bound imageprocessor.Process input read to prevent unbounded memory use

ImageProcessor.Process used io.ReadAll without a size limit, allowing
arbitrarily large inputs to exhaust memory. Add a configurable
maxInputBytes limit (default 50 MiB, matching the fetcher limit) and
reject inputs that exceed it with ErrInputDataTooLarge.

Also bound the cached source content read in the service layer to
prevent unexpectedly large cached files from consuming unbounded memory.

Extracted loadCachedSource helper to reduce nesting complexity.

README.md

@@ -67,10 +67,7 @@ hosts require an HMAC-SHA256 signature.
 #### Signature Specification
 
 Signatures use HMAC-SHA256 and include an expiration timestamp to
-prevent replay attacks. Signatures are **exact match only**: every
+prevent replay attacks.
-component (host, path, query, dimensions, format, expiration) must
-match exactly what was signed. No suffix matching, wildcard matching,
-or partial matching is supported.
 
 **Signed data format** (colon-separated):
 

cmd/pixad/main.go

@@ -17,7 +17,10 @@ import (
 	"sneak.berlin/go/pixa/internal/server"
 )
 
-var Version string //nolint:gochecknoglobals // set by ldflags
+var (
+	Appname = "pixad" //nolint:gochecknoglobals // set by ldflags
+	Version string    //nolint:gochecknoglobals // set by ldflags
+)
 
 var configPath string //nolint:gochecknoglobals // cobra flag
 
@@ -37,6 +40,7 @@ func main() {
 }
 
 func run(_ *cobra.Command, _ []string) {
+	globals.Appname = Appname
 	globals.Version = Version
 
 	// Set config path in environment if specified via flag

internal/database/database.go

@@ -9,7 +9,6 @@ import (
 	"log/slog"
 	"path/filepath"
 	"sort"
-	"strconv"
 	"strings"
 
 	"go.uber.org/fx"
@@ -22,10 +21,6 @@ import (
 //go:embed schema/*.sql
 var schemaFS embed.FS
 
-// bootstrapVersion is the migration that creates the schema_migrations
-// table itself. It is applied before the normal migration loop.
-const bootstrapVersion = 0
-
 // Params defines dependencies for Database.
 type Params struct {
 	fx.In
@@ -40,46 +35,6 @@ type Database struct {
 	config *config.Config
 }
 
-// ParseMigrationVersion extracts the numeric version prefix from a migration
-// filename. Filenames must follow the pattern "<version>.sql" or
-// "<version>_<description>.sql", where version is a zero-padded numeric
-// string (e.g. "001", "002"). Returns the version as an integer and an
-// error if the filename does not match the expected pattern.
-func ParseMigrationVersion(filename string) (int, error) {
-	name := strings.TrimSuffix(filename, filepath.Ext(filename))
-	if name == "" {
-		return 0, fmt.Errorf("invalid migration filename %q: empty name", filename)
-	}
-
-	// Split on underscore to separate version from description.
-	// If there's no underscore, the entire stem is the version.
-	versionStr := name
-	if idx := strings.IndexByte(name, '_'); idx >= 0 {
-		versionStr = name[:idx]
-	}
-
-	if versionStr == "" {
-		return 0, fmt.Errorf("invalid migration filename %q: empty version prefix", filename)
-	}
-
-	// Validate the version is purely numeric.
-	for _, ch := range versionStr {
-		if ch < '0' || ch > '9' {
-			return 0, fmt.Errorf(
-				"invalid migration filename %q: version %q contains non-numeric character %q",
-				filename, versionStr, string(ch),
-			)
-		}
-	}
-
-	version, err := strconv.Atoi(versionStr)
-	if err != nil {
-		return 0, fmt.Errorf("invalid migration filename %q: %w", filename, err)
-	}
-
-	return version, nil
-}
-
 // New creates a new Database instance.
 func New(lc fx.Lifecycle, params Params) (*Database, error) {
 	s := &Database{
@@ -129,87 +84,43 @@ func (s *Database) connect(ctx context.Context) error {
 	s.db = db
 	s.log.Info("database connected")
 
-	return ApplyMigrations(ctx, s.db, s.log)
+	return s.runMigrations(ctx)
 }
 
-// collectMigrations reads the embedded schema directory and returns
+func (s *Database) runMigrations(ctx context.Context) error {
-// migration filenames sorted lexicographically.
+	// Create migrations tracking table
-func collectMigrations() ([]string, error) {
+	_, err := s.db.ExecContext(ctx, `
+		CREATE TABLE IF NOT EXISTS schema_migrations (
+			version TEXT PRIMARY KEY,
+			applied_at DATETIME DEFAULT CURRENT_TIMESTAMP
+		)
+	`)
+	if err != nil {
+		return fmt.Errorf("failed to create migrations table: %w", err)
+	}
+
+	// Get list of migration files
 	entries, err := schemaFS.ReadDir("schema")
 	if err != nil {
-		return nil, fmt.Errorf("failed to read schema directory: %w", err)
+		return fmt.Errorf("failed to read schema directory: %w", err)
 	}
 
+	// Sort migration files by name (001.sql, 002.sql, etc.)
 	var migrations []string
-
 	for _, entry := range entries {
 		if !entry.IsDir() && strings.HasSuffix(entry.Name(), ".sql") {
 			migrations = append(migrations, entry.Name())
 		}
 	}
-
 	sort.Strings(migrations)
 
-	return migrations, nil
+	// Apply each migration that hasn't been applied yet
-}
-
-// bootstrapMigrationsTable ensures the schema_migrations table exists
-// by applying 000.sql if the table is missing.
-func bootstrapMigrationsTable(ctx context.Context, db *sql.DB, log *slog.Logger) error {
-	var tableExists int
-
-	err := db.QueryRowContext(ctx,
-		"SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name='schema_migrations'",
-	).Scan(&tableExists)
-	if err != nil {
-		return fmt.Errorf("failed to check for migrations table: %w", err)
-	}
-
-	if tableExists > 0 {
-		return nil
-	}
-
-	content, err := schemaFS.ReadFile("schema/000.sql")
-	if err != nil {
-		return fmt.Errorf("failed to read bootstrap migration 000.sql: %w", err)
-	}
-
-	if log != nil {
-		log.Info("applying bootstrap migration", "version", bootstrapVersion)
-	}
-
-	_, err = db.ExecContext(ctx, string(content))
-	if err != nil {
-		return fmt.Errorf("failed to apply bootstrap migration: %w", err)
-	}
-
-	return nil
-}
-
-// ApplyMigrations applies all pending migrations to db. An optional logger
-// may be provided for informational output; pass nil for silent operation.
-// This is exported so tests can apply the real schema without the full fx
-// lifecycle.
-func ApplyMigrations(ctx context.Context, db *sql.DB, log *slog.Logger) error {
-	if err := bootstrapMigrationsTable(ctx, db, log); err != nil {
-		return err
-	}
-
-	migrations, err := collectMigrations()
-	if err != nil {
-		return err
-	}
-
 	for _, migration := range migrations {
-		version, parseErr := ParseMigrationVersion(migration)
+		version := strings.TrimSuffix(migration, filepath.Ext(migration))
-		if parseErr != nil {
-			return parseErr
-		}
 
-		// Check if already applied.
+		// Check if already applied
 		var count int
-
+		err := s.db.QueryRowContext(ctx,
-		err := db.QueryRowContext(ctx,
 			"SELECT COUNT(*) FROM schema_migrations WHERE version = ?",
 			version,
 		).Scan(&count)
@@ -218,40 +129,34 @@ func ApplyMigrations(ctx context.Context, db *sql.DB, log *slog.Logger) error {
 		}
 
 		if count > 0 {
-			if log != nil {
+			s.log.Debug("migration already applied", "version", version)
-				log.Debug("migration already applied", "version", version)
-			}
 
 			continue
 		}
 
-		// Read and apply migration.
+		// Read and apply migration
-		content, readErr := schemaFS.ReadFile(filepath.Join("schema", migration))
+		content, err := schemaFS.ReadFile(filepath.Join("schema", migration))
-		if readErr != nil {
+		if err != nil {
-			return fmt.Errorf("failed to read migration %s: %w", migration, readErr)
+			return fmt.Errorf("failed to read migration %s: %w", migration, err)
 		}
 
-		if log != nil {
+		s.log.Info("applying migration", "version", version)
-			log.Info("applying migration", "version", version)
+
+		_, err = s.db.ExecContext(ctx, string(content))
+		if err != nil {
+			return fmt.Errorf("failed to apply migration %s: %w", migration, err)
 		}
 
-		_, execErr := db.ExecContext(ctx, string(content))
+		// Record migration as applied
-		if execErr != nil {
+		_, err = s.db.ExecContext(ctx,
-			return fmt.Errorf("failed to apply migration %s: %w", migration, execErr)
-		}
-
-		// Record migration as applied.
-		_, recErr := db.ExecContext(ctx,
 			"INSERT INTO schema_migrations (version) VALUES (?)",
 			version,
 		)
-		if recErr != nil {
+		if err != nil {
-			return fmt.Errorf("failed to record migration %s: %w", migration, recErr)
+			return fmt.Errorf("failed to record migration %s: %w", migration, err)
 		}
 
-		if log != nil {
+		s.log.Info("migration applied successfully", "version", version)
-			log.Info("migration applied successfully", "version", version)
-		}
 	}
 
 	return nil
@@ -261,3 +166,77 @@ func ApplyMigrations(ctx context.Context, db *sql.DB, log *slog.Logger) error {
 func (s *Database) DB() *sql.DB {
 	return s.db
 }
+
+// ApplyMigrations applies all migrations to the given database.
+// This is useful for testing where you want to use the real schema
+// without the full fx lifecycle.
+func ApplyMigrations(db *sql.DB) error {
+	ctx := context.Background()
+
+	// Create migrations tracking table
+	_, err := db.ExecContext(ctx, `
+		CREATE TABLE IF NOT EXISTS schema_migrations (
+			version TEXT PRIMARY KEY,
+			applied_at DATETIME DEFAULT CURRENT_TIMESTAMP
+		)
+	`)
+	if err != nil {
+		return fmt.Errorf("failed to create migrations table: %w", err)
+	}
+
+	// Get list of migration files
+	entries, err := schemaFS.ReadDir("schema")
+	if err != nil {
+		return fmt.Errorf("failed to read schema directory: %w", err)
+	}
+
+	// Sort migration files by name (001.sql, 002.sql, etc.)
+	var migrations []string
+	for _, entry := range entries {
+		if !entry.IsDir() && strings.HasSuffix(entry.Name(), ".sql") {
+			migrations = append(migrations, entry.Name())
+		}
+	}
+	sort.Strings(migrations)
+
+	// Apply each migration that hasn't been applied yet
+	for _, migration := range migrations {
+		version := strings.TrimSuffix(migration, filepath.Ext(migration))
+
+		// Check if already applied
+		var count int
+		err := db.QueryRowContext(ctx,
+			"SELECT COUNT(*) FROM schema_migrations WHERE version = ?",
+			version,
+		).Scan(&count)
+		if err != nil {
+			return fmt.Errorf("failed to check migration status: %w", err)
+		}
+
+		if count > 0 {
+			continue
+		}
+
+		// Read and apply migration
+		content, err := schemaFS.ReadFile(filepath.Join("schema", migration))
+		if err != nil {
+			return fmt.Errorf("failed to read migration %s: %w", migration, err)
+		}
+
+		_, err = db.ExecContext(ctx, string(content))
+		if err != nil {
+			return fmt.Errorf("failed to apply migration %s: %w", migration, err)
+		}
+
+		// Record migration as applied
+		_, err = db.ExecContext(ctx,
+			"INSERT INTO schema_migrations (version) VALUES (?)",
+			version,
+		)
+		if err != nil {
+			return fmt.Errorf("failed to record migration %s: %w", migration, err)
+		}
+	}
+
+	return nil
+}

internal/database/database_test.go

@@ -1,224 +0,0 @@
-package database
-
-import (
-	"context"
-	"database/sql"
-	"testing"
-
-	_ "modernc.org/sqlite" // SQLite driver registration
-)
-
-// openTestDB returns a fresh in-memory SQLite database.
-func openTestDB(t *testing.T) *sql.DB {
-	t.Helper()
-
-	db, err := sql.Open("sqlite", ":memory:")
-	if err != nil {
-		t.Fatalf("failed to open test db: %v", err)
-	}
-
-	t.Cleanup(func() { db.Close() })
-
-	return db
-}
-
-func TestParseMigrationVersion(t *testing.T) {
-	tests := []struct {
-		name     string
-		filename string
-		want     int
-		wantErr  bool
-	}{
-		{
-			name:     "version only",
-			filename: "001.sql",
-			want:     1,
-		},
-		{
-			name:     "version with description",
-			filename: "001_initial_schema.sql",
-			want:     1,
-		},
-		{
-			name:     "multi-digit version",
-			filename: "042_add_indexes.sql",
-			want:     42,
-		},
-		{
-			name:     "long version number",
-			filename: "00001_long_prefix.sql",
-			want:     1,
-		},
-		{
-			name:     "description with multiple underscores",
-			filename: "003_add_user_auth_tables.sql",
-			want:     3,
-		},
-		{
-			name:     "empty filename",
-			filename: ".sql",
-			wantErr:  true,
-		},
-		{
-			name:     "leading underscore",
-			filename: "_description.sql",
-			wantErr:  true,
-		},
-		{
-			name:     "non-numeric version",
-			filename: "abc_migration.sql",
-			wantErr:  true,
-		},
-		{
-			name:     "mixed alphanumeric version",
-			filename: "001a_migration.sql",
-			wantErr:  true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			got, err := ParseMigrationVersion(tt.filename)
-			if tt.wantErr {
-				if err == nil {
-					t.Errorf("ParseMigrationVersion(%q) expected error, got %d", tt.filename, got)
-				}
-
-				return
-			}
-
-			if err != nil {
-				t.Errorf("ParseMigrationVersion(%q) unexpected error: %v", tt.filename, err)
-
-				return
-			}
-
-			if got != tt.want {
-				t.Errorf("ParseMigrationVersion(%q) = %d, want %d", tt.filename, got, tt.want)
-			}
-		})
-	}
-}
-
-func TestApplyMigrations_CreatesSchemaAndTables(t *testing.T) {
-	db := openTestDB(t)
-	ctx := context.Background()
-
-	if err := ApplyMigrations(ctx, db, nil); err != nil {
-		t.Fatalf("ApplyMigrations failed: %v", err)
-	}
-
-	// The schema_migrations table must exist and contain at least
-	// version 0 (the bootstrap) and 1 (the initial schema).
-	rows, err := db.Query("SELECT version FROM schema_migrations ORDER BY version")
-	if err != nil {
-		t.Fatalf("failed to query schema_migrations: %v", err)
-	}
-	defer rows.Close()
-
-	var versions []int
-	for rows.Next() {
-		var v int
-		if err := rows.Scan(&v); err != nil {
-			t.Fatalf("failed to scan version: %v", err)
-		}
-
-		versions = append(versions, v)
-	}
-
-	if err := rows.Err(); err != nil {
-		t.Fatalf("row iteration error: %v", err)
-	}
-
-	if len(versions) < 2 {
-		t.Fatalf("expected at least 2 migrations recorded, got %d: %v", len(versions), versions)
-	}
-
-	if versions[0] != 0 {
-		t.Errorf("first recorded migration = %d, want %d", versions[0], 0)
-	}
-
-	if versions[1] != 1 {
-		t.Errorf("second recorded migration = %d, want %d", versions[1], 1)
-	}
-
-	// Verify that the application tables created by 001.sql exist.
-	for _, table := range []string{"source_content", "source_metadata", "output_content", "request_cache", "negative_cache", "cache_stats"} {
-		var count int
-
-		err := db.QueryRow(
-			"SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name=?",
-			table,
-		).Scan(&count)
-		if err != nil {
-			t.Fatalf("failed to check for table %s: %v", table, err)
-		}
-
-		if count != 1 {
-			t.Errorf("table %s does not exist after migrations", table)
-		}
-	}
-}
-
-func TestApplyMigrations_Idempotent(t *testing.T) {
-	db := openTestDB(t)
-	ctx := context.Background()
-
-	if err := ApplyMigrations(ctx, db, nil); err != nil {
-		t.Fatalf("first ApplyMigrations failed: %v", err)
-	}
-
-	// Running a second time must succeed without errors.
-	if err := ApplyMigrations(ctx, db, nil); err != nil {
-		t.Fatalf("second ApplyMigrations failed: %v", err)
-	}
-
-	// Verify no duplicate rows in schema_migrations.
-	var count int
-
-	err := db.QueryRow("SELECT COUNT(*) FROM schema_migrations WHERE version = 0").Scan(&count)
-	if err != nil {
-		t.Fatalf("failed to count version 0 rows: %v", err)
-	}
-
-	if count != 1 {
-		t.Errorf("expected exactly 1 row for version 0, got %d", count)
-	}
-}
-
-func TestBootstrapMigrationsTable_FreshDatabase(t *testing.T) {
-	db := openTestDB(t)
-	ctx := context.Background()
-
-	if err := bootstrapMigrationsTable(ctx, db, nil); err != nil {
-		t.Fatalf("bootstrapMigrationsTable failed: %v", err)
-	}
-
-	// schema_migrations table must exist.
-	var tableCount int
-
-	err := db.QueryRow(
-		"SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name='schema_migrations'",
-	).Scan(&tableCount)
-	if err != nil {
-		t.Fatalf("failed to check for table: %v", err)
-	}
-
-	if tableCount != 1 {
-		t.Fatalf("schema_migrations table not created")
-	}
-
-	// Version 0 must be recorded.
-	var recorded int
-
-	err = db.QueryRow(
-		"SELECT COUNT(*) FROM schema_migrations WHERE version = 0",
-	).Scan(&recorded)
-	if err != nil {
-		t.Fatalf("failed to check version: %v", err)
-	}
-
-	if recorded != 1 {
-		t.Errorf("expected version 0 to be recorded, got count %d", recorded)
-	}
-}

internal/database/schema/000.sql

@@ -1,9 +0,0 @@
--- Migration 000: Schema migrations tracking table
--- Applied as a bootstrap step before the normal migration loop.
-
-CREATE TABLE IF NOT EXISTS schema_migrations (
-    version INTEGER PRIMARY KEY,
-    applied_at DATETIME DEFAULT CURRENT_TIMESTAMP
-);
-
-INSERT OR IGNORE INTO schema_migrations (version) VALUES (0);

internal/globals/globals.go

@@ -5,10 +5,11 @@ import (
 	"go.uber.org/fx"
 )
 
-const appname = "pixad"
+// Build-time variables populated from main() via ldflags.
-
+var (
-// Version is populated from main() via ldflags.
+	Appname string //nolint:gochecknoglobals // set from main
-var Version string //nolint:gochecknoglobals // set from main
+	Version string //nolint:gochecknoglobals // set from main
+)
 
 // Globals holds application-wide constants.
 type Globals struct {
@@ -19,7 +20,7 @@ type Globals struct {
 // New creates a new Globals instance from build-time variables.
 func New(_ fx.Lifecycle) (*Globals, error) {
 	return &Globals{
-		Appname: appname,
+		Appname: Appname,
 		Version: Version,
 	}, nil
 }

internal/handlers/handlers_test.go

@@ -82,7 +82,7 @@ func setupTestDB(t *testing.T) *sql.DB {
 		t.Fatalf("failed to open test db: %v", err)
 	}
 
-	if err := database.ApplyMigrations(context.Background(), db, nil); err != nil {
+	if err := database.ApplyMigrations(db); err != nil {
 		t.Fatalf("failed to apply migrations: %v", err)
 	}
 

internal/imgcache/imgcache.go

@@ -199,6 +199,36 @@ type FetchResult struct {
 	TLSCipherSuite string
 }
 
+// Processor handles image transformation (resize, format conversion)
+type Processor interface {
+	// Process transforms an image according to the request
+	Process(ctx context.Context, input io.Reader, req *ImageRequest) (*ProcessResult, error)
+	// SupportedInputFormats returns MIME types this processor can read
+	SupportedInputFormats() []string
+	// SupportedOutputFormats returns formats this processor can write
+	SupportedOutputFormats() []ImageFormat
+}
+
+// ProcessResult contains the result of image processing
+type ProcessResult struct {
+	// Content is the processed image data
+	Content io.ReadCloser
+	// ContentLength is the size in bytes
+	ContentLength int64
+	// ContentType is the MIME type of the output
+	ContentType string
+	// Width is the output image width
+	Width int
+	// Height is the output image height
+	Height int
+	// InputWidth is the original image width before processing
+	InputWidth int
+	// InputHeight is the original image height before processing
+	InputHeight int
+	// InputFormat is the detected input format (e.g., "jpeg", "png")
+	InputFormat string
+}
+
 // Storage handles persistent storage of cached content
 type Storage interface {
 	// Store saves content and returns its hash

internal/imgcache/processor.go

@@ -1,5 +1,4 @@
-// Package imageprocessor provides image format conversion and resizing using libvips.
+package imgcache
-package imageprocessor
 
 import (
 	"bytes"
@@ -23,68 +22,6 @@ func initVips() {
 	})
 }
 
-// Format represents supported output image formats.
-type Format string
-
-// Supported image output formats.
-const (
-	FormatOriginal Format = "orig"
-	FormatJPEG     Format = "jpeg"
-	FormatPNG      Format = "png"
-	FormatWebP     Format = "webp"
-	FormatAVIF     Format = "avif"
-	FormatGIF      Format = "gif"
-)
-
-// FitMode represents how to fit an image into requested dimensions.
-type FitMode string
-
-// Supported image fit modes.
-const (
-	FitCover   FitMode = "cover"
-	FitContain FitMode = "contain"
-	FitFill    FitMode = "fill"
-	FitInside  FitMode = "inside"
-	FitOutside FitMode = "outside"
-)
-
-// ErrInvalidFitMode is returned when an invalid fit mode is provided.
-var ErrInvalidFitMode = errors.New("invalid fit mode")
-
-// Size represents requested image dimensions.
-type Size struct {
-	Width  int
-	Height int
-}
-
-// Request holds the parameters for image processing.
-type Request struct {
-	Size    Size
-	Format  Format
-	Quality int
-	FitMode FitMode
-}
-
-// Result contains the output of image processing.
-type Result struct {
-	// Content is the processed image data.
-	Content io.ReadCloser
-	// ContentLength is the size in bytes.
-	ContentLength int64
-	// ContentType is the MIME type of the output.
-	ContentType string
-	// Width is the output image width.
-	Width int
-	// Height is the output image height.
-	Height int
-	// InputWidth is the original image width before processing.
-	InputWidth int
-	// InputHeight is the original image height before processing.
-	InputHeight int
-	// InputFormat is the detected input format (e.g., "jpeg", "png").
-	InputFormat string
-}
-
 // MaxInputDimension is the maximum allowed width or height for input images.
 // Images larger than this are rejected to prevent DoS via decompression bombs.
 const MaxInputDimension = 8192
@@ -102,25 +39,16 @@ var ErrInputDataTooLarge = errors.New("input data exceeds maximum allowed size")
 // ErrUnsupportedOutputFormat is returned when the requested output format is not supported.
 var ErrUnsupportedOutputFormat = errors.New("unsupported output format")
 
-// ImageProcessor implements image transformation using libvips via govips.
+// ImageProcessor implements the Processor interface using libvips via govips.
 type ImageProcessor struct {
 	maxInputBytes int64
 }
 
-// Params holds configuration for creating an ImageProcessor.
+// NewImageProcessor creates a new image processor with the given maximum input
-// Zero values use sensible defaults (MaxInputBytes defaults to DefaultMaxInputBytes).
+// size in bytes. If maxInputBytes is <= 0, DefaultMaxInputBytes is used.
-type Params struct {
+func NewImageProcessor(maxInputBytes int64) *ImageProcessor {
-	// MaxInputBytes is the maximum allowed input size in bytes.
-	// If <= 0, DefaultMaxInputBytes is used.
-	MaxInputBytes int64
-}
-
-// New creates a new image processor with the given parameters.
-// A zero-value Params{} uses sensible defaults.
-func New(params Params) *ImageProcessor {
 	initVips()
 
-	maxInputBytes := params.MaxInputBytes
 	if maxInputBytes <= 0 {
 		maxInputBytes = DefaultMaxInputBytes
 	}
@@ -134,8 +62,8 @@ func New(params Params) *ImageProcessor {
 func (p *ImageProcessor) Process(
 	_ context.Context,
 	input io.Reader,
-	req *Request,
+	req *ImageRequest,
-) (*Result, error) {
+) (*ProcessResult, error) {
 	// Read input with a size limit to prevent unbounded memory consumption.
 	// We read at most maxInputBytes+1 so we can detect if the input exceeds
 	// the limit without consuming additional memory.
@@ -205,10 +133,10 @@ func (p *ImageProcessor) Process(
 		return nil, fmt.Errorf("failed to encode: %w", err)
 	}
 
-	return &Result{
+	return &ProcessResult{
 		Content:       io.NopCloser(bytes.NewReader(output)),
 		ContentLength: int64(len(output)),
-		ContentType:   FormatToMIME(outputFormat),
+		ContentType:   ImageFormatToMIME(outputFormat),
 		Width:         img.Width(),
 		Height:        img.Height(),
 		InputWidth:    origWidth,
@@ -220,17 +148,17 @@ func (p *ImageProcessor) Process(
 // SupportedInputFormats returns MIME types this processor can read.
 func (p *ImageProcessor) SupportedInputFormats() []string {
 	return []string{
-		"image/jpeg",
+		string(MIMETypeJPEG),
-		"image/png",
+		string(MIMETypePNG),
-		"image/gif",
+		string(MIMETypeGIF),
-		"image/webp",
+		string(MIMETypeWebP),
-		"image/avif",
+		string(MIMETypeAVIF),
 	}
 }
 
 // SupportedOutputFormats returns formats this processor can write.
-func (p *ImageProcessor) SupportedOutputFormats() []Format {
+func (p *ImageProcessor) SupportedOutputFormats() []ImageFormat {
-	return []Format{
+	return []ImageFormat{
 		FormatJPEG,
 		FormatPNG,
 		FormatGIF,
@@ -239,24 +167,6 @@ func (p *ImageProcessor) SupportedOutputFormats() []Format {
 	}
 }
 
-// FormatToMIME converts a Format to its MIME type string.
-func FormatToMIME(format Format) string {
-	switch format {
-	case FormatJPEG:
-		return "image/jpeg"
-	case FormatPNG:
-		return "image/png"
-	case FormatWebP:
-		return "image/webp"
-	case FormatGIF:
-		return "image/gif"
-	case FormatAVIF:
-		return "image/avif"
-	default:
-		return "application/octet-stream"
-	}
-}
-
 // detectFormat returns the format string from a vips image.
 func (p *ImageProcessor) detectFormat(img *vips.ImageRef) string {
 	format := img.Format()
@@ -285,6 +195,7 @@ func (p *ImageProcessor) resize(img *vips.ImageRef, width, height int, fit FitMo
 
 	case FitContain:
 		// Resize to fit within dimensions, maintaining aspect ratio
+		// Calculate target dimensions maintaining aspect ratio
 		imgW, imgH := img.Width(), img.Height()
 		scaleW := float64(width) / float64(imgW)
 		scaleH := float64(height) / float64(imgH)
@@ -295,7 +206,7 @@ func (p *ImageProcessor) resize(img *vips.ImageRef, width, height int, fit FitMo
 		return img.Thumbnail(newW, newH, vips.InterestingNone)
 
 	case FitFill:
-		// Resize to exact dimensions (may distort)
+		// Resize to exact dimensions (may distort) - use ThumbnailWithSize with Force
 		return img.ThumbnailWithSize(width, height, vips.InterestingNone, vips.SizeForce)
 
 	case FitInside:
@@ -331,7 +242,7 @@ func (p *ImageProcessor) resize(img *vips.ImageRef, width, height int, fit FitMo
 const defaultQuality = 85
 
 // encode encodes an image to the specified format.
-func (p *ImageProcessor) encode(img *vips.ImageRef, format Format, quality int) ([]byte, error) {
+func (p *ImageProcessor) encode(img *vips.ImageRef, format ImageFormat, quality int) ([]byte, error) {
 	if quality <= 0 {
 		quality = defaultQuality
 	}
@@ -379,8 +290,8 @@ func (p *ImageProcessor) encode(img *vips.ImageRef, format Format, quality int)
 	return output, nil
 }
 
-// formatFromString converts a format string to Format.
+// formatFromString converts a format string to ImageFormat.
-func (p *ImageProcessor) formatFromString(format string) Format {
+func (p *ImageProcessor) formatFromString(format string) ImageFormat {
 	switch format {
 	case "jpeg":
 		return FormatJPEG

internal/imgcache/processor_test.go

@@ -1,4 +1,4 @@
-package imageprocessor
+package imgcache
 
 import (
 	"bytes"
@@ -70,36 +70,13 @@ func createTestPNG(t *testing.T, width, height int) []byte {
 	return buf.Bytes()
 }
 
-// detectMIME is a minimal magic-byte detector for test assertions.
-func detectMIME(data []byte) string {
-	if len(data) >= 3 && data[0] == 0xFF && data[1] == 0xD8 && data[2] == 0xFF {
-		return "image/jpeg"
-	}
-	if len(data) >= 8 && string(data[:8]) == "\x89PNG\r\n\x1a\n" {
-		return "image/png"
-	}
-	if len(data) >= 4 && string(data[:4]) == "GIF8" {
-		return "image/gif"
-	}
-	if len(data) >= 12 && string(data[:4]) == "RIFF" && string(data[8:12]) == "WEBP" {
-		return "image/webp"
-	}
-	if len(data) >= 12 && string(data[4:8]) == "ftyp" {
-		brand := string(data[8:12])
-		if brand == "avif" || brand == "avis" {
-			return "image/avif"
-		}
-	}
-	return ""
-}
-
 func TestImageProcessor_ResizeJPEG(t *testing.T) {
-	proc := New(Params{})
+	proc := NewImageProcessor(0)
 	ctx := context.Background()
 
 	input := createTestJPEG(t, 800, 600)
 
-	req := &Request{
+	req := &ImageRequest{
 		Size:    Size{Width: 400, Height: 300},
 		Format:  FormatJPEG,
 		Quality: 85,
@@ -130,19 +107,23 @@ func TestImageProcessor_ResizeJPEG(t *testing.T) {
 		t.Fatalf("failed to read result: %v", err)
 	}
 
-	mime := detectMIME(data)
+	mime, err := DetectFormat(data)
-	if mime != "image/jpeg" {
+	if err != nil {
-		t.Errorf("Output format = %v, want image/jpeg", mime)
+		t.Fatalf("DetectFormat() error = %v", err)
+	}
+
+	if mime != MIMETypeJPEG {
+		t.Errorf("Output format = %v, want %v", mime, MIMETypeJPEG)
 	}
 }
 
 func TestImageProcessor_ConvertToPNG(t *testing.T) {
-	proc := New(Params{})
+	proc := NewImageProcessor(0)
 	ctx := context.Background()
 
 	input := createTestJPEG(t, 200, 150)
 
-	req := &Request{
+	req := &ImageRequest{
 		Size:    Size{Width: 200, Height: 150},
 		Format:  FormatPNG,
 		FitMode: FitCover,
@@ -159,19 +140,23 @@ func TestImageProcessor_ConvertToPNG(t *testing.T) {
 		t.Fatalf("failed to read result: %v", err)
 	}
 
-	mime := detectMIME(data)
+	mime, err := DetectFormat(data)
-	if mime != "image/png" {
+	if err != nil {
-		t.Errorf("Output format = %v, want image/png", mime)
+		t.Fatalf("DetectFormat() error = %v", err)
+	}
+
+	if mime != MIMETypePNG {
+		t.Errorf("Output format = %v, want %v", mime, MIMETypePNG)
 	}
 }
 
 func TestImageProcessor_OriginalSize(t *testing.T) {
-	proc := New(Params{})
+	proc := NewImageProcessor(0)
 	ctx := context.Background()
 
 	input := createTestJPEG(t, 640, 480)
 
-	req := &Request{
+	req := &ImageRequest{
 		Size:    Size{Width: 0, Height: 0}, // Original size
 		Format:  FormatJPEG,
 		Quality: 85,
@@ -194,14 +179,14 @@ func TestImageProcessor_OriginalSize(t *testing.T) {
 }
 
 func TestImageProcessor_FitContain(t *testing.T) {
-	proc := New(Params{})
+	proc := NewImageProcessor(0)
 	ctx := context.Background()
 
 	// 800x400 image (2:1 aspect) into 400x400 box with contain
 	// Should result in 400x200 (maintaining aspect ratio)
 	input := createTestJPEG(t, 800, 400)
 
-	req := &Request{
+	req := &ImageRequest{
 		Size:    Size{Width: 400, Height: 400},
 		Format:  FormatJPEG,
 		Quality: 85,
@@ -221,14 +206,14 @@ func TestImageProcessor_FitContain(t *testing.T) {
 }
 
 func TestImageProcessor_ProportionalScale_WidthOnly(t *testing.T) {
-	proc := New(Params{})
+	proc := NewImageProcessor(0)
 	ctx := context.Background()
 
 	// 800x600 image, request width=400 height=0
 	// Should scale proportionally to 400x300
 	input := createTestJPEG(t, 800, 600)
 
-	req := &Request{
+	req := &ImageRequest{
 		Size:    Size{Width: 400, Height: 0},
 		Format:  FormatJPEG,
 		Quality: 85,
@@ -251,14 +236,14 @@ func TestImageProcessor_ProportionalScale_WidthOnly(t *testing.T) {
 }
 
 func TestImageProcessor_ProportionalScale_HeightOnly(t *testing.T) {
-	proc := New(Params{})
+	proc := NewImageProcessor(0)
 	ctx := context.Background()
 
 	// 800x600 image, request width=0 height=300
 	// Should scale proportionally to 400x300
 	input := createTestJPEG(t, 800, 600)
 
-	req := &Request{
+	req := &ImageRequest{
 		Size:    Size{Width: 0, Height: 300},
 		Format:  FormatJPEG,
 		Quality: 85,
@@ -281,12 +266,12 @@ func TestImageProcessor_ProportionalScale_HeightOnly(t *testing.T) {
 }
 
 func TestImageProcessor_ProcessPNG(t *testing.T) {
-	proc := New(Params{})
+	proc := NewImageProcessor(0)
 	ctx := context.Background()
 
 	input := createTestPNG(t, 400, 300)
 
-	req := &Request{
+	req := &ImageRequest{
 		Size:    Size{Width: 200, Height: 150},
 		Format:  FormatPNG,
 		FitMode: FitCover,
@@ -307,8 +292,13 @@ func TestImageProcessor_ProcessPNG(t *testing.T) {
 	}
 }
 
+func TestImageProcessor_ImplementsInterface(t *testing.T) {
+	// Verify ImageProcessor implements Processor interface
+	var _ Processor = (*ImageProcessor)(nil)
+}
+
 func TestImageProcessor_SupportedFormats(t *testing.T) {
-	proc := New(Params{})
+	proc := NewImageProcessor(0)
 
 	inputFormats := proc.SupportedInputFormats()
 	if len(inputFormats) == 0 {
@@ -322,14 +312,14 @@ func TestImageProcessor_SupportedFormats(t *testing.T) {
 }
 
 func TestImageProcessor_RejectsOversizedInput(t *testing.T) {
-	proc := New(Params{})
+	proc := NewImageProcessor(0)
 	ctx := context.Background()
 
 	// Create an image that exceeds MaxInputDimension (e.g., 10000x100)
 	// This should be rejected before processing to prevent DoS
 	input := createTestJPEG(t, 10000, 100)
 
-	req := &Request{
+	req := &ImageRequest{
 		Size:    Size{Width: 100, Height: 100},
 		Format:  FormatJPEG,
 		Quality: 85,
@@ -347,13 +337,13 @@ func TestImageProcessor_RejectsOversizedInput(t *testing.T) {
 }
 
 func TestImageProcessor_RejectsOversizedInputHeight(t *testing.T) {
-	proc := New(Params{})
+	proc := NewImageProcessor(0)
 	ctx := context.Background()
 
 	// Create an image with oversized height
 	input := createTestJPEG(t, 100, 10000)
 
-	req := &Request{
+	req := &ImageRequest{
 		Size:    Size{Width: 100, Height: 100},
 		Format:  FormatJPEG,
 		Quality: 85,
@@ -371,13 +361,14 @@ func TestImageProcessor_RejectsOversizedInputHeight(t *testing.T) {
 }
 
 func TestImageProcessor_AcceptsMaxDimensionInput(t *testing.T) {
-	proc := New(Params{})
+	proc := NewImageProcessor(0)
 	ctx := context.Background()
 
 	// Create an image at exactly MaxInputDimension - should be accepted
+	// Using smaller dimensions to keep test fast
 	input := createTestJPEG(t, MaxInputDimension, 100)
 
-	req := &Request{
+	req := &ImageRequest{
 		Size:    Size{Width: 100, Height: 100},
 		Format:  FormatJPEG,
 		Quality: 85,
@@ -392,12 +383,12 @@ func TestImageProcessor_AcceptsMaxDimensionInput(t *testing.T) {
 }
 
 func TestImageProcessor_EncodeWebP(t *testing.T) {
-	proc := New(Params{})
+	proc := NewImageProcessor(0)
 	ctx := context.Background()
 
 	input := createTestJPEG(t, 200, 150)
 
-	req := &Request{
+	req := &ImageRequest{
 		Size:    Size{Width: 100, Height: 75},
 		Format:  FormatWebP,
 		Quality: 80,
@@ -416,9 +407,13 @@ func TestImageProcessor_EncodeWebP(t *testing.T) {
 		t.Fatalf("failed to read result: %v", err)
 	}
 
-	mime := detectMIME(data)
+	mime, err := DetectFormat(data)
-	if mime != "image/webp" {
+	if err != nil {
-		t.Errorf("Output format = %v, want image/webp", mime)
+		t.Fatalf("DetectFormat() error = %v", err)
+	}
+
+	if mime != MIMETypeWebP {
+		t.Errorf("Output format = %v, want %v", mime, MIMETypeWebP)
 	}
 
 	// Verify dimensions
@@ -431,7 +426,7 @@ func TestImageProcessor_EncodeWebP(t *testing.T) {
 }
 
 func TestImageProcessor_DecodeAVIF(t *testing.T) {
-	proc := New(Params{})
+	proc := NewImageProcessor(0)
 	ctx := context.Background()
 
 	// Load test AVIF file
@@ -441,7 +436,7 @@ func TestImageProcessor_DecodeAVIF(t *testing.T) {
 	}
 
 	// Request resize and convert to JPEG
-	req := &Request{
+	req := &ImageRequest{
 		Size:    Size{Width: 2, Height: 2},
 		Format:  FormatJPEG,
 		Quality: 85,
@@ -460,16 +455,20 @@ func TestImageProcessor_DecodeAVIF(t *testing.T) {
 		t.Fatalf("failed to read result: %v", err)
 	}
 
-	mime := detectMIME(data)
+	mime, err := DetectFormat(data)
-	if mime != "image/jpeg" {
+	if err != nil {
-		t.Errorf("Output format = %v, want image/jpeg", mime)
+		t.Fatalf("DetectFormat() error = %v", err)
+	}
+
+	if mime != MIMETypeJPEG {
+		t.Errorf("Output format = %v, want %v", mime, MIMETypeJPEG)
 	}
 }
 
 func TestImageProcessor_RejectsOversizedInputData(t *testing.T) {
 	// Create a processor with a very small byte limit
 	const limit = 1024
-	proc := New(Params{MaxInputBytes: limit})
+	proc := NewImageProcessor(limit)
 	ctx := context.Background()
 
 	// Create a valid JPEG that exceeds the byte limit
@@ -478,7 +477,7 @@ func TestImageProcessor_RejectsOversizedInputData(t *testing.T) {
 		t.Fatalf("test JPEG must exceed %d bytes, got %d", limit, len(input))
 	}
 
-	req := &Request{
+	req := &ImageRequest{
 		Size:    Size{Width: 100, Height: 75},
 		Format:  FormatJPEG,
 		Quality: 85,
@@ -500,10 +499,10 @@ func TestImageProcessor_AcceptsInputWithinLimit(t *testing.T) {
 	input := createTestJPEG(t, 10, 10)
 	limit := int64(len(input)) * 10 // 10× headroom
 
-	proc := New(Params{MaxInputBytes: limit})
+	proc := NewImageProcessor(limit)
 	ctx := context.Background()
 
-	req := &Request{
+	req := &ImageRequest{
 		Size:    Size{Width: 10, Height: 10},
 		Format:  FormatJPEG,
 		Quality: 85,
@@ -519,25 +518,25 @@ func TestImageProcessor_AcceptsInputWithinLimit(t *testing.T) {
 
 func TestImageProcessor_DefaultMaxInputBytes(t *testing.T) {
 	// Passing 0 should use the default
-	proc := New(Params{})
+	proc := NewImageProcessor(0)
 	if proc.maxInputBytes != DefaultMaxInputBytes {
 		t.Errorf("maxInputBytes = %d, want %d", proc.maxInputBytes, DefaultMaxInputBytes)
 	}
 
 	// Passing negative should also use the default
-	proc = New(Params{MaxInputBytes: -1})
+	proc = NewImageProcessor(-1)
 	if proc.maxInputBytes != DefaultMaxInputBytes {
 		t.Errorf("maxInputBytes = %d, want %d", proc.maxInputBytes, DefaultMaxInputBytes)
 	}
 }
 
 func TestImageProcessor_EncodeAVIF(t *testing.T) {
-	proc := New(Params{})
+	proc := NewImageProcessor(0)
 	ctx := context.Background()
 
 	input := createTestJPEG(t, 200, 150)
 
-	req := &Request{
+	req := &ImageRequest{
 		Size:    Size{Width: 100, Height: 75},
 		Format:  FormatAVIF,
 		Quality: 85,
@@ -556,9 +555,13 @@ func TestImageProcessor_EncodeAVIF(t *testing.T) {
 		t.Fatalf("failed to read result: %v", err)
 	}
 
-	mime := detectMIME(data)
+	mime, err := DetectFormat(data)
-	if mime != "image/avif" {
+	if err != nil {
-		t.Errorf("Output format = %v, want image/avif", mime)
+		t.Fatalf("DetectFormat() error = %v", err)
+	}
+
+	if mime != MIMETypeAVIF {
+		t.Errorf("Output format = %v, want %v", mime, MIMETypeAVIF)
 	}
 
 	// Verify dimensions

internal/imgcache/service.go

@@ -11,14 +11,13 @@ import (
 	"time"
 
 	"github.com/dustin/go-humanize"
-	"sneak.berlin/go/pixa/internal/imageprocessor"
 )
 
 // Service implements the ImageCache interface, orchestrating cache, fetcher, and processor.
 type Service struct {
 	cache           *Cache
 	fetcher         Fetcher
-	processor       *imageprocessor.ImageProcessor
+	processor       Processor
 	signer          *Signer
 	whitelist       *HostWhitelist
 	log             *slog.Logger
@@ -83,7 +82,7 @@ func NewService(cfg *ServiceConfig) (*Service, error) {
 	return &Service{
 		cache:           cfg.Cache,
 		fetcher:         fetcher,
-		processor:       imageprocessor.New(imageprocessor.Params{MaxInputBytes: maxResponseSize}),
+		processor:       NewImageProcessor(maxResponseSize),
 		signer:          signer,
 		whitelist:       NewHostWhitelist(cfg.Whitelist),
 		log:             log,
@@ -301,14 +300,7 @@ func (s *Service) processAndStore(
 	// Process the image
 	processStart := time.Now()
 
-	processReq := &imageprocessor.Request{
+	processResult, err := s.processor.Process(ctx, bytes.NewReader(sourceData), req)
-		Size:    imageprocessor.Size{Width: req.Size.Width, Height: req.Size.Height},
-		Format:  imageprocessor.Format(req.Format),
-		Quality: req.Quality,
-		FitMode: imageprocessor.FitMode(req.FitMode),
-	}
-
-	processResult, err := s.processor.Process(ctx, bytes.NewReader(sourceData), processReq)
 	if err != nil {
 		return nil, fmt.Errorf("image processing failed: %w", err)
 	}

internal/imgcache/service_test.go

@@ -151,74 +151,6 @@ func TestService_Get_NonWhitelistedHost_InvalidSignature(t *testing.T) {
 	}
 }
 
-// TestService_ValidateRequest_SignatureExactHostMatch verifies that
-// ValidateRequest enforces exact host matching for signatures. A
-// signature for one host must not verify for a different host, even
-// if they share a domain suffix.
-func TestService_ValidateRequest_SignatureExactHostMatch(t *testing.T) {
-	signingKey := "test-signing-key-must-be-32-chars"
-	svc, _ := SetupTestService(t,
-		WithSigningKey(signingKey),
-		WithNoWhitelist(),
-	)
-
-	signer := NewSigner(signingKey)
-
-	// Sign a request for "cdn.example.com"
-	signedReq := &ImageRequest{
-		SourceHost: "cdn.example.com",
-		SourcePath: "/photos/cat.jpg",
-		Size:       Size{Width: 50, Height: 50},
-		Format:     FormatJPEG,
-		Quality:    85,
-		FitMode:    FitCover,
-		Expires:    time.Now().Add(time.Hour),
-	}
-	signedReq.Signature = signer.Sign(signedReq)
-
-	// The original request should pass validation
-	t.Run("exact host passes", func(t *testing.T) {
-		err := svc.ValidateRequest(signedReq)
-		if err != nil {
-			t.Errorf("ValidateRequest() exact host failed: %v", err)
-		}
-	})
-
-	// Try to reuse the signature with different hosts
-	tests := []struct {
-		name string
-		host string
-	}{
-		{"parent domain", "example.com"},
-		{"sibling subdomain", "images.example.com"},
-		{"deeper subdomain", "a.cdn.example.com"},
-		{"evil suffix domain", "cdn.example.com.evil.com"},
-		{"prefixed host", "evilcdn.example.com"},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name+" rejected", func(t *testing.T) {
-			req := &ImageRequest{
-				SourceHost:  tt.host,
-				SourcePath:  signedReq.SourcePath,
-				SourceQuery: signedReq.SourceQuery,
-				Size:        signedReq.Size,
-				Format:      signedReq.Format,
-				Quality:     signedReq.Quality,
-				FitMode:     signedReq.FitMode,
-				Expires:     signedReq.Expires,
-				Signature:   signedReq.Signature,
-			}
-
-			err := svc.ValidateRequest(req)
-			if err == nil {
-				t.Errorf("ValidateRequest() should reject signature for host %q (signed for %q)",
-					tt.host, signedReq.SourceHost)
-			}
-		})
-	}
-}
-
 func TestService_Get_InvalidFile(t *testing.T) {
 	svc, fixtures := SetupTestService(t)
 	ctx := context.Background()

internal/imgcache/signature.go

@@ -43,11 +43,6 @@ func (s *Signer) Sign(req *ImageRequest) string {
 }
 
 // Verify checks if the signature on the request is valid and not expired.
-// Signatures are exact-match only: every component of the signed data
-// (host, path, query, dimensions, format, expiration) must match exactly.
-// No suffix matching, wildcard matching, or partial matching is supported.
-// A signature for "cdn.example.com" will NOT verify for "example.com" or
-// "other.cdn.example.com", and vice versa.
 func (s *Signer) Verify(req *ImageRequest) error {
 	// Check expiration first
 	if req.Expires.IsZero() {
@@ -71,8 +66,6 @@ func (s *Signer) Verify(req *ImageRequest) error {
 
 // buildSignatureData creates the string to be signed.
 // Format: "host:path:query:width:height:format:expiration"
-// All components are used verbatim (exact match). No normalization,
-// suffix matching, or wildcard expansion is performed.
 func (s *Signer) buildSignatureData(req *ImageRequest) string {
 	return fmt.Sprintf("%s:%s:%s:%d:%d:%s:%d",
 		req.SourceHost,

internal/imgcache/signature_test.go

@@ -152,178 +152,6 @@ func TestSigner_Verify(t *testing.T) {
 	}
 }
 
-// TestSigner_Verify_ExactMatchOnly verifies that signatures enforce exact
-// matching on every URL component. No suffix matching, wildcard matching,
-// or partial matching is supported.
-func TestSigner_Verify_ExactMatchOnly(t *testing.T) {
-	signer := NewSigner("test-secret-key")
-
-	// Base request that we'll sign, then tamper with individual fields.
-	baseReq := func() *ImageRequest {
-		req := &ImageRequest{
-			SourceHost:  "cdn.example.com",
-			SourcePath:  "/photos/cat.jpg",
-			SourceQuery: "token=abc",
-			Size:        Size{Width: 800, Height: 600},
-			Format:      FormatWebP,
-			Expires:     time.Now().Add(1 * time.Hour),
-		}
-		req.Signature = signer.Sign(req)
-
-		return req
-	}
-
-	tests := []struct {
-		name   string
-		tamper func(req *ImageRequest)
-	}{
-		{
-			name: "parent domain does not match subdomain",
-			tamper: func(req *ImageRequest) {
-				// Signed for cdn.example.com, try example.com
-				req.SourceHost = "example.com"
-			},
-		},
-		{
-			name: "subdomain does not match parent domain",
-			tamper: func(req *ImageRequest) {
-				// Signed for cdn.example.com, try images.cdn.example.com
-				req.SourceHost = "images.cdn.example.com"
-			},
-		},
-		{
-			name: "sibling subdomain does not match",
-			tamper: func(req *ImageRequest) {
-				// Signed for cdn.example.com, try images.example.com
-				req.SourceHost = "images.example.com"
-			},
-		},
-		{
-			name: "host with suffix appended does not match",
-			tamper: func(req *ImageRequest) {
-				// Signed for cdn.example.com, try cdn.example.com.evil.com
-				req.SourceHost = "cdn.example.com.evil.com"
-			},
-		},
-		{
-			name: "host with prefix does not match",
-			tamper: func(req *ImageRequest) {
-				// Signed for cdn.example.com, try evilcdn.example.com
-				req.SourceHost = "evilcdn.example.com"
-			},
-		},
-		{
-			name: "different path does not match",
-			tamper: func(req *ImageRequest) {
-				req.SourcePath = "/photos/dog.jpg"
-			},
-		},
-		{
-			name: "path suffix does not match",
-			tamper: func(req *ImageRequest) {
-				req.SourcePath = "/photos/cat.jpg/extra"
-			},
-		},
-		{
-			name: "path prefix does not match",
-			tamper: func(req *ImageRequest) {
-				req.SourcePath = "/other/photos/cat.jpg"
-			},
-		},
-		{
-			name: "different query does not match",
-			tamper: func(req *ImageRequest) {
-				req.SourceQuery = "token=xyz"
-			},
-		},
-		{
-			name: "added query does not match empty query",
-			tamper: func(req *ImageRequest) {
-				req.SourceQuery = "extra=1"
-			},
-		},
-		{
-			name: "removed query does not match",
-			tamper: func(req *ImageRequest) {
-				req.SourceQuery = ""
-			},
-		},
-		{
-			name: "different width does not match",
-			tamper: func(req *ImageRequest) {
-				req.Size.Width = 801
-			},
-		},
-		{
-			name: "different height does not match",
-			tamper: func(req *ImageRequest) {
-				req.Size.Height = 601
-			},
-		},
-		{
-			name: "different format does not match",
-			tamper: func(req *ImageRequest) {
-				req.Format = FormatPNG
-			},
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			req := baseReq()
-			tt.tamper(req)
-
-			err := signer.Verify(req)
-			if err != ErrSignatureInvalid {
-				t.Errorf("Verify() = %v, want %v", err, ErrSignatureInvalid)
-			}
-		})
-	}
-
-	// Verify the unmodified base request still passes
-	t.Run("unmodified request passes", func(t *testing.T) {
-		req := baseReq()
-		if err := signer.Verify(req); err != nil {
-			t.Errorf("Verify() unmodified request failed: %v", err)
-		}
-	})
-}
-
-// TestSigner_Sign_ExactHostInData verifies that Sign uses the exact host
-// string in the signature data, producing different signatures for
-// suffix-related hosts.
-func TestSigner_Sign_ExactHostInData(t *testing.T) {
-	signer := NewSigner("test-secret-key")
-
-	hosts := []string{
-		"cdn.example.com",
-		"example.com",
-		"images.example.com",
-		"images.cdn.example.com",
-		"cdn.example.com.evil.com",
-	}
-
-	sigs := make(map[string]string)
-
-	for _, host := range hosts {
-		req := &ImageRequest{
-			SourceHost:  host,
-			SourcePath:  "/photos/cat.jpg",
-			SourceQuery: "",
-			Size:        Size{Width: 800, Height: 600},
-			Format:      FormatWebP,
-			Expires:     time.Unix(1704067200, 0),
-		}
-
-		sig := signer.Sign(req)
-		if existing, ok := sigs[sig]; ok {
-			t.Errorf("hosts %q and %q produced the same signature", existing, host)
-		}
-
-		sigs[sig] = host
-	}
-}
-
 func TestSigner_DifferentKeys(t *testing.T) {
 	signer1 := NewSigner("secret-key-1")
 	signer2 := NewSigner("secret-key-2")

internal/imgcache/stats_test.go

@@ -16,7 +16,7 @@ func setupStatsTestDB(t *testing.T) *sql.DB {
 	if err != nil {
 		t.Fatal(err)
 	}
-	if err := database.ApplyMigrations(context.Background(), db, nil); err != nil {
+	if err := database.ApplyMigrations(db); err != nil {
 		t.Fatal(err)
 	}
 	t.Cleanup(func() { db.Close() })

internal/imgcache/testutil_test.go

@@ -2,7 +2,6 @@ package imgcache
 
 import (
 	"bytes"
-	"context"
 	"database/sql"
 	"image"
 	"image/color"
@@ -194,7 +193,7 @@ func setupServiceTestDB(t *testing.T) *sql.DB {
 	}
 
 	// Use the real production schema via migrations
-	if err := database.ApplyMigrations(context.Background(), db, nil); err != nil {
+	if err := database.ApplyMigrations(db); err != nil {
 		t.Fatalf("failed to apply migrations: %v", err)
 	}