new-usemame/Calibre-Web-NextGen v4.0.146

v4.0.146 — annotation CRUD + Kobo sync optimizations + Hardcover/HTTPS hardening

on GitHub

What's new

docker pull ghcr.io/new-usemame/calibre-web-nextgen:v4.0.146

(or :latest)

Web reader gets two-way highlights (#349)

Select text in the epub reader, pick a color, add a note — the highlight saves, paints as an overlay, and persists across reloads. Click an existing highlight to recolor, edit the note, or delete it. If you have Hardcover syncing on, web-reader highlights fan out to Hardcover the same way Kobo and KOReader highlights already do.

The companion KOReader plugin (cwasync.koplugin) gains a KoboReader.sqlite write provider so highlights you make in the web reader render in the stock Kobo reader on a synced device. Verified end-to-end against a real KoboReader.sqlite (1,771 device highlights) and Nickel rendering on real hardware. Phase 3 (server→stock-Nickel wifi push) is not in this release — it didn't survive hardware testing.

The "Sync highlights" toggle in the KOReader plugin is experimental and ships default-off. Flip it on once you're comfortable with the round-trip.

Kobo sync is noticeably faster (#350, backport of CWA #1344 by @shavitmichael)

Roughly 15 seconds saved per Kobo sync round on first-time-device syncs, with the savings repeated on each paginated round. Four tightenings: kepub conversion is no longer done at auth-token-generation time (it now happens on demand when a Kobo actually requests /download/<id>/kepub); KoboSyncState row writes don't block the sync read; metadata tables are eager-loaded so the serializer doesn't fan out into per-book lazy loads; a single downloadUrl per book replaces the EPUB+EPUB3+KEPUB fallback (Kobo handles the EPUB fallback if conversion fails).

Hardcover auto-fetch + HTTPS persistence + TLS-aware healthcheck (#356, community contribution by @sarsey-walker)

Three operator-facing fixes bundled together:

• Hardcover auto-fetch stability. Long Hardcover scans no longer fail with detached-ORM-instance errors or contaminate the global web-request session — the task now works in single-book scopes inside a background worker thread that never touches the global session.
• "Use via HTTPS" actually saves now. The admin toggle existed but wasn't being persisted by the Basic Configuration save handler. Saving it now writes the value AND applies the secure-cookie flags to the running process so the change takes effect without a restart.
• No more HTTP-on-HTTPS healthcheck spam. When you serve HTTPS directly with a cert/key, the container healthcheck now probes https:// instead of http://, eliminating the Gevent SSL Error: HTTP_REQUEST warnings in your logs. Falls back to http:// automatically when no cert/key is configured.

Kobo handshake invariants now source-pinned (#339)

Six source-inspection regression pins for the no-account (fully local) Kobo sync path on firmware 4.45+. Catches a future refactor that would silently drop the oauth_host local rewrite or break the /oauth/.well-known/openid-configuration discovery route. Test-only — no behavior change.

Capture artifacts no longer reachable by git add . (#338)

.playwright-mcp/ is now in .gitignore so Playwright MCP page snapshots (which can include credentials open in the browser at capture time) cannot be accidentally committed.

Credits

Thanks @shavitmichael for the Kobo sync optimization cherry-pick (originally CWA #1344) and @sarsey-walker for the Hardcover + HTTPS bundle.