Default client_max_body_size of 1MB was rejecting uploads larger than 1MB
with a 413 before the request reached the API.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Aligns principles with actual project state: soften TDD wording to allow
tests alongside implementation, replace CI gate with concrete local test
suite gate, add production infrastructure to tech stack (k3s, nginx,
Vault + VSO), and document plaintext password storage as a known gap
that must be resolved before further auth work.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds complete k8s/ manifest tree: Namespace, VaultAuth + VaultStaticSecret
CRDs (VSO secret sync from Vault KV v2), API and UI Deployments and Services,
nginx Ingress with cert-manager TLS, MinIO StatefulSet with PVC and init Job,
and Alembic init container on the API Deployment for automatic schema
migrations. Includes .yamllint.yml config and validate-k8s Makefile target.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
When API_DOCS_ENABLED=false, FastAPI registers no routes for /docs,
/redoc, or /openapi.json, returning 404 for all three. Default is true
for backwards compatibility. Invalid values fall back to true (FR-007).
Fix: Remove tests/ and alembic/ from api/.dockerignore so the test
Dockerfile (which uses COPY . .) includes the test suite; Dockerfile.prod
is unaffected as it only copies app/ explicitly.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Two-stage build (uv builder + python:3.12-slim runtime) with non-root
user (UID 1001), no dev deps, layer-cache-optimised dep install, and
graceful SIGTERM shutdown. Verified by api/tests/build/verify_production_image.sh
covering build, health endpoint, non-root, stdout logging, secret-free
layers, missing-env-var exit, and dep-layer cache hit. All 102 integration
tests still pass; shellcheck clean.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
After LOGIN_MAX_FAILURES consecutive failed attempts from the same source
IP within LOGIN_WINDOW_SECONDS, POST /api/v1/auth/token returns HTTP 429
with a Retry-After header for LOGIN_COOLDOWN_SECONDS. A successful login
resets the counter. Trusted upstream proxy IPs/CIDRs can be declared via
LOGIN_TRUSTED_PROXY_IPS so X-Forwarded-For is honoured correctly behind
nginx ingress or similar reverse proxies.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- conftest.py: pytest_configure guard rejects non-postgresql+asyncpg:// URLs
before any test collects (per constitution §2.5/§5.2 v1.3.0)
- docker-compose.test.yml: isolated postgres-test (5433) + minio-test (9002)
+ api-test runner; one command runs the full suite against real PostgreSQL
- Makefile: test-unit and test-integration targets
- .env.test.example: documents variables needed to run tests outside Docker
- Fix pre-existing test bug: integration tests using client fixture (NoOpAuthProvider)
for write operations (upload/delete/patch) now use authed_client with Bearer
token — these were never caught because tests never ran against a live stack
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
§2.5: Remove the planned PostgreSQL→SQLite refactor note; prohibit
alternative database engines in integration tests.
§5.2: Explicitly require a real PostgreSQL instance for integration
tests; ban SQLite — a GROUP BY/HAVING production bug was masked by
SQLite's permissive dialect in feature 007.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
HAVING requires GROUP BY; count_subq is a correlated scalar subquery, not
an aggregate, so PostgreSQL rejects it. WHERE works correctly and the
integration tests used SQLite which is permissive about this rule.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Extends GET /api/v1/tags with sort=count_desc and min_count query params
- New TagsComponent at /tags (public, no auth guard) shows all tags sorted by image count
- Clicking a tag navigates to /?tags=<name> for a pre-filtered library view
- LibraryComponent reads ?tags= query param on init to support deep-linking from tag browser
- Library header gains a "Browse tags" link to /tags for discoverability
- All 15 TDD tasks complete; ruff, ng lint, and ng build clean
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Make the app title a clickable link to / so users can return to the
image grid from any sub-page without the browser back button. Change
the sign-out destination from /login to / since the grid is publicly
accessible and avoids unnecessary friction post-logout.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Due to the introduction of image thumbnail generation in
cd89ba5dea, the scope boundaries in §10 of
the project constitution should be updated with a clarification.
- Add Pillow dependency and thumbnail.py with generate_thumbnail() — produces
WebP ≤400px, preserves aspect ratio, never upscales, handles GIF frame 0
- Alembic migration 002 adds nullable thumbnail_key column to images table
- Upload route generates thumbnail via asyncio.to_thread (non-blocking),
stores at {hash}-thumb; failure is tolerated and upload succeeds with null key
- New GET /api/v1/images/{id}/thumbnail endpoint: serves WebP thumbnail or
falls back to original for pre-feature images; ETag + immutable cache headers
- Delete route cleans up thumbnail storage object alongside original
- Library grid switches from /file to /thumbnail for all image src bindings
- 59 tests passing (46 existing + 13 new across unit, upload, serving, delete)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replace the presigned-URL redirect (302) in GET /api/v1/images/{id}/file
with a direct proxy that fetches bytes from S3 server-side and returns them
to the client. The browser never contacts the storage backend, eliminating
the /etc/hosts workaround needed in local development.
- StorageBackend: swap get_presigned_url for get(key) -> bytes
- S3StorageBackend: implement get() via aiobotocore get_object
- serve_image_file: return Response with ETag + Cache-Control: immutable
- test_serving: assert 200 + content-type + ETag; add no-storage-details test
- Spec Kit artifacts for feature 002-api-image-proxy
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Build fixes:
- ui/Dockerfile: npm install instead of npm ci (no lockfile)
- api/pyproject.toml: setuptools.build_meta instead of setuptools.backends.legacy:build
- api/Dockerfile: install curl so the Docker healthcheck doesn't always fail
- docker-compose.yml: add start_period: 30s to API healthcheck
Test fixes:
- pyproject.toml: asyncio_default_fixture_loop_scope/test_loop_scope = session to
prevent asyncpg connections being used across different event loops
- conftest.py: loop_scope="session" on session-scoped engine fixture
- main.py: custom HTTPException handler to flatten dict details to top level
(FastAPI wraps dict details as {"detail": {...}} by default)
- test_upload.py: use env var + cache_clear() to override max_upload_bytes since
monkeypatch can't reach past @lru_cache and already-imported references
- image_repo.py: add reload_with_tags() with populate_existing=True to force
SQLAlchemy to repopulate the identity-map object after tag mutations
- images.py: use reload_with_tags() instead of db.refresh(image, ["image_tags"])
which only loaded ImageTag rows without their .tag sub-relationship, causing
MissingGreenlet on any access to image.tags after attach/replace operations
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
