clawbot
2e934c8894
All checks were successful
check / check (push) Successful in 5s
closes #24 ## QA Audit Fixes This PR addresses issues found during the 1.0/MVP QA audit. ### Changes 1. **TODO.md: Mark AVIF encoding as done** — AVIF encoding is fully implemented via govips in `processor.go` but was still listed as a TODO item. 2. **scripts/manual-test.sh: Fix form field names** — The manual test script was using wrong field names: - Login form: was sending `password=...`, should be `key=...` (matching the HTML form's `name="key"`) - Generator form: was sending `source_url`, `fit_mode` — should be `url`, `fit` (matching the handler's `r.FormValue()` calls) - This means **the manual test script never actually worked** — login always failed silently because the `key` field was empty. ### Full QA Audit Results The comprehensive QA audit report has been posted as a comment on [issue #24](#24). Co-authored-by: user <user@Mac.lan guest wan> Reviewed-on: #25 Co-authored-by: clawbot <clawbot@noreply.example.org> Co-committed-by: clawbot <clawbot@noreply.example.org>
66 lines
2.0 KiB
Markdown
66 lines
2.0 KiB
Markdown
# Pixa 1.0 TODO
|
|
|
|
Remaining tasks sorted by priority for a working 1.0 release.
|
|
|
|
## P0: Critical for 1.0
|
|
|
|
### Image Processing
|
|
- [x] Add WebP encoding support (currently returns error)
|
|
- [x] Add AVIF encoding support (implemented via govips)
|
|
|
|
### Manual Testing (verify auth/encrypted URLs work)
|
|
- [ ] Manual test: visit `/`, see login form
|
|
- [ ] Manual test: enter wrong key, see error
|
|
- [ ] Manual test: enter correct signing key, see generator form
|
|
- [ ] Manual test: generate encrypted URL, verify it works
|
|
- [ ] Manual test: wait for expiration or use short TTL, verify expired URL returns 410
|
|
- [ ] Manual test: logout, verify redirected to login
|
|
|
|
### Cache Management
|
|
- [ ] Implement cache size management/eviction (prevent disk from filling up)
|
|
|
|
### Configuration
|
|
- [ ] Validate configuration on startup (fail fast on bad config)
|
|
|
|
## P1: Important for Production
|
|
|
|
### Security
|
|
- [ ] Implement blocked networks configuration (extend SSRF protection)
|
|
- [ ] Add rate limiting global concurrent fetches (prevent resource exhaustion)
|
|
|
|
### Image Processing
|
|
- [ ] Implement EXIF/metadata stripping (privacy)
|
|
|
|
## P2: Nice to Have
|
|
|
|
### Security
|
|
- [ ] Implement referer blacklist
|
|
- [ ] Add rate limiting per-IP
|
|
- [ ] Add rate limiting per-origin
|
|
|
|
### HTTP Response Handling
|
|
- [ ] Implement Last-Modified headers
|
|
- [ ] Implement Vary header for content negotiation
|
|
- [ ] Implement X-Request-ID propagation
|
|
|
|
### Additional Endpoints
|
|
- [ ] Implement auto-format selection (format=auto based on Accept header)
|
|
|
|
### Configuration
|
|
- [ ] Add all configuration options from README
|
|
- [ ] Implement environment variable overrides
|
|
- [ ] Implement YAML config file support
|
|
|
|
### Operational
|
|
- [ ] Implement Sentry error reporting (optional)
|
|
- [ ] Add comprehensive request logging
|
|
- [ ] Add performance metrics (Prometheus)
|
|
- [ ] Write integration tests for image proxy flow
|
|
- [ ] Write load tests to verify 1-5k req/s target
|
|
|
|
### Documentation
|
|
- [ ] Document configuration options
|
|
- [ ] Document API endpoints
|
|
- [ ] Document deployment guide
|
|
- [ ] Add example nginx/caddy reverse proxy config
|