docs: update README and config to reflect exact-match-only whitelist

Remove suffix match documentation and config comments since whitelist
now only supports exact host matches.

.dockerignore

@@ -6,4 +6,3 @@
 node_modules
 bin/
 data/
-deploy/

Dockerfile

@@ -75,7 +75,4 @@ WORKDIR /var/lib/pixa
 
 EXPOSE 8080
 
-HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
-    CMD wget -q --spider http://localhost:8080/.well-known/healthcheck.json
-
 ENTRYPOINT ["/usr/local/bin/pixad", "--config", "/etc/pixa/config.yml"]

README.md

@@ -98,9 +98,7 @@ expiration 1704067200:
 
 **Whitelist patterns:**
 
-- **Exact match**: `cdn.example.com` — matches only that host
-- **Suffix match**: `.example.com` — matches `cdn.example.com`,
-  `images.example.com`, and `example.com`
+- **Exact match only**: `cdn.example.com` — matches only that host
 
 ### Configuration
 
@@ -125,17 +123,6 @@ See `config.example.yml` for all options with defaults.
 - **Metrics**: Prometheus
 - **Logging**: stdlib slog
 
-## Deployment
-
-Pixa is deployed via
-[µPaaS](https://git.eeqj.de/sneak/upaas) on `fsn1app1`
-(paas.datavi.be). Pushes to `main` trigger automatic builds and
-deployments. The Dockerfile includes a `HEALTHCHECK` that probes
-`/.well-known/healthcheck.json`.
-
-See [deploy/README.md](deploy/README.md) for the full µPaaS app
-configuration, volume mounts, and production setup instructions.
-
 ## TODO
 
 See [TODO.md](TODO.md) for the full prioritized task list.

config.example.yml

@@ -13,8 +13,7 @@ state_dir: ./data
 # Generate with: openssl rand -base64 32
 signing_key: "CHANGE_ME_generate_with_openssl_rand_base64_32"
 
-# Hosts that don't require signatures
-# Use "." prefix for wildcard subdomain matching (e.g., ".example.com" matches "cdn.example.com")
+# Hosts that don't require signatures (exact match only)
 whitelist_hosts:
   - s3.sneak.cloud
   - static.sneak.cloud

deploy/README.md

@@ -1,78 +0,0 @@
-# Pixa Deployment via µPaaS
-
-Pixa is deployed on `fsn1app1` via
-[µPaaS](https://git.eeqj.de/sneak/upaas) (paas.datavi.be).
-
-## µPaaS App Configuration
-
-Create the app in the µPaaS web UI with these settings:
-
-| Setting | Value |
-| --- | --- |
-| **App name** | `pixa` |
-| **Repo URL** | `git@git.eeqj.de:sneak/pixa.git` |
-| **Branch** | `main` |
-| **Dockerfile path** | `Dockerfile` |
-
-### Environment Variables
-
-| Variable | Description | Required |
-| --- | --- | --- |
-| `PORT` | HTTP listen port (default: 8080) | No |
-
-Configuration is provided via the config file baked into the Docker
-image at `/etc/pixa/config.yml`. To override it, mount a custom
-config file as a volume (see below).
-
-### Volumes
-
-| Host Path | Container Path | Description |
-| --- | --- | --- |
-| `/srv/pixa/data` | `/var/lib/pixa` | SQLite database and image cache |
-| `/srv/pixa/config.yml` | `/etc/pixa/config.yml` | Production config (signing key, whitelist, etc.) |
-
-### Ports
-
-| Host Port | Container Port | Protocol |
-| --- | --- | --- |
-| (assigned) | 8080 | TCP |
-
-### Docker Network
-
-Attach to the shared reverse-proxy network if using Caddy/Traefik
-for TLS termination.
-
-## Production Configuration
-
-Copy `config.example.yml` from the repo root and customize for
-production:
-
-```yaml
-port: 8080
-debug: false
-maintenance_mode: false
-state_dir: /var/lib/pixa
-signing_key: "<generate with: openssl rand -base64 32>"
-whitelist_hosts:
-    - s3.sneak.cloud
-    - static.sneak.cloud
-    - sneak.berlin
-allow_http: false
-```
-
-**Important:** Generate a unique `signing_key` for production. Never
-use the default placeholder value.
-
-## Health Check
-
-The Dockerfile includes a `HEALTHCHECK` instruction that probes
-`/.well-known/healthcheck.json` every 30 seconds. µPaaS verifies
-container health 60 seconds after deployment.
-
-## Deployment Flow
-
-1. Push to `main` triggers the Gitea webhook
-2. µPaaS clones the repo and runs `docker build .`
-3. The Dockerfile runs `make check` (format, lint, test) during build
-4. On success, µPaaS stops the old container and starts the new one
-5. After 60 seconds, µPaaS checks container health

internal/imgcache/whitelist.go

@@ -6,22 +6,19 @@ import (
 )
 
 // HostWhitelist implements the Whitelist interface for checking allowed source hosts.
+// Only exact host matches are supported. Leading dots in patterns are stripped
+// (e.g. ".example.com" becomes an exact match for "example.com").
 type HostWhitelist struct {
-	// exactHosts contains hosts that must match exactly (e.g., "cdn.example.com")
-	exactHosts map[string]struct{}
-	// suffixHosts contains domain suffixes to match (e.g., ".example.com" matches "cdn.example.com")
-	suffixHosts []string
+	// hosts contains hosts that must match exactly (e.g., "cdn.example.com")
+	hosts map[string]struct{}
 }
 
 // NewHostWhitelist creates a whitelist from a list of host patterns.
-// Patterns starting with "." are treated as suffix matches.
-// Examples:
-//   - "cdn.example.com" - exact match only
-//   - ".example.com" - matches cdn.example.com, images.example.com, etc.
+// All patterns are treated as exact matches. Leading dots are stripped
+// for backwards compatibility (e.g. ".example.com" matches "example.com" only).
 func NewHostWhitelist(patterns []string) *HostWhitelist {
 	w := &HostWhitelist{
-		exactHosts:  make(map[string]struct{}),
-		suffixHosts: make([]string, 0),
+		hosts: make(map[string]struct{}),
 	}
 
 	for _, pattern := range patterns {
@@ -30,17 +27,22 @@ func NewHostWhitelist(patterns []string) *HostWhitelist {
 			continue
 		}
 
-		if strings.HasPrefix(pattern, ".") {
-			w.suffixHosts = append(w.suffixHosts, pattern)
-		} else {
-			w.exactHosts[pattern] = struct{}{}
+		// Strip leading dot — suffix matching is not supported.
+		// ".example.com" is treated as exact match for "example.com".
+		pattern = strings.TrimPrefix(pattern, ".")
+
+		if pattern == "" {
+			continue
 		}
+
+		w.hosts[pattern] = struct{}{}
 	}
 
 	return w
 }
 
 // IsWhitelisted checks if a URL's host is in the whitelist.
+// Only exact host matches are supported.
 func (w *HostWhitelist) IsWhitelisted(u *url.URL) bool {
 	if u == nil {
 		return false
@@ -51,32 +53,17 @@ func (w *HostWhitelist) IsWhitelisted(u *url.URL) bool {
 		return false
 	}
 
-	// Check exact match
-	if _, ok := w.exactHosts[host]; ok {
-		return true
-	}
+	_, ok := w.hosts[host]
 
-	// Check suffix match
-	for _, suffix := range w.suffixHosts {
-		if strings.HasSuffix(host, suffix) {
-			return true
-		}
-		// Also match if host equals the suffix without the leading dot
-		// e.g., pattern ".example.com" should match "example.com"
-		if host == strings.TrimPrefix(suffix, ".") {
-			return true
-		}
-	}
-
-	return false
+	return ok
 }
 
 // IsEmpty returns true if the whitelist has no entries.
 func (w *HostWhitelist) IsEmpty() bool {
-	return len(w.exactHosts) == 0 && len(w.suffixHosts) == 0
+	return len(w.hosts) == 0
 }
 
 // Count returns the total number of whitelist entries.
 func (w *HostWhitelist) Count() int {
-	return len(w.exactHosts) + len(w.suffixHosts)
+	return len(w.hosts)
 }

internal/imgcache/whitelist_test.go

@@ -31,41 +31,47 @@ func TestHostWhitelist_IsWhitelisted(t *testing.T) {
 			want:     false,
 		},
 		{
-			name:     "suffix match",
+			name:     "dot prefix does not enable suffix matching",
 			patterns: []string{".example.com"},
 			testURL:  "https://cdn.example.com/image.jpg",
-			want:     true,
+			want:     false,
 		},
 		{
-			name:     "suffix match deep subdomain",
+			name:     "dot prefix does not match deep subdomain",
 			patterns: []string{".example.com"},
 			testURL:  "https://cdn.images.example.com/image.jpg",
-			want:     true,
+			want:     false,
 		},
 		{
-			name:     "suffix match apex domain",
+			name:     "dot prefix stripped matches apex domain exactly",
 			patterns: []string{".example.com"},
 			testURL:  "https://example.com/image.jpg",
 			want:     true,
 		},
 		{
-			name:     "suffix match not found",
+			name:     "dot prefix does not match unrelated domain",
 			patterns: []string{".example.com"},
 			testURL:  "https://notexample.com/image.jpg",
 			want:     false,
 		},
 		{
-			name:     "suffix match partial not allowed",
+			name:     "dot prefix does not match partial domain",
 			patterns: []string{".example.com"},
 			testURL:  "https://fakeexample.com/image.jpg",
 			want:     false,
 		},
 		{
-			name:     "multiple patterns",
-			patterns: []string{"cdn.example.com", ".images.org", "static.test.net"},
+			name:     "multiple patterns exact only",
+			patterns: []string{"cdn.example.com", "photos.images.org", "static.test.net"},
 			testURL:  "https://photos.images.org/image.jpg",
 			want:     true,
 		},
+		{
+			name:     "multiple patterns no suffix match",
+			patterns: []string{"cdn.example.com", ".images.org", "static.test.net"},
+			testURL:  "https://photos.images.org/image.jpg",
+			want:     false,
+		},
 		{
 			name:     "empty whitelist",
 			patterns: []string{},
@@ -90,6 +96,12 @@ func TestHostWhitelist_IsWhitelisted(t *testing.T) {
 			testURL:  "https://cdn.example.com/image.jpg",
 			want:     true,
 		},
+		{
+			name:     "whitespace dot prefix stripped matches exactly",
+			patterns: []string{"  .other.com  "},
+			testURL:  "https://other.com/image.jpg",
+			want:     true,
+		},
 	}
 
 	for _, tt := range tests {
@@ -139,6 +151,11 @@ func TestHostWhitelist_IsEmpty(t *testing.T) {
 			patterns: []string{"example.com"},
 			want:     false,
 		},
+		{
+			name:     "dot prefix entry still counts",
+			patterns: []string{".example.com"},
+			want:     false,
+		},
 	}
 
 	for _, tt := range tests {
@@ -168,7 +185,7 @@ func TestHostWhitelist_Count(t *testing.T) {
 			want:     3,
 		},
 		{
-			name:     "suffix hosts only",
+			name:     "dot prefix hosts treated as exact",
 			patterns: []string{".a.com", ".b.com"},
 			want:     2,
 		},
@@ -177,6 +194,11 @@ func TestHostWhitelist_Count(t *testing.T) {
 			patterns: []string{"exact.com", ".suffix.com"},
 			want:     2,
 		},
+		{
+			name:     "dot prefix deduplicates with exact",
+			patterns: []string{"example.com", ".example.com"},
+			want:     1,
+		},
 	}
 
 	for _, tt := range tests {