feat(api): enrichir GET /books et series avec filtres et pagination

- fix(auth): parse_prefix supporte les préfixes de token contenant '_'
- feat: GET /books expose reading_status, reading_current_page, reading_last_read_at
- feat: GET /books accepte ?reading_status=unread,reading (CSV multi-valeur)
- feat: SeriesItem expose books_read_count pour dériver le statut de lecture
- feat: GET /libraries/:id/series accepte ?reading_status=unread,reading
- feat: BooksPage et SeriesPage exposent total (count matchant les filtres)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

apps/api/src/auth.rs

@@ -94,11 +94,15 @@ async fn authenticate(state: &AppState, token: &str) -> Result<Scope, ApiError>
 }
 
 fn parse_prefix(token: &str) -> Option<&str> {
-    let mut parts = token.split('_');
-    let namespace = parts.next()?;
-    let prefix = parts.next()?;
-    let secret = parts.next()?;
-    if namespace != "stl" || secret.is_empty() || prefix.len() < 6 {
+    // Format: stl_{8-char prefix}_{secret}
+    // Base64 URL_SAFE peut contenir '_', donc on ne peut pas splitter aveuglément
+    let rest = token.strip_prefix("stl_")?;
+    if rest.len() < 10 {
+        // 8 (prefix) + 1 ('_') + 1 (secret min)
+        return None;
+    }
+    let prefix = &rest[..8];
+    if rest.as_bytes().get(8) != Some(&b'_') {
         return None;
     }
     Some(prefix)