feat: incremental crawl mode with seed-completion gate (0.33.0)

Daemon now auto-detects mode per source: Backfill until the first full walk records `seed_completed:<source>` in `crawler_state`, then Incremental (newest-first, stops after N consecutive Unchanged upserts). `CRAWLER_MODE` overrides to a fixed mode; CLI rejects `auto` since it has no pre-run DB state. `Source::discover` returns a lazy `DiscoverWalk` so Incremental can break out mid-walk without prefetching pages. The drop pass and seed marker are now gated on a true full walk — fixes a latent soft-drop of the index tail under partial sweeps. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-28 06:41:16 +02:00
19 changed files with 152 additions and 522 deletions
--- a/.gitea/README.md
+++ b/.gitea/README.md
@@ -1,71 +0,0 @@
 # Gitea Actions
 The [`deploy`](workflows/deploy.yml) workflow runs on every push to `main`
 (and via manual `workflow_dispatch`). It tests, builds, pushes the images
 to a private registry, and rolls the stack over by SSH on the target host.
 ## Required secrets
 Set under *Repo Settings → Actions → Secrets*:
 | Name                 | Example                  | Purpose                                                          |
 | -------------------- | ------------------------ | ---------------------------------------------------------------- |
 | `REGISTRY_URL`       | `registry.example.com`   | Registry host. No scheme, no trailing slash.                     |
 | `REGISTRY_USERNAME`  | `mangalord-ci`           | `docker login` user.                                             |
 | `REGISTRY_PASSWORD`  | `<token>`                | `docker login` token/password.                                   |
 | `SSH_HOST`           | `mangalord.example.com`  | Deploy target hostname/IP.                                       |
 | `SSH_USER`           | `deploy`                 | SSH user on the target (must be in the `docker` group).          |
 | `SSH_PRIVATE_KEY`    | `-----BEGIN OPENSSH...`  | Private key authorised in the target user's `authorized_keys`.   |
 | `SSH_PORT`           | `22`                     | Optional. Defaults to `22` if unset.                             |
 ## Required variables
 Set under *Repo Settings → Actions → Variables* (not secrets — they appear
 in logs):
 | Name          | Example                  | Purpose                                                                |
 | ------------- | ------------------------ | ---------------------------------------------------------------------- |
 | `DEPLOY_PATH` | `/srv/mangalord`         | Directory on target holding `docker-compose.yml`, `.env`, and the prod overlay. |
 ## One-time host setup
 The workflow assumes the deploy target already has:
 1. Docker + Docker Compose v2 installed and the `SSH_USER` in the `docker` group.
 2. `$DEPLOY_PATH/docker-compose.yml` (copy of the repo's [docker-compose.yml](../docker-compose.yml)).
 3. `$DEPLOY_PATH/docker-compose.prod.yml` (copy of the repo's [docker-compose.prod.yml](../docker-compose.prod.yml)).
 4. `$DEPLOY_PATH/.env` populated from [.env.example](../.env.example) with production values (real `POSTGRES_PASSWORD`, `COOKIE_SECURE=true`, etc.).
 Bootstrap once:
 ```bash
 ssh deploy@mangalord.example.com
 sudo mkdir -p /srv/mangalord && sudo chown deploy:deploy /srv/mangalord
 cd /srv/mangalord
 # place docker-compose.yml, docker-compose.prod.yml, and .env here
 ```
 The first workflow run will pull the images, bring the stack up, and run
 the embedded migrations on startup.
 ## Image tags
 Every push produces three tags per image:
 - `mangalord-{backend,frontend}:latest`
 - `mangalord-{backend,frontend}:<git-sha>` — used by the deploy job; lets
  you pin a deploy to a specific commit
 - `mangalord-{backend,frontend}:<version>` — the version from
  [backend/Cargo.toml](../backend/Cargo.toml) (verified in lockstep with
  [frontend/package.json](../frontend/package.json))
 ## Rollback
 SSH to the target, set `IMAGE_TAG` to a previous commit SHA, and re-up:
 ```bash
 cd /srv/mangalord
 export REGISTRY_URL=registry.example.com
 export IMAGE_TAG=<previous-sha>
 docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d
 ```
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -1,144 +0,0 @@
 name: deploy
 on:
  push:
    branches: [main]
  workflow_dispatch:
 jobs:
  test-backend:
    runs-on: ubuntu-latest
    container:
      image: rust:1-slim
    services:
      postgres:
        image: postgres:16-alpine
        env:
          POSTGRES_USER: mangalord
          POSTGRES_PASSWORD: mangalord
          POSTGRES_DB: mangalord
        options: >-
          --health-cmd "pg_isready -U mangalord"
          --health-interval 5s
          --health-timeout 5s
          --health-retries 10
    env:
      DATABASE_URL: postgres://mangalord:mangalord@postgres:5432/mangalord
    steps:
      - uses: actions/checkout@v4
      - name: Install build deps
        run: |
          apt-get update
          apt-get install -y --no-install-recommends pkg-config libssl-dev ca-certificates
      - name: Cache cargo registry and target
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            backend/target
          key: cargo-${{ runner.os }}-${{ hashFiles('backend/Cargo.lock') }}
          restore-keys: |
            cargo-${{ runner.os }}-
      - name: cargo test
        working-directory: backend
        run: cargo test --locked
  test-frontend:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '22'
          cache: npm
          cache-dependency-path: frontend/package-lock.json
      - name: npm ci
        working-directory: frontend
        run: npm ci
      - name: vitest
        working-directory: frontend
        run: npm test
  build-and-push:
    runs-on: ubuntu-latest
    needs: [test-backend, test-frontend]
    outputs:
      image_tag: ${{ steps.meta.outputs.image_tag }}
      version: ${{ steps.meta.outputs.version }}
    steps:
      - uses: actions/checkout@v4
      - name: Resolve image tags
        id: meta
        run: |
          version="$(grep -m1 '^version' backend/Cargo.toml | cut -d'"' -f2)"
          frontend_version="$(grep -m1 '"version"' frontend/package.json | cut -d'"' -f4)"
          if [ "$version" != "$frontend_version" ]; then
            echo "Version mismatch: backend=$version frontend=$frontend_version" >&2
            exit 1
          fi
          echo "image_tag=${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
          echo "version=${version}" >> "$GITHUB_OUTPUT"
      - uses: docker/setup-buildx-action@v3
      - name: docker login
        uses: docker/login-action@v3
        with:
          registry: ${{ secrets.REGISTRY_URL }}
          username: ${{ secrets.REGISTRY_USERNAME }}
          password: ${{ secrets.REGISTRY_PASSWORD }}
      - name: Build & push backend
        uses: docker/build-push-action@v5
        with:
          context: ./backend
          push: true
          tags: |
            ${{ secrets.REGISTRY_URL }}/mangalord-backend:latest
            ${{ secrets.REGISTRY_URL }}/mangalord-backend:${{ steps.meta.outputs.image_tag }}
            ${{ secrets.REGISTRY_URL }}/mangalord-backend:${{ steps.meta.outputs.version }}
          cache-from: type=gha,scope=backend
          cache-to: type=gha,mode=max,scope=backend
      - name: Build & push frontend
        uses: docker/build-push-action@v5
        with:
          context: ./frontend
          push: true
          tags: |
            ${{ secrets.REGISTRY_URL }}/mangalord-frontend:latest
            ${{ secrets.REGISTRY_URL }}/mangalord-frontend:${{ steps.meta.outputs.image_tag }}
            ${{ secrets.REGISTRY_URL }}/mangalord-frontend:${{ steps.meta.outputs.version }}
          cache-from: type=gha,scope=frontend
          cache-to: type=gha,mode=max,scope=frontend
  deploy:
    runs-on: ubuntu-latest
    needs: build-and-push
    steps:
      - name: SSH deploy
        uses: appleboy/ssh-action@v1.0.3
        with:
          host: ${{ secrets.SSH_HOST }}
          username: ${{ secrets.SSH_USER }}
          key: ${{ secrets.SSH_PRIVATE_KEY }}
          port: ${{ secrets.SSH_PORT || 22 }}
          envs: REGISTRY_URL,REGISTRY_USERNAME,REGISTRY_PASSWORD,IMAGE_TAG,DEPLOY_PATH
          script_stop: true
          script: |
            set -euo pipefail
            cd "$DEPLOY_PATH"
            echo "$REGISTRY_PASSWORD" | docker login "$REGISTRY_URL" -u "$REGISTRY_USERNAME" --password-stdin
            export REGISTRY_URL IMAGE_TAG
            docker compose -f docker-compose.yml -f docker-compose.prod.yml pull
            docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d
            docker image prune -f
            docker logout "$REGISTRY_URL"
        env:
          REGISTRY_URL: ${{ secrets.REGISTRY_URL }}
          REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
          IMAGE_TAG: ${{ needs.build-and-push.outputs.image_tag }}
          DEPLOY_PATH: ${{ vars.DEPLOY_PATH }}
--- a/backend/Cargo.lock
+++ b/backend/Cargo.lock
@@ -1470,7 +1470,7 @@ checksum = "c41e0c4fef86961ac6d6f8a82609f55f31b05e4fce149ac5710e439df7619ba4"
 [[package]]
 name = "mangalord"
-version = "0.34.0"
+version = "0.33.0"
 dependencies = [
 "anyhow",
 "argon2",
--- a/backend/Cargo.toml
+++ b/backend/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "mangalord"
-version = "0.34.0"
+version = "0.33.0"
 edition = "2021"
 default-run = "mangalord"
--- a/backend/src/api/bookmarks.rs
+++ b/backend/src/api/bookmarks.rs
@@ -67,7 +67,14 @@ async fn create(
    // the foreign-key violation collapse into a generic 500.
    repo::manga::get(&state.db, input.manga_id).await?;
    if let Some(chapter_id) = input.chapter_id {
-        if !repo::chapter::belongs_to_manga(&state.db, chapter_id, input.manga_id).await? {
+        let exists: Option<(Uuid,)> = sqlx::query_as(
            "SELECT id FROM chapters WHERE id = $1 AND manga_id = $2",
        )
        .bind(chapter_id)
        .bind(input.manga_id)
        .fetch_optional(&state.db)
        .await?;
        if exists.is_none() {
            return Err(AppError::NotFound);
        }
    }
--- a/backend/src/app.rs
+++ b/backend/src/app.rs
@@ -304,9 +304,18 @@ impl ChapterDispatcher for RealChapterDispatcher {
                chapter_id,
                source_chapter_key: _,
            } => {
-                let row = repo::chapter::dispatch_target(&self.db, chapter_id)
+                // Look up manga_id + source_url for this chapter.
-                    .await
+                let row: Option<(uuid::Uuid, String)> = sqlx::query_as(
-                    .context("look up chapter for dispatch")?;
+                    "SELECT c.manga_id, cs.source_url \
                       FROM chapters c \
                       JOIN chapter_sources cs ON cs.chapter_id = c.id \
                      WHERE c.id = $1 \
                      LIMIT 1",
                )
                .bind(chapter_id)
                .fetch_optional(&self.db)
                .await
                .context("look up chapter for dispatch")?;
                let Some((manga_id, source_url)) = row else {
                    // Chapter (or its source row) is gone — ack done.
                    return Ok(SyncOutcome::Skipped);
--- a/backend/src/crawler/daemon.rs
+++ b/backend/src/crawler/daemon.rs
@@ -317,10 +317,14 @@ impl WorkerContext {
        // (because a force-refetch race or a job that was re-enqueued
        // after a previous one finished), ack done without re-fetching.
        if let JobPayload::SyncChapterContent { chapter_id, .. } = &lease.payload {
-            let page_count = crate::repo::chapter::page_count(&self.pool, *chapter_id)
+            let page_count: Option<i32> = sqlx::query_scalar(
-                .await
+                "SELECT page_count FROM chapters WHERE id = $1",
-                .ok()
+            )
-                .flatten();
+            .bind(chapter_id)
            .fetch_optional(&self.pool)
            .await
            .ok()
            .flatten();
            if matches!(page_count, Some(n) if n > 0) {
                let _ = jobs::ack_done(&self.pool, lease.id).await;
                return;
--- a/backend/src/crawler/mod.rs
+++ b/backend/src/crawler/mod.rs
@@ -24,4 +24,3 @@ pub mod pipeline;
 pub mod rate_limit;
 pub mod session;
 pub mod source;
 pub mod url_utils;
--- a/backend/src/crawler/pipeline.rs
+++ b/backend/src/crawler/pipeline.rs
@@ -427,7 +427,11 @@ async fn download_and_store_cover(
    Ok(())
 }
-use crate::crawler::url_utils::origin_of;
+fn origin_of(url: &str) -> Option<String> {
    let (scheme, rest) = url.split_once("://")?;
    let host = rest.split('/').next()?;
    Some(format!("{scheme}://{host}"))
 }
 #[cfg(test)]
 mod tests {
--- a/backend/src/crawler/rate_limit.rs
+++ b/backend/src/crawler/rate_limit.rs
@@ -98,9 +98,15 @@ impl HostRateLimiters {
    }
 }
-// `host_of` was duplicated across session/rate_limit/pipeline; the
+/// Extract the host (no port) from a URL string. Returns `None` for
-// canonical version now lives in `crawler::url_utils`.
+/// inputs without a `scheme://host` shape — those would never have
-use crate::crawler::url_utils::host_of;
+/// reached the network layer anyway.
 fn host_of(url: &str) -> Option<String> {
    let after_scheme = url.split_once("://")?.1;
    let host_with_port = after_scheme.split('/').next()?;
    let host = host_with_port.rsplit_once(':').map_or(host_with_port, |(h, _)| h);
    (!host.is_empty()).then(|| host.to_ascii_lowercase())
 }
 #[cfg(test)]
 mod tests {
--- a/backend/src/crawler/session.rs
+++ b/backend/src/crawler/session.rs
@@ -42,9 +42,36 @@ pub enum SessionProbe {
    Transient,
 }
-/// Re-export so existing callers keep working after the helper moved
+/// Compute the cookie domain (e.g. `.example.com`) from a start URL.
-/// to `crawler::url_utils`. The body lives there.
+/// The leading dot makes the cookie cover every subdomain — the source
-pub use crate::crawler::url_utils::registrable_domain;
+/// often redirects between `www.` and other prefixes mid-crawl, and a
 /// host-only cookie would silently drop on the cross-subdomain hop.
 ///
 /// Caveat: this takes the last two dot-labels, which is wrong for
 /// multi-part TLDs (`.co.uk`, `.com.br` would resolve to `.co.uk` and
 /// attach to every site on `.co.uk`). For those, the operator should
 /// override via `CRAWLER_COOKIE_DOMAIN` rather than relying on this
 /// function — pulling in the Public Suffix List for one knob isn't
 /// worth it yet.
 pub fn registrable_domain(url: &str) -> Option<String> {
    let after_scheme = url.split_once("://")?.1;
    let host_with_port = after_scheme.split('/').next()?;
    let host = host_with_port
        .rsplit_once(':')
        .map_or(host_with_port, |(h, _)| h)
        .to_ascii_lowercase();
    if host.is_empty() {
        return None;
    }
    let labels: Vec<&str> = host.split('.').filter(|l| !l.is_empty()).collect();
    if labels.len() < 2 {
        // Bare hostname (e.g. `localhost`) — return as-is, no leading
        // dot. Setting `.localhost` as cookie domain is invalid.
        return Some(host);
    }
    let registrable = &labels[labels.len() - 2..];
    Some(format!(".{}", registrable.join(".")))
 }
 /// Inject the PHPSESSID cookie into the browser's cookie store for the
 /// catalog domain. Must be called before any navigation that depends on
@@ -165,8 +192,44 @@ async fn fetch_probe_html(browser: &Browser, probe_url: &str) -> anyhow::Result<
 mod tests {
    use super::*;
-    // registrable_domain tests live in crawler::url_utils now —
+    #[test]
-    // it's the canonical home for that helper.
+    fn registrable_domain_strips_subdomain() {
        assert_eq!(
            registrable_domain("https://www.target-site.com/manga/foo/").as_deref(),
            Some(".target-site.com")
        );
        assert_eq!(
            registrable_domain("https://m.example.org").as_deref(),
            Some(".example.org")
        );
    }
    #[test]
    fn registrable_domain_keeps_two_label_host() {
        assert_eq!(
            registrable_domain("https://example.com/").as_deref(),
            Some(".example.com")
        );
    }
    #[test]
    fn registrable_domain_handles_port() {
        assert_eq!(
            registrable_domain("http://www.foo.bar:8080/x").as_deref(),
            Some(".foo.bar")
        );
    }
    #[test]
    fn registrable_domain_bare_hostname_no_leading_dot() {
        // .localhost would be invalid as a cookie Domain.
        assert_eq!(registrable_domain("http://localhost:5173").as_deref(), Some("localhost"));
    }
    #[test]
    fn registrable_domain_returns_none_for_garbage() {
        assert!(registrable_domain("not a url").is_none());
    }
    #[test]
    fn classify_probe_ok_when_logo_and_avatar_present() {
--- a/backend/src/crawler/url_utils.rs
+++ b/backend/src/crawler/url_utils.rs
@@ -1,194 +0,0 @@
 //! Centralised URL helpers for the crawler subsystem.
 //!
 //! Three near-identical hand-rolled URL parsers used to live in
 //! `crawler::session`, `crawler::rate_limit`, and `crawler::pipeline`
 //! respectively, each with subtly different edge-case behaviour
 //! around port handling and IPv6 literals. They're consolidated here
 //! so the divergence can't drift again.
 //!
 //! The hand-rolled implementations are kept intentionally — they
 //! preserve the exact semantics every existing test pins. A future
 //! refactor can switch to `reqwest::Url` if it can be done without
 //! changing those semantics.
 /// Lowercased host (no port). Returns `None` for inputs without a
 /// `scheme://host` shape — those would never have reached the network
 /// layer anyway. Used by the per-host rate limiter as its bucket key.
 ///
 /// IPv6 literals are kept in their `[::1]` bracketed form so the
 /// `rsplit_once(':')` port-stripping logic doesn't split inside the
 /// address (e.g. `https://[::1]/foo` used to return `"[:"` because
 /// the rightmost `:` is inside the literal). Buckets keyed by
 /// `[::1]` vs `::1` are still uniquely-per-host; the brackets are
 /// cosmetic.
 pub fn host_of(url: &str) -> Option<String> {
    let after_scheme = url.split_once("://")?.1;
    let host_with_port = after_scheme.split('/').next()?;
    let host = if host_with_port.starts_with('[') {
        // IPv6 literal: keep through the closing bracket. There may
        // be a trailing `:port` after `]`; strip only that.
        match host_with_port.rfind(']') {
            Some(end) => &host_with_port[..=end],
            None => host_with_port,
        }
    } else {
        // Hostnames and IPv4 literals: trailing `:port` (if any) is
        // after the last `:`.
        host_with_port
            .rsplit_once(':')
            .map_or(host_with_port, |(h, _)| h)
    };
    (!host.is_empty()).then(|| host.to_ascii_lowercase())
 }
 /// `scheme://host` with no path or port stripping. Used by the metadata
 /// pass to seed `sources.base_url` from `CRAWLER_START_URL`.
 pub fn origin_of(url: &str) -> Option<String> {
    let (scheme, rest) = url.split_once("://")?;
    let host = rest.split('/').next()?;
    Some(format!("{scheme}://{host}"))
 }
 /// Approximate registrable-domain calculation: take the last two
 /// dot-labels of the host, prefix with `.`. Used to set a parent-
 /// domain cookie so the catalog's `www.` / `m.` redirects don't drop
 /// the cookie mid-crawl.
 ///
 /// Caveat: wrong for multi-part TLDs (`.co.uk`, `.com.br`). The
 /// operator can override via `CRAWLER_COOKIE_DOMAIN`; pulling in the
 /// Public Suffix List for one knob isn't worth it yet.
 ///
 /// Bare hostnames (e.g. `localhost`) return the host as-is, with no
 /// leading dot — setting `.localhost` as a cookie domain is invalid.
 /// IPv6 literals (e.g. `[::1]`) are returned bracketed and unchanged;
 /// the browser will reject them as a cookie `Domain` anyway, but the
 /// representation stays sensible. Same `starts_with('[')` branch as
 /// [`host_of`] for consistent IPv6 handling across the module.
 pub fn registrable_domain(url: &str) -> Option<String> {
    let after_scheme = url.split_once("://")?.1;
    let host_with_port = after_scheme.split('/').next()?;
    let host_str = if host_with_port.starts_with('[') {
        // IPv6 literal: keep through the closing bracket; an optional
        // `:port` follows `]`.
        match host_with_port.rfind(']') {
            Some(end) => &host_with_port[..=end],
            None => host_with_port,
        }
    } else {
        host_with_port
            .rsplit_once(':')
            .map_or(host_with_port, |(h, _)| h)
    };
    let host = host_str.to_ascii_lowercase();
    if host.is_empty() {
        return None;
    }
    let labels: Vec<&str> = host.split('.').filter(|l| !l.is_empty()).collect();
    if labels.len() < 2 {
        return Some(host);
    }
    let registrable = &labels[labels.len() - 2..];
    Some(format!(".{}", registrable.join(".")))
 }
 #[cfg(test)]
 mod tests {
    use super::*;
    #[test]
    fn host_of_strips_port_and_lowercases() {
        assert_eq!(
            host_of("https://CDN.Example.com:443/x").as_deref(),
            Some("cdn.example.com")
        );
        assert_eq!(host_of("http://localhost/").as_deref(), Some("localhost"));
        assert_eq!(host_of("not a url"), None);
    }
    #[test]
    fn host_of_keeps_bracketed_ipv6_literal_intact() {
        // Regression: the old impl rsplit_once(':')'d the IPv6 address,
        // returning "[:" instead of "[::1]". A real IPv6 source would
        // silently get a wrong rate-limit bucket key.
        assert_eq!(host_of("https://[::1]/").as_deref(), Some("[::1]"));
        assert_eq!(host_of("https://[::1]:8080/").as_deref(), Some("[::1]"));
        assert_eq!(
            host_of("https://[2001:db8::1]/foo").as_deref(),
            Some("[2001:db8::1]")
        );
        assert_eq!(
            host_of("https://[2001:db8::1]:443/foo").as_deref(),
            Some("[2001:db8::1]")
        );
    }
    #[test]
    fn origin_of_returns_scheme_and_host() {
        assert_eq!(
            origin_of("https://example.com/some/path?q=1").as_deref(),
            Some("https://example.com")
        );
        assert_eq!(origin_of("garbage"), None);
    }
    #[test]
    fn registrable_domain_strips_subdomain() {
        assert_eq!(
            registrable_domain("https://www.target-site.com/manga/foo/").as_deref(),
            Some(".target-site.com")
        );
        assert_eq!(
            registrable_domain("https://m.example.org").as_deref(),
            Some(".example.org")
        );
    }
    #[test]
    fn registrable_domain_keeps_two_label_host() {
        assert_eq!(
            registrable_domain("https://example.com/").as_deref(),
            Some(".example.com")
        );
    }
    #[test]
    fn registrable_domain_handles_port() {
        assert_eq!(
            registrable_domain("http://www.foo.bar:8080/x").as_deref(),
            Some(".foo.bar")
        );
    }
    #[test]
    fn registrable_domain_bare_hostname_no_leading_dot() {
        assert_eq!(
            registrable_domain("http://localhost:5173").as_deref(),
            Some("localhost")
        );
    }
    #[test]
    fn registrable_domain_returns_none_for_garbage() {
        assert!(registrable_domain("not a url").is_none());
    }
    #[test]
    fn registrable_domain_keeps_bracketed_ipv6_literal_intact() {
        // Symmetric with host_of's IPv6 fix. The cookie-domain code
        // won't accept an IP as a `Domain` value, but the function
        // should at least return a sensible representation rather
        // than the truncated `"[:"` the old port-stripper produced.
        assert_eq!(
            registrable_domain("https://[::1]/").as_deref(),
            Some("[::1]")
        );
        assert_eq!(
            registrable_domain("https://[::1]:8080/").as_deref(),
            Some("[::1]")
        );
        assert_eq!(
            registrable_domain("https://[2001:db8::1]/foo").as_deref(),
            Some("[2001:db8::1]")
        );
    }
 }
--- a/backend/src/repo/author.rs
+++ b/backend/src/repo/author.rs
@@ -99,11 +99,6 @@ pub async fn list(
 /// Atomically replace the set of authors on a manga. Caller passes a
 /// `&mut PgConnection` (`&mut *tx` works) so the delete+upserts run in
 /// one transaction with whatever called us.
 ///
 /// Note: `crawler::repo::sync_authors` does a similar replace with the
 /// same semantics on names. The duplication is intentional — handler
 /// callers want the `Vec<AuthorRef>` for the API response; the
 /// crawler doesn't need it and stays inside its own transaction.
 pub async fn set_for_manga(
    conn: &mut PgConnection,
    manga_id: Uuid,
--- a/backend/src/repo/bookmark.rs
+++ b/backend/src/repo/bookmark.rs
@@ -29,9 +29,9 @@ pub async fn create(
    match result {
        Ok(b) => Ok(b),
-        Err(sqlx::Error::Database(ref db_err)) if db_err.is_unique_violation() => Err(
+        Err(e) if is_unique_violation(&e) => Err(AppError::Conflict(
-            AppError::Conflict("bookmark already exists for this manga/chapter".into()),
+            "bookmark already exists for this manga/chapter".into(),
-        ),
+        )),
        Err(e) => Err(AppError::Database(e)),
    }
 }
@@ -97,3 +97,10 @@ pub async fn delete(pool: &PgPool, id: Uuid) -> AppResult<()> {
    Ok(())
 }
 fn is_unique_violation(err: &sqlx::Error) -> bool {
    if let sqlx::Error::Database(db_err) = err {
        db_err.code().as_deref() == Some("23505")
    } else {
        false
    }
 }
--- a/backend/src/repo/chapter.rs
+++ b/backend/src/repo/chapter.rs
@@ -4,7 +4,7 @@ use sqlx::{PgExecutor, PgPool};
 use uuid::Uuid;
 use crate::domain::Chapter;
-use crate::error::AppResult;
+use crate::error::{AppError, AppResult};
 pub async fn list_for_manga(
    pool: &PgPool,
@@ -62,9 +62,10 @@ pub async fn find_by_id_in_manga(
 ///
 /// Chapter identity is the row UUID; the same (manga_id, number)
 /// combination can repeat (multiple translations, re-uploads). The
-/// 0013 migration dropped the (manga_id, number) UNIQUE, so duplicate
+/// `is_unique_violation` branch below is a defensive holdover from
-/// inserts succeed by design. If a future migration re-adds any
+/// 0001's (manga_id, number) UNIQUE — it can no longer fire under
-/// uniqueness, surface a 409 by adding a unique-violation arm here.
+/// normal operation, but we surface a clean 409 if a future migration
 /// re-adds any chapter uniqueness.
 pub async fn create<'e, E: PgExecutor<'e>>(
    executor: E,
    manga_id: Uuid,
@@ -72,7 +73,7 @@ pub async fn create<'e, E: PgExecutor<'e>>(
    title: Option<&str>,
    uploaded_by: Option<Uuid>,
 ) -> AppResult<Chapter> {
-    let row = sqlx::query_as::<_, Chapter>(
+    let result = sqlx::query_as::<_, Chapter>(
        r#"
        INSERT INTO chapters (manga_id, number, title, uploaded_by)
        VALUES ($1, $2, $3, $4)
@@ -84,58 +85,15 @@ pub async fn create<'e, E: PgExecutor<'e>>(
    .bind(title)
    .bind(uploaded_by)
    .fetch_one(executor)
-    .await?;
+    .await;
    Ok(row)
 }
-/// Cross-link guard for `POST /bookmarks`: the bookmarks FK accepts
+    match result {
-/// any valid chapter id, but a chapter must belong to the bookmark's
+        Ok(c) => Ok(c),
-/// manga or the bookmark would dangle on a foreign manga. Handlers
+        Err(e) if is_unique_violation(&e) => Err(AppError::Conflict(format!(
-/// call this before the insert and surface `NotFound` when it
+            "chapter {number} conflicts with an existing chapter for this manga"
-/// returns `false`.
+        ))),
-pub async fn belongs_to_manga(
+        Err(e) => Err(AppError::Database(e)),
-    pool: &PgPool,
+    }
    chapter_id: Uuid,
    manga_id: Uuid,
 ) -> AppResult<bool> {
    let (exists,): (bool,) = sqlx::query_as(
        "SELECT EXISTS(SELECT 1 FROM chapters WHERE id = $1 AND manga_id = $2)",
    )
    .bind(chapter_id)
    .bind(manga_id)
    .fetch_one(pool)
    .await?;
    Ok(exists)
 }
 /// Read just the page_count for a chapter. Used by the crawler
 /// daemon's consumer-side dedup safety net so it can ack-done a job
 /// whose chapter has already been fetched by a racing worker.
 pub async fn page_count(pool: &PgPool, id: Uuid) -> sqlx::Result<Option<i32>> {
    sqlx::query_scalar("SELECT page_count FROM chapters WHERE id = $1")
        .bind(id)
        .fetch_optional(pool)
        .await
 }
 /// Look up the manga_id + most recent source_url for a chapter. Used
 /// by the daemon's chapter dispatcher to resolve the URL it needs to
 /// hand to `content::sync_chapter_content`. Returns `None` if the
 /// chapter (or its source row) is gone.
 pub async fn dispatch_target(
    pool: &PgPool,
    chapter_id: Uuid,
 ) -> sqlx::Result<Option<(Uuid, String)>> {
    sqlx::query_as(
        "SELECT c.manga_id, cs.source_url \
           FROM chapters c \
           JOIN chapter_sources cs ON cs.chapter_id = c.id \
          WHERE c.id = $1 \
          LIMIT 1",
    )
    .bind(chapter_id)
    .fetch_optional(pool)
    .await
 }
 pub async fn set_page_count<'e, E: PgExecutor<'e>>(
@@ -151,3 +109,10 @@ pub async fn set_page_count<'e, E: PgExecutor<'e>>(
    Ok(())
 }
 fn is_unique_violation(err: &sqlx::Error) -> bool {
    if let sqlx::Error::Database(db_err) = err {
        db_err.code().as_deref() == Some("23505")
    } else {
        false
    }
 }
--- a/backend/src/repo/genre.rs
+++ b/backend/src/repo/genre.rs
@@ -61,11 +61,6 @@ pub async fn load_for_mangas(
 /// FK constraint would reject them, so we filter upstream rather than
 /// surface a 500 here. (The API layer validates the set against
 /// `list_all` first.)
 ///
 /// Note: `crawler::repo::sync_genres` does a similar replace, but by
 /// *name* and with auto-create of unseen genres — the crawler can't
 /// validate against the curated vocabulary on its own. Both paths are
 /// intentional; don't merge them without preserving that semantic.
 pub async fn set_for_manga(
    conn: &mut PgConnection,
    manga_id: Uuid,
--- a/backend/src/repo/user.rs
+++ b/backend/src/repo/user.rs
@@ -21,7 +21,7 @@ pub async fn create(pool: &PgPool, username: &str, password_hash: &str) -> AppRe
    match result {
        Ok(user) => Ok(user),
-        Err(sqlx::Error::Database(ref db_err)) if db_err.is_unique_violation() => {
+        Err(e) if is_unique_violation(&e) => {
            Err(AppError::Conflict("username is already taken".into()))
        }
        Err(e) => Err(AppError::Database(e)),
@@ -56,3 +56,10 @@ pub async fn find_by_id(pool: &PgPool, id: Uuid) -> AppResult<Option<User>> {
    Ok(row)
 }
 fn is_unique_violation(err: &sqlx::Error) -> bool {
    if let sqlx::Error::Database(db_err) = err {
        db_err.code().as_deref() == Some("23505")
    } else {
        false
    }
 }
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -1,22 +0,0 @@
 # Production overlay: layer on top of docker-compose.yml on the deploy
 # host so the backend and frontend run from pre-built registry images
 # instead of building locally.
 #
 #   docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d
 #
 # REGISTRY_URL and IMAGE_TAG are injected by .gitea/workflows/deploy.yml
 # at deploy time. IMAGE_TAG defaults to `latest` so a manual
 # `docker compose ... up -d` on the host still works.
 services:
  backend:
    build: !reset null
    image: ${REGISTRY_URL}/mangalord-backend:${IMAGE_TAG:-latest}
    pull_policy: always
    restart: unless-stopped
  frontend:
    build: !reset null
    image: ${REGISTRY_URL}/mangalord-frontend:${IMAGE_TAG:-latest}
    pull_policy: always
    restart: unless-stopped
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -1,6 +1,6 @@
 {
  "name": "mangalord-frontend",
-  "version": "0.34.0",
+  "version": "0.33.0",
  "private": true,
  "type": "module",
  "scripts": {