feat: split Dockerfile into dedicated lint and build stages

- Add dedicated lint stage using pre-built golangci-lint v2.10.1 image
- Move fmt-check and lint from build stage to lint stage for faster feedback
- Remove manual golangci-lint binary download (now handled by lint image)
- Remove curl from build stage dependencies (no longer needed)
- Add COPY --from=lint dependency to force BuildKit to run lint stage
- Build stage now runs only tests and compilation

closes #20

Dockerfile

@@ -1,31 +1,32 @@
-# Lint stage
-# golangci/golangci-lint:v2.10.1-alpine, 2026-02-17
-FROM golangci/golangci-lint:v2.10.1-alpine@sha256:33bc6b6156d4c7da87175f187090019769903d04dd408833b83083ed214b0ddf AS lint
+# Lint stage — fast feedback on formatting and lint issues
+# golangci/golangci-lint:v2.10.1, 2026-03-01
+FROM golangci/golangci-lint@sha256:ea84d14c2fef724411be7dc45e09e6ef721d748315252b02df19a7e3113ee763 AS lint
 
-RUN apk add --no-cache make build-base vips-dev libheif-dev pkgconfig
+# Install CGO dependencies needed for static analysis of vips/libheif code
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    libvips-dev \
+    libheif-dev \
+    pkg-config \
+    && rm -rf /var/lib/apt/lists/*
 
 WORKDIR /src
-
-# Copy go mod files first for better layer caching
 COPY go.mod go.sum ./
 RUN go mod download
 
-# Copy source code
 COPY . .
 
-# Run formatting check and linter
 RUN make fmt-check
 RUN make lint
 
-# Build stage
+# Build stage — tests and compilation
 # golang:1.25.4-alpine, 2026-02-25
 FROM golang:1.25.4-alpine@sha256:d3f0cf7723f3429e3f9ed846243970b20a2de7bae6a5b66fc5914e228d831bbb AS builder
 
-# Depend on lint stage passing
-COPY --from=lint /src/go.sum /dev/null
-
 ARG VERSION=dev
 
+# Force BuildKit to run the lint stage by creating a stage dependency
+COPY --from=lint /src/go.sum /dev/null
+
 # Install build dependencies for CGO image libraries
 RUN apk add --no-cache \
     build-base \

TODO.md

@@ -6,7 +6,7 @@ Remaining tasks sorted by priority for a working 1.0 release.
 
 ### Image Processing
 - [x] Add WebP encoding support (currently returns error)
-- [x] Add AVIF encoding support (implemented via govips)
+- [ ] Add AVIF encoding support (currently returns error)
 
 ### Manual Testing (verify auth/encrypted URLs work)
 - [ ] Manual test: visit `/`, see login form

internal/imgcache/processor.go

@@ -26,36 +26,20 @@ func initVips() {
 // Images larger than this are rejected to prevent DoS via decompression bombs.
 const MaxInputDimension = 8192
 
-// DefaultMaxInputBytes is the default maximum input size in bytes (50 MiB).
-// This matches the default upstream fetcher limit.
-const DefaultMaxInputBytes = 50 << 20
-
 // ErrInputTooLarge is returned when input image dimensions exceed MaxInputDimension.
 var ErrInputTooLarge = errors.New("input image dimensions exceed maximum")
 
-// ErrInputDataTooLarge is returned when the raw input data exceeds the configured byte limit.
-var ErrInputDataTooLarge = errors.New("input data exceeds maximum allowed size")
-
 // ErrUnsupportedOutputFormat is returned when the requested output format is not supported.
 var ErrUnsupportedOutputFormat = errors.New("unsupported output format")
 
 // ImageProcessor implements the Processor interface using libvips via govips.
-type ImageProcessor struct {
-	maxInputBytes int64
-}
+type ImageProcessor struct{}
 
-// NewImageProcessor creates a new image processor with the given maximum input
-// size in bytes. If maxInputBytes is <= 0, DefaultMaxInputBytes is used.
-func NewImageProcessor(maxInputBytes int64) *ImageProcessor {
+// NewImageProcessor creates a new image processor.
+func NewImageProcessor() *ImageProcessor {
 	initVips()
 
-	if maxInputBytes <= 0 {
-		maxInputBytes = DefaultMaxInputBytes
-	}
-
-	return &ImageProcessor{
-		maxInputBytes: maxInputBytes,
-	}
+	return &ImageProcessor{}
 }
 
 // Process transforms an image according to the request.
@@ -64,20 +48,12 @@ func (p *ImageProcessor) Process(
 	input io.Reader,
 	req *ImageRequest,
 ) (*ProcessResult, error) {
-	// Read input with a size limit to prevent unbounded memory consumption.
-	// We read at most maxInputBytes+1 so we can detect if the input exceeds
-	// the limit without consuming additional memory.
-	limited := io.LimitReader(input, p.maxInputBytes+1)
-
-	data, err := io.ReadAll(limited)
+	// Read input
+	data, err := io.ReadAll(input)
 	if err != nil {
 		return nil, fmt.Errorf("failed to read input: %w", err)
 	}
 
-	if int64(len(data)) > p.maxInputBytes {
-		return nil, ErrInputDataTooLarge
-	}
-
 	// Decode image
 	img, err := vips.NewImageFromBuffer(data)
 	if err != nil {

internal/imgcache/processor_test.go

@@ -71,7 +71,7 @@ func createTestPNG(t *testing.T, width, height int) []byte {
 }
 
 func TestImageProcessor_ResizeJPEG(t *testing.T) {
-	proc := NewImageProcessor(0)
+	proc := NewImageProcessor()
 	ctx := context.Background()
 
 	input := createTestJPEG(t, 800, 600)
@@ -118,7 +118,7 @@ func TestImageProcessor_ResizeJPEG(t *testing.T) {
 }
 
 func TestImageProcessor_ConvertToPNG(t *testing.T) {
-	proc := NewImageProcessor(0)
+	proc := NewImageProcessor()
 	ctx := context.Background()
 
 	input := createTestJPEG(t, 200, 150)
@@ -151,7 +151,7 @@ func TestImageProcessor_ConvertToPNG(t *testing.T) {
 }
 
 func TestImageProcessor_OriginalSize(t *testing.T) {
-	proc := NewImageProcessor(0)
+	proc := NewImageProcessor()
 	ctx := context.Background()
 
 	input := createTestJPEG(t, 640, 480)
@@ -179,7 +179,7 @@ func TestImageProcessor_OriginalSize(t *testing.T) {
 }
 
 func TestImageProcessor_FitContain(t *testing.T) {
-	proc := NewImageProcessor(0)
+	proc := NewImageProcessor()
 	ctx := context.Background()
 
 	// 800x400 image (2:1 aspect) into 400x400 box with contain
@@ -206,7 +206,7 @@ func TestImageProcessor_FitContain(t *testing.T) {
 }
 
 func TestImageProcessor_ProportionalScale_WidthOnly(t *testing.T) {
-	proc := NewImageProcessor(0)
+	proc := NewImageProcessor()
 	ctx := context.Background()
 
 	// 800x600 image, request width=400 height=0
@@ -236,7 +236,7 @@ func TestImageProcessor_ProportionalScale_WidthOnly(t *testing.T) {
 }
 
 func TestImageProcessor_ProportionalScale_HeightOnly(t *testing.T) {
-	proc := NewImageProcessor(0)
+	proc := NewImageProcessor()
 	ctx := context.Background()
 
 	// 800x600 image, request width=0 height=300
@@ -266,7 +266,7 @@ func TestImageProcessor_ProportionalScale_HeightOnly(t *testing.T) {
 }
 
 func TestImageProcessor_ProcessPNG(t *testing.T) {
-	proc := NewImageProcessor(0)
+	proc := NewImageProcessor()
 	ctx := context.Background()
 
 	input := createTestPNG(t, 400, 300)
@@ -298,7 +298,7 @@ func TestImageProcessor_ImplementsInterface(t *testing.T) {
 }
 
 func TestImageProcessor_SupportedFormats(t *testing.T) {
-	proc := NewImageProcessor(0)
+	proc := NewImageProcessor()
 
 	inputFormats := proc.SupportedInputFormats()
 	if len(inputFormats) == 0 {
@@ -312,7 +312,7 @@ func TestImageProcessor_SupportedFormats(t *testing.T) {
 }
 
 func TestImageProcessor_RejectsOversizedInput(t *testing.T) {
-	proc := NewImageProcessor(0)
+	proc := NewImageProcessor()
 	ctx := context.Background()
 
 	// Create an image that exceeds MaxInputDimension (e.g., 10000x100)
@@ -337,7 +337,7 @@ func TestImageProcessor_RejectsOversizedInput(t *testing.T) {
 }
 
 func TestImageProcessor_RejectsOversizedInputHeight(t *testing.T) {
-	proc := NewImageProcessor(0)
+	proc := NewImageProcessor()
 	ctx := context.Background()
 
 	// Create an image with oversized height
@@ -361,7 +361,7 @@ func TestImageProcessor_RejectsOversizedInputHeight(t *testing.T) {
 }
 
 func TestImageProcessor_AcceptsMaxDimensionInput(t *testing.T) {
-	proc := NewImageProcessor(0)
+	proc := NewImageProcessor()
 	ctx := context.Background()
 
 	// Create an image at exactly MaxInputDimension - should be accepted
@@ -383,7 +383,7 @@ func TestImageProcessor_AcceptsMaxDimensionInput(t *testing.T) {
 }
 
 func TestImageProcessor_EncodeWebP(t *testing.T) {
-	proc := NewImageProcessor(0)
+	proc := NewImageProcessor()
 	ctx := context.Background()
 
 	input := createTestJPEG(t, 200, 150)
@@ -426,7 +426,7 @@ func TestImageProcessor_EncodeWebP(t *testing.T) {
 }
 
 func TestImageProcessor_DecodeAVIF(t *testing.T) {
-	proc := NewImageProcessor(0)
+	proc := NewImageProcessor()
 	ctx := context.Background()
 
 	// Load test AVIF file
@@ -465,73 +465,8 @@ func TestImageProcessor_DecodeAVIF(t *testing.T) {
 	}
 }
 
-func TestImageProcessor_RejectsOversizedInputData(t *testing.T) {
-	// Create a processor with a very small byte limit
-	const limit = 1024
-	proc := NewImageProcessor(limit)
-	ctx := context.Background()
-
-	// Create a valid JPEG that exceeds the byte limit
-	input := createTestJPEG(t, 800, 600) // will be well over 1 KiB
-	if int64(len(input)) <= limit {
-		t.Fatalf("test JPEG must exceed %d bytes, got %d", limit, len(input))
-	}
-
-	req := &ImageRequest{
-		Size:    Size{Width: 100, Height: 75},
-		Format:  FormatJPEG,
-		Quality: 85,
-		FitMode: FitCover,
-	}
-
-	_, err := proc.Process(ctx, bytes.NewReader(input), req)
-	if err == nil {
-		t.Fatal("Process() should reject input exceeding maxInputBytes")
-	}
-
-	if err != ErrInputDataTooLarge {
-		t.Errorf("Process() error = %v, want ErrInputDataTooLarge", err)
-	}
-}
-
-func TestImageProcessor_AcceptsInputWithinLimit(t *testing.T) {
-	// Create a small image and set limit well above its size
-	input := createTestJPEG(t, 10, 10)
-	limit := int64(len(input)) * 10 // 10× headroom
-
-	proc := NewImageProcessor(limit)
-	ctx := context.Background()
-
-	req := &ImageRequest{
-		Size:    Size{Width: 10, Height: 10},
-		Format:  FormatJPEG,
-		Quality: 85,
-		FitMode: FitCover,
-	}
-
-	result, err := proc.Process(ctx, bytes.NewReader(input), req)
-	if err != nil {
-		t.Fatalf("Process() error = %v, want nil", err)
-	}
-	defer result.Content.Close()
-}
-
-func TestImageProcessor_DefaultMaxInputBytes(t *testing.T) {
-	// Passing 0 should use the default
-	proc := NewImageProcessor(0)
-	if proc.maxInputBytes != DefaultMaxInputBytes {
-		t.Errorf("maxInputBytes = %d, want %d", proc.maxInputBytes, DefaultMaxInputBytes)
-	}
-
-	// Passing negative should also use the default
-	proc = NewImageProcessor(-1)
-	if proc.maxInputBytes != DefaultMaxInputBytes {
-		t.Errorf("maxInputBytes = %d, want %d", proc.maxInputBytes, DefaultMaxInputBytes)
-	}
-}
-
 func TestImageProcessor_EncodeAVIF(t *testing.T) {
-	proc := NewImageProcessor(0)
+	proc := NewImageProcessor()
 	ctx := context.Background()
 
 	input := createTestJPEG(t, 200, 150)

internal/imgcache/service.go

@@ -22,7 +22,6 @@ type Service struct {
 	whitelist *HostWhitelist
 	log       *slog.Logger
 	allowHTTP bool
-	maxResponseSize int64
 }
 
 // ServiceConfig holds configuration for the image service.
@@ -51,17 +50,15 @@ func NewService(cfg *ServiceConfig) (*Service, error) {
 		return nil, errors.New("signing key is required")
 	}
 
-	// Resolve fetcher config for defaults
-	fetcherCfg := cfg.FetcherConfig
-	if fetcherCfg == nil {
-		fetcherCfg = DefaultFetcherConfig()
-	}
-
 	// Use custom fetcher if provided, otherwise create HTTP fetcher
 	var fetcher Fetcher
 	if cfg.Fetcher != nil {
 		fetcher = cfg.Fetcher
 	} else {
+		fetcherCfg := cfg.FetcherConfig
+		if fetcherCfg == nil {
+			fetcherCfg = DefaultFetcherConfig()
+		}
 		fetcher = NewHTTPFetcher(fetcherCfg)
 	}
 
@@ -77,17 +74,14 @@ func NewService(cfg *ServiceConfig) (*Service, error) {
 		allowHTTP = cfg.FetcherConfig.AllowHTTP
 	}
 
-	maxResponseSize := fetcherCfg.MaxResponseSize
-
 	return &Service{
 		cache:     cfg.Cache,
 		fetcher:   fetcher,
-		processor:       NewImageProcessor(maxResponseSize),
+		processor: NewImageProcessor(),
 		signer:    signer,
 		whitelist: NewHostWhitelist(cfg.Whitelist),
 		log:       log,
 		allowHTTP: allowHTTP,
-		maxResponseSize: maxResponseSize,
 	}, nil
 }
 
@@ -152,40 +146,6 @@ func (s *Service) Get(ctx context.Context, req *ImageRequest) (*ImageResponse, e
 	return response, nil
 }
 
-// loadCachedSource attempts to load source content from cache, returning nil
-// if the cached data is unavailable or exceeds maxResponseSize.
-func (s *Service) loadCachedSource(contentHash ContentHash) []byte {
-	reader, err := s.cache.GetSourceContent(contentHash)
-	if err != nil {
-		s.log.Warn("failed to load cached source, fetching", "error", err)
-
-		return nil
-	}
-
-	// Bound the read to maxResponseSize to prevent unbounded memory use
-	// from unexpectedly large cached files.
-	limited := io.LimitReader(reader, s.maxResponseSize+1)
-	data, err := io.ReadAll(limited)
-	_ = reader.Close()
-
-	if err != nil {
-		s.log.Warn("failed to read cached source, fetching", "error", err)
-
-		return nil
-	}
-
-	if int64(len(data)) > s.maxResponseSize {
-		s.log.Warn("cached source exceeds max response size, discarding",
-			"hash", contentHash,
-			"max_bytes", s.maxResponseSize,
-		)
-
-		return nil
-	}
-
-	return data
-}
-
 // processFromSourceOrFetch processes an image, using cached source content if available.
 func (s *Service) processFromSourceOrFetch(
 	ctx context.Context,
@@ -202,8 +162,22 @@ func (s *Service) processFromSourceOrFetch(
 	var fetchBytes int64
 
 	if contentHash != "" {
+		// We have cached source - load it
 		s.log.Debug("using cached source", "hash", contentHash)
-		sourceData = s.loadCachedSource(contentHash)
+
+		reader, err := s.cache.GetSourceContent(contentHash)
+		if err != nil {
+			s.log.Warn("failed to load cached source, fetching", "error", err)
+			// Fall through to fetch
+		} else {
+			sourceData, err = io.ReadAll(reader)
+			_ = reader.Close()
+
+			if err != nil {
+				s.log.Warn("failed to read cached source, fetching", "error", err)
+				// Fall through to fetch
+			}
+		}
 	}
 
 	// Fetch from upstream if we don't have source data or it's empty

scripts/manual-test.sh

@@ -48,7 +48,7 @@ fi
 
 # Test 3: Wrong password shows error
 echo "--- Test 3: Login with wrong password ---"
-WRONG_LOGIN=$(curl -sf -X POST "$BASE_URL/" -d "key=wrong-key" -c "$COOKIE_JAR")
+WRONG_LOGIN=$(curl -sf -X POST "$BASE_URL/" -d "password=wrong-key" -c "$COOKIE_JAR")
 if echo "$WRONG_LOGIN" | grep -qi "invalid\|error\|incorrect\|wrong"; then
     pass "Wrong password shows error message"
 else
@@ -57,7 +57,7 @@ fi
 
 # Test 4: Correct password redirects to generator
 echo "--- Test 4: Login with correct signing key ---"
-curl -sf -X POST "$BASE_URL/" -d "key=$SIGNING_KEY" -c "$COOKIE_JAR" -b "$COOKIE_JAR" -L -o /dev/null
+curl -sf -X POST "$BASE_URL/" -d "password=$SIGNING_KEY" -c "$COOKIE_JAR" -b "$COOKIE_JAR" -L -o /dev/null
 GENERATOR_PAGE=$(curl -sf "$BASE_URL/" -b "$COOKIE_JAR")
 if echo "$GENERATOR_PAGE" | grep -qi "generate\|url\|source\|logout"; then
     pass "Correct password shows generator page"
@@ -68,12 +68,12 @@ fi
 # Test 5: Generate encrypted URL
 echo "--- Test 5: Generate encrypted URL ---"
 GEN_RESULT=$(curl -sf -X POST "$BASE_URL/generate" -b "$COOKIE_JAR" \
-    -d "url=$TEST_IMAGE_URL" \
+    -d "source_url=$TEST_IMAGE_URL" \
     -d "width=800" \
     -d "height=600" \
     -d "format=jpeg" \
     -d "quality=85" \
-    -d "fit=cover" \
+    -d "fit_mode=cover" \
     -d "ttl=3600")
 if echo "$GEN_RESULT" | grep -q "/v1/e/"; then
     pass "Encrypted URL generated"
@@ -121,10 +121,10 @@ fi
 # Test 9: Generate short-TTL URL and verify expiration
 echo "--- Test 9: Expired URL returns 410 ---"
 # Login again
-curl -sf -X POST "$BASE_URL/" -d "key=$SIGNING_KEY" -c "$COOKIE_JAR" -b "$COOKIE_JAR" -L -o /dev/null
+curl -sf -X POST "$BASE_URL/" -d "password=$SIGNING_KEY" -c "$COOKIE_JAR" -b "$COOKIE_JAR" -L -o /dev/null
 # Generate URL with 1 second TTL
 GEN_RESULT=$(curl -sf -X POST "$BASE_URL/generate" -b "$COOKIE_JAR" \
-    -d "url=$TEST_IMAGE_URL" \
+    -d "source_url=$TEST_IMAGE_URL" \
     -d "width=100" \
     -d "height=100" \
     -d "format=jpeg" \