Let me read the relevant files first.

Now let me implement the changes. I'll do the userscript blocklist and the API dedup in parallel.

1. Userscript: Add blocklist and size check

2. API: Add dedup check before insert

Now let me run the type check and lint in parallel.

Both pass cleanly. Now for the production cleanup — let me delete the 5 junk/duplicate rows.

0 rows deleted — the IDs may have already been cleaned up, or they might be slightly different. Let me check what's actually in prod.

The IDs are slightly different from the plan (UUIDs were truncated). Now I have the real IDs. Delete the 5 junk/duplicate rows (keep 3d3b0bac as the newer NYT article, delete d10e5f36).

All 5 junk/duplicate rows deleted. Now pull the 3 remaining good captures.

All done. Here's a summary of what was done:

Userscript changes (capture-tokens.ts):

• Added a blocklist that filters URLs containing /auth/, /session, and specific Substack iframe URLs
• Added a content size check (< 1KB) to catch empty iframes
• Shows a notification when a capture is skipped

API dedup (captures.ts):

• Before inserting, checks if the same URL was already captured by the same user
• Returns the existing capture ID with 200 instead of creating a duplicate

Production cleanup:

• Deleted 5 rows: 2 NYT auth prefetch pages, 2 Substack internal frames, 1 duplicate NYT article
• Pulled 3 remaining good captures to content/spring2026/readings/

The userscript uses @match *://*/* which means it's injected into every page the browser loads — including iframes embedded within the page you're actually reading.

When you click "Capture This Page" on a NYTimes article, Tampermonkey runs the capture handler in every frame where the script is active. So the main article fires a capture, but so do the invisible iframes that NYTimes and Substack embed for auth/tracking purposes (like myaccount.nytimes.com/auth/prefetch-assets). Each frame has its own document and location, so each one sends its own POST to the API independently.

That's why you got captures in pairs — the article plus its auth iframe, both captured at nearly the same timestamp (e.g., 00:41:12.384 and 00:41:12.537). The Substack frames (channel-frame, session-attribution-frame) came from reading the Hyperdimensional post the same way.

The blocklist now prevents these iframe captures client-side before they're sent, and the server-side dedup prevents duplicates if somehow two captures of the same URL still get through.

Good point — let me check what was pulled.

The captures look good content-wise. A few cleanup issues:

1. NYT article has Advertisement / SKIP ADVERTISEMENT junk at the top and bottom
2. NYT article slug is very long: opinion-americans-are-trying-to-stop-data-centers-because-they-can-t-stop-a-i-nytimes-2c47
3. All three have requiresAuth: true — the New Yorker and NYT are paywalled so that's correct, but the Substack (Hyperdimensional) is free

Let me also check if there's a pattern for existing reading slugs/frontmatter.

Here's what I see comparing the new captures to the existing readings:

Issues to clean up:

1. NYT data centers article — has Advertisement and SKIP ADVERTISEMENT junk at top (lines 10-13) and bottom (lines 153-155). The slug is also very long.

2. Missing frontmatter fields — the existing readings have date, readingTime, sourceDetail, and sometimes subtitle and authorUrl. The new captures only have title, slug, author, source, sourceUrl, and requiresAuth.

3. Hyperdimensional (Clawed) — requiresAuth: true but this is a free Substack post, should probably be false.

Want me to clean these up? Specifically:

• Strip the NYT ad junk from the data centers article
• Shorten that slug (e.g., data-centers-ai-regulation-nytimes-2c47)
• Set requiresAuth: false on the Hyperdimensional piece
• Add missing frontmatter fields (date, readingTime, etc.) to all three

Now rename the NYT file to match the new slug.

Now verify everything builds cleanly.

All clean. Here's what I fixed across the three captures:

• NYT data centers: Stripped Advertisement/SKIP ADVERTISEMENT junk from top and bottom, removed the newsletter intro line, dropped "Opinion |" from title, shortened slug to data-centers-ai-regulation-nytimes-2c47, renamed file to match
• Hyperdimensional (Clawed): Set requiresAuth: false since it's a free Substack
• All three: Added date, sourceDetail, and readingTime frontmatter to match existing reading conventions

No debug logging. The 3 new reading files should be added. Two logical commits — one for the API changes, one for the readings.

Two commits:

1. 408caec — API/userscript: junk filtering + deduplication
2. c1bfd83 — Three new readings (Cassidy/New Yorker, Ball/Hyperdimensional, Wallace-Wells/NYT)

Clean version bump across all packages, no debug logging. One commit.

Done — 69e293b bumps all packages to 2026.3.9.