feat: incremental crawl mode with seed-completion gate (0.33.0)

Daemon now auto-detects mode per source: Backfill until the first
full walk records `seed_completed:<source>` in `crawler_state`, then
Incremental (newest-first, stops after N consecutive Unchanged
upserts). `CRAWLER_MODE` overrides to a fixed mode; CLI rejects
`auto` since it has no pre-run DB state.

`Source::discover` returns a lazy `DiscoverWalk` so Incremental can
break out mid-walk without prefetching pages. The drop pass and seed
marker are now gated on a true full walk — fixes a latent soft-drop
of the index tail under partial sweeps.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.gitea/README.md

@@ -1,71 +0,0 @@
-# Gitea Actions
-
-The [`deploy`](workflows/deploy.yml) workflow runs on every push to `main`
-(and via manual `workflow_dispatch`). It tests, builds, pushes the images
-to a private registry, and rolls the stack over by SSH on the target host.
-
-## Required secrets
-
-Set under *Repo Settings → Actions → Secrets*:
-
-| Name                 | Example                  | Purpose                                                          |
-| -------------------- | ------------------------ | ---------------------------------------------------------------- |
-| `REGISTRY_URL`       | `registry.example.com`   | Registry host. No scheme, no trailing slash.                     |
-| `REGISTRY_USERNAME`  | `mangalord-ci`           | `docker login` user.                                             |
-| `REGISTRY_PASSWORD`  | `<token>`                | `docker login` token/password.                                   |
-| `SSH_HOST`           | `mangalord.example.com`  | Deploy target hostname/IP.                                       |
-| `SSH_USER`           | `deploy`                 | SSH user on the target (must be in the `docker` group).          |
-| `SSH_PRIVATE_KEY`    | `-----BEGIN OPENSSH...`  | Private key authorised in the target user's `authorized_keys`.   |
-| `SSH_PORT`           | `22`                     | Optional. Defaults to `22` if unset.                             |
-
-## Required variables
-
-Set under *Repo Settings → Actions → Variables* (not secrets — they appear
-in logs):
-
-| Name          | Example                  | Purpose                                                                |
-| ------------- | ------------------------ | ---------------------------------------------------------------------- |
-| `DEPLOY_PATH` | `/srv/mangalord`         | Directory on target holding `docker-compose.yml`, `.env`, and the prod overlay. |
-
-## One-time host setup
-
-The workflow assumes the deploy target already has:
-
-1. Docker + Docker Compose v2 installed and the `SSH_USER` in the `docker` group.
-2. `$DEPLOY_PATH/docker-compose.yml` (copy of the repo's [docker-compose.yml](../docker-compose.yml)).
-3. `$DEPLOY_PATH/docker-compose.prod.yml` (copy of the repo's [docker-compose.prod.yml](../docker-compose.prod.yml)).
-4. `$DEPLOY_PATH/.env` populated from [.env.example](../.env.example) with production values (real `POSTGRES_PASSWORD`, `COOKIE_SECURE=true`, etc.).
-
-Bootstrap once:
-
-```bash
-ssh deploy@mangalord.example.com
-sudo mkdir -p /srv/mangalord && sudo chown deploy:deploy /srv/mangalord
-cd /srv/mangalord
-# place docker-compose.yml, docker-compose.prod.yml, and .env here
-```
-
-The first workflow run will pull the images, bring the stack up, and run
-the embedded migrations on startup.
-
-## Image tags
-
-Every push produces three tags per image:
-
-- `mangalord-{backend,frontend}:latest`
-- `mangalord-{backend,frontend}:<git-sha>` — used by the deploy job; lets
-  you pin a deploy to a specific commit
-- `mangalord-{backend,frontend}:<version>` — the version from
-  [backend/Cargo.toml](../backend/Cargo.toml) (verified in lockstep with
-  [frontend/package.json](../frontend/package.json))
-
-## Rollback
-
-SSH to the target, set `IMAGE_TAG` to a previous commit SHA, and re-up:
-
-```bash
-cd /srv/mangalord
-export REGISTRY_URL=registry.example.com
-export IMAGE_TAG=<previous-sha>
-docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d
-```

.gitea/workflows/deploy.yml

@@ -1,144 +0,0 @@
-name: deploy
-
-on:
-  push:
-    branches: [main]
-  workflow_dispatch:
-
-jobs:
-  test-backend:
-    runs-on: ubuntu-latest
-    container:
-      image: rust:1-slim
-    services:
-      postgres:
-        image: postgres:16-alpine
-        env:
-          POSTGRES_USER: mangalord
-          POSTGRES_PASSWORD: mangalord
-          POSTGRES_DB: mangalord
-        options: >-
-          --health-cmd "pg_isready -U mangalord"
-          --health-interval 5s
-          --health-timeout 5s
-          --health-retries 10
-    env:
-      DATABASE_URL: postgres://mangalord:mangalord@postgres:5432/mangalord
-    steps:
-      - uses: actions/checkout@v4
-      - name: Install build deps
-        run: |
-          apt-get update
-          apt-get install -y --no-install-recommends pkg-config libssl-dev ca-certificates
-      - name: Cache cargo registry and target
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/.cargo/registry
-            ~/.cargo/git
-            backend/target
-          key: cargo-${{ runner.os }}-${{ hashFiles('backend/Cargo.lock') }}
-          restore-keys: |
-            cargo-${{ runner.os }}-
-      - name: cargo test
-        working-directory: backend
-        run: cargo test --locked
-
-  test-frontend:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: '22'
-          cache: npm
-          cache-dependency-path: frontend/package-lock.json
-      - name: npm ci
-        working-directory: frontend
-        run: npm ci
-      - name: vitest
-        working-directory: frontend
-        run: npm test
-
-  build-and-push:
-    runs-on: ubuntu-latest
-    needs: [test-backend, test-frontend]
-    outputs:
-      image_tag: ${{ steps.meta.outputs.image_tag }}
-      version: ${{ steps.meta.outputs.version }}
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Resolve image tags
-        id: meta
-        run: |
-          version="$(grep -m1 '^version' backend/Cargo.toml | cut -d'"' -f2)"
-          frontend_version="$(grep -m1 '"version"' frontend/package.json | cut -d'"' -f4)"
-          if [ "$version" != "$frontend_version" ]; then
-            echo "Version mismatch: backend=$version frontend=$frontend_version" >&2
-            exit 1
-          fi
-          echo "image_tag=${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
-          echo "version=${version}" >> "$GITHUB_OUTPUT"
-
-      - uses: docker/setup-buildx-action@v3
-
-      - name: docker login
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ secrets.REGISTRY_URL }}
-          username: ${{ secrets.REGISTRY_USERNAME }}
-          password: ${{ secrets.REGISTRY_PASSWORD }}
-
-      - name: Build & push backend
-        uses: docker/build-push-action@v5
-        with:
-          context: ./backend
-          push: true
-          tags: |
-            ${{ secrets.REGISTRY_URL }}/mangalord-backend:latest
-            ${{ secrets.REGISTRY_URL }}/mangalord-backend:${{ steps.meta.outputs.image_tag }}
-            ${{ secrets.REGISTRY_URL }}/mangalord-backend:${{ steps.meta.outputs.version }}
-          cache-from: type=gha,scope=backend
-          cache-to: type=gha,mode=max,scope=backend
-
-      - name: Build & push frontend
-        uses: docker/build-push-action@v5
-        with:
-          context: ./frontend
-          push: true
-          tags: |
-            ${{ secrets.REGISTRY_URL }}/mangalord-frontend:latest
-            ${{ secrets.REGISTRY_URL }}/mangalord-frontend:${{ steps.meta.outputs.image_tag }}
-            ${{ secrets.REGISTRY_URL }}/mangalord-frontend:${{ steps.meta.outputs.version }}
-          cache-from: type=gha,scope=frontend
-          cache-to: type=gha,mode=max,scope=frontend
-
-  deploy:
-    runs-on: ubuntu-latest
-    needs: build-and-push
-    steps:
-      - name: SSH deploy
-        uses: appleboy/ssh-action@v1.0.3
-        with:
-          host: ${{ secrets.SSH_HOST }}
-          username: ${{ secrets.SSH_USER }}
-          key: ${{ secrets.SSH_PRIVATE_KEY }}
-          port: ${{ secrets.SSH_PORT || 22 }}
-          envs: REGISTRY_URL,REGISTRY_USERNAME,REGISTRY_PASSWORD,IMAGE_TAG,DEPLOY_PATH
-          script_stop: true
-          script: |
-            set -euo pipefail
-            cd "$DEPLOY_PATH"
-            echo "$REGISTRY_PASSWORD" | docker login "$REGISTRY_URL" -u "$REGISTRY_USERNAME" --password-stdin
-            export REGISTRY_URL IMAGE_TAG
-            docker compose -f docker-compose.yml -f docker-compose.prod.yml pull
-            docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d
-            docker image prune -f
-            docker logout "$REGISTRY_URL"
-        env:
-          REGISTRY_URL: ${{ secrets.REGISTRY_URL }}
-          REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
-          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
-          IMAGE_TAG: ${{ needs.build-and-push.outputs.image_tag }}
-          DEPLOY_PATH: ${{ vars.DEPLOY_PATH }}

backend/Cargo.lock

@@ -1470,7 +1470,7 @@ checksum = "c41e0c4fef86961ac6d6f8a82609f55f31b05e4fce149ac5710e439df7619ba4"
 
 [[package]]
 name = "mangalord"
-version = "0.34.1"
+version = "0.33.0"
 dependencies = [
  "anyhow",
  "argon2",

backend/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "mangalord"
-version = "0.34.1"
+version = "0.33.0"
 edition = "2021"
 default-run = "mangalord"
 

backend/src/api/mangas.rs

@@ -196,14 +196,16 @@ async fn create(
 
 async fn update(
     State(state): State<AppState>,
-    CurrentUser(user): CurrentUser,
+    CurrentUser(_user): CurrentUser,
     Path(id): Path<Uuid>,
     Json(patch): Json<MangaPatch>,
 ) -> AppResult<Json<MangaDetail>> {
+    // TODO(auth): until uploaders are tracked (Phase 5), any signed-in
+    // user can edit any manga. Restrict to uploader + admin once that
+    // column lands.
     if !repo::manga::exists(&state.db, id).await? {
         return Err(AppError::NotFound);
     }
-    require_can_edit(&state, id, user.id).await?;
 
     if let Some(ref status) = patch.status {
         let trimmed = status.trim();
@@ -267,14 +269,16 @@ async fn update(
 /// `MangaDetail`.
 async fn put_cover(
     State(state): State<AppState>,
-    CurrentUser(user): CurrentUser,
+    CurrentUser(_user): CurrentUser,
     Path(id): Path<Uuid>,
     mut multipart: Multipart,
 ) -> AppResult<Json<MangaDetail>> {
+    // TODO(auth): until uploaders are tracked (Phase 5), any signed-in
+    // user can edit any manga's cover. Restrict to uploader + admin
+    // once that column lands.
     if !repo::manga::exists(&state.db, id).await? {
         return Err(AppError::NotFound);
     }
-    require_can_edit(&state, id, user.id).await?;
 
     let mut cover: Option<UploadedImage> = None;
     while let Some(field) = next_field(&mut multipart).await? {
@@ -316,13 +320,13 @@ async fn put_cover(
 /// with the unchanged detail.
 async fn delete_cover(
     State(state): State<AppState>,
-    CurrentUser(user): CurrentUser,
+    CurrentUser(_user): CurrentUser,
     Path(id): Path<Uuid>,
 ) -> AppResult<Json<MangaDetail>> {
+    // TODO(auth): same caveat as put_cover.
     if !repo::manga::exists(&state.db, id).await? {
         return Err(AppError::NotFound);
     }
-    require_can_edit(&state, id, user.id).await?;
     if let Some(key) = repo::manga::get(&state.db, id).await?.cover_image_path {
         match state.storage.delete(&key).await {
             Ok(()) | Err(StorageError::NotFound) => {}
@@ -409,30 +413,6 @@ fn validate_new_manga(input: &NewManga) -> AppResult<()> {
     Ok(())
 }
 
-/// Authorisation gate for manga mutations. The manga is assumed to
-/// exist (the caller runs [`repo::manga::exists`] first so a missing id
-/// surfaces as `NotFound`, not `Forbidden`).
-///
-/// Rule: a non-NULL `uploaded_by` must match the current user. Legacy
-/// rows with `uploaded_by IS NULL` (pre-migration-0011) are still
-/// editable by any signed-in user — there's nobody to gate on yet, and
-/// the historical-data note in 0011 acknowledges the gap. Once an
-/// admin role lands the NULL case can flip to admin-only.
-///
-/// Returns `Forbidden` (not `NotFound`) on owner mismatch — mangas
-/// are listable via `GET /mangas`, so existence isn't a secret and
-/// the more accurate 403 is fine. This deliberately differs from
-/// `repo::collection::require_owner`, which collapses both states to
-/// `NotFound` because collections are private to a user and existence
-/// itself is information worth hiding from non-owners.
-async fn require_can_edit(state: &AppState, manga_id: Uuid, user_id: Uuid) -> AppResult<()> {
-    match repo::manga::uploaded_by(&state.db, manga_id).await? {
-        Some(owner) if owner != user_id => Err(AppError::Forbidden),
-        // Some(owner) == user_id (good) or None (legacy row, no owner).
-        _ => Ok(()),
-    }
-}
-
 async fn validate_genre_ids(state: &AppState, ids: &[Uuid]) -> AppResult<()> {
     if ids.is_empty() {
         return Ok(());

backend/src/repo/manga.rs

@@ -281,17 +281,3 @@ pub async fn exists(pool: &PgPool, id: Uuid) -> AppResult<bool> {
             .await?;
     Ok(exists)
 }
-
-/// Returns the uploader's user id for a manga. `None` either when the
-/// manga doesn't exist or when the row predates the `uploaded_by`
-/// column (historical NULL — see migration 0011). Callers must
-/// distinguish "manga missing" via [`exists`] before relying on this
-/// to make an authz decision.
-pub async fn uploaded_by(pool: &PgPool, id: Uuid) -> AppResult<Option<Uuid>> {
-    let row: Option<(Option<Uuid>,)> =
-        sqlx::query_as("SELECT uploaded_by FROM mangas WHERE id = $1")
-            .bind(id)
-            .fetch_optional(pool)
-            .await?;
-    Ok(row.and_then(|(u,)| u))
-}

backend/tests/api_mangas_cover.rs

@@ -410,53 +410,3 @@ async fn delete_cover_404_on_unknown_id(pool: PgPool) {
         .unwrap();
     assert_eq!(resp.status(), StatusCode::NOT_FOUND);
 }
-
-/// Authz: PUT /mangas/:id/cover must be uploader-only.
-#[sqlx::test(migrations = "./migrations")]
-async fn put_cover_forbidden_for_non_uploader(pool: PgPool) {
-    let h = harness(pool);
-    let (_, owner_cookie) = register_user(&h.app).await;
-    let (_, intruder_cookie) = register_user(&h.app).await;
-
-    let manga =
-        create_manga_with_cover(&h.app, &owner_cookie, "Mine", None).await;
-    let id = id_of(&manga);
-
-    let resp = h
-        .app
-        .oneshot(put_multipart_with_cookie(
-            &format!("/api/v1/mangas/{id}/cover"),
-            cover_form(&fake_png_bytes()),
-            &intruder_cookie,
-        ))
-        .await
-        .unwrap();
-    assert_eq!(resp.status(), StatusCode::FORBIDDEN);
-}
-
-/// Authz: DELETE /mangas/:id/cover must be uploader-only.
-#[sqlx::test(migrations = "./migrations")]
-async fn delete_cover_forbidden_for_non_uploader(pool: PgPool) {
-    let h = harness(pool);
-    let (_, owner_cookie) = register_user(&h.app).await;
-    let (_, intruder_cookie) = register_user(&h.app).await;
-
-    let manga = create_manga_with_cover(
-        &h.app,
-        &owner_cookie,
-        "Mine",
-        Some(("image/jpeg", &fake_jpeg_bytes())),
-    )
-    .await;
-    let id = id_of(&manga);
-
-    let resp = h
-        .app
-        .oneshot(delete_with_cookie(
-            &format!("/api/v1/mangas/{id}/cover"),
-            &intruder_cookie,
-        ))
-        .await
-        .unwrap();
-    assert_eq!(resp.status(), StatusCode::FORBIDDEN);
-}

backend/tests/api_mangas_metadata.rs

@@ -566,78 +566,3 @@ async fn patch_requires_authentication(pool: PgPool) {
         .unwrap();
     assert_eq!(resp.status(), StatusCode::UNAUTHORIZED);
 }
-
-/// A signed-in user who didn't upload the manga must not be able to
-/// PATCH it. Without the uploader-gate this returned 200 — see
-/// REVIEW.md "manga PATCH / cover endpoints don't check ownership".
-#[sqlx::test(migrations = "./migrations")]
-async fn patch_forbidden_for_non_uploader(pool: PgPool) {
-    let h = common::harness(pool);
-    let (_, owner_cookie) = common::register_user(&h.app).await;
-    let (_, intruder_cookie) = common::register_user(&h.app).await;
-
-    let created = create_manga(&h.app, &owner_cookie, json!({ "title": "Mine" })).await;
-    let id = id_of(&created);
-
-    let resp = h
-        .app
-        .oneshot(common::patch_json_with_cookie(
-            &format!("/api/v1/mangas/{id}"),
-            json!({ "status": "completed" }),
-            &intruder_cookie,
-        ))
-        .await
-        .unwrap();
-    assert_eq!(resp.status(), StatusCode::FORBIDDEN);
-}
-
-/// Owner can still edit their own manga (regression guard for the
-/// authz fix).
-#[sqlx::test(migrations = "./migrations")]
-async fn patch_allowed_for_uploader(pool: PgPool) {
-    let h = common::harness(pool);
-    let (_, cookie) = common::register_user(&h.app).await;
-    let created = create_manga(&h.app, &cookie, json!({ "title": "Owned" })).await;
-    let id = id_of(&created);
-    let resp = h
-        .app
-        .oneshot(common::patch_json_with_cookie(
-            &format!("/api/v1/mangas/{id}"),
-            json!({ "status": "completed" }),
-            &cookie,
-        ))
-        .await
-        .unwrap();
-    assert_eq!(resp.status(), StatusCode::OK);
-}
-
-/// Legacy rows with `uploaded_by IS NULL` (created before migration
-/// 0011) remain editable by any signed-in user. Without this carve-out
-/// the historical-data note in 0011 would be broken.
-#[sqlx::test(migrations = "./migrations")]
-async fn patch_allowed_on_legacy_null_uploader(pool: PgPool) {
-    let h = common::harness(pool.clone());
-    let (_, cookie) = common::register_user(&h.app).await;
-    let created = create_manga(&h.app, &cookie, json!({ "title": "Legacy" })).await;
-    let id = id_of(&created);
-
-    // Simulate a row uploaded before the column existed: clear
-    // uploaded_by directly via SQL.
-    sqlx::query("UPDATE mangas SET uploaded_by = NULL WHERE id = $1")
-        .bind(id)
-        .execute(&pool)
-        .await
-        .unwrap();
-
-    let (_, other_cookie) = common::register_user(&h.app).await;
-    let resp = h
-        .app
-        .oneshot(common::patch_json_with_cookie(
-            &format!("/api/v1/mangas/{id}"),
-            json!({ "status": "completed" }),
-            &other_cookie,
-        ))
-        .await
-        .unwrap();
-    assert_eq!(resp.status(), StatusCode::OK);
-}

docker-compose.prod.yml

@@ -1,22 +0,0 @@
-# Production overlay: layer on top of docker-compose.yml on the deploy
-# host so the backend and frontend run from pre-built registry images
-# instead of building locally.
-#
-#   docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d
-#
-# REGISTRY_URL and IMAGE_TAG are injected by .gitea/workflows/deploy.yml
-# at deploy time. IMAGE_TAG defaults to `latest` so a manual
-# `docker compose ... up -d` on the host still works.
-
-services:
-  backend:
-    build: !reset null
-    image: ${REGISTRY_URL}/mangalord-backend:${IMAGE_TAG:-latest}
-    pull_policy: always
-    restart: unless-stopped
-
-  frontend:
-    build: !reset null
-    image: ${REGISTRY_URL}/mangalord-frontend:${IMAGE_TAG:-latest}
-    pull_policy: always
-    restart: unless-stopped

frontend/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mangalord-frontend",
-  "version": "0.34.1",
+  "version": "0.33.0",
   "private": true,
   "type": "module",
   "scripts": {