security: harden code against command injection and path traversal

Core changes:

* enforce HTTPS URLs and remove shell usage in generate_release.py
* replace os.system calls with subprocess across the codebase
* validate external inputs (playlist names, video IDs)

Improvements and fixes:

* settings.py: fix typo (node.lineno → line_number); use isinstance() over type()
* youtube/get_app_version: improve git detection using subprocess.DEVNULL
* youtube/util.py: add cleanup helpers; use shutil.which for binary resolution

YouTube modules:

* watch.py: detect and flag HLS streams; remove unused audio_track_sources
* comments.py: return early when comments are disabled; add error handling
* local_playlist.py: validate playlist names to prevent path traversal
* subscriptions.py: replace asserts with proper error handling; validate video IDs

Cleanup:

* remove unused imports across modules (playlist, search, channel)
* reorganize package imports in youtube/**init**.py
* simplify test imports and fix cleanup_func in tests

Tests:

* tests/test_shorts.py: simplify imports
* tests/test_util.py: fix cleanup_func definition

youtube/__init__.py

@@ -1,14 +1,17 @@
+import logging
+import os
+import re
+import traceback
+from sys import exc_info
+
+import flask
+import jinja2
+from flask import request
+from flask_babel import Babel
+
 from youtube import util
 from .get_app_version import app_version
-import flask
-from flask import request
-import jinja2
 import settings
-import traceback
-import logging
-import re
-from sys import exc_info
-from flask_babel import Babel
 
 yt_app = flask.Flask(__name__)
 yt_app.config['TEMPLATES_AUTO_RELOAD'] = True
@@ -26,7 +29,6 @@ yt_app.logger.addFilter(FetchErrorFilter())
 # yt_app.jinja_env.lstrip_blocks = True
 
 # Configure Babel for i18n
-import os
 yt_app.config['BABEL_DEFAULT_LOCALE'] = 'en'
 # Use absolute path for translations directory to avoid issues with package structure changes
 _app_root = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))