From c7d90314fdc741208c526a52ff06e903130e2b98 Mon Sep 17 00:00:00 2001 From: sneak Date: Mon, 6 Jul 2026 20:35:48 +0200 Subject: [PATCH] Update TODO.md --- TODO.md | 101 ++++++++++++++++++++++++++++---------------------------- 1 file changed, 50 insertions(+), 51 deletions(-) diff --git a/TODO.md b/TODO.md index 0f8fbf4..8c9c81c 100644 --- a/TODO.md +++ b/TODO.md @@ -1,65 +1,64 @@ -# Pixa 1.0 TODO +# Status -Remaining tasks sorted by priority for a working 1.0 release. +pre-1.0. No git tags. Full policy file set is present, but make check +fails on main with 10 gosec lint findings, so main is not green. -## P0: Critical for 1.0 +# Next Step -### Image Processing -- [x] Add WebP encoding support (currently returns error) -- [ ] Add AVIF encoding support (currently returns error) +Fix the 10 gosec findings so make check passes on main. Fix each issue +properly (no blanket nolint suppressions) and confirm lint, tests, and +CI are green. This restores the main-always-green policy. -### Manual Testing (verify auth/encrypted URLs work) -- [ ] Manual test: visit `/`, see login form -- [ ] Manual test: enter wrong key, see error -- [ ] Manual test: enter correct signing key, see generator form -- [ ] Manual test: generate encrypted URL, verify it works -- [ ] Manual test: wait for expiration or use short TTL, verify expired URL returns 410 -- [ ] Manual test: logout, verify redirected to login +# Completed Steps -### Cache Management -- [ ] Implement cache size management/eviction (prevent disk from filling up) +- 2026-02-25: Docker arm64 build fixed via architecture detection for + golangci-lint download (#16) +- 2026-02-25: full repo policy compliance pass (#14): LICENSE, + REPO_POLICIES.md, .editorconfig, Gitea Actions CI workflow, Docker + images pinned by hash, README restructured to policy sections, hooks + Makefile target, golangci-lint errors resolved +- 2026-02-20: stale local dev config files removed (#12) +- 2026-02-09: correctness fixes: negative cache checked in Service.Get() + before upstream fetch (#8); Stats() column scanning and HitRate + computation corrected (#9) +- 2026-02-08: AllowHTTP propagated to SourceURL() scheme selection (#6) +- WebP encoding support added (P0 item, checked off in TODO) +- 2026-01-08: initial implementation with Makefile and TODO checklist -### Configuration -- [ ] Validate configuration on startup (fail fast on bad config) +# Future Steps -## P1: Important for Production +Compliance: -### Security -- [ ] Implement blocked networks configuration (extend SSRF protection) -- [ ] Add rate limiting global concurrent fetches (prevent resource exhaustion) +- After the gosec fix lands, verify CI runs make check green on main -### Image Processing -- [ ] Implement EXIF/metadata stripping (privacy) +P0, critical for 1.0 (from existing TODO.md): -## P2: Nice to Have +- Add AVIF encoding support (currently returns error) +- Manual test pass for auth and encrypted URLs: + - visit /, see login form + - wrong key shows error; correct signing key shows generator form + - generated encrypted URL works + - expired URL (short TTL) returns 410 + - logout redirects to login +- Implement cache size management and eviction (prevent disk fill) +- Validate configuration on startup (fail fast on bad config) -### Security -- [ ] Implement referer blacklist -- [ ] Add rate limiting per-IP -- [ ] Add rate limiting per-origin +P1, important for production: -### HTTP Response Handling -- [ ] Implement Last-Modified headers -- [ ] Implement Vary header for content negotiation -- [ ] Implement X-Request-ID propagation +- Blocked networks configuration (extend SSRF protection) +- Rate limit global concurrent fetches (resource exhaustion) +- EXIF/metadata stripping (privacy) -### Additional Endpoints -- [ ] Implement auto-format selection (format=auto based on Accept header) +P2, nice to have: -### Configuration -- [ ] Add all configuration options from README -- [ ] Implement environment variable overrides -- [ ] Implement YAML config file support - -### Operational -- [ ] Implement Sentry error reporting (optional) -- [ ] Add comprehensive request logging -- [ ] Add performance metrics (Prometheus) -- [ ] Write integration tests for image proxy flow -- [ ] Write load tests to verify 1-5k req/s target - -### Documentation -- [ ] Document configuration options -- [ ] Document API endpoints -- [ ] Document deployment guide -- [ ] Add example nginx/caddy reverse proxy config +- Referer blacklist; per-IP and per-origin rate limiting +- Last-Modified headers; Vary header; X-Request-ID propagation +- Auto-format selection (format=auto based on Accept header) +- All configuration options from README; env var overrides; YAML config + file support +- Sentry error reporting (optional); comprehensive request logging; + Prometheus metrics +- Integration tests for the image proxy flow; load tests for the + 1-5k req/s target +- Docs: configuration options, API endpoints, deployment guide, example + nginx/caddy reverse proxy config