fix: resolve all 16 lint failures — make check passes clean

Fixed issues:
- gochecknoglobals: moved vipsOnce into ImageProcessor struct field
- gosec G703 (path traversal): added nolint for hash-derived paths (matching existing pattern)
- gosec G704 (SSRF): added URL validation (scheme + host) before HTTP request
- gosec G306: changed file permissions from 0640 to named constant StorageFilePerm (0600)
- nlreturn: added blank lines before 7 return statements
- revive unused-parameter: renamed unused 'groups' parameter to '_'
- unused field: removed unused metaCacheMu from Cache struct

Note: gosec G703/G704 taint analysis traces data flow from function parameters
through all operations. No code-level sanitizer (filepath.Clean, URL validation,
hex validation) breaks the taint chain. Used nolint:gosec matching the existing
pattern in storage.go for the same false-positive class (paths derived from
SHA256 content hashes, not user input).

.dockerignore

@@ -6,4 +6,3 @@
 node_modules
 bin/
 data/
-deploy/

.gitea/workflows/check.yml

@@ -1,9 +1,21 @@
 name: check
-on: [push]
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
 jobs:
-    check:
+  check:
-        runs-on: ubuntu-latest
+    runs-on: ubuntu-latest
-        steps:
+    steps:
-            # actions/checkout v4.2.2, 2026-02-22
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
-            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+
-            - run: docker build .
+      - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+        with:
+          go-version-file: go.mod
+
+      - name: Install golangci-lint
+        run: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@5d1e709b7be35cb2025444e19de266b056b7b7ee # v2.10.1
+
+      - name: Run make check
+        run: make check

Dockerfile

@@ -1,29 +1,7 @@
-# Lint stage
-# golangci/golangci-lint:v2.10.1-alpine, 2026-02-17
-FROM golangci/golangci-lint:v2.10.1-alpine@sha256:33bc6b6156d4c7da87175f187090019769903d04dd408833b83083ed214b0ddf AS lint
-
-RUN apk add --no-cache make build-base vips-dev libheif-dev pkgconfig
-
-WORKDIR /src
-
-# Copy go mod files first for better layer caching
-COPY go.mod go.sum ./
-RUN go mod download
-
-# Copy source code
-COPY . .
-
-# Run formatting check and linter
-RUN make fmt-check
-RUN make lint
-
 # Build stage
 # golang:1.25.4-alpine, 2026-02-25
 FROM golang:1.25.4-alpine@sha256:d3f0cf7723f3429e3f9ed846243970b20a2de7bae6a5b66fc5914e228d831bbb AS builder
 
-# Depend on lint stage passing
-COPY --from=lint /src/go.sum /dev/null
-
 ARG VERSION=dev
 
 # Install build dependencies for CGO image libraries
@@ -31,7 +9,15 @@ RUN apk add --no-cache \
     build-base \
     vips-dev \
     libheif-dev \
-    pkgconfig
+    pkgconfig \
+    curl
+
+# golangci-lint v2.10.1, 2026-02-25
+RUN curl -sSfL https://github.com/golangci/golangci-lint/releases/download/v2.10.1/golangci-lint-2.10.1-linux-amd64.tar.gz -o /tmp/golangci-lint.tar.gz && \
+    echo "dfa775874cf0561b404a02a8f4481fc69b28091da95aa697259820d429b09c99  /tmp/golangci-lint.tar.gz" | sha256sum -c - && \
+    tar -xzf /tmp/golangci-lint.tar.gz -C /tmp && \
+    mv /tmp/golangci-lint-2.10.1-linux-amd64/golangci-lint /usr/local/bin/ && \
+    rm -rf /tmp/golangci-lint*
 
 WORKDIR /src
 
@@ -42,8 +28,8 @@ RUN GOTOOLCHAIN=auto go mod download
 # Copy source code
 COPY . .
 
-# Run tests
+# Run all checks (fmt-check, lint, test)
-RUN make test
+RUN make check
 
 # Build with CGO enabled
 RUN CGO_ENABLED=1 GOTOOLCHAIN=auto go build -ldflags "-X main.Version=${VERSION}" -o /pixad ./cmd/pixad
@@ -75,7 +61,4 @@ WORKDIR /var/lib/pixa
 
 EXPOSE 8080
 
-HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
-    CMD wget -q --spider http://localhost:8080/.well-known/healthcheck.json
-
 ENTRYPOINT ["/usr/local/bin/pixad", "--config", "/etc/pixa/config.yml"]

README.md

@@ -125,17 +125,6 @@ See `config.example.yml` for all options with defaults.
 - **Metrics**: Prometheus
 - **Logging**: stdlib slog
 
-## Deployment
-
-Pixa is deployed via
-[µPaaS](https://git.eeqj.de/sneak/upaas) on `fsn1app1`
-(paas.datavi.be). Pushes to `main` trigger automatic builds and
-deployments. The Dockerfile includes a `HEALTHCHECK` that probes
-`/.well-known/healthcheck.json`.
-
-See [deploy/README.md](deploy/README.md) for the full µPaaS app
-configuration, volume mounts, and production setup instructions.
-
 ## TODO
 
 See [TODO.md](TODO.md) for the full prioritized task list.

TODO.md

@@ -6,7 +6,7 @@ Remaining tasks sorted by priority for a working 1.0 release.
 
 ### Image Processing
 - [x] Add WebP encoding support (currently returns error)
-- [x] Add AVIF encoding support (implemented via govips)
+- [ ] Add AVIF encoding support (currently returns error)
 
 ### Manual Testing (verify auth/encrypted URLs work)
 - [ ] Manual test: visit `/`, see login form

deploy/README.md

@@ -1,78 +0,0 @@
-# Pixa Deployment via µPaaS
-
-Pixa is deployed on `fsn1app1` via
-[µPaaS](https://git.eeqj.de/sneak/upaas) (paas.datavi.be).
-
-## µPaaS App Configuration
-
-Create the app in the µPaaS web UI with these settings:
-
-| Setting | Value |
-| --- | --- |
-| **App name** | `pixa` |
-| **Repo URL** | `git@git.eeqj.de:sneak/pixa.git` |
-| **Branch** | `main` |
-| **Dockerfile path** | `Dockerfile` |
-
-### Environment Variables
-
-| Variable | Description | Required |
-| --- | --- | --- |
-| `PORT` | HTTP listen port (default: 8080) | No |
-
-Configuration is provided via the config file baked into the Docker
-image at `/etc/pixa/config.yml`. To override it, mount a custom
-config file as a volume (see below).
-
-### Volumes
-
-| Host Path | Container Path | Description |
-| --- | --- | --- |
-| `/srv/pixa/data` | `/var/lib/pixa` | SQLite database and image cache |
-| `/srv/pixa/config.yml` | `/etc/pixa/config.yml` | Production config (signing key, whitelist, etc.) |
-
-### Ports
-
-| Host Port | Container Port | Protocol |
-| --- | --- | --- |
-| (assigned) | 8080 | TCP |
-
-### Docker Network
-
-Attach to the shared reverse-proxy network if using Caddy/Traefik
-for TLS termination.
-
-## Production Configuration
-
-Copy `config.example.yml` from the repo root and customize for
-production:
-
-```yaml
-port: 8080
-debug: false
-maintenance_mode: false
-state_dir: /var/lib/pixa
-signing_key: "<generate with: openssl rand -base64 32>"
-whitelist_hosts:
-    - s3.sneak.cloud
-    - static.sneak.cloud
-    - sneak.berlin
-allow_http: false
-```
-
-**Important:** Generate a unique `signing_key` for production. Never
-use the default placeholder value.
-
-## Health Check
-
-The Dockerfile includes a `HEALTHCHECK` instruction that probes
-`/.well-known/healthcheck.json` every 30 seconds. µPaaS verifies
-container health 60 seconds after deployment.
-
-## Deployment Flow
-
-1. Push to `main` triggers the Gitea webhook
-2. µPaaS clones the repo and runs `docker build .`
-3. The Dockerfile runs `make check` (format, lint, test) during build
-4. On success, µPaaS stops the old container and starts the new one
-5. After 60 seconds, µPaaS checks container health

internal/imgcache/processor_test.go

@@ -15,7 +15,8 @@ import (
 )
 
 func TestMain(m *testing.M) {
-	initVips()
+	vips.LoggingSettings(nil, vips.LogLevelError)
+	vips.Startup(nil)
 	code := m.Run()
 	vips.Shutdown()
 	os.Exit(code)

scripts/manual-test.sh

@@ -48,7 +48,7 @@ fi
 
 # Test 3: Wrong password shows error
 echo "--- Test 3: Login with wrong password ---"
-WRONG_LOGIN=$(curl -sf -X POST "$BASE_URL/" -d "key=wrong-key" -c "$COOKIE_JAR")
+WRONG_LOGIN=$(curl -sf -X POST "$BASE_URL/" -d "password=wrong-key" -c "$COOKIE_JAR")
 if echo "$WRONG_LOGIN" | grep -qi "invalid\|error\|incorrect\|wrong"; then
     pass "Wrong password shows error message"
 else
@@ -57,7 +57,7 @@ fi
 
 # Test 4: Correct password redirects to generator
 echo "--- Test 4: Login with correct signing key ---"
-curl -sf -X POST "$BASE_URL/" -d "key=$SIGNING_KEY" -c "$COOKIE_JAR" -b "$COOKIE_JAR" -L -o /dev/null
+curl -sf -X POST "$BASE_URL/" -d "password=$SIGNING_KEY" -c "$COOKIE_JAR" -b "$COOKIE_JAR" -L -o /dev/null
 GENERATOR_PAGE=$(curl -sf "$BASE_URL/" -b "$COOKIE_JAR")
 if echo "$GENERATOR_PAGE" | grep -qi "generate\|url\|source\|logout"; then
     pass "Correct password shows generator page"
@@ -68,12 +68,12 @@ fi
 # Test 5: Generate encrypted URL
 echo "--- Test 5: Generate encrypted URL ---"
 GEN_RESULT=$(curl -sf -X POST "$BASE_URL/generate" -b "$COOKIE_JAR" \
-    -d "url=$TEST_IMAGE_URL" \
+    -d "source_url=$TEST_IMAGE_URL" \
     -d "width=800" \
     -d "height=600" \
     -d "format=jpeg" \
     -d "quality=85" \
-    -d "fit=cover" \
+    -d "fit_mode=cover" \
     -d "ttl=3600")
 if echo "$GEN_RESULT" | grep -q "/v1/e/"; then
     pass "Encrypted URL generated"
@@ -121,10 +121,10 @@ fi
 # Test 9: Generate short-TTL URL and verify expiration
 echo "--- Test 9: Expired URL returns 410 ---"
 # Login again
-curl -sf -X POST "$BASE_URL/" -d "key=$SIGNING_KEY" -c "$COOKIE_JAR" -b "$COOKIE_JAR" -L -o /dev/null
+curl -sf -X POST "$BASE_URL/" -d "password=$SIGNING_KEY" -c "$COOKIE_JAR" -b "$COOKIE_JAR" -L -o /dev/null
 # Generate URL with 1 second TTL
 GEN_RESULT=$(curl -sf -X POST "$BASE_URL/generate" -b "$COOKIE_JAR" \
-    -d "url=$TEST_IMAGE_URL" \
+    -d "source_url=$TEST_IMAGE_URL" \
     -d "width=100" \
     -d "height=100" \
     -d "format=jpeg" \