Update TODO.md
All checks were successful
check / check (push) Successful in 1m58s

This commit is contained in:
2026-07-06 20:35:48 +02:00
parent 811c210b09
commit c7d90314fd

101
TODO.md
View File

@@ -1,65 +1,64 @@
# Pixa 1.0 TODO
# Status
Remaining tasks sorted by priority for a working 1.0 release.
pre-1.0. No git tags. Full policy file set is present, but make check
fails on main with 10 gosec lint findings, so main is not green.
## P0: Critical for 1.0
# Next Step
### Image Processing
- [x] Add WebP encoding support (currently returns error)
- [ ] Add AVIF encoding support (currently returns error)
Fix the 10 gosec findings so make check passes on main. Fix each issue
properly (no blanket nolint suppressions) and confirm lint, tests, and
CI are green. This restores the main-always-green policy.
### Manual Testing (verify auth/encrypted URLs work)
- [ ] Manual test: visit `/`, see login form
- [ ] Manual test: enter wrong key, see error
- [ ] Manual test: enter correct signing key, see generator form
- [ ] Manual test: generate encrypted URL, verify it works
- [ ] Manual test: wait for expiration or use short TTL, verify expired URL returns 410
- [ ] Manual test: logout, verify redirected to login
# Completed Steps
### Cache Management
- [ ] Implement cache size management/eviction (prevent disk from filling up)
- 2026-02-25: Docker arm64 build fixed via architecture detection for
golangci-lint download (#16)
- 2026-02-25: full repo policy compliance pass (#14): LICENSE,
REPO_POLICIES.md, .editorconfig, Gitea Actions CI workflow, Docker
images pinned by hash, README restructured to policy sections, hooks
Makefile target, golangci-lint errors resolved
- 2026-02-20: stale local dev config files removed (#12)
- 2026-02-09: correctness fixes: negative cache checked in Service.Get()
before upstream fetch (#8); Stats() column scanning and HitRate
computation corrected (#9)
- 2026-02-08: AllowHTTP propagated to SourceURL() scheme selection (#6)
- WebP encoding support added (P0 item, checked off in TODO)
- 2026-01-08: initial implementation with Makefile and TODO checklist
### Configuration
- [ ] Validate configuration on startup (fail fast on bad config)
# Future Steps
## P1: Important for Production
Compliance:
### Security
- [ ] Implement blocked networks configuration (extend SSRF protection)
- [ ] Add rate limiting global concurrent fetches (prevent resource exhaustion)
- After the gosec fix lands, verify CI runs make check green on main
### Image Processing
- [ ] Implement EXIF/metadata stripping (privacy)
P0, critical for 1.0 (from existing TODO.md):
## P2: Nice to Have
- Add AVIF encoding support (currently returns error)
- Manual test pass for auth and encrypted URLs:
- visit /, see login form
- wrong key shows error; correct signing key shows generator form
- generated encrypted URL works
- expired URL (short TTL) returns 410
- logout redirects to login
- Implement cache size management and eviction (prevent disk fill)
- Validate configuration on startup (fail fast on bad config)
### Security
- [ ] Implement referer blacklist
- [ ] Add rate limiting per-IP
- [ ] Add rate limiting per-origin
P1, important for production:
### HTTP Response Handling
- [ ] Implement Last-Modified headers
- [ ] Implement Vary header for content negotiation
- [ ] Implement X-Request-ID propagation
- Blocked networks configuration (extend SSRF protection)
- Rate limit global concurrent fetches (resource exhaustion)
- EXIF/metadata stripping (privacy)
### Additional Endpoints
- [ ] Implement auto-format selection (format=auto based on Accept header)
P2, nice to have:
### Configuration
- [ ] Add all configuration options from README
- [ ] Implement environment variable overrides
- [ ] Implement YAML config file support
### Operational
- [ ] Implement Sentry error reporting (optional)
- [ ] Add comprehensive request logging
- [ ] Add performance metrics (Prometheus)
- [ ] Write integration tests for image proxy flow
- [ ] Write load tests to verify 1-5k req/s target
### Documentation
- [ ] Document configuration options
- [ ] Document API endpoints
- [ ] Document deployment guide
- [ ] Add example nginx/caddy reverse proxy config
- Referer blacklist; per-IP and per-origin rate limiting
- Last-Modified headers; Vary header; X-Request-ID propagation
- Auto-format selection (format=auto based on Accept header)
- All configuration options from README; env var overrides; YAML config
file support
- Sentry error reporting (optional); comprehensive request logging;
Prometheus metrics
- Integration tests for the image proxy flow; load tests for the
1-5k req/s target
- Docs: configuration options, API endpoints, deployment guide, example
nginx/caddy reverse proxy config