feat: multipart manga + chapter uploads with magic-byte MIME sniff

POST /api/v1/mangas and POST /api/v1/mangas/{id}/chapters now accept
multipart/form-data, gated by CurrentUser:

- /mangas: required `metadata` part (NewManga JSON) + optional `cover`
  image part.
- /mangas/{id}/chapters: required `metadata` (NewChapter JSON) + one or
  more `page` parts ordered by arrival. Returns 404 if the parent manga
  doesn't exist, 409 on duplicate (manga_id, number).

MIME is sniffed via the `infer` crate (magic bytes), not the
client-supplied filename or Content-Type. Whitelist:
jpeg / png / webp / gif / avif. Anything else → 415
unsupported_media_type. The stored key's extension is derived from the
sniffed type so a "page1.png" that's actually a JPEG lands as `.jpg`.

Size cap is two-layer:
- Request body cap (config.max_request_bytes, default 200 MiB) enforced
  by axum's DefaultBodyLimit before the handler sees the request.
- Per-image-part cap (config.max_file_bytes, default 20 MiB) enforced
  after reading the part, so a single oversized image can't pass even
  if the total request fits.

Storage keys follow the layout documented in CLAUDE.md:
- mangas/{manga_id}/cover.{ext}
- mangas/{manga_id}/chapters/{chapter_id}/pages/{nnnn}.{ext} (1-indexed).

AppError grows PayloadTooLarge/UnsupportedMediaType/ValidationFailed
(413 / 415 / 422). ValidationFailed carries a `details` JSON object the
client can use to highlight bad fields (e.g. {"title":"required"}).
Top-level matching in code() stays exhaustive.

Backend coverage in tests/api_uploads.rs (10 cases):
- create_manga_with_cover_stores_image — file is reachable via
  /api/v1/files/{key} with the right Content-Type.
- create_manga_without_cover_leaves_path_null.
- create_manga_rejects_non_image_cover_with_415 — PDF claimed as png.
- create_manga_rejects_oversized_cover_with_413.
- create_chapter_with_pages_stores_each — extension derived from
  sniffed MIME, files reachable in arrival order.
- create_chapter_rejects_when_no_pages_with_422 — details.page set.
- create_chapter_rejects_renamed_non_image_page → 415.
- create_chapter_returns_409_on_duplicate_number.
- create_chapter_requires_authentication → 401.
- create_chapter_under_unknown_manga_is_404.

Existing tests/api_mangas.rs is migrated to multipart; the create
response is now 201 Created. tests/common::MultipartBuilder builds the
body by hand so the test crate stays free of HTTP-client deps.

Frontend lib/api/mangas.ts: createManga now sends FormData (metadata +
optional cover Blob). Browser fills in the boundary header automatically.
Vitest asserts the FormData structure via FileReader (jsdom doesn't
implement Blob.text()).

E2E tests wait for the post-hydration nav-login link before
interacting with the login form, fixing a flake where pre-hydration
clicks would submit via the browser default and bypass our handler.

Lockstep version bump to 0.5.0.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

backend/src/api/chapters.rs

@@ -1,22 +1,34 @@
-//! Chapter list + get. Reads are public — anyone can browse a manga's
-//! table of contents and individual chapter metadata. Uploads land in
-//! feat/uploads under POST /api/v1/mangas/{id}/chapters.
+//! Chapter list + get + multipart upload.
+//!
+//! Reads are public. Uploads (POST) require auth and use the same
+//! multipart conventions as `POST /api/v1/mangas`:
+//! - `metadata` part (JSON) with `{ number, title? }`.
+//! - One or more `page` parts (images, ordered by arrival).
 
-use axum::extract::{Path, Query, State};
+use axum::extract::{Multipart, Path, Query, State};
+use axum::http::StatusCode;
 use axum::routing::get;
 use axum::{Json, Router};
 use serde::Deserialize;
+use serde_json::json;
 use uuid::Uuid;
 
+use crate::api::mangas::{next_field, read_field_bytes};
 use crate::api::pagination::PagedResponse;
 use crate::app::AppState;
+use crate::auth::extractor::CurrentUser;
 use crate::domain::Chapter;
-use crate::error::AppResult;
+use crate::domain::chapter::NewChapter;
+use crate::error::{AppError, AppResult};
 use crate::repo;
+use crate::upload::{parse_image, UploadedImage};
 
 pub fn routes() -> Router<AppState> {
     Router::new()
-        .route("/mangas/:manga_id/chapters", get(list))
+        .route(
+            "/mangas/:manga_id/chapters",
+            get(list).post(create),
+        )
         .route("/mangas/:manga_id/chapters/:number", get(get_one))
 }
 
@@ -37,8 +49,6 @@ async fn list(
     Path(manga_id): Path<Uuid>,
     Query(params): Query<ListParams>,
 ) -> AppResult<Json<PagedResponse<Chapter>>> {
-    // Surface 404 when the parent manga doesn't exist so an empty result
-    // can't be mistaken for "no chapters yet" on a real manga.
     repo::manga::get(&state.db, manga_id).await?;
 
     let limit = params.limit.clamp(1, 200);
@@ -54,6 +64,77 @@ async fn get_one(
     repo::manga::get(&state.db, manga_id).await?;
     let chapter = repo::chapter::find_by_manga_and_number(&state.db, manga_id, number)
         .await?
-        .ok_or(crate::error::AppError::NotFound)?;
+        .ok_or(AppError::NotFound)?;
     Ok(Json(chapter))
 }
+
+async fn create(
+    State(state): State<AppState>,
+    CurrentUser(_user): CurrentUser,
+    Path(manga_id): Path<Uuid>,
+    mut multipart: Multipart,
+) -> AppResult<(StatusCode, Json<Chapter>)> {
+    repo::manga::get(&state.db, manga_id).await?;
+
+    let mut metadata: Option<NewChapter> = None;
+    let mut pages: Vec<UploadedImage> = Vec::new();
+
+    while let Some(field) = next_field(&mut multipart).await? {
+        match field.name() {
+            Some("metadata") => {
+                let bytes = read_field_bytes(field).await?;
+                metadata =
+                    Some(serde_json::from_slice(&bytes).map_err(|e| {
+                        AppError::ValidationFailed {
+                            message: "metadata is not valid JSON".into(),
+                            details: json!({ "metadata": e.to_string() }),
+                        }
+                    })?);
+            }
+            Some("page") => {
+                let bytes = read_field_bytes(field).await?.to_vec();
+                let field_name = format!("page[{}]", pages.len());
+                pages.push(parse_image(bytes, state.upload.max_file_bytes, &field_name)?);
+            }
+            _ => continue,
+        }
+    }
+
+    let metadata = metadata.ok_or_else(|| AppError::ValidationFailed {
+        message: "metadata part is required".into(),
+        details: json!({ "metadata": "required" }),
+    })?;
+    if pages.is_empty() {
+        return Err(AppError::ValidationFailed {
+            message: "at least one page is required".into(),
+            details: json!({ "page": "at least one required" }),
+        });
+    }
+
+    let mut chapter = repo::chapter::create(
+        &state.db,
+        manga_id,
+        metadata.number,
+        metadata.title.as_deref(),
+    )
+    .await?;
+
+    for (idx, page) in pages.iter().enumerate() {
+        let nnnn = format!("{:04}", idx + 1);
+        let key = format!(
+            "mangas/{}/chapters/{}/pages/{}.{}",
+            manga_id, chapter.id, nnnn, page.ext
+        );
+        state.storage.put(&key, &page.bytes).await?;
+    }
+
+    let page_count = pages.len() as i32;
+    sqlx::query("UPDATE chapters SET page_count = $1 WHERE id = $2")
+        .bind(page_count)
+        .bind(chapter.id)
+        .execute(&state.db)
+        .await?;
+    chapter.page_count = page_count;
+
+    Ok((StatusCode::CREATED, Json(chapter)))
+}

backend/src/api/mangas.rs

@@ -1,7 +1,9 @@
-use axum::extract::{Path, Query, State};
+use axum::extract::{Multipart, Path, Query, State};
+use axum::http::StatusCode;
 use axum::routing::get;
 use axum::{Json, Router};
 use serde::Deserialize;
+use serde_json::json;
 use uuid::Uuid;
 
 use crate::api::pagination::PagedResponse;
@@ -10,6 +12,7 @@ use crate::auth::extractor::CurrentUser;
 use crate::domain::manga::{Manga, NewManga};
 use crate::error::{AppError, AppResult};
 use crate::repo;
+use crate::upload::{parse_image, UploadedImage};
 
 pub fn routes() -> Router<AppState> {
     Router::new()
@@ -53,13 +56,94 @@ async fn get_one(
     Ok(Json(repo::manga::get(&state.db, id).await?))
 }
 
+/// `POST /api/v1/mangas` is multipart/form-data. Parts:
+///
+/// - `metadata` (required): JSON body matching `NewManga`.
+/// - `cover` (optional): image bytes. MIME is sniffed from magic bytes
+///   (jpeg/png/webp/gif/avif); size capped at `upload.max_file_bytes`.
+///
+/// Anything else is ignored.
 async fn create(
     State(state): State<AppState>,
     CurrentUser(_user): CurrentUser,
-    Json(input): Json<NewManga>,
-) -> AppResult<Json<Manga>> {
-    if input.title.trim().is_empty() {
-        return Err(AppError::InvalidInput("title is required".into()));
+    mut multipart: Multipart,
+) -> AppResult<(StatusCode, Json<Manga>)> {
+    let mut metadata: Option<NewManga> = None;
+    let mut cover: Option<UploadedImage> = None;
+
+    while let Some(field) = next_field(&mut multipart).await? {
+        match field.name() {
+            Some("metadata") => {
+                let bytes = read_field_bytes(field).await?;
+                metadata = Some(parse_metadata_json(&bytes)?);
+            }
+            Some("cover") => {
+                let bytes = read_field_bytes(field).await?.to_vec();
+                cover = Some(parse_image(bytes, state.upload.max_file_bytes, "cover")?);
+            }
+            _ => continue,
+        }
+    }
+
+    let metadata = metadata.ok_or_else(|| AppError::ValidationFailed {
+        message: "metadata part is required".into(),
+        details: json!({ "metadata": "required" }),
+    })?;
+    validate_new_manga(&metadata)?;
+
+    let mut manga = repo::manga::create(&state.db, metadata).await?;
+
+    if let Some(img) = cover {
+        let key = format!("mangas/{}/cover.{}", manga.id, img.ext);
+        state.storage.put(&key, &img.bytes).await?;
+        sqlx::query("UPDATE mangas SET cover_image_path = $1, updated_at = now() WHERE id = $2")
+            .bind(&key)
+            .bind(manga.id)
+            .execute(&state.db)
+            .await?;
+        manga.cover_image_path = Some(key);
+    }
+
+    Ok((StatusCode::CREATED, Json(manga)))
+}
+
+fn validate_new_manga(input: &NewManga) -> AppResult<()> {
+    if input.title.trim().is_empty() {
+        return Err(AppError::ValidationFailed {
+            message: "title is required".into(),
+            details: json!({ "title": "required" }),
+        });
+    }
+    Ok(())
+}
+
+fn parse_metadata_json(bytes: &[u8]) -> AppResult<NewManga> {
+    serde_json::from_slice(bytes).map_err(|e| AppError::ValidationFailed {
+        message: "metadata is not valid JSON".into(),
+        details: json!({ "metadata": e.to_string() }),
+    })
+}
+
+pub(crate) async fn next_field(
+    multipart: &mut Multipart,
+) -> AppResult<Option<axum::extract::multipart::Field<'_>>> {
+    multipart
+        .next_field()
+        .await
+        .map_err(map_multipart_error)
+}
+
+pub(crate) async fn read_field_bytes(
+    field: axum::extract::multipart::Field<'_>,
+) -> AppResult<axum::body::Bytes> {
+    field.bytes().await.map_err(map_multipart_error)
+}
+
+fn map_multipart_error(e: axum::extract::multipart::MultipartError) -> AppError {
+    let status = e.status();
+    if status == StatusCode::PAYLOAD_TOO_LARGE {
+        AppError::PayloadTooLarge("upload exceeds the request size limit".into())
+    } else {
+        AppError::InvalidInput(format!("multipart parse error: {e}"))
     }
-    Ok(Json(repo::manga::create(&state.db, input).await?))
 }