chore: remove local dev config files

Remove config.yaml and config.dev.yml (local development configs with
hardcoded keys that shouldn't be committed). config.example.yml remains
as the canonical example config. Added removed files to .gitignore.

.gitignore

@@ -18,3 +18,7 @@ vendor/
 # Data
 /data/
 *.sqlite3
+
+# Local dev configs
+config.yaml
+config.dev.yml

config.dev.yml

@@ -1,11 +0,0 @@
-# Development config for local Docker testing
-signing_key: "dev-signing-key-minimum-32-chars!"
-debug: true
-allow_http: true
-whitelist_hosts:
-  - localhost
-  - s3.sneak.cloud
-  - static.sneak.cloud
-  - sneak.berlin
-  - github.com
-  - user-images.githubusercontent.com

config.yaml

@@ -1,10 +0,0 @@
-debug: true
-port: 8080
-state_dir: ./data
-signing_key: "test-signing-key-for-development-only"
-whitelist_hosts:
-  - "*.example.com"
-  - "images.unsplash.com"
-  - "picsum.photos"
-  - "s3.sneak.cloud"
-allow_http: false

internal/imgcache/imgcache.go

@@ -79,11 +79,18 @@ type ImageRequest struct {
 	Signature string
 	// Expires is the signature expiration timestamp
 	Expires time.Time
+	// AllowHTTP indicates whether HTTP (non-TLS) is allowed for this request
+	AllowHTTP bool
 }
 
-// SourceURL returns the full upstream URL to fetch
+// SourceURL returns the full upstream URL to fetch.
+// Uses http:// scheme when AllowHTTP is true, otherwise https://.
 func (r *ImageRequest) SourceURL() string {
-	url := "https://" + r.SourceHost + r.SourcePath
+	scheme := "https"
+	if r.AllowHTTP {
+		scheme = "http"
+	}
+	url := scheme + "://" + r.SourceHost + r.SourcePath
 	if r.SourceQuery != "" {
 		url += "?" + r.SourceQuery
 	}

internal/imgcache/service.go

@@ -21,6 +21,7 @@ type Service struct {
 	signer    *Signer
 	whitelist *HostWhitelist
 	log       *slog.Logger
+	allowHTTP bool
 }
 
 // ServiceConfig holds configuration for the image service.
@@ -68,6 +69,11 @@ func NewService(cfg *ServiceConfig) (*Service, error) {
 		log = slog.Default()
 	}
 
+	allowHTTP := false
+	if cfg.FetcherConfig != nil {
+		allowHTTP = cfg.FetcherConfig.AllowHTTP
+	}
+
 	return &Service{
 		cache:     cfg.Cache,
 		fetcher:   fetcher,
@@ -75,6 +81,7 @@ func NewService(cfg *ServiceConfig) (*Service, error) {
 		signer:    signer,
 		whitelist: NewHostWhitelist(cfg.Whitelist),
 		log:       log,
+		allowHTTP: allowHTTP,
 	}, nil
 }
 
@@ -83,6 +90,9 @@ var ErrNegativeCached = errors.New("request is in negative cache (recently faile
 
 // Get retrieves a processed image, fetching and processing if necessary.
 func (s *Service) Get(ctx context.Context, req *ImageRequest) (*ImageResponse, error) {
+	// Propagate AllowHTTP setting to the request
+	req.AllowHTTP = s.allowHTTP
+
 	// Check negative cache first - skip fetching for recently-failed URLs
 	negHit, err := s.cache.checkNegativeCache(ctx, req)
 	if err != nil {

internal/imgcache/sourceurl_test.go

@@ -0,0 +1,44 @@
+package imgcache
+
+import "testing"
+
+func TestImageRequest_SourceURL_DefaultHTTPS(t *testing.T) {
+	req := &ImageRequest{
+		SourceHost:  "cdn.example.com",
+		SourcePath:  "/photos/cat.jpg",
+		SourceQuery: "v=2",
+	}
+
+	got := req.SourceURL()
+	want := "https://cdn.example.com/photos/cat.jpg?v=2"
+	if got != want {
+		t.Errorf("SourceURL() = %q, want %q", got, want)
+	}
+}
+
+func TestImageRequest_SourceURL_AllowHTTP(t *testing.T) {
+	req := &ImageRequest{
+		SourceHost: "localhost:8080",
+		SourcePath: "/photos/cat.jpg",
+		AllowHTTP:  true,
+	}
+
+	got := req.SourceURL()
+	want := "http://localhost:8080/photos/cat.jpg"
+	if got != want {
+		t.Errorf("SourceURL() = %q, want %q", got, want)
+	}
+}
+
+func TestImageRequest_SourceURL_AllowHTTPFalse(t *testing.T) {
+	req := &ImageRequest{
+		SourceHost: "cdn.example.com",
+		SourcePath: "/img.jpg",
+		AllowHTTP:  false,
+	}
+
+	got := req.SourceURL()
+	if got != "https://cdn.example.com/img.jpg" {
+		t.Errorf("SourceURL() = %q, want https scheme", got)
+	}
+}