feat: multipart manga + chapter uploads with magic-byte MIME sniff

POST /api/v1/mangas and POST /api/v1/mangas/{id}/chapters now accept
multipart/form-data, gated by CurrentUser:

- /mangas: required `metadata` part (NewManga JSON) + optional `cover`
  image part.
- /mangas/{id}/chapters: required `metadata` (NewChapter JSON) + one or
  more `page` parts ordered by arrival. Returns 404 if the parent manga
  doesn't exist, 409 on duplicate (manga_id, number).

MIME is sniffed via the `infer` crate (magic bytes), not the
client-supplied filename or Content-Type. Whitelist:
jpeg / png / webp / gif / avif. Anything else → 415
unsupported_media_type. The stored key's extension is derived from the
sniffed type so a "page1.png" that's actually a JPEG lands as `.jpg`.

Size cap is two-layer:
- Request body cap (config.max_request_bytes, default 200 MiB) enforced
  by axum's DefaultBodyLimit before the handler sees the request.
- Per-image-part cap (config.max_file_bytes, default 20 MiB) enforced
  after reading the part, so a single oversized image can't pass even
  if the total request fits.

Storage keys follow the layout documented in CLAUDE.md:
- mangas/{manga_id}/cover.{ext}
- mangas/{manga_id}/chapters/{chapter_id}/pages/{nnnn}.{ext} (1-indexed).

AppError grows PayloadTooLarge/UnsupportedMediaType/ValidationFailed
(413 / 415 / 422). ValidationFailed carries a `details` JSON object the
client can use to highlight bad fields (e.g. {"title":"required"}).
Top-level matching in code() stays exhaustive.

Backend coverage in tests/api_uploads.rs (10 cases):
- create_manga_with_cover_stores_image — file is reachable via
  /api/v1/files/{key} with the right Content-Type.
- create_manga_without_cover_leaves_path_null.
- create_manga_rejects_non_image_cover_with_415 — PDF claimed as png.
- create_manga_rejects_oversized_cover_with_413.
- create_chapter_with_pages_stores_each — extension derived from
  sniffed MIME, files reachable in arrival order.
- create_chapter_rejects_when_no_pages_with_422 — details.page set.
- create_chapter_rejects_renamed_non_image_page → 415.
- create_chapter_returns_409_on_duplicate_number.
- create_chapter_requires_authentication → 401.
- create_chapter_under_unknown_manga_is_404.

Existing tests/api_mangas.rs is migrated to multipart; the create
response is now 201 Created. tests/common::MultipartBuilder builds the
body by hand so the test crate stays free of HTTP-client deps.

Frontend lib/api/mangas.ts: createManga now sends FormData (metadata +
optional cover Blob). Browser fills in the boundary header automatically.
Vitest asserts the FormData structure via FileReader (jsdom doesn't
implement Blob.text()).

E2E tests wait for the post-hydration nav-login link before
interacting with the login form, fixing a flake where pre-hydration
clicks would submit via the browser default and bypass our handler.

Lockstep version bump to 0.5.0.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

backend/src/upload/mod.rs

@@ -0,0 +1,92 @@
+//! Shared helpers for multipart upload handlers.
+//!
+//! `parse_image` enforces the per-file size cap, sniffs the MIME by
+//! magic bytes (not by the client-supplied Content-Type or filename),
+//! and rejects anything outside the jpeg / png / webp / gif / avif
+//! whitelist with 415. Filename and extension never reach the storage
+//! key — we derive both from the sniffed type.
+
+use crate::error::{AppError, AppResult};
+
+#[derive(Debug, Clone)]
+pub struct UploadedImage {
+    pub bytes: Vec<u8>,
+    pub mime: &'static str,
+    pub ext: &'static str,
+}
+
+pub fn parse_image(bytes: Vec<u8>, max_size: usize, field_name: &str) -> AppResult<UploadedImage> {
+    if bytes.len() > max_size {
+        return Err(AppError::PayloadTooLarge(format!(
+            "{field_name} exceeds {max_size}-byte cap"
+        )));
+    }
+    let kind = infer::get(&bytes).ok_or_else(|| {
+        AppError::UnsupportedMediaType(format!("{field_name}: unrecognised image format"))
+    })?;
+    let (mime, ext) = match kind.mime_type() {
+        "image/jpeg" => ("image/jpeg", "jpg"),
+        "image/png" => ("image/png", "png"),
+        "image/webp" => ("image/webp", "webp"),
+        "image/gif" => ("image/gif", "gif"),
+        "image/avif" => ("image/avif", "avif"),
+        other => {
+            return Err(AppError::UnsupportedMediaType(format!(
+                "{field_name}: unsupported image type {other}"
+            )));
+        }
+    };
+    Ok(UploadedImage { bytes, mime, ext })
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    fn png_bytes() -> Vec<u8> {
+        // PNG magic + minimum padding so infer can identify it.
+        vec![0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0]
+    }
+
+    fn jpeg_bytes() -> Vec<u8> {
+        vec![0xff, 0xd8, 0xff, 0xe0, 0, 0x10, b'J', b'F', b'I', b'F', 0, 0]
+    }
+
+    fn pdf_bytes() -> Vec<u8> {
+        b"%PDF-1.4\n%\xc4\xe5".to_vec()
+    }
+
+    #[test]
+    fn accepts_png() {
+        let img = parse_image(png_bytes(), 1024, "cover").unwrap();
+        assert_eq!(img.mime, "image/png");
+        assert_eq!(img.ext, "png");
+    }
+
+    #[test]
+    fn accepts_jpeg() {
+        let img = parse_image(jpeg_bytes(), 1024, "cover").unwrap();
+        assert_eq!(img.mime, "image/jpeg");
+        assert_eq!(img.ext, "jpg");
+    }
+
+    #[test]
+    fn rejects_non_image_with_unsupported_media_type() {
+        let err = parse_image(pdf_bytes(), 1024, "cover").unwrap_err();
+        assert!(matches!(err, AppError::UnsupportedMediaType(_)));
+        assert_eq!(err.code(), "unsupported_media_type");
+    }
+
+    #[test]
+    fn rejects_garbage_with_unsupported_media_type() {
+        let err = parse_image(b"just some text".to_vec(), 1024, "cover").unwrap_err();
+        assert!(matches!(err, AppError::UnsupportedMediaType(_)));
+    }
+
+    #[test]
+    fn rejects_oversized() {
+        let err = parse_image(png_bytes(), 4, "cover").unwrap_err();
+        assert!(matches!(err, AppError::PayloadTooLarge(_)));
+        assert_eq!(err.code(), "payload_too_large");
+    }
+}