library: spinner loader + hide native search clear button

[MaryWylde]

• Replace the plain "Loading…" text with the library Loader spinner, centered in the content area
• Hide WebKit's native search-cancel button so it no longer doubles up with the custom clear icon

[MaryWylde]

@claude, review this PR.

[claude]

Claude finished @MaryWylde's task in 3m 15s —— View job

---

PR Review

• Gather context and read changed files
• Review diff and key components
• Post full review findings

---

Scope vs. Description

The PR title and body describe two small changes (spinner loader, hide WebKit cancel button — covered by commit b886517, 3 files). The second commit (10f5619) is a separate, substantially larger feature: client-side search, full autofill for books/audio/video, a new TitleAutocomplete component, four API routes, responsive/mobile polish across a dozen components, and a detectSource utility — 42 files and 1617 additions. The PR body does not mention any of this. Worth either splitting the PR or at minimum updating the description so reviewers know what they're actually looking at.

---

Findings

Bug / Rule Violation

1. TitleAutocomplete/index.tsx violates barrel convention

src/components/library/molecules/TitleAutocomplete/index.tsx:1–2

export * from './TitleAutocomplete';
export * from './TitleAutocomplete.types';

Project rules (keepsimple skill + AGENTS.md) require:

• Barrel file named index.ts (not .tsx)
• Default export only: import TitleAutocomplete from './TitleAutocomplete'; export default TitleAutocomplete;
• Named exports in barrels are explicitly listed under "Never Do"

The AddObjectModal imports this as { TitleAutocomplete } — that named export path works, but it's inconsistent with every other component in the library. Fix this →

---

2. detectSource placed in the legacy utils/ directory

src/utils/library/detectSource.ts

AGENTS.md / keepsimple skill: "Put new utilities in src/lib/, not src/utils/ (legacy)."
This should live at src/lib/library/detectSource.ts. Fix this →

---

3. Hardcoded gendered pronoun in visitor toolbar

src/components/library/organisms/LibraryToolbar/LibraryToolbar.tsx:315

"along with an incredible playlist full of his favorite songs."

"his" is hardcoded regardless of library owner gender. Should be "their". Fix this →

---

Design / UX Questions

4. Search is owner-only — intentional?

LibraryToolbar.tsx:298–320 returns early with the visitor welcome banner for non-owners, so the search Input (rendered after that if (!isOwner) return) is never shown to visitors. A visitor browsing a large library can't search it. Worth confirming this is deliberate — it's an easy addition once confirmed.

---

5. langRestrict: 'en' silently drops non-English books

src/pages/api/library/autofill/book.ts:48–51

The comment acknowledges this is a bias toward English editions. The problem is it's silent — a user typing "Война и мир" gets zero suggestions with no explanation. The fallback to manual entry works, but a UX note or a retry without langRestrict when results are empty would help. Not a blocker, but worth tracking.

---

Security — Good Catches

The cover image proxy (src/pages/api/library/autofill/cover.ts) is well-hardened:

• SSRF guard: strict allowlist against an enumerated set of CDN hostnames
• Redirect re-check: isAllowed(upstream.url) re-validates after any redirect chain
• Content-type guard: rejects non-image/* responses
• Size limit: 5 MB cap consistent with the upload limit

API keys (GOOGLE_APIS_KEY, YOUTUBE_API_KEY) are server-only — no NEXT_PUBLIC_ prefix. Well done.

---

Minor / Nitpicks

6. as never casts in applySuggestion

AddObjectModal.tsx:213–222 — setValue('sourceUrl' as never, ...) extends a pre-existing workaround for RHF's discriminated-union limitation. Not new here but the new autofill code adds several more instances. A type ObjectWithUrl = VideoFormData | AudioFormData guard would eliminate them for the URL/source/duration fields.

7. No rate limiting on autofill routes

src/pages/api/library/autofill/*.ts — none of the four routes implement request rate limiting. A logged-in user could exhaust Google's quota rapidly. Acceptable for now given Google's own server-side quotas, but worth tracking as the feature usage scales.

8. detectSource fallback for unknown hosts returns SLD

src/utils/library/detectSource.ts:40–42 — podcasts.example.com → "Example". This works for known platforms but produces surprising source values for generic/obscure URLs (e.g. a Google Drive link would set Source to "Drive"). Returning undefined for unknown hosts and leaving Source blank might be less confusing than a guessed name.

---

What's Well Done

• Race condition handling in TitleAutocomplete is correct: a requestIdRef discards stale responses when a new query fires before the previous one returns.
• suppressQueryRef prevents re-opening the suggestion menu when the input value is updated programmatically via applySuggestion — a non-obvious subtlety handled correctly.
• fetchCoverFile is best-effort and never blocks the rest of applySuggestion from landing.
• The resequencing animation in Library.tsx uses requestAnimationFrame to reset and then re-apply the class, correctly replaying the animation on rapid re-saves.
• Cover proxy caching (Cache-Control: public, max-age=86400) warms the CDN and avoids redundant upstream fetches for the same thumbnail.

---

Summary

Three actionable items before merge: the barrel convention on TitleAutocomplete/index.tsx, the detectSource location, and the hardcoded "his" pronoun. The PR description mismatch isn't a code problem but should be updated so this doesn't land as a mystery diff in the git history. Everything security-sensitive (the cover proxy, key handling) is solid.