diff --git a/TODO.md b/TODO.md index f9d9086..86e6fa3 100644 --- a/TODO.md +++ b/TODO.md @@ -17,13 +17,13 @@ A single linear checklist of tasks to implement the complete pixa caching image - [x] Verify basic server starts and healthcheck works ## Core Image Proxy Features -- [ ] Implement URL parsing for `/v1/image///.` -- [ ] Implement upstream HTTP client with TLS verification -- [ ] Implement SSRF protection (block private/internal IPs) -- [ ] Implement source host whitelist checking -- [ ] Implement HMAC-SHA256 signature generation -- [ ] Implement HMAC-SHA256 signature verification -- [ ] Implement signature expiration checking +- [x] Implement URL parsing for `/v1/image///.` +- [x] Implement upstream HTTP client with TLS verification +- [x] Implement SSRF protection (block private/internal IPs) +- [x] Implement source host whitelist checking +- [x] Implement HMAC-SHA256 signature generation +- [x] Implement HMAC-SHA256 signature verification +- [x] Implement signature expiration checking - [ ] Implement upstream fetch with timeout and size limits - [ ] Implement Content-Type validation (whitelist MIME types) - [ ] Implement magic byte verification
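Review bot: In the "Core Image Proxy Features" list, `Implement SSRF protection (block private/internal IPs)` and `Implement upstream HTTP client with TLS verification` are now ticked while `Implement upstream fetch with timeout and size limits` directly below them is still open, so the checklist reads as if SSRF protection is finished before the request path it has to guard exists. Either leave the SSRF item open until the fetch task lands, or add an explicit sub-item under the fetch task stating that the private/internal IP block is enforced on the address actually connected to and on any redirect the fetch follows. The path template in the first item reads `/v1/image///.` with empty segments on both the removed and the added line; if placeholders were intended there, they are missing from the text and should be restored. The visible diff touches only TODO.md, so it would help to reference the commits or tests that back each of the seven newly ticked items, the signature verification and expiration ones in particular.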