim)' }}>
-              {item.cached ? '✓' : '▶'}
-            </div>
+          {visibleItems.map(item => (
+            <div key={item.id} className={`settings-row download-item-row ${item.cached ? 'is-cached' : ''}`}>
+              <div className={`row-avatar${item.cached ? ' is-accent' : ''}`}>
+                {item.cached ? '✓' : 'YT'}
+              </div>
             <div className="row-info">
               <strong>{item.title}</strong>
               <span className="row-sub">{item.source_name} · {item.runtime_seconds}s</span>
@@ -949,7 +985,7 @@ function SchedulingTab() {
     let total = 0;
     for (const id of chIds) {
       try { const r = await generateScheduleToday(id); total += r.airings_created; }
-      catch {}
+      catch (e) { console.warn('Failed to generate schedule for channel', id, e); }
     }
     ok(`Generated today's schedule: ${total} total airings created.`);
   };
@@ -962,8 +998,8 @@ function SchedulingTab() {
 
       <div className="settings-section-title">
         <h3>Schedule Templates</h3>
-        <div style={{ display: 'flex', gap: '0.5rem' }}>
-          <button className="btn-sync" onClick={handleGenerateAll}>▶ Generate All Today</button>
+        <div className="row-actions">
+          <button className="btn-sync" onClick={handleGenerateAll}>Generate All Today</button>
           <button className="btn-accent" onClick={() => setShowForm(f => !f)}>
             {showForm ? '— Cancel' : '+ New Template'}
           </button>
@@ -1009,7 +1045,7 @@ function SchedulingTab() {
           return (
             <div key={t.id} className={`settings-row-expandable ${isExpanded ? 'expanded' : ''}`}>
               <div className="settings-row" onClick={() => toggleExpand(t)}>
-                <div className="row-avatar" style={{ fontSize: '1.2rem' }}>📄</div>
+                <div className="row-avatar">TPL</div>
                 <div className="row-info">
                   <strong>{t.name}</strong>
                   <span className="row-sub">{channelName(t.channel_id)} · {t.timezone_name}</span>
@@ -1028,34 +1064,34 @@ function SchedulingTab() {
               </div>
               
               {isExpanded && (
-                <div className="channel-expand-panel block-editor" style={{ background: 'rgba(0,0,0,0.1)', borderTop: 'none', padding: '1rem', borderBottomLeftRadius: '6px', borderBottomRightRadius: '6px' }}>
-                  <h4 style={{ margin: '0 0 1rem 0', opacity: 0.9 }}>Schedule Blocks</h4>
-                  
+                <div className="channel-expand-panel block-editor">
+                  <h4 className="expand-section-title">Schedule Blocks</h4>
+
                   {blocks.length === 0 && (
-                    <div style={{ fontSize: '0.9rem', opacity: 0.7, marginBottom: '1rem' }}>
-                      No blocks defined. By default, PYTV acts as if there is a single 24/7 block. If you define blocks here, you must completely cover the 24 hours of a day to avoid dead air.
-                    </div>
+                    <p style={{ fontSize: '0.82rem', color: 'var(--pytv-text-dim)', marginBottom: '0.5rem' }}>
+                      No blocks defined. By default PYTV uses a single 24/7 block. Define blocks here to create specific programming windows.
+                    </p>
                   )}
 
                   {blocks.length > 0 && (
-                    <div style={{ position: 'relative', width: '100%', height: '32px', background: '#2f3640', borderRadius: '4px', marginBottom: '1.5rem', overflow: 'hidden', border: '1px solid var(--pytv-glass-border)' }}>
-                      {/* Timeline tick marks */}
+                    <div className="block-timeline">
                       {[0, 6, 12, 18].map(h => (
-                        <div key={h} style={{ position: 'absolute', left: `${(h/24)*100}%`, height: '100%', borderLeft: '1px dashed rgba(255,255,255,0.2)', pointerEvents: 'none', paddingLeft: '2px', fontSize: '0.65rem', color: 'rgba(255,255,255,0.4)', paddingTop: '2px' }}>
+                        <div key={h} className="block-timeline-tick" style={{ left: `${(h / 24) * 100}%` }}>
                           {h}:00
                         </div>
                       ))}
                       {blocks.map(b => {
                         const startPct = timeToPct(b.start_local_time);
                         let endPct = timeToPct(b.end_local_time);
-                        if (endPct <= startPct) endPct = 100; // spills past midnight visually
+                        if (endPct <= startPct) endPct = 100;
                         const width = endPct - startPct;
-                        const color = b.block_type === 'OFF_AIR' ? 'rgba(248, 113, 113, 0.8)' : 'rgba(96, 165, 250, 0.8)'; // red vs blue
+                        const cls = b.block_type === 'OFF_AIR' ? 'is-off-air' : 'is-programming';
                         return (
-                          <div 
-                            key={`vis-${b.id}`} 
-                            style={{ position: 'absolute', left: `${startPct}%`, width: `${width}%`, height: '100%', background: color, borderRight: '1px solid rgba(0,0,0,0.5)', display: 'flex', alignItems: 'center', justifyContent: 'center', fontSize: '0.75rem', color: '#fff', whiteSpace: 'nowrap', overflow: 'hidden', textOverflow: 'ellipsis', padding: '0 4px' }}
-                            title={`${b.name} (${b.start_local_time.slice(0,5)} - ${b.end_local_time.slice(0,5)}) Rating: ${b.target_content_rating || 'Any'}`}
+                          <div
+                            key={`vis-${b.id}`}
+                            className={`block-timeline-segment ${cls}`}
+                            style={{ left: `${startPct}%`, width: `${width}%` }}
+                            title={`${b.name} (${b.start_local_time.slice(0,5)}–${b.end_local_time.slice(0,5)})`}
                           >
                             {width > 8 ? b.name : ''}
                           </div>
@@ -1064,13 +1100,13 @@ function SchedulingTab() {
                     </div>
                   )}
 
-                  <div style={{ display: 'flex', flexDirection: 'column', gap: '0.5rem', marginBottom: '1.5rem' }}>
+                  <div className="block-list">
                     {blocks.map(b => (
-                      <div key={b.id} style={{ display: 'flex', gap: '0.5rem', background: '#353b48', padding: '0.5rem', borderRadius: '4px', alignItems: 'center', fontSize: '0.9rem' }}>
-                        <strong style={{ minWidth: 100 }}>{b.name}</strong>
-                        <span style={{ fontFamily: 'monospace', opacity: 0.8 }}>{b.start_local_time.slice(0,5)} - {b.end_local_time.slice(0,5)}</span>
+                      <div key={b.id} className="block-row">
+                        <span className="block-row-name">{b.name}</span>
+                        <span className="block-row-time">{b.start_local_time.slice(0,5)} – {b.end_local_time.slice(0,5)}</span>
                         <span className={`badge ${b.block_type === 'OFF_AIR' ? 'badge-warn' : 'badge-ok'}`}>{b.block_type}</span>
-                        {b.target_content_rating && <span className="badge badge-type">Rating Tier: {b.target_content_rating}</span>}
+                        {b.target_content_rating && <span className="badge badge-type">Rating {b.target_content_rating}</span>}
                         <div style={{ flex: 1 }} />
                         <IconBtn icon="✕" kind="danger" onClick={async () => {
                           try {
@@ -1083,9 +1119,9 @@ function SchedulingTab() {
                     ))}
                   </div>
 
-                  <form className="assign-form" style={{ background: '#2f3640' }} onSubmit={async (e) => {
+                  <form className="block-add-form" onSubmit={async (e) => {
                     e.preventDefault();
-                    if (!blockForm.name || !blockForm.start_local_time || !blockForm.end_local_time) { err('Fill req fields'); return; }
+                    if (!blockForm.name || !blockForm.start_local_time || !blockForm.end_local_time) { err('Fill required fields'); return; }
                     try {
                       const nb = await createTemplateBlock({
                         schedule_template_id: t.id,
@@ -1100,19 +1136,19 @@ function SchedulingTab() {
                       ok('Block created.');
                     } catch { err('Failed to create block'); }
                   }}>
-                    <div style={{ display: 'flex', gap: '0.5rem', alignItems: 'center' }}>
-                      <input placeholder="Block Name (e.g. Morning News)" required style={{ flex: 1 }} value={blockForm.name} onChange={e => setBlockForm(f => ({...f, name: e.target.value}))} />
+                    <div className="block-add-row">
+                      <input placeholder="Block name" required style={{ flex: 1 }} value={blockForm.name} onChange={e => setBlockForm(f => ({...f, name: e.target.value}))} />
                       <select value={blockForm.block_type} onChange={e => setBlockForm(f => ({...f, block_type: e.target.value}))}>
                         <option value="PROGRAM">Programming</option>
-                        <option value="OFF_AIR">Off Air / Dead Time</option>
+                        <option value="OFF_AIR">Off Air</option>
                       </select>
-                      <input type="time" required value={blockForm.start_local_time} onChange={e => setBlockForm(f => ({...f, start_local_time: e.target.value}))} />
-                      <span style={{ opacity: 0.5 }}>to</span>
-                      <input type="time" required value={blockForm.end_local_time} onChange={e => setBlockForm(f => ({...f, end_local_time: e.target.value}))} />
                     </div>
-                    <div style={{ display: 'flex', gap: '0.5rem', alignItems: 'center', marginTop: '0.5rem' }}>
+                    <div className="block-add-row">
+                      <input type="time" required value={blockForm.start_local_time} onChange={e => setBlockForm(f => ({...f, start_local_time: e.target.value}))} />
+                      <span className="block-time-sep">to</span>
+                      <input type="time" required value={blockForm.end_local_time} onChange={e => setBlockForm(f => ({...f, end_local_time: e.target.value}))} />
                       <select value={blockForm.target_content_rating} onChange={e => setBlockForm(f => ({...f, target_content_rating: e.target.value}))}>
-                        <option value="">Any content rating</option>
+                        <option value="">Any rating</option>
                         <option value="1">TV-Y</option>
                         <option value="2">TV-Y7</option>
                         <option value="3">TV-G</option>
@@ -1134,10 +1170,217 @@ function SchedulingTab() {
   );
 }
 
+function BackupsTab() {
+  const [schedule, setSchedule] = useState(null);
+  const [files, setFiles] = useState([]);
+  const [importMode, setImportMode] = useState('append');
+  const [importFile, setImportFile] = useState(null);
+  const [busy, setBusy] = useState(false);
+  const [feedback, setFeedback, ok, err] = useFeedback();
+
+  const load = useCallback(async () => {
+    try {
+      const [sched, backups] = await Promise.all([fetchBackupSchedule(), fetchBackups()]);
+      setSchedule(sched);
+      setFiles(backups);
+    } catch {
+      err('Failed to load backup settings.');
+    }
+  }, [err]);
+
+  useEffect(() => { load(); }, [load]);
+
+  const saveSchedule = async () => {
+    if (!schedule) return;
+    setBusy(true);
+    try {
+      const updated = await updateBackupSchedule(schedule);
+      setSchedule(updated);
+      ok('Backup schedule saved.');
+    } catch {
+      err('Failed to save backup schedule.');
+    } finally {
+      setBusy(false);
+    }
+  };
+
+  const handleBackupNow = async () => {
+    setBusy(true);
+    try {
+      const result = await runBackupNow();
+      ok(`Backup created: ${result.filename}`);
+      await load();
+    } catch {
+      err('Backup failed.');
+    } finally {
+      setBusy(false);
+    }
+  };
+
+  const handleDownload = async (filename) => {
+    try {
+      const blob = await downloadBackup(filename);
+      const url = URL.createObjectURL(blob);
+      const a = document.createElement('a');
+      a.href = url;
+      a.download = filename;
+      a.click();
+      URL.revokeObjectURL(url);
+    } catch {
+      err('Failed to download backup.');
+    }
+  };
+
+  const handleImport = async () => {
+    if (!importFile) {
+      err('Choose a backup JSON file first.');
+      return;
+    }
+    setBusy(true);
+    try {
+      const result = await importBackup(importFile, importMode);
+      ok(`Import complete (${result.mode}): ${result.created} created, ${result.updated} updated.`);
+      await load();
+    } catch {
+      err('Import failed.');
+    } finally {
+      setBusy(false);
+    }
+  };
+
+  return (
+    <div className="tab-content">
+      <Feedback fb={feedback} clear={() => setFeedback(null)} />
+      {!schedule && <EmptyState text="Loading backup settings..." />}
+      {schedule && (
+        <>
+          <div className="settings-section-title"><h3>Backup Schedule</h3></div>
+          <div className="settings-form">
+            <label className="checkbox-label">
+              <input
+                type="checkbox"
+                checked={schedule.enabled}
+                onChange={e => setSchedule(s => ({ ...s, enabled: e.target.checked }))}
+              />
+              Enable automatic backups
+            </label>
+            <div className="form-row">
+              <label>Frequency
+                <select value={schedule.frequency} onChange={e => setSchedule(s => ({ ...s, frequency: e.target.value }))}>
+                  <option value="hourly">Hourly</option>
+                  <option value="daily">Daily</option>
+                  <option value="weekly">Weekly</option>
+                  <option value="monthly">Monthly</option>
+                </select>
+              </label>
+              <label>Time (24h)
+                <input
+                  type="time"
+                  value={`${String(schedule.hour).padStart(2, '0')}:${String(schedule.minute).padStart(2, '0')}`}
+                  onChange={e => {
+                    const [h, m] = e.target.value.split(':').map(Number);
+                    setSchedule(s => ({ ...s, hour: h, minute: m }));
+                  }}
+                />
+              </label>
+            </div>
+
+            {schedule.frequency === 'weekly' && (
+              <label>Day of Week
+                <select value={schedule.day_of_week} onChange={e => setSchedule(s => ({ ...s, day_of_week: parseInt(e.target.value) }))}>
+                  <option value={0}>Monday</option>
+                  <option value={1}>Tuesday</option>
+                  <option value={2}>Wednesday</option>
+                  <option value={3}>Thursday</option>
+                  <option value={4}>Friday</option>
+                  <option value={5}>Saturday</option>
+                  <option value={6}>Sunday</option>
+                </select>
+              </label>
+            )}
+
+            {schedule.frequency === 'monthly' && (
+              <label>Day of Month
+                <input
+                  type="number"
+                  min={1}
+                  max={28}
+                  value={schedule.day_of_month}
+                  onChange={e => setSchedule(s => ({ ...s, day_of_month: parseInt(e.target.value || '1') }))}
+                />
+              </label>
+            )}
+
+            <label>Retention (number of backup files to keep)
+              <input
+                type="number"
+                min={1}
+                value={schedule.retention_count}
+                onChange={e => setSchedule(s => ({ ...s, retention_count: parseInt(e.target.value || '1') }))}
+              />
+            </label>
+
+            <div className="form-actions">
+              <button className="btn-accent" onClick={saveSchedule} disabled={busy}>Save Schedule</button>
+              <button className="btn-sync" onClick={handleBackupNow} disabled={busy}>Backup Now</button>
+            </div>
+            <p className="settings-empty" style={{ marginTop: '0.4rem' }}>
+              Backups are always stored on server path <code>/Backups</code>.
+            </p>
+          </div>
+
+          <div className="settings-section-title"><h3>Import Backup</h3></div>
+          <div className="settings-form">
+            <label>Backup File (JSON)
+              <input type="file" accept="application/json,.json" onChange={e => setImportFile(e.target.files?.[0] || null)} />
+            </label>
+            <label>Import Mode
+              <select value={importMode} onChange={e => setImportMode(e.target.value)}>
+                <option value="append">Append (merge into existing DB)</option>
+                <option value="override">Override (replace existing DB)</option>
+              </select>
+            </label>
+            <button className="btn-accent" onClick={handleImport} disabled={busy || !importFile}>Import Backup</button>
+          </div>
+
+          <div className="settings-section-title"><h3>Available Backups</h3></div>
+          <div className="settings-row-list">
+            {files.length === 0 && <EmptyState text="No backups found." />}
+            {files.map(file => (
+              <div key={file.filename} className="settings-row">
+                <div className="row-avatar">BK</div>
+                <div className="row-info">
+                  <strong>{file.filename}</strong>
+                  <span className="row-sub">{Math.round(file.size_bytes / 1024)} KB · {new Date(file.created_at).toLocaleString()}</span>
+                </div>
+                <div className="row-actions">
+                  <button className="btn-sync sm" onClick={() => handleDownload(file.filename)}>Download</button>
+                </div>
+              </div>
+            ))}
+          </div>
+        </>
+      )}
+    </div>
+  );
+}
+
 // ─── Root Settings Component ──────────────────────────────────────────────
 
 export default function Settings({ onClose }) {
   const [activeTab, setActiveTab] = useState('channels');
+  const { user, logout } = useAuth();
+  const [loggingOut, setLoggingOut] = useState(false);
+
+  const handleLogout = async () => {
+    setLoggingOut(true);
+    try {
+      await logout();
+      onClose();
+    } finally {
+      setLoggingOut(false);
+    }
+  };
 
   return (
     <div className="settings-overlay">
@@ -1146,6 +1389,11 @@ export default function Settings({ onClose }) {
         <div className="settings-header">
           <span className="settings-logo">PYTV</span>
           <h2>Settings</h2>
+          {user && (
+            <button className="btn-accent" onClick={handleLogout} disabled={loggingOut}>
+              {loggingOut ? 'Logging out...' : 'Logout'}
+            </button>
+          )}
           <button className="settings-close-btn" onClick={onClose}>✕ Close</button>
         </div>
 
@@ -1168,6 +1416,7 @@ export default function Settings({ onClose }) {
           {activeTab === 'sources'   && <SourcesTab />}
           {activeTab === 'downloads' && <DownloadsTab />}
           {activeTab === 'schedule'  && <SchedulingTab />}
+          {activeTab === 'backups'   && <BackupsTab />}
           {activeTab === 'users'     && <UsersTab />}
         </div>
       </div>
diff --git a/frontend/src/index.css b/frontend/src/index.css
index a34ef47..8ca3dce 100644
--- a/frontend/src/index.css
+++ b/frontend/src/index.css
@@ -593,48 +593,47 @@ body {
 }
 
 /* -------------------------------------------------------------------------- */
-/* Settings Overlay */
+/* Settings Overlay                                                            */
 /* -------------------------------------------------------------------------- */
 
 .settings-gear-btn {
   position: fixed;
-  bottom: 2rem;
-  right: 2rem;
+  bottom: 1.75rem;
+  right: 1.75rem;
   z-index: 15;
-  font-size: 1.8rem;
-  background: var(--pytv-surface);
-  border: 1px solid var(--pytv-glass-border);
+  font-size: 1.1rem;
+  background: rgba(12, 12, 18, 0.92);
+  border: 1px solid rgba(255, 255, 255, 0.1);
   color: var(--pytv-text-dim);
-  border-radius: 50%;
-  width: 52px;
-  height: 52px;
+  border-radius: 6px;
+  width: 40px;
+  height: 40px;
   cursor: pointer;
   backdrop-filter: blur(12px);
-  transition: all 0.2s ease;
+  transition: color 0.15s, border-color 0.15s;
   display: flex;
   align-items: center;
   justify-content: center;
-  opacity: 0.6;
 }
 
 .settings-gear-btn:hover {
   color: var(--pytv-accent);
-  border-color: var(--pytv-accent);
-  opacity: 1;
-  box-shadow: 0 0 18px var(--pytv-accent-glow);
+  border-color: rgba(0, 212, 255, 0.4);
 }
 
+/* ── Overlay backdrop ───────────────────────────────────────────────────── */
+
 .settings-overlay {
   position: fixed;
   inset: 0;
   z-index: 30;
-  background: rgba(0, 0, 0, 0.75);
-  backdrop-filter: blur(8px);
-  -webkit-backdrop-filter: blur(8px);
+  background: rgba(0, 0, 0, 0.8);
+  backdrop-filter: blur(6px);
+  -webkit-backdrop-filter: blur(6px);
   display: flex;
   align-items: center;
   justify-content: center;
-  animation: fadeIn 0.2s ease;
+  animation: fadeIn 0.15s ease;
 }
 
 @keyframes fadeIn {
@@ -642,79 +641,88 @@ body {
   to   { opacity: 1; }
 }
 
+/* ── Panel shell ────────────────────────────────────────────────────────── */
+
 .settings-panel {
-  width: min(900px, 92vw);
-  max-height: 85vh;
-  overflow-y: auto;
-  background: rgba(14, 14, 20, 0.96);
-  border: 1px solid var(--pytv-glass-border);
-  border-radius: 16px;
-  box-shadow: 0 24px 64px rgba(0,0,0,0.7), 0 0 0 1px rgba(255,255,255,0.05);
-  padding: 2rem;
+  width: min(960px, 94vw);
+  max-height: 88vh;
   display: flex;
   flex-direction: column;
-  gap: 1.5rem;
-  animation: slideUp 0.25s cubic-bezier(0.2, 0.8, 0.2, 1);
+  background: #0c0c12;
+  border: 1px solid rgba(255, 255, 255, 0.08);
+  border-radius: 10px;
+  box-shadow: 0 40px 100px rgba(0, 0, 0, 0.85);
+  overflow: hidden;
+  animation: slideUp 0.2s cubic-bezier(0.2, 0.8, 0.2, 1);
 }
 
+/* ── Header ─────────────────────────────────────────────────────────────── */
+
 .settings-header {
   display: flex;
   align-items: center;
   gap: 1rem;
+  padding: 1rem 1.5rem;
+  border-bottom: 1px solid rgba(255, 255, 255, 0.06);
+  flex-shrink: 0;
 }
 
 .settings-logo {
-  font-size: 0.85rem;
+  font-size: 0.68rem;
   font-weight: 900;
-  letter-spacing: 4px;
+  letter-spacing: 5px;
   color: var(--pytv-accent);
-  text-shadow: 0 0 10px var(--pytv-accent-glow);
   flex-shrink: 0;
 }
 
 .settings-header h2 {
-  font-size: 1.6rem;
-  font-weight: 300;
-  letter-spacing: 1px;
+  font-size: 0.78rem;
+  font-weight: 500;
+  letter-spacing: 2px;
+  text-transform: uppercase;
+  color: var(--pytv-text-dim);
   flex: 1;
 }
 
 .settings-close-btn {
   background: transparent;
-  border: 1px solid var(--pytv-glass-border);
+  border: 1px solid rgba(255, 255, 255, 0.09);
   color: var(--pytv-text-dim);
-  padding: 0.4rem 1rem;
-  border-radius: 8px;
+  padding: 0.3rem 0.8rem;
+  border-radius: 4px;
   cursor: pointer;
-  font-size: 0.9rem;
-  transition: all 0.2s;
+  font-size: 0.75rem;
+  letter-spacing: 0.5px;
+  font-family: var(--font-osd);
+  transition: border-color 0.15s, color 0.15s;
 }
 
 .settings-close-btn:hover {
-  border-color: var(--pytv-accent);
+  border-color: rgba(255, 255, 255, 0.22);
   color: var(--pytv-text);
 }
 
-/* Feedback */
+/* ── Feedback banner ────────────────────────────────────────────────────── */
+
 .settings-feedback {
   display: flex;
   align-items: center;
   justify-content: space-between;
-  padding: 0.75rem 1.25rem;
-  border-radius: 8px;
-  font-size: 0.95rem;
+  padding: 0.55rem 0.9rem;
+  border-radius: 5px;
+  font-size: 0.85rem;
   gap: 1rem;
 }
 
 .settings-feedback.success {
-  background: rgba(34, 197, 94, 0.15);
-  border: 1px solid rgba(34, 197, 94, 0.3);
+  background: rgba(34, 197, 94, 0.08);
+  border: 1px solid rgba(34, 197, 94, 0.18);
   color: #86efac;
 }
 
 .settings-feedback.error {
-  background: rgba(239, 68, 68, 0.15);
-  border: 1px solid rgba(239, 68, 68, 0.3);
+  background: rgba(239, 68, 68, 0.08);
+  border: 1px solid rgba(239, 68, 68, 0.18);
   color: #fca5a5;
 }
 
@@ -725,318 +733,305 @@ body {
   color: inherit;
   font-size: 1rem;
   flex-shrink: 0;
+  opacity: 0.6;
+  transition: opacity 0.15s;
 }
+.settings-feedback button:hover { opacity: 1; }
 
-/* Section title */
-.settings-section-title {
-  display: flex;
-  align-items: center;
-  justify-content: space-between;
-  border-bottom: 1px solid var(--pytv-glass-border);
-  padding-bottom: 0.75rem;
-}
-
-.settings-section-title h3 {
-  font-size: 1.1rem;
-  font-weight: 500;
-  color: var(--pytv-text-dim);
-  letter-spacing: 1px;
-  text-transform: uppercase;
-}
-
-/* Add Source Form */
-.settings-form {
-  display: flex;
-  flex-direction: column;
-  gap: 1rem;
-  background: rgba(255,255,255,0.03);
-  border: 1px solid var(--pytv-glass-border);
-  border-radius: 12px;
-  padding: 1.5rem;
-  animation: slideUp 0.2s ease;
-}
-
-.settings-form label {
-  display: flex;
-  flex-direction: column;
-  gap: 0.4rem;
-  font-size: 0.85rem;
-  color: var(--pytv-text-dim);
-  text-transform: uppercase;
-  letter-spacing: 0.5px;
-}
-
-.settings-form input,
-.settings-form select {
-  background: rgba(255,255,255,0.06);
-  border: 1px solid var(--pytv-glass-border);
-  color: var(--pytv-text);
-  font-size: 1rem;
-  padding: 0.6rem 0.9rem;
-  border-radius: 8px;
-  outline: none;
-  transition: border-color 0.2s;
-  font-family: var(--font-osd);
-}
-
-.settings-form input:focus,
-.settings-form select:focus {
-  border-color: var(--pytv-accent);
-  box-shadow: 0 0 0 2px var(--pytv-accent-glow);
-}
-
-/* Source list */
-.settings-source-list {
-  display: flex;
-  flex-direction: column;
-  gap: 0.75rem;
-}
-
-.settings-loading,
-.settings-empty {
-  text-align: center;
-  color: var(--pytv-text-dim);
-  padding: 2rem;
-  font-size: 1rem;
-}
-
-.settings-source-row {
-  display: grid;
-  grid-template-columns: 48px 1fr auto;
-  align-items: center;
-  gap: 1rem;
-  background: rgba(255,255,255,0.03);
-  border: 1px solid var(--pytv-glass-border);
-  border-radius: 10px;
-  padding: 1rem 1.25rem;
-  transition: background 0.15s;
-}
-
-.settings-source-row:hover {
-  background: rgba(255,255,255,0.06);
-}
-
-.source-icon {
-  font-size: 1.8rem;
-  text-align: center;
-}
-
-.source-info {
-  display: flex;
-  flex-direction: column;
-  gap: 0.2rem;
-  min-width: 0;
-}
-
-.source-info strong {
-  font-size: 1.05rem;
-}
-
-.source-type-label {
-  font-size: 0.78rem;
-  color: var(--pytv-accent);
-  text-transform: uppercase;
-  letter-spacing: 0.5px;
-}
-
-.source-uri {
-  font-size: 0.8rem;
-  color: var(--pytv-text-dim);
-  white-space: nowrap;
-  overflow: hidden;
-  text-overflow: ellipsis;
-}
-
-.source-badge {
-  font-size: 0.8rem;
-  font-weight: 600;
-}
-
-.source-actions {
-  display: flex;
-  gap: 0.5rem;
-  flex-shrink: 0;
-}
-
-.btn-accent {
-  background: var(--pytv-accent);
-  color: #000;
-  border: none;
-  border-radius: 8px;
-  padding: 0.5rem 1.1rem;
-  font-weight: 700;
-  font-size: 0.9rem;
-  cursor: pointer;
-  transition: opacity 0.2s, box-shadow 0.2s;
-  font-family: var(--font-osd);
-}
-
-.btn-accent:hover {
-  opacity: 0.85;
-  box-shadow: 0 0 14px var(--pytv-accent-glow);
-}
-
-.btn-sync {
-  background: rgba(0, 212, 255, 0.12);
-  border: 1px solid var(--pytv-accent);
-  color: var(--pytv-accent);
-  border-radius: 8px;
-  padding: 0.4rem 0.9rem;
-  font-size: 0.85rem;
-  cursor: pointer;
-  transition: all 0.2s;
-  font-family: var(--font-osd);
-}
-
-.btn-sync:hover:not(:disabled) {
-  background: rgba(0, 212, 255, 0.25);
-}
-
-.btn-sync:disabled {
-  opacity: 0.5;
-  cursor: not-allowed;
-}
-
-.btn-delete {
-  background: rgba(239, 68, 68, 0.1);
-  border: 1px solid rgba(239, 68, 68, 0.3);
-  color: #f87171;
-  border-radius: 8px;
-  padding: 0.4rem 0.7rem;
-  font-size: 1rem;
-  cursor: pointer;
-  transition: all 0.2s;
-}
-
-.btn-delete:hover {
-  background: rgba(239, 68, 68, 0.25);
-  border-color: #f87171;
-}
-
-.settings-hint {
-  font-size: 0.82rem;
-  color: var(--pytv-text-dim);
-  border-top: 1px solid var(--pytv-glass-border);
-  padding-top: 1rem;
-  line-height: 1.6;
-}
-
-.settings-hint code {
-  background: rgba(255,255,255,0.08);
-  padding: 0.1em 0.4em;
-  border-radius: 4px;
-  font-size: 0.9em;
-  color: var(--pytv-accent);
-}
-
-/* -------------------------------------------------------------------------- */
-/* Settings — Tab Bar                                                          */
-/* -------------------------------------------------------------------------- */
+/* ── Tab bar ────────────────────────────────────────────────────────────── */
 
 .settings-tab-bar {
   display: flex;
-  gap: 0.25rem;
-  border-bottom: 1px solid var(--pytv-glass-border);
-  padding-bottom: 0;
-  flex-wrap: wrap;
+  border-bottom: 1px solid rgba(255, 255, 255, 0.06);
+  flex-shrink: 0;
+  padding: 0 1.5rem;
+  gap: 0;
+  overflow-x: auto;
 }
 
+.settings-tab-bar::-webkit-scrollbar { display: none; }
+
 .settings-tab {
   background: transparent;
   border: none;
   border-bottom: 2px solid transparent;
   color: var(--pytv-text-dim);
-  padding: 0.6rem 1.1rem;
+  padding: 0.65rem 0.95rem;
   cursor: pointer;
   font-family: var(--font-osd);
-  font-size: 0.9rem;
-  border-radius: 6px 6px 0 0;
-  transition: all 0.15s ease;
+  font-size: 0.68rem;
+  font-weight: 700;
+  letter-spacing: 1.5px;
+  text-transform: uppercase;
+  border-radius: 0;
+  transition: color 0.15s;
   margin-bottom: -1px;
+  white-space: nowrap;
+  flex-shrink: 0;
 }
 
-.settings-tab:hover {
-  color: var(--pytv-text);
-  background: rgba(255,255,255,0.05);
-}
+.settings-tab:hover { color: var(--pytv-text); }
 
 .settings-tab.active {
   color: var(--pytv-accent);
   border-bottom-color: var(--pytv-accent);
-  background: rgba(0, 212, 255, 0.07);
 }
 
+/* ── Content wrapper ────────────────────────────────────────────────────── */
+
 .tab-content-wrapper {
   flex: 1;
   overflow-y: auto;
   min-height: 0;
+  padding: 1.5rem;
+}
+
+.tab-content-wrapper::-webkit-scrollbar { width: 4px; }
+.tab-content-wrapper::-webkit-scrollbar-track { background: transparent; }
+.tab-content-wrapper::-webkit-scrollbar-thumb {
+  background: rgba(255, 255, 255, 0.08);
+  border-radius: 2px;
 }
 
 .tab-content {
   display: flex;
   flex-direction: column;
-  gap: 1rem;
+  gap: 1.1rem;
 }
 
-/* -------------------------------------------------------------------------- */
-/* Settings — Generic Row List                                                 */
-/* -------------------------------------------------------------------------- */
+/* ── Section titles ─────────────────────────────────────────────────────── */
+
+.settings-section-title {
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  padding-bottom: 0.55rem;
+  border-bottom: 1px solid rgba(255, 255, 255, 0.06);
+}
+
+.settings-section-title h3 {
+  font-size: 0.65rem;
+  font-weight: 700;
+  color: var(--pytv-text-dim);
+  letter-spacing: 1.5px;
+  text-transform: uppercase;
+}
+
+/* ── Forms ──────────────────────────────────────────────────────────────── */
+
+.settings-form {
+  display: flex;
+  flex-direction: column;
+  gap: 0.85rem;
+  background: rgba(255, 255, 255, 0.02);
+  border: 1px solid rgba(255, 255, 255, 0.06);
+  border-radius: 7px;
+  padding: 1.1rem;
+}
+
+.settings-form label {
+  display: flex;
+  flex-direction: column;
+  gap: 0.32rem;
+  font-size: 0.67rem;
+  color: var(--pytv-text-dim);
+  text-transform: uppercase;
+  letter-spacing: 0.8px;
+  font-weight: 700;
+}
+
+.settings-form input,
+.settings-form select {
+  background: rgba(255, 255, 255, 0.04);
+  border: 1px solid rgba(255, 255, 255, 0.09);
+  color: var(--pytv-text);
+  font-size: 0.88rem;
+  padding: 0.5rem 0.75rem;
+  border-radius: 5px;
+  outline: none;
+  transition: border-color 0.15s;
+  font-family: var(--font-osd);
+}
+
+.settings-form input:focus,
+.settings-form select:focus {
+  border-color: rgba(0, 212, 255, 0.45);
+}
+
+.form-row {
+  display: flex;
+  gap: 0.75rem;
+  flex-wrap: wrap;
+}
+
+.form-row > label {
+  flex: 1;
+  min-width: 140px;
+}
+
+.checkbox-label {
+  flex-direction: row !important;
+  align-items: center;
+  gap: 0.5rem !important;
+  font-size: 0.85rem !important;
+  text-transform: none !important;
+  letter-spacing: 0 !important;
+  font-weight: 400 !important;
+  cursor: pointer;
+}
+
+.form-actions {
+  display: flex;
+  gap: 0.5rem;
+  align-items: center;
+  flex-wrap: wrap;
+  padding-top: 0.15rem;
+}
+
+/* ── Buttons ────────────────────────────────────────────────────────────── */
+
+.btn-accent {
+  background: var(--pytv-accent);
+  color: #000;
+  border: none;
+  border-radius: 5px;
+  padding: 0.42rem 0.95rem;
+  font-weight: 700;
+  font-size: 0.78rem;
+  letter-spacing: 0.3px;
+  cursor: pointer;
+  font-family: var(--font-osd);
+  transition: opacity 0.15s;
+  flex-shrink: 0;
+}
+
+.btn-accent:hover { opacity: 0.82; }
+.btn-accent:disabled { opacity: 0.35; cursor: not-allowed; }
+
+.btn-sync {
+  background: transparent;
+  border: 1px solid rgba(0, 212, 255, 0.28);
+  color: var(--pytv-accent);
+  border-radius: 5px;
+  padding: 0.38rem 0.82rem;
+  font-size: 0.78rem;
+  cursor: pointer;
+  font-family: var(--font-osd);
+  transition: background 0.15s, border-color 0.15s;
+  flex-shrink: 0;
+}
+
+.btn-sync:hover:not(:disabled) {
+  background: rgba(0, 212, 255, 0.08);
+  border-color: rgba(0, 212, 255, 0.5);
+}
+
+.btn-sync:disabled { opacity: 0.35; cursor: not-allowed; }
+
+.btn-sync.sm {
+  padding: 0.3rem 0.65rem;
+  font-size: 0.73rem;
+}
+
+/* ── Icon buttons ───────────────────────────────────────────────────────── */
+
+.icon-btn {
+  background: transparent;
+  border: 1px solid rgba(255, 255, 255, 0.07);
+  border-radius: 4px;
+  width: 28px;
+  height: 28px;
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  cursor: pointer;
+  font-size: 0.78rem;
+  transition: all 0.15s;
+  flex-shrink: 0;
+}
+
+.icon-btn-danger {
+  color: rgba(248, 113, 113, 0.65);
+  border-color: rgba(239, 68, 68, 0.14);
+}
+
+.icon-btn-danger:hover {
+  background: rgba(239, 68, 68, 0.1);
+  border-color: rgba(239, 68, 68, 0.3);
+  color: #f87171;
+}
+
+/* ── Row list ───────────────────────────────────────────────────────────── */
 
 .settings-row-list {
   display: flex;
   flex-direction: column;
-  gap: 0.5rem;
+  gap: 0.35rem;
 }
 
 .settings-row {
   display: grid;
-  grid-template-columns: 44px 1fr auto;
+  grid-template-columns: 36px 1fr auto;
   align-items: center;
-  gap: 0.9rem;
-  background: rgba(255,255,255,0.03);
-  border: 1px solid var(--pytv-glass-border);
-  border-radius: 10px;
-  padding: 0.85rem 1rem;
-  cursor: pointer;
-  transition: background 0.15s;
+  gap: 0.85rem;
+  background: rgba(255, 255, 255, 0.02);
+  border: 1px solid rgba(255, 255, 255, 0.06);
+  border-radius: 7px;
+  padding: 0.7rem 0.85rem;
+  transition: background 0.15s, border-color 0.15s;
+  cursor: default;
 }
 
 .settings-row:hover {
-  background: rgba(255,255,255,0.06);
+  background: rgba(255, 255, 255, 0.04);
+  border-color: rgba(255, 255, 255, 0.1);
 }
 
+/* Square geometric avatar */
 .row-avatar {
-  width: 40px;
-  height: 40px;
-  border-radius: 50%;
-  background: rgba(0,212,255,0.12);
-  border: 1px solid rgba(0,212,255,0.3);
+  width: 36px;
+  height: 36px;
+  border-radius: 4px;
+  background: rgba(255, 255, 255, 0.04);
+  border: 1px solid rgba(255, 255, 255, 0.07);
   display: flex;
   align-items: center;
   justify-content: center;
-  font-size: 1.1rem;
-  font-weight: 800;
-  color: var(--pytv-accent);
+  font-size: 0.65rem;
+  font-weight: 700;
+  color: var(--pytv-text-dim);
   flex-shrink: 0;
+  letter-spacing: 0.4px;
+  text-transform: uppercase;
+}
+
+.row-avatar.is-accent {
+  background: rgba(0, 212, 255, 0.06);
+  border-color: rgba(0, 212, 255, 0.14);
+  color: var(--pytv-accent);
 }
 
 .row-avatar.ch-num {
-  font-size: 0.9rem;
+  font-size: 1rem;
+  font-weight: 800;
+  color: var(--pytv-text);
+  letter-spacing: -0.5px;
 }
 
 .row-info {
   display: flex;
   flex-direction: column;
-  gap: 0.15rem;
+  gap: 0.1rem;
   min-width: 0;
 }
 
 .row-info strong {
-  font-size: 1rem;
+  font-size: 0.9rem;
+  font-weight: 600;
 }
 
 .row-sub {
-  font-size: 0.78rem;
+  font-size: 0.73rem;
   color: var(--pytv-text-dim);
   white-space: nowrap;
   overflow: hidden;
@@ -1046,104 +1041,74 @@ body {
 .row-badges {
   display: flex;
   flex-wrap: wrap;
-  gap: 0.3rem;
+  gap: 0.25rem;
   margin-top: 0.15rem;
 }
 
 .row-actions {
   display: flex;
-  gap: 0.4rem;
+  gap: 0.3rem;
   align-items: center;
   flex-shrink: 0;
 }
 
-/* -------------------------------------------------------------------------- */
-/* Badges                                                                      */
-/* -------------------------------------------------------------------------- */
+/* ── Badges ─────────────────────────────────────────────────────────────── */
 
 .badge {
-  font-size: 0.7rem;
-  font-weight: 600;
-  padding: 0.15em 0.55em;
-  border-radius: 4px;
+  font-size: 0.62rem;
+  font-weight: 700;
+  padding: 0.1em 0.48em;
+  border-radius: 3px;
   text-transform: uppercase;
-  letter-spacing: 0.3px;
+  letter-spacing: 0.4px;
 }
 
-.badge-accent  { background: rgba(0,212,255,0.15); color: var(--pytv-accent); border: 1px solid rgba(0,212,255,0.3); }
-.badge-ok      { background: rgba(34,197,94,0.12); color: #86efac; border: 1px solid rgba(34,197,94,0.25); }
-.badge-warn    { background: rgba(245,158,11,0.12); color: #fcd34d; border: 1px solid rgba(245,158,11,0.25); }
-.badge-muted   { background: rgba(255,255,255,0.07); color: var(--pytv-text-dim); border: 1px solid var(--pytv-glass-border); }
-.badge-type    { background: rgba(139,92,246,0.12); color: #c4b5fd; border: 1px solid rgba(139,92,246,0.25); }
+.badge-accent  { background: rgba(0,212,255,0.08);   color: var(--pytv-accent); border: 1px solid rgba(0,212,255,0.18); }
+.badge-ok      { background: rgba(34,197,94,0.07);   color: #86efac;            border: 1px solid rgba(34,197,94,0.18); }
+.badge-warn    { background: rgba(245,158,11,0.07);  color: #fcd34d;            border: 1px solid rgba(245,158,11,0.18); }
+.badge-error   { background: rgba(239,68,68,0.07);   color: #fca5a5;            border: 1px solid rgba(239,68,68,0.18); }
+.badge-muted   { background: rgba(255,255,255,0.04); color: var(--pytv-text-dim); border: 1px solid rgba(255,255,255,0.07); }
+.badge-type    { background: rgba(139,92,246,0.07);  color: #c4b5fd;            border: 1px solid rgba(139,92,246,0.18); }
+.badge-info    { background: rgba(0,212,255,0.05);   color: var(--pytv-text-dim); border: 1px solid rgba(0,212,255,0.1); }
 
-.badge-mode-allow  { background: rgba(34,197,94,0.12);  color: #86efac;  border: 1px solid rgba(34,197,94,0.25); }
-.badge-mode-prefer { background: rgba(0,212,255,0.12);  color: var(--pytv-accent); border: 1px solid rgba(0,212,255,0.25); }
-.badge-mode-avoid  { background: rgba(245,158,11,0.12); color: #fcd34d;  border: 1px solid rgba(245,158,11,0.25); }
-.badge-mode-block  { background: rgba(239,68,68,0.12);  color: #fca5a5;  border: 1px solid rgba(239,68,68,0.25); }
+.badge-mode-allow  { background: rgba(34,197,94,0.07);  color: #86efac;            border: 1px solid rgba(34,197,94,0.18); }
+.badge-mode-prefer { background: rgba(0,212,255,0.07);  color: var(--pytv-accent); border: 1px solid rgba(0,212,255,0.18); }
+.badge-mode-avoid  { background: rgba(245,158,11,0.07); color: #fcd34d;            border: 1px solid rgba(245,158,11,0.18); }
+.badge-mode-block  { background: rgba(239,68,68,0.07);  color: #fca5a5;            border: 1px solid rgba(239,68,68,0.18); }
 
-/* -------------------------------------------------------------------------- */
-/* Icon Buttons                                                                */
-/* -------------------------------------------------------------------------- */
-
-.icon-btn {
-  background: transparent;
-  border: 1px solid var(--pytv-glass-border);
-  border-radius: 6px;
-  width: 32px;
-  height: 32px;
-  display: flex;
-  align-items: center;
-  justify-content: center;
-  cursor: pointer;
-  font-size: 0.9rem;
-  transition: all 0.15s;
-  flex-shrink: 0;
-}
-
-.icon-btn-danger {
-  color: #f87171;
-  border-color: rgba(239,68,68,0.3);
-}
-
-.icon-btn-danger:hover {
-  background: rgba(239,68,68,0.15);
-  border-color: #f87171;
-}
-
-/* -------------------------------------------------------------------------- */
-/* Expandable Channel Row                                                      */
-/* -------------------------------------------------------------------------- */
+/* ── Expandable rows ────────────────────────────────────────────────────── */
 
 .settings-row-expandable {
-  border: 1px solid var(--pytv-glass-border);
-  border-radius: 10px;
+  border: 1px solid rgba(255, 255, 255, 0.06);
+  border-radius: 7px;
   overflow: hidden;
-  background: rgba(255,255,255,0.02);
+  background: rgba(255, 255, 255, 0.015);
   transition: border-color 0.2s;
 }
 
 .settings-row-expandable.expanded {
-  border-color: rgba(0,212,255,0.25);
+  border-color: rgba(0, 212, 255, 0.18);
 }
 
 .settings-row-expandable .settings-row {
   border: none;
   border-radius: 0;
   background: transparent;
+  cursor: pointer;
 }
 
 .expand-chevron {
-  font-size: 0.75rem;
+  font-size: 0.62rem;
   color: var(--pytv-text-dim);
-  margin-left: 0.25rem;
+  margin-left: 0.1rem;
 }
 
 .channel-expand-panel {
-  border-top: 1px solid var(--pytv-glass-border);
-  padding: 1rem 1.25rem;
+  border-top: 1px solid rgba(255, 255, 255, 0.06);
+  padding: 1rem;
   display: flex;
   flex-direction: column;
-  gap: 0.6rem;
+  gap: 0.7rem;
   animation: slideDown 0.15s ease;
 }
 
@@ -1152,144 +1117,218 @@ body {
   to   { opacity: 1; transform: translateY(0); }
 }
 
-.expand-section-title {
-  font-size: 0.8rem;
-  font-weight: 600;
-  text-transform: uppercase;
-  letter-spacing: 0.5px;
-  color: var(--pytv-text-dim);
-  margin-bottom: 0.2rem;
+/* Cards inside expand panel */
+.expand-card {
+  padding: 0.8rem 0.9rem;
+  border-radius: 6px;
+  background: rgba(255, 255, 255, 0.025);
+  border: 1px solid rgba(255, 255, 255, 0.06);
 }
 
-.rule-row {
+.expand-card.is-info {
+  background: rgba(0, 212, 255, 0.04);
+  border-color: rgba(0, 212, 255, 0.1);
+}
+
+.expand-card.is-warn {
+  background: rgba(239, 68, 68, 0.04);
+  border-color: rgba(239, 68, 68, 0.1);
+}
+
+.expand-card-title {
+  font-size: 0.62rem;
+  font-weight: 700;
+  text-transform: uppercase;
+  letter-spacing: 1px;
+  color: var(--pytv-text-dim);
+  margin-bottom: 0.55rem;
+}
+
+.expand-card-title.is-info { color: var(--pytv-accent); }
+.expand-card-title.is-warn { color: #fca5a5; }
+
+.expand-card-grid {
+  display: grid;
+  grid-template-columns: 1fr 1fr;
+  gap: 0.3rem 1rem;
+  font-size: 0.83rem;
+}
+
+.expand-card p {
+  font-size: 0.74rem;
+  color: var(--pytv-text-dim);
+  line-height: 1.5;
+  margin-top: 0.35rem;
+}
+
+.expand-card label {
   display: flex;
   align-items: center;
   gap: 0.6rem;
-  padding: 0.4rem 0.6rem;
-  background: rgba(255,255,255,0.03);
-  border-radius: 6px;
-  font-size: 0.88rem;
+  font-size: 0.83rem;
+  color: var(--pytv-text);
+  cursor: pointer;
+}
+
+.expand-card select {
+  flex: 1;
+  background: rgba(255, 255, 255, 0.05);
+  border: 1px solid rgba(255, 255, 255, 0.08);
+  color: var(--pytv-text);
+  font-size: 0.83rem;
+  padding: 0.38rem 0.65rem;
+  border-radius: 5px;
+  outline: none;
+  font-family: var(--font-osd);
+  transition: border-color 0.15s;
+}
+
+.expand-card select:focus { border-color: rgba(0, 212, 255, 0.4); }
+
+.expand-section-title {
+  font-size: 0.62rem;
+  font-weight: 700;
+  text-transform: uppercase;
+  letter-spacing: 1px;
+  color: var(--pytv-text-dim);
+  margin: 0.15rem 0 0 0;
+}
+
+/* Rule rows */
+.rule-row {
+  display: flex;
+  align-items: center;
+  gap: 0.5rem;
+  padding: 0.38rem 0.6rem;
+  background: rgba(255, 255, 255, 0.02);
+  border: 1px solid rgba(255, 255, 255, 0.05);
+  border-radius: 4px;
+  font-size: 0.83rem;
 }
 
 .rule-source { flex: 1; font-weight: 500; }
-.rule-weight { font-size: 0.75rem; color: var(--pytv-text-dim); }
+.rule-weight { font-size: 0.7rem; color: var(--pytv-text-dim); font-family: monospace; }
 
-/* Assign form inside expanded channel */
+/* Assign form */
 .assign-form {
   display: flex;
-  gap: 0.5rem;
+  flex-direction: column;
+  gap: 0.45rem;
+  padding-top: 0.55rem;
+  border-top: 1px solid rgba(255, 255, 255, 0.05);
+  margin-top: 0.2rem;
+}
+
+.assign-form-row {
+  display: flex;
+  gap: 0.45rem;
   align-items: center;
   flex-wrap: wrap;
-  margin-top: 0.4rem;
-  padding-top: 0.6rem;
-  border-top: 1px solid rgba(255,255,255,0.06);
 }
 
 .assign-form select,
 .assign-form input[type="number"] {
-  background: rgba(255,255,255,0.06);
-  border: 1px solid var(--pytv-glass-border);
+  background: rgba(255, 255, 255, 0.04);
+  border: 1px solid rgba(255, 255, 255, 0.08);
   color: var(--pytv-text);
-  font-size: 0.88rem;
-  padding: 0.4rem 0.6rem;
-  border-radius: 6px;
+  font-size: 0.83rem;
+  padding: 0.37rem 0.6rem;
+  border-radius: 5px;
   outline: none;
   font-family: var(--font-osd);
+  transition: border-color 0.15s;
 }
 
 .assign-form select:focus,
-.assign-form input:focus {
-  border-color: var(--pytv-accent);
-}
+.assign-form input:focus { border-color: rgba(0, 212, 255, 0.4); }
 
-.btn-accent.sm {
-  padding: 0.35rem 0.8rem;
-  font-size: 0.85rem;
-}
-
-/* -------------------------------------------------------------------------- */
-/* Form layout helpers                                                         */
-/* -------------------------------------------------------------------------- */
-
-.form-row {
+.assign-form-hint {
+  font-size: 0.72rem;
+  color: var(--pytv-text-dim);
   display: flex;
-  gap: 1rem;
+  align-items: center;
+  gap: 0.45rem;
   flex-wrap: wrap;
 }
 
-.form-row > label {
-  flex: 1;
-  min-width: 160px;
+/* ── Hints ───────────────────────────────────────────────────────────────── */
+
+.settings-hint {
+  font-size: 0.76rem;
+  color: var(--pytv-text-dim);
+  border-top: 1px solid rgba(255, 255, 255, 0.05);
+  padding-top: 0.65rem;
+  line-height: 1.65;
 }
 
-.checkbox-label {
-  flex-direction: row !important;
-  align-items: center;
-  gap: 0.5rem !important;
-  font-size: 0.9rem !important;
-  text-transform: none !important;
-  letter-spacing: 0 !important;
-  cursor: pointer;
+.settings-hint code,
+.expand-card p code {
+  background: rgba(255, 255, 255, 0.07);
+  padding: 0.1em 0.35em;
+  border-radius: 3px;
+  font-size: 0.9em;
+  color: var(--pytv-accent);
+}
+
+.settings-loading,
+.settings-empty {
+  text-align: center;
+  color: var(--pytv-text-dim);
+  padding: 1.5rem;
+  font-size: 0.88rem;
 }
 
-/* Schedule info box */
 .schedule-hint {
-  background: rgba(0,212,255,0.05);
-  border: 1px solid rgba(0,212,255,0.15);
-  border-radius: 8px;
-  padding: 0.9rem 1.1rem;
-  font-size: 0.83rem;
-  line-height: 1.6;
+  background: rgba(0, 212, 255, 0.03);
+  border: 1px solid rgba(0, 212, 255, 0.09);
+  border-radius: 6px;
+  padding: 0.75rem 0.9rem;
+  font-size: 0.77rem;
+  line-height: 1.65;
+  color: var(--pytv-text-dim);
 }
 
-.settings-row-list .settings-empty.small {
-  padding: 0.5rem 0;
-  font-size: 0.85rem;
-  text-align: left;
-}
-
-/* -------------------------------------------------------------------------- */
-/* Downloads Tab                                                               */
-/* -------------------------------------------------------------------------- */
+/* ── Downloads tab ───────────────────────────────────────────────────────── */
 
 .download-stats-header {
   display: flex;
   gap: 1.5rem;
   align-items: center;
   flex-wrap: wrap;
-  background: rgba(255,255,255,0.03);
-  border: 1px solid var(--pytv-glass-border);
-  border-radius: 10px;
-  padding: 1rem 1.25rem;
+  background: rgba(255, 255, 255, 0.02);
+  border: 1px solid rgba(255, 255, 255, 0.06);
+  border-radius: 7px;
+  padding: 0.9rem 1.1rem;
 }
 
 .download-stat {
   display: flex;
   flex-direction: column;
-  gap: 0.15rem;
+  gap: 0.1rem;
 }
 
 .stat-val {
-  font-size: 1.6rem;
+  font-size: 1.4rem;
   font-weight: 800;
   font-family: var(--font-osd);
   line-height: 1;
 }
 
 .stat-label {
-  font-size: 0.72rem;
+  font-size: 0.62rem;
   color: var(--pytv-text-dim);
   text-transform: uppercase;
-  letter-spacing: 0.4px;
+  letter-spacing: 0.7px;
+  font-weight: 700;
 }
 
 .download-cache-bar {
   flex: 1;
-  min-width: 140px;
+  min-width: 120px;
   position: relative;
-  background: rgba(255,255,255,0.06);
-  border-radius: 6px;
-  height: 28px;
+  background: rgba(255, 255, 255, 0.05);
+  border-radius: 4px;
+  height: 22px;
   overflow: hidden;
   display: flex;
   align-items: center;
@@ -1298,24 +1337,23 @@ body {
 .cache-bar-fill {
   position: absolute;
   left: 0; top: 0; bottom: 0;
-  background: linear-gradient(90deg, rgba(34,197,94,0.5), rgba(34,197,94,0.25));
+  background: rgba(34, 197, 94, 0.3);
   transition: width 0.4s ease;
-  border-radius: 6px;
+  border-radius: 4px;
 }
 
 .cache-bar-label {
   position: relative;
   z-index: 1;
-  padding: 0 0.75rem;
-  font-size: 0.8rem;
-  font-weight: 600;
+  padding: 0 0.7rem;
+  font-size: 0.73rem;
+  font-weight: 700;
   color: #86efac;
 }
 
-/* Trigger row */
 .download-trigger-row {
   display: flex;
-  gap: 0.75rem;
+  gap: 0.55rem;
   align-items: center;
   flex-wrap: wrap;
 }
@@ -1323,8 +1361,8 @@ body {
 .trigger-hours-label {
   display: flex;
   align-items: center;
-  gap: 0.5rem;
-  font-size: 0.85rem;
+  gap: 0.45rem;
+  font-size: 0.8rem;
   color: var(--pytv-text-dim);
   flex-direction: row !important;
   text-transform: none !important;
@@ -1332,70 +1370,184 @@ body {
 }
 
 .trigger-hours-label select {
-  background: rgba(255,255,255,0.06);
-  border: 1px solid var(--pytv-glass-border);
+  background: rgba(255, 255, 255, 0.04);
+  border: 1px solid rgba(255, 255, 255, 0.08);
   color: var(--pytv-text);
-  padding: 0.4rem 0.6rem;
-  border-radius: 6px;
+  padding: 0.37rem 0.6rem;
+  border-radius: 5px;
   font-family: var(--font-osd);
-  font-size: 0.85rem;
+  font-size: 0.8rem;
   outline: none;
+  transition: border-color 0.15s;
 }
 
-.trigger-hours-label select:focus {
-  border-color: var(--pytv-accent);
-}
+.trigger-hours-label select:focus { border-color: rgba(0, 212, 255, 0.4); }
 
-/* Run result box */
 .run-result-box {
   display: flex;
   gap: 1rem;
   flex-wrap: wrap;
-  background: rgba(0,212,255,0.05);
-  border: 1px solid rgba(0,212,255,0.15);
-  border-radius: 8px;
-  padding: 0.75rem 1rem;
-  font-size: 0.85rem;
+  background: rgba(255, 255, 255, 0.02);
+  border: 1px solid rgba(255, 255, 255, 0.06);
+  border-radius: 5px;
+  padding: 0.6rem 0.9rem;
+  font-size: 0.8rem;
   animation: slideDown 0.15s ease;
 }
 
-.rr-item { font-weight: 600; }
+.rr-item   { font-weight: 600; }
 .rr-ok     { color: #86efac; }
 .rr-cached { color: var(--pytv-accent); }
 .rr-pruned { color: var(--pytv-text-dim); }
 .rr-fail   { color: #f87171; }
 
-/* Filter row */
 .download-filter-row {
   display: flex;
   align-items: center;
-  gap: 0.75rem;
-  font-size: 0.85rem;
+  gap: 0.55rem;
+  font-size: 0.8rem;
 }
 
 .filter-label { color: var(--pytv-text-dim); }
 
 .download-filter-row select {
-  background: rgba(255,255,255,0.06);
-  border: 1px solid var(--pytv-glass-border);
+  background: rgba(255, 255, 255, 0.04);
+  border: 1px solid rgba(255, 255, 255, 0.08);
   color: var(--pytv-text);
-  padding: 0.35rem 0.6rem;
-  border-radius: 6px;
+  padding: 0.3rem 0.6rem;
+  border-radius: 5px;
   font-family: var(--font-osd);
-  font-size: 0.85rem;
+  font-size: 0.8rem;
   outline: none;
+  transition: border-color 0.15s;
 }
 
-.download-filter-row select:focus {
-  border-color: var(--pytv-accent);
+.download-filter-row select:focus { border-color: rgba(0, 212, 255, 0.4); }
+
+.download-item-row { position: relative; }
+.download-item-row.is-cached { opacity: 0.5; }
+.download-item-row.is-cached:hover { opacity: 1; }
+
+/* ── Block editor (Schedule tab) ─────────────────────────────────────────── */
+
+.block-editor {
+  background: rgba(0, 0, 0, 0.15);
+  border-top: none;
+  padding: 1rem;
 }
 
-/* Item rows */
-.download-item-row.is-cached {
-  opacity: 0.6;
+.block-list {
+  display: flex;
+  flex-direction: column;
+  gap: 0.35rem;
+  margin-bottom: 1rem;
 }
 
-.download-item-row.is-cached:hover {
-  opacity: 1;
+.block-row {
+  display: flex;
+  gap: 0.5rem;
+  background: rgba(255, 255, 255, 0.03);
+  border: 1px solid rgba(255, 255, 255, 0.06);
+  padding: 0.5rem 0.7rem;
+  border-radius: 5px;
+  align-items: center;
+  font-size: 0.85rem;
 }
 
+.block-row-name {
+  min-width: 90px;
+  font-weight: 600;
+  font-size: 0.83rem;
+}
+
+.block-row-time {
+  font-family: monospace;
+  font-size: 0.8rem;
+  color: var(--pytv-text-dim);
+}
+
+.block-add-form {
+  display: flex;
+  flex-direction: column;
+  gap: 0.45rem;
+  background: rgba(255, 255, 255, 0.025);
+  border: 1px solid rgba(255, 255, 255, 0.06);
+  border-radius: 6px;
+  padding: 0.85rem;
+}
+
+.block-add-row {
+  display: flex;
+  gap: 0.45rem;
+  align-items: center;
+  flex-wrap: wrap;
+}
+
+.block-add-form input,
+.block-add-form select {
+  background: rgba(255, 255, 255, 0.04);
+  border: 1px solid rgba(255, 255, 255, 0.08);
+  color: var(--pytv-text);
+  font-size: 0.83rem;
+  padding: 0.38rem 0.6rem;
+  border-radius: 5px;
+  outline: none;
+  font-family: var(--font-osd);
+  transition: border-color 0.15s;
+}
+
+.block-add-form input:focus,
+.block-add-form select:focus { border-color: rgba(0, 212, 255, 0.4); }
+
+.block-time-sep {
+  font-size: 0.75rem;
+  color: var(--pytv-text-dim);
+  flex-shrink: 0;
+}
+
+/* Block timeline bar */
+.block-timeline {
+  position: relative;
+  width: 100%;
+  height: 28px;
+  background: rgba(255, 255, 255, 0.04);
+  border-radius: 4px;
+  margin-bottom: 1rem;
+  overflow: hidden;
+  border: 1px solid rgba(255, 255, 255, 0.06);
+}
+
+.block-timeline-tick {
+  position: absolute;
+  height: 100%;
+  border-left: 1px dashed rgba(255, 255, 255, 0.12);
+  pointer-events: none;
+  padding-left: 3px;
+  font-size: 0.6rem;
+  color: rgba(255, 255, 255, 0.3);
+  padding-top: 4px;
+}
+
+.block-timeline-segment {
+  position: absolute;
+  height: 100%;
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  font-size: 0.7rem;
+  color: #fff;
+  white-space: nowrap;
+  overflow: hidden;
+  text-overflow: ellipsis;
+  padding: 0 4px;
+}
+
+.block-timeline-segment.is-off-air {
+  background: rgba(248, 113, 113, 0.5);
+  border-right: 1px solid rgba(0, 0, 0, 0.3);
+}
+
+.block-timeline-segment.is-programming {
+  background: rgba(96, 165, 250, 0.5);
+  border-right: 1px solid rgba(0, 0, 0, 0.3);
+}
diff --git a/pyproject.toml b/pyproject.toml
index 749407a..a20691b 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -17,3 +17,13 @@ dependencies = [
     "pytest-sugar>=1.1.1",
     "yt-dlp>=2026.3.3",
 ]
+
+[project.scripts]
+make_user = "core.scripts.make_user:main"
+
+[tool.uv]
+package = true
+
+[tool.setuptools.packages.find]
+include = ["api*", "core*", "pytv*"]
+exclude = ["frontend*", "node_modules*", "assets*", "mock*", "cache*", "tests*"]
\ No newline at end of file
diff --git a/pytv/settings.py b/pytv/settings.py
index 8d11831..4b44bb5 100644
--- a/pytv/settings.py
+++ b/pytv/settings.py
@@ -37,6 +37,8 @@ DEBUG = env('DEBUG')
 
 ALLOWED_HOSTS = ['localhost', '127.0.0.1', '0.0.0.0']
 CORS_ALLOW_ALL_ORIGINS = True  # Allows Vite dev server to connect
+CORS_ALLOW_CREDENTIALS = True
+CSRF_TRUSTED_ORIGINS = ['http://localhost:5173', 'http://127.0.0.1:5173']
 
 # Application definition
 
@@ -123,6 +125,11 @@ USE_TZ = True
 
 AUTH_USER_MODEL = 'core.AppUser'
 
+# Session lifetime: keep login persistent for a bounded time window.
+SESSION_COOKIE_AGE = env.int('SESSION_COOKIE_AGE', default=60 * 60 * 24 * 7)  # 7 days
+SESSION_EXPIRE_AT_BROWSER_CLOSE = env.bool('SESSION_EXPIRE_AT_BROWSER_CLOSE', default=False)
+SESSION_SAVE_EVERY_REQUEST = True
+
 
 # Static files (CSS, JavaScript, Images)
 # https://docs.djangoproject.com/en/6.0/howto/static-files/
@@ -131,3 +138,7 @@ STATIC_URL = "static/"
 
 # YouTube video cache directory (used by core.services.youtube and cache_upcoming command)
 MEDIA_ROOT = env('MEDIA_ROOT', default='/tmp/pytv_cache')
+
+# Backups are always written to a fixed in-container location.
+BACKUP_ROOT = env('BACKUP_ROOT', default='/Backups')
+
diff --git a/tests/test_channel_auth.py b/tests/test_channel_auth.py
new file mode 100644
index 0000000..533f1a5
--- /dev/null
+++ b/tests/test_channel_auth.py
@@ -0,0 +1,68 @@
+import pytest
+from core.models import AppUser, Channel, Library
+from django.urls import reverse
+from datetime import datetime, timedelta
+from django.utils import timezone
+
+@pytest.mark.django_db
+class TestChannelAuthEnforcement:
+    def setup_method(self):
+        # Create user and library
+        self.user = AppUser.objects.create_user(
+            username="testuser",
+            password="password123",
+            email="test@example.com"
+        )
+        self.library = Library.objects.create(
+            owner_user=self.user,
+            name="Test Library"
+        )
+        
+        # Create a channel that requires auth
+        self.protected_channel = Channel.objects.create(
+            owner_user=self.user,
+            library=self.library,
+            name="Protected Channel",
+            slug="protected-channel",
+            requires_auth=True
+        )
+        
+        # Create a channel that does not require auth
+        self.public_channel = Channel.objects.create(
+            owner_user=self.user,
+            library=self.library,
+            name="Public Channel",
+            slug="public-channel",
+            requires_auth=False
+        )
+
+    def test_unauthenticated_access_to_protected_channel_now(self, client):
+        response = client.get(f"/api/channel/{self.protected_channel.id}/now")
+        assert response.status_code == 401
+        
+    def test_authenticated_access_to_protected_channel_now(self, client):
+        client.login(username="testuser", password="password123")
+        response = client.get(f"/api/channel/{self.protected_channel.id}/now")
+        assert response.status_code == 200
+        
+    def test_unauthenticated_access_to_public_channel_now(self, client):
+        response = client.get(f"/api/channel/{self.public_channel.id}/now")
+        assert response.status_code == 200
+
+    def test_unauthenticated_access_to_protected_channel_airings(self, client):
+        response = client.get(f"/api/channel/{self.protected_channel.id}/airings")
+        assert response.status_code == 401
+        
+    def test_authenticated_access_to_protected_channel_airings(self, client):
+        client.login(username="testuser", password="password123")
+        response = client.get(f"/api/channel/{self.protected_channel.id}/airings")
+        assert response.status_code == 200
+
+    def test_unauthenticated_access_to_protected_channel_status(self, client):
+        response = client.get(f"/api/channel/{self.protected_channel.id}/status")
+        assert response.status_code == 401
+        
+    def test_authenticated_access_to_protected_channel_status(self, client):
+        client.login(username="testuser", password="password123")
+        response = client.get(f"/api/channel/{self.protected_channel.id}/status")
+        assert response.status_code == 200
diff --git a/uv.lock b/uv.lock
index 0a9cf32..0d68efa 100644
--- a/uv.lock
+++ b/uv.lock
@@ -333,7 +333,7 @@ wheels = [
 [[package]]
 name = "pytv"
 version = "0.1.0"
-source = { virtual = "." }
+source = { editable = "." }
 dependencies = [
     { name = "django" },
     { name = "django-cors-headers" },