Added
- Arr-compatible queue endpoint for Harpoon integrations (#370) —
GET /api/queuereturns a Sonarr/Radarr-style queue payload withtotalRecords, queue records, livesize/sizeleft, downloader status, client name, remote download ID, protocol, optional pagination, and sorting. The existingGET /api/v1/queueUI response remains unchanged. - Author detail search-all-wanted action (#410) — the Author Detail page now has a Search all wanted button that queues searches for that author's monitored wanted books, disables itself when there is nothing searchable, and surfaces bulk-search errors inline. Author bulk search now also skips unmonitored wanted books so explicit per-book unmonitor decisions are respected.
- Startup configuration validation (#430) — Bindery now validates its configuration on startup and logs actionable warnings for known conflict patterns (conflicting audiobook dir, invalid URLs, non-existent paths). Does not block startup; surfaces problems early before they cause silent failures at runtime.
- Configurable login rate-limit thresholds (#428) —
BINDERY_RATE_LIMIT_MAX_FAILURES(default 5) andBINDERY_RATE_LIMIT_WINDOW_MINUTES(default 15) let operators tune the per-IP brute-force lockout without recompiling.
Fixed
- OpenLibrary search results restored (#408) — the deprecated
/search.jsonendpoint (which began returning HTTP 500) is replaced by/authors/{id}/works.jsonas the primary works source with/searchdemoted to enrichment. Series data now comes from the primary call so fewer round-trips are needed. - Audiobook routing now respects
BINDERY_AUDIOBOOK_DIR(#421) — per-author ebook root folders were incorrectly applied to audiobook destinations; audiobooks now always route to the dedicated audiobook directory and ignore the ebook root. - Audiobook directory visible in Settings UI (#420) — the audiobook storage path is now displayed in Settings → General alongside the library directory.
- API-key requests exempt from CSRF middleware (#424) — external tools such as Harpoon that authenticate via X-Api-Key header were receiving 403 on
POST /api/queue; API-key-authenticated requests now bypassRequireXRequestedWithandRequireCSRFTokenchecks while browser-session requests remain protected. - Torrent hash case sensitivity (#425) — torrent hashes are now lowercased on assignment, preventing hash-not-found mismatches when clients return mixed-case identifiers.
- Transmission error states now surface in queue (#426) — integer status codes 16 and 32 (error / isolated-error) are now recognised and translated to
TrackedDownloadStatus: Warning, so stuck Transmission downloads appear in the queue instead of silently stalling. - CSV author import skips header row (#419) — CSV imports with a header row no longer create a spurious author entry from column names.
- qBittorrent hash detection no longer filtered by category (#418) — the category filter on the hash detection poll was a spurious race condition that prevented hashes from being recorded on redirect URLs; the filter is removed.
- Credential normalization silent clear fixed (#422) —
normalizeClientCredentialStoragenow applies the samelegacyCredentialURLBaseguard as the read path, preventing a bareurl_basewith noapi_keyfrom being silently migrated intousernameon write. - Library scanner series matching now runs in production — the scanner is wired to the series repository at startup; filename-based series/position matching now runs during normal library scans.
- qBittorrent and Transmission URL Base preserved on read — legacy credential hydration no longer clears real reverse-proxy URL Base values (e.g.
/qbit) — only old credential-as-url_base rows are migrated.