feat: split Dockerfile into dedicated lint and build stages

- Add dedicated lint stage using pre-built golangci-lint v2.10.1 image
- Move fmt-check and lint from build stage to lint stage for faster feedback
- Remove manual golangci-lint binary download (now handled by lint image)
- Remove curl from build stage dependencies (no longer needed)
- Add COPY --from=lint dependency to force BuildKit to run lint stage
- Build stage now runs only tests and compilation

closes #20

Dockerfile

@@ -1,31 +1,32 @@
-# Lint stage
+# Lint stage — fast feedback on formatting and lint issues
-# golangci/golangci-lint:v2.10.1-alpine, 2026-02-17
+# golangci/golangci-lint:v2.10.1, 2026-03-01
-FROM golangci/golangci-lint:v2.10.1-alpine@sha256:33bc6b6156d4c7da87175f187090019769903d04dd408833b83083ed214b0ddf AS lint
+FROM golangci/golangci-lint@sha256:ea84d14c2fef724411be7dc45e09e6ef721d748315252b02df19a7e3113ee763 AS lint
 
-RUN apk add --no-cache make build-base vips-dev libheif-dev pkgconfig
+# Install CGO dependencies needed for static analysis of vips/libheif code
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    libvips-dev \
+    libheif-dev \
+    pkg-config \
+    && rm -rf /var/lib/apt/lists/*
 
 WORKDIR /src
-
-# Copy go mod files first for better layer caching
 COPY go.mod go.sum ./
 RUN go mod download
 
-# Copy source code
 COPY . .
 
-# Run formatting check and linter
 RUN make fmt-check
 RUN make lint
 
-# Build stage
+# Build stage — tests and compilation
 # golang:1.25.4-alpine, 2026-02-25
 FROM golang:1.25.4-alpine@sha256:d3f0cf7723f3429e3f9ed846243970b20a2de7bae6a5b66fc5914e228d831bbb AS builder
 
-# Depend on lint stage passing
-COPY --from=lint /src/go.sum /dev/null
-
 ARG VERSION=dev
 
+# Force BuildKit to run the lint stage by creating a stage dependency
+COPY --from=lint /src/go.sum /dev/null
+
 # Install build dependencies for CGO image libraries
 RUN apk add --no-cache \
     build-base \

README.md

@@ -96,10 +96,11 @@ expiration 1704067200:
 4. URL:
    `/v1/image/cdn.example.com/photos/cat.jpg/800x600.webp?sig=<base64url>&exp=1704067200`
 
-**Whitelist entries** are exact host matches only (e.g.
+**Whitelist patterns:**
-`cdn.example.com`). Suffix/wildcard matching is not supported —
+
-signatures are per-URL, so each allowed host must be listed
+- **Exact match**: `cdn.example.com` — matches only that host
-explicitly.
+- **Suffix match**: `.example.com` — matches `cdn.example.com`,
+  `images.example.com`, and `example.com`
 
 ### Configuration
 

TODO.md

@@ -6,7 +6,7 @@ Remaining tasks sorted by priority for a working 1.0 release.
 
 ### Image Processing
 - [x] Add WebP encoding support (currently returns error)
-- [x] Add AVIF encoding support (implemented via govips)
+- [ ] Add AVIF encoding support (currently returns error)
 
 ### Manual Testing (verify auth/encrypted URLs work)
 - [ ] Manual test: visit `/`, see login form

config.example.yml

@@ -13,7 +13,8 @@ state_dir: ./data
 # Generate with: openssl rand -base64 32
 signing_key: "CHANGE_ME_generate_with_openssl_rand_base64_32"
 
-# Hosts that don't require signatures (exact match only)
+# Hosts that don't require signatures
+# Use "." prefix for wildcard subdomain matching (e.g., ".example.com" matches "cdn.example.com")
 whitelist_hosts:
   - s3.sneak.cloud
   - static.sneak.cloud

internal/imgcache/whitelist.go

@@ -5,20 +5,23 @@ import (
 	"strings"
 )
 
-// HostWhitelist checks whether a source host is allowed without a signature.
+// HostWhitelist implements the Whitelist interface for checking allowed source hosts.
-// Only exact host matches are supported. Signatures are per-URL, so
-// wildcard/suffix matching is intentionally not provided.
 type HostWhitelist struct {
 	// exactHosts contains hosts that must match exactly (e.g., "cdn.example.com")
 	exactHosts map[string]struct{}
+	// suffixHosts contains domain suffixes to match (e.g., ".example.com" matches "cdn.example.com")
+	suffixHosts []string
 }
 
-// NewHostWhitelist creates a whitelist from a list of hostnames.
+// NewHostWhitelist creates a whitelist from a list of host patterns.
-// Each entry is treated as an exact host match. Leading dots are
+// Patterns starting with "." are treated as suffix matches.
-// stripped so that legacy ".example.com" entries become "example.com".
+// Examples:
+//   - "cdn.example.com" - exact match only
+//   - ".example.com" - matches cdn.example.com, images.example.com, etc.
 func NewHostWhitelist(patterns []string) *HostWhitelist {
 	w := &HostWhitelist{
 		exactHosts:  make(map[string]struct{}),
+		suffixHosts: make([]string, 0),
 	}
 
 	for _, pattern := range patterns {
@@ -27,11 +30,9 @@ func NewHostWhitelist(patterns []string) *HostWhitelist {
 			continue
 		}
 
-		// Strip leading dot — suffix matching is no longer supported;
+		if strings.HasPrefix(pattern, ".") {
-		// ".example.com" is normalised to "example.com" as an exact entry.
+			w.suffixHosts = append(w.suffixHosts, pattern)
-		pattern = strings.TrimPrefix(pattern, ".")
+		} else {
-
-		if pattern != "" {
 			w.exactHosts[pattern] = struct{}{}
 		}
 	}
@@ -39,7 +40,7 @@ func NewHostWhitelist(patterns []string) *HostWhitelist {
 	return w
 }
 
-// IsWhitelisted checks if a URL's host is in the whitelist (exact match only).
+// IsWhitelisted checks if a URL's host is in the whitelist.
 func (w *HostWhitelist) IsWhitelisted(u *url.URL) bool {
 	if u == nil {
 		return false
@@ -50,17 +51,32 @@ func (w *HostWhitelist) IsWhitelisted(u *url.URL) bool {
 		return false
 	}
 
-	_, ok := w.exactHosts[host]
+	// Check exact match
+	if _, ok := w.exactHosts[host]; ok {
+		return true
+	}
 
-	return ok
+	// Check suffix match
+	for _, suffix := range w.suffixHosts {
+		if strings.HasSuffix(host, suffix) {
+			return true
+		}
+		// Also match if host equals the suffix without the leading dot
+		// e.g., pattern ".example.com" should match "example.com"
+		if host == strings.TrimPrefix(suffix, ".") {
+			return true
+		}
+	}
+
+	return false
 }
 
 // IsEmpty returns true if the whitelist has no entries.
 func (w *HostWhitelist) IsEmpty() bool {
-	return len(w.exactHosts) == 0
+	return len(w.exactHosts) == 0 && len(w.suffixHosts) == 0
 }
 
 // Count returns the total number of whitelist entries.
 func (w *HostWhitelist) Count() int {
-	return len(w.exactHosts)
+	return len(w.exactHosts) + len(w.suffixHosts)
 }

internal/imgcache/whitelist_test.go

@@ -31,41 +31,41 @@ func TestHostWhitelist_IsWhitelisted(t *testing.T) {
 			want:     false,
 		},
 		{
-			name:     "no suffix matching for subdomains",
+			name:     "suffix match",
-			patterns: []string{"example.com"},
+			patterns: []string{".example.com"},
 			testURL:  "https://cdn.example.com/image.jpg",
-			want:     false,
+			want:     true,
 		},
 		{
-			name:     "leading dot stripped to exact match",
+			name:     "suffix match deep subdomain",
+			patterns: []string{".example.com"},
+			testURL:  "https://cdn.images.example.com/image.jpg",
+			want:     true,
+		},
+		{
+			name:     "suffix match apex domain",
 			patterns: []string{".example.com"},
 			testURL:  "https://example.com/image.jpg",
 			want:     true,
 		},
 		{
-			name:     "leading dot does not enable suffix matching",
+			name:     "suffix match not found",
 			patterns: []string{".example.com"},
-			testURL:  "https://cdn.example.com/image.jpg",
+			testURL:  "https://notexample.com/image.jpg",
 			want:     false,
 		},
 		{
-			name:     "leading dot does not match deep subdomain",
+			name:     "suffix match partial not allowed",
 			patterns: []string{".example.com"},
-			testURL:  "https://cdn.images.example.com/image.jpg",
+			testURL:  "https://fakeexample.com/image.jpg",
 			want:     false,
 		},
 		{
-			name:     "multiple patterns exact only",
+			name:     "multiple patterns",
-			patterns: []string{"cdn.example.com", "photos.images.org", "static.test.net"},
+			patterns: []string{"cdn.example.com", ".images.org", "static.test.net"},
 			testURL:  "https://photos.images.org/image.jpg",
 			want:     true,
 		},
-		{
-			name:     "multiple patterns no suffix leak",
-			patterns: []string{"cdn.example.com", "images.org"},
-			testURL:  "https://photos.images.org/image.jpg",
-			want:     false,
-		},
 		{
 			name:     "empty whitelist",
 			patterns: []string{},
@@ -86,7 +86,7 @@ func TestHostWhitelist_IsWhitelisted(t *testing.T) {
 		},
 		{
 			name:     "whitespace in patterns",
-			patterns: []string{"  cdn.example.com  ", "  other.com  "},
+			patterns: []string{"  cdn.example.com  ", "  .other.com  "},
 			testURL:  "https://cdn.example.com/image.jpg",
 			want:     true,
 		},
@@ -139,11 +139,6 @@ func TestHostWhitelist_IsEmpty(t *testing.T) {
 			patterns: []string{"example.com"},
 			want:     false,
 		},
-		{
-			name:     "leading dot normalised to entry",
-			patterns: []string{".example.com"},
-			want:     false,
-		},
 	}
 
 	for _, tt := range tests {
@@ -173,14 +168,14 @@ func TestHostWhitelist_Count(t *testing.T) {
 			want:     3,
 		},
 		{
-			name:     "leading dots normalised to exact",
+			name:     "suffix hosts only",
 			patterns: []string{".a.com", ".b.com"},
 			want:     2,
 		},
 		{
-			name:     "mixed deduplication",
+			name:     "mixed",
-			patterns: []string{"example.com", ".example.com"},
+			patterns: []string{"exact.com", ".suffix.com"},
-			want:     1,
+			want:     2,
 		},
 	}
 

scripts/manual-test.sh

@@ -48,7 +48,7 @@ fi
 
 # Test 3: Wrong password shows error
 echo "--- Test 3: Login with wrong password ---"
-WRONG_LOGIN=$(curl -sf -X POST "$BASE_URL/" -d "key=wrong-key" -c "$COOKIE_JAR")
+WRONG_LOGIN=$(curl -sf -X POST "$BASE_URL/" -d "password=wrong-key" -c "$COOKIE_JAR")
 if echo "$WRONG_LOGIN" | grep -qi "invalid\|error\|incorrect\|wrong"; then
     pass "Wrong password shows error message"
 else
@@ -57,7 +57,7 @@ fi
 
 # Test 4: Correct password redirects to generator
 echo "--- Test 4: Login with correct signing key ---"
-curl -sf -X POST "$BASE_URL/" -d "key=$SIGNING_KEY" -c "$COOKIE_JAR" -b "$COOKIE_JAR" -L -o /dev/null
+curl -sf -X POST "$BASE_URL/" -d "password=$SIGNING_KEY" -c "$COOKIE_JAR" -b "$COOKIE_JAR" -L -o /dev/null
 GENERATOR_PAGE=$(curl -sf "$BASE_URL/" -b "$COOKIE_JAR")
 if echo "$GENERATOR_PAGE" | grep -qi "generate\|url\|source\|logout"; then
     pass "Correct password shows generator page"
@@ -68,12 +68,12 @@ fi
 # Test 5: Generate encrypted URL
 echo "--- Test 5: Generate encrypted URL ---"
 GEN_RESULT=$(curl -sf -X POST "$BASE_URL/generate" -b "$COOKIE_JAR" \
-    -d "url=$TEST_IMAGE_URL" \
+    -d "source_url=$TEST_IMAGE_URL" \
     -d "width=800" \
     -d "height=600" \
     -d "format=jpeg" \
     -d "quality=85" \
-    -d "fit=cover" \
+    -d "fit_mode=cover" \
     -d "ttl=3600")
 if echo "$GEN_RESULT" | grep -q "/v1/e/"; then
     pass "Encrypted URL generated"
@@ -121,10 +121,10 @@ fi
 # Test 9: Generate short-TTL URL and verify expiration
 echo "--- Test 9: Expired URL returns 410 ---"
 # Login again
-curl -sf -X POST "$BASE_URL/" -d "key=$SIGNING_KEY" -c "$COOKIE_JAR" -b "$COOKIE_JAR" -L -o /dev/null
+curl -sf -X POST "$BASE_URL/" -d "password=$SIGNING_KEY" -c "$COOKIE_JAR" -b "$COOKIE_JAR" -L -o /dev/null
 # Generate URL with 1 second TTL
 GEN_RESULT=$(curl -sf -X POST "$BASE_URL/generate" -b "$COOKIE_JAR" \
-    -d "url=$TEST_IMAGE_URL" \
+    -d "source_url=$TEST_IMAGE_URL" \
     -d "width=100" \
     -d "height=100" \
     -d "format=jpeg" \