v1.1.0-beta.035 - feat(library): series download button, Smart Match provider IDs, server-side download permission enforcement
⬇️ Library quality-of-life
- Smart Match suggestion cards now show the provider series/volume ID as a monospace chip — the tooltip names the ID type (ComicVine Volume vs. Metron Series) for verifying a match before accepting
- New Download Series button on the series page downloads every issue file sequentially with live progress (Downloading 7/28), delivering original .cbz files with no server-side memory cost — visible only to admins and users with the download permission
🔒 Security: download permission enforced server-side
- /api/library/download previously relied on UI gating alone — any authenticated user who knew a file path could fetch files directly
- The route now resolves the session and requires ADMIN role or canDownload=true, using a fresh DB lookup so revoking the permission takes effect immediately rather than on JWT refresh
- Existing library-root path validation unchanged and still applies after the permission gate; OPDS downloads unaffected (separate route, already enforced its own canDownload check)
✅ Verification
- tsc clean; vitest 184/184 across 59 files
- New test coverage: download permission matrix (no session → 401, unprivileged user → 403, permitted user and admin pass through, path traversal still rejected for admins)