Books

https://code.bas.es/arne/books last activity · 6m

Ideas

idea Move Kobo sync snapshot building out of the request path
issue #23 Auth model for Kobo reading-services endpoints (annotations)
Future implementation spec for annotation sync over the Kobo reading_services_host endpoints will need an auth model. Documenting the proposed approach here so the spec can reference it.

Observed from the annotations research spike

The Kobo device sends annotation traffic with a Kobo-cloud-issued Bearer JWT in the Authorization header. Example claims (captured via nc :5001):
```
{
  "iss": "https://auth.kobobooks.com",
  "aud": ["https://auth.kobobooks.com/resources", "profileauth", "public_api"],
  "client_id": "nickel",
  "kobo_user_id": "7081525b-05f9-4cbf-91e8-c93f936d17f6",
  "scope": ["openid", "profile", "kobo_profile", "public_api_authenticated", ...],
  "nbf": 1776709922,
  "exp": 1776713522
}
```
The JWT itself rotates (~1 hour expiry). The kobo_user_id claim inside it is stable for the account.

Proposed auth model

Trust-on-first-use on the kobo_user_id claim, mirroring the existing first-login-owner pattern (#19):
1. On first request to a reading-services endpoint, base64-decode the JWT payload (no signature verification — we can't, Kobo holds the signing key).
2. Extract kobo_user_id.
3. Persist as the server's bound Kobo user.
4. On subsequent requests, decode again and reject any JWT whose kobo_user_id differs from the bound value.
Surface: /api/UserStorage/*, /api/v3/content/*, plus whatever else the annotations spec ends up owning.

Why not validate the JWT signature

The JWT is signed with a Kobo-cloud key. We're a self-hosted replacement for Kobo cloud; we intentionally don't have Kobo's key and can't check it. TOFU on the user ID is the closest available analogue.

Related
- Annotations research spike findings: docs/superpowers/specs/2026-04-20-kobo-annotations-spike-design.md (pending writeup at docs/kobo-annotations-spike-findings.md)
- First-login owner pattern: #19
See on code.bas.es →
issue #17 EditPost: file rename leaves DB and disk inconsistent on partial failure
`internal/web/handler.go` `EditPost` does the metadata UPDATE before the file rename. If the rename fails (typically because `book.FilePath` in the DB has drifted from disk), the user sees an error but the metadata write has already committed. Subsequent edits hit the same stale path and re-error.

Concrete repro from prod: book #110 had `file_path = "Scott, James C.;/Seeing Like a State.epub"` in DB while the actual file lived at `James C. Scott/Seeing Like a State.epub` (presumably from an earlier rename that updated DB but failed mid-way, or a manual move). Editing the author to "James C. Scott" then triggered:

``` file rename failed: open /opt/books/library/Scott, James C.;/Seeing Like a State.epub: no such file or directory ```

Two things worth doing:
1. Defensive rename. When `lib.Rename` finds the source missing AND the computed destination already exists, treat it as a successful no-op and let the handler update `file_path`/`cover_path` to match. (Risky if the destination collision is unrelated — collision-free naming uses " (2)" suffixing, so this case strongly suggests prior rename to the same path.)
2. Atomic metadata + rename. Don't commit the metadata UPDATE until the file rename succeeds, OR rollback the metadata change when rename fails. Today the partial-failure window leaves DB ahead of disk and every subsequent edit re-errors.
Workaround for stuck rows: `UPDATE books SET file_path='', cover_path='' WHERE id=` directly against SQLite.

See on code.bas.es →
issue #11 Sync drift: no recovery when Kobo loses books server thinks are delivered
Symptoms

Books are shelved on the server and marked delivered=1 in the latest sync session, but absent from the Kobo's library. Reproduced today: 2/12 shelved books missing on device.

Root cause

internal/kobo/sync.go (line ~173) marks books delivered without emitting any envelope when their meta_rev and file_hash match the previous session — the "already there, nothing to do" fast path.

If the Kobo's local DB lost a book (manual delete on device, factory reset, sync interruption, swap to new device), the server has no signal of the drift and never re-sends. The book is stuck in a "server thinks delivered, device doesn't have it" state with no recovery path.

Workaround (confirmed working)

On the shelf page: unshelve the missing book → sync from Kobo → reshelve → sync again. Forces removed→added envelopes.

Possible fixes
- Reset-sync action per device — single button on /shelf next to "Regenerate". Deletes all sync sessions for the device; next sync rebuilds from scratch (every shelved book goes through added → NewEntitlement). Low risk, fixes drift in one shot.
- Per-book "Re-send to Kobo" action — more granular, but more UI weight.
- Inferred-library debug view — log what the Kobo touches (covers, downloads, StateGet/StatePut) and surface "last seen by Kobo" per book. Half-picture (unopened books after initial sync are invisible), but useful telemetry. Would fit naturally on the errata page as another diagnostic.
Out of scope (Kobo protocol limit)

The storefront API has no way to query what books the Kobo currently holds. Only the device's local KoboReader.sqlite (USB-only) is authoritative.

Why not now

Workaround is acceptable. Errata page is the natural home if/when we build a diagnostic view.

See on code.bas.es →

Design

design 2026-04-10-reading-room.md

History

2026-04-24

07:44 Per-book reading stats on the book page
Surface per-book reading stats that Nickel already pushes via PUT /v1/library/{id}/state, rendered as additional rows in the book page's .book-marginalia. Also captures three currently-dropped StatusInfo fields and starts an append-only reading-state event log for future historical views.

Summary
- Data model: migration 007 adds times_started_reading, last_time_started_reading, last_time_finished columns to reading_state; creates reading_state_events table with one row per meaningful PUT.
- Capture: PUT /v1/library/{id}/state now persists the three StatusInfo fields; GET echoes them back.
- UI: /book/{uuid} shows status, time spent reading, time to finish, times opened, started reading, finished, and last read — each only when the underlying field has a value. Books without a reading_state row are unchanged.
- Event log: populated but not queried; enables "minutes per day" / "books finished over time" style graphs without a future schema change.
Scope boundaries
- No aggregate views (total time, streaks, charts) — deferred.
- No invented metrics beyond what the Kobo sync API exposes.
- No multi-device aggregation — single device assumed; GetLatestReadingState picks the most recent row across devices.
- /v1/analytics/event bodies still accept-and-drop — reading-session telemetry channel left for a potential future investigation.
Spec + plan
- Spec: docs/superpowers/specs/2026-04-20-stats-dashboard-design.md
- Plan: docs/superpowers/plans/2026-04-20-stats-dashboard.md
Test plan
- [ ] go test ./... green.
- [ ] Visit /book/{uuid} for a book with a reading_state row — new rows render (status, time spent, time to finish, times opened, last read).
- [ ] Visit /book/{uuid} for a book without one — marginalia unchanged from before this PR.
- [ ] Deploy the binary to abase and trigger a sync from the Kobo; confirm reading_state now has times_started_reading populated and reading_state_events starts accumulating rows.
See on code.bas.es →

2026-04-20

19:14 Kobo annotations research spike (yes-feasible, w/ docs corrections)
Research spike into whether Kobo annotation sync is reachable via the /api/kobo/* sync API. Yes, feasible — wire shapes captured for the three observed reading-services endpoints. Follow-up implementation spec is a separate sub-project; auth model tracked in #23.

Summary
- Spec: docs/superpowers/specs/2026-04-20-kobo-annotations-spike-design.md
- Plan: docs/superpowers/plans/2026-04-20-kobo-annotations-spike.md
- Findings: docs/kobo-annotations-spike-findings.md — methodology + results + wire-shape tables + recommendation.
Key discoveries
- Annotation sync runs in Nickel when the device is signed in to a Kobo cloud account. Traffic goes to reading_services_host (default readingservices.kobo.com) with a Kobo-cloud-issued Bearer JWT.
- Three endpoints observed + characterised: POST /api/v3/content/checkforchanges, PATCH /api/v3/content/{bookID}/annotations, GET /api/UserStorage/Metadata.
- Nickel treats reading_services_host as host-only (path component discarded), so requests arrive at server root — not under api_endpoint's prefix.
- nc :5001 was the tool that unstuck the spike after passive catch-all + probe stubs both yielded null results.
Docs corrections (spin-off)

Two claims in docs/kobo-api.md that the spike proved wrong, now corrected in the same PR:
1. Automatic host rewriting is storeapi-specific, not universal.
2. Init write-back is selective, not universal — only a subset of Resources keys get persisted.
Plus a new Chapter 3 subsection documenting reading_services_host's host-only quirk.

Infrastructure aftermath
- Permanent: low-noise slog.Info("unknown kobo endpoint", ...) drift detector in the catch-all.
- Removed at teardown: transcript recorder, probe handlers, spike env vars, reading-services + notebooks init overrides, broadened catch-alls.
Test plan
- [ ] Read the findings doc; confirm wire shapes match your mental model.
- [ ] Read the docs corrections in docs/kobo-api.md (diff against the merged docs/kobo-api from #22).
- [ ] Verify go test ./... green on this branch.
- [ ] Verify abase server runs the teardown build cleanly (no transcript infrastructure, no spike env vars). Already deployed.
- [ ] Confirm the device's normal library sync still works end-to-end — spike cleanup should be invisible to Nickel.
Follow-ups
- Issue #23 — auth model (TOFU on kobo_user_id) for reading-services endpoints.
- Implementation spec for annotation sync — separate sub-project, separate branch.
See on code.bas.es →
09:14 docs: refactor Kobo API findings into a reference document
Summary
- Replace docs/kobo-api-findings.md (chronological field notes) with docs/kobo-api.md — a reference-shaped document for external self-hosters documenting the Kobo sync protocol.
- Single file, six chapters: Overview, Debugging, Conventions, Endpoint reference (one subsection per route, uniform template), Known failure modes, References. Appendix on device-side KoboReader.sqlite state. Contributing footer with three lightweight maintenance conventions.
- Every route in internal/kobo/handler.go now has a subsection with Implementation, Called by, Purpose, Request, Response, Quirks, and Reference implementations fields.
- README.md links updated to point at the new file.
- Spec at docs/superpowers/specs/2026-04-20-kobo-api-docs-refactor-design.md; implementation plan at docs/superpowers/plans/2026-04-20-kobo-api-docs-refactor.md.
Test plan
- [ ] Render docs/kobo-api.md in a markdown viewer — ToC links resolve, code fences close, Chapter 5 anchor links jump to the correct Chapter 4 subsections.
- [ ] Verify every route in internal/kobo/handler.go has a matching subsection (expected: 19 H4 endpoint headings).
- [ ] Spot-check that the documented request/response shapes match the handler code for at least /v1/initialization, /v1/library/sync, /v1/library/{id}/metadata, /v1/analytics/gettests, and the download endpoint.
- [ ] Verify docs/kobo-api-findings.md is gone and README.md no longer links to it.
See on code.bas.es →

2026-04-14

11:44 First-login owner
Summary
- Replace required BOOKS_OIDC_OWNER_SUB with first-login-wins ownership claim
- New settings key/value table (migration 006); ClaimOwnerSub uses INSERT ... ON CONFLICT DO NOTHING
- *Auth caches the owner in an atomic.Pointer[string], loaded in New and refreshed by the OIDC callback
- Recovery is manual SQLite edit + restart (no admin API)
Test plan
- [x] go test ./... passes
- [ ] On a.bas.es: install books, log in via Pocket ID first, confirm shelf/admin views work
- [ ] Verify a second OIDC user logging in is treated as user (not owner)
See on code.bas.es →
11:44 Fix sha256 verification in Basefile install task
The install task was downloading the binary directly to /usr/local/bin/books, so sha256sum -c (which looks up filenames listed in the manifest) couldn't find a match and exited 1. Download to the versioned name first, verify, then install.

See on code.bas.es →
11:44 Export env vars in /etc/conf.d/books
OpenRC sources conf.d but doesn't export — prefix each line with export so the daemon actually receives BOOKS_OIDC_ISSUER, BOOKS_PUBLIC_URL, etc. Without this the service crashes on start with 'BOOKS_OIDC_ISSUER is required'.

See on code.bas.es →
08:44 Add Basefile and release script for bases deployment
Summary
- New Basefile describing books as an Alpine+OpenRC service for bases
- Install task curls a prebuilt release asset from code.bas.es
- OIDC env vars renamed via setup.auth.env to match what books reads
- New scripts/release.sh cross-compiles linux/amd64, tags, pushes, and uploads the binary via tea
Test plan
- [ ] Run scripts/release.sh v0.1.0 and verify the asset lands on code.bas.es
- [ ] bases install on a.bas.es with BOOKS_OIDC_OWNER_SUB filled in
- [ ] Confirm the service starts via OpenRC and responds on books.a.bas.es
See on code.bas.es →

show earlier entries

2026-04-13

14:01 Small fixes: dimmer progress bar, series search
- Progress bar background uses color-mix(--margin 50%, --paper-soft) so the leaf-coloured fill stands out more against the page rule lines.
- store.SearchBooks matches series in addition to title and author.
Closes #15.

See on code.bas.es →
13:46 htmx: shelve toggle, library search, header sign-in
Summary
- Spec: docs/superpowers/specs/2026-04-13-htmx-shelve-search-design.md
- Vendors htmx 4 as a static asset; loads it from base.html.
- Library search: debounced, fragment-swap on input via htmx.
- Shelve toggle on book detail page: htmx-driven partial swap.
- Shelf page rows: htmx delete swap removes the row inline.
- Header: visible sign-in / sign-out link for visitors and users.
Test plan
- [ ] go test ./... green
- [ ] Manual: type into the library search box; grid updates without reload, URL updates.
- [ ] Manual: shelve / unshelve from book detail page; toggle button updates inline.
- [ ] Manual: remove a book from the shelf page; row vanishes inline.
- [ ] Manual: log out; verify "sign in" link appears in header.
See on code.bas.es →
12:31 Admin API: typed /api/admin/* surface
Summary
- Spec: docs/superpowers/specs/2026-04-13-admin-api-design.md
- Implements the typed /api/admin/* surface that replaces direct-SQLite metadata edits.
- New package internal/adminapi; new store methods in internal/store/admin.go.
Test plan
- [ ] go test ./... green
- [ ] Manual smoke: curl -H "Authorization: Bearer $BOOKS_ADMIN_TOKEN" $PUBLIC/api/admin/books?q=tolkien
- [ ] Verify PATCH diff response shape on a real book
- [ ] Verify 404 on /api/admin/* when BOOKS_ADMIN_TOKEN is unset
See on code.bas.es →
11:46 Auth boundary: public reads, owner mutations, admin API tier
Summary

First of three roadmap changes (auth boundary, admin API, htmx). Splits the site into five auth tiers:
- visitor — library, book detail, author, series are now public
- user — any OIDC-authenticated identity can download /file/{uuid}
- owner — shelve/edit/delete/upload/errata require the owner sub
- kobo — existing token-in-URL flow untouched
- admin — new /api/admin/* surface behind Authorization: Bearer $BOOKS_ADMIN_TOKEN (placeholder endpoints; real operations land in spec 2)
Specs and roadmap notes live in docs/superpowers/.

Test plan
- [ ] Visit https://books.fismen.no in a private window → library loads without login
- [ ] Log in and confirm shelf, edit, upload, delete still work
- [ ] curl /api/admin/books → 401
- [ ] curl -H "Authorization: Bearer \$BOOKS_ADMIN" /api/admin/books → 404 (placeholder)
See on code.bas.es →
09:01 Add author and series pages
Summary
- Author names and series names are now clickable links throughout the UI
- /author?name=... shows all books by that author
- /series?name=... shows all books in a series, ordered by series index
Test plan
- [ ] Click an author name on the library page — should show their books
- [ ] Click a series tag on the library page — should show the series
- [ ] Click author/series on the book detail page
- [ ] Verify multi-author bylines link each author separately
🤖 Generated with Claude Code

See on code.bas.es →
08:46 Shelf progress and book metadata
Summary
- Reading progress shown on shelf entries and book page as a hair-thin leaf-green fore-edge rule
- New --leaf semantic color token reserved for reading state
- New book metadata fields: read_state (unread/reading/read, manual with Kobo auto-promotion at ≥95%), first_published_year, goodreads_url
- Shelf now sorts reading-first (by progress desc), then unread, then read
Design spec: docs/superpowers/specs/2026-04-13-shelf-progress-and-metadata-design.md Implementation plan: docs/superpowers/plans/2026-04-13-shelf-progress-and-metadata.md

Test plan
- [ ] Verify shelf shows progress rule with correct fill for books with Kobo progress
- [ ] Verify shelf sort order: reading (by progress desc) → unread → read
- [ ] Edit form: set read state, first published year, goodreads URL on a book; verify persistence and display
- [ ] Book page: verify goodreads arrow link opens externally
🤖 Generated with Claude Code

See on code.bas.es →

2026-04-12

13:31 Kobo: progress tracking and kepubify
Summary
- Store and emit ContentSourceProgressPercent for Kobo reading progress
- Kepubify epub files at download time for proper Kobo rendering
Test plan
- [ ] Verify Kobo sync picks up reading progress
- [ ] Verify downloaded epubs are kepubified
🤖 Generated with Claude Code

See on code.bas.es →

2026-04-11

21:46 Library curation + navigation: delete, upload, site header, kobo removal fix
Summary

Implements the full curation spec from docs/superpowers/specs/2026-04-11-curation-and-nav-design.md: delete books from the web UI, upload books through a header action, and replace the corner dropdown with a thin top-bar nav. Plus an incidental but necessary Kobo bug fix that the delete flow would otherwise trip.

Twenty small commits, one per plan task (with two gofmt fixups along the way), closed out through Tasks 1–18 of docs/superpowers/plans/2026-04-11-curation-and-nav.md. Full go test ./... green across all nine packages. Final full-branch code review completed against the spec — one Important finding (EXDEV safety in library.Archive/Restore) was addressed inline in the last commit.

What you get
- Delete books from the UI. Book detail page has a two-click inline-confirm delete book button. First click arms it in stamp red with a "really?" prefix; second click within 5s commits. No modal. Soft-delete: the row stays (so Kobo removal tracking can still find the entitlement UUID), the files move to <BOOKS_DATA_DIR>/archived-books/<hash>.<ext>, the book auto-unshelves in the same DB transaction.
- Upload books from the header. + upload action in the site header opens a hidden file picker, POSTs the .epub to /upload, runs it through the same importer pipeline as the inbox watcher, and lands on the new book's detail page. Uploading a file whose hash matches a previously-archived book restores the original row from the archive instead of creating a duplicate — the book's ID, UUID, and all metadata survive the round-trip. 50 MB cap enforced before ParseMultipartForm is called.
- Thin site header. Corner dropdown is gone. Every page now carries a top-aligned shelf · library · errata nav with an active-state stamp underline, plus the upload action on the right. Active page is driven by the existing PageData.Section field. The ← library back link on the book detail page went away with it — the library tab in the header now serves that role.
- Kobo removal bug fix. buildRemovedEntitlement used to synthesize a fake UUID via uuidFromInt(bookID). In the pre-delete world this never mattered — nothing ever routed a book through the removed branch after we'd previously delivered a real UUID. The moment delete-of-a-shelved-book ships, every removal envelope would carry a UUID Nickel never saw, and the device would silently fail to forget the book. Fixed by a new store.GetBookByIDIncludingDeleted method that survives the WHERE deleted_at IS NULL filter, plus changing buildRemovedEntitlement(book) to read book.UUID via entitlementID. uuidFromInt deleted as dead code. Regression test pinned.
- Flash messages. Short one-string messages after redirects ("deleted X", "already imported as Y"). One documented deviation from the spec: the spec called for an HMAC-signed cookie, but the auth package has no signing key and adding one for a single string was over-engineering. Instead, flashes travel through a ?flash=<url-encoded> query parameter on the redirect target. html/template auto-escapes on render (" in the test assertions proves it), the flash clears on the next navigation when the URL no longer carries the parameter, and an explicit test asserts the XSS-safe rendering path. Single-user tool, minimal surface area, no new crypto.
What's not in this PR (deliberate)
- No bulk delete.
- No visible archive view — restore is by re-upload (detected via file hash).
- No drag-and-drop upload. Explicitly cut during brainstorming; the header button is the whole upload UX.
- No hard delete / GC of archived files.
- No orphan cleanup on book_authors / device_removals / reading_state / kobo_sync_session_books — those rows stay put and the Kobo delta still handles them correctly.
File structure

Plan-compliant: new handlers (delete.go, upload.go) are their own files in internal/web/, test files (delete_test.go, upload_test.go, flash_test.go, roundtrip_test.go) similarly split. No monster-file growth.

Test plan
- [x] go test ./... — all 9 packages pass
- [x] go build ./... — clean
- [x] gofmt -l — clean on every touched file (two fixup commits for drift along the way)
- [x] TDD-style tests for every task (failing test → implementation → passing test → commit)
- [x] End-to-end round-trip test: upload → delete → re-upload → restore to the same row, library file back in place, archive cleared
- [x] Final full-branch code review (superpowers:code-reviewer subagent) — one Important finding addressed inline in the last commit
- [ ] Smoke test on fismen: push the built binary to the books container, trigger a sync, walk through delete + upload + archive-restore end-to-end. The existing Assassins Quest row should survive the schema migration untouched.
Intended to be squash-merged. The 20 commits are a breadcrumb trail, not a curated history.

🤖 Generated with Claude Code

See on code.bas.es →
19:59 Curation + navigation: design system + spec
Summary

Sets up everything for the next implementation pass — library curation (delete + upload) and the navigation redesign — but stops short of touching any real handlers or store methods. Two commits:
1. Design system update (0307ac2) — reverses the earlier "there is no header, just a dropdown in the corner" decision. The new .site-header is a thin strip with three italic nav links on the left (shelf · library · errata, library as the default / route) and a + upload action on the right. Active-state is inked ink colour plus a thin stamp rule under the word. Mocks the inline delete-confirm button with both resting and armed states. Deletes the drag-and-drop dropzone concept we iterated on and then explicitly cut. Also fixes a small input bug: italic f was getting left-clipped in search inputs because the content box had zero inline padding — added 0.12em of inline-start padding across all text inputs. All changes live in design/ and are visible by opening design/index.html or design/preview/index.html in a browser. No backend code changes.
2. Design spec (13ad7be) — docs/superpowers/specs/2026-04-11-curation-and-nav-design.md. Covers the three features landing in the next PR: delete books (soft delete, row kept, files moved to <data dir>/archived-books/<hash>.<ext>, auto-unshelve on delete, inline 2-click confirm UI on the book detail page), upload books (+ upload button in the site header triggers a file picker, new file runs through the same importer pipeline as the inbox watcher, re-uploading an archived book restores it), and the site header itself. Also covers an incidental internal/kobo fix: buildRemovedEntitlement currently synthesizes a fake UUID via uuidFromInt, which delete-of-a-shelved-book would silently trip over — the spec resolves it via a new GetBookByIDIncludingDeleted store method so the removal envelope carries the book's real UUID.
The spec has a full self-review done; the open questions section is non-blocking.

What's in this PR
- Visual design for the three features, iterable in the browser at design/index.html and design/preview/*.html
- Written design spec at docs/superpowers/specs/2026-04-11-curation-and-nav-design.md
- No backend / store / importer / web handler changes — those come in the follow-up implementation PR
Test plan
- [x] design/preview/index.html opens in a browser, shows the new thin site header with + upload on the right, no dropzone wrapper
- [x] design/preview/book.html shows the delete button in resting and armed states
- [x] design/index.html component doc reflects the new header and no dropzone
- [x] Search input in the library preview no longer clips the italic f
- [ ] Spec review — read the spec and push back on anything that feels wrong before we write the implementation plan. Particularly worth a second look: the internal/kobo scope addition, the importer split of Import vs ImportFile, the flash cookie design, and the testing list
Intended to be squash-merged; the two commits are a breadcrumb trail, not a curated history.

🤖 Generated with Claude Code

See on code.bas.es →
19:14 Kobo sync: fix the download, restore series, clean up
Summary

When we last left this branch the Kobo was happily syncing metadata from books.fismen.no but quietly refusing to download any of the actual epubs — the device would fetch each book's metadata, think about it for half a second, and then move on without ever asking for the file. We'd been chasing half a dozen increasingly unlikely suspects for this (URL length, publisher sentinels, publication-date mapping, DRM fields, content-access endpoints) and had checkpointed the branch at 5882803 so we could start fresh.

It turned out to be a one-line shape mismatch. Nickel parses /v1/library/{id}/metadata as a JSON array and reads index [0]; we were sending the bare metadata object, so the indexed read came up empty and DownloadContentFileCommand silently finished without ever issuing the GET to DownloadUrls[0].Url. calibre-web already wraps that endpoint in a one-element list — we just missed it because a dict-vs-dict diff between the two bodies stripped the outer array and showed zero key differences. Matching calibre-web fixes downloads end-to-end, confirmed on the device via the nc 192.168.86.39 5001 Qt debug stream: ResumingDownloader::start → ResumingDownloader::finished on /api/kobo/{token}/download/{id}/kepub within 700 ms of the metadata fetch.

With the real root cause known, the branch also rolls back the pile of symptom-chasing workarounds from the earlier checkpoint:
- Series metadata is back. Books with a series now show the series name, number, and a stable id on the device, matching calibre-web's shape exactly (Number and NumberFloat as JSON numbers, Id as a UUIDv3 in the DNS namespace keyed on the series name).
- PublicationDate uses the book's added-at instant instead of a hardcoded 2020-01-01 stand-in.
- Three dead download-route aliases and the content_access_book stub are deleted. Nickel only ever calls the one URL we emit in DownloadUrls, and it works.
- A 140-line mimicCalibreWebSync diagnostic, a now-unused slugify helper, and several comments blaming the wrong fields are gone.
- docs/kobo-api-findings.md is updated with the rediscovery trap so the next session doesn't fall into the same hole: the "What doesn't work" section becomes "The metadata-shape gotcha," and the status table shows downloads working.
Also adds a new README.md (the repo didn't have one) with the minimum env vars needed to run the server and the one-line Kobo eReader.conf setup procedure for pointing a stock-firmware device at books — no SSH, no factory reset, no firmware modification.

Net diff: ~271 lines deleted, ~200 added, most of the additions being the new README. The actual behaviour change is ~10 lines in internal/kobo/metadata.go and sync.go.

Test plan
- [x] Downloads verified end-to-end against Libra Colour firmware 4.45.23646 via the nc :5001 Qt debug stream.
- [x] go build ./... && go vet ./... && go test ./internal/kobo/... all green.
- [ ] Freshly factory-reset Kobo: paste the api_endpoint from the README into Kobo eReader.conf, reboot, confirm first-run sync pulls and downloads the whole shelf cleanly.
Intended to be squash-merged; the individual commits on the branch are a breadcrumb trail, not a curated history.

🤖 Generated with Claude Code

See on code.bas.es →
12:14 Kobo sync API
Plan 3 of 4. The /api/kobo/{token}/v1/... HTTP surface that lets a stock-firmware Kobo Libra Color browse the shelf, download books, and push reading state. Wire shapes are taken verbatim from grimmory.

What's in here
- internal/kobo — Handler, requireToken middleware, snapshot builder + delta, sync token codec, Kobo 7-decimal timestamp codec, every JSON DTO, and one file per endpoint group
- internal/store — kobo_sync_sessions CRUD with auto-supersede, reading_state CRUD with per-field LastModified merge, device_removals CRUD, GetBookByID
- main.go — mounts the kobo router on the same ServeMux as the web router
Endpoints
- GET /v1/initialization (with x-kobo-apitoken: e30= header)
- POST /v1/auth/device (random per-call tokens, explicit Content-Length)
- GET /v1/library/sync (paginated 5/call, snapshot-based, x-kobo-synctoken round-trip)
- GET /v1/library/{uuid}/metadata
- GET /v1/library/{uuid}/state
- PUT /v1/library/{uuid}/state (merge by per-sub-object LastModified)
- DELETE /v1/library/{uuid} → device_removals
- GET /v1/books/{uuid}/download
- GET /v1/books/{uuid}/thumbnail/{w}/{h}/{greyscale}/image.jpg
- POST /v1/analytics/gettests (mandatory)
- POST /v1/analytics/event (mandatory)
- GET /v1/products/{id}/nextread[/rest...] (mandatory)
Out of scope (plan 4)
- deploy.sh, systemd unit, Caddy config
- Goroutine that calls DeleteOldKoboSyncSessions (function exists and is unit-tested, just not wired)
- Web UI for clearing device_removals (minor follow-up)
Fixes applied before PR
- Superseded session guard in LibrarySync — a stale sync token for a superseded session now starts a fresh session rather than walking the stale one
- nextread route now catches trailing sub-paths via {rest...} wildcard
Test plan
- [x] go test ./... -race clean across all 9 packages
- [x] Hands-off bootstrap fails fast at OIDC discovery
- [ ] Full smoke (you, after merge): paste the URL into your Libra Color's Kobo eReader.conf, trigger sync, confirm shelved books appear on the device, open one, let it read, confirm progress syncs back via /state
Known sharp edges
- Removed entitlements omit the BookMetadata block. Grimmory includes a minimal metadata block even for removals. The spec allows omission; real-device testing will confirm whether the Libra Color tolerates it.
- nextread matches both the exact path and /nextread/{rest...} — if the device sends something stranger the catch-all returns {} per plan 2's design.
Plan: docs/superpowers/plans/2026-04-11-kobo-sync.md

See on code.bas.es →
06:29 Library and shelf — opt-in Kobo sync subset
Plan 2.5 of 4. Introduces the library/shelf distinction so the user can be deliberate about what's on the Kobo.

What's in here
- Schema: books.shelved_at INTEGER (nullable). Non-null = on the shelf. Edited into 001_initial.sql directly since nothing's deployed.
- Store: ShelveBook, UnshelveBook, ShelvedBooks. All other SELECTs updated to include the new column.
- /kobo page renamed to /shelf; the page now lists shelved books first, then the Kobo register/regenerate UI below.
- Library list (/) shows every book and marks shelved ones with a small italic 'shelf' tag in oxblood.
- Book detail page gains a 'Shelve →' (or 'Remove from shelf →') action.
- Page-nav: library / shelf / errata.
- New routes: POST /book/{uuid}/shelve, POST /book/{uuid}/unshelve. Both gated by RequireSession + RequireOrigin.
- Spec updated.
Out of scope
- Plan 3: the Kobo sync API. The shelf is currently a flag that nothing reads — plan 3's snapshot algorithm will filter on `WHERE shelved_at IS NOT NULL`.
Test plan
- [x] go test ./... -race clean across all 8 packages
- [x] Hands-off bootstrap: bogus OIDC issuer fails at discovery, shelved_at migration applied cleanly
- [ ] Full smoke (you, after merge): drop a book, confirm it lands in / but not /shelf, click into book detail, hit Shelve, confirm it now shows on /shelf and the library list marks it
Notes
- Internal API paths keep /api/kobo/... (it's the Kobo's protocol, not ours). Only user-facing chrome talks about shelves.
- Default for new imports: off the shelf. You drop a file, it lands in the library, you decide whether to shelve it.
- Shelving doesn't bump updated_at — plan 3's snapshot diffing is presence-driven.
Plan: docs/superpowers/plans/2026-04-11-shelf.md

See on code.bas.es →
06:14 Web UI: library, book detail, edit, kobo, errata + OIDC + Reading Room design
Plan 2 of 4. Adds the human-facing surface of the books server, the Reading Room visual design, and switches the project to self-hosted Newsreader fonts so books never contacts an external server at runtime.

What's in here

Design — Reading Room

A literary, serif-only visual language. Single typeface (Newsreader) at every size and weight, ink on aged paper, no rectangular chrome, no buttons, no input boxes. Site nav is a single fixed dropdown in the top-right corner. Direction notes in design/specs/2026-04-10-reading-room.md; full design system at design/index.html with three preview pages under design/preview/. Newsreader fonts are self-hosted (six woff2 subsets, ~516 KB) and embedded into the binary.

Auth
- internal/auth — go-oidc/v3 verifier wrap, session lifecycle (create / lookup / sliding renewal / delete), RequireSession middleware, RequireOrigin CSRF guard
- Sessions table CRUD with sliding 30-day expiry; auto-renewed by middleware when past half-life
- Single allowed subject enforced both at exchange time and on every request
- Session cookie HttpOnly + Secure + SameSite=Lax; OAuth state cookie matches
Store additions
- sessions CRUD (CreateSession, GetSession, RenewSession, DeleteSession, DeleteExpiredSessions)
- devices CRUD (CreateDevice, ListDevices, GetDeviceByToken, GetDeviceByID, DeleteDevice, TouchDeviceLastSeen)
- books additions: GetBookByUUID, SearchBooks (LIKE on title and author, case-insensitive), UpdateBookMetadata (preserves file_path / file_hash / added_at / uuid)
Library additions
- Rename and RenameCover for metadata-edit-driven on-disk moves; cleans up empty author directories
Inbox additions
- ListErrata + RetryErratum for the errata page; retry rejects path traversal
Web
- internal/web — Handler, Renderer, base layout + 5 page templates (library, book, edit, kobo, errata)
- One file per page handler: library.go, book.go, edit.go, kobo.go, errata.go, auth.go, healthz.go (collapsed into handler.go)
- Byline parser/formatter for the editorial 'Smith, Jones & Brown' format, roundtrip-tested
- Cover and epub download served from disk via http.ServeFile, with safe Content-Disposition encoding
- Background goroutine cleans expired sessions hourly
main.go
- Embeds design/ via //go:embed, serves at /static/
- OIDC discovery at startup
- Mounts HTTP on 127.0.0.1:8090
- Signal-handled shutdown with 10-second drain
- Inbox watcher and session cleanup as background goroutines
Out of scope (plans 3-4)
- /api/kobo/{token}/v1/* sync endpoints (the kobo page generates URLs that 404 until plan 3)
- Snapshot algorithm and reading-state push/pull
- Deployment script, systemd unit, Caddy config
- Logout link in the page-nav (POST to /auth/logout works)
- Cover thumbnails on the library list (text-only for now)
- Templated error pages with incident IDs
Test plan
- [x] go test ./... clean across all 8 packages (config, store, library, epub, importer, inbox, auth, web)
- [x] go test -race ./... clean
- [x] Two startup error paths verified hands-off: missing config exits 1 fast, bogus OIDC issuer fails at discovery and exits 1
- [ ] Full smoke test (you, after merge): set BOOKS_OIDC_* against pocket-id, run, log in, drop a real epub, browse the library, edit metadata, register a Kobo, drop junk into inbox, retry from /errata
Known follow-ups (deferred)
- /api/kobo/* — entirely plan 3
- internal/store/devices.go: getDevice uses string concat for the WHERE column (constants only, no injection risk; cosmetic)
- humanTime returns 'last week' for everything 7-30 days old (cosmetic)
- Auth.Store() accessor is unused (dead code, harmless)
Plan: docs/superpowers/plans/2026-04-10-webui-auth.md Design spec: design/specs/2026-04-10-reading-room.md

See on code.bas.es →

2026-04-10

18:44 Foundation: importer pipeline + storage
First of four plans implementing the books server design at docs/superpowers/specs/2026-04-10-books-server-design.md. Delivers the foundation: a books Go binary that watches an inbox directory, parses dropped epubs, persists metadata in SQLite, and files them into a managed library tree under <author>/<title>.epub. No HTTP, no auth, no Kobo — those come in plans 2–4.

What's in here
- internal/config/ — env-based config loader (BOOKS_DATA_DIR plus three path overrides)
- internal/store/ — SQLite store with embedded migrations. Full 11-table schema applied up front (most tables empty until later plans). Typed CRUD for books and authors. MaxOpenConns(1) so the foreign_keys pragma actually applies to every query.
- internal/library/ — sanitised path components (handles /, \, :, control chars, whitespace, unicode), Place/WriteCover/Remove with os.Rename + EXDEV-style copy fallback. Atomic via .tmp rename.
- internal/epub/ — pure functional OPF parser. Bytes in via io.ReaderAt, Metadata struct + cover bytes out. Supports both EPUB2 (<meta name=\"cover\">) and EPUB3 (properties=\"cover-image\") cover declarations.
- internal/importer/ — orchestrates parse → upsert → place → set file path. Duplicate detection by file_hash runs before upsert so re-dropped files are deleted, not re-placed. Failed imports quarantined to inbox/.failed/<name> with sidecar .err.
- internal/inbox/ — startup scanner (filepath.WalkDir, skips .failed/ and hidden) + fsnotify watcher with size-stability debouncing.
- main.go — wires everything, signal handling, slog logging.
Out of scope (plans 2–4)
- Web UI, OIDC, sessions
- Device tokens, Kobo sync API
- Deployment script, systemd unit, Caddy config
Test plan
- [x] go test ./... and go test -race ./... clean across all packages
- [x] Manual smoke: drop a non-zip → moves to .failed/ with sidecar .err, server stays up
- [x] Manual smoke: drop a constructed epub ("The Smoke Test" / "Anne Author") → lands at library/Anne Author/The Smoke Test.epub
Known follow-ups (deferred to plan 2)
- N+1 in ListBooks flagged with TODO(plan-2)
- No tests for internal/inbox/watcher.go (fsnotify timing is fiddly)
- PRAGMA foreign_keys=1 is on but the junction tables lack REFERENCES clauses
- Orphan rows in authors when a book's author list is replaced
Plan: docs/superpowers/plans/2026-04-10-foundation.md.

See on code.bas.es →

Books

Ideas

Observed from the annotations research spike

Proposed auth model

Why not validate the JWT signature

Related

Symptoms

Root cause

Workaround (confirmed working)

Possible fixes

Out of scope (Kobo protocol limit)

Why not now

Design

History

Summary

Scope boundaries

Spec + plan

Test plan

Summary

Key discoveries

Docs corrections (spin-off)

Infrastructure aftermath

Test plan

Follow-ups

Summary

Test plan

Summary

Test plan

Summary

Test plan

Summary

Test plan

Summary

Test plan

Summary

Test plan

Summary

Test plan

Summary

Test plan

Summary

Test plan

Summary

What you get

What's not in this PR (deliberate)

File structure

Test plan

Summary

What's in this PR

Test plan

Summary

Test plan

What's in here

Endpoints

Out of scope (plan 4)

Fixes applied before PR

Test plan

Known sharp edges

What's in here

Out of scope

Test plan

Notes

What's in here

Design — Reading Room

Auth

Store additions

Library additions

Inbox additions

Web

main.go

Out of scope (plans 3-4)

Test plan

Known follow-ups (deferred)

What's in here

Out of scope (plans 2–4)

Test plan

Known follow-ups (deferred to plan 2)