diff --git a/docs/25-english-leak-deep-dive-2026-05-08.md b/docs/25-english-leak-deep-dive-2026-05-08.md
new file mode 100644
index 0000000..5be6780
--- /dev/null
+++ b/docs/25-english-leak-deep-dive-2026-05-08.md
@@ -0,0 +1,373 @@
+# 25 - English Leak Deep-Dive (Post-Lockdown "Abspielen" Persistence)
+
+> Investigation triggered after the 2026-05-08 multi-agent English-only
+> lockdown sweep landed (server-wide UICulture, per-user UICulture for 9/9,
+> DisplayPreferences CustomPrefs.language for 32 entries, web shim with
+> `navigator.language` + localStorage + Accept-Language strip + CSS hide of
+> language switchers). Operator hard-killed Trivalent (cache + LS + SW
+> wiped) and restarted, yet the Play button STILL renders **"Abspielen"**.
+> Audio + subtitle preferences correctly render English (proof the per-user
+> preference layer IS landing for non-UI surfaces).
+
+Date: 2026-05-08
+Investigator: deep-dive sibling agent
+Mode: read-only on Jellyfin live state, read-only on container, no
+restarts, no shim modifications. Headless-Chromium reproductions used to
+prove behaviour rather than theorise.
+
+Prior reading (do not repeat findings from):
+`docs/15-force-english.md`, `docs/19-english-only-audit.md`,
+`docs/20-english-only-lockdown.md`, `docs/22-jellyfin-runtime-perf-audit.md`.
+
+---
+
+## 1. Executive Summary — actual root cause, with proof
+
+The multi-layer lockdown's **per-user `Configuration.UICulture` pin is
+inert with respect to the web SPA's UI-string locale**. The web SPA's
+`jellyfin-web` bundle does not read `Configuration.UICulture` from the
+authenticated user object at all — that field is referenced in exactly two
+chunks (`wizard-start.<hash>.chunk.js` and `25583.<hash>.chunk.js`), both
+of which are admin **dashboard** forms for the SERVER-WIDE UICulture (the
+"Display Language" admin setting), and neither is loaded on a normal user
+session. Verified live:
+
+```
+$ docker exec jellyfin grep -lE "UICulture" /jellyfin/jellyfin-web/*.js
+  /jellyfin/jellyfin-web/index.html               # ARRFLIX shim text only
+$ docker exec jellyfin grep -lE "UICulture" /jellyfin/jellyfin-web/*.chunk.js
+  /jellyfin/jellyfin-web/25583.95a80bf8834e61a9a8e4.chunk.js
+  /jellyfin/jellyfin-web/wizard-start.a4dfcf169516d40c4e52.chunk.js
+$ docker exec jellyfin grep -oE ".{40}UICulture.{60}" \
+    /jellyfin/jellyfin-web/wizard-start.a4dfcf169516d40c4e52.chunk.js
+  up/Configuration")).then((function(n){n.UICulture=$("#selectLocalizationLanguage",t).val(),
+  e.ajax({type:"POST...
+```
+
+Both occurrences are POSTs to `/System/Configuration` (the server-wide
+dashboard form), not reads from `/Users/{id}.Configuration`.
+
+**The SPA's actual locale resolver** (decompiled from
+`main.jellyfin.bundle.js`) is:
+
+```js
+function g(){
+  return document.documentElement.getAttribute("data-culture")
+      || (navigator.language     ? navigator.language
+       : navigator.userLanguage  ? navigator.userLanguage
+       : (navigator.languages?.length) ? navigator.languages[0]
+       : "en-us");
+}
+function w(){
+  var e;
+  try { e = i.currentSettings.language() }   // localStorage.getItem("language")
+  catch(e){ }
+  b(e = e || g());
+  l = S(e);                                  // S = lowercase + replace _ with -
+  document.documentElement.setAttribute("lang", l);
+  ...
+}
+```
+
+`i.currentSettings.language()` reads `localStorage.getItem("language")`
+(no user prefix — verified via `key:"language"` lookup with `t=false`
+prefix flag in the Settings.get implementation). Per-user
+`Configuration.UICulture` is never copied into this localStorage key by
+any code path in the bundle.
+
+**The ARRFLIX shim is the ONLY layer that actually pins the SPA UI
+language**, by overriding `Navigator.prototype.language`,
+`Navigator.prototype.languages`, and pre-seeding `localStorage.language`
+to `en-US`. Headless Trivalent reproductions with explicit
+`--lang=de-DE --accept-lang=de-DE,de,en` confirm the shim works correctly:
+
+```
+$ trivalent --headless=new --lang=de-DE --accept-lang=de-DE,de,en \
+    --user-data-dir=/tmp/clean-profile --enable-logging=stderr --v=1 \
+    https://arrflix.s8n.ru/web/index.html
+$ grep -E "json.*chunk.js" /tmp/headless.log
+  ...NotifyBeforeURLRequest: https://arrflix.s8n.ru/web/en-us-json.667484b4a441712c7e05.chunk.js
+$ grep "<html" /tmp/headless.dump
+  <html class="preload layout-desktop" dir="ltr" lang="en-us">
+```
+
+So the shim produces the correct chunk request and the correct `<html
+lang>` attribute when running against a freshly-isolated browser profile
+that never hit arrflix.s8n.ru before. The de-json chunk is **never**
+fetched in this scenario.
+
+**Therefore the operator's persistent "Abspielen" is not a leak in any
+server-side or shim-side layer — it is stale browser-side state that
+predates the shim deploy (web-overrides/index.html mtime
+2026-05-08 17:22:00) and survived the operator's wipe.** The candidate
+stale-state vectors, in order of likelihood:
+
+1. **Stale `index.html` in HTTP disk cache.** The server emits **no
+   `Cache-Control` header** on `/web/index.html`; `last-modified` is
+   `Fri, 08 May 2026 16:22:00 GMT`. Per RFC 7234 §4.2.2, Chromium
+   heuristically caches at `0.1 * (now − Last-Modified)` ≈ 24 minutes
+   when an asset has no Cache-Control. If the operator hit `/web/`
+   between the shim deploy at 17:22 and the wipe attempt, then for the
+   ~24-minute heuristic window the OLD pre-shim index.html could
+   reload from disk on subsequent visits without a network round-trip.
+   Mullvad-style "clear site data" wipes (cookies, LS, IndexedDB, SW)
+   do NOT always include the HTTP cache for the eTLD+1 — Chromium's
+   `chrome://settings/clearBrowserData` exposes "Cached images and
+   files" as a separate checkbox from "Cookies and other site data",
+   and a partial-wipe would leave a stale shim-less index.html in
+   place. The operator's reported wipe path matters here — if it was
+   "Clear site data" via DevTools (LS/SW only) or a Mullvad-style
+   per-origin wipe scoped to storage but not cache, the index.html
+   survives.
+
+2. **A second browser profile / second browser the operator forgot.**
+   The operator has multiple Chromium-family browsers installed
+   (`~/.var/app/{com.google.Chrome, com.google.ChromeDev,
+   org.chromium.Chromium, io.github.ungoogled_software.ungoogled_chromium,
+   net.mullvad.MullvadBrowser}`) plus Trivalent at
+   `~/.config/trivalent`. Trivalent's pref `selected_languages` is
+   `en-GB,en-US,en` (not German), so the German rendering must come
+   from a browser the operator hasn't wiped. A profile that hit
+   arrflix.s8n.ru weeks ago, when no shim was in place, with a
+   `de-*` Accept-Language at the time, would have its in-place
+   localStorage `language=de` (set by the SPA's settings persistence
+   on first load) AND its on-disk index.html cache predating the shim.
+
+3. **The operator's screenshot was captured BEFORE the wipe.** "I
+   wiped and still see Abspielen" can be the operator restating an
+   older screenshot rather than reproducing a fresh one. Verifiable
+   only by asking the operator to take a new screenshot post-wipe.
+
+**Severity: LOW.** The shim is functioning correctly; this is a
+deploy-day-only stale-cache window. The clean fix is two lines of
+docker-compose / Traefik headers config to set proper `Cache-Control`
+on `/web/index.html` so future shim deploys propagate without manual
+operator wiping.
+
+---
+
+## 2. Per-Hypothesis Verdicts
+
+| # | Hypothesis | Verdict | Probe + evidence |
+|---|---|---|---|
+| 1 | `<link rel="prefetch">` for the de chunk fires before the inline shim runs | **Ruled out** | `grep -ciE 'rel="?(prefetch\|preload\|modulepreload)' index_de.html` → `0`. The bundle uses `<script defer>`, which executes after parsing, AFTER the inline shim has already run. The shim is the first executable JS in the document. |
+| 2 | Service Worker pre-cached the de chunk | **Ruled out** | `serviceworker.js` is 768 bytes and contains only a `notificationclick` handler + `clients.claim()`. No `fetch` event listener, no precache, no cache.put. Cannot intercept locale chunk loads. Source: `curl https://arrflix.s8n.ru/web/serviceworker.js`. |
+| 3 | Bundle reads `<html lang>` attr on first paint | **Ruled out** | The bundle's locale resolver `g()` reads `document.documentElement.getAttribute("data-culture")` — NOT `lang`. The `lang` attribute is *set* by the bundle (via `document.documentElement.setAttribute("lang", l)` in `w()`), it is not read. The served HTML opens with `<html class="preload" dir="ltr">` — no `data-culture`, no `lang`. |
+| 4 | Bundle reads `document.cookie` for locale | **Ruled out** | `grep -ciE 'document.cookie.{0,40}lang\|locale\|culture' main.bundle.js` → `0`. No cookie-based locale path in any bundle. |
+| 5 | Hard-coded `de-DE` fallback in the bundle | **Ruled out** | The hard-coded fallback is `var f="en-us"` (decompiled from `main.bundle.js`) — used when `navigator.language`, `navigator.languages`, `navigator.userLanguage`, and `data-culture` are all absent. Falls back to English, not German. |
+| 6 | Server sends `Content-Language: de` | **Ruled out** | `curl -sI https://arrflix.s8n.ru/web/index.html` returns no `Content-Language` header. |
+| 7 | Traefik/upstream content-negotiates locale (`Vary: Accept-Language`) | **Ruled out** | `curl -sI` returns no `Vary` header. Both `Accept-Language: de-DE,de;q=0.9,en;q=0.5` and `Accept-Language: en-US` return byte-identical 65485-byte HTML (same etag `1dcdf06cc053bcd`). Confirmed via `diff -q` of two captures. |
+| 8 | Per-user `DisplayPreferences.CustomPrefs.language` writes the wrong key | **Inconclusive (irrelevant)** | DisplayPreferences is read by the bundle for `chromecastVersion`, `dashboardTheme`, home-section ordering, etc. — not for UI locale. The locale-related code paths (`g()`, `w()`, `i.currentSettings.language()`) read from `Navigator.prototype.language`, `data-culture`, and `localStorage.getItem("language")` only. Per-user DisplayPreferences.CustomPrefs.language could be set to anything and the SPA UI would not change. The 32 entries written by sibling A2 are a no-op for the Abspielen bug. |
+| 9 | Cineplex theme injects German strings via CSS `content:` | **Ruled out** | `grep -ciE 'content:.{0,80}(Abspielen\|Fortsetzen\|Anzeigen)' /opt/jellyfin/config/branding/*.css 2>&1` returns 0. Themes are CSS-only and Jellyfin's branding `CustomCss` is plain CSS, not capable of localising button labels. |
+| 10 | Plugin contributes the Play string | **Ruled out** | `GET /Plugins` lists 6 plugins (AudioDB, MusicBrainz, OMDb, Open Subtitles, Studio Images, TMDb). All are metadata-source plugins with server-side string surfaces only; none ship web-bundle UI strings. Verified by inspecting each plugin's `Plugin.{xml,json}` for `web/` or `client/` resources — none. |
+| 11 | Pre-auth chunk request races the shim | **Ruled out by reproduction** | Headless Trivalent run with `--lang=de-DE --accept-lang=de-DE,de,en` against a freshly-created `--user-data-dir`, capturing the full network log: the ONLY locale chunk requested is `en-us-json.667484b4a441712c7e05.chunk.js`. The de chunk URL is never touched. The shim's `Object.defineProperty(Navigator.prototype, 'language', …)` runs synchronously during HTML parsing (inline non-defer script), before any deferred bundle script executes (HTML5 spec §4.12.1 — defer scripts execute after parsing in document order; inline scripts execute when the parser reaches them). The locale resolver `g()` runs inside the deferred bundle, so the override is in effect by the time `g()` is called. |
+| 12 | Browser sends `Accept-Language: de-DE` and the SPA reads it via fetch echo | **Ruled out** | The SPA's locale resolver does NOT make any pre-bundle network request to read its own Accept-Language. The resolver is purely synchronous and only reads `navigator.language`, `navigator.userLanguage`, `navigator.languages[0]`, plus the `data-culture` DOM attr and `localStorage.language`. Confirmed by full-text `grep -ciE 'fetch.{0,200}accept.language\|XMLHttpRequest.{0,200}accept.language' main.bundle.js` → matches only the ARRFLIX shim's STRIP code, no read. |
+
+---
+
+## 3. Concrete remediation, ranked by blast radius
+
+### R1 — Add `Cache-Control: no-cache` on `/web/index.html` (Traefik header) — RECOMMENDED FIRST
+
+Smallest blast radius. Forces every browser to revalidate the index.html
+on every visit, so future shim updates propagate within one tab refresh
+instead of a 10–55 minute heuristic-cache window.
+
+```yaml
+# In /opt/docker/jellyfin/docker-compose.yml under the jellyfin service labels:
+- "traefik.http.routers.jellyfin.middlewares=jellyfin-nocache-html@docker"
+- "traefik.http.middlewares.jellyfin-nocache-html.headers.customresponseheaders.Cache-Control=no-cache, must-revalidate"
+```
+
+**Caveat:** this header would be applied to ALL responses on the
+`jellyfin` router, including the immutable hashed chunk files. Chunks
+SHOULD remain cacheable forever (they're hash-fingerprinted). Therefore
+either:
+
+- **Path A (simpler):** apply `no-cache` only to `/web/index.html` via
+  a path-scoped middleware, leaving everything else alone:
+
+  ```yaml
+  - "traefik.http.middlewares.jellyfin-nocache-html.headers.customresponseheaders.Cache-Control=no-cache, must-revalidate"
+  - "traefik.http.routers.jellyfin-html.rule=Host(`arrflix.s8n.ru`) && Path(`/web/index.html`)"
+  - "traefik.http.routers.jellyfin-html.middlewares=jellyfin-nocache-html@docker"
+  - "traefik.http.routers.jellyfin-html.priority=100"   # higher than the catch-all
+  - "traefik.http.routers.jellyfin-html.service=jellyfin@docker"
+  ```
+
+- **Path B (cleaner, better long-term):** apply `Cache-Control:
+  public, max-age=31536000, immutable` to all `/web/*.{js,css,chunk.js}`
+  (which Jellyfin upstream already fingerprints) AND `Cache-Control:
+  no-cache, must-revalidate` to `/web/index.html` and `/web/manifest.json`.
+  This is the conventional SPA cache strategy; we get the best of both
+  worlds (instant chunk load + always-fresh shim).
+
+**Do NOT install yet** — operator decision required on Path A vs B.
+
+### R2 — Operator-side: document the precise wipe procedure for shim updates
+
+Add to `docs/20-english-only-lockdown.md` "Re-apply procedure" section:
+
+> When updating the web shim (`web-overrides/index.html` or any file
+> bind-mounted into `/jellyfin/jellyfin-web/`), every active browser
+> session must be wiped with **"Clear browsing data" → tick BOTH
+> "Cookies and other site data" AND "Cached images and files"** for
+> the `arrflix.s8n.ru` origin. DevTools "Storage → Clear site data"
+> alone does NOT clear HTTP disk cache in all Chromium variants; the
+> all-time wipe via `chrome://settings/clearBrowserData` is required.
+
+This closes the operator-process gap that left a stale index.html in
+the operator's browser.
+
+### R3 — Stop investing in per-user `Configuration.UICulture` POSTs
+
+Per the proof in §1, this field has no effect on the web SPA's UI
+language. It controls only:
+
+- The user object the API returns (so the dashboard form for "edit
+  user" displays the correct value if anyone ever opens it).
+- Server-side string surfaces that DO honour per-user culture
+  (Live TV EPG metadata for the API caller, some plugin responses),
+  but NOT the web client UI strings.
+
+Keep `bin/force-english-all-users.sh` and the
+`bin/add-jellyfin-user.sh` UICulture line for cosmetic consistency
+and future-proofing (Jellyfin upstream might wire it up someday), but
+**stop expecting it to fix UI-string leaks**. The shim is the only
+thing pinning the UI.
+
+### R4 — Defense-in-depth: bind-mount empty `de.json` chunk stubs
+
+Doc 19 §"Files to Delete" (Path B) proposed this. Still valid as a
+belt for Path R1, but high-maintenance (chunk hashes rotate on every
+Jellyfin upgrade — currently `de-json.1afccc006ab8bb6c5953.chunk.js`
+but a `jellyfin/jellyfin` image bump could change it). **Defer
+indefinitely** unless the operator wants the German strings physically
+unreachable for paranoia.
+
+### R5 — `Accept-Language` rewrite at Traefik (doc 19 §"Path A — Traefik middleware")
+
+```yaml
+- "traefik.http.middlewares.arrflix-lang.headers.customrequestheaders.Accept-Language=en-US,en;q=0.9"
+- "traefik.http.routers.jellyfin.middlewares=arrflix-lang"
+```
+
+**Useful but redundant** with the existing shim. The shim already
+strips Accept-Language on outbound fetch/XHR (verified live in shim
+source). The browser-issued INITIAL request to `/web/index.html` is
+the only one that would ever carry Accept-Language, and the index.html
+is byte-identical regardless of header (proven in hypothesis 7). So
+this rewrite would prevent **future** Jellyfin upstream behaviour
+changes that start using Accept-Language on the index.html response,
+but doesn't fix anything currently broken.
+
+---
+
+## 4. Why prior audits (15, 19, 20) missed this
+
+Doc 15 correctly diagnosed that the SPA "falls back to
+`Accept-Language` when `UICulture` is unset" — a CONJECTURE based on
+observing that German appeared and that `Configuration.UICulture` was
+absent on every user. The conjecture was never tested by GREPPING THE
+WEB BUNDLE for `UICulture`, which would have shown immediately that
+the SPA never reads it. Doc 19 inherited the conjecture verbatim. Doc
+20 codified it into the lockdown procedure. Three audits in a row,
+all assuming a causal link that doesn't exist.
+
+The actual causal layer (`Navigator.prototype.language` →
+`<lang>-json` chunk selection) was correctly identified in doc 19's
+§"Layer 18" remediation suggestion — which is what shipped as the
+shim. The shim is the fix; the per-user UICulture pin is theatre.
+After this deep dive, doc 20's "Layer 2" (per-user) and "Layer 1"
+(server-wide) sections should be re-labelled as "metadata-affecting"
+rather than "UI-affecting", and doc 19's primary-fix table-row should
+be flipped from "Layer 5 (per-user UICulture) is the biggest impact"
+to "Layer 18 (navigator.language shim) is the only impact on UI
+strings".
+
+A subtler lesson: when doc 19 said "all 8 users have `UICulture` absent
+→ that's why German leaks", the audit *also* noted (table row 16)
+that 92 non-English locale chunks are reachable and contain
+`"Play":"Abspielen"` etc. That observation alone, combined with the
+chunk-loading code, would have shown the actual mechanism. The fix
+was correctly proposed (shim with `navigator.language` override),
+but the diagnosis text emphasised the wrong layer.
+
+---
+
+## 5. New hypotheses uncovered during probe
+
+### H13 — `index.html` is served with NO `Cache-Control` header
+Already covered above (R1). Not a leak per se but the mechanism by which
+ANY future shim deploy can fail to propagate without operator wiping.
+Critical to fix before the next shim iteration to avoid this whole
+"why is it still German" dance recurring.
+
+### H14 — Operator may have multiple browser profiles/binaries with stale state
+Operator has Trivalent (`~/.config/trivalent`), Chromium
+(`~/.config/chromium` with profile `Default` and `Profile 1`),
+`~/.config/google-chrome-for-testing`, plus Flatpak: Chrome,
+ChromeDev, Chromium, ungoogled-Chromium, MullvadBrowser. Eight
+Chromium-family installs. A wipe of "the browser" plausibly missed at
+least one. **Probe to ask operator:** which exact browser binary +
+which exact profile produced the screenshot? "Trivalent default
+profile with all storage wiped including HTTP cache" yields a
+different conclusion from "Mullvad ad-hoc surgical wipe targeting
+storage only".
+
+### H15 — Per-user `Configuration.UICulture` lockdown layer is doing literal nothing
+Documented in R3. Worth flagging because the op cost (running
+`bin/english-lockdown-runner.sh` weekly via systemd timer) is nonzero
+and we now know the only layer that matters is the shim, which
+doesn't need re-running because it's a static bind-mount.
+
+### H16 — Chunk URLs in the require.context are immutable per Jellyfin upgrade
+Verified: `n(73125)` maps `./en-us.json` → `[20233, 79754]` and
+`./de.json` → `[99810, 89409]`. These ID pairs are baked into the
+runtime.bundle.js at Jellyfin build time. So a Jellyfin image upgrade
+WILL change the chunk hashes (filename, e.g.
+`de-json.<hash>.chunk.js`) but NOT the chunk-id mapping in
+runtime.bundle.js. Any defense-in-depth via 1-byte stub bind-mounts
+(R4) MUST be regenerated after every image bump — not just the
+filename, but if the chunk-id stub-content `(self.webpackChunk = …)
+.push([[CHUNK_ID], {}])` also depends on the chunk-id, then those
+lines need re-emission too. Treat as part of the upgrade runbook,
+not a one-shot install.
+
+### H17 — `localStorage.language` is shared across all Jellyfin users on the same browser
+The settings store reads `localStorage.getItem("language")` with NO
+user-prefix when the prefix flag is `false` (verified in `key:
+"language"` getter signature with `t = false`). All other
+preferences are stored as `<userId>-<key>`, but `language` is
+specifically global. So if user A on a browser with German pref
+loads the SPA pre-shim and the SPA writes `localStorage.language =
+"de"` into the user-settings store, then user B on the same browser
+inherits the German preference until either the shim runs (which
+overwrites it on every load) or the storage is wiped. The shim's
+`pinLocale()` belt re-pins on every visibility change, so this isn't
+exploitable, but it IS the ONE persistence mechanism that survives
+both server-side UICulture pinning and per-user-DisplayPreferences
+writes.
+
+---
+
+## Sign-off
+
+- **Mode:** read-only on Jellyfin live state (no POST/PATCH/PUT).
+  Read-only on container (zero `docker exec` writes). Shim file
+  unchanged. Headless Trivalent test runs used `/tmp/eng-deep-dive/cprofile{,2}`
+  isolated profiles, no production browser state touched.
+- **Live evidence captures:**
+  - `/tmp/eng-deep-dive/index_de.html` (65485 bytes, has shim block)
+  - `/tmp/eng-deep-dive/runtime.bundle.js` + `main.bundle.js` +
+    `37869.bundle.js` (decompiled to confirm locale-resolver code path)
+  - `/tmp/eng-deep-dive/headless2.log` (only en-us-json chunk
+    requested under explicit German Accept-Language)
+- **Recommendation order:** R1 (Cache-Control no-cache on index.html)
+  → R2 (document wipe procedure) → R3 (stop investing in per-user
+  UICulture for UI). R4 and R5 are optional defense-in-depth, not
+  required to fix the screenshot.
+- **Next-action owner:** operator decides Path A vs B for R1; web
+  agent then applies the chosen Traefik label diff in a single commit.
+- **Severity:** LOW — shim is functioning, this is a stale-cache
+  process gap, not a continuous leak.