bugfix: second-pass audit follow-ups (N1-N4)

Four small follow-ups from the second-pass audit:

- N1: `manga_upload_rolls_back_when_cover_storage_fails` covers the
  manga-side of the transactional rollback path. The chapter case had
  a `FailingStorage` regression test already; this completes the
  symmetric pair. With fail-on-put-index=0, the cover put fails on
  the first call, the transaction aborts, and `SELECT count(*) FROM
  mangas WHERE title = 'Berserk'` is 0.

- N2: The SvelteKit proxy now catches network-layer failures from the
  upstream `fetch` (DNS / connection refused / TLS handshake) and
  returns a 502 with the standard error envelope
  (`code: 'upstream_unavailable'`) instead of letting SvelteKit's
  generic 500 HTML page through. `client.ts` can `.json()` the result
  cleanly so callers see a real ApiError with a meaningful code. The
  underlying cause is logged via `console.error` for the operator.
  Test in hooks.server.test.ts asserts the 502, the JSON envelope, and
  that `resolve` is not called (the proxy short-circuits).

- N3: `GET /api/v1/files/*key` now sets
  `X-Content-Type-Options: nosniff`. The upload-time magic-byte sniff
  is authoritative for what we declare as Content-Type; `nosniff`
  makes the contract explicit so older user-agents can't try to
  re-detect HTML/JS in a polyglot file that survived the sniff. Test
  in api_uploads.rs asserts the header.

- N4: The /bookmarks page used `{#if b.page}` to gate the "— page N"
  display, which falsy-elided a legitimate `page == 0`. Backend now
  rejects `page < 1` for new bookmarks (already shipped in 0.9.4),
  but any pre-0.9.4 row with page=0 still rendered without its
  number. Strengthened to `{#if b.page != null && b.page > 0}`.

Lockstep version bump to 0.10.1.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

backend/Cargo.lock

@@ -1033,7 +1033,7 @@ checksum = "5e5032e24019045c762d3c0f28f5b6b8bbf38563a65908389bf7978758920897"
 
 [[package]]
 name = "mangalord"
-version = "0.9.4"
+version = "0.10.0"
 dependencies = [
  "anyhow",
  "argon2",

backend/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "mangalord"
-version = "0.10.0"
+version = "0.10.1"
 edition = "2021"
 
 [lib]

backend/src/api/files.rs

@@ -7,7 +7,7 @@
 
 use axum::body::Body;
 use axum::extract::{Path, State};
-use axum::http::header;
+use axum::http::{header, HeaderName};
 use axum::response::{IntoResponse, Response};
 use axum::routing::get;
 use axum::Router;
@@ -27,9 +27,17 @@ async fn serve(State(state): State<AppState>, Path(key): Path<String>) -> AppRes
         Err(e) => return Err(e.into()),
     };
     let ct = content_type_for(&key);
+    // `nosniff` makes the contract explicit: the browser must trust the
+    // Content-Type we declared (and that the magic-byte sniff at upload
+    // time produced) instead of trying to detect HTML/JS in the body.
+    // Belt-and-braces vs. polyglot files that survive the upload sniff.
     let headers = [
         (header::CONTENT_TYPE, ct.to_string()),
         (header::CONTENT_LENGTH, file.size_bytes.to_string()),
+        (
+            HeaderName::from_static("x-content-type-options"),
+            "nosniff".to_string(),
+        ),
     ];
     Ok((headers, Body::from_stream(file.stream)).into_response())
 }

backend/tests/api_uploads.rs

@@ -162,6 +162,12 @@ async fn files_endpoint_streams_in_multiple_frames(pool: PgPool) {
         resp.headers().get(header::CONTENT_LENGTH).unwrap(),
         big.len().to_string().as_str()
     );
+    // Browsers must trust the declared Content-Type rather than sniff
+    // the body — the upload-time magic-byte check is authoritative.
+    assert_eq!(
+        resp.headers().get("x-content-type-options").unwrap(),
+        "nosniff"
+    );
 
     let mut body = resp.into_body();
     let mut frames = 0usize;
@@ -323,6 +329,41 @@ async fn create_chapter_requires_authentication(pool: PgPool) {
     assert_eq!(resp.status(), StatusCode::UNAUTHORIZED);
 }
 
+#[sqlx::test(migrations = "./migrations")]
+async fn manga_upload_rolls_back_when_cover_storage_fails(pool: PgPool) {
+    // First `put` call errors. The manga create handler is the only
+    // thing that hits storage here, so the cover put on the first
+    // request triggers the injected failure and the transaction must
+    // roll back.
+    let h = common::harness_with_failing_storage(pool.clone(), 0);
+    let (_, cookie) = common::register_user(&h.app).await;
+
+    let resp = h
+        .app
+        .oneshot(common::post_multipart_with_cookie(
+            "/api/v1/mangas",
+            MultipartBuilder::new()
+                .add_json("metadata", json!({ "title": "Berserk" }))
+                .add_file("cover", "cover.png", "image/png", &common::fake_png_bytes()),
+            &cookie,
+        ))
+        .await
+        .unwrap();
+    assert_eq!(resp.status(), StatusCode::INTERNAL_SERVER_ERROR);
+    let body = common::body_json(resp).await;
+    assert_eq!(body["error"]["code"], "internal_error");
+
+    // No manga row with that title — the INSERT inside the tx was
+    // rolled back when the cover put failed.
+    let (count,): (i64,) =
+        sqlx::query_as("SELECT count(*) FROM mangas WHERE title = $1")
+            .bind("Berserk")
+            .fetch_one(&pool)
+            .await
+            .unwrap();
+    assert_eq!(count, 0, "rolled-back manga must not persist");
+}
+
 #[sqlx::test(migrations = "./migrations")]
 async fn chapter_upload_rolls_back_when_storage_fails_mid_loop(pool: PgPool) {
     // Configure storage so the second `put` call (0-indexed: index 1)