test: add failing tests for removing suffix matching from whitelist

Suffix matching (.example.com matching subdomains) should not be
supported. Whitelist entries should be exact host matches only.
Leading dots should be stripped and treated as exact matches.

internal/imgcache/whitelist_test.go

@@ -31,41 +31,47 @@ func TestHostWhitelist_IsWhitelisted(t *testing.T) {
 			want:     false,
 		},
 		{
-			name:     "suffix match",
+			name:     "dot prefix does not enable suffix matching",
 			patterns: []string{".example.com"},
 			testURL:  "https://cdn.example.com/image.jpg",
-			want:     true,
+			want:     false,
 		},
 		{
-			name:     "suffix match deep subdomain",
+			name:     "dot prefix does not match deep subdomain",
 			patterns: []string{".example.com"},
 			testURL:  "https://cdn.images.example.com/image.jpg",
-			want:     true,
+			want:     false,
 		},
 		{
-			name:     "suffix match apex domain",
+			name:     "dot prefix stripped matches apex domain exactly",
 			patterns: []string{".example.com"},
 			testURL:  "https://example.com/image.jpg",
 			want:     true,
 		},
 		{
-			name:     "suffix match not found",
+			name:     "dot prefix does not match unrelated domain",
 			patterns: []string{".example.com"},
 			testURL:  "https://notexample.com/image.jpg",
 			want:     false,
 		},
 		{
-			name:     "suffix match partial not allowed",
+			name:     "dot prefix does not match partial domain",
 			patterns: []string{".example.com"},
 			testURL:  "https://fakeexample.com/image.jpg",
 			want:     false,
 		},
 		{
-			name:     "multiple patterns",
+			name:     "multiple patterns exact only",
-			patterns: []string{"cdn.example.com", ".images.org", "static.test.net"},
+			patterns: []string{"cdn.example.com", "photos.images.org", "static.test.net"},
 			testURL:  "https://photos.images.org/image.jpg",
 			want:     true,
 		},
+		{
+			name:     "multiple patterns no suffix match",
+			patterns: []string{"cdn.example.com", ".images.org", "static.test.net"},
+			testURL:  "https://photos.images.org/image.jpg",
+			want:     false,
+		},
 		{
 			name:     "empty whitelist",
 			patterns: []string{},
@@ -90,6 +96,12 @@ func TestHostWhitelist_IsWhitelisted(t *testing.T) {
 			testURL:  "https://cdn.example.com/image.jpg",
 			want:     true,
 		},
+		{
+			name:     "whitespace dot prefix stripped matches exactly",
+			patterns: []string{"  .other.com  "},
+			testURL:  "https://other.com/image.jpg",
+			want:     true,
+		},
 	}
 
 	for _, tt := range tests {
@@ -139,6 +151,11 @@ func TestHostWhitelist_IsEmpty(t *testing.T) {
 			patterns: []string{"example.com"},
 			want:     false,
 		},
+		{
+			name:     "dot prefix entry still counts",
+			patterns: []string{".example.com"},
+			want:     false,
+		},
 	}
 
 	for _, tt := range tests {
@@ -168,7 +185,7 @@ func TestHostWhitelist_Count(t *testing.T) {
 			want:     3,
 		},
 		{
-			name:     "suffix hosts only",
+			name:     "dot prefix hosts treated as exact",
 			patterns: []string{".a.com", ".b.com"},
 			want:     2,
 		},
@@ -177,6 +194,11 @@ func TestHostWhitelist_Count(t *testing.T) {
 			patterns: []string{"exact.com", ".suffix.com"},
 			want:     2,
 		},
+		{
+			name:     "dot prefix deduplicates with exact",
+			patterns: []string{"example.com", ".example.com"},
+			want:     1,
+		},
 	}
 
 	for _, tt := range tests {