Update TODO.md
All checks were successful
check / check (push) Successful in 1m58s

This commit is contained in:
2026-07-06 20:35:48 +02:00
parent 811c210b09
commit c7d90314fd

101
TODO.md
View File

@@ -1,65 +1,64 @@
# Pixa 1.0 TODO # Status
Remaining tasks sorted by priority for a working 1.0 release. pre-1.0. No git tags. Full policy file set is present, but make check
fails on main with 10 gosec lint findings, so main is not green.
## P0: Critical for 1.0 # Next Step
### Image Processing Fix the 10 gosec findings so make check passes on main. Fix each issue
- [x] Add WebP encoding support (currently returns error) properly (no blanket nolint suppressions) and confirm lint, tests, and
- [ ] Add AVIF encoding support (currently returns error) CI are green. This restores the main-always-green policy.
### Manual Testing (verify auth/encrypted URLs work) # Completed Steps
- [ ] Manual test: visit `/`, see login form
- [ ] Manual test: enter wrong key, see error
- [ ] Manual test: enter correct signing key, see generator form
- [ ] Manual test: generate encrypted URL, verify it works
- [ ] Manual test: wait for expiration or use short TTL, verify expired URL returns 410
- [ ] Manual test: logout, verify redirected to login
### Cache Management - 2026-02-25: Docker arm64 build fixed via architecture detection for
- [ ] Implement cache size management/eviction (prevent disk from filling up) golangci-lint download (#16)
- 2026-02-25: full repo policy compliance pass (#14): LICENSE,
REPO_POLICIES.md, .editorconfig, Gitea Actions CI workflow, Docker
images pinned by hash, README restructured to policy sections, hooks
Makefile target, golangci-lint errors resolved
- 2026-02-20: stale local dev config files removed (#12)
- 2026-02-09: correctness fixes: negative cache checked in Service.Get()
before upstream fetch (#8); Stats() column scanning and HitRate
computation corrected (#9)
- 2026-02-08: AllowHTTP propagated to SourceURL() scheme selection (#6)
- WebP encoding support added (P0 item, checked off in TODO)
- 2026-01-08: initial implementation with Makefile and TODO checklist
### Configuration # Future Steps
- [ ] Validate configuration on startup (fail fast on bad config)
## P1: Important for Production Compliance:
### Security - After the gosec fix lands, verify CI runs make check green on main
- [ ] Implement blocked networks configuration (extend SSRF protection)
- [ ] Add rate limiting global concurrent fetches (prevent resource exhaustion)
### Image Processing P0, critical for 1.0 (from existing TODO.md):
- [ ] Implement EXIF/metadata stripping (privacy)
## P2: Nice to Have - Add AVIF encoding support (currently returns error)
- Manual test pass for auth and encrypted URLs:
- visit /, see login form
- wrong key shows error; correct signing key shows generator form
- generated encrypted URL works
- expired URL (short TTL) returns 410
- logout redirects to login
- Implement cache size management and eviction (prevent disk fill)
- Validate configuration on startup (fail fast on bad config)
### Security P1, important for production:
- [ ] Implement referer blacklist
- [ ] Add rate limiting per-IP
- [ ] Add rate limiting per-origin
### HTTP Response Handling - Blocked networks configuration (extend SSRF protection)
- [ ] Implement Last-Modified headers - Rate limit global concurrent fetches (resource exhaustion)
- [ ] Implement Vary header for content negotiation - EXIF/metadata stripping (privacy)
- [ ] Implement X-Request-ID propagation
### Additional Endpoints P2, nice to have:
- [ ] Implement auto-format selection (format=auto based on Accept header)
### Configuration - Referer blacklist; per-IP and per-origin rate limiting
- [ ] Add all configuration options from README - Last-Modified headers; Vary header; X-Request-ID propagation
- [ ] Implement environment variable overrides - Auto-format selection (format=auto based on Accept header)
- [ ] Implement YAML config file support - All configuration options from README; env var overrides; YAML config
file support
### Operational - Sentry error reporting (optional); comprehensive request logging;
- [ ] Implement Sentry error reporting (optional) Prometheus metrics
- [ ] Add comprehensive request logging - Integration tests for the image proxy flow; load tests for the
- [ ] Add performance metrics (Prometheus) 1-5k req/s target
- [ ] Write integration tests for image proxy flow - Docs: configuration options, API endpoints, deployment guide, example
- [ ] Write load tests to verify 1-5k req/s target nginx/caddy reverse proxy config
### Documentation
- [ ] Document configuration options
- [ ] Document API endpoints
- [ ] Document deployment guide
- [ ] Add example nginx/caddy reverse proxy config