Merge branch 'main' into feature/migrations-table-schema-file

Closes #27

Signatures are per-URL only — this PR adds explicit tests and documentation enforcing that HMAC-SHA256 signatures verify against exact URLs only. No suffix matching, wildcard matching, or partial matching is supported.

## What this does NOT touch

**The host whitelist code (`whitelist.go`) is not modified.** This PR is exclusively about signature verification, per sneak's instructions on [issue #27](#27), [PR #32](#32), and [PR #35](#35).

## Changes

### `internal/imgcache/signature.go`
- Added documentation comments on `Verify()` and `buildSignatureData()` explicitly specifying that signatures are exact-match only — no suffix, wildcard, or partial matching

### `internal/imgcache/signature_test.go`
- **`TestSigner_Verify_ExactMatchOnly`**: 14 tamper cases verifying that modifying any signed component (host, path, query, dimensions, format) causes verification to fail. Host-specific cases include:
  - Parent domain (`example.com`) does not match subdomain signature (`cdn.example.com`)
  - Sibling subdomain (`images.example.com`) does not match
  - Deeper subdomain (`images.cdn.example.com`) does not match
  - Evil suffix domain (`cdn.example.com.evil.com`) does not match
  - Prefixed host (`evilcdn.example.com`) does not match
- **`TestSigner_Sign_ExactHostInData`**: Verifies that suffix-related hosts (`cdn.example.com`, `example.com`, `images.example.com`, etc.) all produce distinct signatures

### `internal/imgcache/service_test.go`
- **`TestService_ValidateRequest_SignatureExactHostMatch`**: Integration test through `ValidateRequest` verifying that a valid signature for `cdn.example.com` is rejected when presented with a different host (parent domain, sibling subdomain, deeper subdomain, evil suffix, prefixed host)

### `README.md`
- Updated Signature Specification section to explicitly document exact-match-only semantics

Co-authored-by: user <user@Mac.lan guest wan>
Reviewed-on: #40
Co-authored-by: clawbot <clawbot@noreply.example.org>
Co-committed-by: clawbot <clawbot@noreply.example.org>

.dockerignore

@@ -6,4 +6,3 @@
 node_modules
 bin/
 data/
-deploy/

Dockerfile

@@ -75,7 +75,4 @@ WORKDIR /var/lib/pixa
 
 EXPOSE 8080
 
-HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
-    CMD wget -q --spider http://localhost:8080/.well-known/healthcheck.json
-
 ENTRYPOINT ["/usr/local/bin/pixad", "--config", "/etc/pixa/config.yml"]

README.md

@@ -67,7 +67,10 @@ hosts require an HMAC-SHA256 signature.
 #### Signature Specification
 
 Signatures use HMAC-SHA256 and include an expiration timestamp to
-prevent replay attacks.
+prevent replay attacks. Signatures are **exact match only**: every
+component (host, path, query, dimensions, format, expiration) must
+match exactly what was signed. No suffix matching, wildcard matching,
+or partial matching is supported.
 
 **Signed data format** (colon-separated):
 
@@ -125,17 +128,6 @@ See `config.example.yml` for all options with defaults.
 - **Metrics**: Prometheus
 - **Logging**: stdlib slog
 
-## Deployment
-
-Pixa is deployed via
-[µPaaS](https://git.eeqj.de/sneak/upaas) on `fsn1app1`
-(paas.datavi.be). Pushes to `main` trigger automatic builds and
-deployments. The Dockerfile includes a `HEALTHCHECK` that probes
-`/.well-known/healthcheck.json`.
-
-See [deploy/README.md](deploy/README.md) for the full µPaaS app
-configuration, volume mounts, and production setup instructions.
-
 ## TODO
 
 See [TODO.md](TODO.md) for the full prioritized task list.

cmd/pixad/main.go

@@ -17,10 +17,7 @@ import (
 	"sneak.berlin/go/pixa/internal/server"
 )
 
-var (
-	Appname = "pixad" //nolint:gochecknoglobals // set by ldflags
-	Version string    //nolint:gochecknoglobals // set by ldflags
-)
+var Version string //nolint:gochecknoglobals // set by ldflags
 
 var configPath string //nolint:gochecknoglobals // cobra flag
 
@@ -40,7 +37,6 @@ func main() {
 }
 
 func run(_ *cobra.Command, _ []string) {
-	globals.Appname = Appname
 	globals.Version = Version
 
 	// Set config path in environment if specified via flag

deploy/README.md

@@ -1,78 +0,0 @@
-# Pixa Deployment via µPaaS
-
-Pixa is deployed on `fsn1app1` via
-[µPaaS](https://git.eeqj.de/sneak/upaas) (paas.datavi.be).
-
-## µPaaS App Configuration
-
-Create the app in the µPaaS web UI with these settings:
-
-| Setting | Value |
-| --- | --- |
-| **App name** | `pixa` |
-| **Repo URL** | `git@git.eeqj.de:sneak/pixa.git` |
-| **Branch** | `main` |
-| **Dockerfile path** | `Dockerfile` |
-
-### Environment Variables
-
-| Variable | Description | Required |
-| --- | --- | --- |
-| `PORT` | HTTP listen port (default: 8080) | No |
-
-Configuration is provided via the config file baked into the Docker
-image at `/etc/pixa/config.yml`. To override it, mount a custom
-config file as a volume (see below).
-
-### Volumes
-
-| Host Path | Container Path | Description |
-| --- | --- | --- |
-| `/srv/pixa/data` | `/var/lib/pixa` | SQLite database and image cache |
-| `/srv/pixa/config.yml` | `/etc/pixa/config.yml` | Production config (signing key, whitelist, etc.) |
-
-### Ports
-
-| Host Port | Container Port | Protocol |
-| --- | --- | --- |
-| (assigned) | 8080 | TCP |
-
-### Docker Network
-
-Attach to the shared reverse-proxy network if using Caddy/Traefik
-for TLS termination.
-
-## Production Configuration
-
-Copy `config.example.yml` from the repo root and customize for
-production:
-
-```yaml
-port: 8080
-debug: false
-maintenance_mode: false
-state_dir: /var/lib/pixa
-signing_key: "<generate with: openssl rand -base64 32>"
-whitelist_hosts:
-    - s3.sneak.cloud
-    - static.sneak.cloud
-    - sneak.berlin
-allow_http: false
-```
-
-**Important:** Generate a unique `signing_key` for production. Never
-use the default placeholder value.
-
-## Health Check
-
-The Dockerfile includes a `HEALTHCHECK` instruction that probes
-`/.well-known/healthcheck.json` every 30 seconds. µPaaS verifies
-container health 60 seconds after deployment.
-
-## Deployment Flow
-
-1. Push to `main` triggers the Gitea webhook
-2. µPaaS clones the repo and runs `docker build .`
-3. The Dockerfile runs `make check` (format, lint, test) during build
-4. On success, µPaaS stops the old container and starts the new one
-5. After 60 seconds, µPaaS checks container health

internal/database/database.go

@@ -9,6 +9,7 @@ import (
 	"log/slog"
 	"path/filepath"
 	"sort"
+	"strconv"
 	"strings"
 
 	"go.uber.org/fx"
@@ -21,6 +22,10 @@ import (
 //go:embed schema/*.sql
 var schemaFS embed.FS
 
+// bootstrapVersion is the migration that creates the schema_migrations
+// table itself. It is applied before the normal migration loop.
+const bootstrapVersion = 0
+
 // Params defines dependencies for Database.
 type Params struct {
 	fx.In
@@ -35,6 +40,46 @@ type Database struct {
 	config *config.Config
 }
 
+// ParseMigrationVersion extracts the numeric version prefix from a migration
+// filename. Filenames must follow the pattern "<version>.sql" or
+// "<version>_<description>.sql", where version is a zero-padded numeric
+// string (e.g. "001", "002"). Returns the version as an integer and an
+// error if the filename does not match the expected pattern.
+func ParseMigrationVersion(filename string) (int, error) {
+	name := strings.TrimSuffix(filename, filepath.Ext(filename))
+	if name == "" {
+		return 0, fmt.Errorf("invalid migration filename %q: empty name", filename)
+	}
+
+	// Split on underscore to separate version from description.
+	// If there's no underscore, the entire stem is the version.
+	versionStr := name
+	if idx := strings.IndexByte(name, '_'); idx >= 0 {
+		versionStr = name[:idx]
+	}
+
+	if versionStr == "" {
+		return 0, fmt.Errorf("invalid migration filename %q: empty version prefix", filename)
+	}
+
+	// Validate the version is purely numeric.
+	for _, ch := range versionStr {
+		if ch < '0' || ch > '9' {
+			return 0, fmt.Errorf(
+				"invalid migration filename %q: version %q contains non-numeric character %q",
+				filename, versionStr, string(ch),
+			)
+		}
+	}
+
+	version, err := strconv.Atoi(versionStr)
+	if err != nil {
+		return 0, fmt.Errorf("invalid migration filename %q: %w", filename, err)
+	}
+
+	return version, nil
+}
+
 // New creates a new Database instance.
 func New(lc fx.Lifecycle, params Params) (*Database, error) {
 	s := &Database{
@@ -84,127 +129,86 @@ func (s *Database) connect(ctx context.Context) error {
 	s.db = db
 	s.log.Info("database connected")
 
-	return s.runMigrations(ctx)
+	return ApplyMigrations(ctx, s.db, s.log)
 }
 
-func (s *Database) runMigrations(ctx context.Context) error {
-	// Create migrations tracking table
-	_, err := s.db.ExecContext(ctx, `
-		CREATE TABLE IF NOT EXISTS schema_migrations (
-			version TEXT PRIMARY KEY,
-			applied_at DATETIME DEFAULT CURRENT_TIMESTAMP
-		)
-	`)
-	if err != nil {
-		return fmt.Errorf("failed to create migrations table: %w", err)
-	}
-
-	// Get list of migration files
+// collectMigrations reads the embedded schema directory and returns
+// migration filenames sorted lexicographically.
+func collectMigrations() ([]string, error) {
 	entries, err := schemaFS.ReadDir("schema")
 	if err != nil {
-		return fmt.Errorf("failed to read schema directory: %w", err)
+		return nil, fmt.Errorf("failed to read schema directory: %w", err)
 	}
 
-	// Sort migration files by name (001.sql, 002.sql, etc.)
 	var migrations []string
+
 	for _, entry := range entries {
 		if !entry.IsDir() && strings.HasSuffix(entry.Name(), ".sql") {
 			migrations = append(migrations, entry.Name())
 		}
 	}
+
 	sort.Strings(migrations)
 
-	// Apply each migration that hasn't been applied yet
-	for _, migration := range migrations {
-		version := strings.TrimSuffix(migration, filepath.Ext(migration))
+	return migrations, nil
+}
 
-		// Check if already applied
-		var count int
-		err := s.db.QueryRowContext(ctx,
-			"SELECT COUNT(*) FROM schema_migrations WHERE version = ?",
-			version,
-		).Scan(&count)
-		if err != nil {
-			return fmt.Errorf("failed to check migration status: %w", err)
-		}
+// bootstrapMigrationsTable ensures the schema_migrations table exists
+// by applying 000.sql if the table is missing.
+func bootstrapMigrationsTable(ctx context.Context, db *sql.DB, log *slog.Logger) error {
+	var tableExists int
 
-		if count > 0 {
-			s.log.Debug("migration already applied", "version", version)
+	err := db.QueryRowContext(ctx,
+		"SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name='schema_migrations'",
+	).Scan(&tableExists)
+	if err != nil {
+		return fmt.Errorf("failed to check for migrations table: %w", err)
+	}
 
-			continue
-		}
+	if tableExists > 0 {
+		return nil
+	}
 
-		// Read and apply migration
-		content, err := schemaFS.ReadFile(filepath.Join("schema", migration))
-		if err != nil {
-			return fmt.Errorf("failed to read migration %s: %w", migration, err)
-		}
+	content, err := schemaFS.ReadFile("schema/000.sql")
+	if err != nil {
+		return fmt.Errorf("failed to read bootstrap migration 000.sql: %w", err)
+	}
 
-		s.log.Info("applying migration", "version", version)
+	if log != nil {
+		log.Info("applying bootstrap migration", "version", bootstrapVersion)
+	}
 
-		_, err = s.db.ExecContext(ctx, string(content))
-		if err != nil {
-			return fmt.Errorf("failed to apply migration %s: %w", migration, err)
-		}
-
-		// Record migration as applied
-		_, err = s.db.ExecContext(ctx,
-			"INSERT INTO schema_migrations (version) VALUES (?)",
-			version,
-		)
-		if err != nil {
-			return fmt.Errorf("failed to record migration %s: %w", migration, err)
-		}
-
-		s.log.Info("migration applied successfully", "version", version)
+	_, err = db.ExecContext(ctx, string(content))
+	if err != nil {
+		return fmt.Errorf("failed to apply bootstrap migration: %w", err)
 	}
 
 	return nil
 }
 
-// DB returns the underlying sql.DB.
-func (s *Database) DB() *sql.DB {
-	return s.db
-}
+// ApplyMigrations applies all pending migrations to db. An optional logger
+// may be provided for informational output; pass nil for silent operation.
+// This is exported so tests can apply the real schema without the full fx
+// lifecycle.
+func ApplyMigrations(ctx context.Context, db *sql.DB, log *slog.Logger) error {
+	if err := bootstrapMigrationsTable(ctx, db, log); err != nil {
+		return err
+	}
 
-// ApplyMigrations applies all migrations to the given database.
-// This is useful for testing where you want to use the real schema
-// without the full fx lifecycle.
-func ApplyMigrations(db *sql.DB) error {
-	ctx := context.Background()
-
-	// Create migrations tracking table
-	_, err := db.ExecContext(ctx, `
-		CREATE TABLE IF NOT EXISTS schema_migrations (
-			version TEXT PRIMARY KEY,
-			applied_at DATETIME DEFAULT CURRENT_TIMESTAMP
-		)
-	`)
+	migrations, err := collectMigrations()
 	if err != nil {
-		return fmt.Errorf("failed to create migrations table: %w", err)
+		return err
 	}
 
-	// Get list of migration files
-	entries, err := schemaFS.ReadDir("schema")
-	if err != nil {
-		return fmt.Errorf("failed to read schema directory: %w", err)
-	}
-
-	// Sort migration files by name (001.sql, 002.sql, etc.)
-	var migrations []string
-	for _, entry := range entries {
-		if !entry.IsDir() && strings.HasSuffix(entry.Name(), ".sql") {
-			migrations = append(migrations, entry.Name())
-		}
-	}
-	sort.Strings(migrations)
-
-	// Apply each migration that hasn't been applied yet
 	for _, migration := range migrations {
-		version := strings.TrimSuffix(migration, filepath.Ext(migration))
+		version, parseErr := ParseMigrationVersion(migration)
+		if parseErr != nil {
+			return parseErr
+		}
 
-		// Check if already applied
+		// Check if already applied.
 		var count int
+
 		err := db.QueryRowContext(ctx,
 			"SELECT COUNT(*) FROM schema_migrations WHERE version = ?",
 			version,
@@ -214,29 +218,46 @@ func ApplyMigrations(db *sql.DB) error {
 		}
 
 		if count > 0 {
+			if log != nil {
+				log.Debug("migration already applied", "version", version)
+			}
+
 			continue
 		}
 
-		// Read and apply migration
-		content, err := schemaFS.ReadFile(filepath.Join("schema", migration))
-		if err != nil {
-			return fmt.Errorf("failed to read migration %s: %w", migration, err)
+		// Read and apply migration.
+		content, readErr := schemaFS.ReadFile(filepath.Join("schema", migration))
+		if readErr != nil {
+			return fmt.Errorf("failed to read migration %s: %w", migration, readErr)
 		}
 
-		_, err = db.ExecContext(ctx, string(content))
-		if err != nil {
-			return fmt.Errorf("failed to apply migration %s: %w", migration, err)
+		if log != nil {
+			log.Info("applying migration", "version", version)
 		}
 
-		// Record migration as applied
-		_, err = db.ExecContext(ctx,
+		_, execErr := db.ExecContext(ctx, string(content))
+		if execErr != nil {
+			return fmt.Errorf("failed to apply migration %s: %w", migration, execErr)
+		}
+
+		// Record migration as applied.
+		_, recErr := db.ExecContext(ctx,
 			"INSERT INTO schema_migrations (version) VALUES (?)",
 			version,
 		)
-		if err != nil {
-			return fmt.Errorf("failed to record migration %s: %w", migration, err)
+		if recErr != nil {
+			return fmt.Errorf("failed to record migration %s: %w", migration, recErr)
+		}
+
+		if log != nil {
+			log.Info("migration applied successfully", "version", version)
 		}
 	}
 
 	return nil
 }
+
+// DB returns the underlying sql.DB.
+func (s *Database) DB() *sql.DB {
+	return s.db
+}

internal/database/database_test.go

@@ -0,0 +1,224 @@
+package database
+
+import (
+	"context"
+	"database/sql"
+	"testing"
+
+	_ "modernc.org/sqlite" // SQLite driver registration
+)
+
+// openTestDB returns a fresh in-memory SQLite database.
+func openTestDB(t *testing.T) *sql.DB {
+	t.Helper()
+
+	db, err := sql.Open("sqlite", ":memory:")
+	if err != nil {
+		t.Fatalf("failed to open test db: %v", err)
+	}
+
+	t.Cleanup(func() { db.Close() })
+
+	return db
+}
+
+func TestParseMigrationVersion(t *testing.T) {
+	tests := []struct {
+		name     string
+		filename string
+		want     int
+		wantErr  bool
+	}{
+		{
+			name:     "version only",
+			filename: "001.sql",
+			want:     1,
+		},
+		{
+			name:     "version with description",
+			filename: "001_initial_schema.sql",
+			want:     1,
+		},
+		{
+			name:     "multi-digit version",
+			filename: "042_add_indexes.sql",
+			want:     42,
+		},
+		{
+			name:     "long version number",
+			filename: "00001_long_prefix.sql",
+			want:     1,
+		},
+		{
+			name:     "description with multiple underscores",
+			filename: "003_add_user_auth_tables.sql",
+			want:     3,
+		},
+		{
+			name:     "empty filename",
+			filename: ".sql",
+			wantErr:  true,
+		},
+		{
+			name:     "leading underscore",
+			filename: "_description.sql",
+			wantErr:  true,
+		},
+		{
+			name:     "non-numeric version",
+			filename: "abc_migration.sql",
+			wantErr:  true,
+		},
+		{
+			name:     "mixed alphanumeric version",
+			filename: "001a_migration.sql",
+			wantErr:  true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := ParseMigrationVersion(tt.filename)
+			if tt.wantErr {
+				if err == nil {
+					t.Errorf("ParseMigrationVersion(%q) expected error, got %d", tt.filename, got)
+				}
+
+				return
+			}
+
+			if err != nil {
+				t.Errorf("ParseMigrationVersion(%q) unexpected error: %v", tt.filename, err)
+
+				return
+			}
+
+			if got != tt.want {
+				t.Errorf("ParseMigrationVersion(%q) = %d, want %d", tt.filename, got, tt.want)
+			}
+		})
+	}
+}
+
+func TestApplyMigrations_CreatesSchemaAndTables(t *testing.T) {
+	db := openTestDB(t)
+	ctx := context.Background()
+
+	if err := ApplyMigrations(ctx, db, nil); err != nil {
+		t.Fatalf("ApplyMigrations failed: %v", err)
+	}
+
+	// The schema_migrations table must exist and contain at least
+	// version 0 (the bootstrap) and 1 (the initial schema).
+	rows, err := db.Query("SELECT version FROM schema_migrations ORDER BY version")
+	if err != nil {
+		t.Fatalf("failed to query schema_migrations: %v", err)
+	}
+	defer rows.Close()
+
+	var versions []int
+	for rows.Next() {
+		var v int
+		if err := rows.Scan(&v); err != nil {
+			t.Fatalf("failed to scan version: %v", err)
+		}
+
+		versions = append(versions, v)
+	}
+
+	if err := rows.Err(); err != nil {
+		t.Fatalf("row iteration error: %v", err)
+	}
+
+	if len(versions) < 2 {
+		t.Fatalf("expected at least 2 migrations recorded, got %d: %v", len(versions), versions)
+	}
+
+	if versions[0] != 0 {
+		t.Errorf("first recorded migration = %d, want %d", versions[0], 0)
+	}
+
+	if versions[1] != 1 {
+		t.Errorf("second recorded migration = %d, want %d", versions[1], 1)
+	}
+
+	// Verify that the application tables created by 001.sql exist.
+	for _, table := range []string{"source_content", "source_metadata", "output_content", "request_cache", "negative_cache", "cache_stats"} {
+		var count int
+
+		err := db.QueryRow(
+			"SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name=?",
+			table,
+		).Scan(&count)
+		if err != nil {
+			t.Fatalf("failed to check for table %s: %v", table, err)
+		}
+
+		if count != 1 {
+			t.Errorf("table %s does not exist after migrations", table)
+		}
+	}
+}
+
+func TestApplyMigrations_Idempotent(t *testing.T) {
+	db := openTestDB(t)
+	ctx := context.Background()
+
+	if err := ApplyMigrations(ctx, db, nil); err != nil {
+		t.Fatalf("first ApplyMigrations failed: %v", err)
+	}
+
+	// Running a second time must succeed without errors.
+	if err := ApplyMigrations(ctx, db, nil); err != nil {
+		t.Fatalf("second ApplyMigrations failed: %v", err)
+	}
+
+	// Verify no duplicate rows in schema_migrations.
+	var count int
+
+	err := db.QueryRow("SELECT COUNT(*) FROM schema_migrations WHERE version = 0").Scan(&count)
+	if err != nil {
+		t.Fatalf("failed to count version 0 rows: %v", err)
+	}
+
+	if count != 1 {
+		t.Errorf("expected exactly 1 row for version 0, got %d", count)
+	}
+}
+
+func TestBootstrapMigrationsTable_FreshDatabase(t *testing.T) {
+	db := openTestDB(t)
+	ctx := context.Background()
+
+	if err := bootstrapMigrationsTable(ctx, db, nil); err != nil {
+		t.Fatalf("bootstrapMigrationsTable failed: %v", err)
+	}
+
+	// schema_migrations table must exist.
+	var tableCount int
+
+	err := db.QueryRow(
+		"SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name='schema_migrations'",
+	).Scan(&tableCount)
+	if err != nil {
+		t.Fatalf("failed to check for table: %v", err)
+	}
+
+	if tableCount != 1 {
+		t.Fatalf("schema_migrations table not created")
+	}
+
+	// Version 0 must be recorded.
+	var recorded int
+
+	err = db.QueryRow(
+		"SELECT COUNT(*) FROM schema_migrations WHERE version = 0",
+	).Scan(&recorded)
+	if err != nil {
+		t.Fatalf("failed to check version: %v", err)
+	}
+
+	if recorded != 1 {
+		t.Errorf("expected version 0 to be recorded, got count %d", recorded)
+	}
+}

internal/database/schema/000.sql

@@ -0,0 +1,9 @@
+-- Migration 000: Schema migrations tracking table
+-- Applied as a bootstrap step before the normal migration loop.
+
+CREATE TABLE IF NOT EXISTS schema_migrations (
+    version INTEGER PRIMARY KEY,
+    applied_at DATETIME DEFAULT CURRENT_TIMESTAMP
+);
+
+INSERT OR IGNORE INTO schema_migrations (version) VALUES (0);

internal/globals/globals.go

@@ -5,11 +5,10 @@ import (
 	"go.uber.org/fx"
 )
 
-// Build-time variables populated from main() via ldflags.
-var (
-	Appname string //nolint:gochecknoglobals // set from main
-	Version string //nolint:gochecknoglobals // set from main
-)
+const appname = "pixad"
+
+// Version is populated from main() via ldflags.
+var Version string //nolint:gochecknoglobals // set from main
 
 // Globals holds application-wide constants.
 type Globals struct {
@@ -20,7 +19,7 @@ type Globals struct {
 // New creates a new Globals instance from build-time variables.
 func New(_ fx.Lifecycle) (*Globals, error) {
 	return &Globals{
-		Appname: Appname,
+		Appname: appname,
 		Version: Version,
 	}, nil
 }

internal/handlers/handlers_test.go

@@ -82,7 +82,7 @@ func setupTestDB(t *testing.T) *sql.DB {
 		t.Fatalf("failed to open test db: %v", err)
 	}
 
-	if err := database.ApplyMigrations(db); err != nil {
+	if err := database.ApplyMigrations(context.Background(), db, nil); err != nil {
 		t.Fatalf("failed to apply migrations: %v", err)
 	}
 

internal/imageprocessor/imageprocessor.go

@@ -1,4 +1,5 @@
-package imgcache
+// Package imageprocessor provides image format conversion and resizing using libvips.
+package imageprocessor
 
 import (
 	"bytes"
@@ -22,38 +23,133 @@ func initVips() {
 	})
 }
 
+// Format represents supported output image formats.
+type Format string
+
+// Supported image output formats.
+const (
+	FormatOriginal Format = "orig"
+	FormatJPEG     Format = "jpeg"
+	FormatPNG      Format = "png"
+	FormatWebP     Format = "webp"
+	FormatAVIF     Format = "avif"
+	FormatGIF      Format = "gif"
+)
+
+// FitMode represents how to fit an image into requested dimensions.
+type FitMode string
+
+// Supported image fit modes.
+const (
+	FitCover   FitMode = "cover"
+	FitContain FitMode = "contain"
+	FitFill    FitMode = "fill"
+	FitInside  FitMode = "inside"
+	FitOutside FitMode = "outside"
+)
+
+// ErrInvalidFitMode is returned when an invalid fit mode is provided.
+var ErrInvalidFitMode = errors.New("invalid fit mode")
+
+// Size represents requested image dimensions.
+type Size struct {
+	Width  int
+	Height int
+}
+
+// Request holds the parameters for image processing.
+type Request struct {
+	Size    Size
+	Format  Format
+	Quality int
+	FitMode FitMode
+}
+
+// Result contains the output of image processing.
+type Result struct {
+	// Content is the processed image data.
+	Content io.ReadCloser
+	// ContentLength is the size in bytes.
+	ContentLength int64
+	// ContentType is the MIME type of the output.
+	ContentType string
+	// Width is the output image width.
+	Width int
+	// Height is the output image height.
+	Height int
+	// InputWidth is the original image width before processing.
+	InputWidth int
+	// InputHeight is the original image height before processing.
+	InputHeight int
+	// InputFormat is the detected input format (e.g., "jpeg", "png").
+	InputFormat string
+}
+
 // MaxInputDimension is the maximum allowed width or height for input images.
 // Images larger than this are rejected to prevent DoS via decompression bombs.
 const MaxInputDimension = 8192
 
+// DefaultMaxInputBytes is the default maximum input size in bytes (50 MiB).
+// This matches the default upstream fetcher limit.
+const DefaultMaxInputBytes = 50 << 20
+
 // ErrInputTooLarge is returned when input image dimensions exceed MaxInputDimension.
 var ErrInputTooLarge = errors.New("input image dimensions exceed maximum")
 
+// ErrInputDataTooLarge is returned when the raw input data exceeds the configured byte limit.
+var ErrInputDataTooLarge = errors.New("input data exceeds maximum allowed size")
+
 // ErrUnsupportedOutputFormat is returned when the requested output format is not supported.
 var ErrUnsupportedOutputFormat = errors.New("unsupported output format")
 
-// ImageProcessor implements the Processor interface using libvips via govips.
-type ImageProcessor struct{}
+// ImageProcessor implements image transformation using libvips via govips.
+type ImageProcessor struct {
+	maxInputBytes int64
+}
 
-// NewImageProcessor creates a new image processor.
-func NewImageProcessor() *ImageProcessor {
+// Params holds configuration for creating an ImageProcessor.
+// Zero values use sensible defaults (MaxInputBytes defaults to DefaultMaxInputBytes).
+type Params struct {
+	// MaxInputBytes is the maximum allowed input size in bytes.
+	// If <= 0, DefaultMaxInputBytes is used.
+	MaxInputBytes int64
+}
+
+// New creates a new image processor with the given parameters.
+// A zero-value Params{} uses sensible defaults.
+func New(params Params) *ImageProcessor {
 	initVips()
 
-	return &ImageProcessor{}
+	maxInputBytes := params.MaxInputBytes
+	if maxInputBytes <= 0 {
+		maxInputBytes = DefaultMaxInputBytes
+	}
+
+	return &ImageProcessor{
+		maxInputBytes: maxInputBytes,
+	}
 }
 
 // Process transforms an image according to the request.
 func (p *ImageProcessor) Process(
 	_ context.Context,
 	input io.Reader,
-	req *ImageRequest,
-) (*ProcessResult, error) {
-	// Read input
-	data, err := io.ReadAll(input)
+	req *Request,
+) (*Result, error) {
+	// Read input with a size limit to prevent unbounded memory consumption.
+	// We read at most maxInputBytes+1 so we can detect if the input exceeds
+	// the limit without consuming additional memory.
+	limited := io.LimitReader(input, p.maxInputBytes+1)
+
+	data, err := io.ReadAll(limited)
 	if err != nil {
 		return nil, fmt.Errorf("failed to read input: %w", err)
 	}
 
+	if int64(len(data)) > p.maxInputBytes {
+		return nil, ErrInputDataTooLarge
+	}
+
 	// Decode image
 	img, err := vips.NewImageFromBuffer(data)
 	if err != nil {
@@ -109,10 +205,10 @@ func (p *ImageProcessor) Process(
 		return nil, fmt.Errorf("failed to encode: %w", err)
 	}
 
-	return &ProcessResult{
+	return &Result{
 		Content:       io.NopCloser(bytes.NewReader(output)),
 		ContentLength: int64(len(output)),
-		ContentType:   ImageFormatToMIME(outputFormat),
+		ContentType:   FormatToMIME(outputFormat),
 		Width:         img.Width(),
 		Height:        img.Height(),
 		InputWidth:    origWidth,
@@ -124,17 +220,17 @@ func (p *ImageProcessor) Process(
 // SupportedInputFormats returns MIME types this processor can read.
 func (p *ImageProcessor) SupportedInputFormats() []string {
 	return []string{
-		string(MIMETypeJPEG),
-		string(MIMETypePNG),
-		string(MIMETypeGIF),
-		string(MIMETypeWebP),
-		string(MIMETypeAVIF),
+		"image/jpeg",
+		"image/png",
+		"image/gif",
+		"image/webp",
+		"image/avif",
 	}
 }
 
 // SupportedOutputFormats returns formats this processor can write.
-func (p *ImageProcessor) SupportedOutputFormats() []ImageFormat {
-	return []ImageFormat{
+func (p *ImageProcessor) SupportedOutputFormats() []Format {
+	return []Format{
 		FormatJPEG,
 		FormatPNG,
 		FormatGIF,
@@ -143,6 +239,24 @@ func (p *ImageProcessor) SupportedOutputFormats() []ImageFormat {
 	}
 }
 
+// FormatToMIME converts a Format to its MIME type string.
+func FormatToMIME(format Format) string {
+	switch format {
+	case FormatJPEG:
+		return "image/jpeg"
+	case FormatPNG:
+		return "image/png"
+	case FormatWebP:
+		return "image/webp"
+	case FormatGIF:
+		return "image/gif"
+	case FormatAVIF:
+		return "image/avif"
+	default:
+		return "application/octet-stream"
+	}
+}
+
 // detectFormat returns the format string from a vips image.
 func (p *ImageProcessor) detectFormat(img *vips.ImageRef) string {
 	format := img.Format()
@@ -171,7 +285,6 @@ func (p *ImageProcessor) resize(img *vips.ImageRef, width, height int, fit FitMo
 
 	case FitContain:
 		// Resize to fit within dimensions, maintaining aspect ratio
-		// Calculate target dimensions maintaining aspect ratio
 		imgW, imgH := img.Width(), img.Height()
 		scaleW := float64(width) / float64(imgW)
 		scaleH := float64(height) / float64(imgH)
@@ -182,7 +295,7 @@ func (p *ImageProcessor) resize(img *vips.ImageRef, width, height int, fit FitMo
 		return img.Thumbnail(newW, newH, vips.InterestingNone)
 
 	case FitFill:
-		// Resize to exact dimensions (may distort) - use ThumbnailWithSize with Force
+		// Resize to exact dimensions (may distort)
 		return img.ThumbnailWithSize(width, height, vips.InterestingNone, vips.SizeForce)
 
 	case FitInside:
@@ -218,7 +331,7 @@ func (p *ImageProcessor) resize(img *vips.ImageRef, width, height int, fit FitMo
 const defaultQuality = 85
 
 // encode encodes an image to the specified format.
-func (p *ImageProcessor) encode(img *vips.ImageRef, format ImageFormat, quality int) ([]byte, error) {
+func (p *ImageProcessor) encode(img *vips.ImageRef, format Format, quality int) ([]byte, error) {
 	if quality <= 0 {
 		quality = defaultQuality
 	}
@@ -266,8 +379,8 @@ func (p *ImageProcessor) encode(img *vips.ImageRef, format ImageFormat, quality
 	return output, nil
 }
 
-// formatFromString converts a format string to ImageFormat.
-func (p *ImageProcessor) formatFromString(format string) ImageFormat {
+// formatFromString converts a format string to Format.
+func (p *ImageProcessor) formatFromString(format string) Format {
 	switch format {
 	case "jpeg":
 		return FormatJPEG

internal/imageprocessor/imageprocessor_test.go

@@ -1,4 +1,4 @@
-package imgcache
+package imageprocessor
 
 import (
 	"bytes"
@@ -70,13 +70,36 @@ func createTestPNG(t *testing.T, width, height int) []byte {
 	return buf.Bytes()
 }
 
+// detectMIME is a minimal magic-byte detector for test assertions.
+func detectMIME(data []byte) string {
+	if len(data) >= 3 && data[0] == 0xFF && data[1] == 0xD8 && data[2] == 0xFF {
+		return "image/jpeg"
+	}
+	if len(data) >= 8 && string(data[:8]) == "\x89PNG\r\n\x1a\n" {
+		return "image/png"
+	}
+	if len(data) >= 4 && string(data[:4]) == "GIF8" {
+		return "image/gif"
+	}
+	if len(data) >= 12 && string(data[:4]) == "RIFF" && string(data[8:12]) == "WEBP" {
+		return "image/webp"
+	}
+	if len(data) >= 12 && string(data[4:8]) == "ftyp" {
+		brand := string(data[8:12])
+		if brand == "avif" || brand == "avis" {
+			return "image/avif"
+		}
+	}
+	return ""
+}
+
 func TestImageProcessor_ResizeJPEG(t *testing.T) {
-	proc := NewImageProcessor()
+	proc := New(Params{})
 	ctx := context.Background()
 
 	input := createTestJPEG(t, 800, 600)
 
-	req := &ImageRequest{
+	req := &Request{
 		Size:    Size{Width: 400, Height: 300},
 		Format:  FormatJPEG,
 		Quality: 85,
@@ -107,23 +130,19 @@ func TestImageProcessor_ResizeJPEG(t *testing.T) {
 		t.Fatalf("failed to read result: %v", err)
 	}
 
-	mime, err := DetectFormat(data)
-	if err != nil {
-		t.Fatalf("DetectFormat() error = %v", err)
-	}
-
-	if mime != MIMETypeJPEG {
-		t.Errorf("Output format = %v, want %v", mime, MIMETypeJPEG)
+	mime := detectMIME(data)
+	if mime != "image/jpeg" {
+		t.Errorf("Output format = %v, want image/jpeg", mime)
 	}
 }
 
 func TestImageProcessor_ConvertToPNG(t *testing.T) {
-	proc := NewImageProcessor()
+	proc := New(Params{})
 	ctx := context.Background()
 
 	input := createTestJPEG(t, 200, 150)
 
-	req := &ImageRequest{
+	req := &Request{
 		Size:    Size{Width: 200, Height: 150},
 		Format:  FormatPNG,
 		FitMode: FitCover,
@@ -140,23 +159,19 @@ func TestImageProcessor_ConvertToPNG(t *testing.T) {
 		t.Fatalf("failed to read result: %v", err)
 	}
 
-	mime, err := DetectFormat(data)
-	if err != nil {
-		t.Fatalf("DetectFormat() error = %v", err)
-	}
-
-	if mime != MIMETypePNG {
-		t.Errorf("Output format = %v, want %v", mime, MIMETypePNG)
+	mime := detectMIME(data)
+	if mime != "image/png" {
+		t.Errorf("Output format = %v, want image/png", mime)
 	}
 }
 
 func TestImageProcessor_OriginalSize(t *testing.T) {
-	proc := NewImageProcessor()
+	proc := New(Params{})
 	ctx := context.Background()
 
 	input := createTestJPEG(t, 640, 480)
 
-	req := &ImageRequest{
+	req := &Request{
 		Size:    Size{Width: 0, Height: 0}, // Original size
 		Format:  FormatJPEG,
 		Quality: 85,
@@ -179,14 +194,14 @@ func TestImageProcessor_OriginalSize(t *testing.T) {
 }
 
 func TestImageProcessor_FitContain(t *testing.T) {
-	proc := NewImageProcessor()
+	proc := New(Params{})
 	ctx := context.Background()
 
 	// 800x400 image (2:1 aspect) into 400x400 box with contain
 	// Should result in 400x200 (maintaining aspect ratio)
 	input := createTestJPEG(t, 800, 400)
 
-	req := &ImageRequest{
+	req := &Request{
 		Size:    Size{Width: 400, Height: 400},
 		Format:  FormatJPEG,
 		Quality: 85,
@@ -206,14 +221,14 @@ func TestImageProcessor_FitContain(t *testing.T) {
 }
 
 func TestImageProcessor_ProportionalScale_WidthOnly(t *testing.T) {
-	proc := NewImageProcessor()
+	proc := New(Params{})
 	ctx := context.Background()
 
 	// 800x600 image, request width=400 height=0
 	// Should scale proportionally to 400x300
 	input := createTestJPEG(t, 800, 600)
 
-	req := &ImageRequest{
+	req := &Request{
 		Size:    Size{Width: 400, Height: 0},
 		Format:  FormatJPEG,
 		Quality: 85,
@@ -236,14 +251,14 @@ func TestImageProcessor_ProportionalScale_WidthOnly(t *testing.T) {
 }
 
 func TestImageProcessor_ProportionalScale_HeightOnly(t *testing.T) {
-	proc := NewImageProcessor()
+	proc := New(Params{})
 	ctx := context.Background()
 
 	// 800x600 image, request width=0 height=300
 	// Should scale proportionally to 400x300
 	input := createTestJPEG(t, 800, 600)
 
-	req := &ImageRequest{
+	req := &Request{
 		Size:    Size{Width: 0, Height: 300},
 		Format:  FormatJPEG,
 		Quality: 85,
@@ -266,12 +281,12 @@ func TestImageProcessor_ProportionalScale_HeightOnly(t *testing.T) {
 }
 
 func TestImageProcessor_ProcessPNG(t *testing.T) {
-	proc := NewImageProcessor()
+	proc := New(Params{})
 	ctx := context.Background()
 
 	input := createTestPNG(t, 400, 300)
 
-	req := &ImageRequest{
+	req := &Request{
 		Size:    Size{Width: 200, Height: 150},
 		Format:  FormatPNG,
 		FitMode: FitCover,
@@ -292,13 +307,8 @@ func TestImageProcessor_ProcessPNG(t *testing.T) {
 	}
 }
 
-func TestImageProcessor_ImplementsInterface(t *testing.T) {
-	// Verify ImageProcessor implements Processor interface
-	var _ Processor = (*ImageProcessor)(nil)
-}
-
 func TestImageProcessor_SupportedFormats(t *testing.T) {
-	proc := NewImageProcessor()
+	proc := New(Params{})
 
 	inputFormats := proc.SupportedInputFormats()
 	if len(inputFormats) == 0 {
@@ -312,14 +322,14 @@ func TestImageProcessor_SupportedFormats(t *testing.T) {
 }
 
 func TestImageProcessor_RejectsOversizedInput(t *testing.T) {
-	proc := NewImageProcessor()
+	proc := New(Params{})
 	ctx := context.Background()
 
 	// Create an image that exceeds MaxInputDimension (e.g., 10000x100)
 	// This should be rejected before processing to prevent DoS
 	input := createTestJPEG(t, 10000, 100)
 
-	req := &ImageRequest{
+	req := &Request{
 		Size:    Size{Width: 100, Height: 100},
 		Format:  FormatJPEG,
 		Quality: 85,
@@ -337,13 +347,13 @@ func TestImageProcessor_RejectsOversizedInput(t *testing.T) {
 }
 
 func TestImageProcessor_RejectsOversizedInputHeight(t *testing.T) {
-	proc := NewImageProcessor()
+	proc := New(Params{})
 	ctx := context.Background()
 
 	// Create an image with oversized height
 	input := createTestJPEG(t, 100, 10000)
 
-	req := &ImageRequest{
+	req := &Request{
 		Size:    Size{Width: 100, Height: 100},
 		Format:  FormatJPEG,
 		Quality: 85,
@@ -361,14 +371,13 @@ func TestImageProcessor_RejectsOversizedInputHeight(t *testing.T) {
 }
 
 func TestImageProcessor_AcceptsMaxDimensionInput(t *testing.T) {
-	proc := NewImageProcessor()
+	proc := New(Params{})
 	ctx := context.Background()
 
 	// Create an image at exactly MaxInputDimension - should be accepted
-	// Using smaller dimensions to keep test fast
 	input := createTestJPEG(t, MaxInputDimension, 100)
 
-	req := &ImageRequest{
+	req := &Request{
 		Size:    Size{Width: 100, Height: 100},
 		Format:  FormatJPEG,
 		Quality: 85,
@@ -383,12 +392,12 @@ func TestImageProcessor_AcceptsMaxDimensionInput(t *testing.T) {
 }
 
 func TestImageProcessor_EncodeWebP(t *testing.T) {
-	proc := NewImageProcessor()
+	proc := New(Params{})
 	ctx := context.Background()
 
 	input := createTestJPEG(t, 200, 150)
 
-	req := &ImageRequest{
+	req := &Request{
 		Size:    Size{Width: 100, Height: 75},
 		Format:  FormatWebP,
 		Quality: 80,
@@ -407,13 +416,9 @@ func TestImageProcessor_EncodeWebP(t *testing.T) {
 		t.Fatalf("failed to read result: %v", err)
 	}
 
-	mime, err := DetectFormat(data)
-	if err != nil {
-		t.Fatalf("DetectFormat() error = %v", err)
-	}
-
-	if mime != MIMETypeWebP {
-		t.Errorf("Output format = %v, want %v", mime, MIMETypeWebP)
+	mime := detectMIME(data)
+	if mime != "image/webp" {
+		t.Errorf("Output format = %v, want image/webp", mime)
 	}
 
 	// Verify dimensions
@@ -426,7 +431,7 @@ func TestImageProcessor_EncodeWebP(t *testing.T) {
 }
 
 func TestImageProcessor_DecodeAVIF(t *testing.T) {
-	proc := NewImageProcessor()
+	proc := New(Params{})
 	ctx := context.Background()
 
 	// Load test AVIF file
@@ -436,7 +441,7 @@ func TestImageProcessor_DecodeAVIF(t *testing.T) {
 	}
 
 	// Request resize and convert to JPEG
-	req := &ImageRequest{
+	req := &Request{
 		Size:    Size{Width: 2, Height: 2},
 		Format:  FormatJPEG,
 		Quality: 85,
@@ -455,23 +460,84 @@ func TestImageProcessor_DecodeAVIF(t *testing.T) {
 		t.Fatalf("failed to read result: %v", err)
 	}
 
-	mime, err := DetectFormat(data)
-	if err != nil {
-		t.Fatalf("DetectFormat() error = %v", err)
+	mime := detectMIME(data)
+	if mime != "image/jpeg" {
+		t.Errorf("Output format = %v, want image/jpeg", mime)
+	}
+}
+
+func TestImageProcessor_RejectsOversizedInputData(t *testing.T) {
+	// Create a processor with a very small byte limit
+	const limit = 1024
+	proc := New(Params{MaxInputBytes: limit})
+	ctx := context.Background()
+
+	// Create a valid JPEG that exceeds the byte limit
+	input := createTestJPEG(t, 800, 600) // will be well over 1 KiB
+	if int64(len(input)) <= limit {
+		t.Fatalf("test JPEG must exceed %d bytes, got %d", limit, len(input))
 	}
 
-	if mime != MIMETypeJPEG {
-		t.Errorf("Output format = %v, want %v", mime, MIMETypeJPEG)
+	req := &Request{
+		Size:    Size{Width: 100, Height: 75},
+		Format:  FormatJPEG,
+		Quality: 85,
+		FitMode: FitCover,
+	}
+
+	_, err := proc.Process(ctx, bytes.NewReader(input), req)
+	if err == nil {
+		t.Fatal("Process() should reject input exceeding maxInputBytes")
+	}
+
+	if err != ErrInputDataTooLarge {
+		t.Errorf("Process() error = %v, want ErrInputDataTooLarge", err)
+	}
+}
+
+func TestImageProcessor_AcceptsInputWithinLimit(t *testing.T) {
+	// Create a small image and set limit well above its size
+	input := createTestJPEG(t, 10, 10)
+	limit := int64(len(input)) * 10 // 10× headroom
+
+	proc := New(Params{MaxInputBytes: limit})
+	ctx := context.Background()
+
+	req := &Request{
+		Size:    Size{Width: 10, Height: 10},
+		Format:  FormatJPEG,
+		Quality: 85,
+		FitMode: FitCover,
+	}
+
+	result, err := proc.Process(ctx, bytes.NewReader(input), req)
+	if err != nil {
+		t.Fatalf("Process() error = %v, want nil", err)
+	}
+	defer result.Content.Close()
+}
+
+func TestImageProcessor_DefaultMaxInputBytes(t *testing.T) {
+	// Passing 0 should use the default
+	proc := New(Params{})
+	if proc.maxInputBytes != DefaultMaxInputBytes {
+		t.Errorf("maxInputBytes = %d, want %d", proc.maxInputBytes, DefaultMaxInputBytes)
+	}
+
+	// Passing negative should also use the default
+	proc = New(Params{MaxInputBytes: -1})
+	if proc.maxInputBytes != DefaultMaxInputBytes {
+		t.Errorf("maxInputBytes = %d, want %d", proc.maxInputBytes, DefaultMaxInputBytes)
 	}
 }
 
 func TestImageProcessor_EncodeAVIF(t *testing.T) {
-	proc := NewImageProcessor()
+	proc := New(Params{})
 	ctx := context.Background()
 
 	input := createTestJPEG(t, 200, 150)
 
-	req := &ImageRequest{
+	req := &Request{
 		Size:    Size{Width: 100, Height: 75},
 		Format:  FormatAVIF,
 		Quality: 85,
@@ -490,13 +556,9 @@ func TestImageProcessor_EncodeAVIF(t *testing.T) {
 		t.Fatalf("failed to read result: %v", err)
 	}
 
-	mime, err := DetectFormat(data)
-	if err != nil {
-		t.Fatalf("DetectFormat() error = %v", err)
-	}
-
-	if mime != MIMETypeAVIF {
-		t.Errorf("Output format = %v, want %v", mime, MIMETypeAVIF)
+	mime := detectMIME(data)
+	if mime != "image/avif" {
+		t.Errorf("Output format = %v, want image/avif", mime)
 	}
 
 	// Verify dimensions

internal/imgcache/imgcache.go

@@ -199,36 +199,6 @@ type FetchResult struct {
 	TLSCipherSuite string
 }
 
-// Processor handles image transformation (resize, format conversion)
-type Processor interface {
-	// Process transforms an image according to the request
-	Process(ctx context.Context, input io.Reader, req *ImageRequest) (*ProcessResult, error)
-	// SupportedInputFormats returns MIME types this processor can read
-	SupportedInputFormats() []string
-	// SupportedOutputFormats returns formats this processor can write
-	SupportedOutputFormats() []ImageFormat
-}
-
-// ProcessResult contains the result of image processing
-type ProcessResult struct {
-	// Content is the processed image data
-	Content io.ReadCloser
-	// ContentLength is the size in bytes
-	ContentLength int64
-	// ContentType is the MIME type of the output
-	ContentType string
-	// Width is the output image width
-	Width int
-	// Height is the output image height
-	Height int
-	// InputWidth is the original image width before processing
-	InputWidth int
-	// InputHeight is the original image height before processing
-	InputHeight int
-	// InputFormat is the detected input format (e.g., "jpeg", "png")
-	InputFormat string
-}
-
 // Storage handles persistent storage of cached content
 type Storage interface {
 	// Store saves content and returns its hash

internal/imgcache/service.go

@@ -11,17 +11,19 @@ import (
 	"time"
 
 	"github.com/dustin/go-humanize"
+	"sneak.berlin/go/pixa/internal/imageprocessor"
 )
 
 // Service implements the ImageCache interface, orchestrating cache, fetcher, and processor.
 type Service struct {
-	cache     *Cache
-	fetcher   Fetcher
-	processor Processor
-	signer    *Signer
-	whitelist *HostWhitelist
-	log       *slog.Logger
-	allowHTTP bool
+	cache           *Cache
+	fetcher         Fetcher
+	processor       *imageprocessor.ImageProcessor
+	signer          *Signer
+	whitelist       *HostWhitelist
+	log             *slog.Logger
+	allowHTTP       bool
+	maxResponseSize int64
 }
 
 // ServiceConfig holds configuration for the image service.
@@ -50,15 +52,17 @@ func NewService(cfg *ServiceConfig) (*Service, error) {
 		return nil, errors.New("signing key is required")
 	}
 
+	// Resolve fetcher config for defaults
+	fetcherCfg := cfg.FetcherConfig
+	if fetcherCfg == nil {
+		fetcherCfg = DefaultFetcherConfig()
+	}
+
 	// Use custom fetcher if provided, otherwise create HTTP fetcher
 	var fetcher Fetcher
 	if cfg.Fetcher != nil {
 		fetcher = cfg.Fetcher
 	} else {
-		fetcherCfg := cfg.FetcherConfig
-		if fetcherCfg == nil {
-			fetcherCfg = DefaultFetcherConfig()
-		}
 		fetcher = NewHTTPFetcher(fetcherCfg)
 	}
 
@@ -74,14 +78,17 @@ func NewService(cfg *ServiceConfig) (*Service, error) {
 		allowHTTP = cfg.FetcherConfig.AllowHTTP
 	}
 
+	maxResponseSize := fetcherCfg.MaxResponseSize
+
 	return &Service{
-		cache:     cfg.Cache,
-		fetcher:   fetcher,
-		processor: NewImageProcessor(),
-		signer:    signer,
-		whitelist: NewHostWhitelist(cfg.Whitelist),
-		log:       log,
-		allowHTTP: allowHTTP,
+		cache:           cfg.Cache,
+		fetcher:         fetcher,
+		processor:       imageprocessor.New(imageprocessor.Params{MaxInputBytes: maxResponseSize}),
+		signer:          signer,
+		whitelist:       NewHostWhitelist(cfg.Whitelist),
+		log:             log,
+		allowHTTP:       allowHTTP,
+		maxResponseSize: maxResponseSize,
 	}, nil
 }
 
@@ -146,6 +153,40 @@ func (s *Service) Get(ctx context.Context, req *ImageRequest) (*ImageResponse, e
 	return response, nil
 }
 
+// loadCachedSource attempts to load source content from cache, returning nil
+// if the cached data is unavailable or exceeds maxResponseSize.
+func (s *Service) loadCachedSource(contentHash ContentHash) []byte {
+	reader, err := s.cache.GetSourceContent(contentHash)
+	if err != nil {
+		s.log.Warn("failed to load cached source, fetching", "error", err)
+
+		return nil
+	}
+
+	// Bound the read to maxResponseSize to prevent unbounded memory use
+	// from unexpectedly large cached files.
+	limited := io.LimitReader(reader, s.maxResponseSize+1)
+	data, err := io.ReadAll(limited)
+	_ = reader.Close()
+
+	if err != nil {
+		s.log.Warn("failed to read cached source, fetching", "error", err)
+
+		return nil
+	}
+
+	if int64(len(data)) > s.maxResponseSize {
+		s.log.Warn("cached source exceeds max response size, discarding",
+			"hash", contentHash,
+			"max_bytes", s.maxResponseSize,
+		)
+
+		return nil
+	}
+
+	return data
+}
+
 // processFromSourceOrFetch processes an image, using cached source content if available.
 func (s *Service) processFromSourceOrFetch(
 	ctx context.Context,
@@ -162,22 +203,8 @@ func (s *Service) processFromSourceOrFetch(
 	var fetchBytes int64
 
 	if contentHash != "" {
-		// We have cached source - load it
 		s.log.Debug("using cached source", "hash", contentHash)
-
-		reader, err := s.cache.GetSourceContent(contentHash)
-		if err != nil {
-			s.log.Warn("failed to load cached source, fetching", "error", err)
-			// Fall through to fetch
-		} else {
-			sourceData, err = io.ReadAll(reader)
-			_ = reader.Close()
-
-			if err != nil {
-				s.log.Warn("failed to read cached source, fetching", "error", err)
-				// Fall through to fetch
-			}
-		}
+		sourceData = s.loadCachedSource(contentHash)
 	}
 
 	// Fetch from upstream if we don't have source data or it's empty
@@ -274,7 +301,14 @@ func (s *Service) processAndStore(
 	// Process the image
 	processStart := time.Now()
 
-	processResult, err := s.processor.Process(ctx, bytes.NewReader(sourceData), req)
+	processReq := &imageprocessor.Request{
+		Size:    imageprocessor.Size{Width: req.Size.Width, Height: req.Size.Height},
+		Format:  imageprocessor.Format(req.Format),
+		Quality: req.Quality,
+		FitMode: imageprocessor.FitMode(req.FitMode),
+	}
+
+	processResult, err := s.processor.Process(ctx, bytes.NewReader(sourceData), processReq)
 	if err != nil {
 		return nil, fmt.Errorf("image processing failed: %w", err)
 	}

internal/imgcache/service_test.go

@@ -151,6 +151,74 @@ func TestService_Get_NonWhitelistedHost_InvalidSignature(t *testing.T) {
 	}
 }
 
+// TestService_ValidateRequest_SignatureExactHostMatch verifies that
+// ValidateRequest enforces exact host matching for signatures. A
+// signature for one host must not verify for a different host, even
+// if they share a domain suffix.
+func TestService_ValidateRequest_SignatureExactHostMatch(t *testing.T) {
+	signingKey := "test-signing-key-must-be-32-chars"
+	svc, _ := SetupTestService(t,
+		WithSigningKey(signingKey),
+		WithNoWhitelist(),
+	)
+
+	signer := NewSigner(signingKey)
+
+	// Sign a request for "cdn.example.com"
+	signedReq := &ImageRequest{
+		SourceHost: "cdn.example.com",
+		SourcePath: "/photos/cat.jpg",
+		Size:       Size{Width: 50, Height: 50},
+		Format:     FormatJPEG,
+		Quality:    85,
+		FitMode:    FitCover,
+		Expires:    time.Now().Add(time.Hour),
+	}
+	signedReq.Signature = signer.Sign(signedReq)
+
+	// The original request should pass validation
+	t.Run("exact host passes", func(t *testing.T) {
+		err := svc.ValidateRequest(signedReq)
+		if err != nil {
+			t.Errorf("ValidateRequest() exact host failed: %v", err)
+		}
+	})
+
+	// Try to reuse the signature with different hosts
+	tests := []struct {
+		name string
+		host string
+	}{
+		{"parent domain", "example.com"},
+		{"sibling subdomain", "images.example.com"},
+		{"deeper subdomain", "a.cdn.example.com"},
+		{"evil suffix domain", "cdn.example.com.evil.com"},
+		{"prefixed host", "evilcdn.example.com"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name+" rejected", func(t *testing.T) {
+			req := &ImageRequest{
+				SourceHost:  tt.host,
+				SourcePath:  signedReq.SourcePath,
+				SourceQuery: signedReq.SourceQuery,
+				Size:        signedReq.Size,
+				Format:      signedReq.Format,
+				Quality:     signedReq.Quality,
+				FitMode:     signedReq.FitMode,
+				Expires:     signedReq.Expires,
+				Signature:   signedReq.Signature,
+			}
+
+			err := svc.ValidateRequest(req)
+			if err == nil {
+				t.Errorf("ValidateRequest() should reject signature for host %q (signed for %q)",
+					tt.host, signedReq.SourceHost)
+			}
+		})
+	}
+}
+
 func TestService_Get_InvalidFile(t *testing.T) {
 	svc, fixtures := SetupTestService(t)
 	ctx := context.Background()

internal/imgcache/signature.go

@@ -43,6 +43,11 @@ func (s *Signer) Sign(req *ImageRequest) string {
 }
 
 // Verify checks if the signature on the request is valid and not expired.
+// Signatures are exact-match only: every component of the signed data
+// (host, path, query, dimensions, format, expiration) must match exactly.
+// No suffix matching, wildcard matching, or partial matching is supported.
+// A signature for "cdn.example.com" will NOT verify for "example.com" or
+// "other.cdn.example.com", and vice versa.
 func (s *Signer) Verify(req *ImageRequest) error {
 	// Check expiration first
 	if req.Expires.IsZero() {
@@ -66,6 +71,8 @@ func (s *Signer) Verify(req *ImageRequest) error {
 
 // buildSignatureData creates the string to be signed.
 // Format: "host:path:query:width:height:format:expiration"
+// All components are used verbatim (exact match). No normalization,
+// suffix matching, or wildcard expansion is performed.
 func (s *Signer) buildSignatureData(req *ImageRequest) string {
 	return fmt.Sprintf("%s:%s:%s:%d:%d:%s:%d",
 		req.SourceHost,

internal/imgcache/signature_test.go

@@ -152,6 +152,178 @@ func TestSigner_Verify(t *testing.T) {
 	}
 }
 
+// TestSigner_Verify_ExactMatchOnly verifies that signatures enforce exact
+// matching on every URL component. No suffix matching, wildcard matching,
+// or partial matching is supported.
+func TestSigner_Verify_ExactMatchOnly(t *testing.T) {
+	signer := NewSigner("test-secret-key")
+
+	// Base request that we'll sign, then tamper with individual fields.
+	baseReq := func() *ImageRequest {
+		req := &ImageRequest{
+			SourceHost:  "cdn.example.com",
+			SourcePath:  "/photos/cat.jpg",
+			SourceQuery: "token=abc",
+			Size:        Size{Width: 800, Height: 600},
+			Format:      FormatWebP,
+			Expires:     time.Now().Add(1 * time.Hour),
+		}
+		req.Signature = signer.Sign(req)
+
+		return req
+	}
+
+	tests := []struct {
+		name   string
+		tamper func(req *ImageRequest)
+	}{
+		{
+			name: "parent domain does not match subdomain",
+			tamper: func(req *ImageRequest) {
+				// Signed for cdn.example.com, try example.com
+				req.SourceHost = "example.com"
+			},
+		},
+		{
+			name: "subdomain does not match parent domain",
+			tamper: func(req *ImageRequest) {
+				// Signed for cdn.example.com, try images.cdn.example.com
+				req.SourceHost = "images.cdn.example.com"
+			},
+		},
+		{
+			name: "sibling subdomain does not match",
+			tamper: func(req *ImageRequest) {
+				// Signed for cdn.example.com, try images.example.com
+				req.SourceHost = "images.example.com"
+			},
+		},
+		{
+			name: "host with suffix appended does not match",
+			tamper: func(req *ImageRequest) {
+				// Signed for cdn.example.com, try cdn.example.com.evil.com
+				req.SourceHost = "cdn.example.com.evil.com"
+			},
+		},
+		{
+			name: "host with prefix does not match",
+			tamper: func(req *ImageRequest) {
+				// Signed for cdn.example.com, try evilcdn.example.com
+				req.SourceHost = "evilcdn.example.com"
+			},
+		},
+		{
+			name: "different path does not match",
+			tamper: func(req *ImageRequest) {
+				req.SourcePath = "/photos/dog.jpg"
+			},
+		},
+		{
+			name: "path suffix does not match",
+			tamper: func(req *ImageRequest) {
+				req.SourcePath = "/photos/cat.jpg/extra"
+			},
+		},
+		{
+			name: "path prefix does not match",
+			tamper: func(req *ImageRequest) {
+				req.SourcePath = "/other/photos/cat.jpg"
+			},
+		},
+		{
+			name: "different query does not match",
+			tamper: func(req *ImageRequest) {
+				req.SourceQuery = "token=xyz"
+			},
+		},
+		{
+			name: "added query does not match empty query",
+			tamper: func(req *ImageRequest) {
+				req.SourceQuery = "extra=1"
+			},
+		},
+		{
+			name: "removed query does not match",
+			tamper: func(req *ImageRequest) {
+				req.SourceQuery = ""
+			},
+		},
+		{
+			name: "different width does not match",
+			tamper: func(req *ImageRequest) {
+				req.Size.Width = 801
+			},
+		},
+		{
+			name: "different height does not match",
+			tamper: func(req *ImageRequest) {
+				req.Size.Height = 601
+			},
+		},
+		{
+			name: "different format does not match",
+			tamper: func(req *ImageRequest) {
+				req.Format = FormatPNG
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			req := baseReq()
+			tt.tamper(req)
+
+			err := signer.Verify(req)
+			if err != ErrSignatureInvalid {
+				t.Errorf("Verify() = %v, want %v", err, ErrSignatureInvalid)
+			}
+		})
+	}
+
+	// Verify the unmodified base request still passes
+	t.Run("unmodified request passes", func(t *testing.T) {
+		req := baseReq()
+		if err := signer.Verify(req); err != nil {
+			t.Errorf("Verify() unmodified request failed: %v", err)
+		}
+	})
+}
+
+// TestSigner_Sign_ExactHostInData verifies that Sign uses the exact host
+// string in the signature data, producing different signatures for
+// suffix-related hosts.
+func TestSigner_Sign_ExactHostInData(t *testing.T) {
+	signer := NewSigner("test-secret-key")
+
+	hosts := []string{
+		"cdn.example.com",
+		"example.com",
+		"images.example.com",
+		"images.cdn.example.com",
+		"cdn.example.com.evil.com",
+	}
+
+	sigs := make(map[string]string)
+
+	for _, host := range hosts {
+		req := &ImageRequest{
+			SourceHost:  host,
+			SourcePath:  "/photos/cat.jpg",
+			SourceQuery: "",
+			Size:        Size{Width: 800, Height: 600},
+			Format:      FormatWebP,
+			Expires:     time.Unix(1704067200, 0),
+		}
+
+		sig := signer.Sign(req)
+		if existing, ok := sigs[sig]; ok {
+			t.Errorf("hosts %q and %q produced the same signature", existing, host)
+		}
+
+		sigs[sig] = host
+	}
+}
+
 func TestSigner_DifferentKeys(t *testing.T) {
 	signer1 := NewSigner("secret-key-1")
 	signer2 := NewSigner("secret-key-2")

internal/imgcache/stats_test.go

@@ -16,7 +16,7 @@ func setupStatsTestDB(t *testing.T) *sql.DB {
 	if err != nil {
 		t.Fatal(err)
 	}
-	if err := database.ApplyMigrations(db); err != nil {
+	if err := database.ApplyMigrations(context.Background(), db, nil); err != nil {
 		t.Fatal(err)
 	}
 	t.Cleanup(func() { db.Close() })

internal/imgcache/testutil_test.go

@@ -2,6 +2,7 @@ package imgcache
 
 import (
 	"bytes"
+	"context"
 	"database/sql"
 	"image"
 	"image/color"
@@ -193,7 +194,7 @@ func setupServiceTestDB(t *testing.T) *sql.DB {
 	}
 
 	// Use the real production schema via migrations
-	if err := database.ApplyMigrations(db); err != nil {
+	if err := database.ApplyMigrations(context.Background(), db, nil); err != nil {
 		t.Fatalf("failed to apply migrations: %v", err)
 	}