Move schema_migrations table creation from Go code into 000.sql

The schema_migrations table definition now lives in
internal/database/schema/000.sql instead of being hardcoded as an
inline SQL string in database.go. A bootstrap step checks
sqlite_master for the table and applies 000.sql when it is missing.
Existing databases that already have the table (created by older
inline code) get version 000 back-filled so the normal migration
loop skips the file.

Also deduplicates the migration logic: both the Database.runMigrations
method and the exported ApplyMigrations helper now delegate to a single
applyMigrations function.

Adds database_test.go with tests for fresh migration, idempotency,
bootstrap on a fresh DB, and backwards compatibility with legacy DBs.

README.md

@@ -67,10 +67,7 @@ hosts require an HMAC-SHA256 signature.
 #### Signature Specification
 
 Signatures use HMAC-SHA256 and include an expiration timestamp to
-prevent replay attacks. Signatures are **exact match only**: every
+prevent replay attacks.
-component (host, path, query, dimensions, format, expiration) must
-match exactly what was signed. No suffix matching, wildcard matching,
-or partial matching is supported.
 
 **Signed data format** (colon-separated):
 

cmd/pixad/main.go

@@ -17,7 +17,10 @@ import (
 	"sneak.berlin/go/pixa/internal/server"
 )
 
-var Version string //nolint:gochecknoglobals // set by ldflags
+var (
+	Appname = "pixad" //nolint:gochecknoglobals // set by ldflags
+	Version string    //nolint:gochecknoglobals // set by ldflags
+)
 
 var configPath string //nolint:gochecknoglobals // cobra flag
 
@@ -37,6 +40,7 @@ func main() {
 }
 
 func run(_ *cobra.Command, _ []string) {
+	globals.Appname = Appname
 	globals.Version = Version
 
 	// Set config path in environment if specified via flag

internal/database/database.go

@@ -9,7 +9,6 @@ import (
 	"log/slog"
 	"path/filepath"
 	"sort"
-	"strconv"
 	"strings"
 
 	"go.uber.org/fx"
@@ -24,7 +23,7 @@ var schemaFS embed.FS
 
 // bootstrapVersion is the migration that creates the schema_migrations
 // table itself. It is applied before the normal migration loop.
-const bootstrapVersion = 0
+const bootstrapVersion = "000"
 
 // Params defines dependencies for Database.
 type Params struct {
@@ -43,40 +42,35 @@ type Database struct {
 // ParseMigrationVersion extracts the numeric version prefix from a migration
 // filename. Filenames must follow the pattern "<version>.sql" or
 // "<version>_<description>.sql", where version is a zero-padded numeric
-// string (e.g. "001", "002"). Returns the version as an integer and an
+// string (e.g. "001", "002"). Returns the version string and an error if
-// error if the filename does not match the expected pattern.
+// the filename does not match the expected pattern.
-func ParseMigrationVersion(filename string) (int, error) {
+func ParseMigrationVersion(filename string) (string, error) {
 	name := strings.TrimSuffix(filename, filepath.Ext(filename))
 	if name == "" {
-		return 0, fmt.Errorf("invalid migration filename %q: empty name", filename)
+		return "", fmt.Errorf("invalid migration filename %q: empty name", filename)
 	}
 
 	// Split on underscore to separate version from description.
 	// If there's no underscore, the entire stem is the version.
-	versionStr := name
+	version := name
 	if idx := strings.IndexByte(name, '_'); idx >= 0 {
-		versionStr = name[:idx]
+		version = name[:idx]
 	}
 
-	if versionStr == "" {
+	if version == "" {
-		return 0, fmt.Errorf("invalid migration filename %q: empty version prefix", filename)
+		return "", fmt.Errorf("invalid migration filename %q: empty version prefix", filename)
 	}
 
 	// Validate the version is purely numeric.
-	for _, ch := range versionStr {
+	for _, ch := range version {
 		if ch < '0' || ch > '9' {
-			return 0, fmt.Errorf(
+			return "", fmt.Errorf(
 				"invalid migration filename %q: version %q contains non-numeric character %q",
-				filename, versionStr, string(ch),
+				filename, version, string(ch),
 			)
 		}
 	}
 
-	version, err := strconv.Atoi(versionStr)
-	if err != nil {
-		return 0, fmt.Errorf("invalid migration filename %q: %w", filename, err)
-	}
-
 	return version, nil
 }
 
@@ -154,7 +148,9 @@ func collectMigrations() ([]string, error) {
 }
 
 // bootstrapMigrationsTable ensures the schema_migrations table exists
-// by applying 000.sql if the table is missing.
+// by applying 000.sql directly. For databases that already have the
+// table (created by older code), it records version "000" for
+// consistency.
 func bootstrapMigrationsTable(ctx context.Context, db *sql.DB, log *slog.Logger) error {
 	var tableExists int
 
@@ -166,9 +162,47 @@ func bootstrapMigrationsTable(ctx context.Context, db *sql.DB, log *slog.Logger)
 	}
 
 	if tableExists > 0 {
+		return ensureBootstrapVersionRecorded(ctx, db, log)
+	}
+
+	return applyBootstrapMigration(ctx, db, log)
+}
+
+// ensureBootstrapVersionRecorded checks whether version "000" is already
+// recorded in an existing schema_migrations table and inserts it if not.
+func ensureBootstrapVersionRecorded(ctx context.Context, db *sql.DB, log *slog.Logger) error {
+	var recorded int
+
+	err := db.QueryRowContext(ctx,
+		"SELECT COUNT(*) FROM schema_migrations WHERE version = ?",
+		bootstrapVersion,
+	).Scan(&recorded)
+	if err != nil {
+		return fmt.Errorf("failed to check bootstrap migration status: %w", err)
+	}
+
+	if recorded > 0 {
 		return nil
 	}
 
+	_, err = db.ExecContext(ctx,
+		"INSERT INTO schema_migrations (version) VALUES (?)",
+		bootstrapVersion,
+	)
+	if err != nil {
+		return fmt.Errorf("failed to record bootstrap migration: %w", err)
+	}
+
+	if log != nil {
+		log.Info("recorded bootstrap migration for existing table", "version", bootstrapVersion)
+	}
+
+	return nil
+}
+
+// applyBootstrapMigration reads and executes 000.sql to create the
+// schema_migrations table on a fresh database.
+func applyBootstrapMigration(ctx context.Context, db *sql.DB, log *slog.Logger) error {
 	content, err := schemaFS.ReadFile("schema/000.sql")
 	if err != nil {
 		return fmt.Errorf("failed to read bootstrap migration 000.sql: %w", err)
@@ -183,6 +217,18 @@ func bootstrapMigrationsTable(ctx context.Context, db *sql.DB, log *slog.Logger)
 		return fmt.Errorf("failed to apply bootstrap migration: %w", err)
 	}
 
+	_, err = db.ExecContext(ctx,
+		"INSERT INTO schema_migrations (version) VALUES (?)",
+		bootstrapVersion,
+	)
+	if err != nil {
+		return fmt.Errorf("failed to record bootstrap migration: %w", err)
+	}
+
+	if log != nil {
+		log.Info("bootstrap migration applied successfully", "version", bootstrapVersion)
+	}
+
 	return nil
 }
 

internal/database/database_test.go

@@ -26,33 +26,33 @@ func TestParseMigrationVersion(t *testing.T) {
 	tests := []struct {
 		name     string
 		filename string
-		want     int
+		want     string
 		wantErr  bool
 	}{
 		{
 			name:     "version only",
 			filename: "001.sql",
-			want:     1,
+			want:     "001",
 		},
 		{
 			name:     "version with description",
 			filename: "001_initial_schema.sql",
-			want:     1,
+			want:     "001",
 		},
 		{
 			name:     "multi-digit version",
 			filename: "042_add_indexes.sql",
-			want:     42,
+			want:     "042",
 		},
 		{
 			name:     "long version number",
 			filename: "00001_long_prefix.sql",
-			want:     1,
+			want:     "00001",
 		},
 		{
 			name:     "description with multiple underscores",
 			filename: "003_add_user_auth_tables.sql",
-			want:     3,
+			want:     "003",
 		},
 		{
 			name:     "empty filename",
@@ -81,7 +81,7 @@ func TestParseMigrationVersion(t *testing.T) {
 			got, err := ParseMigrationVersion(tt.filename)
 			if tt.wantErr {
 				if err == nil {
-					t.Errorf("ParseMigrationVersion(%q) expected error, got %d", tt.filename, got)
+					t.Errorf("ParseMigrationVersion(%q) expected error, got %q", tt.filename, got)
 				}
 
 				return
@@ -94,7 +94,7 @@ func TestParseMigrationVersion(t *testing.T) {
 			}
 
 			if got != tt.want {
-				t.Errorf("ParseMigrationVersion(%q) = %d, want %d", tt.filename, got, tt.want)
+				t.Errorf("ParseMigrationVersion(%q) = %q, want %q", tt.filename, got, tt.want)
 			}
 		})
 	}
@@ -109,16 +109,16 @@ func TestApplyMigrations_CreatesSchemaAndTables(t *testing.T) {
 	}
 
 	// The schema_migrations table must exist and contain at least
-	// version 0 (the bootstrap) and 1 (the initial schema).
+	// version "000" (the bootstrap) and "001" (the initial schema).
 	rows, err := db.Query("SELECT version FROM schema_migrations ORDER BY version")
 	if err != nil {
 		t.Fatalf("failed to query schema_migrations: %v", err)
 	}
 	defer rows.Close()
 
-	var versions []int
+	var versions []string
 	for rows.Next() {
-		var v int
+		var v string
 		if err := rows.Scan(&v); err != nil {
 			t.Fatalf("failed to scan version: %v", err)
 		}
@@ -134,12 +134,12 @@ func TestApplyMigrations_CreatesSchemaAndTables(t *testing.T) {
 		t.Fatalf("expected at least 2 migrations recorded, got %d: %v", len(versions), versions)
 	}
 
-	if versions[0] != 0 {
+	if versions[0] != "000" {
-		t.Errorf("first recorded migration = %d, want %d", versions[0], 0)
+		t.Errorf("first recorded migration = %q, want %q", versions[0], "000")
 	}
 
-	if versions[1] != 1 {
+	if versions[1] != "001" {
-		t.Errorf("second recorded migration = %d, want %d", versions[1], 1)
+		t.Errorf("second recorded migration = %q, want %q", versions[1], "001")
 	}
 
 	// Verify that the application tables created by 001.sql exist.
@@ -176,13 +176,13 @@ func TestApplyMigrations_Idempotent(t *testing.T) {
 	// Verify no duplicate rows in schema_migrations.
 	var count int
 
-	err := db.QueryRow("SELECT COUNT(*) FROM schema_migrations WHERE version = 0").Scan(&count)
+	err := db.QueryRow("SELECT COUNT(*) FROM schema_migrations WHERE version = '000'").Scan(&count)
 	if err != nil {
-		t.Fatalf("failed to count version 0 rows: %v", err)
+		t.Fatalf("failed to count 000 rows: %v", err)
 	}
 
 	if count != 1 {
-		t.Errorf("expected exactly 1 row for version 0, got %d", count)
+		t.Errorf("expected exactly 1 row for version 000, got %d", count)
 	}
 }
 
@@ -208,17 +208,72 @@ func TestBootstrapMigrationsTable_FreshDatabase(t *testing.T) {
 		t.Fatalf("schema_migrations table not created")
 	}
 
-	// Version 0 must be recorded.
+	// Version "000" must be recorded.
 	var recorded int
 
 	err = db.QueryRow(
-		"SELECT COUNT(*) FROM schema_migrations WHERE version = 0",
+		"SELECT COUNT(*) FROM schema_migrations WHERE version = '000'",
 	).Scan(&recorded)
 	if err != nil {
 		t.Fatalf("failed to check version: %v", err)
 	}
 
 	if recorded != 1 {
-		t.Errorf("expected version 0 to be recorded, got count %d", recorded)
+		t.Errorf("expected version 000 to be recorded, got count %d", recorded)
+	}
+}
+
+func TestBootstrapMigrationsTable_ExistingTableBackwardsCompat(t *testing.T) {
+	db := openTestDB(t)
+	ctx := context.Background()
+
+	// Simulate an older database that created the table via inline SQL
+	// (without recording version "000").
+	_, err := db.Exec(`
+		CREATE TABLE schema_migrations (
+			version TEXT PRIMARY KEY,
+			applied_at DATETIME DEFAULT CURRENT_TIMESTAMP
+		)
+	`)
+	if err != nil {
+		t.Fatalf("failed to create legacy table: %v", err)
+	}
+
+	// Insert a fake migration to prove the table already existed.
+	_, err = db.Exec("INSERT INTO schema_migrations (version) VALUES ('001')")
+	if err != nil {
+		t.Fatalf("failed to insert legacy version: %v", err)
+	}
+
+	if err := bootstrapMigrationsTable(ctx, db, nil); err != nil {
+		t.Fatalf("bootstrapMigrationsTable failed: %v", err)
+	}
+
+	// Version "000" must now be recorded.
+	var recorded int
+
+	err = db.QueryRow(
+		"SELECT COUNT(*) FROM schema_migrations WHERE version = '000'",
+	).Scan(&recorded)
+	if err != nil {
+		t.Fatalf("failed to check version: %v", err)
+	}
+
+	if recorded != 1 {
+		t.Errorf("expected version 000 to be recorded for legacy DB, got count %d", recorded)
+	}
+
+	// The existing "001" row must still be there.
+	var legacyCount int
+
+	err = db.QueryRow(
+		"SELECT COUNT(*) FROM schema_migrations WHERE version = '001'",
+	).Scan(&legacyCount)
+	if err != nil {
+		t.Fatalf("failed to check legacy version: %v", err)
+	}
+
+	if legacyCount != 1 {
+		t.Errorf("legacy version 001 row missing after bootstrap")
 	}
 }

internal/database/schema/000.sql

@@ -1,9 +1,9 @@
 -- Migration 000: Schema migrations tracking table
--- Applied as a bootstrap step before the normal migration loop.
+-- This must be the first migration applied. The bootstrap logic in
+-- database.go applies it directly (bypassing the normal migration
+-- loop) when the schema_migrations table does not yet exist.
 
 CREATE TABLE IF NOT EXISTS schema_migrations (
-    version INTEGER PRIMARY KEY,
+    version TEXT PRIMARY KEY,
     applied_at DATETIME DEFAULT CURRENT_TIMESTAMP
 );
-
-INSERT OR IGNORE INTO schema_migrations (version) VALUES (0);

internal/globals/globals.go

@@ -5,10 +5,11 @@ import (
 	"go.uber.org/fx"
 )
 
-const appname = "pixad"
+// Build-time variables populated from main() via ldflags.
-
+var (
-// Version is populated from main() via ldflags.
+	Appname string //nolint:gochecknoglobals // set from main
-var Version string //nolint:gochecknoglobals // set from main
+	Version string //nolint:gochecknoglobals // set from main
+)
 
 // Globals holds application-wide constants.
 type Globals struct {
@@ -19,7 +20,7 @@ type Globals struct {
 // New creates a new Globals instance from build-time variables.
 func New(_ fx.Lifecycle) (*Globals, error) {
 	return &Globals{
-		Appname: appname,
+		Appname: Appname,
 		Version: Version,
 	}, nil
 }

internal/imgcache/imgcache.go

@@ -199,6 +199,36 @@ type FetchResult struct {
 	TLSCipherSuite string
 }
 
+// Processor handles image transformation (resize, format conversion)
+type Processor interface {
+	// Process transforms an image according to the request
+	Process(ctx context.Context, input io.Reader, req *ImageRequest) (*ProcessResult, error)
+	// SupportedInputFormats returns MIME types this processor can read
+	SupportedInputFormats() []string
+	// SupportedOutputFormats returns formats this processor can write
+	SupportedOutputFormats() []ImageFormat
+}
+
+// ProcessResult contains the result of image processing
+type ProcessResult struct {
+	// Content is the processed image data
+	Content io.ReadCloser
+	// ContentLength is the size in bytes
+	ContentLength int64
+	// ContentType is the MIME type of the output
+	ContentType string
+	// Width is the output image width
+	Width int
+	// Height is the output image height
+	Height int
+	// InputWidth is the original image width before processing
+	InputWidth int
+	// InputHeight is the original image height before processing
+	InputHeight int
+	// InputFormat is the detected input format (e.g., "jpeg", "png")
+	InputFormat string
+}
+
 // Storage handles persistent storage of cached content
 type Storage interface {
 	// Store saves content and returns its hash

internal/imgcache/processor.go

@@ -1,5 +1,4 @@
-// Package imageprocessor provides image format conversion and resizing using libvips.
+package imgcache
-package imageprocessor
 
 import (
 	"bytes"
@@ -23,133 +22,38 @@ func initVips() {
 	})
 }
 
-// Format represents supported output image formats.
-type Format string
-
-// Supported image output formats.
-const (
-	FormatOriginal Format = "orig"
-	FormatJPEG     Format = "jpeg"
-	FormatPNG      Format = "png"
-	FormatWebP     Format = "webp"
-	FormatAVIF     Format = "avif"
-	FormatGIF      Format = "gif"
-)
-
-// FitMode represents how to fit an image into requested dimensions.
-type FitMode string
-
-// Supported image fit modes.
-const (
-	FitCover   FitMode = "cover"
-	FitContain FitMode = "contain"
-	FitFill    FitMode = "fill"
-	FitInside  FitMode = "inside"
-	FitOutside FitMode = "outside"
-)
-
-// ErrInvalidFitMode is returned when an invalid fit mode is provided.
-var ErrInvalidFitMode = errors.New("invalid fit mode")
-
-// Size represents requested image dimensions.
-type Size struct {
-	Width  int
-	Height int
-}
-
-// Request holds the parameters for image processing.
-type Request struct {
-	Size    Size
-	Format  Format
-	Quality int
-	FitMode FitMode
-}
-
-// Result contains the output of image processing.
-type Result struct {
-	// Content is the processed image data.
-	Content io.ReadCloser
-	// ContentLength is the size in bytes.
-	ContentLength int64
-	// ContentType is the MIME type of the output.
-	ContentType string
-	// Width is the output image width.
-	Width int
-	// Height is the output image height.
-	Height int
-	// InputWidth is the original image width before processing.
-	InputWidth int
-	// InputHeight is the original image height before processing.
-	InputHeight int
-	// InputFormat is the detected input format (e.g., "jpeg", "png").
-	InputFormat string
-}
-
 // MaxInputDimension is the maximum allowed width or height for input images.
 // Images larger than this are rejected to prevent DoS via decompression bombs.
 const MaxInputDimension = 8192
 
-// DefaultMaxInputBytes is the default maximum input size in bytes (50 MiB).
-// This matches the default upstream fetcher limit.
-const DefaultMaxInputBytes = 50 << 20
-
 // ErrInputTooLarge is returned when input image dimensions exceed MaxInputDimension.
 var ErrInputTooLarge = errors.New("input image dimensions exceed maximum")
 
-// ErrInputDataTooLarge is returned when the raw input data exceeds the configured byte limit.
-var ErrInputDataTooLarge = errors.New("input data exceeds maximum allowed size")
-
 // ErrUnsupportedOutputFormat is returned when the requested output format is not supported.
 var ErrUnsupportedOutputFormat = errors.New("unsupported output format")
 
-// ImageProcessor implements image transformation using libvips via govips.
+// ImageProcessor implements the Processor interface using libvips via govips.
-type ImageProcessor struct {
+type ImageProcessor struct{}
-	maxInputBytes int64
-}
 
-// Params holds configuration for creating an ImageProcessor.
+// NewImageProcessor creates a new image processor.
-// Zero values use sensible defaults (MaxInputBytes defaults to DefaultMaxInputBytes).
+func NewImageProcessor() *ImageProcessor {
-type Params struct {
-	// MaxInputBytes is the maximum allowed input size in bytes.
-	// If <= 0, DefaultMaxInputBytes is used.
-	MaxInputBytes int64
-}
-
-// New creates a new image processor with the given parameters.
-// A zero-value Params{} uses sensible defaults.
-func New(params Params) *ImageProcessor {
 	initVips()
 
-	maxInputBytes := params.MaxInputBytes
+	return &ImageProcessor{}
-	if maxInputBytes <= 0 {
-		maxInputBytes = DefaultMaxInputBytes
-	}
-
-	return &ImageProcessor{
-		maxInputBytes: maxInputBytes,
-	}
 }
 
 // Process transforms an image according to the request.
 func (p *ImageProcessor) Process(
 	_ context.Context,
 	input io.Reader,
-	req *Request,
+	req *ImageRequest,
-) (*Result, error) {
+) (*ProcessResult, error) {
-	// Read input with a size limit to prevent unbounded memory consumption.
+	// Read input
-	// We read at most maxInputBytes+1 so we can detect if the input exceeds
+	data, err := io.ReadAll(input)
-	// the limit without consuming additional memory.
-	limited := io.LimitReader(input, p.maxInputBytes+1)
-
-	data, err := io.ReadAll(limited)
 	if err != nil {
 		return nil, fmt.Errorf("failed to read input: %w", err)
 	}
 
-	if int64(len(data)) > p.maxInputBytes {
-		return nil, ErrInputDataTooLarge
-	}
-
 	// Decode image
 	img, err := vips.NewImageFromBuffer(data)
 	if err != nil {
@@ -205,10 +109,10 @@ func (p *ImageProcessor) Process(
 		return nil, fmt.Errorf("failed to encode: %w", err)
 	}
 
-	return &Result{
+	return &ProcessResult{
 		Content:       io.NopCloser(bytes.NewReader(output)),
 		ContentLength: int64(len(output)),
-		ContentType:   FormatToMIME(outputFormat),
+		ContentType:   ImageFormatToMIME(outputFormat),
 		Width:         img.Width(),
 		Height:        img.Height(),
 		InputWidth:    origWidth,
@@ -220,17 +124,17 @@ func (p *ImageProcessor) Process(
 // SupportedInputFormats returns MIME types this processor can read.
 func (p *ImageProcessor) SupportedInputFormats() []string {
 	return []string{
-		"image/jpeg",
+		string(MIMETypeJPEG),
-		"image/png",
+		string(MIMETypePNG),
-		"image/gif",
+		string(MIMETypeGIF),
-		"image/webp",
+		string(MIMETypeWebP),
-		"image/avif",
+		string(MIMETypeAVIF),
 	}
 }
 
 // SupportedOutputFormats returns formats this processor can write.
-func (p *ImageProcessor) SupportedOutputFormats() []Format {
+func (p *ImageProcessor) SupportedOutputFormats() []ImageFormat {
-	return []Format{
+	return []ImageFormat{
 		FormatJPEG,
 		FormatPNG,
 		FormatGIF,
@@ -239,24 +143,6 @@ func (p *ImageProcessor) SupportedOutputFormats() []Format {
 	}
 }
 
-// FormatToMIME converts a Format to its MIME type string.
-func FormatToMIME(format Format) string {
-	switch format {
-	case FormatJPEG:
-		return "image/jpeg"
-	case FormatPNG:
-		return "image/png"
-	case FormatWebP:
-		return "image/webp"
-	case FormatGIF:
-		return "image/gif"
-	case FormatAVIF:
-		return "image/avif"
-	default:
-		return "application/octet-stream"
-	}
-}
-
 // detectFormat returns the format string from a vips image.
 func (p *ImageProcessor) detectFormat(img *vips.ImageRef) string {
 	format := img.Format()
@@ -285,6 +171,7 @@ func (p *ImageProcessor) resize(img *vips.ImageRef, width, height int, fit FitMo
 
 	case FitContain:
 		// Resize to fit within dimensions, maintaining aspect ratio
+		// Calculate target dimensions maintaining aspect ratio
 		imgW, imgH := img.Width(), img.Height()
 		scaleW := float64(width) / float64(imgW)
 		scaleH := float64(height) / float64(imgH)
@@ -295,7 +182,7 @@ func (p *ImageProcessor) resize(img *vips.ImageRef, width, height int, fit FitMo
 		return img.Thumbnail(newW, newH, vips.InterestingNone)
 
 	case FitFill:
-		// Resize to exact dimensions (may distort)
+		// Resize to exact dimensions (may distort) - use ThumbnailWithSize with Force
 		return img.ThumbnailWithSize(width, height, vips.InterestingNone, vips.SizeForce)
 
 	case FitInside:
@@ -331,7 +218,7 @@ func (p *ImageProcessor) resize(img *vips.ImageRef, width, height int, fit FitMo
 const defaultQuality = 85
 
 // encode encodes an image to the specified format.
-func (p *ImageProcessor) encode(img *vips.ImageRef, format Format, quality int) ([]byte, error) {
+func (p *ImageProcessor) encode(img *vips.ImageRef, format ImageFormat, quality int) ([]byte, error) {
 	if quality <= 0 {
 		quality = defaultQuality
 	}
@@ -379,8 +266,8 @@ func (p *ImageProcessor) encode(img *vips.ImageRef, format Format, quality int)
 	return output, nil
 }
 
-// formatFromString converts a format string to Format.
+// formatFromString converts a format string to ImageFormat.
-func (p *ImageProcessor) formatFromString(format string) Format {
+func (p *ImageProcessor) formatFromString(format string) ImageFormat {
 	switch format {
 	case "jpeg":
 		return FormatJPEG

internal/imgcache/processor_test.go

@@ -1,4 +1,4 @@
-package imageprocessor
+package imgcache
 
 import (
 	"bytes"
@@ -70,36 +70,13 @@ func createTestPNG(t *testing.T, width, height int) []byte {
 	return buf.Bytes()
 }
 
-// detectMIME is a minimal magic-byte detector for test assertions.
-func detectMIME(data []byte) string {
-	if len(data) >= 3 && data[0] == 0xFF && data[1] == 0xD8 && data[2] == 0xFF {
-		return "image/jpeg"
-	}
-	if len(data) >= 8 && string(data[:8]) == "\x89PNG\r\n\x1a\n" {
-		return "image/png"
-	}
-	if len(data) >= 4 && string(data[:4]) == "GIF8" {
-		return "image/gif"
-	}
-	if len(data) >= 12 && string(data[:4]) == "RIFF" && string(data[8:12]) == "WEBP" {
-		return "image/webp"
-	}
-	if len(data) >= 12 && string(data[4:8]) == "ftyp" {
-		brand := string(data[8:12])
-		if brand == "avif" || brand == "avis" {
-			return "image/avif"
-		}
-	}
-	return ""
-}
-
 func TestImageProcessor_ResizeJPEG(t *testing.T) {
-	proc := New(Params{})
+	proc := NewImageProcessor()
 	ctx := context.Background()
 
 	input := createTestJPEG(t, 800, 600)
 
-	req := &Request{
+	req := &ImageRequest{
 		Size:    Size{Width: 400, Height: 300},
 		Format:  FormatJPEG,
 		Quality: 85,
@@ -130,19 +107,23 @@ func TestImageProcessor_ResizeJPEG(t *testing.T) {
 		t.Fatalf("failed to read result: %v", err)
 	}
 
-	mime := detectMIME(data)
+	mime, err := DetectFormat(data)
-	if mime != "image/jpeg" {
+	if err != nil {
-		t.Errorf("Output format = %v, want image/jpeg", mime)
+		t.Fatalf("DetectFormat() error = %v", err)
+	}
+
+	if mime != MIMETypeJPEG {
+		t.Errorf("Output format = %v, want %v", mime, MIMETypeJPEG)
 	}
 }
 
 func TestImageProcessor_ConvertToPNG(t *testing.T) {
-	proc := New(Params{})
+	proc := NewImageProcessor()
 	ctx := context.Background()
 
 	input := createTestJPEG(t, 200, 150)
 
-	req := &Request{
+	req := &ImageRequest{
 		Size:    Size{Width: 200, Height: 150},
 		Format:  FormatPNG,
 		FitMode: FitCover,
@@ -159,19 +140,23 @@ func TestImageProcessor_ConvertToPNG(t *testing.T) {
 		t.Fatalf("failed to read result: %v", err)
 	}
 
-	mime := detectMIME(data)
+	mime, err := DetectFormat(data)
-	if mime != "image/png" {
+	if err != nil {
-		t.Errorf("Output format = %v, want image/png", mime)
+		t.Fatalf("DetectFormat() error = %v", err)
+	}
+
+	if mime != MIMETypePNG {
+		t.Errorf("Output format = %v, want %v", mime, MIMETypePNG)
 	}
 }
 
 func TestImageProcessor_OriginalSize(t *testing.T) {
-	proc := New(Params{})
+	proc := NewImageProcessor()
 	ctx := context.Background()
 
 	input := createTestJPEG(t, 640, 480)
 
-	req := &Request{
+	req := &ImageRequest{
 		Size:    Size{Width: 0, Height: 0}, // Original size
 		Format:  FormatJPEG,
 		Quality: 85,
@@ -194,14 +179,14 @@ func TestImageProcessor_OriginalSize(t *testing.T) {
 }
 
 func TestImageProcessor_FitContain(t *testing.T) {
-	proc := New(Params{})
+	proc := NewImageProcessor()
 	ctx := context.Background()
 
 	// 800x400 image (2:1 aspect) into 400x400 box with contain
 	// Should result in 400x200 (maintaining aspect ratio)
 	input := createTestJPEG(t, 800, 400)
 
-	req := &Request{
+	req := &ImageRequest{
 		Size:    Size{Width: 400, Height: 400},
 		Format:  FormatJPEG,
 		Quality: 85,
@@ -221,14 +206,14 @@ func TestImageProcessor_FitContain(t *testing.T) {
 }
 
 func TestImageProcessor_ProportionalScale_WidthOnly(t *testing.T) {
-	proc := New(Params{})
+	proc := NewImageProcessor()
 	ctx := context.Background()
 
 	// 800x600 image, request width=400 height=0
 	// Should scale proportionally to 400x300
 	input := createTestJPEG(t, 800, 600)
 
-	req := &Request{
+	req := &ImageRequest{
 		Size:    Size{Width: 400, Height: 0},
 		Format:  FormatJPEG,
 		Quality: 85,
@@ -251,14 +236,14 @@ func TestImageProcessor_ProportionalScale_WidthOnly(t *testing.T) {
 }
 
 func TestImageProcessor_ProportionalScale_HeightOnly(t *testing.T) {
-	proc := New(Params{})
+	proc := NewImageProcessor()
 	ctx := context.Background()
 
 	// 800x600 image, request width=0 height=300
 	// Should scale proportionally to 400x300
 	input := createTestJPEG(t, 800, 600)
 
-	req := &Request{
+	req := &ImageRequest{
 		Size:    Size{Width: 0, Height: 300},
 		Format:  FormatJPEG,
 		Quality: 85,
@@ -281,12 +266,12 @@ func TestImageProcessor_ProportionalScale_HeightOnly(t *testing.T) {
 }
 
 func TestImageProcessor_ProcessPNG(t *testing.T) {
-	proc := New(Params{})
+	proc := NewImageProcessor()
 	ctx := context.Background()
 
 	input := createTestPNG(t, 400, 300)
 
-	req := &Request{
+	req := &ImageRequest{
 		Size:    Size{Width: 200, Height: 150},
 		Format:  FormatPNG,
 		FitMode: FitCover,
@@ -307,8 +292,13 @@ func TestImageProcessor_ProcessPNG(t *testing.T) {
 	}
 }
 
+func TestImageProcessor_ImplementsInterface(t *testing.T) {
+	// Verify ImageProcessor implements Processor interface
+	var _ Processor = (*ImageProcessor)(nil)
+}
+
 func TestImageProcessor_SupportedFormats(t *testing.T) {
-	proc := New(Params{})
+	proc := NewImageProcessor()
 
 	inputFormats := proc.SupportedInputFormats()
 	if len(inputFormats) == 0 {
@@ -322,14 +312,14 @@ func TestImageProcessor_SupportedFormats(t *testing.T) {
 }
 
 func TestImageProcessor_RejectsOversizedInput(t *testing.T) {
-	proc := New(Params{})
+	proc := NewImageProcessor()
 	ctx := context.Background()
 
 	// Create an image that exceeds MaxInputDimension (e.g., 10000x100)
 	// This should be rejected before processing to prevent DoS
 	input := createTestJPEG(t, 10000, 100)
 
-	req := &Request{
+	req := &ImageRequest{
 		Size:    Size{Width: 100, Height: 100},
 		Format:  FormatJPEG,
 		Quality: 85,
@@ -347,13 +337,13 @@ func TestImageProcessor_RejectsOversizedInput(t *testing.T) {
 }
 
 func TestImageProcessor_RejectsOversizedInputHeight(t *testing.T) {
-	proc := New(Params{})
+	proc := NewImageProcessor()
 	ctx := context.Background()
 
 	// Create an image with oversized height
 	input := createTestJPEG(t, 100, 10000)
 
-	req := &Request{
+	req := &ImageRequest{
 		Size:    Size{Width: 100, Height: 100},
 		Format:  FormatJPEG,
 		Quality: 85,
@@ -371,13 +361,14 @@ func TestImageProcessor_RejectsOversizedInputHeight(t *testing.T) {
 }
 
 func TestImageProcessor_AcceptsMaxDimensionInput(t *testing.T) {
-	proc := New(Params{})
+	proc := NewImageProcessor()
 	ctx := context.Background()
 
 	// Create an image at exactly MaxInputDimension - should be accepted
+	// Using smaller dimensions to keep test fast
 	input := createTestJPEG(t, MaxInputDimension, 100)
 
-	req := &Request{
+	req := &ImageRequest{
 		Size:    Size{Width: 100, Height: 100},
 		Format:  FormatJPEG,
 		Quality: 85,
@@ -392,12 +383,12 @@ func TestImageProcessor_AcceptsMaxDimensionInput(t *testing.T) {
 }
 
 func TestImageProcessor_EncodeWebP(t *testing.T) {
-	proc := New(Params{})
+	proc := NewImageProcessor()
 	ctx := context.Background()
 
 	input := createTestJPEG(t, 200, 150)
 
-	req := &Request{
+	req := &ImageRequest{
 		Size:    Size{Width: 100, Height: 75},
 		Format:  FormatWebP,
 		Quality: 80,
@@ -416,9 +407,13 @@ func TestImageProcessor_EncodeWebP(t *testing.T) {
 		t.Fatalf("failed to read result: %v", err)
 	}
 
-	mime := detectMIME(data)
+	mime, err := DetectFormat(data)
-	if mime != "image/webp" {
+	if err != nil {
-		t.Errorf("Output format = %v, want image/webp", mime)
+		t.Fatalf("DetectFormat() error = %v", err)
+	}
+
+	if mime != MIMETypeWebP {
+		t.Errorf("Output format = %v, want %v", mime, MIMETypeWebP)
 	}
 
 	// Verify dimensions
@@ -431,7 +426,7 @@ func TestImageProcessor_EncodeWebP(t *testing.T) {
 }
 
 func TestImageProcessor_DecodeAVIF(t *testing.T) {
-	proc := New(Params{})
+	proc := NewImageProcessor()
 	ctx := context.Background()
 
 	// Load test AVIF file
@@ -441,7 +436,7 @@ func TestImageProcessor_DecodeAVIF(t *testing.T) {
 	}
 
 	// Request resize and convert to JPEG
-	req := &Request{
+	req := &ImageRequest{
 		Size:    Size{Width: 2, Height: 2},
 		Format:  FormatJPEG,
 		Quality: 85,
@@ -460,84 +455,23 @@ func TestImageProcessor_DecodeAVIF(t *testing.T) {
 		t.Fatalf("failed to read result: %v", err)
 	}
 
-	mime := detectMIME(data)
+	mime, err := DetectFormat(data)
-	if mime != "image/jpeg" {
-		t.Errorf("Output format = %v, want image/jpeg", mime)
-	}
-}
-
-func TestImageProcessor_RejectsOversizedInputData(t *testing.T) {
-	// Create a processor with a very small byte limit
-	const limit = 1024
-	proc := New(Params{MaxInputBytes: limit})
-	ctx := context.Background()
-
-	// Create a valid JPEG that exceeds the byte limit
-	input := createTestJPEG(t, 800, 600) // will be well over 1 KiB
-	if int64(len(input)) <= limit {
-		t.Fatalf("test JPEG must exceed %d bytes, got %d", limit, len(input))
-	}
-
-	req := &Request{
-		Size:    Size{Width: 100, Height: 75},
-		Format:  FormatJPEG,
-		Quality: 85,
-		FitMode: FitCover,
-	}
-
-	_, err := proc.Process(ctx, bytes.NewReader(input), req)
-	if err == nil {
-		t.Fatal("Process() should reject input exceeding maxInputBytes")
-	}
-
-	if err != ErrInputDataTooLarge {
-		t.Errorf("Process() error = %v, want ErrInputDataTooLarge", err)
-	}
-}
-
-func TestImageProcessor_AcceptsInputWithinLimit(t *testing.T) {
-	// Create a small image and set limit well above its size
-	input := createTestJPEG(t, 10, 10)
-	limit := int64(len(input)) * 10 // 10× headroom
-
-	proc := New(Params{MaxInputBytes: limit})
-	ctx := context.Background()
-
-	req := &Request{
-		Size:    Size{Width: 10, Height: 10},
-		Format:  FormatJPEG,
-		Quality: 85,
-		FitMode: FitCover,
-	}
-
-	result, err := proc.Process(ctx, bytes.NewReader(input), req)
 	if err != nil {
-		t.Fatalf("Process() error = %v, want nil", err)
+		t.Fatalf("DetectFormat() error = %v", err)
-	}
-	defer result.Content.Close()
 	}
 
-func TestImageProcessor_DefaultMaxInputBytes(t *testing.T) {
+	if mime != MIMETypeJPEG {
-	// Passing 0 should use the default
+		t.Errorf("Output format = %v, want %v", mime, MIMETypeJPEG)
-	proc := New(Params{})
-	if proc.maxInputBytes != DefaultMaxInputBytes {
-		t.Errorf("maxInputBytes = %d, want %d", proc.maxInputBytes, DefaultMaxInputBytes)
-	}
-
-	// Passing negative should also use the default
-	proc = New(Params{MaxInputBytes: -1})
-	if proc.maxInputBytes != DefaultMaxInputBytes {
-		t.Errorf("maxInputBytes = %d, want %d", proc.maxInputBytes, DefaultMaxInputBytes)
 	}
 }
 
 func TestImageProcessor_EncodeAVIF(t *testing.T) {
-	proc := New(Params{})
+	proc := NewImageProcessor()
 	ctx := context.Background()
 
 	input := createTestJPEG(t, 200, 150)
 
-	req := &Request{
+	req := &ImageRequest{
 		Size:    Size{Width: 100, Height: 75},
 		Format:  FormatAVIF,
 		Quality: 85,
@@ -556,9 +490,13 @@ func TestImageProcessor_EncodeAVIF(t *testing.T) {
 		t.Fatalf("failed to read result: %v", err)
 	}
 
-	mime := detectMIME(data)
+	mime, err := DetectFormat(data)
-	if mime != "image/avif" {
+	if err != nil {
-		t.Errorf("Output format = %v, want image/avif", mime)
+		t.Fatalf("DetectFormat() error = %v", err)
+	}
+
+	if mime != MIMETypeAVIF {
+		t.Errorf("Output format = %v, want %v", mime, MIMETypeAVIF)
 	}
 
 	// Verify dimensions

internal/imgcache/service.go

@@ -11,19 +11,17 @@ import (
 	"time"
 
 	"github.com/dustin/go-humanize"
-	"sneak.berlin/go/pixa/internal/imageprocessor"
 )
 
 // Service implements the ImageCache interface, orchestrating cache, fetcher, and processor.
 type Service struct {
 	cache     *Cache
 	fetcher   Fetcher
-	processor       *imageprocessor.ImageProcessor
+	processor Processor
 	signer    *Signer
 	whitelist *HostWhitelist
 	log       *slog.Logger
 	allowHTTP bool
-	maxResponseSize int64
 }
 
 // ServiceConfig holds configuration for the image service.
@@ -52,17 +50,15 @@ func NewService(cfg *ServiceConfig) (*Service, error) {
 		return nil, errors.New("signing key is required")
 	}
 
-	// Resolve fetcher config for defaults
-	fetcherCfg := cfg.FetcherConfig
-	if fetcherCfg == nil {
-		fetcherCfg = DefaultFetcherConfig()
-	}
-
 	// Use custom fetcher if provided, otherwise create HTTP fetcher
 	var fetcher Fetcher
 	if cfg.Fetcher != nil {
 		fetcher = cfg.Fetcher
 	} else {
+		fetcherCfg := cfg.FetcherConfig
+		if fetcherCfg == nil {
+			fetcherCfg = DefaultFetcherConfig()
+		}
 		fetcher = NewHTTPFetcher(fetcherCfg)
 	}
 
@@ -78,17 +74,14 @@ func NewService(cfg *ServiceConfig) (*Service, error) {
 		allowHTTP = cfg.FetcherConfig.AllowHTTP
 	}
 
-	maxResponseSize := fetcherCfg.MaxResponseSize
-
 	return &Service{
 		cache:     cfg.Cache,
 		fetcher:   fetcher,
-		processor:       imageprocessor.New(imageprocessor.Params{MaxInputBytes: maxResponseSize}),
+		processor: NewImageProcessor(),
 		signer:    signer,
 		whitelist: NewHostWhitelist(cfg.Whitelist),
 		log:       log,
 		allowHTTP: allowHTTP,
-		maxResponseSize: maxResponseSize,
 	}, nil
 }
 
@@ -153,40 +146,6 @@ func (s *Service) Get(ctx context.Context, req *ImageRequest) (*ImageResponse, e
 	return response, nil
 }
 
-// loadCachedSource attempts to load source content from cache, returning nil
-// if the cached data is unavailable or exceeds maxResponseSize.
-func (s *Service) loadCachedSource(contentHash ContentHash) []byte {
-	reader, err := s.cache.GetSourceContent(contentHash)
-	if err != nil {
-		s.log.Warn("failed to load cached source, fetching", "error", err)
-
-		return nil
-	}
-
-	// Bound the read to maxResponseSize to prevent unbounded memory use
-	// from unexpectedly large cached files.
-	limited := io.LimitReader(reader, s.maxResponseSize+1)
-	data, err := io.ReadAll(limited)
-	_ = reader.Close()
-
-	if err != nil {
-		s.log.Warn("failed to read cached source, fetching", "error", err)
-
-		return nil
-	}
-
-	if int64(len(data)) > s.maxResponseSize {
-		s.log.Warn("cached source exceeds max response size, discarding",
-			"hash", contentHash,
-			"max_bytes", s.maxResponseSize,
-		)
-
-		return nil
-	}
-
-	return data
-}
-
 // processFromSourceOrFetch processes an image, using cached source content if available.
 func (s *Service) processFromSourceOrFetch(
 	ctx context.Context,
@@ -203,8 +162,22 @@ func (s *Service) processFromSourceOrFetch(
 	var fetchBytes int64
 
 	if contentHash != "" {
+		// We have cached source - load it
 		s.log.Debug("using cached source", "hash", contentHash)
-		sourceData = s.loadCachedSource(contentHash)
+
+		reader, err := s.cache.GetSourceContent(contentHash)
+		if err != nil {
+			s.log.Warn("failed to load cached source, fetching", "error", err)
+			// Fall through to fetch
+		} else {
+			sourceData, err = io.ReadAll(reader)
+			_ = reader.Close()
+
+			if err != nil {
+				s.log.Warn("failed to read cached source, fetching", "error", err)
+				// Fall through to fetch
+			}
+		}
 	}
 
 	// Fetch from upstream if we don't have source data or it's empty
@@ -301,14 +274,7 @@ func (s *Service) processAndStore(
 	// Process the image
 	processStart := time.Now()
 
-	processReq := &imageprocessor.Request{
+	processResult, err := s.processor.Process(ctx, bytes.NewReader(sourceData), req)
-		Size:    imageprocessor.Size{Width: req.Size.Width, Height: req.Size.Height},
-		Format:  imageprocessor.Format(req.Format),
-		Quality: req.Quality,
-		FitMode: imageprocessor.FitMode(req.FitMode),
-	}
-
-	processResult, err := s.processor.Process(ctx, bytes.NewReader(sourceData), processReq)
 	if err != nil {
 		return nil, fmt.Errorf("image processing failed: %w", err)
 	}

internal/imgcache/service_test.go

@@ -151,74 +151,6 @@ func TestService_Get_NonWhitelistedHost_InvalidSignature(t *testing.T) {
 	}
 }
 
-// TestService_ValidateRequest_SignatureExactHostMatch verifies that
-// ValidateRequest enforces exact host matching for signatures. A
-// signature for one host must not verify for a different host, even
-// if they share a domain suffix.
-func TestService_ValidateRequest_SignatureExactHostMatch(t *testing.T) {
-	signingKey := "test-signing-key-must-be-32-chars"
-	svc, _ := SetupTestService(t,
-		WithSigningKey(signingKey),
-		WithNoWhitelist(),
-	)
-
-	signer := NewSigner(signingKey)
-
-	// Sign a request for "cdn.example.com"
-	signedReq := &ImageRequest{
-		SourceHost: "cdn.example.com",
-		SourcePath: "/photos/cat.jpg",
-		Size:       Size{Width: 50, Height: 50},
-		Format:     FormatJPEG,
-		Quality:    85,
-		FitMode:    FitCover,
-		Expires:    time.Now().Add(time.Hour),
-	}
-	signedReq.Signature = signer.Sign(signedReq)
-
-	// The original request should pass validation
-	t.Run("exact host passes", func(t *testing.T) {
-		err := svc.ValidateRequest(signedReq)
-		if err != nil {
-			t.Errorf("ValidateRequest() exact host failed: %v", err)
-		}
-	})
-
-	// Try to reuse the signature with different hosts
-	tests := []struct {
-		name string
-		host string
-	}{
-		{"parent domain", "example.com"},
-		{"sibling subdomain", "images.example.com"},
-		{"deeper subdomain", "a.cdn.example.com"},
-		{"evil suffix domain", "cdn.example.com.evil.com"},
-		{"prefixed host", "evilcdn.example.com"},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name+" rejected", func(t *testing.T) {
-			req := &ImageRequest{
-				SourceHost:  tt.host,
-				SourcePath:  signedReq.SourcePath,
-				SourceQuery: signedReq.SourceQuery,
-				Size:        signedReq.Size,
-				Format:      signedReq.Format,
-				Quality:     signedReq.Quality,
-				FitMode:     signedReq.FitMode,
-				Expires:     signedReq.Expires,
-				Signature:   signedReq.Signature,
-			}
-
-			err := svc.ValidateRequest(req)
-			if err == nil {
-				t.Errorf("ValidateRequest() should reject signature for host %q (signed for %q)",
-					tt.host, signedReq.SourceHost)
-			}
-		})
-	}
-}
-
 func TestService_Get_InvalidFile(t *testing.T) {
 	svc, fixtures := SetupTestService(t)
 	ctx := context.Background()

internal/imgcache/signature.go

@@ -43,11 +43,6 @@ func (s *Signer) Sign(req *ImageRequest) string {
 }
 
 // Verify checks if the signature on the request is valid and not expired.
-// Signatures are exact-match only: every component of the signed data
-// (host, path, query, dimensions, format, expiration) must match exactly.
-// No suffix matching, wildcard matching, or partial matching is supported.
-// A signature for "cdn.example.com" will NOT verify for "example.com" or
-// "other.cdn.example.com", and vice versa.
 func (s *Signer) Verify(req *ImageRequest) error {
 	// Check expiration first
 	if req.Expires.IsZero() {
@@ -71,8 +66,6 @@ func (s *Signer) Verify(req *ImageRequest) error {
 
 // buildSignatureData creates the string to be signed.
 // Format: "host:path:query:width:height:format:expiration"
-// All components are used verbatim (exact match). No normalization,
-// suffix matching, or wildcard expansion is performed.
 func (s *Signer) buildSignatureData(req *ImageRequest) string {
 	return fmt.Sprintf("%s:%s:%s:%d:%d:%s:%d",
 		req.SourceHost,

internal/imgcache/signature_test.go

@@ -152,178 +152,6 @@ func TestSigner_Verify(t *testing.T) {
 	}
 }
 
-// TestSigner_Verify_ExactMatchOnly verifies that signatures enforce exact
-// matching on every URL component. No suffix matching, wildcard matching,
-// or partial matching is supported.
-func TestSigner_Verify_ExactMatchOnly(t *testing.T) {
-	signer := NewSigner("test-secret-key")
-
-	// Base request that we'll sign, then tamper with individual fields.
-	baseReq := func() *ImageRequest {
-		req := &ImageRequest{
-			SourceHost:  "cdn.example.com",
-			SourcePath:  "/photos/cat.jpg",
-			SourceQuery: "token=abc",
-			Size:        Size{Width: 800, Height: 600},
-			Format:      FormatWebP,
-			Expires:     time.Now().Add(1 * time.Hour),
-		}
-		req.Signature = signer.Sign(req)
-
-		return req
-	}
-
-	tests := []struct {
-		name   string
-		tamper func(req *ImageRequest)
-	}{
-		{
-			name: "parent domain does not match subdomain",
-			tamper: func(req *ImageRequest) {
-				// Signed for cdn.example.com, try example.com
-				req.SourceHost = "example.com"
-			},
-		},
-		{
-			name: "subdomain does not match parent domain",
-			tamper: func(req *ImageRequest) {
-				// Signed for cdn.example.com, try images.cdn.example.com
-				req.SourceHost = "images.cdn.example.com"
-			},
-		},
-		{
-			name: "sibling subdomain does not match",
-			tamper: func(req *ImageRequest) {
-				// Signed for cdn.example.com, try images.example.com
-				req.SourceHost = "images.example.com"
-			},
-		},
-		{
-			name: "host with suffix appended does not match",
-			tamper: func(req *ImageRequest) {
-				// Signed for cdn.example.com, try cdn.example.com.evil.com
-				req.SourceHost = "cdn.example.com.evil.com"
-			},
-		},
-		{
-			name: "host with prefix does not match",
-			tamper: func(req *ImageRequest) {
-				// Signed for cdn.example.com, try evilcdn.example.com
-				req.SourceHost = "evilcdn.example.com"
-			},
-		},
-		{
-			name: "different path does not match",
-			tamper: func(req *ImageRequest) {
-				req.SourcePath = "/photos/dog.jpg"
-			},
-		},
-		{
-			name: "path suffix does not match",
-			tamper: func(req *ImageRequest) {
-				req.SourcePath = "/photos/cat.jpg/extra"
-			},
-		},
-		{
-			name: "path prefix does not match",
-			tamper: func(req *ImageRequest) {
-				req.SourcePath = "/other/photos/cat.jpg"
-			},
-		},
-		{
-			name: "different query does not match",
-			tamper: func(req *ImageRequest) {
-				req.SourceQuery = "token=xyz"
-			},
-		},
-		{
-			name: "added query does not match empty query",
-			tamper: func(req *ImageRequest) {
-				req.SourceQuery = "extra=1"
-			},
-		},
-		{
-			name: "removed query does not match",
-			tamper: func(req *ImageRequest) {
-				req.SourceQuery = ""
-			},
-		},
-		{
-			name: "different width does not match",
-			tamper: func(req *ImageRequest) {
-				req.Size.Width = 801
-			},
-		},
-		{
-			name: "different height does not match",
-			tamper: func(req *ImageRequest) {
-				req.Size.Height = 601
-			},
-		},
-		{
-			name: "different format does not match",
-			tamper: func(req *ImageRequest) {
-				req.Format = FormatPNG
-			},
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			req := baseReq()
-			tt.tamper(req)
-
-			err := signer.Verify(req)
-			if err != ErrSignatureInvalid {
-				t.Errorf("Verify() = %v, want %v", err, ErrSignatureInvalid)
-			}
-		})
-	}
-
-	// Verify the unmodified base request still passes
-	t.Run("unmodified request passes", func(t *testing.T) {
-		req := baseReq()
-		if err := signer.Verify(req); err != nil {
-			t.Errorf("Verify() unmodified request failed: %v", err)
-		}
-	})
-}
-
-// TestSigner_Sign_ExactHostInData verifies that Sign uses the exact host
-// string in the signature data, producing different signatures for
-// suffix-related hosts.
-func TestSigner_Sign_ExactHostInData(t *testing.T) {
-	signer := NewSigner("test-secret-key")
-
-	hosts := []string{
-		"cdn.example.com",
-		"example.com",
-		"images.example.com",
-		"images.cdn.example.com",
-		"cdn.example.com.evil.com",
-	}
-
-	sigs := make(map[string]string)
-
-	for _, host := range hosts {
-		req := &ImageRequest{
-			SourceHost:  host,
-			SourcePath:  "/photos/cat.jpg",
-			SourceQuery: "",
-			Size:        Size{Width: 800, Height: 600},
-			Format:      FormatWebP,
-			Expires:     time.Unix(1704067200, 0),
-		}
-
-		sig := signer.Sign(req)
-		if existing, ok := sigs[sig]; ok {
-			t.Errorf("hosts %q and %q produced the same signature", existing, host)
-		}
-
-		sigs[sig] = host
-	}
-}
-
 func TestSigner_DifferentKeys(t *testing.T) {
 	signer1 := NewSigner("secret-key-1")
 	signer2 := NewSigner("secret-key-2")