This commit is contained in:
101
TODO.md
101
TODO.md
@@ -1,65 +1,64 @@
|
|||||||
# Pixa 1.0 TODO
|
# Status
|
||||||
|
|
||||||
Remaining tasks sorted by priority for a working 1.0 release.
|
pre-1.0. No git tags. Full policy file set is present, but make check
|
||||||
|
fails on main with 10 gosec lint findings, so main is not green.
|
||||||
|
|
||||||
## P0: Critical for 1.0
|
# Next Step
|
||||||
|
|
||||||
### Image Processing
|
Fix the 10 gosec findings so make check passes on main. Fix each issue
|
||||||
- [x] Add WebP encoding support (currently returns error)
|
properly (no blanket nolint suppressions) and confirm lint, tests, and
|
||||||
- [ ] Add AVIF encoding support (currently returns error)
|
CI are green. This restores the main-always-green policy.
|
||||||
|
|
||||||
### Manual Testing (verify auth/encrypted URLs work)
|
# Completed Steps
|
||||||
- [ ] Manual test: visit `/`, see login form
|
|
||||||
- [ ] Manual test: enter wrong key, see error
|
|
||||||
- [ ] Manual test: enter correct signing key, see generator form
|
|
||||||
- [ ] Manual test: generate encrypted URL, verify it works
|
|
||||||
- [ ] Manual test: wait for expiration or use short TTL, verify expired URL returns 410
|
|
||||||
- [ ] Manual test: logout, verify redirected to login
|
|
||||||
|
|
||||||
### Cache Management
|
- 2026-02-25: Docker arm64 build fixed via architecture detection for
|
||||||
- [ ] Implement cache size management/eviction (prevent disk from filling up)
|
golangci-lint download (#16)
|
||||||
|
- 2026-02-25: full repo policy compliance pass (#14): LICENSE,
|
||||||
|
REPO_POLICIES.md, .editorconfig, Gitea Actions CI workflow, Docker
|
||||||
|
images pinned by hash, README restructured to policy sections, hooks
|
||||||
|
Makefile target, golangci-lint errors resolved
|
||||||
|
- 2026-02-20: stale local dev config files removed (#12)
|
||||||
|
- 2026-02-09: correctness fixes: negative cache checked in Service.Get()
|
||||||
|
before upstream fetch (#8); Stats() column scanning and HitRate
|
||||||
|
computation corrected (#9)
|
||||||
|
- 2026-02-08: AllowHTTP propagated to SourceURL() scheme selection (#6)
|
||||||
|
- WebP encoding support added (P0 item, checked off in TODO)
|
||||||
|
- 2026-01-08: initial implementation with Makefile and TODO checklist
|
||||||
|
|
||||||
### Configuration
|
# Future Steps
|
||||||
- [ ] Validate configuration on startup (fail fast on bad config)
|
|
||||||
|
|
||||||
## P1: Important for Production
|
Compliance:
|
||||||
|
|
||||||
### Security
|
- After the gosec fix lands, verify CI runs make check green on main
|
||||||
- [ ] Implement blocked networks configuration (extend SSRF protection)
|
|
||||||
- [ ] Add rate limiting global concurrent fetches (prevent resource exhaustion)
|
|
||||||
|
|
||||||
### Image Processing
|
P0, critical for 1.0 (from existing TODO.md):
|
||||||
- [ ] Implement EXIF/metadata stripping (privacy)
|
|
||||||
|
|
||||||
## P2: Nice to Have
|
- Add AVIF encoding support (currently returns error)
|
||||||
|
- Manual test pass for auth and encrypted URLs:
|
||||||
|
- visit /, see login form
|
||||||
|
- wrong key shows error; correct signing key shows generator form
|
||||||
|
- generated encrypted URL works
|
||||||
|
- expired URL (short TTL) returns 410
|
||||||
|
- logout redirects to login
|
||||||
|
- Implement cache size management and eviction (prevent disk fill)
|
||||||
|
- Validate configuration on startup (fail fast on bad config)
|
||||||
|
|
||||||
### Security
|
P1, important for production:
|
||||||
- [ ] Implement referer blacklist
|
|
||||||
- [ ] Add rate limiting per-IP
|
|
||||||
- [ ] Add rate limiting per-origin
|
|
||||||
|
|
||||||
### HTTP Response Handling
|
- Blocked networks configuration (extend SSRF protection)
|
||||||
- [ ] Implement Last-Modified headers
|
- Rate limit global concurrent fetches (resource exhaustion)
|
||||||
- [ ] Implement Vary header for content negotiation
|
- EXIF/metadata stripping (privacy)
|
||||||
- [ ] Implement X-Request-ID propagation
|
|
||||||
|
|
||||||
### Additional Endpoints
|
P2, nice to have:
|
||||||
- [ ] Implement auto-format selection (format=auto based on Accept header)
|
|
||||||
|
|
||||||
### Configuration
|
- Referer blacklist; per-IP and per-origin rate limiting
|
||||||
- [ ] Add all configuration options from README
|
- Last-Modified headers; Vary header; X-Request-ID propagation
|
||||||
- [ ] Implement environment variable overrides
|
- Auto-format selection (format=auto based on Accept header)
|
||||||
- [ ] Implement YAML config file support
|
- All configuration options from README; env var overrides; YAML config
|
||||||
|
file support
|
||||||
### Operational
|
- Sentry error reporting (optional); comprehensive request logging;
|
||||||
- [ ] Implement Sentry error reporting (optional)
|
Prometheus metrics
|
||||||
- [ ] Add comprehensive request logging
|
- Integration tests for the image proxy flow; load tests for the
|
||||||
- [ ] Add performance metrics (Prometheus)
|
1-5k req/s target
|
||||||
- [ ] Write integration tests for image proxy flow
|
- Docs: configuration options, API endpoints, deployment guide, example
|
||||||
- [ ] Write load tests to verify 1-5k req/s target
|
nginx/caddy reverse proxy config
|
||||||
|
|
||||||
### Documentation
|
|
||||||
- [ ] Document configuration options
|
|
||||||
- [ ] Document API endpoints
|
|
||||||
- [ ] Document deployment guide
|
|
||||||
- [ ] Add example nginx/caddy reverse proxy config
|
|
||||||
|
|||||||
Reference in New Issue
Block a user