mybibli
v1.7.1 · current

Your home library, properly cataloged.

mybibli is a self-hosted web app to catalog, locate, and loan your personal library. Barcode-first, multi-media, multi-role — and your data never leaves your network.

  • 8/9 epics done
  • ~900 tests green
  • 7 metadata providers
  • 2 languages (EN/FR)

In the wild

Live in production.

Screenshots from the household NAS install that drives the project — same code that's on Docker Hub right now.

Home. Search, genre filters, dashboard counters and a recent-additions strip with cover thumbnails fetched through the metadata-provider chain.
Locations. Configurable hierarchy (room → bookcase → shelf …) with per-node volume counts, inline create / edit / delete, and a barcode-on-shelf workflow.

More than a spreadsheet.

Built for collectors who want their library to actually work. Scan a barcode, find a book on a shelf, lend it to a friend — and see what's missing in a series.

Barcode-first cataloging

Scan an ISBN or EAN-13. Title metadata resolves asynchronously through a chain of seven providers — BnF, Google Books, Open Library, MusicBrainz, OMDb, TMDB, BDGest — with cover-image download.

Multi-media support

Books, BD/comics with multi-position omnibus volumes, audio releases, films and series — each typed correctly with the right provider chain selected automatically.

Series & gap detection

See which volumes are missing in your series at a glance. The dashboard surfaces "series with gaps" alongside Dewey-based browsing and a similar-titles section.

Storage-location tracking

Configurable hierarchy — room → shelf → row, or whatever fits your home. Each shelf gets a barcode; scan the shelf, scan the volume, done.

Loan management

Borrower CRUD, loan registration, automatic location restoration on return, admin-configurable overdue threshold, per-borrower history.

Multi-role access

Anonymous (read-only), Librarian (catalog + loans), Admin (everything). Session inactivity timeout with keep-alive toast. EN / FR language toggle, per-user.

Hardened by construction

Security that sleeps next to your front door.

Self-hosted means your home network. So mybibli is built defensively from day one — not as an afterthought.

  • CSP

    Strict Content Security Policy

    No unsafe-inline, no unsafe-eval. Every template — server-rendered or HTMX fragment — is audited for inline script and style attributes.

  • CSRF

    Per-session synchronizer token

    Constant-time compare on every state-changing request. Forms inject the token automatically; HTMX inherits via a small JS listener. Exempt-route allowlist is frozen and policed by tests.

  • Scanner-guard

    A USB barcode burst that arrives while a modal is open is intercepted at document-capture phase — no leakage into background scan fields, no accidental Cancel/Confirm activation.

  • Data stays at home

    No cloud sync, no telemetry, no analytics. Argon2 password hashing, HttpOnly + SameSite cookies, soft-delete with 30-day auto-purge.
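
The CSRF item above, sketched as an added example (not mybibli's own code): a synchronizer-token check with a constant-time compare and a frozen exempt-route allowlist. The names `check`, `ct_eq` and `CSRF_EXEMPT`, the route paths and the sample token are assumptions made for illustration.

```rust
// Added illustration, not mybibli's code. Routes and token are constructed.

/// Routes allowed to skip the token check (hypothetical entries).
/// A test pins this list so that widening it fails CI.
pub const CSRF_EXEMPT: &[&str] = &["/health", "/locale"];

#[derive(Debug, PartialEq)]
pub enum Csrf {
    Allowed,
    Exempt,
    Rejected,
}

/// Compare with no early exit, so timing does not reveal where bytes differ.
pub fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false; // token length is fixed and not secret
    }
    let mut diff = 0u8;
    for (x, y) in a.iter().zip(b) {
        diff |= x ^ y;
    }
    std::hint::black_box(diff) == 0
}

pub fn check(method: &str, path: &str, session_token: &str, submitted: Option<&str>) -> Csrf {
    // Safe methods must not change state, so they carry no token.
    if matches!(method, "GET" | "HEAD" | "OPTIONS") {
        return Csrf::Allowed;
    }
    // Exact match only: a prefix match would silently widen the allowlist.
    if CSRF_EXEMPT.iter().any(|r| *r == path) {
        return Csrf::Exempt;
    }
    match submitted {
        // An empty session token never matches, even against an empty submission.
        Some(t) if !session_token.is_empty()
            && ct_eq(t.as_bytes(), session_token.as_bytes()) => Csrf::Allowed,
        _ => Csrf::Rejected,
    }
}

fn main() {
    let tok = "3f9c0a7e5b1d4c28"; // constructed sample token
    println!("{:?}", check("POST", "/loans", tok, Some(tok)));
    println!("{:?}", check("POST", "/loans", tok, None));
    println!("{:?}", check("POST", "/health/x", tok, None));
}
```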

Boring stack, on purpose.

Server-rendered HTML, type-checked templates, no SPA framework. The whole UI talks to the server with HTMX over the same routes that serve the pages.

Backend
Rust 2024 + Axum 0.8

Compiled binary, async tokio runtime, zero-cost middleware tower stack.

Database
MariaDB + SQLx 0.8

Compile-time query checking via the offline cache. Versioned migrations checked into the repo.

Templates
Askama 0.15

Compile-time type-checked Jinja-style templates. Auto HTML-escaping, no surprises.

Frontend
HTMX 2 + Tailwind 4

No build step beyond Tailwind. Server-rendered HTML; small ES modules where the UX needs it.

Auth
Sessions + Argon2

Cookie-based sessions, per-session CSRF synchronizer token, role-based access control.

i18n
rust-i18n

English + French today, key-by-key parity enforced by tests. New languages drop in as a single YAML file.

Testing
cargo + Playwright

~525 unit, ~95 DB integration, ~160 Playwright E2E across two CI lanes (seeded + wizard).

CI/CD
GitHub Actions

Rust tests + clippy + sqlx-prepare check, DB integration, Playwright E2E and wizard E2E — gated on every PR.

v1.7.1 is live.

v1.7.0 — "Reach more users, debug more easily" shipped German (#275) and Italian (#276) UI translations — the interface is now in four languages — and a persistent log directory with daily rotation (#301).

v1.7.1 — "Finish 1.7.0 properly" closes the v1.7.0 gap (the admin runtime log-level UI #301 had advertised) and bundles four production-surfaced bugfixes — Health-tab probe timeout (#310), API-key permanent-delete 422 (#309), bulk cover-refetch silent no-op (#311), and DB pool exhaustion (#312). Log level now flips from /admin > System without a restart.

New chapter 12 of the manual ("Operations & debugging") walks through tailing, log levels, structured-JSON parsing, and post-mortem grepping. Pre-built Docker images on Docker Hub.