fix(dl): normalize non-scene episode folder/file naming

Ensure episode downloads use a consistent non-scene layout when
`scene_naming` is disabled by:

- adding a sanitized series-title directory before season/episode folders
  for sidecars, sample-based paths, and muxed outputs
- updating `Episode.get_filename()` to return `Season XX` for folder names
  in non-scene mode
- generating non-scene episode file names as
  `Title SXXEXX - Episode Name`
- adding token append helpers to avoid duplicate/empty naming tokens

This keeps output paths predictable across download stages and prevents
naming inconsistencies or duplicated suffixes.fix(dl): normalize non-scene episode folder/file naming

Ensure episode downloads use a consistent non-scene layout when
`scene_naming` is disabled by:

- adding a sanitized series-title directory before season/episode folders
  for sidecars, sample-based paths, and muxed outputs
- updating `Episode.get_filename()` to return `Season XX` for folder names
  in non-scene mode
- generating non-scene episode file names as
  `Title SXXEXX - Episode Name`
- adding token append helpers to avoid duplicate/empty naming tokens

This keeps output paths predictable across download stages and prevents
naming inconsistencies or duplicated suffixes.

.gitignore

@@ -1,5 +1,4 @@
 # unshackle
-unshackle.yaml
 unshackle.yml
 update_check.json
 *.mkv
@@ -26,7 +25,8 @@ unshackle/WVDs/
 unshackle/PRDs/
 temp/
 logs/
-services/
+Temp/
+binaries/
 
 # Byte-compiled / optimized / DLL files
 __pycache__/
@@ -237,3 +237,4 @@ CLAUDE.md
 marimo/_static/
 marimo/_lsp/
 __marimo__/
+Cache

unshackle/commands/dl.py

@@ -60,7 +60,7 @@ from unshackle.core.tracks import Audio, Subtitle, Tracks, Video
 from unshackle.core.tracks.attachment import Attachment
 from unshackle.core.tracks.hybrid import Hybrid
 from unshackle.core.utilities import (find_font_with_fallbacks, get_debug_logger, get_system_fonts, init_debug_logger,
-                                      is_close_match, suggest_font_packages, time_elapsed_since)
+                                      is_close_match, sanitize_filename, suggest_font_packages, time_elapsed_since)
 from unshackle.core.utils import tags
 from unshackle.core.utils.click_types import (AUDIO_CODEC_LIST, LANGUAGE_RANGE, QUALITY_LIST, SEASON_RANGE,
                                               ContextData, MultipleChoice, SubtitleCodecChoice, VideoCodecChoice)
@@ -2015,6 +2015,8 @@ class dl:
 
                                 sidecar_dir = config.directories.downloads
                                 if not no_folder and isinstance(title, (Episode, Song)) and media_info:
+                                    if isinstance(title, Episode) and not config.scene_naming:
+                                        sidecar_dir /= sanitize_filename(title.title.replace("$", "S"), " ")
                                     sidecar_dir /= title.get_filename(media_info, show_service=not no_source, folder=True)
                                 sidecar_dir.mkdir(parents=True, exist_ok=True)
 
@@ -2080,6 +2082,8 @@ class dl:
                         )
                         if sample_track and sample_track.path:
                             media_info = MediaInfo.parse(sample_track.path)
+                            if isinstance(title, Episode) and not config.scene_naming:
+                                final_dir /= sanitize_filename(title.title.replace("$", "S"), " ")
                             final_dir /= title.get_filename(media_info, show_service=not no_source, folder=True)
 
                     final_dir.mkdir(parents=True, exist_ok=True)
@@ -2122,6 +2126,8 @@ class dl:
                         audio_codec_suffix = muxed_audio_codecs.get(muxed_path)
 
                         if not no_folder and isinstance(title, (Episode, Song)):
+                            if isinstance(title, Episode) and not config.scene_naming:
+                                final_dir /= sanitize_filename(title.title.replace("$", "S"), " ")
                             final_dir /= title.get_filename(media_info, show_service=not no_source, folder=True)
 
                         final_dir.mkdir(parents=True, exist_ok=True)

unshackle/commands/serve.py

@@ -14,7 +14,7 @@ from unshackle.core.constants import context_settings
     short_help="Serve your Local Widevine/PlayReady Devices and REST API for Remote Access.",
     context_settings=context_settings,
 )
-@click.option("-h", "--host", type=str, default="127.0.0.1", help="Host to serve from.")
+@click.option("-h", "--host", type=str, default="0.0.0.0", help="Host to serve from.")
 @click.option("-p", "--port", type=int, default=8786, help="Port to serve from.")
 @click.option("--caddy", is_flag=True, default=False, help="Also serve with Caddy.")
 @click.option(

unshackle/core/titles/episode.py

@@ -123,14 +123,36 @@ class Episode(Title):
                 scan_suffix = "i"
             return f"{resolution}{scan_suffix}"
 
+        def _append_token(current: str, token: Optional[str]) -> str:
+            token = (token or "").strip()
+            current = current.rstrip()
+            if not token:
+                return current
+            if current.endswith(f" {token}"):
+                return current
+            return f"{current} {token}"
+
+        def _append_unique_token(tokens: list[str], token: Optional[str]) -> None:
+            token = (token or "").strip()
+            if token and token not in tokens:
+                tokens.append(token)
+
+        if folder and not config.scene_naming:
+            return sanitize_filename(f"Season {self.season:02}", " ")
+
+        non_scene_episode_file = not config.scene_naming and not folder
+        extra_tokens: list[str] = []
+
         # Title [Year] SXXEXX Name (or Title [Year] SXX if folder)
         if folder:
             name = f"{self.title}"
             if self.year and config.series_year:
                 name += f" {self.year}"
             name += f" S{self.season:02}"
-        else:
-            if config.dash_naming:
+        elif non_scene_episode_file:
+            episode_label = self.name or f"Episode {self.number:02}"
+            name = f"{self.title.replace('$', 'S')} S{self.season:02}E{self.number:02} - {episode_label}"
+        elif config.dash_naming:
             # Format: Title - SXXEXX - Episode Name
             name = self.title.replace("$", "S")  # e.g., Arli$$
 
@@ -159,10 +181,13 @@ class Episode(Title):
         if primary_video_track:
             resolution_token = _get_resolution_token(primary_video_track)
             if resolution_token:
+                if non_scene_episode_file:
+                    _append_unique_token(extra_tokens, resolution_token)
+                else:
                     name += f" {resolution_token}"
 
         # Service (use track source if available)
-        if show_service:
+        if show_service and config.scene_naming:
             source_name = None
             if self.tracks:
                 first_track = next(iter(self.tracks), None)
@@ -171,14 +196,21 @@ class Episode(Title):
             name += f" {source_name or self.service.__name__}"
 
         # 'WEB-DL'
+        if config.scene_naming:
             name += " WEB-DL"
 
         # DUAL
         if unique_audio_languages == 2:
+            if non_scene_episode_file:
+                _append_unique_token(extra_tokens, "DUAL")
+            else:
                 name += " DUAL"
 
         # MULTi
         if unique_audio_languages > 2:
+            if non_scene_episode_file:
+                _append_unique_token(extra_tokens, "MULTi")
+            else:
                 name += " MULTi"
 
         # Audio Codec + Channels (+ feature)
@@ -194,8 +226,15 @@ class Episode(Title):
                 channels = float(channel_count)
 
             features = primary_audio_track.format_additionalfeatures or ""
-            name += f" {AUDIO_CODEC_MAP.get(codec, codec)}{channels:.1f}"
+            audio_token = f"{AUDIO_CODEC_MAP.get(codec, codec)}{channels:.1f}"
+            if non_scene_episode_file:
+                _append_unique_token(extra_tokens, audio_token)
+            else:
+                name += f" {audio_token}"
             if "JOC" in features or primary_audio_track.joc:
+                if non_scene_episode_file:
+                    _append_unique_token(extra_tokens, "Atmos")
+                else:
                     name += " Atmos"
 
         # Video (dynamic range + hfr +) Codec
@@ -210,36 +249,55 @@ class Episode(Title):
             )
             frame_rate = float(primary_video_track.frame_rate)
 
-            def _append_token(current: str, token: Optional[str]) -> str:
-                token = (token or "").strip()
-                current = current.rstrip()
-                if not token:
-                    return current
-                if current.endswith(f" {token}"):
-                    return current
-                return f"{current} {token}"
-
             # Primary HDR format detection
             if hdr_format:
                 if hdr_format_full.startswith("Dolby Vision"):
+                    if non_scene_episode_file:
+                        _append_unique_token(extra_tokens, "DV")
+                    else:
                         name = _append_token(name, "DV")
                     if any(
                         indicator in (hdr_format_full + " " + hdr_format)
                         for indicator in ["HDR10", "SMPTE ST 2086"]
                     ):
+                        if non_scene_episode_file:
+                            _append_unique_token(extra_tokens, "HDR")
+                        else:
                             name = _append_token(name, "HDR")
                 elif "HDR Vivid" in hdr_format:
+                    if non_scene_episode_file:
+                        _append_unique_token(extra_tokens, "HDR")
+                    else:
                         name = _append_token(name, "HDR")
                 else:
                     dynamic_range = DYNAMIC_RANGE_MAP.get(hdr_format) or hdr_format or ""
+                    if non_scene_episode_file:
+                        _append_unique_token(extra_tokens, dynamic_range)
+                    else:
                         name = _append_token(name, dynamic_range)
             elif "HLG" in trc or "Hybrid Log-Gamma" in trc or "ARIB STD-B67" in trc or "arib-std-b67" in trc.lower():
+                if non_scene_episode_file:
+                    _append_unique_token(extra_tokens, "HLG")
+                else:
                     name += " HLG"
             elif any(indicator in trc for indicator in ["PQ", "SMPTE ST 2084", "BT.2100"]) or "smpte2084" in trc.lower() or "bt.2020-10" in trc.lower():
+                if non_scene_episode_file:
+                    _append_unique_token(extra_tokens, "HDR")
+                else:
                     name += " HDR"
             if frame_rate > 30:
+                if non_scene_episode_file:
+                    _append_unique_token(extra_tokens, "HFR")
+                else:
                     name += " HFR"
-            name += f" {VIDEO_CODEC_MAP.get(codec, codec)}"
+            video_codec_token = VIDEO_CODEC_MAP.get(codec, codec)
+            if non_scene_episode_file:
+                _append_unique_token(extra_tokens, video_codec_token)
+            else:
+                name += f" {video_codec_token}"
+
+        if non_scene_episode_file and extra_tokens:
+            name += f" - {' '.join(extra_tokens)}"
 
         if config.tag:
             name += f"-{config.tag}"

unshackle/core/titles/movie.py

@@ -1,3 +1,5 @@
+import re
+import unicodedata
 from abc import ABC
 from typing import Any, Iterable, Optional, Union
 
@@ -5,6 +7,7 @@ from langcodes import Language
 from pymediainfo import MediaInfo
 from rich.tree import Tree
 from sortedcontainers import SortedKeyList
+from unidecode import unidecode
 
 from unshackle.core.config import config
 from unshackle.core.constants import AUDIO_CODEC_MAP, DYNAMIC_RANGE_MAP, VIDEO_CODEC_MAP
@@ -52,6 +55,18 @@ class Movie(Title):
             return f"{self.name} ({self.year})"
         return self.name
 
+    @staticmethod
+    def _sanitize_non_scene_filename(filename: str) -> str:
+        if not config.unicode_filenames:
+            filename = unidecode(filename)
+
+        filename = "".join(c for c in filename if unicodedata.category(c) != "Mn")
+        filename = filename.replace("/", " & ").replace(";", " & ")
+        filename = re.sub(r"[\\:*!?¿,'\"<>|$#~]", "", filename)
+        filename = re.sub(r"\s{2,}", " ", filename)
+
+        return filename.strip()
+
     def get_filename(self, media_info: MediaInfo, folder: bool = False, show_service: bool = True) -> str:
         primary_video_track = next(iter(media_info.video_tracks), None)
         primary_audio_track = None
@@ -89,7 +104,11 @@ class Movie(Title):
             return f"{resolution}{scan_suffix}"
 
         # Name (Year)
-        name = str(self).replace("$", "S")  # e.g., Arli$$
+        name = self.name.replace("$", "S")  # e.g., Arli$$
+        if self.year:
+            name = f"{name} ({self.year})"
+            if not config.scene_naming:
+                name += " -"
 
         if primary_video_track:
             resolution_token = _get_resolution_token(primary_video_track)
@@ -179,7 +198,9 @@ class Movie(Title):
         if config.tag:
             name += f"-{config.tag}"
 
-        return sanitize_filename(name, "." if config.scene_naming else " ")
+        if config.scene_naming:
+            return sanitize_filename(name, ".")
+        return self._sanitize_non_scene_filename(name)
 
 
 class Movies(SortedKeyList, ABC):

unshackle/services/Netflix/MSL/MSLKeys.py

@@ -0,0 +1,10 @@
+from .MSLObject import MSLObject
+
+
+class MSLKeys(MSLObject):
+    def __init__(self, encryption=None, sign=None, rsa=None, mastertoken=None, cdm_session=None):
+        self.encryption = encryption
+        self.sign = sign
+        self.rsa = rsa
+        self.mastertoken = mastertoken
+        self.cdm_session = cdm_session

unshackle/services/Netflix/MSL/MSLObject.py

@@ -0,0 +1,6 @@
+import jsonpickle
+
+
+class MSLObject:
+    def __repr__(self):
+        return "<{} {}>".format(self.__class__.__name__, jsonpickle.encode(self, unpicklable=False))

unshackle/services/Netflix/MSL/__init__.py

@@ -0,0 +1,416 @@
+import base64
+import gzip
+import json
+import logging
+import os
+import random
+import re
+import sys
+import time
+import zlib
+from datetime import datetime
+from io import BytesIO
+from typing import Optional, Any
+
+import jsonpickle
+import requests
+from Cryptodome.Cipher import AES, PKCS1_OAEP
+from Cryptodome.Hash import HMAC, SHA256
+from Cryptodome.PublicKey import RSA
+from Cryptodome.Random import get_random_bytes
+from Cryptodome.Util import Padding
+
+from unshackle.core.cacher import Cacher
+
+from .MSLKeys import MSLKeys
+from .schemes import EntityAuthenticationSchemes  # noqa: F401
+from .schemes import KeyExchangeSchemes
+from .schemes.EntityAuthentication import EntityAuthentication
+from .schemes.KeyExchangeRequest import KeyExchangeRequest
+from pywidevine import Cdm, PSSH, Key
+
+class MSL:
+    log = logging.getLogger("MSL")
+
+    def __init__(self, session, endpoint, sender, keys, message_id, user_auth=None):
+        self.session = session
+        self.endpoint = endpoint
+        self.sender = sender
+        self.keys = keys
+        self.user_auth = user_auth
+        self.message_id = message_id
+
+    @classmethod
+    def handshake(cls, scheme: KeyExchangeSchemes, session: requests.Session, endpoint: str, sender: str, cache: Cacher, cdm: Optional[Cdm] = None, config: Any = None):
+        cache = cache.get(sender)
+        message_id = random.randint(0, pow(2, 52))
+        msl_keys = MSL.load_cache_data(cache)
+
+        if msl_keys is not None:
+            cls.log.info("Using cached MSL data")
+        else:
+            msl_keys = MSLKeys()
+            if scheme != KeyExchangeSchemes.Widevine:
+                msl_keys.rsa = RSA.generate(2048)
+
+
+            if scheme == KeyExchangeSchemes.Widevine:
+                if not cdm:
+                    raise Exception('Key exchange scheme Widevine but CDM instance is None.')
+                
+                session_id = cdm.open()
+                msl_keys.cdm_session = session_id
+                cdm.set_service_certificate(session_id, config["certificate"])
+                challenge = cdm.get_license_challenge(
+                    session_id=session_id,
+                    pssh=PSSH("AAAANHBzc2gAAAAA7e+LqXnWSs6jyCfc1R0h7QAAABQIARIQAAAAAAPSZ0kAAAAAAAAAAA=="),
+                    license_type="OFFLINE",
+                    privacy_mode=True,
+
+                )
+                keyrequestdata = KeyExchangeRequest.Widevine(challenge)
+                entityauthdata = EntityAuthentication.Unauthenticated(sender)
+                # entityauthdata = EntityAuthentication.Widevine("TV", base64.b64encode(challenge).decode())
+            else:
+                entityauthdata = EntityAuthentication.Unauthenticated(sender)
+                keyrequestdata = KeyExchangeRequest.AsymmetricWrapped(
+                    keypairid="superKeyPair",
+                    mechanism="JWK_RSA",
+                    publickey=msl_keys.rsa.publickey().exportKey(format="DER")
+                )
+
+            data = jsonpickle.encode({
+                "entityauthdata": entityauthdata,
+                "headerdata": base64.b64encode(MSL.generate_msg_header(
+                    message_id=message_id,
+                    sender=sender,
+                    is_handshake=True,
+                    keyrequestdata=keyrequestdata
+                ).encode("utf-8")).decode("utf-8"),
+                "signature": ""
+            }, unpicklable=False)
+            data += json.dumps({
+                "payload": base64.b64encode(json.dumps({
+                    "messageid": message_id,
+                    "data": "",
+                    "sequencenumber": 1,
+                    "endofmsg": True
+                }).encode("utf-8")).decode("utf-8"),
+                "signature": ""
+            })
+
+            try:
+                r = session.post(
+                    url=endpoint,
+                    data=data
+                )
+            except requests.HTTPError as e:
+                raise Exception(f"- Key exchange failed, response data is unexpected: {e.response.text}")
+
+            key_exchange = r.json()  # expecting no payloads, so this is fine
+            if "errordata" in key_exchange:
+                raise Exception("- Key exchange failed: " + json.loads(base64.b64decode(
+                    key_exchange["errordata"]
+                ).decode())["errormsg"])
+
+            # parse the crypto keys
+            key_response_data = json.JSONDecoder().decode(base64.b64decode(
+                key_exchange["headerdata"]
+            ).decode("utf-8"))["keyresponsedata"]
+
+            if key_response_data["scheme"] != str(scheme):
+                raise Exception("- Key exchange scheme mismatch occurred")
+
+            key_data = key_response_data["keydata"]
+            if scheme == KeyExchangeSchemes.Widevine:
+                if not msl_keys.cdm_session:
+                    raise Exception("- No CDM session available")
+                if not cdm:
+                    raise Exception("- No CDM available")
+                cdm.parse_license(msl_keys.cdm_session, key_data["cdmkeyresponse"])
+                keys = cdm.get_keys(msl_keys.cdm_session)
+                cls.log.info(f"Keys: {keys}")
+                encryption_key = MSL.get_widevine_key(
+                    kid=base64.b64decode(key_data["encryptionkeyid"]),
+                    keys=keys,
+                    permissions=["allow_encrypt", "allow_decrypt"]
+                )
+                msl_keys.encryption = encryption_key
+                cls.log.info(f"Encryption key: {encryption_key}")
+                sign = MSL.get_widevine_key(
+                    kid=base64.b64decode(key_data["hmackeyid"]),
+                    keys=keys,
+                    permissions=["allow_sign", "allow_signature_verify"]
+                )
+                cls.log.info(f"Sign key: {sign}")
+                msl_keys.sign = sign
+            
+            elif scheme == KeyExchangeSchemes.AsymmetricWrapped:
+                cipher_rsa = PKCS1_OAEP.new(msl_keys.rsa)
+                msl_keys.encryption = MSL.base64key_decode(
+                    json.JSONDecoder().decode(cipher_rsa.decrypt(
+                        base64.b64decode(key_data["encryptionkey"])
+                    ).decode("utf-8"))["k"]
+                )
+                msl_keys.sign = MSL.base64key_decode(
+                    json.JSONDecoder().decode(cipher_rsa.decrypt(
+                        base64.b64decode(key_data["hmackey"])
+                    ).decode("utf-8"))["k"]
+                )
+            
+            msl_keys.mastertoken = key_response_data["mastertoken"]
+
+            MSL.cache_keys(msl_keys, cache)
+            cls.log.info("MSL handshake successful")
+        return cls(
+            session=session,
+            endpoint=endpoint,
+            sender=sender,
+            keys=msl_keys,
+            message_id=message_id
+        )
+
+    @staticmethod
+    def load_cache_data(cacher: Cacher):
+        if not cacher or cacher == {}:
+            return None
+        # with open(msl_keys_path, encoding="utf-8") as fd:
+        #     msl_keys = jsonpickle.decode(fd.read())
+        msl_keys = cacher.data
+        if msl_keys.rsa:
+            # noinspection PyTypeChecker
+            # expects RsaKey, but is a string, this is because jsonpickle can't pickle RsaKey object
+            # so as a workaround it exports to PEM, and then when reading, it imports that PEM back
+            # to an RsaKey :)
+            msl_keys.rsa = RSA.importKey(msl_keys.rsa)
+        # If it's expired or close to, return None as it's unusable
+        if msl_keys.mastertoken and ((datetime.utcfromtimestamp(int(json.JSONDecoder().decode(
+                base64.b64decode(msl_keys.mastertoken["tokendata"]).decode("utf-8")
+        )["expiration"])) - datetime.now()).total_seconds() / 60 / 60) < 10:
+            return None
+        return msl_keys
+
+    @staticmethod
+    def cache_keys(msl_keys, cache: Cacher):
+        # os.makedirs(os.path.dirname(cache), exist_ok=True)
+        if msl_keys.rsa:
+            # jsonpickle can't pickle RsaKey objects :(
+            msl_keys.rsa = msl_keys.rsa.export_key()
+        # with open(cache, "w", encoding="utf-8") as fd:
+        #     fd.write()
+        cache.set(msl_keys)
+        if msl_keys.rsa:
+            # re-import now
+            msl_keys.rsa = RSA.importKey(msl_keys.rsa)
+
+    @staticmethod
+    def generate_msg_header(message_id, sender, is_handshake, userauthdata=None, keyrequestdata=None,
+                            compression="GZIP"):
+        """
+        The MSL header carries all MSL data used for entity and user authentication, message encryption
+        and verification, and service tokens. Portions of the MSL header are encrypted.
+        https://github.com/Netflix/msl/wiki/Messages#header-data
+
+        :param message_id: number against which payload chunks are bound to protect against replay.
+        :param sender: ESN
+        :param is_handshake: This flag is set true if the message is a handshake message and will not include any
+        payload chunks. It will include keyrequestdata.
+        :param userauthdata: UserAuthData
+        :param keyrequestdata: KeyRequestData
+        :param compression: Supported compression algorithms.
+
+        :return: The base64 encoded JSON String of the header
+        """
+        header_data = {
+            "messageid": message_id,
+            "renewable": True,  # MUST be True if is_handshake
+            "handshake": is_handshake,
+            "capabilities": {
+                "compressionalgos": [compression] if compression else [],
+                "languages": ["en-US"],  # bcp-47
+                "encoderformats": ["JSON"]
+            },
+            "timestamp": int(time.time()),
+            # undocumented or unused:
+            "sender": sender,
+            "nonreplayable": False,
+            "recipient": "Netflix",
+        }
+        if userauthdata:
+            header_data["userauthdata"] = userauthdata
+        if keyrequestdata:
+            header_data["keyrequestdata"] = [keyrequestdata]
+        return jsonpickle.encode(header_data, unpicklable=False)
+
+    @classmethod
+    def get_widevine_key(cls, kid, keys: list[Key], permissions):
+        cls.log.info(f"KID: {Key.kid_to_uuid(kid)}")
+        for key in keys:
+            # cls.log.info(f"KEY: {key.kid_to_uuid}")
+            if key.kid != Key.kid_to_uuid(kid):
+                continue
+            if key.type != "OPERATOR_SESSION":
+                cls.log.warning(f"Widevine Key Exchange: Wrong key type (not operator session) key {key}")
+                continue
+            if not set(permissions) <= set(key.permissions):
+                cls.log.warning(f"Widevine Key Exchange: Incorrect permissions, key {key}, needed perms {permissions}")
+                continue
+            return key.key
+        return None
+
+    def send_message(self, endpoint, params, application_data, userauthdata=None):
+        message = self.create_message(application_data, userauthdata)
+        res = self.session.post(url=endpoint, data=message, params=params)
+        header, payload_data = self.parse_message(res.text)
+        if "errordata" in header:
+            raise Exception(
+                "- MSL response message contains an error: {}".format(
+                    json.loads(base64.b64decode(header["errordata"].encode("utf-8")).decode("utf-8"))
+                )
+            )
+        return header, payload_data
+
+    def create_message(self, application_data, userauthdata=None):
+        self.message_id += 1  # new message must ue a new message id
+        headerdata = self.encrypt(self.generate_msg_header(
+            message_id=self.message_id,
+            sender=self.sender,
+            is_handshake=False,
+            userauthdata=userauthdata
+        ))
+
+        header = json.dumps({
+            "headerdata": base64.b64encode(headerdata.encode("utf-8")).decode("utf-8"),
+            "signature": self.sign(headerdata).decode("utf-8"),
+            "mastertoken": self.keys.mastertoken
+        })
+
+        payload_chunks = [self.encrypt(json.dumps({
+            "messageid": self.message_id,
+            "data": self.gzip_compress(json.dumps(application_data).encode("utf-8")).decode("utf-8"),
+            "compressionalgo": "GZIP",
+            "sequencenumber": 1,  # todo ; use sequence_number from master token instead?
+            "endofmsg": True
+        }))]
+
+        message = header
+        for payload_chunk in payload_chunks:
+            message += json.dumps({
+                "payload": base64.b64encode(payload_chunk.encode("utf-8")).decode("utf-8"),
+                "signature": self.sign(payload_chunk).decode("utf-8")
+            })
+
+        return message
+
+    def decrypt_payload_chunks(self, payload_chunks):
+        """
+        Decrypt and extract data from payload chunks
+
+        :param payload_chunks: List of payload chunks
+        :return: json object
+        """
+        raw_data = ""
+
+        for payload_chunk in payload_chunks:
+            # todo ; verify signature of payload_chunk["signature"] against payload_chunk["payload"]
+            # expecting base64-encoded json string
+            payload_chunk = json.loads(base64.b64decode(payload_chunk["payload"]).decode("utf-8"))
+            # decrypt the payload
+            payload_decrypted = AES.new(
+                key=self.keys.encryption,
+                mode=AES.MODE_CBC,
+                iv=base64.b64decode(payload_chunk["iv"])
+            ).decrypt(base64.b64decode(payload_chunk["ciphertext"]))
+            payload_decrypted = Padding.unpad(payload_decrypted, 16)
+            payload_decrypted = json.loads(payload_decrypted.decode("utf-8"))
+            # decode and uncompress data if compressed
+            payload_data = base64.b64decode(payload_decrypted["data"])
+            if payload_decrypted.get("compressionalgo") == "GZIP":
+                payload_data = zlib.decompress(payload_data, 16 + zlib.MAX_WBITS)
+            raw_data += payload_data.decode("utf-8")
+
+        data = json.loads(raw_data)
+        if "error" in data:
+            error = data["error"]
+            error_display = error.get("display")
+            error_detail = re.sub(r" \(E3-[^)]+\)", "", error.get("detail", ""))
+
+            if error_display:
+               self.log.critical(f"- {error_display}")
+            if error_detail:
+               self.log.critical(f"- {error_detail}")
+
+            if not (error_display or error_detail):
+                self.log.critical(f"- {error}")
+            raise Exception(f"- MSL response message contains an error: {error}")
+            # sys.exit(1)
+
+        return data["result"]
+
+    def parse_message(self, message):
+        """
+        Parse an MSL message into a header and list of payload chunks
+
+        :param message: MSL message
+        :returns: a 2-item tuple containing message and list of payload chunks if available
+        """
+        parsed_message = json.loads("[{}]".format(message.replace("}{", "},{")))
+
+        header = parsed_message[0]
+        encrypted_payload_chunks = parsed_message[1:] if len(parsed_message) > 1 else []
+        if encrypted_payload_chunks:
+            payload_chunks = self.decrypt_payload_chunks(encrypted_payload_chunks)
+        else:
+            payload_chunks = {}
+
+        return header, payload_chunks
+
+    @staticmethod
+    def gzip_compress(data):
+        out = BytesIO()
+        with gzip.GzipFile(fileobj=out, mode="w") as fd:
+            fd.write(data)
+        return base64.b64encode(out.getvalue())
+
+    @staticmethod
+    def base64key_decode(payload):
+        length = len(payload) % 4
+        if length == 2:
+            payload += "=="
+        elif length == 3:
+            payload += "="
+        elif length != 0:
+            raise ValueError("Invalid base64 string")
+        return base64.urlsafe_b64decode(payload.encode("utf-8"))
+
+    def encrypt(self, plaintext):
+        """
+        Encrypt the given Plaintext with the encryption key
+        :param plaintext:
+        :return: Serialized JSON String of the encryption Envelope
+        """
+        iv = get_random_bytes(16)
+        return json.dumps({
+            "ciphertext": base64.b64encode(
+                AES.new(
+                    self.keys.encryption,
+                    AES.MODE_CBC,
+                    iv
+                ).encrypt(
+                    Padding.pad(plaintext.encode("utf-8"), 16)
+                )
+            ).decode("utf-8"),
+            "keyid": "{}_{}".format(self.sender, json.loads(
+                base64.b64decode(self.keys.mastertoken["tokendata"]).decode("utf-8")
+            )["sequencenumber"]),
+            "sha256": "AA==",
+            "iv": base64.b64encode(iv).decode("utf-8")
+        })
+
+    def sign(self, text):
+        """
+        Calculates the HMAC signature for the given text with the current sign key and SHA256
+        :param text:
+        :return: Base64 encoded signature
+        """
+        return base64.b64encode(HMAC.new(self.keys.sign, text.encode("utf-8"), SHA256).digest())

unshackle/services/Netflix/MSL/schemes/EntityAuthentication.py

@@ -0,0 +1,59 @@
+from .. import EntityAuthenticationSchemes
+from ..MSLObject import MSLObject
+
+
+# noinspection PyPep8Naming
+class EntityAuthentication(MSLObject):
+    def __init__(self, scheme, authdata):
+        """
+        Data used to identify and authenticate the entity associated with a message.
+        https://github.com/Netflix/msl/wiki/Entity-Authentication-%28Configuration%29
+
+        :param scheme: Entity Authentication Scheme identifier
+        :param authdata: Entity Authentication data
+        """
+        self.scheme = str(scheme)
+        self.authdata = authdata
+
+    @classmethod
+    def Unauthenticated(cls, identity):
+        """
+        The unauthenticated entity authentication scheme does not provide encryption or authentication and only
+        identifies the entity. Therefore entity identities can be harvested and spoofed. The benefit of this
+        authentication scheme is that the entity has control over its identity. This may be useful if the identity is
+        derived from or related to other data, or if retaining the identity is desired across state resets or in the
+        event of MSL errors requiring entity re-authentication.
+        """
+        return cls(
+            scheme=EntityAuthenticationSchemes.Unauthenticated,
+            authdata={"identity": identity}
+        )
+
+    @classmethod
+    def Widevine(cls, devtype, keyrequest):
+        """
+        The Widevine entity authentication scheme is used by devices with the Widevine CDM. It does not provide
+        encryption or authentication and only identifies the entity. Therefore entity identities can be harvested
+        and spoofed. The entity identity is composed from the provided device type and Widevine key request data. The
+        Widevine CDM properties can be extracted from the key request data.
+
+        When coupled with the Widevine key exchange scheme, the entity identity can be cryptographically validated by
+        comparing the entity authentication key request data against the key exchange key request data.
+
+        Note that the local entity will not know its entity identity when using this scheme.
+
+        > Devtype
+
+        An arbitrary value identifying the device type the local entity wishes to assume. The data inside the Widevine
+        key request may be optionally used to validate the claimed device type.
+
+        :param devtype: Local entity device type
+        :param keyrequest: Widevine key request
+        """
+        return cls(
+            scheme=EntityAuthenticationSchemes.Widevine,
+            authdata={
+                "devtype": devtype,
+                "keyrequest": keyrequest
+            }
+        )

unshackle/services/Netflix/MSL/schemes/KeyExchangeRequest.py

@@ -0,0 +1,80 @@
+import base64
+
+from .. import KeyExchangeSchemes
+from ..MSLObject import MSLObject
+
+
+# noinspection PyPep8Naming
+class KeyExchangeRequest(MSLObject):
+    def __init__(self, scheme, keydata):
+        """
+        Session key exchange data from a requesting entity.
+        https://github.com/Netflix/msl/wiki/Key-Exchange-%28Configuration%29
+
+        :param scheme: Key Exchange Scheme identifier
+        :param keydata: Key Request data
+        """
+        self.scheme = str(scheme)
+        self.keydata = keydata
+
+    @classmethod
+    def AsymmetricWrapped(cls, keypairid, mechanism, publickey):
+        """
+        Asymmetric wrapped key exchange uses a generated ephemeral asymmetric key pair for key exchange. It will
+        typically be used when there is no other data or keys from which to base secure key exchange.
+
+        This mechanism provides perfect forward secrecy but does not guarantee that session keys will only be available
+        to the requesting entity if the requesting MSL stack has been modified to perform the operation on behalf of a
+        third party.
+
+        > Key Pair ID
+
+        The key pair ID is included as a sanity check.
+
+        > Mechanism & Public Key
+
+        The following mechanisms are associated public key formats are currently supported.
+
+            Field 	    Public  Key Format 	Description
+            RSA 	    SPKI 	RSA-OAEP    encrypt/decrypt
+            ECC 	    SPKI 	ECIES       encrypt/decrypt
+            JWEJS_RSA 	SPKI 	RSA-OAEP    JSON Web Encryption JSON Serialization
+            JWE_RSA 	SPKI 	RSA-OAEP    JSON Web Encryption Compact Serialization
+            JWK_RSA 	SPKI 	RSA-OAEP    JSON Web Key
+            JWK_RSAES 	SPKI 	RSA PKCS#1  JSON Web Key
+
+        :param keypairid: key pair ID
+        :param mechanism: asymmetric key type
+        :param publickey: public key
+        """
+        return cls(
+            scheme=KeyExchangeSchemes.AsymmetricWrapped,
+            keydata={
+                "keypairid": keypairid,
+                "mechanism": mechanism,
+                "publickey": base64.b64encode(publickey).decode("utf-8")
+            }
+        )
+
+    @classmethod
+    def Widevine(cls, keyrequest):
+        """
+        Google Widevine provides a secure key exchange mechanism. When requested the Widevine component will issue a
+        one-time use key request. The Widevine server library can be used to authenticate the request and return
+        randomly generated symmetric keys in a protected key response bound to the request and Widevine client library.
+        The key response also specifies the key identities, types and their permitted usage.
+
+        The Widevine key request also contains a model identifier and a unique device identifier with an expectation of
+        long-term persistence. These values are available from the Widevine client library and can be retrieved from
+        the key request by the Widevine server library.
+
+        The Widevine client library will protect the returned keys from inspection or misuse.
+
+        :param keyrequest: Base64-encoded Widevine CDM license challenge (PSSH: b'\x0A\x7A\x00\x6C\x38\x2B')
+        """
+        if not isinstance(keyrequest, str):
+            keyrequest = base64.b64encode(keyrequest).decode()
+        return cls(
+            scheme=KeyExchangeSchemes.Widevine,
+            keydata={"keyrequest": keyrequest}
+        )

unshackle/services/Netflix/MSL/schemes/UserAuthentication.py

@@ -0,0 +1,59 @@
+from ..MSLObject import MSLObject
+from . import UserAuthenticationSchemes
+
+
+# noinspection PyPep8Naming
+class UserAuthentication(MSLObject):
+    def __init__(self, scheme, authdata):
+        """
+        Data used to identify and authenticate the user associated with a message.
+        https://github.com/Netflix/msl/wiki/User-Authentication-%28Configuration%29
+
+        :param scheme: User Authentication Scheme identifier
+        :param authdata: User Authentication data
+        """
+        self.scheme = str(scheme)
+        self.authdata = authdata
+
+    @classmethod
+    def EmailPassword(cls, email, password):
+        """
+        Email and password is a standard user authentication scheme in wide use.
+
+        :param email: user email address
+        :param password: user password
+        """
+        return cls(
+            scheme=UserAuthenticationSchemes.EmailPassword,
+            authdata={
+                "email": email,
+                "password": password
+            }
+        )
+
+    @classmethod
+    def NetflixIDCookies(cls, netflixid, securenetflixid):
+        """
+        Netflix ID HTTP cookies are used when the user has previously logged in to a web site. Possession of the
+        cookies serves as proof of user identity, in the same manner as they do when communicating with the web site.
+
+        The Netflix ID cookie and Secure Netflix ID cookie are HTTP cookies issued by the Netflix web site after
+        subscriber login. The Netflix ID cookie is encrypted and identifies the subscriber and analogous to a
+        subscriber’s username. The Secure Netflix ID cookie is tied to a Netflix ID cookie and only sent over HTTPS
+        and analogous to a subscriber’s password.
+
+        In some cases the Netflix ID and Secure Netflix ID cookies will be unavailable to the MSL stack or application.
+        If either or both of the Netflix ID or Secure Netflix ID cookies are absent in the above data structure the
+        HTTP cookie headers will be queried for it; this is only acceptable when HTTPS is used as the underlying
+        transport protocol.
+
+        :param netflixid: Netflix ID cookie
+        :param securenetflixid: Secure Netflix ID cookie
+        """
+        return cls(
+            scheme=UserAuthenticationSchemes.NetflixIDCookies,
+            authdata={
+                "netflixid": netflixid,
+                "securenetflixid": securenetflixid
+            }
+        )

unshackle/services/Netflix/MSL/schemes/__init__.py

@@ -0,0 +1,24 @@
+from enum import Enum
+
+
+class Scheme(Enum):
+    def __str__(self):
+        return str(self.value)
+
+
+class EntityAuthenticationSchemes(Scheme):
+    """https://github.com/Netflix/msl/wiki/Entity-Authentication-%28Configuration%29"""
+    Unauthenticated = "NONE"
+    Widevine = "WIDEVINE"
+
+
+class UserAuthenticationSchemes(Scheme):
+    """https://github.com/Netflix/msl/wiki/User-Authentication-%28Configuration%29"""
+    EmailPassword = "EMAIL_PASSWORD"
+    NetflixIDCookies = "NETFLIXID"
+
+
+class KeyExchangeSchemes(Scheme):
+    """https://github.com/Netflix/msl/wiki/Key-Exchange-%28Configuration%29"""
+    AsymmetricWrapped = "ASYMMETRIC_WRAPPED"
+    Widevine = "WIDEVINE"

unshackle/unshackle.yaml

@@ -0,0 +1,259 @@
+# Group or Username to postfix to the end of all download filenames following a dash
+# tag: Kenzuya
+
+# Enable/disable tagging with group name (default: true)
+tag_group_name: true
+
+# Enable/disable tagging with IMDB/TMDB/TVDB details (default: true)
+tag_imdb_tmdb: true
+
+# Set terminal background color (custom option not in CONFIG.md)
+set_terminal_bg: false
+
+# Set file naming convention
+#  true for style - Prime.Suspect.S07E01.The.Final.Act.Part.One.1080p.ITV.WEB-DL.AAC2.0.H.264
+#  false for style - Prime Suspect S07E01 The Final Act - Part One
+scene_naming: false
+
+# Whether to include the year in series names for episodes and folders (default: true)
+#  true for style - Show Name (2023) S01E01 Episode Name
+#  false for style - Show Name S01E01 Episode Name
+series_year: false
+
+# Check for updates from GitHub repository on startup (default: true)
+update_checks: true
+
+# How often to check for updates, in hours (default: 24)
+update_check_interval: 24
+
+# Title caching configuration
+# Cache title metadata to reduce redundant API calls
+title_cache_enabled: true # Enable/disable title caching globally (default: true)
+title_cache_time: 1800 # Cache duration in seconds (default: 1800 = 30 minutes)
+title_cache_max_retention: 86400 # Maximum cache retention for fallback when API fails (default: 86400 = 24 hours)
+
+# Muxing configuration
+muxing:
+  set_title: true
+
+# Login credentials for each Service
+credentials:
+  # Direct credentials (no profile support)
+  EXAMPLE: email@example.com:password
+
+  # Per-profile credentials with default fallback
+  SERVICE_NAME:
+    default: default@email.com:password # Used when no -p/--profile is specified
+    profile1: user1@email.com:password1
+    profile2: user2@email.com:password2
+
+  # Per-profile credentials without default (requires -p/--profile)
+  SERVICE_NAME2:
+    john: john@example.com:johnspassword
+    jane: jane@example.com:janespassword
+
+  # You can also use list format for passwords with special characters
+  SERVICE_NAME3:
+    default: ["user@email.com", ":PasswordWith:Colons"]
+
+  Netflix:
+    default: ["ariel-prinsess828@ezweb.ne.jp", "AiNe892186"]
+    # default: ["pbgarena0838@gmail.com", "Andhika1978"]
+# Override default directories used across unshackle
+directories:
+  cache: Cache
+  # cookies: Cookies
+  dcsl: DCSL # Device Certificate Status List
+  downloads: Downloads
+  logs: Logs
+  temp: Temp
+  # wvds: WVDs
+  # Additional directories that can be configured:
+  # commands: Commands
+  # services:
+  #   - /path/to/services
+  #   - /other/path/to/services
+  # vaults: Vaults
+  # fonts: Fonts
+
+# Pre-define which Widevine or PlayReady device to use for each Service
+cdm:
+  # Global default CDM device (fallback for all services/profiles)
+  default: chromecdm
+
+  # Direct service-specific CDM
+  DIFFERENT_EXAMPLE: PRD_1
+
+  # Per-profile CDM configuration
+  EXAMPLE:
+    john_sd: chromecdm_903_l3 # Profile 'john_sd' uses Chrome CDM L3
+    jane_uhd: nexus_5_l1 # Profile 'jane_uhd' uses Nexus 5 L1
+    default: generic_android_l3 # Default CDM for this service
+
+# Use pywidevine Serve-compliant Remote CDMs
+remote_cdm:
+  - name: "chromecdm"
+    device_name: widevine
+    device_type: CHROME
+    system_id: 36586
+    security_level: 3
+    type: "decrypt_labs"
+    host: https://keyxtractor.decryptlabs.com
+    secret: 7547150416_41da0a32d6237d83_KeyXtractor_api_ext
+  - name: "android"
+    device_name: andorid
+    device_type: ANDROID
+    system_id: 8131
+    security_level: 1
+    type: "decrypt_labs"
+    host: https://keyxtractor.decryptlabs.com
+    secret: decrypt_labs_special_ultimate
+
+# Key Vaults store your obtained Content Encryption Keys (CEKs)
+# Use 'no_push: true' to prevent a vault from receiving pushed keys
+# while still allowing it to provide keys when requested
+key_vaults:
+  - type: SQLite
+    name: Local
+    path: key_store.db
+  - type: HTTP
+    name: "DRMLab Vault"
+    host: "https://api.drmlab.io/vault/"
+    username: "unshackle"
+    password: "gEX75q7I5YVkvgF5SUkcNd41IbGrDtTT"
+    api_mode: "json"
+  - type: HTTP
+    name: "Decrypt Labs - Key Vault"
+    api_mode: "decrypt_labs"
+    host: "https://keyvault.decryptlabs.com"
+    password: "7547150416_41da0a32d6237d83_KeyXtractor_api_ext"
+  # Additional vault types:
+  # - type: API
+  #   name: "Remote Vault"
+  #   uri: "https://key-vault.example.com"
+  #   token: "secret_token"
+  #   no_push: true  # This vault will only provide keys, not receive them
+  # - type: MySQL
+  #   name: "MySQL Vault"
+  #   host: "127.0.0.1"
+  #   port: 3306
+  #   database: vault
+  #   username: user
+  #   password: pass
+  #   no_push: false  # Default behavior - vault both provides and receives keys
+
+# Choose what software to use to download data
+downloader: aria2c
+# Options: requests | aria2c | curl_impersonate | n_m3u8dl_re
+# Can also be a mapping:
+# downloader:
+#   NF: requests
+#   AMZN: n_m3u8dl_re
+#   DSNP: n_m3u8dl_re
+#   default: requests
+
+# aria2c downloader configuration
+aria2c:
+  max_concurrent_downloads: 4
+  max_connection_per_server: 3
+  split: 5
+  file_allocation: falloc # none | prealloc | falloc | trunc
+
+# N_m3u8DL-RE downloader configuration
+n_m3u8dl_re:
+  thread_count: 16
+  ad_keyword: "advertisement"
+  use_proxy: true
+
+# curl_impersonate downloader configuration
+curl_impersonate:
+  browser: chrome120
+
+# Pre-define default options and switches of the dl command
+dl:
+  sub_format: srt
+  downloads: 4
+  workers: 16
+  lang:
+    - orig
+    - id
+  EXAMPLE:
+    bitrate: CBR
+
+# Chapter Name to use when exporting a Chapter without a Name
+chapter_fallback_name: "Chapter {j:02}"
+
+# Case-Insensitive dictionary of headers for all Services
+headers:
+  Accept-Language: "en-US,en;q=0.8"
+  User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.75 Safari/537.36"
+
+# Override default filenames used across unshackle
+filenames:
+  log: "unshackle_{name}_{time}.log"
+  config: "config.yaml"
+  root_config: "unshackle.yaml"
+  chapters: "Chapters_{title}_{random}.txt"
+  subtitle: "Subtitle_{id}_{language}.srt"
+
+# API key for The Movie Database (TMDB)
+tmdb_api_key: "8f5c14ef648a0abdd262cf809e11fcd4"
+
+# conversion_method:
+# - auto (default): Smart routing - subby for WebVTT/SAMI, standard for others
+# - subby: Always use subby with advanced processing
+# - pycaption: Use only pycaption library (no SubtitleEdit, no subby)
+# - subtitleedit: Prefer SubtitleEdit when available, fall back to pycaption
+subtitle:
+  conversion_method: auto
+  sdh_method: auto
+
+# Configuration for pywidevine's serve functionality
+serve:
+  users:
+    secret_key_for_user:
+      devices:
+        - generic_nexus_4464_l3
+      username: user
+  # devices:
+  #   - '/path/to/device.wvd'
+
+# Configuration data for each Service
+services:
+  # Service-specific configuration goes here
+  # Profile-specific configurations can be nested under service names
+
+  # Example: with profile-specific device configs
+  EXAMPLE:
+    # Global service config
+    api_key: "service_api_key"
+
+    # Profile-specific device configurations
+    profiles:
+      john_sd:
+        device:
+          app_name: "AIV"
+          device_model: "SHIELD Android TV"
+      jane_uhd:
+        device:
+          app_name: "AIV"
+          device_model: "Fire TV Stick 4K"
+
+  # Example: Service with different regions per profile
+  SERVICE_NAME:
+    profiles:
+      us_account:
+        region: "US"
+        api_endpoint: "https://api.us.service.com"
+      uk_account:
+        region: "GB"
+        api_endpoint: "https://api.uk.service.com"
+
+# External proxy provider services
+proxy_providers:
+  basic:
+    SG:
+      - "http://127.0.0.1:6004"
+  surfsharkvpn:
+    username: SkyCBP7kH8KqxDwy5Qw36mQn # Service credentials from https://my.surfshark.com/vpn/manual-setup/main/openvpn
+    password: pcmewxKTNPvLENdbKJGh8Cgt # Service credentials (not your login password)