sneak/pixa
1
0
Fork 0
Code Issues 3 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
e241b99d22646cf38fc28ed166178fe6aa350d37
pixa/TODO.md
clawbot 2e934c8894
All checks were successful
check / check (push) Successful in 5s
Details
fix: QA audit fixes for 1.0/MVP readiness (#25) 
closes #24

## QA Audit Fixes

This PR addresses issues found during the 1.0/MVP QA audit.

### Changes

1. **TODO.md: Mark AVIF encoding as done** — AVIF encoding is fully implemented via govips in `processor.go` but was still listed as a TODO item.

2. **scripts/manual-test.sh: Fix form field names** — The manual test script was using wrong field names:
   - Login form: was sending `password=...`, should be `key=...` (matching the HTML form's `name="key"`)
   - Generator form: was sending `source_url`, `fit_mode` — should be `url`, `fit` (matching the handler's `r.FormValue()` calls)
   - This means **the manual test script never actually worked** — login always failed silently because the `key` field was empty.

### Full QA Audit Results

The comprehensive QA audit report has been posted as a comment on [issue #24](#24).

Co-authored-by: user <user@Mac.lan guest wan>
Reviewed-on: #25
Co-authored-by: clawbot <clawbot@noreply.example.org>
Co-committed-by: clawbot <clawbot@noreply.example.org>
2026-03-15 17:58:13 +01:00

2.0 KiB
Raw Blame History

Pixa 1.0 TODO

Remaining tasks sorted by priority for a working 1.0 release.

P0: Critical for 1.0

Image Processing

  • Add WebP encoding support (currently returns error)
  • Add AVIF encoding support (implemented via govips)

Manual Testing (verify auth/encrypted URLs work)

  • Manual test: visit /, see login form
  • Manual test: enter wrong key, see error
  • Manual test: enter correct signing key, see generator form
  • Manual test: generate encrypted URL, verify it works
  • Manual test: wait for expiration or use short TTL, verify expired URL returns 410
  • Manual test: logout, verify redirected to login

Cache Management

  • Implement cache size management/eviction (prevent disk from filling up)

Configuration

  • Validate configuration on startup (fail fast on bad config)

P1: Important for Production

Security

  • Implement blocked networks configuration (extend SSRF protection)
  • Add rate limiting global concurrent fetches (prevent resource exhaustion)

Image Processing

  • Implement EXIF/metadata stripping (privacy)

P2: Nice to Have

Security

  • Implement referer blacklist
  • Add rate limiting per-IP
  • Add rate limiting per-origin

HTTP Response Handling

  • Implement Last-Modified headers
  • Implement Vary header for content negotiation
  • Implement X-Request-ID propagation

Additional Endpoints

  • Implement auto-format selection (format=auto based on Accept header)

Configuration

  • Add all configuration options from README
  • Implement environment variable overrides
  • Implement YAML config file support

Operational

  • Implement Sentry error reporting (optional)
  • Add comprehensive request logging
  • Add performance metrics (Prometheus)
  • Write integration tests for image proxy flow
  • Write load tests to verify 1-5k req/s target

Documentation

  • Document configuration options
  • Document API endpoints
  • Document deployment guide
  • Add example nginx/caddy reverse proxy config
Reference in New Issue View Git Blame Copy Permalink