CI: Update dummy OWNER_PASSWORD in jobs

CI: Shrink dummy JWT secret key
CI: Extend dummy JWT key to pass test without InsecureKeyLengthWarning
2026-05-10 19:51:46 -04:00 · 2026-05-10 19:49:36 -04:00 · 2026-05-10 19:45:59 -04:00 · 2026-05-10 19:36:14 -04:00 · 2026-05-10 19:33:16 -04:00 · 2026-05-10 19:27:28 -04:00
215 changed files with 13022 additions and 411 deletions
--- a/.env.example
+++ b/.env.example
@@ -11,6 +11,10 @@ S3_REGION=us-east-1
 # Angular SPA — injected at build or runtime
 API_BASE_URL=http://localhost:8000
 # CDN base URL for serving images (e.g. https://cdn.example.com).
 # Leave empty in local dev to use API proxy fallback.
 S3_PUBLIC_BASE_URL=
 # Upload size limit in bytes (default 50 MiB)
 MAX_UPLOAD_BYTES=52428800
@@ -19,3 +23,15 @@ JWT_SECRET_KEY=change-me-to-a-long-random-string
 JWT_EXPIRY_SECONDS=86400
 OWNER_USERNAME=owner
 OWNER_PASSWORD=change-me
 # Login brute-force protection
 LOGIN_MAX_FAILURES=5
 LOGIN_WINDOW_SECONDS=300
 LOGIN_COOLDOWN_SECONDS=900
 # Comma-separated IPs/CIDRs of trusted upstream proxies (e.g. nginx ingress pod CIDR).
 # Leave empty when not behind a reverse proxy.
 LOGIN_TRUSTED_PROXY_IPS=
 # API documentation endpoints (Swagger UI, ReDoc, OpenAPI schema)
 # Set to false in production to avoid exposing the API surface publicly.
 API_DOCS_ENABLED=true
--- a/.env.test.example
+++ b/.env.test.example
@@ -0,0 +1,36 @@
 # Integration test environment variables
 # Used when running pytest directly on the host (outside Docker).
 #
 # Start test services first:
 #   docker compose -f docker-compose.test.yml up -d postgres-test minio-test minio-init-test
 #
 # Then source this file and run tests:
 #   export $(grep -v '^#' .env.test.example | xargs)
 #   cd api && python -m pytest tests/integration/ -v
 # PostgreSQL test database (postgres-test container on host port 5433)
 TEST_DATABASE_URL=postgresql+asyncpg://reactbin:reactbin@localhost:5433/reactbin_test
 DATABASE_URL=postgresql+asyncpg://reactbin:reactbin@localhost:5433/reactbin_test
 # MinIO test instance (minio-test container on host port 9002)
 S3_ENDPOINT_URL=http://localhost:9002
 S3_BUCKET_NAME=reactbin-test
 S3_ACCESS_KEY_ID=minioadmin
 S3_SECRET_ACCESS_KEY=minioadmin
 S3_REGION=us-east-1
 # Auth (test values — not for production)
 JWT_SECRET_KEY=test-secret-key-for-testing-only
 OWNER_USERNAME=testowner
 OWNER_PASSWORD=testpassword
 # API
 API_BASE_URL=http://localhost:8000
 MAX_UPLOAD_BYTES=52428800
 # Login brute-force protection
 LOGIN_MAX_FAILURES=5
 LOGIN_WINDOW_SECONDS=300
 LOGIN_COOLDOWN_SECONDS=900
 # Comma-separated IPs/CIDRs of trusted upstream proxies; leave empty for direct connections.
 LOGIN_TRUSTED_PROXY_IPS=
--- a/.gitea/workflows/pipeline.yml
+++ b/.gitea/workflows/pipeline.yml
@@ -0,0 +1,241 @@
 name: Pipeline
 on:
  push:
    branches: [master]
    tags: ['v*']
  pull_request:
    branches: [master]
 jobs:
  # ── UI ────────────────────────────────────────────────────────────────────────
  ui-test:
    name: UI Tests
    runs-on: ubuntu-latest
    container:
      image: node:22-bullseye
    steps:
      - uses: actions/checkout@v4
      - name: Install Firefox
        run: apt-get update -qq && apt-get install -y --no-install-recommends firefox-esr
      - name: Cache node_modules
        uses: actions/cache@v3
        with:
          path: ui/node_modules
          key: npm-${{ hashFiles('ui/package-lock.json') }}
          restore-keys: npm-
      - name: Install dependencies
        run: npm ci
        working-directory: ui
      - name: Run tests
        run: FIREFOX_BIN=/usr/bin/firefox-esr npx ng test --watch=false
        working-directory: ui
  ui-lint:
    name: UI Lint
    runs-on: ubuntu-latest
    container:
      image: node:22-bullseye
    steps:
      - uses: actions/checkout@v4
      - name: Cache node_modules
        uses: actions/cache@v3
        with:
          path: ui/node_modules
          key: npm-${{ hashFiles('ui/package-lock.json') }}
          restore-keys: npm-
      - name: Install dependencies
        run: npm ci
        working-directory: ui
      - name: Run ESLint
        run: npm run lint
        working-directory: ui
  # ── API ───────────────────────────────────────────────────────────────────────
  api-unit:
    name: API Unit Tests
    runs-on: ubuntu-latest
    container:
      image: ghcr.io/astral-sh/uv:python3.12-bookworm
    steps:
      - name: Install Node (for JS actions)
        run: |
          apt-get update -qq
          apt-get install -y --no-install-recommends nodejs ca-certificates curl
      - uses: actions/checkout@v4
      - name: Cache uv store
        uses: actions/cache@v3
        with:
          path: /root/.cache/uv
          key: uv-${{ hashFiles('api/uv.lock') }}
          restore-keys: uv-
      - name: Install dependencies
        run: uv sync --group dev
        working-directory: api
      - name: Run unit tests
        run: uv run pytest tests/unit/ -q
        working-directory: api
        env:
          DATABASE_URL: postgresql+asyncpg://u:p@localhost/db
          S3_ENDPOINT_URL: http://localhost:9000
          S3_BUCKET_NAME: test
          S3_ACCESS_KEY_ID: key
          S3_SECRET_ACCESS_KEY: secret
          S3_REGION: us-east-1
          API_BASE_URL: http://localhost:8000
          JWT_SECRET_KEY: d34db33fc4f3b00bd34db33fc4f3b00b
          OWNER_USERNAME: testowner
          OWNER_PASSWORD: testpassword
  api-lint:
    name: API Lint
    runs-on: ubuntu-latest
    container:
      image: ghcr.io/astral-sh/uv:python3.12-bookworm
    steps:
      - name: Install Node (for JS actions)
        run: |
          apt-get update -qq
          apt-get install -y --no-install-recommends nodejs ca-certificates curl
      - uses: actions/checkout@v4
      - name: Run Ruff
        run: uvx ruff check .
        working-directory: api
  api-integration:
    name: API Integration Tests
    runs-on: ubuntu-latest
    container:
      image: ghcr.io/astral-sh/uv:python3.12-bookworm
    services:
      postgres:
        image: postgres:16
        env:
          POSTGRES_USER: reactbin
          POSTGRES_PASSWORD: reactbin
          POSTGRES_DB: reactbin_test
        options: >-
          --health-cmd "pg_isready -U reactbin -d reactbin_test"
          --health-interval 5s
          --health-timeout 5s
          --health-retries 10
      minio:
        image: bitnamilegacy/minio:2025.7.23-debian-12-r5
        env:
          MINIO_ROOT_USER: minioadmin
          MINIO_ROOT_PASSWORD: minioadmin
          MINIO_DEFAULT_BUCKETS: reactbin-test
        options: >-
          --health-cmd "mc ready local || exit 1"
          --health-interval 5s
          --health-timeout 5s
          --health-retries 10
    steps:
      - name: Diagnose
        run: |
          echo "=== resolv.conf ==="
          cat /etc/resolv.conf
          echo "=== Service DNS ==="
          getent hosts postgres || echo "postgres: not in DNS"
          getent hosts minio || echo "minio: not in DNS"
      - name: Install Node and curl (for JS actions and mc)
        run: |
          apt-get update -qq
          apt-get install -y --no-install-recommends nodejs ca-certificates curl
      - uses: actions/checkout@v4
      - name: Cache uv store
        uses: actions/cache@v3
        with:
          path: /root/.cache/uv
          key: uv-${{ hashFiles('api/uv.lock') }}
          restore-keys: uv-
      - name: Install dependencies
        run: uv sync --group dev
        working-directory: api
      - name: Run integration tests
        run: uv run pytest tests/integration/ -q
        working-directory: api
        env:
          TEST_DATABASE_URL: postgresql+asyncpg://reactbin:reactbin@postgres/reactbin_test
          DATABASE_URL: postgresql+asyncpg://reactbin:reactbin@postgres/reactbin_test
          S3_ENDPOINT_URL: http://minio:9000
          S3_BUCKET_NAME: reactbin-test
          S3_ACCESS_KEY_ID: minioadmin
          S3_SECRET_ACCESS_KEY: minioadmin
          S3_REGION: us-east-1
          API_BASE_URL: http://localhost:8000
          JWT_SECRET_KEY: d34db33fc4f3b00bd34db33fc4f3b00b
          OWNER_USERNAME: testowner
          OWNER_PASSWORD: testpassword
  # ── Image builds (tag-only, gated on all jobs) ────────────────────────────────
  build-api:
    name: Build & Push API Image
    runs-on: ubuntu-latest
    needs: [ui-test, ui-lint, api-unit, api-lint, api-integration]
    if: startsWith(github.ref, 'refs/tags/v')
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        with:
          registry: ${{ vars.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.REGISTRY_TOKEN }}
      - uses: docker/build-push-action@v6
        with:
          context: ./api
          file: ./api/Dockerfile.prod
          push: true
          tags: |
            ${{ vars.REGISTRY }}/${{ vars.REPOSITORY }}/reactbin-api:${{ github.ref_name }}
            ${{ vars.REGISTRY }}/${{ vars.REPOSITORY }}/reactbin-api:latest
  build-ui:
    name: Build & Push UI Image
    runs-on: ubuntu-latest
    needs: [ui-test, ui-lint, api-unit, api-lint, api-integration]
    if: startsWith(github.ref, 'refs/tags/v')
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        with:
          registry: ${{ vars.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.REGISTRY_TOKEN }}
      - uses: docker/build-push-action@v6
        with:
          context: ./ui
          file: ./ui/Dockerfile.prod
          push: true
          tags: |
            ${{ vars.REGISTRY }}/${{ vars.REPOSITORY }}/reactbin-ui:${{ github.ref_name }}
            ${{ vars.REGISTRY }}/${{ vars.REPOSITORY }}/reactbin-ui:latest
--- a/.gitignore
+++ b/.gitignore
@@ -1,7 +1,11 @@
 # Developer notes
 notes/
 # Environment
 .env
 .env.*
 !.env.example
 !.env.test.example
 # Python
 __pycache__/
@@ -12,6 +16,8 @@ venv/
 *.egg-info/
 dist/
 build/
 !api/tests/build/
 !ui/tests/build/
 .pytest_cache/
 .ruff_cache/
 .coverage
--- a/.img/reactbin-ui.png
+++ b/.img/reactbin-ui.png
--- a/.specify/feature.json
+++ b/.specify/feature.json
@@ -1,3 +1 @@
-{
+{"feature_directory":"specs/018-pagination-controls"}
  "feature_directory": "specs/004-jwt-bearer-auth"
 }
--- a/.specify/memory/constitution.md
+++ b/.specify/memory/constitution.md
@@ -1,8 +1,8 @@
 <!--
 SYNC IMPACT REPORT
 ==================
-Version change: 1.1.0 → 1.1.1
+Version change: 1.3.0 → 1.4.0
-Ratified: 2026-05-01 | Last amended: 2026-05-03
+Ratified: 2026-05-01 | Last amended: 2026-05-08
 Principles introduced (first population from docs/CONSTITUTION.md):
  - §2  Architecture Principles (6 sub-principles)
@@ -82,22 +82,23 @@ or SDK-specific types directly — only the interface contract.
 ### 2.4 Auth abstraction (progressive)
-Authentication is treated as a pluggable backend from day one, even though
+Authentication is treated as a pluggable backend from day one. The API MUST
-Phase 1 ships with no auth. The API MUST route all request-identity resolution
+route all request-identity resolution through a single `AuthProvider` interface.
-through a single `AuthProvider` interface. The no-op provider (Phase 1) returns
+Each phase introduces a new provider implementation; no phase rewrites business
-a static anonymous identity. Adding username/password or OIDC in a later phase
+logic already behind the interface.
 MUST be a new provider implementation, not a rewrite of business logic.
-**Phase 1 implements: no-auth (localhost only).**
+**Phase 1 — no-auth (NoOpAuthProvider): complete.**
-**Planned phases: username/password, then OIDC.**
+**Phase 2 — JWT bearer token (JWTAuthProvider, HS256, single owner): complete.**
 **Phase 3 — OIDC: planned.**
 The constitution acknowledges all three; the spec governs which is built.
 ### 2.5 Database abstraction
-PostgreSQL is the Phase 1 database. All DB access MUST go through a repository
+PostgreSQL is the database. All DB access MUST go through a repository layer
-layer (one repository class per domain aggregate). Raw SQL or an ORM is
+(one repository class per domain aggregate). Raw SQL or an ORM is acceptable,
-acceptable, but no query logic MAY live outside a repository. This makes the
+but no query logic MAY live outside a repository. No alternative database
-planned PostgreSQL → SQLite refactor a repository-layer change only.
+engine (SQLite, DuckDB, in-memory substitutes) MAY be used in integration
 tests — dialect differences mask production bugs.
 ### 2.6 No speculative abstraction
@@ -170,17 +171,23 @@ OR/NOT logic is explicitly out of scope until the constitution is revised.
 ## 5. Testing Discipline
-### 5.1 TDD is non-negotiable
+### 5.1 Tests are required alongside every implementation task
-No production code MAY be written before a failing test exists for it. This
+Every implementation task MUST be accompanied by tests covering its behaviour.
-applies to both API and UI. Tasks MUST include a "write failing test" step
+The ideal is red-green-refactor: write a failing test, then make it pass. In
-before any implementation step.
+practice, tests written in the same task as the implementation are acceptable;
 what is non-negotiable is that no implementation task is marked done without
 corresponding test coverage. Tasks MUST NOT be split such that implementation
 is complete but tests are deferred to a later task.
 ### 5.2 Test pyramid
 - **Unit tests** — pure logic, repository mocks, no I/O
- **Integration tests** — API routes tested against a real (test) database
+- **Integration tests** — API routes tested against a real PostgreSQL instance
-  and a real (test) S3-compatible bucket (e.g. MinIO in Docker)
+  and a real S3-compatible bucket (e.g. MinIO in Docker). SQLite and other
  in-memory database substitutes are **prohibited** — PostgreSQL-specific
  behaviour (GROUP BY enforcement, JSON operators, constraint handling) MUST
  be exercised by the test suite.
 - **E2E tests** — Angular + API, minimal set covering the core happy paths
 Unit and integration tests are required. E2E tests are best-effort in v1.
@@ -190,10 +197,15 @@ Unit and integration tests are required. E2E tests are best-effort in v1.
 API tests in `api/tests/`, UI tests colocated with their components. No
 separate top-level `tests/` directory that mirrors the source tree.
-### 5.4 CI must pass before any task is considered done
+### 5.4 The test suite must pass before any task is considered done
 "Done" means: all tests pass, linter passes, type checker passes. A task MUST
-NOT be marked complete while CI is failing.
+NOT be marked complete while any of these are failing.
 The acceptance gate is `make test-unit && make test-integration` plus `ruff
 check` / `ruff format --check` for the API. A formal CI pipeline is planned
 but not yet in place; until one exists, passing the above commands locally is
 the required gate. When CI is introduced it MUST enforce the same checks.
 ---
@@ -206,9 +218,13 @@ NOT be marked complete while CI is failing.
 | ORM / query      | SQLAlchemy 2.x (async) + asyncpg driver   | Repository layer owns all queries         |
 | DB migrations    | Alembic                                   | Schema changes tracked in version control |
 | Object storage   | S3-compatible via `boto3` / `aiobotocore` | Swap MinIO ↔ S3 via env config            |
 | Auth tokens      | PyJWT (HS256)                             | Lightweight; compatible with OIDC migration path |
 | UI framework     | Angular (latest stable)                   | Job-relevant, learning goal               |
 | UI language      | TypeScript strict mode                    | No `any`, no implicit types               |
 | Containerisation | Docker + Docker Compose                   | Local dev must start with one command     |
 | Production runtime | k3s (Kubernetes)                        | Manifests in `k8s/`; see deployment docs  |
 | Ingress          | nginx ingress controller + cert-manager   | TLS via Let's Encrypt (`letsencrypt-prod` ClusterIssuer) |
 | Secret management | HashiCorp Vault + VSO (Vault Secrets Operator) | Secrets never committed; VSO syncs Vault KV v2 → K8s Secrets |
 ---
@@ -244,9 +260,17 @@ revised:
 - Image editing or transformation beyond thumbnail generation
 - OR/NOT tag logic
 - Mobile-native app
 - Username/password auth (planned Phase 2)
 - OIDC auth (planned Phase 3)
 **Known gaps carried forward from v1** — these are not out of scope; they are
 acknowledged deficiencies that MUST be resolved before the affected area is
 expanded:
 - **Password hashing**: The owner password is currently stored and compared in
  plaintext. Hashing (bcrypt or Argon2) MUST be implemented before any
  additional authentication work (e.g. OIDC, additional accounts) is started.
  Specs that touch credential storage MUST address this first.
 ---
 ## 9. Governance
@@ -283,7 +307,10 @@ Phase 1 design is complete.
 | 1.1.0   | 2026-05-01 | asyncpg driver explicit; SHA-256 deduplication added to data model; deduplication removed from out-of-scope                     |
 | 1.1.0   | 2026-05-02 | Adopted into Spec Kit memory; fixed duplicate §4.3 → §4.4; strengthened "should" language to MUST/MUST NOT; added §9 Governance |
 | 1.1.1   | 2026-05-03 | Clarify that the only acceptable form of image transformation or editing is thumbnail generation                                |
 | 1.2.0   | 2026-05-03 | §2.4: Mark Phase 2 (JWT bearer auth) complete, reword phase status; §6: Add PyJWT to tech stack table; §8: Remove username/password auth from out-of-scope (now shipped) |
 | 1.3.0   | 2026-05-06 | §2.5: Remove planned PostgreSQL → SQLite refactor note; prohibit alternative database engines in integration tests. §5.2: Explicitly require PostgreSQL for integration tests; prohibit SQLite — a production HAVING/GROUP BY bug was masked by SQLite's permissive dialect. |
 | 1.4.0   | 2026-05-08 | §5.1: Soften strict TDD wording to reflect actual practice — tests alongside implementation are acceptable; deferring tests to a later task is not. §5.4: Replace "CI must pass" with local test suite gate; note CI is planned but not yet in place. §6: Add production runtime rows (k3s, nginx ingress + cert-manager, Vault + VSO). §8: Add "known gaps" subsection; document plaintext password storage as a deficiency that must be resolved before further auth work. |
 ---
-**Version**: 1.1.1 | **Ratified**: 2026-05-01 | **Last Amended**: 2026-05-03
+**Version**: 1.4.0 | **Ratified**: 2026-05-01 | **Last Amended**: 2026-05-08
--- a/.yamllint.yml
+++ b/.yamllint.yml
@@ -0,0 +1,4 @@
 extends: relaxed
 rules:
  line-length:
    max: 120
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -1,5 +1,5 @@
 <!-- SPECKIT START -->
 For additional context about technologies to be used, project structure,
 shell commands, and other important information, read the current plan at
-`specs/004-jwt-bearer-auth/plan.md`.
+`specs/018-pagination-controls/plan.md`.
 <!-- SPECKIT END -->
--- a/25
+++ b/25
@@ -0,0 +1,25 @@
 .PHONY: test-unit test-integration build-prod verify-prod build-ui-prod verify-ui-prod validate-k8s
 test-unit:
 	cd api && python -m pytest tests/unit/ -v
 test-integration:
 	docker compose -f docker-compose.test.yml build api-test
 	docker compose -f docker-compose.test.yml run --rm api-test
 build-prod:
 	docker build -f api/Dockerfile.prod api/ -t reactbin-api-prod:latest
 verify-prod:
 	bash api/tests/build/verify_production_image.sh
 build-ui-prod:
 	docker build -f ui/Dockerfile.prod ui/ -t reactbin-ui-prod:latest
 verify-ui-prod:
 	bash ui/tests/build/verify_production_image.sh
 # Offline: yamllint only. Online (requires kubeconfig): kubectl apply --dry-run=client -f k8s/
 validate-k8s:
 	yamllint -d relaxed k8s/
 	kubectl apply --dry-run=client -f k8s/
--- a/README.md
+++ b/README.md
@@ -2,3 +2,141 @@
 _Organize your reaction images._
 ![Reactbin UI](.img/reactbin-ui.png)
 A self-hosted reaction image board. Single owner account, tag-based browsing, S3-compatible image storage.
 ---
 ## Local development
 ```bash
 cp .env.example .env
 # Edit .env — defaults work out of the box for local dev
 docker compose up
 ```
 - UI: http://localhost:4200
 - API: http://localhost:8000
 - MinIO console: http://localhost:9001 (minioadmin / minioadmin)
 The API serves on port 8000 directly in dev. In production the nginx ingress routes `/api/` there.
 ### Running tests
 ```bash
 make test-unit          # pytest unit tests (no Docker)
 make test-integration   # builds api-test image, runs full suite against Postgres + MinIO
 ```
 ### Production image builds
 ```bash
 make build-prod         # builds reactbin-api-prod:latest from api/Dockerfile.prod
 make verify-prod        # smoke-tests the production image
 make build-ui-prod      # builds reactbin-ui-prod:latest from ui/Dockerfile.prod
 make verify-ui-prod     # smoke-tests the production UI image
 ```
 ---
 ## Production deployment (k3s)
 ### Cluster prerequisites
 - nginx ingress controller
 - cert-manager with a `letsencrypt-prod` ClusterIssuer
 - Vault Secrets Operator (VSO) installed and connected to Vault
 - Vault KV v2 secrets populated (see below)
 ### Vault secrets
 Two KV v2 paths. VSO syncs these into Kubernetes Secrets automatically.
 **`reactbin/api/config`** → K8s Secret `api-env`
 | Key | Notes |
 |-----|-------|
 | `DATABASE_URL` | `postgresql+asyncpg://user:pass@host:5432/db` |
 | `JWT_SECRET_KEY` | Long random string — `openssl rand -base64 48` |
 | `OWNER_USERNAME` | Login username |
 | `OWNER_PASSWORD` | Login password |
 | `S3_ENDPOINT_URL` | `http://minio.reactbin.svc.cluster.local:9000` |
 | `S3_BUCKET_NAME` | `reactbin` |
 | `S3_ACCESS_KEY_ID` | Same value as `MINIO_ROOT_USER` |
 | `S3_SECRET_ACCESS_KEY` | Same value as `MINIO_ROOT_PASSWORD` |
 | `API_BASE_URL` | `https://<your-domain>` |
 | `LOGIN_TRUSTED_PROXY_IPS` | Pod CIDR of nginx ingress pods, e.g. `10.42.0.0/16` — needed for per-client login rate limiting behind the ingress |
 **`reactbin/minio/credentials`** → K8s Secret `minio-credentials`
 | Key | Notes |
 |-----|-------|
 | `MINIO_ROOT_USER` | MinIO admin username |
 | `MINIO_ROOT_PASSWORD` | `openssl rand -base64 32` |
 ### Apply order
 ```bash
 # 1. Namespace first
 kubectl apply -f k8s/namespace.yaml
 # 2. Vault CRDs — wait for VSO to create api-env and minio-credentials Secrets
 kubectl apply -f k8s/vault/
 kubectl get secret -n reactbin api-env minio-credentials   # wait until both appear
 # 3. API, UI, Ingress — replace 'latest' tags and <your-domain> first
 kubectl apply -f k8s/api/ -f k8s/ui/ -f k8s/ingress.yaml
 kubectl rollout status deployment/api -n reactbin          # Alembic init container runs here
 # 4. MinIO — wait for StatefulSet ready before running the bucket init Job
 kubectl apply -f k8s/minio/service.yaml -f k8s/minio/statefulset.yaml
 kubectl rollout status statefulset/minio -n reactbin
 kubectl apply -f k8s/minio/init-job.yaml
 ```
 Before applying: substitute real image tags in the Deployment manifests and replace `<your-domain>` in `k8s/ingress.yaml`.
 ### Updating a secret
 1. Update the value in Vault
 2. Force VSO to sync immediately (otherwise waits up to 1 hour):
   ```bash
   kubectl annotate vaultstaticsecret api-secret -n reactbin \
     secrets.hashicorp.com/force-sync=$(date +%s) --overwrite
   ```
 3. Restart the deployment to pick up the new Secret:
   ```bash
   kubectl rollout restart deployment/api -n reactbin
   ```
 ### Validating manifests
 ```bash
 make validate-k8s   # yamllint + kubectl apply --dry-run=client (requires kubeconfig)
 ```
 ---
 ## Environment variables reference
 All variables are read at startup from environment / `.env`.
 | Variable | Default | Notes |
 |----------|---------|-------|
 | `DATABASE_URL` | — | Async DSN: `postgresql+asyncpg://...` |
 | `JWT_SECRET_KEY` | — | Required; use a long random string in production |
 | `JWT_EXPIRY_SECONDS` | `86400` | Token lifetime (24 h) |
 | `OWNER_USERNAME` | — | Single owner account username |
 | `OWNER_PASSWORD` | — | Single owner account password |
 | `S3_ENDPOINT_URL` | — | MinIO or any S3-compatible endpoint |
 | `S3_BUCKET_NAME` | `reactbin` | |
 | `S3_ACCESS_KEY_ID` | — | |
 | `S3_SECRET_ACCESS_KEY` | — | |
 | `S3_REGION` | `us-east-1` | |
 | `MAX_UPLOAD_BYTES` | `52428800` | 50 MiB |
 | `API_BASE_URL` | — | Used for generating public URLs |
 | `API_DOCS_ENABLED` | `true` | Set to `false` in production |
 | `LOGIN_MAX_FAILURES` | `5` | Failed attempts before cooldown |
 | `LOGIN_WINDOW_SECONDS` | `300` | Sliding window for failure count |
 | `LOGIN_COOLDOWN_SECONDS` | `900` | Lock duration after threshold hit |
 | `LOGIN_TRUSTED_PROXY_IPS` | `""` | Comma-separated CIDRs of trusted upstream proxies |
--- a/api/Dockerfile.prod
+++ b/api/Dockerfile.prod
@@ -0,0 +1,55 @@
 # syntax=docker/dockerfile:1
 # ════════════════════════════════════════════════
 # Build stage: install production deps via uv
 # ════════════════════════════════════════════════
 FROM ghcr.io/astral-sh/uv:python3.12-bookworm-slim AS builder
 WORKDIR /app
 ENV UV_COMPILE_BYTECODE=1 \
    UV_LINK_MODE=copy \
    UV_PYTHON_DOWNLOADS=never
 # Layer cache split: deps only (changes rarely)
 COPY pyproject.toml uv.lock ./
 RUN --mount=type=cache,target=/root/.cache/uv \
    uv sync --frozen --no-dev --no-install-project
 # Layer cache split: source (changes often)
 COPY app/ ./app/
 # ════════════════════════════════════════════════
 # Runtime stage: lean image with venv + source
 # ════════════════════════════════════════════════
 FROM python:3.12-slim
 WORKDIR /app
 RUN apt-get update \
    && apt-get install -y --no-install-recommends curl \
    && rm -rf /var/lib/apt/lists/*
 RUN groupadd --system --gid 1001 appgroup \
    && useradd --system --uid 1001 --gid 1001 --no-create-home appuser
 COPY --from=builder --chown=appuser:appgroup /app/.venv /app/.venv
 # Explicitly list every source directory — add new top-level dirs here or they won't exist in prod
 COPY --chown=appuser:appgroup app/ ./app/
 COPY --chown=appuser:appgroup alembic/ ./alembic/
 COPY --chown=appuser:appgroup alembic.ini .
 COPY --chown=appuser:appgroup scripts/ ./scripts/
 USER appuser
 ENV PATH="/app/.venv/bin:$PATH"
 EXPOSE 8000
 HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
    CMD curl -f http://localhost:8000/api/v1/health || exit 1
 CMD ["uvicorn", "app.main:app", \
     "--host", "0.0.0.0", \
     "--port", "8000", \
     "--timeout-graceful-shutdown", "30"]
--- a/api/alembic/versions/003_add_short_id.py
+++ b/api/alembic/versions/003_add_short_id.py
@@ -0,0 +1,24 @@
 """add short_id column to images
 Revision ID: 003
 Revises: 002
 Create Date: 2026-05-09
 """
 from alembic import op
 import sqlalchemy as sa
 revision = "003"
 down_revision = "002"
 branch_labels = None
 depends_on = None
 def upgrade() -> None:
    op.add_column("images", sa.Column("short_id", sa.String(8), nullable=True))
    op.create_index("ix_images_short_id", "images", ["short_id"], unique=True)
 def downgrade() -> None:
    op.drop_index("ix_images_short_id", table_name="images")
    op.drop_column("images", "short_id")
--- a/api/alembic/versions/004_short_id_not_null.py
+++ b/api/alembic/versions/004_short_id_not_null.py
@@ -0,0 +1,24 @@
 """set short_id NOT NULL on images
 Revision ID: 004
 Revises: 003
 Create Date: 2026-05-09
 IMPORTANT: Run migrate_to_short_ids.py script BEFORE applying this migration.
 This migration will fail if any rows still have short_id IS NULL.
 """
 from alembic import op
 revision = "004"
 down_revision = "003"
 branch_labels = None
 depends_on = None
 def upgrade() -> None:
    op.alter_column("images", "short_id", nullable=False)
 def downgrade() -> None:
    op.alter_column("images", "short_id", nullable=True)
--- a/api/app/auth/rate_limiter.py
+++ b/api/app/auth/rate_limiter.py
@@ -0,0 +1,99 @@
 import ipaddress
 import logging
 import time
 from dataclasses import dataclass, field
 from ipaddress import IPv4Network, IPv6Network
 from threading import Lock
 from starlette.requests import Request
 logger = logging.getLogger(__name__)
 def get_client_ip(
    request: Request,
    trusted_networks: list[IPv4Network | IPv6Network],
 ) -> str:
    """Return the resolved client IP.
    Prefers X-Real-IP over X-Forwarded-For when the TCP peer is a trusted
    proxy. ingress-nginx sets X-Real-IP via its realip module using an
    authoritative CIDR allowlist; it overwrites any client-supplied value, so
    it cannot be spoofed via XFF injection. XFF[0] is the fallback for paths
    that lack nginx (none currently exist, but kept for defence in depth).
    """
    peer = request.client.host if request.client else "unknown"
    if trusted_networks and peer != "unknown":
        try:
            peer_addr = ipaddress.ip_address(peer)
            if any(peer_addr in net for net in trusted_networks):
                real_ip = request.headers.get("X-Real-IP", "").strip()
                if real_ip:
                    return real_ip
                # XFF[0] fallback — warn because this path should not be
                # reached in production (nginx always sets X-Real-IP).
                xff = request.headers.get("X-Forwarded-For", "").split(",")[0].strip()
                if xff:
                    logger.warning(
                        "X-Real-IP absent from trusted peer %s; falling back to XFF[0]", peer
                    )
                    return xff
        except ValueError:
            pass
    return peer
@dataclass
 class _Record:
    failures: int = 0
    window_start: float = field(default_factory=time.time)
    blocked_until: float = 0.0
 class LoginRateLimiter:
    def __init__(
        self,
        max_failures: int = 5,
        window_seconds: int = 300,
        cooldown_seconds: int = 900,
    ) -> None:
        self._max = max_failures
        self._window = window_seconds
        self._cooldown = cooldown_seconds
        self._store: dict[str, _Record] = {}
        self._lock = Lock()
    @property
    def cooldown_seconds(self) -> int:
        return self._cooldown
    def is_blocked(self, ip: str) -> bool:
        now = time.time()
        with self._lock:
            rec = self._store.get(ip)
            if rec is None:
                return False
            if rec.blocked_until > now:
                return True
            if rec.blocked_until > 0:
                del self._store[ip]
            return False
    def record_failure(self, ip: str) -> None:
        now = time.time()
        with self._lock:
            rec = self._store.get(ip)
            if rec is None:
                rec = _Record(window_start=now)
                self._store[ip] = rec
            if now - rec.window_start > self._window:
                rec.failures = 0
                rec.window_start = now
            rec.failures += 1
            if rec.failures >= self._max:
                rec.blocked_until = now + self._cooldown
                logger.warning("Login blocked for %s after %d failures", ip, rec.failures)
    def record_success(self, ip: str) -> None:
        with self._lock:
            self._store.pop(ip, None)
--- a/api/app/config.py
+++ b/api/app/config.py
@@ -1,5 +1,6 @@
 from functools import lru_cache
 from pydantic import field_validator
 from pydantic_settings import BaseSettings, SettingsConfigDict
@@ -13,11 +14,29 @@ class Settings(BaseSettings):
    s3_secret_access_key: str
    s3_region: str = "us-east-1"
    api_base_url: str = "http://localhost:8000"
    s3_public_base_url: str | None = None
    max_upload_bytes: int = 52_428_800  # 50 MiB
    jwt_secret_key: str
    jwt_expiry_seconds: int = 86400
    owner_username: str
    owner_password: str
    login_max_failures: int = 5
    login_window_seconds: int = 300
    login_cooldown_seconds: int = 900
    login_trusted_proxy_ips: str = ""
    api_docs_enabled: bool = True
    @field_validator("api_docs_enabled", mode="before")
    @classmethod
    def coerce_docs_enabled(cls, v):
        if isinstance(v, bool):
            return v
        try:
            from pydantic import TypeAdapter
            return TypeAdapter(bool).validate_python(v)
        except Exception:
            return True
@lru_cache
--- a/api/app/database.py
+++ b/api/app/database.py
@@ -1,4 +1,4 @@
-from sqlalchemy.ext.asyncio import create_async_engine, AsyncSession, async_sessionmaker
+from sqlalchemy.ext.asyncio import async_sessionmaker, create_async_engine
 from sqlalchemy.orm import DeclarativeBase
 from app.config import get_settings
--- a/api/app/main.py
+++ b/api/app/main.py
@@ -1,17 +1,30 @@
-from contextlib import asynccontextmanager
+import ipaddress
 from contextlib import asynccontextmanager, suppress
 from fastapi import FastAPI, Request
 from fastapi.exceptions import HTTPException
 from fastapi.responses import JSONResponse
 from app.auth.rate_limiter import LoginRateLimiter
 from app.config import get_settings
 from app.database import Base, get_engine
@asynccontextmanager
 async def lifespan(application: FastAPI):
-    get_settings()
+    settings = get_settings()
-    # Verify DB connection and run migrations on startup
+    application.state.login_rate_limiter = LoginRateLimiter(
        max_failures=settings.login_max_failures,
        window_seconds=settings.login_window_seconds,
        cooldown_seconds=settings.login_cooldown_seconds,
    )
    trusted_networks = []
    for part in settings.login_trusted_proxy_ips.split(","):
        part = part.strip()
        if part:
            with suppress(ValueError):
                trusted_networks.append(ipaddress.ip_network(part, strict=False))
    application.state.login_trusted_networks = trusted_networks
    engine = get_engine()
    async with engine.begin() as conn:
        # In production, Alembic handles migrations; this is a dev convenience
@@ -20,7 +33,20 @@ async def lifespan(application: FastAPI):
    await engine.dispose()
-app = FastAPI(title="Reactbin API", version="1.0.0", lifespan=lifespan)
+_settings = get_settings()
 app = FastAPI(
    title="Reactbin API",
    version="1.0.0",
    lifespan=lifespan,
    docs_url="/docs" if _settings.api_docs_enabled else None,
    redoc_url="/redoc" if _settings.api_docs_enabled else None,
    openapi_url="/openapi.json" if _settings.api_docs_enabled else None,
 )
 # Defaults so app.state is populated even when lifespan doesn't run (e.g. tests)
 app.state.login_rate_limiter = LoginRateLimiter()
 app.state.login_trusted_networks = []
@app.exception_handler(HTTPException)
--- a/api/app/models.py
+++ b/api/app/models.py
@@ -1,7 +1,7 @@
 import uuid
-from datetime import datetime, timezone
+from datetime import UTC, datetime
-from sqlalchemy import String, Integer, BigInteger, DateTime, ForeignKey, UniqueConstraint, Index
+from sqlalchemy import BigInteger, DateTime, ForeignKey, Index, Integer, String, UniqueConstraint
 from sqlalchemy.dialects.postgresql import UUID
 from sqlalchemy.orm import Mapped, mapped_column, relationship
@@ -9,7 +9,7 @@ from app.database import Base
 def _utcnow() -> datetime:
-    return datetime.now(timezone.utc)
+    return datetime.now(UTC)
 class Image(Base):
@@ -22,11 +22,16 @@ class Image(Base):
    size_bytes: Mapped[int] = mapped_column(BigInteger, nullable=False)
    width: Mapped[int] = mapped_column(Integer, nullable=False)
    height: Mapped[int] = mapped_column(Integer, nullable=False)
    short_id: Mapped[str | None] = mapped_column(String(8), unique=True, nullable=True, index=True)
    storage_key: Mapped[str] = mapped_column(String(64), nullable=False)
    thumbnail_key: Mapped[str | None] = mapped_column(String(70), nullable=True, default=None)
-    created_at: Mapped[datetime] = mapped_column(DateTime(timezone=True), default=_utcnow, nullable=False)
+    created_at: Mapped[datetime] = mapped_column(
        DateTime(timezone=True), default=_utcnow, nullable=False
    )
-    image_tags: Mapped[list["ImageTag"]] = relationship(back_populates="image", cascade="all, delete-orphan")
+    image_tags: Mapped[list["ImageTag"]] = relationship(
        back_populates="image", cascade="all, delete-orphan"
    )
    @property
    def tags(self) -> list[str]:
@@ -38,7 +43,9 @@ class Tag(Base):
    id: Mapped[uuid.UUID] = mapped_column(UUID(as_uuid=True), primary_key=True, default=uuid.uuid4)
    name: Mapped[str] = mapped_column(String(64), unique=True, nullable=False, index=True)
-    created_at: Mapped[datetime] = mapped_column(DateTime(timezone=True), default=_utcnow, nullable=False)
+    created_at: Mapped[datetime] = mapped_column(
        DateTime(timezone=True), default=_utcnow, nullable=False
    )
    image_tags: Mapped[list["ImageTag"]] = relationship(back_populates="tag")
--- a/api/app/repositories/image_repo.py
+++ b/api/app/repositories/image_repo.py
@@ -1,5 +1,4 @@
 import uuid
 from typing import Optional
 from sqlalchemy import select
 from sqlalchemy.ext.asyncio import AsyncSession
@@ -12,15 +11,27 @@ class ImageRepository:
    def __init__(self, session: AsyncSession) -> None:
        self._session = session
-    async def get_by_hash(self, hash_hex: str) -> Optional[Image]:
+    async def get_by_hash(self, hash_hex: str) -> Image | None:
        result = await self._session.execute(
-            select(Image).where(Image.hash == hash_hex).options(selectinload(Image.image_tags).selectinload(ImageTag.tag))
+            select(Image)
            .where(Image.hash == hash_hex)
            .options(selectinload(Image.image_tags).selectinload(ImageTag.tag))
        )
        return result.scalar_one_or_none()
-    async def get_by_id(self, image_id: uuid.UUID) -> Optional[Image]:
+    async def get_by_id(self, image_id: uuid.UUID) -> Image | None:
        result = await self._session.execute(
-            select(Image).where(Image.id == image_id).options(selectinload(Image.image_tags).selectinload(ImageTag.tag))
+            select(Image)
            .where(Image.id == image_id)
            .options(selectinload(Image.image_tags).selectinload(ImageTag.tag))
        )
        return result.scalar_one_or_none()
    async def get_by_short_id(self, short_id: str) -> Image | None:
        result = await self._session.execute(
            select(Image)
            .where(Image.short_id == short_id)
            .options(selectinload(Image.image_tags).selectinload(ImageTag.tag))
        )
        return result.scalar_one_or_none()
@@ -34,6 +45,7 @@ class ImageRepository:
        width: int,
        height: int,
        storage_key: str,
        short_id: str,
        thumbnail_key: str | None = None,
    ) -> Image:
        image = Image(
@@ -44,6 +56,7 @@ class ImageRepository:
            width=width,
            height=height,
            storage_key=storage_key,
            short_id=short_id,
            thumbnail_key=thumbnail_key,
        )
        self._session.add(image)
@@ -57,7 +70,7 @@ class ImageRepository:
        limit: int = 50,
        offset: int = 0,
    ) -> tuple[list[Image], int]:
-        from sqlalchemy import func, and_
+        from sqlalchemy import func
        base_query = select(Image).options(
            selectinload(Image.image_tags).selectinload(ImageTag.tag)
--- a/api/app/repositories/tag_repo.py
+++ b/api/app/repositories/tag_repo.py
@@ -1,7 +1,7 @@
 import re
 import uuid
-from sqlalchemy import select, func
+from sqlalchemy import func, select
 from sqlalchemy.ext.asyncio import AsyncSession
 from app.models import Image, ImageTag, Tag
@@ -48,9 +48,7 @@ class TagRepository:
        for name in tag_names:
            tag = await self.upsert_by_name(name)
            existing = await self._session.execute(
-                select(ImageTag).where(
+                select(ImageTag).where(ImageTag.image_id == image.id, ImageTag.tag_id == tag.id)
                    ImageTag.image_id == image.id, ImageTag.tag_id == tag.id
                )
            )
            if existing.scalar_one_or_none() is None:
                self._session.add(ImageTag(image_id=image.id, tag_id=tag.id))
@@ -76,6 +74,8 @@ class TagRepository:
        prefix: str | None = None,
        limit: int = 100,
        offset: int = 0,
        sort: str = "name",
        min_count: int = 0,
    ) -> tuple[list[dict], int]:
        count_subq = (
            select(func.count(ImageTag.image_id))
@@ -86,17 +86,20 @@ class TagRepository:
        query = select(Tag, count_subq.label("image_count"))
        if prefix:
-            query = query.where(Tag.name.like(f"{prefix}%"))
+            query = query.where(Tag.name.ilike(f"%{prefix}%"))
        if min_count > 0:
            query = query.where(count_subq >= min_count)
        total_query = select(func.count()).select_from(query.subquery())
        total_result = await self._session.execute(total_query)
        total = total_result.scalar_one()
-        paginated = query.order_by(Tag.name).limit(limit).offset(offset)
+        order = [count_subq.desc(), Tag.name.asc()] if sort == "count_desc" else [Tag.name.asc()]
        paginated = query.order_by(*order).limit(limit).offset(offset)
        rows = await self._session.execute(paginated)
        items = [
-            {"id": str(tag.id), "name": tag.name, "image_count": count}
+            {"id": str(tag.id), "name": tag.name, "image_count": count} for tag, count in rows.all()
            for tag, count in rows.all()
        ]
        return items, total
--- a/api/app/routers/auth.py
+++ b/api/app/routers/auth.py
@@ -1,7 +1,9 @@
-from fastapi import APIRouter, Depends, HTTPException
+from fastapi import APIRouter, Depends, HTTPException, Request
 from fastapi.responses import JSONResponse
 from pydantic import BaseModel
 from app.auth.jwt_provider import JWTAuthProvider
 from app.auth.rate_limiter import LoginRateLimiter, get_client_ip
 from app.dependencies import get_jwt_auth
 router = APIRouter(tags=["auth"])
@@ -19,12 +21,32 @@ class TokenResponse(BaseModel):
@router.post("/auth/token", response_model=TokenResponse)
-async def login(body: LoginRequest, auth: JWTAuthProvider = Depends(get_jwt_auth)):
+async def login(
    request: Request,
    body: LoginRequest,
    auth: JWTAuthProvider = Depends(get_jwt_auth),
 ):
    limiter: LoginRateLimiter = request.app.state.login_rate_limiter
    ip: str = get_client_ip(request, request.app.state.login_trusted_networks)
    if limiter.is_blocked(ip):
        return JSONResponse(
            status_code=429,
            content={
                "detail": "Too many failed login attempts. Please try again later.",
                "code": "login_rate_limited",
            },
            headers={"Retry-After": str(limiter.cooldown_seconds)},
        )
    if not auth.verify_credentials(body.username, body.password):
        limiter.record_failure(ip)
        raise HTTPException(
            status_code=401,
            detail={"detail": "Invalid credentials", "code": "invalid_credentials"},
        )
    limiter.record_success(ip)
    token = auth.create_token()
    return TokenResponse(
        access_token=token,
--- a/api/app/routers/images.py
+++ b/api/app/routers/images.py
@@ -1,7 +1,7 @@
 import asyncio
 import logging
 import re
 import struct
 import uuid
 from typing import Any
 from fastapi import APIRouter, Depends, File, Form, HTTPException, Response, UploadFile
@@ -15,7 +15,7 @@ from app.repositories.image_repo import ImageRepository
 from app.repositories.tag_repo import TagRepository
 from app.storage.backend import StorageBackend
 from app.thumbnail import generate_thumbnail
-from app.utils import compute_sha256
+from app.utils import compute_sha256, generate_short_id
 from app.validation import FileSizeError, MimeTypeError, validate_file_size, validate_mime_type
 logger = logging.getLogger(__name__)
@@ -23,13 +23,35 @@ logger = logging.getLogger(__name__)
 router = APIRouter(tags=["images"])
 _SHORT_ID_RE = re.compile(r"^[a-zA-Z0-9]{8}$")
 def _error(detail: str, code: str, status: int):
    raise HTTPException(status_code=status, detail={"detail": detail, "code": code})
-def _image_to_dict(image: Image, *, duplicate: bool | None = None) -> dict[str, Any]:
+def _validate_short_id(short_id: str) -> str:
    if not _SHORT_ID_RE.match(short_id):
        raise HTTPException(
            status_code=422,
            detail={"detail": "Invalid image ID", "code": "invalid_short_id"},
        )
    return short_id
 def _image_to_dict(
    image: Image, *, cdn_base: str | None = None, duplicate: bool | None = None
 ) -> dict[str, Any]:
    _base = cdn_base.strip().rstrip("/") if cdn_base else None
    file_url = f"{_base}/{image.storage_key}" if _base else f"/api/v1/i/{image.short_id}/file"
    thumbnail_url = (
        (f"{_base}/{image.thumbnail_key}" if _base else f"/api/v1/i/{image.short_id}/thumbnail")
        if image.thumbnail_key
        else None
    )
    data: dict[str, Any] = {
        "id": str(image.id),
        "short_id": image.short_id,
        "hash": image.hash,
        "filename": image.filename,
        "mime_type": image.mime_type,
@@ -38,6 +60,8 @@ def _image_to_dict(image: Image, *, duplicate: bool | None = None) -> dict[str,
        "height": image.height,
        "storage_key": image.storage_key,
        "thumbnail_key": image.thumbnail_key,
        "file_url": file_url,
        "thumbnail_url": thumbnail_url,
        "created_at": image.created_at.isoformat(),
        "tags": image.tags,
    }
@@ -133,10 +157,13 @@ async def upload_image(
    hash_hex = compute_sha256(data)
    image_repo = ImageRepository(db)
    _cdn_base = settings.s3_public_base_url
    existing = await image_repo.get_by_hash(hash_hex)
    if existing:
        return Response(
-            content=__import__("json").dumps(_image_to_dict(existing, duplicate=True)),
+            content=__import__("json").dumps(
                _image_to_dict(existing, cdn_base=_cdn_base, duplicate=True)
            ),
            status_code=200,
            media_type="application/json",
        )
@@ -155,18 +182,24 @@ async def upload_image(
            )
    width, height = _read_image_dimensions(data, mime_type)
-    await storage.put(hash_hex, data, mime_type)
+
    from sqlalchemy.exc import IntegrityError
    for _ in range(10):
        short_id = generate_short_id()
        await storage.put(short_id, data, mime_type)
        thumbnail_key: str | None = None
        try:
            thumb_bytes = await asyncio.to_thread(generate_thumbnail, data, mime_type)
-        await storage.put(f"{hash_hex}-thumb", thumb_bytes, "image/webp")
+            await storage.put(f"{short_id}-thumb", thumb_bytes, "image/webp")
-        thumbnail_key = f"{hash_hex}-thumb"
+            thumbnail_key = f"{short_id}-thumb"
        except Exception:
            logger.warning(
-            "Thumbnail generation failed for %s; upload will proceed without thumbnail", hash_hex
+                "Thumbnail generation failed for %s; proceeding without thumbnail", short_id
            )
        try:
            image = await image_repo.create(
                hash_hex=hash_hex,
                filename=file.filename or "upload",
@@ -174,16 +207,30 @@ async def upload_image(
                size_bytes=len(data),
                width=width,
                height=height,
-        storage_key=hash_hex,
+                storage_key=short_id,
                short_id=short_id,
                thumbnail_key=thumbnail_key,
            )
            break
        except IntegrityError:
            await db.rollback()
            await storage.delete(short_id)
            if thumbnail_key:
                await storage.delete(thumbnail_key)
            thumbnail_key = None
            continue
    else:
        raise HTTPException(
            status_code=500,
            detail={"detail": "Failed to assign unique ID", "code": "id_collision"},
        )
    if tag_names:
        tag_repo = TagRepository(db)
        await tag_repo.attach_tags(image, tag_names)
        image = await image_repo.reload_with_tags(image.id)
-    return _image_to_dict(image, duplicate=False)
+    return _image_to_dict(image, cdn_base=_cdn_base, duplicate=False)
@router.get("/images")
@@ -192,42 +239,48 @@ async def list_images(
    limit: int = 50,
    offset: int = 0,
    db: AsyncSession = Depends(get_db),
    settings=Depends(get_settings),
 ):
    limit = min(limit, 100)
    _cdn_base = settings.s3_public_base_url
    tag_names = [t.strip() for t in tags.split(",") if t.strip()] if tags else None
    image_repo = ImageRepository(db)
    images, total = await image_repo.list_images(tag_names=tag_names, limit=limit, offset=offset)
    return {
-        "items": [_image_to_dict(img) for img in images],
+        "items": [_image_to_dict(img, cdn_base=_cdn_base) for img in images],
        "total": total,
        "limit": limit,
        "offset": offset,
    }
-@router.get("/images/{image_id}")
+@router.get("/i/{short_id}")
 async def get_image(
-    image_id: uuid.UUID,
+    short_id: str,
    db: AsyncSession = Depends(get_db),
    settings=Depends(get_settings),
 ):
    _validate_short_id(short_id)
    _cdn_base = settings.s3_public_base_url
    image_repo = ImageRepository(db)
-    image = await image_repo.get_by_id(image_id)
+    image = await image_repo.get_by_short_id(short_id)
    if not image:
        raise HTTPException(
            status_code=404,
            detail={"detail": "Image not found", "code": "image_not_found"},
        )
-    return _image_to_dict(image)
+    return _image_to_dict(image, cdn_base=_cdn_base)
-@router.get("/images/{image_id}/file")
+@router.get("/i/{short_id}/file")
 async def serve_image_file(
-    image_id: uuid.UUID,
+    short_id: str,
    db: AsyncSession = Depends(get_db),
    storage: StorageBackend = Depends(get_storage),
 ):
    _validate_short_id(short_id)
    image_repo = ImageRepository(db)
-    image = await image_repo.get_by_id(image_id)
+    image = await image_repo.get_by_short_id(short_id)
    if not image:
        raise HTTPException(
            status_code=404,
@@ -250,14 +303,15 @@ async def serve_image_file(
    )
-@router.get("/images/{image_id}/thumbnail")
+@router.get("/i/{short_id}/thumbnail")
 async def serve_image_thumbnail(
-    image_id: uuid.UUID,
+    short_id: str,
    db: AsyncSession = Depends(get_db),
    storage: StorageBackend = Depends(get_storage),
 ):
    _validate_short_id(short_id)
    image_repo = ImageRepository(db)
-    image = await image_repo.get_by_id(image_id)
+    image = await image_repo.get_by_short_id(short_id)
    if not image:
        raise HTTPException(
            status_code=404,
@@ -282,15 +336,18 @@ async def serve_image_thumbnail(
    )
-@router.patch("/images/{image_id}/tags")
+@router.patch("/i/{short_id}/tags")
 async def update_image_tags(
-    image_id: uuid.UUID,
+    short_id: str,
    body: dict,
    db: AsyncSession = Depends(get_db),
    _: Identity = Depends(require_auth),
    settings=Depends(get_settings),
 ):
    _validate_short_id(short_id)
    _cdn_base = settings.s3_public_base_url
    image_repo = ImageRepository(db)
-    image = await image_repo.get_by_id(image_id)
+    image = await image_repo.get_by_short_id(short_id)
    if not image:
        raise HTTPException(
            status_code=404,
@@ -309,18 +366,19 @@ async def update_image_tags(
    await tag_repo.replace_tags_on_image(image, tag_names)
    image = await image_repo.reload_with_tags(image.id)
-    return _image_to_dict(image)
+    return _image_to_dict(image, cdn_base=_cdn_base)
-@router.delete("/images/{image_id}", status_code=204)
+@router.delete("/i/{short_id}", status_code=204)
 async def delete_image(
-    image_id: uuid.UUID,
+    short_id: str,
    db: AsyncSession = Depends(get_db),
    storage: StorageBackend = Depends(get_storage),
    _: Identity = Depends(require_auth),
 ):
    _validate_short_id(short_id)
    image_repo = ImageRepository(db)
-    image = await image_repo.get_by_id(image_id)
+    image = await image_repo.get_by_short_id(short_id)
    if not image:
        raise HTTPException(
            status_code=404,
--- a/api/app/routers/tags.py
+++ b/api/app/routers/tags.py
@@ -12,9 +12,13 @@ async def list_tags(
    q: str | None = None,
    limit: int = 100,
    offset: int = 0,
    sort: str = "name",
    min_count: int = 0,
    db: AsyncSession = Depends(get_db),
 ):
-    limit = min(limit, 200)
+    limit = min(limit, 500)
    tag_repo = TagRepository(db)
-    items, total = await tag_repo.list_tags(prefix=q, limit=limit, offset=offset)
+    items, total = await tag_repo.list_tags(
        prefix=q, limit=limit, offset=offset, sort=sort, min_count=min_count
    )
    return {"items": items, "total": total, "limit": limit, "offset": offset}
--- a/api/app/utils.py
+++ b/api/app/utils.py
@@ -1,5 +1,13 @@
 import hashlib
 import secrets
 import string
 BASE62 = string.ascii_letters + string.digits
 def compute_sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()
 def generate_short_id(length: int = 8) -> str:
    return "".join(secrets.choice(BASE62) for _ in range(length))
--- a/api/pyproject.toml
+++ b/api/pyproject.toml
@@ -30,6 +30,7 @@ dev = [
 [tool.ruff]
 line-length = 100
 target-version = "py312"
 exclude = ["alembic/"]
 [tool.ruff.lint]
 select = ["E", "F", "I", "UP", "B", "SIM"]
--- a/api/scripts/init.py
+++ b/api/scripts/init.py
--- a/api/scripts/migrate_to_short_ids.py
+++ b/api/scripts/migrate_to_short_ids.py
@@ -0,0 +1,107 @@
 """
 Migrate existing images to use short_id-based storage keys.
 Run after applying Alembic migration 003 (adds short_id column).
 Run before applying migration 004 (sets short_id NOT NULL).
 Usage:
    python -m scripts.migrate_to_short_ids
 """
 import asyncio
 import logging
 from typing import Any
 from sqlalchemy import select
 from app.database import get_session_factory
 from app.models import Image
 from app.storage.s3_backend import S3StorageBackend
 from app.utils import generate_short_id
 logger = logging.getLogger(__name__)
 async def migrate_image(image: Any, storage: Any, session: Any) -> bool:
    """Migrate one image to a short_id-based key. Returns True if migrated, False if skipped."""
    if image.short_id is not None:
        return False
    new_short_id = generate_short_id()
    old_key = image.storage_key
    old_thumb_key = image.thumbnail_key
    try:
        data = await storage.get(old_key)
        await storage.put(new_short_id, data, image.mime_type)
        # Verify copy succeeded
        await storage.get(new_short_id)
    except Exception as exc:
        logger.error("Failed to copy storage object for image %s: %s", image.id, exc)
        return False
    new_thumb_key: str | None = None
    if old_thumb_key:
        try:
            thumb_data = await storage.get(old_thumb_key)
            new_thumb_key = f"{new_short_id}-thumb"
            await storage.put(new_thumb_key, thumb_data, "image/webp")
            await storage.get(new_thumb_key)
        except Exception as exc:
            logger.warning("Failed to copy thumbnail for image %s: %s", image.id, exc)
            new_thumb_key = None
    try:
        image.short_id = new_short_id
        image.storage_key = new_short_id
        image.thumbnail_key = new_thumb_key
        await session.flush()
        await storage.delete(old_key)
        if old_thumb_key and new_thumb_key:
            await storage.delete(old_thumb_key)
    except Exception as exc:
        logger.error("Failed to update DB record for image %s: %s", image.id, exc)
        return False
    return True
 async def run_migration(images: list, storage: Any, session: Any) -> tuple[int, int, int]:
    """Process a list of images. Returns (migrated, skipped, failed) counts."""
    migrated = skipped = failed = 0
    for image in images:
        if image.short_id is not None:
            skipped += 1
            continue
        try:
            success = await migrate_image(image, storage, session)
            if success:
                migrated += 1
            else:
                failed += 1
        except Exception as exc:
            logger.error("Unexpected error migrating image %s: %s", image.id, exc)
            failed += 1
    return migrated, skipped, failed
 async def main() -> None:
    logging.basicConfig(level=logging.INFO)
    storage = S3StorageBackend()
    async with get_session_factory()() as session:
        result = await session.execute(select(Image).where(Image.short_id.is_(None)))
        images = list(result.scalars().all())
        logger.info("Found %d images to migrate", len(images))
        migrated, skipped, failed = await run_migration(images, storage, session)
        await session.commit()
    print(f"Migrated: {migrated}, Skipped: {skipped}, Failed: {failed}")
 if __name__ == "__main__":
    asyncio.run(main())
--- a/api/tests/build/.gitkeep
+++ b/api/tests/build/.gitkeep
--- a/api/tests/build/verify_production_image.sh
+++ b/api/tests/build/verify_production_image.sh
@@ -0,0 +1,119 @@
 #!/usr/bin/env bash
 # TDD verification script for api/Dockerfile.prod
 # Fails (red) if Dockerfile.prod does not exist or any check fails.
 set -euo pipefail
 IMAGE="reactbin-api-prod:verify-$$"
 IMAGE2="reactbin-api-prod:verify-cache-$$"
 PG_CONTAINER=""
 APP_CONTAINER=""
 cleanup() {
    [ -n "$APP_CONTAINER" ] && docker rm -f "$APP_CONTAINER" 2>/dev/null || true
    [ -n "$PG_CONTAINER" ] && docker rm -f "$PG_CONTAINER" 2>/dev/null || true
    docker rmi "$IMAGE" 2>/dev/null || true
    docker rmi "$IMAGE2" 2>/dev/null || true
 }
 trap cleanup EXIT
 # ── US1 check 1: build ────────────────────────────────────────────────────────
 echo "[verify] Building $IMAGE..."
 docker build -f api/Dockerfile.prod api/ -t "$IMAGE"
 echo "[verify] Build OK"
 # ── US1 check 2: start with a throwaway postgres ──────────────────────────────
 echo "[verify] Starting postgres..."
 PG_CONTAINER=$(docker run -d \
    -e POSTGRES_DB=reactbin_verify \
    -e POSTGRES_USER=verify \
    -e POSTGRES_PASSWORD=verify \
    postgres:16-alpine)
 for i in $(seq 1 30); do
    if docker exec "$PG_CONTAINER" pg_isready -U verify -q 2>/dev/null; then break; fi
    sleep 1
    if [[ $i -eq 30 ]]; then echo "FAIL: postgres did not become ready"; exit 1; fi
 done
 PG_IP=$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' "$PG_CONTAINER")
 echo "[verify] Starting production container..."
 APP_CONTAINER=$(docker run -d \
    -p 18000:8000 \
    -e JWT_SECRET_KEY=verify-key \
    -e OWNER_USERNAME=testowner \
    -e OWNER_PASSWORD=testpassword \
    -e DATABASE_URL="postgresql+asyncpg://verify:verify@${PG_IP}:5432/reactbin_verify" \
    -e S3_ENDPOINT_URL=http://noop:9000 \
    -e S3_BUCKET_NAME=noop \
    -e S3_ACCESS_KEY_ID=noop \
    -e S3_SECRET_ACCESS_KEY=noop \
    -e S3_REGION=us-east-1 \
    "$IMAGE")
 # ── US1 check 3: health endpoint ──────────────────────────────────────────────
 echo "[verify] Polling health endpoint..."
 for i in $(seq 1 30); do
    if curl -sf http://localhost:18000/api/v1/health > /dev/null; then break; fi
    sleep 1
    if [[ $i -eq 30 ]]; then echo "FAIL: health check timed out after 30s"; exit 1; fi
 done
 echo "[verify] Health check passed"
 # ── US2 check 1: non-root user ────────────────────────────────────────────────
 UID_IN_CONTAINER=$(docker exec "$APP_CONTAINER" id -u)
 if [[ "$UID_IN_CONTAINER" -eq 0 ]]; then
    echo "FAIL: process running as root (UID 0)"; exit 1
 fi
 echo "[verify] Non-root user OK (UID $UID_IN_CONTAINER)"
 # ── C1: stdout/stderr log capture ────────────────────────────────────────────
 LOGS=$(docker logs "$APP_CONTAINER" 2>&1)
 if [[ -z "$LOGS" ]]; then
    echo "FAIL: no output on stdout/stderr"; exit 1
 fi
 if ! echo "$LOGS" | grep -qiE "(started server|application startup complete|uvicorn)"; then
    echo "FAIL: no startup logs found on stdout/stderr"; exit 1
 fi
 echo "[verify] Stdout logging OK"
 # ── US1 check 4: SIGTERM → exit 0 ────────────────────────────────────────────
 docker stop "$APP_CONTAINER" > /dev/null
 EXIT_CODE=$(docker wait "$APP_CONTAINER")
 if [[ "$EXIT_CODE" -ne 0 ]]; then
    echo "FAIL: non-zero exit code $EXIT_CODE after SIGTERM"; exit 1
 fi
 echo "[verify] Graceful shutdown OK (exit $EXIT_CODE)"
 # ── US2 check 2: dev deps absent ─────────────────────────────────────────────
 if docker run --rm "$IMAGE" /app/.venv/bin/python -c "import pytest" 2>/dev/null; then
    echo "FAIL: pytest importable in production image (dev deps present)"; exit 1
 fi
 echo "[verify] Dev deps absent OK"
 # ── C2: no hardcoded secrets in image layers ─────────────────────────────────
 if docker history --no-trunc "$IMAGE" 2>&1 | grep -qiE "(password|secret_key|api_key|token)"; then
    echo "FAIL: potential secret found in image history"; exit 1
 fi
 echo "[verify] No secrets in image layers OK"
 # ── C3: missing env var → non-zero exit ──────────────────────────────────────
 set +e
 docker run --rm -e JWT_SECRET_KEY=verify-key "$IMAGE" 2>/dev/null
 MISSING_ENV_EXIT=$?
 set -e
 if [[ "$MISSING_ENV_EXIT" -eq 0 ]]; then
    echo "FAIL: container exited 0 despite missing OWNER_USERNAME"; exit 1
 fi
 echo "[verify] Missing-env-var exit check OK (exit $MISSING_ENV_EXIT)"
 # ── US3: dep layer cached on source-only rebuild ──────────────────────────────
 echo "[verify] Testing cache hit on source-only rebuild..."
 touch api/app/main.py
 BUILD2_OUTPUT=$(docker build --progress=plain -f api/Dockerfile.prod api/ -t "$IMAGE2" 2>&1)
 if ! echo "$BUILD2_OUTPUT" | grep -q "CACHED"; then
    echo "FAIL: dependency layer not reused on source-only rebuild"; exit 1
 fi
 echo "[verify] Dep layer cache hit confirmed (US3 OK)"
 echo "[verify] All checks passed (US1 + US2 + US3)."
--- a/api/tests/integration/conftest.py
+++ b/api/tests/integration/conftest.py
@@ -1,19 +1,20 @@
 import os
 import pytest
 import pytest_asyncio
-from httpx import AsyncClient, ASGITransport
+from httpx import ASGITransport, AsyncClient
-from sqlalchemy.ext.asyncio import create_async_engine, AsyncSession, async_sessionmaker
+from sqlalchemy.ext.asyncio import async_sessionmaker, create_async_engine
 # Provide required settings for the test environment before any app imports resolve them
 os.environ.setdefault("JWT_SECRET_KEY", "test-secret-key-for-testing-only")
 os.environ.setdefault("OWNER_USERNAME", "testowner")
 os.environ.setdefault("OWNER_PASSWORD", "testpassword")
-from app.main import app
+from app.auth.jwt_provider import JWTAuthProvider  # noqa: E402
-from app.config import get_settings
+from app.config import get_settings  # noqa: E402
-from app.database import Base
+from app.database import Base  # noqa: E402
-from app.dependencies import get_db, get_storage, get_auth
+from app.dependencies import get_auth, get_db, get_storage  # noqa: E402
-from app.auth.jwt_provider import JWTAuthProvider
+from app.main import app  # noqa: E402
 # Bust the LRU cache so get_settings() picks up the env vars set above
 get_settings.cache_clear()
@@ -26,8 +27,6 @@ _TEST_OWNER_PASSWORD = os.environ["OWNER_PASSWORD"]
@pytest_asyncio.fixture(scope="session", loop_scope="session")
 async def engine():
    settings = get_settings()
    # Use a separate test database URL if TEST_DATABASE_URL is set
    import os
    db_url = os.getenv("TEST_DATABASE_URL", settings.database_url)
    eng = create_async_engine(db_url, echo=False)
    async with eng.begin() as conn:
@@ -48,8 +47,8 @@ async def db_session(engine):
@pytest_asyncio.fixture
 async def client(db_session):
    from app.storage.s3_backend import S3StorageBackend
    from app.auth.noop import NoOpAuthProvider
    from app.storage.s3_backend import S3StorageBackend
    storage = S3StorageBackend()
    auth = NoOpAuthProvider()
@@ -108,3 +107,15 @@ async def authed_client(db_session, jwt_auth_provider):
        yield c, valid_token
    app.dependency_overrides.clear()
 def pytest_configure(config):
    db_url = os.getenv("TEST_DATABASE_URL") or os.getenv("DATABASE_URL", "")
    if not db_url.startswith("postgresql+asyncpg://"):
        pytest.exit(
            "Integration tests require a PostgreSQL database "
            "(postgresql+asyncpg://...). "
            "Set TEST_DATABASE_URL or DATABASE_URL accordingly. "
            f"Got: {db_url!r}",
            returncode=1,
        )
--- a/api/tests/integration/test_delete.py
+++ b/api/tests/integration/test_delete.py
@@ -1,10 +1,9 @@
 """
-T065 — DELETE /api/v1/images/{id} → 204; subsequent GET returns 404
+T065 — DELETE /api/v1/i/{short_id} → 204; subsequent GET returns 404
 T066 — DELETE verifies MinIO object is removed
 T067 — DELETE of unknown ID → 404 image_not_found
 """
 import io
 import uuid
 import pytest
 from PIL import Image as PILImage
@@ -19,51 +18,62 @@ def _minimal_jpeg_v2() -> bytes:
@pytest.mark.asyncio
-async def test_delete_removes_record(client):
+async def test_delete_removes_record(authed_client):
    client, token = authed_client
    headers = {"Authorization": f"Bearer {token}"}
    data = _minimal_jpeg_v2()
    upload = await client.post(
        "/api/v1/images",
        files={"file": ("del-test.jpg", io.BytesIO(data), "image/jpeg")},
        headers=headers,
    )
-    image_id = upload.json()["id"]
+    image_id = upload.json()["short_id"]
-    delete_resp = await client.delete(f"/api/v1/images/{image_id}")
+    delete_resp = await client.delete(f"/api/v1/i/{image_id}", headers=headers)
    assert delete_resp.status_code == 204
-    get_resp = await client.get(f"/api/v1/images/{image_id}")
+    get_resp = await client.get(f"/api/v1/i/{image_id}")
    assert get_resp.status_code == 404
    assert get_resp.json()["code"] == "image_not_found"
@pytest.mark.asyncio
-async def test_delete_removes_storage_object(client):
+async def test_delete_removes_storage_object(authed_client):
    client, token = authed_client
    headers = {"Authorization": f"Bearer {token}"}
    data = _minimal_jpeg_v2() + b"\x00"
    upload = await client.post(
        "/api/v1/images",
        files={"file": ("del-storage-test.jpg", io.BytesIO(data), "image/jpeg")},
        headers=headers,
    )
    assert upload.status_code in (200, 201)
-    image_id = upload.json()["id"]
+    image_id = upload.json()["short_id"]
    storage_key = upload.json()["hash"]
-    delete_resp = await client.delete(f"/api/v1/images/{image_id}")
+    delete_resp = await client.delete(f"/api/v1/i/{image_id}", headers=headers)
    assert delete_resp.status_code == 204
    # Confirm storage redirect no longer works (404 since record is gone)
-    file_resp = await client.get(f"/api/v1/images/{image_id}/file")
+    file_resp = await client.get(f"/api/v1/i/{image_id}/file")
    assert file_resp.status_code == 404
@pytest.mark.asyncio
-async def test_delete_unknown_id_returns_404(client):
+async def test_delete_unknown_id_returns_404(authed_client):
-    response = await client.delete(f"/api/v1/images/{uuid.uuid4()}")
+    client, token = authed_client
    response = await client.delete(
        "/api/v1/i/NotFound",
        headers={"Authorization": f"Bearer {token}"},
    )
    assert response.status_code == 404
    body = response.json()
    assert body["code"] == "image_not_found"
@pytest.mark.asyncio
-async def test_delete_removes_thumbnail(client):
+async def test_delete_removes_thumbnail(authed_client):
    client, token = authed_client
    headers = {"Authorization": f"Bearer {token}"}
    buf = io.BytesIO()
    PILImage.new("RGB", (200, 150), color=(60, 90, 120)).save(buf, format="JPEG")
    data = buf.getvalue()
@@ -71,14 +81,15 @@ async def test_delete_removes_thumbnail(client):
    upload = await client.post(
        "/api/v1/images",
        files={"file": ("thumb-del.jpg", io.BytesIO(data), "image/jpeg")},
        headers=headers,
    )
    assert upload.status_code == 201
-    image_id = upload.json()["id"]
+    image_id = upload.json()["short_id"]
    assert upload.json()["thumbnail_key"] is not None
-    delete_resp = await client.delete(f"/api/v1/images/{image_id}")
+    delete_resp = await client.delete(f"/api/v1/i/{image_id}", headers=headers)
    assert delete_resp.status_code == 204
-    thumb_resp = await client.get(f"/api/v1/images/{image_id}/thumbnail")
+    thumb_resp = await client.get(f"/api/v1/i/{image_id}/thumbnail")
    assert thumb_resp.status_code == 404
    assert thumb_resp.json()["code"] == "image_not_found"
--- a/api/tests/integration/test_docs_gate.py
+++ b/api/tests/integration/test_docs_gate.py
@@ -0,0 +1,48 @@
 import importlib
 from starlette.testclient import TestClient
 from app.config import get_settings
 _BASE_ENV = {
    "DATABASE_URL": "postgresql+asyncpg://u:p@localhost/db",
    "JWT_SECRET_KEY": "test-secret",
    "OWNER_USERNAME": "admin",
    "OWNER_PASSWORD": "password",
    "S3_ENDPOINT_URL": "http://localhost:9000",
    "S3_BUCKET_NAME": "test-bucket",
    "S3_ACCESS_KEY_ID": "key",
    "S3_SECRET_ACCESS_KEY": "secret",
 }
 def _set_env(monkeypatch, extra=None):
    for k, v in {**_BASE_ENV, **(extra or {})}.items():
        monkeypatch.setenv(k, v)
 def test_docs_hidden_when_flag_disabled(monkeypatch):
    _set_env(monkeypatch, {"API_DOCS_ENABLED": "false"})
    get_settings.cache_clear()
    import app.main as m
    importlib.reload(m)
    client = TestClient(m.app, raise_server_exceptions=False)
    assert client.get("/docs").status_code == 404
    assert client.get("/redoc").status_code == 404
    assert client.get("/openapi.json").status_code == 404
    assert client.get("/api/v1/health").status_code == 200
    get_settings.cache_clear()
 def test_docs_visible_when_flag_enabled(monkeypatch):
    _set_env(monkeypatch, {"API_DOCS_ENABLED": "true"})
    get_settings.cache_clear()
    import app.main as m
    importlib.reload(m)
    client = TestClient(m.app, raise_server_exceptions=False)
    assert client.get("/docs").status_code == 200
    assert client.get("/redoc").status_code == 200
    assert client.get("/openapi.json").status_code == 200
    get_settings.cache_clear()
--- a/api/tests/integration/test_login_rate_limit.py
+++ b/api/tests/integration/test_login_rate_limit.py
@@ -0,0 +1,121 @@
 import os
 import pytest
 from httpx import AsyncClient
 from app.auth.rate_limiter import LoginRateLimiter
 from app.main import app
 BAD_CREDS = {"username": "attacker", "password": "wrong"}
 VALID_CREDS = {
    "username": os.environ.get("OWNER_USERNAME", "testowner"),
    "password": os.environ.get("OWNER_PASSWORD", "testpassword"),
 }
 def _fresh_limiter():
    return LoginRateLimiter(max_failures=3, window_seconds=60, cooldown_seconds=30)
@pytest.mark.asyncio
 async def test_repeated_failures_trigger_429(client: AsyncClient):
    original_limiter = app.state.login_rate_limiter
    original_networks = app.state.login_trusted_networks
    app.state.login_rate_limiter = _fresh_limiter()
    app.state.login_trusted_networks = []
    try:
        for _ in range(3):
            await client.post("/api/v1/auth/token", json=BAD_CREDS)
        resp = await client.post("/api/v1/auth/token", json=BAD_CREDS)
        assert resp.status_code == 429
        assert resp.json()["code"] == "login_rate_limited"
    finally:
        app.state.login_rate_limiter = original_limiter
        app.state.login_trusted_networks = original_networks
@pytest.mark.asyncio
 async def test_success_resets_counter(client: AsyncClient):
    original_limiter = app.state.login_rate_limiter
    original_networks = app.state.login_trusted_networks
    app.state.login_rate_limiter = _fresh_limiter()
    app.state.login_trusted_networks = []
    try:
        for _ in range(2):
            await client.post("/api/v1/auth/token", json=BAD_CREDS)
        await client.post("/api/v1/auth/token", json=VALID_CREDS)
        for _ in range(3):
            resp = await client.post("/api/v1/auth/token", json=BAD_CREDS)
            assert resp.status_code == 401, "counter should have reset after success"
    finally:
        app.state.login_rate_limiter = original_limiter
        app.state.login_trusted_networks = original_networks
@pytest.mark.asyncio
 async def test_429_has_retry_after_header(client: AsyncClient):
    original_limiter = app.state.login_rate_limiter
    original_networks = app.state.login_trusted_networks
    app.state.login_rate_limiter = _fresh_limiter()
    app.state.login_trusted_networks = []
    try:
        for _ in range(3):
            await client.post("/api/v1/auth/token", json=BAD_CREDS)
        resp = await client.post("/api/v1/auth/token", json=BAD_CREDS)
        assert resp.status_code == 429
        assert "Retry-After" in resp.headers
        assert int(resp.headers["Retry-After"]) > 0
    finally:
        app.state.login_rate_limiter = original_limiter
        app.state.login_trusted_networks = original_networks
@pytest.mark.asyncio
 async def test_429_body_shape(client: AsyncClient):
    original_limiter = app.state.login_rate_limiter
    original_networks = app.state.login_trusted_networks
    app.state.login_rate_limiter = _fresh_limiter()
    app.state.login_trusted_networks = []
    try:
        for _ in range(3):
            await client.post("/api/v1/auth/token", json=BAD_CREDS)
        resp = await client.post("/api/v1/auth/token", json=BAD_CREDS)
        assert resp.status_code == 429
        assert resp.json() == {
            "detail": "Too many failed login attempts. Please try again later.",
            "code": "login_rate_limited",
        }
    finally:
        app.state.login_rate_limiter = original_limiter
        app.state.login_trusted_networks = original_networks
@pytest.mark.asyncio
 async def test_xff_header_ignored_when_no_trusted_networks(client: AsyncClient):
    original_limiter = app.state.login_rate_limiter
    original_networks = app.state.login_trusted_networks
    app.state.login_rate_limiter = _fresh_limiter()
    app.state.login_trusted_networks = []
    try:
        # Send 3 failures all claiming to be "1.2.3.4" via XFF
        for _ in range(3):
            await client.post(
                "/api/v1/auth/token",
                json=BAD_CREDS,
                headers={"X-Forwarded-For": "1.2.3.4"},
            )
        # 4th request with a *different* XFF — if XFF were trusted, this
        # would appear to be a fresh IP and get 401. Since XFF is ignored,
        # the real peer ("testclient") is blocked and we get 429.
        resp = await client.post(
            "/api/v1/auth/token",
            json=BAD_CREDS,
            headers={"X-Forwarded-For": "9.9.9.9"},
        )
        assert resp.status_code == 429, (
            "XFF should be ignored when no trusted networks are configured; "
            "expected real peer to be blocked"
        )
    finally:
        app.state.login_rate_limiter = original_limiter
        app.state.login_trusted_networks = original_networks
--- a/api/tests/integration/test_protected.py
+++ b/api/tests/integration/test_protected.py
@@ -3,7 +3,6 @@ Tests that write endpoints require authentication (US2).
 These use the authed_client fixture which wires JWTAuthProvider.
 """
 import io
 import uuid
 import pytest
@@ -42,8 +41,7 @@ async def test_upload_with_valid_token_succeeds(authed_client):
@pytest.mark.asyncio
 async def test_delete_without_token_returns_401(authed_client):
    client, _ = authed_client
-    fake_id = uuid.uuid4()
+    response = await client.delete("/api/v1/i/NotFound")
    response = await client.delete(f"/api/v1/images/{fake_id}")
    assert response.status_code == 401
    assert response.json().get("code") == "unauthorized"
@@ -57,9 +55,9 @@ async def test_delete_with_valid_token_succeeds(authed_client):
        files={"file": ("del-protected.jpg", io.BytesIO(data), "image/jpeg")},
        headers={"Authorization": f"Bearer {token}"},
    )
-    image_id = upload.json()["id"]
+    image_id = upload.json()["short_id"]
    response = await client.delete(
-        f"/api/v1/images/{image_id}",
+        f"/api/v1/i/{image_id}",
        headers={"Authorization": f"Bearer {token}"},
    )
    assert response.status_code == 204
@@ -68,9 +66,8 @@ async def test_delete_with_valid_token_succeeds(authed_client):
@pytest.mark.asyncio
 async def test_patch_tags_without_token_returns_401(authed_client):
    client, _ = authed_client
    fake_id = uuid.uuid4()
    response = await client.patch(
-        f"/api/v1/images/{fake_id}/tags",
+        "/api/v1/i/NotFound/tags",
        json={"tags": ["a"]},
    )
    assert response.status_code == 401
@@ -86,9 +83,9 @@ async def test_patch_tags_with_valid_token_succeeds(authed_client):
        files={"file": ("tag-protected.jpg", io.BytesIO(data), "image/jpeg")},
        headers={"Authorization": f"Bearer {token}"},
    )
-    image_id = upload.json()["id"]
+    image_id = upload.json()["short_id"]
    response = await client.patch(
-        f"/api/v1/images/{image_id}/tags",
+        f"/api/v1/i/{image_id}/tags",
        json={"tags": ["protected-tag"]},
        headers={"Authorization": f"Bearer {token}"},
    )
--- a/api/tests/integration/test_public_access.py
+++ b/api/tests/integration/test_public_access.py
@@ -3,7 +3,6 @@ US3 regression tests: all read endpoints must remain accessible without a token
 even after require_auth is applied to write endpoints.
 """
 import io
 import uuid
 import pytest
@@ -31,8 +30,8 @@ async def test_get_image_without_token_is_200(authed_client):
        files={"file": ("pub-test.jpg", io.BytesIO(data), "image/jpeg")},
        headers={"Authorization": f"Bearer {token}"},
    )
-    image_id = upload.json()["id"]
+    image_id = upload.json()["short_id"]
-    response = await client.get(f"/api/v1/images/{image_id}")
+    response = await client.get(f"/api/v1/i/{image_id}")
    assert response.status_code == 200
@@ -45,8 +44,8 @@ async def test_serve_file_without_token_is_200(authed_client):
        files={"file": ("pub-file.jpg", io.BytesIO(data), "image/jpeg")},
        headers={"Authorization": f"Bearer {token}"},
    )
-    image_id = upload.json()["id"]
+    image_id = upload.json()["short_id"]
-    response = await client.get(f"/api/v1/images/{image_id}/file")
+    response = await client.get(f"/api/v1/i/{image_id}/file")
    assert response.status_code == 200
@@ -59,8 +58,8 @@ async def test_serve_thumbnail_without_token_is_200(authed_client):
        files={"file": ("pub-thumb.jpg", io.BytesIO(data), "image/jpeg")},
        headers={"Authorization": f"Bearer {token}"},
    )
-    image_id = upload.json()["id"]
+    image_id = upload.json()["short_id"]
-    response = await client.get(f"/api/v1/images/{image_id}/thumbnail")
+    response = await client.get(f"/api/v1/i/{image_id}/thumbnail")
    assert response.status_code == 200
--- a/api/tests/integration/test_search.py
+++ b/api/tests/integration/test_search.py
@@ -3,6 +3,7 @@ T041 — GET /api/v1/images?tags=cat,funny → only images with both tags
 T042 — same query excludes images with only one matching tag
 """
 import io
 import pytest
@@ -15,7 +16,9 @@ def _minimal_gif() -> bytes:
@pytest.mark.asyncio
-async def test_and_filter_returns_only_matching_images(client):
+async def test_and_filter_returns_only_matching_images(authed_client):
    client, token = authed_client
    headers = {"Authorization": f"Bearer {token}"}
    data = _minimal_gif()
    # Image with both tags
@@ -23,6 +26,7 @@ async def test_and_filter_returns_only_matching_images(client):
        "/api/v1/images",
        files={"file": ("both.gif", io.BytesIO(data), "image/gif")},
        data={"tags": "andcat,andfunny"},
        headers=headers,
    )
    both_id = r_both.json()["id"]
@@ -31,6 +35,7 @@ async def test_and_filter_returns_only_matching_images(client):
        "/api/v1/images",
        files={"file": ("one.gif", io.BytesIO(data + b"\x00"), "image/gif")},
        data={"tags": "andcat"},
        headers=headers,
    )
    response = await client.get("/api/v1/images?tags=andcat,andfunny")
@@ -42,7 +47,9 @@ async def test_and_filter_returns_only_matching_images(client):
@pytest.mark.asyncio
-async def test_filter_excludes_partial_tag_match(client):
+async def test_filter_excludes_partial_tag_match(authed_client):
    client, token = authed_client
    headers = {"Authorization": f"Bearer {token}"}
    data = _minimal_gif()
    # Image with only "exclcat"
@@ -50,6 +57,7 @@ async def test_filter_excludes_partial_tag_match(client):
        "/api/v1/images",
        files={"file": ("partial.gif", io.BytesIO(data + b"\x01"), "image/gif")},
        data={"tags": "exclcat"},
        headers=headers,
    )
    # Filter requires both exclcat and exclother
--- a/api/tests/integration/test_serving.py
+++ b/api/tests/integration/test_serving.py
@@ -1,10 +1,9 @@
 """
-T055 — GET /api/v1/images/{id}/file → 200 with binary content, ETag, Cache-Control
+T055 — GET /api/v1/i/{short_id}/file → 200 with binary content, ETag, Cache-Control
 T056 — /file for unknown ID → 404 image_not_found
 T057 — /file response exposes no storage-specific details
 """
 import io
 import uuid
 import pytest
 from PIL import Image as PILImage
@@ -29,18 +28,20 @@ def _minimal_webp() -> bytes:
@pytest.mark.asyncio
-async def test_file_returns_200_with_content(client):
+async def test_file_returns_200_with_content(authed_client):
    client, token = authed_client
    data = _minimal_webp()
    upload = await client.post(
        "/api/v1/images",
        files={"file": ("img.webp", io.BytesIO(data), "image/webp")},
        headers={"Authorization": f"Bearer {token}"},
    )
    assert upload.status_code in (200, 201)
    upload_body = upload.json()
-    image_id = upload_body["id"]
+    image_id = upload_body["short_id"]
    image_hash = upload_body["hash"]
-    response = await client.get(f"/api/v1/images/{image_id}/file")
+    response = await client.get(f"/api/v1/i/{image_id}/file")
    assert response.status_code == 200
    assert response.headers["content-type"].startswith("image/")
    assert response.headers["etag"] == f'"{image_hash}"'
@@ -50,23 +51,25 @@ async def test_file_returns_200_with_content(client):
@pytest.mark.asyncio
 async def test_file_unknown_id_returns_404(client):
-    response = await client.get(f"/api/v1/images/{uuid.uuid4()}/file")
+    response = await client.get("/api/v1/i/NotFound/file")
    assert response.status_code == 404
    body = response.json()
    assert body["code"] == "image_not_found"
@pytest.mark.asyncio
-async def test_file_response_exposes_no_storage_details(client):
+async def test_file_response_exposes_no_storage_details(authed_client):
    client, token = authed_client
    data = _minimal_webp()
    upload = await client.post(
        "/api/v1/images",
        files={"file": ("img.webp", io.BytesIO(data), "image/webp")},
        headers={"Authorization": f"Bearer {token}"},
    )
    assert upload.status_code in (200, 201)
-    image_id = upload.json()["id"]
+    image_id = upload.json()["short_id"]
-    response = await client.get(f"/api/v1/images/{image_id}/file")
+    response = await client.get(f"/api/v1/i/{image_id}/file")
    assert response.status_code == 200
    assert "location" not in response.headers
    assert "minio" not in response.text.lower()
@@ -75,18 +78,20 @@ async def test_file_response_exposes_no_storage_details(client):
@pytest.mark.asyncio
-async def test_thumbnail_returns_webp(client):
+async def test_thumbnail_returns_webp(authed_client):
    client, token = authed_client
    data = _real_jpeg()
    upload = await client.post(
        "/api/v1/images",
        files={"file": ("t.jpg", io.BytesIO(data), "image/jpeg")},
        headers={"Authorization": f"Bearer {token}"},
    )
    assert upload.status_code == 201
    body = upload.json()
-    image_id = body["id"]
+    image_id = body["short_id"]
    image_hash = body["hash"]
-    response = await client.get(f"/api/v1/images/{image_id}/thumbnail")
+    response = await client.get(f"/api/v1/i/{image_id}/thumbnail")
    assert response.status_code == 200
    assert response.headers["content-type"] == "image/webp"
    assert response.headers["etag"] == f'"{image_hash}"'
@@ -95,22 +100,24 @@ async def test_thumbnail_returns_webp(client):
@pytest.mark.asyncio
-async def test_thumbnail_fallback_returns_original(client, db_session):
+async def test_thumbnail_fallback_returns_original(authed_client, db_session):
    client, token = authed_client
    data = _real_jpeg()
    upload = await client.post(
        "/api/v1/images",
        files={"file": ("fallback.jpg", io.BytesIO(data), "image/jpeg")},
        headers={"Authorization": f"Bearer {token}"},
    )
    assert upload.status_code == 201
-    image_id = upload.json()["id"]
+    image_id = upload.json()["short_id"]
    await db_session.execute(
-        update(Image).where(Image.id == uuid.UUID(image_id)).values(thumbnail_key=None)
+        update(Image).where(Image.short_id == image_id).values(thumbnail_key=None)
    )
    await db_session.flush()
    db_session.expire_all()
-    response = await client.get(f"/api/v1/images/{image_id}/thumbnail")
+    response = await client.get(f"/api/v1/i/{image_id}/thumbnail")
    assert response.status_code == 200
    assert "image/jpeg" in response.headers["content-type"]
    assert len(response.content) > 0
@@ -118,7 +125,7 @@ async def test_thumbnail_fallback_returns_original(client, db_session):
@pytest.mark.asyncio
 async def test_thumbnail_unknown_id_returns_404(client):
-    response = await client.get(f"/api/v1/images/{uuid.uuid4()}/thumbnail")
+    response = await client.get("/api/v1/i/NotFound/thumbnail")
    assert response.status_code == 404
    body = response.json()
    assert body["code"] == "image_not_found"
--- a/api/tests/integration/test_tags.py
+++ b/api/tests/integration/test_tags.py
@@ -5,13 +5,17 @@ T057 — PATCH replaces tags, old tags unlinked, new tags upserted
 T058 — PATCH with invalid tag → 422 invalid_tag
 T073 — GET /api/v1/tags returns all tags alphabetically with correct image_count
 T074 — GET /api/v1/tags?q=ca returns only tags prefixed "ca"
 T001 — GET /api/v1/tags?sort=count_desc returns tags ordered highest-count-first
 T002 — GET /api/v1/tags?min_count=N excludes tags with image_count < N
 """
 import io
 import pytest
 def _minimal_png() -> bytes:
-    import struct, zlib
+    import struct
    import zlib
    def chunk(name: bytes, data: bytes) -> bytes:
        c = name + data
        return struct.pack(">I", len(data)) + c + struct.pack(">I", zlib.crc32(c) & 0xFFFFFFFF)
@@ -27,12 +31,14 @@ def _minimal_png() -> bytes:
@pytest.mark.asyncio
-async def test_upload_with_tags_persists_tags(client):
+async def test_upload_with_tags_persists_tags(authed_client):
    client, token = authed_client
    data = _minimal_png()
    response = await client.post(
        "/api/v1/images",
        files={"file": ("img.png", io.BytesIO(data), "image/png")},
        data={"tags": "cat,funny"},
        headers={"Authorization": f"Bearer {token}"},
    )
    assert response.status_code == 201
    body = response.json()
@@ -40,12 +46,15 @@ async def test_upload_with_tags_persists_tags(client):
@pytest.mark.asyncio
-async def test_duplicate_upload_tags_unchanged(client):
+async def test_duplicate_upload_tags_unchanged(authed_client):
    client, token = authed_client
    headers = {"Authorization": f"Bearer {token}"}
    data = _minimal_png()
    r1 = await client.post(
        "/api/v1/images",
        files={"file": ("img.png", io.BytesIO(data), "image/png")},
        data={"tags": "original-tag"},
        headers=headers,
    )
    assert r1.status_code in (200, 201)
    original_tags = set(r1.json()["tags"])
@@ -54,6 +63,7 @@ async def test_duplicate_upload_tags_unchanged(client):
        "/api/v1/images",
        files={"file": ("img.png", io.BytesIO(data), "image/png")},
        data={"tags": "different-tag"},
        headers=headers,
    )
    assert r2.status_code == 200
    assert r2.json()["duplicate"] is True
@@ -61,18 +71,22 @@ async def test_duplicate_upload_tags_unchanged(client):
@pytest.mark.asyncio
-async def test_patch_replaces_tag_set(client):
+async def test_patch_replaces_tag_set(authed_client):
    client, token = authed_client
    headers = {"Authorization": f"Bearer {token}"}
    data = _minimal_png()
    r1 = await client.post(
        "/api/v1/images",
        files={"file": ("patch-test.png", io.BytesIO(data), "image/png")},
        data={"tags": "old-tag"},
        headers=headers,
    )
-    image_id = r1.json()["id"]
+    image_id = r1.json()["short_id"]
    patch = await client.patch(
-        f"/api/v1/images/{image_id}/tags",
+        f"/api/v1/i/{image_id}/tags",
        json={"tags": ["new-tag", "another"]},
        headers=headers,
    )
    assert patch.status_code == 200
    body = patch.json()
@@ -81,17 +95,21 @@ async def test_patch_replaces_tag_set(client):
@pytest.mark.asyncio
-async def test_patch_invalid_tag_returns_422(client):
+async def test_patch_invalid_tag_returns_422(authed_client):
    client, token = authed_client
    headers = {"Authorization": f"Bearer {token}"}
    data = _minimal_png()
    r1 = await client.post(
        "/api/v1/images",
        files={"file": ("invalid-tag-test.png", io.BytesIO(data), "image/png")},
        headers=headers,
    )
-    image_id = r1.json()["id"]
+    image_id = r1.json()["short_id"]
    patch = await client.patch(
-        f"/api/v1/images/{image_id}/tags",
+        f"/api/v1/i/{image_id}/tags",
        json={"tags": ["valid", "INVALID TAG WITH SPACES!"]},
        headers=headers,
    )
    assert patch.status_code == 422
    body = patch.json()
@@ -99,12 +117,14 @@ async def test_patch_invalid_tag_returns_422(client):
@pytest.mark.asyncio
-async def test_list_tags_alphabetical_with_counts(client):
+async def test_list_tags_alphabetical_with_counts(authed_client):
    client, token = authed_client
    data = _minimal_png()
    await client.post(
        "/api/v1/images",
        files={"file": ("tag-list-test.png", io.BytesIO(data), "image/png")},
        data={"tags": "zebra,apple"},
        headers={"Authorization": f"Bearer {token}"},
    )
    response = await client.get("/api/v1/tags")
    assert response.status_code == 200
@@ -117,12 +137,14 @@ async def test_list_tags_alphabetical_with_counts(client):
@pytest.mark.asyncio
-async def test_list_tags_prefix_filter(client):
+async def test_list_tags_prefix_filter(authed_client):
    client, token = authed_client
    data = _minimal_png()
    await client.post(
        "/api/v1/images",
        files={"file": ("prefix-test.png", io.BytesIO(data), "image/png")},
        data={"tags": "cat,catfish,caterpillar,dog"},
        headers={"Authorization": f"Bearer {token}"},
    )
    response = await client.get("/api/v1/tags?q=cat")
    assert response.status_code == 200
@@ -130,3 +152,70 @@ async def test_list_tags_prefix_filter(client):
    for item in body["items"]:
        assert item["name"].startswith("cat")
    assert not any(item["name"] == "dog" for item in body["items"])
 def _unique_png(seed: int) -> bytes:
    """Generate a 1x1 PNG with a seed-determined pixel so each seed produces a distinct hash."""
    import struct
    import zlib
    def chunk(name: bytes, data: bytes) -> bytes:
        c = name + data
        return struct.pack(">I", len(data)) + c + struct.pack(">I", zlib.crc32(c) & 0xFFFFFFFF)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    r, g, b = (seed * 37) % 256, (seed * 53) % 256, (seed * 71) % 256
    idat_data = zlib.compress(bytes([0, r, g, b]))
    return (
        b"\x89PNG\r\n\x1a\n"
        + chunk(b"IHDR", ihdr)
        + chunk(b"IDAT", idat_data)
        + chunk(b"IEND", b"")
    )
@pytest.mark.asyncio
 async def test_list_tags_sort_count_desc(authed_client):
    client, token = authed_client
    headers = {"Authorization": f"Bearer {token}"}
    # popular-sort-tag appears on 2 images, rare-sort-tag on 1 — verify count_desc ordering
    for seed in (100, 101):
        await client.post(
            "/api/v1/images",
            files={"file": (f"sort-{seed}.png", io.BytesIO(_unique_png(seed)), "image/png")},
            data={"tags": "popular-sort-tag,rare-sort-tag" if seed == 100 else "popular-sort-tag"},
            headers=headers,
        )
    response = await client.get("/api/v1/tags?sort=count_desc")
    assert response.status_code == 200
    items = response.json()["items"]
    sort_items = [i for i in items if i["name"] in ("popular-sort-tag", "rare-sort-tag")]
    assert len(sort_items) == 2
    # popular-sort-tag (count=2) must come before rare-sort-tag (count=1)
    names = [i["name"] for i in sort_items]
    assert names.index("popular-sort-tag") < names.index("rare-sort-tag")
    # Counts must be non-increasing
    counts = [i["image_count"] for i in items]
    assert counts == sorted(counts, reverse=True)
@pytest.mark.asyncio
 async def test_list_tags_min_count_excludes_below_threshold(authed_client):
    client, token = authed_client
    headers = {"Authorization": f"Bearer {token}"}
    # common-min-tag appears on 2 images, uncommon-min-tag on 1
    for seed in (200, 201):
        await client.post(
            "/api/v1/images",
            files={"file": (f"min-{seed}.png", io.BytesIO(_unique_png(seed)), "image/png")},
            data={"tags": "common-min-tag,uncommon-min-tag" if seed == 200 else "common-min-tag"},
            headers=headers,
        )
    # min_count=2 should exclude uncommon-min-tag (count=1) but keep common-min-tag (count=2)
    response = await client.get("/api/v1/tags?min_count=2")
    assert response.status_code == 200
    items = response.json()["items"]
    names = [i["name"] for i in items]
    assert "common-min-tag" in names
    assert "uncommon-min-tag" not in names
    # All returned tags must have image_count >= 2
    for item in items:
        assert item["image_count"] >= 2
--- a/api/tests/integration/test_upload.py
+++ b/api/tests/integration/test_upload.py
@@ -3,9 +3,10 @@ T026 — valid JPEG upload → 201, record in DB, object in MinIO
 T027 — same image uploaded twice → 200, duplicate: true, no second MinIO object
 T028 — invalid MIME type → 422 invalid_mime_type (error envelope with code field)
 T029 — file > MAX_UPLOAD_BYTES → 422 file_too_large
-T079 — GET /api/v1/images/{id} 404 → error envelope shape
+T013 — upload produces short_id; storage_key equals short_id; thumbnail_key = {short_id}-thumb
 """
 import io
 import re
 from unittest.mock import patch
 import pytest
@@ -27,11 +28,13 @@ def _minimal_jpeg() -> bytes:
@pytest.mark.asyncio
-async def test_upload_new_image_returns_201(client):
+async def test_upload_new_image_returns_201(authed_client):
    client, token = authed_client
    data = _minimal_jpeg()
    response = await client.post(
        "/api/v1/images",
        files={"file": ("test.jpg", io.BytesIO(data), "image/jpeg")},
        headers={"Authorization": f"Bearer {token}"},
    )
    assert response.status_code == 201
    body = response.json()
@@ -44,12 +47,15 @@ async def test_upload_new_image_returns_201(client):
@pytest.mark.asyncio
-async def test_upload_duplicate_returns_200_with_flag(client):
+async def test_upload_duplicate_returns_200_with_flag(authed_client):
    client, token = authed_client
    data = _minimal_jpeg()
    headers = {"Authorization": f"Bearer {token}"}
    # First upload
    r1 = await client.post(
        "/api/v1/images",
        files={"file": ("test.jpg", io.BytesIO(data), "image/jpeg")},
        headers=headers,
    )
    assert r1.status_code in (200, 201)
@@ -57,6 +63,7 @@ async def test_upload_duplicate_returns_200_with_flag(client):
    r2 = await client.post(
        "/api/v1/images",
        files={"file": ("test.jpg", io.BytesIO(data), "image/jpeg")},
        headers=headers,
    )
    assert r2.status_code == 200
    body = r2.json()
@@ -65,10 +72,12 @@ async def test_upload_duplicate_returns_200_with_flag(client):
@pytest.mark.asyncio
-async def test_upload_invalid_mime_type_returns_422(client):
+async def test_upload_invalid_mime_type_returns_422(authed_client):
    client, token = authed_client
    response = await client.post(
        "/api/v1/images",
        files={"file": ("doc.pdf", io.BytesIO(b"%PDF-1.4"), "application/pdf")},
        headers={"Authorization": f"Bearer {token}"},
    )
    assert response.status_code == 422
    body = response.json()
@@ -77,10 +86,12 @@ async def test_upload_invalid_mime_type_returns_422(client):
@pytest.mark.asyncio
-async def test_upload_oversized_file_returns_422(client):
+async def test_upload_oversized_file_returns_422(authed_client):
    import os
    from app.config import get_settings
    client, token = authed_client
    os.environ["MAX_UPLOAD_BYTES"] = "10"
    get_settings.cache_clear()
@@ -88,6 +99,7 @@ async def test_upload_oversized_file_returns_422(client):
        response = await client.post(
            "/api/v1/images",
            files={"file": ("big.jpg", io.BytesIO(b"x" * 11), "image/jpeg")},
            headers={"Authorization": f"Bearer {token}"},
        )
        assert response.status_code == 422
        body = response.json()
@@ -99,40 +111,117 @@ async def test_upload_oversized_file_returns_422(client):
@pytest.mark.asyncio
 async def test_get_unknown_image_returns_404_with_envelope(client):
-    import uuid
+    response = await client.get("/api/v1/i/NotFound")
    response = await client.get(f"/api/v1/images/{uuid.uuid4()}")
    assert response.status_code == 404
    body = response.json()
    assert body["code"] == "image_not_found"
    assert "detail" in body
 _SHORT_ID_RE = re.compile(r"^[a-zA-Z0-9]{8}$")
@pytest.mark.asyncio
-async def test_upload_returns_thumbnail_key(client):
+async def test_upload_returns_short_id(authed_client):
    client, token = authed_client
    data = _minimal_jpeg()
    response = await client.post(
        "/api/v1/images",
        files={"file": ("s1.jpg", io.BytesIO(data), "image/jpeg")},
        headers={"Authorization": f"Bearer {token}"},
    )
    assert response.status_code == 201
    body = response.json()
    assert "short_id" in body
    assert _SHORT_ID_RE.match(body["short_id"]), f"short_id invalid: {body['short_id']}"
@pytest.mark.asyncio
 async def test_upload_storage_key_equals_short_id(authed_client):
    client, token = authed_client
    data = _real_jpeg(color=(10, 20, 30))
    response = await client.post(
        "/api/v1/images",
        files={"file": ("s2.jpg", io.BytesIO(data), "image/jpeg")},
        headers={"Authorization": f"Bearer {token}"},
    )
    assert response.status_code == 201
    body = response.json()
    assert body["storage_key"] == body["short_id"]
@pytest.mark.asyncio
 async def test_upload_thumbnail_key_equals_short_id_thumb(authed_client):
    client, token = authed_client
    data = _real_jpeg(color=(30, 60, 90))
    response = await client.post(
        "/api/v1/images",
        files={"file": ("s3.jpg", io.BytesIO(data), "image/jpeg")},
        headers={"Authorization": f"Bearer {token}"},
    )
    assert response.status_code == 201
    body = response.json()
    if body["thumbnail_key"] is not None:
        assert body["thumbnail_key"] == f"{body['short_id']}-thumb"
@pytest.mark.asyncio
 async def test_duplicate_upload_returns_same_short_id(authed_client):
    client, token = authed_client
    data = _real_jpeg(color=(200, 100, 50))
    headers = {"Authorization": f"Bearer {token}"}
    r1 = await client.post(
        "/api/v1/images",
        files={"file": ("dup_short.jpg", io.BytesIO(data), "image/jpeg")},
        headers=headers,
    )
    assert r1.status_code in (200, 201)
    r2 = await client.post(
        "/api/v1/images",
        files={"file": ("dup_short.jpg", io.BytesIO(data), "image/jpeg")},
        headers=headers,
    )
    assert r2.status_code == 200
    assert r2.json()["duplicate"] is True
    assert r2.json()["short_id"] == r1.json()["short_id"]
@pytest.mark.asyncio
 async def test_upload_returns_thumbnail_key(authed_client):
    client, token = authed_client
    data = _real_jpeg(color=(100, 150, 200))
    response = await client.post(
        "/api/v1/images",
        files={"file": ("thumb_test.jpg", io.BytesIO(data), "image/jpeg")},
        headers={"Authorization": f"Bearer {token}"},
    )
    assert response.status_code == 201
    body = response.json()
    assert "thumbnail_key" in body
    assert body["thumbnail_key"] is not None
    assert body["thumbnail_key"].endswith("-thumb")
    assert "file_url" in body
    assert body["file_url"].startswith("/api/v1/i/")
    assert "thumbnail_url" in body
    assert body["thumbnail_url"].startswith("/api/v1/i/")
@pytest.mark.asyncio
-async def test_duplicate_upload_reuses_thumbnail_key(client):
+async def test_duplicate_upload_reuses_thumbnail_key(authed_client):
    client, token = authed_client
    headers = {"Authorization": f"Bearer {token}"}
    data = _real_jpeg(color=(200, 100, 50))
    r1 = await client.post(
        "/api/v1/images",
        files={"file": ("dup.jpg", io.BytesIO(data), "image/jpeg")},
        headers=headers,
    )
    assert r1.status_code in (200, 201)
    r2 = await client.post(
        "/api/v1/images",
        files={"file": ("dup.jpg", io.BytesIO(data), "image/jpeg")},
        headers=headers,
    )
    assert r2.status_code == 200
@@ -143,13 +232,18 @@ async def test_duplicate_upload_reuses_thumbnail_key(client):
@pytest.mark.asyncio
-async def test_upload_succeeds_when_thumbnail_fails(client):
+async def test_upload_succeeds_when_thumbnail_fails(authed_client):
    client, token = authed_client
    data = _real_jpeg(color=(50, 200, 150))
    with patch("app.routers.images.generate_thumbnail", side_effect=RuntimeError("simulated")):
        response = await client.post(
            "/api/v1/images",
            files={"file": ("no_thumb.jpg", io.BytesIO(data), "image/jpeg")},
            headers={"Authorization": f"Bearer {token}"},
        )
    assert response.status_code in (200, 201)
    body = response.json()
    assert body["thumbnail_key"] is None
    assert "file_url" in body
    assert body["file_url"].startswith("/api/v1/i/")
    assert body["thumbnail_url"] is None
--- a/api/tests/unit/test_config.py
+++ b/api/tests/unit/test_config.py
@@ -1,7 +1,3 @@
 import os
 import pytest
 _BASE_ENV = {
    "DATABASE_URL": "postgresql+asyncpg://u:p@localhost/db",
    "S3_ENDPOINT_URL": "http://localhost:9000",
@@ -26,7 +22,9 @@ def test_settings_load_from_env(monkeypatch):
    # Import inside test to pick up monkeypatched env
    import importlib
    import app.config as config_module
    importlib.reload(config_module)
    s = config_module.Settings()
@@ -42,7 +40,9 @@ def test_settings_max_upload_bytes_override(monkeypatch):
    _apply_env(monkeypatch, {"MAX_UPLOAD_BYTES": "10485760"})
    import importlib
    import app.config as config_module
    importlib.reload(config_module)
    s = config_module.Settings()
@@ -53,8 +53,49 @@ def test_settings_jwt_expiry_override(monkeypatch):
    _apply_env(monkeypatch, {"JWT_EXPIRY_SECONDS": "3600"})
    import importlib
    import app.config as config_module
    importlib.reload(config_module)
    s = config_module.Settings()
    assert s.jwt_expiry_seconds == 3600
 def test_api_docs_enabled_default(monkeypatch):
    _apply_env(monkeypatch)
    import importlib
    import app.config as config_module
    importlib.reload(config_module)
    s = config_module.Settings()
    assert s.api_docs_enabled is True
 def test_api_docs_enabled_false(monkeypatch):
    _apply_env(monkeypatch, {"API_DOCS_ENABLED": "false"})
    import importlib
    import app.config as config_module
    importlib.reload(config_module)
    s = config_module.Settings()
    assert s.api_docs_enabled is False
 def test_api_docs_invalid_value_defaults_to_enabled(monkeypatch):
    _apply_env(monkeypatch, {"API_DOCS_ENABLED": "not-a-bool"})
    import importlib
    import app.config as config_module
    importlib.reload(config_module)
    s = config_module.Settings()
    assert s.api_docs_enabled is True
--- a/api/tests/unit/test_hashing.py
+++ b/api/tests/unit/test_hashing.py
@@ -1,5 +1,6 @@
 import hashlib
-from app.utils import compute_sha256
+
 from app.utils import compute_sha256, generate_short_id
 def test_sha256_known_bytes():
@@ -18,3 +19,24 @@ def test_sha256_returns_64_char_hex():
    result = compute_sha256(b"test data")
    assert len(result) == 64
    assert all(c in "0123456789abcdef" for c in result)
 def test_generate_short_id_length():
    assert len(generate_short_id()) == 8
 def test_generate_short_id_charset():
    result = generate_short_id()
    assert all(
        c in "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" for c in result
    )
 def test_generate_short_id_randomness():
    assert generate_short_id() != generate_short_id()
 def test_generate_short_id_importable():
    from app.utils import generate_short_id as fn
    assert callable(fn)
--- a/api/tests/unit/test_jwt_auth.py
+++ b/api/tests/unit/test_jwt_auth.py
@@ -1,6 +1,5 @@
 import time
 import pytest
 import jwt as pyjwt
 import pytest
 from fastapi import HTTPException
 from app.auth.jwt_provider import JWTAuthProvider
--- a/api/tests/unit/test_migration.py
+++ b/api/tests/unit/test_migration.py
@@ -0,0 +1,110 @@
 """Unit tests for migrate_to_short_ids script logic."""
 from unittest.mock import AsyncMock, MagicMock, patch
 import pytest
@pytest.fixture
 def mock_image_null_short_id():
    img = MagicMock()
    img.id = "img-uuid-1"
    img.short_id = None
    img.storage_key = "oldhashkey1234567890"
    img.thumbnail_key = "oldhashkey1234567890-thumb"
    img.mime_type = "image/jpeg"
    return img
@pytest.fixture
 def mock_image_with_short_id():
    img = MagicMock()
    img.id = "img-uuid-2"
    img.short_id = "AbCd1234"
    img.storage_key = "AbCd1234"
    img.thumbnail_key = "AbCd1234-thumb"
    img.mime_type = "image/jpeg"
    return img
@pytest.mark.asyncio
 async def test_migrate_processes_image_without_short_id(mock_image_null_short_id):
    """Images with short_id IS NULL are processed: storage copied, DB updated, old keys deleted."""
    from scripts.migrate_to_short_ids import migrate_image
    storage = MagicMock()
    storage.get = AsyncMock(return_value=b"imagedata")
    storage.put = AsyncMock()
    storage.delete = AsyncMock()
    session = MagicMock()
    session.execute = AsyncMock()
    session.flush = AsyncMock()
    old_key = mock_image_null_short_id.storage_key
    new_short_id = "NewSh123"
    with patch("scripts.migrate_to_short_ids.generate_short_id", return_value=new_short_id):
        result = await migrate_image(mock_image_null_short_id, storage, session)
    assert result is True
    storage.put.assert_any_call(new_short_id, b"imagedata", "image/jpeg")
    storage.delete.assert_any_call(old_key)
@pytest.mark.asyncio
 async def test_migrate_skips_image_with_short_id(mock_image_with_short_id):
    """Images that already have a short_id are skipped."""
    from scripts.migrate_to_short_ids import migrate_image
    storage = MagicMock()
    session = MagicMock()
    result = await migrate_image(mock_image_with_short_id, storage, session)
    assert result is False
    storage.get.assert_not_called() if hasattr(storage.get, "assert_not_called") else None
@pytest.mark.asyncio
 async def test_migrate_continues_on_storage_error(mock_image_null_short_id):
    """If storage copy fails, error is logged and migrate_image returns False without aborting."""
    from scripts.migrate_to_short_ids import migrate_image
    storage = MagicMock()
    storage.get = AsyncMock(side_effect=Exception("storage read error"))
    storage.put = AsyncMock()
    storage.delete = AsyncMock()
    session = MagicMock()
    session.execute = AsyncMock()
    session.flush = AsyncMock()
    with patch("scripts.migrate_to_short_ids.generate_short_id", return_value="ErrSh123"):
        result = await migrate_image(mock_image_null_short_id, storage, session)
    assert result is False
    storage.put.assert_not_called()
@pytest.mark.asyncio
 async def test_migrate_summary_counts(mock_image_null_short_id, mock_image_with_short_id):
    """run_migration reports correct migrated and skipped counts."""
    from scripts.migrate_to_short_ids import run_migration
    storage = MagicMock()
    storage.get = AsyncMock(return_value=b"data")
    storage.put = AsyncMock()
    storage.delete = AsyncMock()
    session = MagicMock()
    session.execute = AsyncMock()
    session.flush = AsyncMock()
    images = [mock_image_null_short_id, mock_image_with_short_id]
    with patch("scripts.migrate_to_short_ids.generate_short_id", return_value="NewSh999"):
        migrated, skipped, failed = await run_migration(images, storage, session)
    assert migrated == 1
    assert skipped == 1
    assert failed == 0
--- a/api/tests/unit/test_rate_limiter.py
+++ b/api/tests/unit/test_rate_limiter.py
@@ -0,0 +1,105 @@
 import ipaddress
 from unittest.mock import MagicMock
 from starlette.requests import Request
 from app.auth.rate_limiter import LoginRateLimiter, get_client_ip
 # ---------------------------------------------------------------------------
 # LoginRateLimiter tests
 # ---------------------------------------------------------------------------
 def make_limiter():
    return LoginRateLimiter(max_failures=3, window_seconds=60, cooldown_seconds=300)
 def test_not_blocked_initially():
    assert make_limiter().is_blocked("1.2.3.4") is False
 def test_blocked_after_threshold():
    limiter = make_limiter()
    for _ in range(3):
        limiter.record_failure("1.2.3.4")
    assert limiter.is_blocked("1.2.3.4") is True
 def test_success_clears_failures():
    limiter = make_limiter()
    limiter.record_failure("1.2.3.4")
    limiter.record_failure("1.2.3.4")
    limiter.record_success("1.2.3.4")
    assert limiter.is_blocked("1.2.3.4") is False
 def test_ips_are_isolated():
    limiter = make_limiter()
    for _ in range(3):
        limiter.record_failure("1.1.1.1")
    assert limiter.is_blocked("2.2.2.2") is False
 def test_window_resets_after_expiry():
    import time
    limiter = LoginRateLimiter(max_failures=3, window_seconds=0, cooldown_seconds=300)
    limiter.record_failure("1.2.3.4")
    limiter.record_failure("1.2.3.4")
    time.sleep(0.01)
    limiter.record_failure("1.2.3.4")
    # window expired — counter reset on third call, so failures = 1, not 3
    assert limiter.is_blocked("1.2.3.4") is False
 def test_log_warning_on_lockout(caplog):
    import logging
    limiter = make_limiter()
    with caplog.at_level(logging.WARNING, logger="app.auth.rate_limiter"):
        for _ in range(3):
            limiter.record_failure("5.6.7.8")
    assert "Login blocked" in caplog.text
    assert "5.6.7.8" in caplog.text
 # ---------------------------------------------------------------------------
 # get_client_ip tests
 # ---------------------------------------------------------------------------
 def make_request(peer: str, headers: dict) -> MagicMock:
    req = MagicMock(spec=Request)
    req.client.host = peer
    req.headers = headers
    return req
 def test_get_client_ip_no_trusted_networks_returns_peer():
    req = make_request("203.0.113.1", {"X-Forwarded-For": "10.0.0.1"})
    assert get_client_ip(req, []) == "203.0.113.1"
 def test_get_client_ip_trusted_peer_uses_real_ip():
    req = make_request("10.0.0.1", {"X-Real-IP": "203.0.113.9"})
    nets = [ipaddress.ip_network("10.0.0.0/8")]
    assert get_client_ip(req, nets) == "203.0.113.9"
 def test_get_client_ip_real_ip_wins_over_xff():
    # Regression: spoofed XFF must not override nginx-set X-Real-IP.
    req = make_request("10.0.0.1", {"X-Real-IP": "203.0.113.9", "X-Forwarded-For": "1.2.3.4"})
    nets = [ipaddress.ip_network("10.0.0.0/8")]
    assert get_client_ip(req, nets) == "203.0.113.9"
 def test_get_client_ip_untrusted_peer_ignores_xff():
    req = make_request("8.8.8.8", {"X-Forwarded-For": "203.0.113.5"})
    nets = [ipaddress.ip_network("10.0.0.0/8")]
    assert get_client_ip(req, nets) == "8.8.8.8"
 def test_get_client_ip_trusted_peer_falls_back_to_xff_when_no_real_ip():
    req = make_request("10.0.0.1", {"X-Forwarded-For": "203.0.113.5"})
    nets = [ipaddress.ip_network("10.0.0.0/8")]
    assert get_client_ip(req, nets) == "203.0.113.5"
--- a/api/tests/unit/test_short_id.py
+++ b/api/tests/unit/test_short_id.py
@@ -0,0 +1,59 @@
 """Unit tests for short_id generation, validation, and repository lookup."""
 import re
 from unittest.mock import AsyncMock, MagicMock
 import pytest
 from fastapi import HTTPException
 from app.routers.images import _validate_short_id
 from app.utils import generate_short_id
 _SHORT_ID_RE = re.compile(r"^[a-zA-Z0-9]{8}$")
 def test_validate_short_id_accepts_valid():
    _validate_short_id("AbCd1234")  # must not raise
 def test_validate_short_id_rejects_too_long():
    with pytest.raises(HTTPException) as exc:
        _validate_short_id("toolong!!")
    assert exc.value.status_code == 422
 def test_validate_short_id_rejects_too_short():
    with pytest.raises(HTTPException) as exc:
        _validate_short_id("short")
    assert exc.value.status_code == 422
 def test_validate_short_id_rejects_invalid_chars():
    with pytest.raises(HTTPException) as exc:
        _validate_short_id("has spa!")
    assert exc.value.status_code == 422
 def test_generate_short_id_unique():
    ids = {generate_short_id() for _ in range(100)}
    assert len(ids) > 90  # collision in 100 draws would be astronomically unlikely
 def test_repo_get_by_short_id_uses_correct_field():
    """get_by_short_id selects on Image.short_id, not Image.id."""
    import asyncio
    from app.repositories.image_repo import ImageRepository
    mock_session = MagicMock()
    scalar = MagicMock()
    scalar.scalar_one_or_none = MagicMock(return_value=None)
    mock_session.execute = AsyncMock(return_value=scalar)
    repo = ImageRepository(mock_session)
    asyncio.get_event_loop().run_until_complete(repo.get_by_short_id("AbCd1234"))
    call_args = mock_session.execute.call_args[0][0]
    compiled = call_args.compile(compile_kwargs={"literal_binds": True})
    assert "short_id" in str(compiled)
    assert "AbCd1234" in str(compiled)
--- a/api/tests/unit/test_tags.py
+++ b/api/tests/unit/test_tags.py
@@ -2,16 +2,21 @@
 T037 — tag normalisation: uppercase → lowercase, whitespace stripped
 T038 — tag validation: rejects names > 64 chars, invalid chars
 """
 import pytest
 from app.repositories.tag_repo import TagRepository
-@pytest.mark.parametrize("raw,expected", [
+@pytest.mark.parametrize(
    "raw,expected",
    [
        ("Cat", "cat"),
        ("  funny  ", "funny"),
        ("REACTION", "reaction"),
        (" MiXeD ", "mixed"),
-])
+    ],
 )
 def test_normalise_lowercases_and_strips(raw, expected):
    assert TagRepository.normalise(raw) == expected
--- a/api/tests/unit/test_thumbnail.py
+++ b/api/tests/unit/test_thumbnail.py
@@ -1,4 +1,5 @@
 """Unit tests for thumbnail generation utility."""
 import io
 from PIL import Image as PILImage
--- a/api/tests/unit/test_url_construction.py
+++ b/api/tests/unit/test_url_construction.py
@@ -0,0 +1,72 @@
 import uuid
 from unittest.mock import MagicMock
 from app.routers.images import _image_to_dict
 def _make_image(*, thumbnail_key=None):
    img = MagicMock()
    img.id = uuid.UUID("00000000-0000-0000-0000-000000000001")
    img.short_id = "AbCd1234"
    img.hash = "abc123"
    img.filename = "test.jpg"
    img.mime_type = "image/jpeg"
    img.size_bytes = 1024
    img.width = 100
    img.height = 100
    img.storage_key = "abc123storagekey"
    img.thumbnail_key = thumbnail_key
    img.created_at.isoformat.return_value = "2026-05-09T00:00:00"
    img.tags = []
    return img
 def test_cdn_configured_with_thumbnail():
    img = _make_image(thumbnail_key="abc123storagekey-thumb")
    result = _image_to_dict(img, cdn_base="https://cdn.example.com")
    assert result["file_url"] == "https://cdn.example.com/abc123storagekey"
    assert result["thumbnail_url"] == "https://cdn.example.com/abc123storagekey-thumb"
    assert result["short_id"] == "AbCd1234"
 def test_cdn_configured_no_thumbnail():
    img = _make_image(thumbnail_key=None)
    result = _image_to_dict(img, cdn_base="https://cdn.example.com")
    assert result["file_url"] == "https://cdn.example.com/abc123storagekey"
    assert result["thumbnail_url"] is None
    assert result["short_id"] == "AbCd1234"
 def test_no_cdn_with_thumbnail():
    img = _make_image(thumbnail_key="abc123storagekey-thumb")
    result = _image_to_dict(img, cdn_base=None)
    assert result["file_url"] == "/api/v1/i/AbCd1234/file"
    assert result["thumbnail_url"] == "/api/v1/i/AbCd1234/thumbnail"
 def test_no_cdn_no_thumbnail():
    img = _make_image(thumbnail_key=None)
    result = _image_to_dict(img, cdn_base=None)
    assert result["file_url"] == "/api/v1/i/AbCd1234/file"
    assert result["thumbnail_url"] is None
 def test_cdn_trailing_slash_normalised():
    img = _make_image(thumbnail_key="abc123storagekey-thumb")
    result = _image_to_dict(img, cdn_base="https://cdn.example.com/")
    assert result["file_url"] == "https://cdn.example.com/abc123storagekey"
    assert result["thumbnail_url"] == "https://cdn.example.com/abc123storagekey-thumb"
    assert "//" not in result["file_url"].replace("https://", "")
 def test_cdn_trailing_whitespace_normalised():
    img = _make_image(thumbnail_key="abc123storagekey-thumb")
    result = _image_to_dict(img, cdn_base="https://cdn.example.com  ")
    assert result["file_url"] == "https://cdn.example.com/abc123storagekey"
    assert result["thumbnail_url"] == "https://cdn.example.com/abc123storagekey-thumb"
 def test_short_id_in_response():
    img = _make_image()
    result = _image_to_dict(img, cdn_base=None)
    assert result["short_id"] == "AbCd1234"
--- a/api/tests/unit/test_validation.py
+++ b/api/tests/unit/test_validation.py
@@ -1,5 +1,6 @@
 import pytest
-from app.validation import validate_mime_type, validate_file_size, MimeTypeError, FileSizeError
+
 from app.validation import FileSizeError, MimeTypeError, validate_file_size, validate_mime_type
 ACCEPTED_TYPES = ["image/jpeg", "image/png", "image/gif", "image/webp"]
 REJECTED_TYPES = ["application/pdf", "video/mp4", "text/plain", "application/octet-stream"]
--- a/docker-compose.test.yml
+++ b/docker-compose.test.yml
@@ -0,0 +1,67 @@
 services:
  postgres-test:
    image: postgres:16-alpine
    environment:
      POSTGRES_USER: reactbin
      POSTGRES_PASSWORD: reactbin
      POSTGRES_DB: reactbin_test
    ports:
      - "5433:5432"
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U reactbin"]
      interval: 5s
      timeout: 5s
      retries: 5
  minio-test:
    image: minio/minio:latest
    command: server /data --console-address ":9001"
    environment:
      MINIO_ROOT_USER: minioadmin
      MINIO_ROOT_PASSWORD: minioadmin
    ports:
      - "9002:9000"
      - "9003:9001"
    healthcheck:
      test: ["CMD", "mc", "ready", "local"]
      interval: 5s
      timeout: 5s
      retries: 5
  minio-init-test:
    image: minio/mc:latest
    depends_on:
      minio-test:
        condition: service_healthy
    environment:
      MINIO_ROOT_USER: minioadmin
      MINIO_ROOT_PASSWORD: minioadmin
    entrypoint: >
      /bin/sh -c "
      mc alias set local http://minio-test:9000 $$MINIO_ROOT_USER $$MINIO_ROOT_PASSWORD &&
      mc mb --ignore-existing local/reactbin-test
      "
  api-test:
    build:
      context: ./api
    environment:
      TEST_DATABASE_URL: postgresql+asyncpg://reactbin:reactbin@postgres-test:5432/reactbin_test
      DATABASE_URL: postgresql+asyncpg://reactbin:reactbin@postgres-test:5432/reactbin_test
      S3_ENDPOINT_URL: http://minio-test:9000
      S3_BUCKET_NAME: reactbin-test
      S3_ACCESS_KEY_ID: minioadmin
      S3_SECRET_ACCESS_KEY: minioadmin
      S3_REGION: us-east-1
      JWT_SECRET_KEY: test-secret-key-for-testing-only
      OWNER_USERNAME: testowner
      OWNER_PASSWORD: testpassword
      API_BASE_URL: http://localhost:8000
      MAX_UPLOAD_BYTES: "52428800"
    depends_on:
      postgres-test:
        condition: service_healthy
      minio-init-test:
        condition: service_completed_successfully
    command: ["python", "-m", "pytest", "tests/", "-v"]
    working_dir: /app
--- a/k8s/api/deployment.yaml
+++ b/k8s/api/deployment.yaml
@@ -0,0 +1,52 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: api
  namespace: reactbin
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: api
  template:
    metadata:
      labels:
        app: api
    spec:
      initContainers:
        - name: migrate
          image: git.juggalol.com/juggalol/reactbin-api:v1.4.1
          command: ["alembic", "upgrade", "head"]
          workingDir: /app
          envFrom:
            - secretRef:
                name: api-env
          securityContext:
            runAsNonRoot: true
            runAsUser: 1001
      containers:
        - name: api
          image: git.juggalol.com/juggalol/reactbin-api:v1.4.1
          ports:
            - containerPort: 8000
          envFrom:
            - secretRef:
                name: api-env
          env:
            - name: API_DOCS_ENABLED
              value: "false"
          livenessProbe:
            httpGet:
              path: /api/v1/health
              port: 8000
            initialDelaySeconds: 10
            periodSeconds: 30
          readinessProbe:
            httpGet:
              path: /api/v1/health
              port: 8000
            initialDelaySeconds: 5
            periodSeconds: 10
          securityContext:
            runAsNonRoot: true
            runAsUser: 1001
--- a/k8s/api/service.yaml
+++ b/k8s/api/service.yaml
@@ -0,0 +1,13 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: api
  namespace: reactbin
 spec:
  type: ClusterIP
  selector:
    app: api
  ports:
    - name: http
      port: 8000
      targetPort: 8000
--- a/k8s/ingress.yaml
+++ b/k8s/ingress.yaml
@@ -0,0 +1,34 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: reactbin
  namespace: reactbin
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "52m"
 spec:
  ingressClassName: nginx-public
  tls:
    - hosts:
        - reactbin.juggalol.com
      secretName: reactbin-tls
  rules:
    - host: reactbin.juggalol.com
      http:
        paths:
          - path: /api/
            pathType: Prefix
            backend:
              service:
                name: api
                port:
                  number: 8000
          - path: /
            pathType: Prefix
            backend:
              service:
                name: ui
                port:
                  number: 8080
--- a/k8s/minio/init-job.yaml
+++ b/k8s/minio/init-job.yaml
@@ -0,0 +1,24 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
  name: minio-init
  namespace: reactbin
 spec:
  template:
    spec:
      restartPolicy: OnFailure
      containers:
        - name: mc
          image: minio/mc:latest
          # mc runs as root by default; FR-013 exception documented in spec
          securityContext:
            runAsNonRoot: false
          command:
            - sh
            - -c
            - |
              mc alias set local http://minio:9000 "$MINIO_ROOT_USER" "$MINIO_ROOT_PASSWORD"
              mc mb --ignore-existing local/reactbin
          envFrom:
            - secretRef:
                name: minio-credentials
--- a/k8s/minio/service.yaml
+++ b/k8s/minio/service.yaml
@@ -0,0 +1,16 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: minio
  namespace: reactbin
 spec:
  type: ClusterIP
  selector:
    app: minio
  ports:
    - name: api
      port: 9000
      targetPort: 9000
    - name: console
      port: 9001
      targetPort: 9001
--- a/k8s/minio/statefulset.yaml
+++ b/k8s/minio/statefulset.yaml
@@ -0,0 +1,59 @@
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
  name: minio
  namespace: reactbin
 spec:
  serviceName: minio
  replicas: 1
  selector:
    matchLabels:
      app: minio
  template:
    metadata:
      labels:
        app: minio
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
      containers:
        - name: minio
          image: minio/minio:latest
          args:
            - server
            - /data
            - --console-address
            - ":9001"
          ports:
            - containerPort: 9000
            - containerPort: 9001
          envFrom:
            - secretRef:
                name: minio-credentials
          livenessProbe:
            httpGet:
              path: /minio/health/live
              port: 9000
            initialDelaySeconds: 10
            periodSeconds: 30
          readinessProbe:
            httpGet:
              path: /minio/health/ready
              port: 9000
            initialDelaySeconds: 5
            periodSeconds: 10
          volumeMounts:
            - name: data
              mountPath: /data
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: 10Gi
--- a/k8s/namespace.yaml
+++ b/k8s/namespace.yaml
@@ -0,0 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: reactbin
--- a/k8s/ui/deployment.yaml
+++ b/k8s/ui/deployment.yaml
@@ -0,0 +1,29 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: ui
  namespace: reactbin
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: ui
  template:
    metadata:
      labels:
        app: ui
    spec:
      containers:
        - name: ui
          image: git.juggalol.com/juggalol/reactbin-ui:v1.4.1
          ports:
            - containerPort: 8080
          livenessProbe:
            httpGet:
              path: /
              port: 8080
            initialDelaySeconds: 10
            periodSeconds: 30
          securityContext:
            runAsNonRoot: true
            runAsUser: 101  # nginxinc/nginx-unprivileged default UID
--- a/k8s/ui/service.yaml
+++ b/k8s/ui/service.yaml
@@ -0,0 +1,13 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: ui
  namespace: reactbin
 spec:
  type: ClusterIP
  selector:
    app: ui
  ports:
    - name: http
      port: 8080
      targetPort: 8080
--- a/k8s/vault/api-secret.yaml
+++ b/k8s/vault/api-secret.yaml
@@ -0,0 +1,18 @@
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultStaticSecret
 metadata:
  name: api-secret
  namespace: reactbin
 spec:
  vaultAuthRef: reactbin-vault-auth
  mount: kv
  type: kv-v2
  # Required Vault keys at this path:
  #   DATABASE_URL, JWT_SECRET_KEY, OWNER_USERNAME, OWNER_PASSWORD,
  #   S3_ENDPOINT_URL, S3_BUCKET_NAME, S3_ACCESS_KEY_ID, S3_SECRET_ACCESS_KEY,
  #   API_BASE_URL
  path: reactbin/api/config
  refreshAfter: 1h
  destination:
    name: api-env
    create: true
--- a/k8s/vault/minio-secret.yaml
+++ b/k8s/vault/minio-secret.yaml
@@ -0,0 +1,16 @@
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultStaticSecret
 metadata:
  name: minio-secret
  namespace: reactbin
 spec:
  vaultAuthRef: reactbin-vault-auth
  mount: kv
  type: kv-v2
  # Required Vault keys at this path:
  #   MINIO_ROOT_USER, MINIO_ROOT_PASSWORD
  path: reactbin/minio/credentials
  refreshAfter: 1h
  destination:
    name: minio-credentials
    create: true
--- a/k8s/vault/vault-auth.yaml
+++ b/k8s/vault/vault-auth.yaml
@@ -0,0 +1,22 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: vso-reactbin
  namespace: reactbin
 ---
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultAuth
 metadata:
  name: reactbin-vault-auth
  namespace: reactbin
 spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    # The operator must create this role in Vault and bind it to the
    # default service account in the reactbin namespace with read access
    # to both reactbin/api/config and reactbin/minio/credentials.
    role: vso-reactbin
    serviceAccount: vso-reactbin
    audiences:
      - vault
--- a/scripts/test_lockout.sh
+++ b/scripts/test_lockout.sh
@@ -0,0 +1,67 @@
 #!/usr/bin/env bash
 #
 # Test reactbin's login rate limiter and demonstrate the XFF injection bypass.
 #
 # Phase 1: Send 6 bad login attempts in quick succession.
 #   Attempts 1-5 should return 401 (invalid credentials).
 #   Attempt 6 should return 429 (rate limited) — the limiter blocks after
 #   max_failures=5 within the window.
 #
 # Phase 2: Send a 7th bad attempt with a spoofed X-Forwarded-For header
 #   pointing at a different IP. If the lockout keys correctly on the trusted
 #   client IP, this should still return 429 (same client, still locked).
 #   If reactbin trusts client-supplied XFF blindly, this would return 401
 #   instead — the spoof would make the request look like a different client
 #   that hasn't accumulated failures.
 #
 # Interpretation:
 #   - 429 on attempt 7  → lockout is correctly identifying the client
 #   - 401 on attempt 7  → XFF injection succeeded; server treated us as a
 #                          new client because we set a fake XFF
 #
 # Note: this script is ONLY useful when run against the public origin path
 # where XFF spoofing is potentially possible. It does not exercise the
 # Cloudflare-proxied path because Cloudflare strips/replaces XFF before
 # forwarding to origin.
 set -u
 URL="${URL:-https://reactbin.juggalol.com/api/v1/auth/token}"
 SPOOFED_IP="${SPOOFED_IP:-198.51.100.99}"  # TEST-NET-2, never routed
 USERNAME="${USERNAME:-not-a-real-user}"
 PASSWORD="${PASSWORD:-not-a-real-password}"
 # JSON body for a bad login. Username/password chosen to be obviously fake;
 # adjust if your auth provider has its own validation that would 400 instead
 # of 401 on these values.
 BODY=$(printf '{"username":"%s","password":"%s"}' "$USERNAME" "$PASSWORD")
 echo "Target: $URL"
 echo "Body:   $BODY"
 echo
 echo "=== Phase 1: 6 bad logins from real client IP ==="
 for i in 1 2 3 4 5 6; do
    code=$(curl -sS -o /dev/null -w '%{http_code}' \
        -X POST \
        -H 'Content-Type: application/json' \
        --data "$BODY" \
        "$URL")
    echo "Attempt $i: HTTP $code"
 done
 echo
 echo "=== Phase 2: 7th attempt with spoofed X-Forwarded-For ==="
 echo "Setting X-Forwarded-For: $SPOOFED_IP"
 code=$(curl -sS -o /dev/null -w '%{http_code}' \
    -X POST \
    -H 'Content-Type: application/json' \
    -H "X-Forwarded-For: $SPOOFED_IP" \
    --data "$BODY" \
    "$URL")
 echo "Attempt 7: HTTP $code"
 echo
 echo "Interpretation:"
 echo "  Attempt 7 = 429  → lockout correctly tracks real client; XFF spoof ineffective"
 echo "  Attempt 7 = 401  → XFF spoof succeeded; server believed the fake client IP"
--- a/specs/001-reaction-image-board/SHIPPED
+++ b/specs/001-reaction-image-board/SHIPPED
--- a/specs/002-api-image-proxy/SHIPPED
+++ b/specs/002-api-image-proxy/SHIPPED
--- a/specs/003-upload-thumbnails/SHIPPED
+++ b/specs/003-upload-thumbnails/SHIPPED
--- a/specs/004-jwt-bearer-auth/SHIPPED
+++ b/specs/004-jwt-bearer-auth/SHIPPED
--- a/specs/005-ui-polish/SHIPPED
+++ b/specs/005-ui-polish/SHIPPED
--- a/specs/005-ui-polish/checklists/requirements.md
+++ b/specs/005-ui-polish/checklists/requirements.md
@@ -0,0 +1,34 @@
 # Specification Quality Checklist: UI Polish & Design System
 **Purpose**: Validate specification completeness and quality before proceeding to planning
 **Created**: 2026-05-03
 **Feature**: [spec.md](../spec.md)
 ## Content Quality
 - [X] No implementation details (languages, frameworks, APIs)
 - [X] Focused on user value and business needs
 - [X] Written for non-technical stakeholders
 - [X] All mandatory sections completed
 ## Requirement Completeness
 - [X] No [NEEDS CLARIFICATION] markers remain
 - [X] Requirements are testable and unambiguous
 - [X] Success criteria are measurable
 - [X] Success criteria are technology-agnostic (no implementation details)
 - [X] All acceptance scenarios are defined
 - [X] Edge cases are identified
 - [X] Scope is clearly bounded
 - [X] Dependencies and assumptions identified
 ## Feature Readiness
 - [X] All functional requirements have clear acceptance criteria
 - [X] User scenarios cover primary flows
 - [X] Feature meets measurable outcomes defined in Success Criteria
 - [X] No implementation details leak into specification
 ## Notes
 - All items pass. Spec is ready for `/speckit-plan`.
--- a/specs/005-ui-polish/plan.md
+++ b/specs/005-ui-polish/plan.md
@@ -0,0 +1,242 @@
 # Implementation Plan: UI Polish & Design System
 **Branch**: `005-ui-polish` | **Date**: 2026-05-03 | **Spec**: [spec.md](spec.md)
 **Input**: Feature specification from `specs/005-ui-polish/spec.md`
 ## Summary
 Refine the existing Angular SPA from functional-but-bare to intentional and
 finished. All changes are purely front-end: a shared design-token layer
 (CSS custom properties) is introduced in `styles.css`, and each of the five
 views (library, upload, detail, login, app shell) is updated to use those tokens
 and to handle loading, empty, and error states consistently. No new dependencies,
 no new API endpoints.
 ---
 ## Technical Context
 **Language/Version**: TypeScript 5 / Angular 19 (standalone components, no NgModules)
 **Primary Dependencies**: Angular 19, RxJS 7 (already installed; no new deps added)
 **Storage**: N/A — UI-only feature
 **Testing**: Karma / Jasmine (Angular CLI default; `npm test`)
 **Target Platform**: Browser SPA (desktop-primary, 375 px minimum viewport)
 **Project Type**: Web application — UI layer only
 **Performance Goals**: Loading indicators must not flash on sub-150 ms responses
 **Constraints**: No new npm dependencies; no external icon or component library
 **Scale/Scope**: Five component files + one global CSS file
 ---
 ## Constitution Check
 *GATE: Must pass before Phase 0 research. Re-checked after Phase 1 design.*
 | Principle | Status | Notes |
 |-----------|--------|-------|
 | §2.1 Strict separation of concerns — UI knows nothing about storage or DB | ✅ Pass | No API or storage changes |
 | §2.2 Dependency direction — UI → API only | ✅ Pass | No new API calls introduced |
 | §2.3 Storage abstraction | ✅ Pass | Not touched |
 | §2.4 Auth abstraction — identity resolution via AuthProvider | ✅ Pass | Auth logic unchanged; FR-006 (hide write controls) already implemented |
 | §2.6 No speculative abstraction | ✅ Pass | Tokens centralised because all five views use them; no hypothetical interfaces |
 | §3.3 Error shape | ✅ Pass | UI consumes existing error envelopes; no API change |
 | §5.1 TDD non-negotiable | ✅ Pass | All template and state changes will have Angular component tests written first |
 | §5.2 Test pyramid | ✅ Pass | Unit tests (Karma) cover state logic; E2E visual check is the acceptance gate |
 | §6 Tech stack | ✅ Pass | Angular + TypeScript; no new languages or frameworks added |
 | §7.2 No hardcoded values | ✅ Pass | Colours/spacing moved to CSS custom properties, not hardcoded further |
 | §7.3 Linting non-optional | ✅ Pass | ESLint + Prettier enforced; `ng build` type-check must pass |
 | §8 Scope boundaries | ✅ Pass | UI-only; no multi-user, no OR/NOT tags, no OIDC |
 **Constitution Check result: ALL GATES PASS**
 No violations. No complexity justification table required.
 ---
 ## Project Structure
 ### Documentation (this feature)
 ```text
 specs/005-ui-polish/
 ├── plan.md          ← this file
 ├── research.md      ← Phase 0 output (complete)
 ├── quickstart.md    ← Phase 1 output (visual acceptance scenarios)
 └── tasks.md         ← Phase 2 output (/speckit-tasks — not yet created)
 ```
 *No `data-model.md` or `contracts/` — this feature introduces no new data
 entities and no API surface changes.*
 ### Source Code (affected files)
 ```text
 ui/
 └── src/
    ├── styles.css                              ← Add CSS custom properties (design tokens)
    └── app/
        ├── app.component.ts                    ← Polish header shell
        ├── library/
        │   └── library.component.ts            ← Skeleton load, empty state, error state, card polish
        ├── upload/
        │   └── upload.component.ts             ← Drop-zone polish, in-progress state, success/error states
        ├── detail/
        │   └── detail.component.ts             ← Loading state, not-found state, section organisation
        └── login/
            └── login.component.ts              ← Visual alignment with design system
 ```
 ---
 ## Milestones
 ### Milestone 1 — Design Token Layer (blocks all other milestones)
 Extract the shared colour, spacing, and motion values already present across the
 five components into CSS custom properties on `:root` in `styles.css`.
 **Deliverable**: `:root` block in `styles.css` with 13 named tokens (see
 research.md Decision 5). Each existing component still renders identically
 (tokens match current hard-coded values exactly). `ng build` passes.
 **Token set**:
 ```
 --bg, --surface, --surface-raised, --border, --border-focus,
 --text, --text-muted, --accent, --accent-text, --danger, --danger-text,
 --radius, --radius-chip, --transition
 ```
 ---
 ### Milestone 2 — Library View (US1)
 **Loading state**: Replace the current `loading = true` boolean with the
 150 ms–debounced spinner pattern (see research.md Decision 3). While loading,
 render a grid of skeleton cards (same dimensions as real cards) using the
 shimmer CSS class (see research.md Decision 2).
 **Empty state**: The existing empty-state `<p>` is already functional. Polish it:
 centred layout, muted icon (✦ or similar Unicode), larger text, and a prominent
 "Upload your first image" link that navigates to `/upload`.
 **Error state**: Add an `error: boolean` flag to the component. If the `list()`
 call errors, set `error = true` and render an error card with a retry button
 that calls `load()` again.
 **Card polish**: Apply tokens to card background, border-radius, and tag chips.
 Add a subtle `box-shadow` and `transform: translateY(-2px)` on hover (using
 `--transition`). Ensure the card thumbnail `<img>` has an `(error)` fallback
 (see research.md Decision 4).
 **Responsive**: The existing `auto-fill minmax(200px, 1fr)` grid already handles
 narrow viewports. Verify it does not overflow at 375 px; reduce min card width
 to 160 px if needed.
 ---
 ### Milestone 3 — Upload View (US2)
 **Drop-zone polish**: Apply token-based border and background to the existing
 drag-and-drop zone. Add a dashed border accent colour (`--accent` at 40%
 opacity) on active drag state.
 **In-progress state**: The existing `loading` flag already disables the button.
 Add a visible spinner or animated label ("Uploading…") inside the button while
 in-flight so the state change is unmistakable.
 **Success state**: After a successful upload, show a brief success banner
 (green-tinted surface, tick character) with a "Upload another" link and a "View
 in library" link. Auto-dismiss after 4 seconds or on navigation.
 **Error states**: Distinct messages for validation errors (wrong type/size —
 already returned by API) vs. network/server errors (generic retry). Both
 displayed inline below the form, not in a modal.
 **Double-submit prevention**: Already implemented (button disabled while
 `loading`). Confirm the disabled style is visually clear using `--text-muted`
 and reduced opacity.
 ---
 ### Milestone 4 — Detail View (US3)
 **Loading state**: Add a skeleton layout while `loading = true`: a grey
 rectangle at full width for the image area, and two skeleton chip rows below.
 **Not-found state**: The existing `!image && !loading` condition renders a
 plain text paragraph. Replace with a styled not-found card: centred layout,
 muted icon, "Image not found" heading, and a "Back to library" button.
 **Section organisation**: Visually separate the image area, tags section, and
 write controls with consistent spacing using `--surface` panels and token-based
 gaps. Write controls (tag input + delete button) should be grouped in a visually
 distinct "Owner actions" area when visible.
 **Tag error**: The existing `tagError` renders inline. Apply `--danger` colour
 and a left border accent to make it unmistakable.
 **Broken image**: Add `(error)` handler on the full-size `<img>` in the detail
 view (inline SVG placeholder showing a broken-link icon).
 ---
 ### Milestone 5 — Login View (US4)
 Apply the token-based design system to the login form:
 - Centre the card vertically and horizontally on the page
 - Wrap the form in a `--surface` card with `--radius` and a subtle border
 - Use token-based input styles matching the library filter bar
 - Display field-level validation errors using `--danger` colour
 - The submit button uses the same `--accent` style as the library upload button
 - In-progress state: button text changes to "Signing in…", button disabled
 No layout changes to the existing reactive-form structure.
 ---
 ### Milestone 6 — App Shell (US5)
 The existing `app.component.ts` header already conditionally renders the
 sign-out button. Polish:
 - Slim top bar: `--surface` background, bottom border using `--border`
 - App name / logo mark on the left (text only, no image asset)
 - Sign-out button aligned right using `--text-muted` colour and a simple
  hover state
 - Header height: `48px` fixed; does not reflow page content on state change
 ---
 ## Implementation Order
 ```
 Milestone 1 (tokens)
    ↓
 Milestone 2 (library) ─┐
 Milestone 3 (upload)   ├─ can proceed in parallel after M1
 Milestone 4 (detail)   │
 Milestone 5 (login)   ─┘
 Milestone 6 (shell)     ← last (touches app.component which wraps all views)
 ```
 M2–M5 are independent of each other (different component files). M6 is last
 because the app shell wraps all views and its final state is easiest to validate
 once the inner views are stable.
 ---
 ## Testing Strategy
 **Unit tests (Karma/Jasmine)**:
 - All new state variables (`error`, `showSpinner`, skeleton visibility) are
  tested via component spec files.
 - Template conditionals (`*ngIf="error"`, `*ngIf="loading"`) are verified with
  fixture queries.
 - The `(error)` image fallback handler is tested by simulating an error event.
 - Existing tests must continue to pass — no regressions.
 **Visual acceptance (manual, quickstart.md)**:
 - Each milestone has a corresponding scenario in quickstart.md.
 - Visual checks are performed in a running `docker compose up` stack.
 - 375 px viewport check: Chrome DevTools → device toolbar → iPhone SE.
 **Build gate**: `ng build` must pass with zero errors after every milestone.
--- a/specs/005-ui-polish/quickstart.md
+++ b/specs/005-ui-polish/quickstart.md
@@ -0,0 +1,155 @@
 # Quickstart: UI Polish Visual Acceptance Scenarios
 Use this guide to manually verify each milestone after implementation.
 Run `docker compose up` before starting. Open the browser at `http://localhost:4200`.
 ---
 ## M1 — Design Token Layer
 **Goal**: Tokens exist; visual output is identical to before.
 1. Open the library, upload, detail, and login pages.
 2. Open browser DevTools → Elements → `<html>` or `<body>`.
 3. Confirm `--bg`, `--surface`, `--accent`, `--danger` etc. are visible in
   computed styles.
 4. Confirm no visible change in any view compared to before M1.
 ---
 ## M2 — Library View
 ### Loading skeleton
 1. Open DevTools → Network → set throttle to "Slow 3G".
 2. Hard-refresh the library page.
 3. **Expect**: A grid of grey shimmer cards appears immediately; no blank white
   space; no layout jump when real images load in.
 ### Empty state
 1. Ensure no images are uploaded (or use a fresh test database).
 2. Open the library.
 3. **Expect**: A centred empty-state panel with explanatory text and a prominent
   "Upload your first image" link. Clicking the link navigates to `/upload`.
 ### Error state
 1. Stop the API container (`docker compose stop api`).
 2. Hard-refresh the library.
 3. **Expect**: An error card with a plain-language message and a "Retry" button.
   No blank grid, no raw status code.
 4. Restart the API (`docker compose start api`) and click "Retry".
 5. **Expect**: Images load successfully.
 ### Card polish
 1. Hover over an image card.
 2. **Expect**: Card lifts slightly (2 px translate) with a smooth transition.
 ### Broken image
 1. Manually corrupt a storage key in the database (or unplug MinIO) and reload.
 2. **Expect**: Card shows a grey placeholder graphic, not a broken-image browser icon.
 ### 375 px viewport
 1. DevTools → Device toolbar → iPhone SE (375 × 667).
 2. **Expect**: Cards stack, no horizontal scrollbar, all content readable.
 ---
 ## M3 — Upload View
 ### Drop-zone idle
 1. Navigate to `/upload` (must be logged in).
 2. **Expect**: A visually distinct drop-zone with dashed border and clear
   instructions. Submit button is disabled/greyed.
 ### In-progress
 1. Select a large image file.
 2. Click upload.
 3. **Expect**: Button label changes to "Uploading…" and is disabled. A spinner
   or animated indicator is visible.
 ### Success
 1. After a successful upload completes.
 2. **Expect**: A green-tinted success banner with the filename, "Upload another"
   link, and "View in library" link. Banner disappears after 4 seconds.
 ### Validation error
 1. Attempt to upload a `.txt` file.
 2. **Expect**: An inline error message names the problem ("Unsupported file type").
   The form is still usable — no page reload required.
 ### Network error
 1. Stop the API mid-upload (or use DevTools → block the upload request).
 2. **Expect**: A generic inline error with guidance to retry. Form remains usable.
 ---
 ## M4 — Detail View
 ### Loading skeleton
 1. Set network throttle to Slow 3G.
 2. Navigate directly to an image URL (e.g., `http://localhost:4200/images/<id>`).
 3. **Expect**: A grey rectangle skeleton for the image area and chip skeletons
   below. No blank page.
 ### Not-found state
 1. Navigate to `http://localhost:4200/images/00000000-0000-0000-0000-000000000000`.
 2. **Expect**: A styled not-found card with "Image not found" heading and a
   "Back to library" button. No blank page, no raw 404 text.
 ### Authenticated write controls
 1. Log in and open a detail page.
 2. **Expect**: Tag editing input and delete button are visible and clearly grouped.
 ### Unauthenticated view
 1. Open the detail page in a private/incognito window (not logged in).
 2. **Expect**: Image and read-only tag chips are visible. No tag input, no
   delete button.
 ### Tag error
 1. While logged in, attempt to add a tag with invalid characters (e.g., `TAG!`).
 2. **Expect**: An inline error in danger colour with a left accent border.
   Other tags and the image remain visible.
 ### Broken image
 1. Open a detail page for an image whose storage object has been deleted.
 2. **Expect**: A placeholder graphic replaces the image. Page layout is not broken.
 ---
 ## M5 — Login View
 ### Visual consistency
 1. Open `/login` without being logged in.
 2. **Expect**: Dark background matching the library; form centred in a surface
   card; same font and spacing as other pages.
 ### Field validation
 1. Click the Sign In button without entering any credentials.
 2. **Expect**: Inline validation messages appear on the username and password
   fields without a page reload.
 ### Invalid credentials error
 1. Enter wrong credentials and submit.
 2. **Expect**: A single error message below the form. Fields retain their values.
 ### In-progress state
 1. Submit valid credentials (throttle network if needed to see the state).
 2. **Expect**: Button label changes to "Signing in…" and is disabled while the
   request is in flight.
 ---
 ## M6 — App Shell
 ### Authenticated header
 1. Log in and navigate between library, upload, and an image detail page.
 2. **Expect**: A consistent 48 px header is present on all pages. Sign-out
   control is visible on the right. Header does not reflow content.
 ### Unauthenticated header
 1. Open the library or detail page without logging in.
 2. **Expect**: Header is present but sign-out control is absent.
 ### Sign out
 1. Click the sign-out control in the header.
 2. **Expect**: Redirected to `/login`. Header no longer shows sign-out control.
   Navigating to `/upload` redirects back to `/login`.
--- a/specs/005-ui-polish/research.md
+++ b/specs/005-ui-polish/research.md
@@ -0,0 +1,137 @@
 # Research: UI Polish & Design System
 ## Decision 1: Design token delivery mechanism
 **Decision**: CSS custom properties declared on `:root` in `styles.css`.
 **Rationale**: Angular's default ViewEncapsulation.Emulated scopes component
 selectors with attribute hashes but does not block CSS custom property
 inheritance. `:root` variables cascade into every inline component style block
 without any special configuration. This is now the standard Angular 2025+ token
 approach and requires zero new dependencies.
 **Alternatives considered**:
 - SCSS variables — require a preprocessor; project currently uses plain CSS.
 - A shared `.css` import per component — works but adds per-component boilerplate
  and duplicates the token surface unnecessarily.
 ---
 ## Decision 2: Skeleton loading pattern
 **Decision**: Pure-CSS shimmer using `::after` pseudo-element animated gradient;
 no third-party library.
 **Rationale**: The spec assumption explicitly prohibits new icon/component
 libraries. The standard pure-CSS skeleton pattern (placeholder divs with a
 light-to-dark horizontal gradient sweeping via `@keyframes`) produces the same
 visual result as library skeletons with zero added dependencies. The `::after`
 approach requires no extra DOM nodes per skeleton block.
 **Pattern**:
 ```css
@keyframes shimmer {
  from { background-position: -200% 0; }
  to   { background-position:  200% 0; }
 }
 .skeleton {
  background: linear-gradient(90deg, var(--surface) 25%, var(--surface-raised) 50%, var(--surface) 75%);
  background-size: 200% 100%;
  animation: shimmer 1.4s infinite;
  border-radius: var(--radius);
 }
 ```
 **Alternatives considered**:
 - `@angular/material` skeleton — adds the entire Material library as a dep.
 - CSS opacity pulse — simpler but less visually informative than a shimmer.
 ---
 ## Decision 3: Loading-flash debounce
 **Decision**: `timer(150).pipe(takeUntil(response$))` to gate the visibility of
 loading indicators.
 **Rationale**: Showing a spinner immediately causes a visible flash when the
 server responds in under ~150 ms (common on localhost). The idiomatic RxJS
 approach is to start a 150 ms timer alongside the real request; if the request
 completes first (`takeUntil`), the timer never fires and the spinner never
 appears. This avoids `race()` complexity and cleanly unsubscribes.
 **Implementation sketch**:
 ```typescript
 showSpinner = false;
 load(): void {
  const req$ = this.service.fetch().pipe(share());
  timer(150).pipe(takeUntil(req$)).subscribe(() => { this.showSpinner = true; });
  req$.subscribe(data => { this.showSpinner = false; /* handle data */ });
 }
 ```
 **Alternatives considered**:
 - `race([req$, timer(150)])` — fires timer regardless of req$ speed on certain
  race conditions; harder to reason about.
 - CSS `animation-delay` — cannot easily tie delay to actual response time.
 ---
 ## Decision 4: Broken-image fallback
 **Decision**: Inline `(error)` event binding on `<img>` elements, guarded
 against recursive fallback.
 **Rationale**: For a small number of distinct image elements (card thumbnail,
 detail full-image), an event binding is the minimal idiomatic pattern and
 avoids the complexity of a directive. Recursive fallback is prevented by
 checking that the current `src` is not already the placeholder before
 reassigning.
 **Pattern**:
 ```html
 <img [src]="url" (error)="onImgError($event)" />
 ```
 ```typescript
 onImgError(e: Event): void {
  const img = e.target as HTMLImageElement;
  if (!img.src.endsWith('placeholder')) {
    img.src = 'data:image/svg+xml,...'; // inline SVG placeholder
  }
 }
 ```
 **Alternatives considered**:
 - Custom `ImageFallbackDirective` — reusable but over-engineered for two call
  sites; can be extracted later if the pattern spreads.
 ---
 ## Decision 5: Global design token set
 **Decision**: Seven semantic tokens defined on `:root` in `styles.css`, derived
 from colours already present in the components.
 | Token              | Value     | Meaning                                      |
 |--------------------|-----------|----------------------------------------------|
 | `--bg`             | `#0f0f0f` | Page background (already in body)            |
 | `--surface`        | `#1a1a1a` | Card / input / panel background              |
 | `--surface-raised` | `#252525` | Hover state, skeleton highlight              |
 | `--border`         | `#333`    | Subtle dividers, input borders               |
 | `--border-focus`   | `#555`    | Input focus ring                             |
 | `--text`           | `#e0e0e0` | Primary text (already on body)               |
 | `--text-muted`     | `#777`    | Secondary text, placeholders                 |
 | `--accent`         | `#4a9eff` | CTAs, active chips (already in upload-btn)   |
 | `--accent-text`    | `#000`    | Text on accent backgrounds                   |
 | `--danger`         | `#c0392b` | Destructive actions (already in delete-btn)  |
 | `--danger-text`    | `#fff`    | Text on danger backgrounds                   |
 | `--radius`         | `6px`     | Standard border radius                       |
 | `--radius-chip`    | `12px`    | Pill-shaped chips                            |
 | `--transition`     | `200ms ease` | Standard animation duration               |
 **Rationale**: All values are already present in the components but hard-coded
 per file. Centralising them eliminates drift without introducing a new colour
 palette — the visual result is identical to the current state, but consistent.
 **Alternatives considered**:
 - Introducing a new darker/lighter palette — unnecessary scope creep; the
  existing colours are well-chosen for a dark personal tool.
--- a/specs/005-ui-polish/spec.md
+++ b/specs/005-ui-polish/spec.md
@@ -0,0 +1,180 @@
 # Feature Specification: UI Polish & Design System
 **Feature Branch**: `005-ui-polish`
 **Created**: 2026-05-03
 **Status**: Draft
 **Input**: User description: "Polish the Angular UI with a cohesive visual design. The three main views — library (image grid), upload form, and image detail — should feel intentional and finished. Add proper loading states, empty states, and error states to each view. The overall aesthetic should be dark-themed and minimal, fitting a personal tool used frequently. The login page should also match the design system."
 ## User Scenarios & Testing *(mandatory)*
 ### User Story 1 — Library Feels Complete (Priority: P1)
 The owner opens the app and is greeted by a polished image grid. While images
 load, something visually coherent fills the space so the page doesn't feel
 broken. If the library is empty, a helpful prompt explains what to do. If the
 request fails, a clear error message appears with a way to retry.
 **Why this priority**: The library is the landing page and the most-visited
 view. Its quality sets first impressions for every session.
 **Independent Test**: Open the app with no images uploaded — confirm an
 intentional empty state is shown. Upload an image, return to the library —
 confirm the grid renders cleanly with consistent card sizing. Throttle the
 network — confirm a loading indicator appears before images arrive.
 **Acceptance Scenarios**:
 1. **Given** the library is loading, **When** the page first renders, **Then** a skeleton or spinner occupies the grid area so the layout does not jump or appear blank.
 2. **Given** no images have been uploaded, **When** the library loads successfully, **Then** an empty-state message is shown explaining that no images exist yet, with a visible prompt to upload the first image.
 3. **Given** the image fetch fails (network error), **When** the library loads, **Then** an error message is shown with a retry action; the page does not display a blank grid or a raw error code.
 4. **Given** images exist, **When** the library renders, **Then** all image cards have consistent size, spacing, and visual weight; tag chips are readable and do not overflow their cards.
 ---
 ### User Story 2 — Upload Form Feels Finished (Priority: P1)
 The owner navigates to the upload page and finds a form that clearly communicates
 its state at every step: idle with a helpful drop-zone, active while uploading
 with visible progress, and resolved with success or a plain-language error.
 **Why this priority**: Upload is the primary write action. A rough upload
 experience erodes confidence in the whole tool.
 **Independent Test**: Upload a valid image and confirm the flow from drop-zone
 through in-progress indicator to success result is smooth and clearly
 communicated. Attempt an upload with an invalid file type and confirm a
 plain-language validation error appears without a page reload.
 **Acceptance Scenarios**:
 1. **Given** the upload page is idle, **When** no file is selected, **Then** a drop-zone with clear instructions is visible; the submit button is visibly disabled.
 2. **Given** a file is selected and uploading, **When** the upload is in progress, **Then** the submit button is disabled and a visible in-progress indicator is shown; the user cannot accidentally submit twice.
 3. **Given** an upload succeeds, **When** the server responds, **Then** a success confirmation is shown and the owner can navigate onward without confusion.
 4. **Given** an upload fails due to an invalid file type or size, **When** the server responds, **Then** a plain-language error message is shown identifying the problem; the form remains usable for another attempt.
 5. **Given** an upload fails due to a network or server error, **When** the server responds, **Then** a generic error message is shown with guidance to retry.
 ---
 ### User Story 3 — Detail Page Is Well Organised (Priority: P1)
 The owner opens an image's detail page and finds the image prominently displayed,
 tag management clearly grouped, and write controls (edit tags, delete) visually
 distinct from read content. Visitors who are not logged in see the image and
 tags but no write controls. Loading and error states are handled gracefully.
 **Why this priority**: The detail page is where tag curation and deletion
 happen — the two most common editing actions after upload.
 **Independent Test**: Open a detail page while logged in — confirm write
 controls are visible and clearly grouped. Open the same page while logged out —
 confirm write controls are hidden. Navigate to a non-existent image ID — confirm
 a not-found state is shown rather than a blank or broken page.
 **Acceptance Scenarios**:
 1. **Given** the detail page is loading, **When** the route is first entered, **Then** a loading indicator is shown in place of the image and metadata.
 2. **Given** the image exists and the owner is logged in, **When** the page renders, **Then** the image is the focal point; tags are displayed below; tag editing and delete controls are clearly grouped and visually differentiated from read content.
 3. **Given** the image exists and the visitor is not logged in, **When** the page renders, **Then** the image and tags are visible; no tag-edit input or delete button is present.
 4. **Given** a non-existent image ID is requested, **When** the page loads, **Then** a not-found state is shown with a link back to the library; no raw error code or blank area is displayed.
 5. **Given** a tag update fails, **When** the owner submits a tag change, **Then** an inline error message explains the failure; the image and other tags remain visible.
 ---
 ### User Story 4 — Login Page Matches the Design (Priority: P2)
 The owner lands on the login page (directly or after a redirect) and finds a
 form that visually belongs to the same application as the library and detail
 page. The form clearly communicates validation errors and submission state.
 **Why this priority**: Login is visited infrequently. A consistent visual
 treatment matters, but functional correctness (already implemented) is more
 critical than aesthetic alignment.
 **Independent Test**: Navigate to `/login` directly — confirm the page uses the
 same colour scheme, typography, and spacing as the rest of the app. Submit with
 empty fields — confirm visible validation errors appear without a page reload.
 **Acceptance Scenarios**:
 1. **Given** the login page loads, **When** the owner views it, **Then** the page uses the same dark background, colour palette, and typographic scale as all other views.
 2. **Given** the owner submits with empty username or password, **When** the form is submitted, **Then** inline validation messages appear on the relevant fields without a page reload or server round-trip.
 3. **Given** the owner submits invalid credentials, **When** the server rejects them, **Then** a single error message is shown below the form; the fields are not cleared.
 4. **Given** the form is submitting, **When** the request is in-flight, **Then** the submit button is disabled and shows an in-progress label so the owner cannot submit twice.
 ---
 ### User Story 5 — App Shell Is Consistent (Priority: P2)
 Every page shares a consistent outer frame: a slim header that shows the
 sign-out control when logged in. The header does not compete with page content
 for visual attention but is always present and usable.
 **Why this priority**: A coherent shell ties the individual views together into
 a single application rather than a collection of pages.
 **Independent Test**: Navigate between library, detail, and upload while logged
 in — confirm the header is consistent across all views. Sign out and visit a
 public page — confirm the sign-out control is absent.
 **Acceptance Scenarios**:
 1. **Given** the owner is logged in, **When** viewing any page, **Then** a slim header is present with a sign-out control; it does not draw excessive visual attention away from the page content.
 2. **Given** the visitor is not logged in, **When** viewing the library or a detail page, **Then** the header is present but contains no sign-out control.
 3. **Given** the owner clicks sign out in the header, **When** the action completes, **Then** they are redirected to the login page and the header no longer shows the sign-out control.
 ---
 ### Edge Cases
 - What happens if an image fails to load (broken URL or storage outage)? The card or detail view should show a placeholder, not the browser's default broken-image icon.
 - What happens on a very narrow viewport (mobile browser)? Cards should stack or resize; the layout must not overflow horizontally.
 - What happens if a tag is very long? Tag chips must truncate or wrap without breaking the card or detail layout.
 - What happens during slow network conditions? Loading states must appear promptly and not flash on fast connections.
 ---
 ## Requirements *(mandatory)*
 ### Functional Requirements
 - **FR-001**: Every view (library, upload, detail, login) MUST display a loading indicator while async data or actions are in progress.
 - **FR-002**: The library MUST display a meaningful empty-state message with a call to action when no images exist.
 - **FR-003**: All four views MUST display plain-language error messages when an operation fails; raw HTTP status codes or stack traces MUST NOT be shown to the user.
 - **FR-004**: The upload form MUST disable the submit control while an upload is in progress to prevent duplicate submissions.
 - **FR-005**: The detail page MUST show a not-found state (with a back link) when the requested image does not exist.
 - **FR-006**: Write controls on the detail page (tag editing, delete) MUST be hidden for unauthenticated visitors and visible only to the logged-in owner.
 - **FR-007**: All views MUST share a consistent set of visual tokens: background colours, text colours, spacing scale, border radii, and interactive-element styles.
 - **FR-008**: The application MUST be usable on viewports as narrow as 375 px (iPhone SE width) without horizontal overflow.
 - **FR-009**: Loading indicators MUST NOT flash on connections fast enough to resolve in under 150 ms; debounced or skeleton-based approaches are preferred.
 - **FR-010**: Broken image assets (failed loads) MUST display a visible placeholder rather than the browser's default broken-image icon.
 ### Key Entities
 - **Design token set**: The shared palette, spacing scale, and typographic rules that all views derive from (background, surface, border, text-primary, text-muted, accent, danger).
 - **Loading state**: A visual treatment applied to any view or element while data is being fetched or an action is in progress.
 - **Empty state**: A purposeful layout shown when a collection has zero items, including explanatory text and a next-action prompt.
 - **Error state**: A purposeful layout shown when an operation fails, including a plain-language description and (where applicable) a retry action.
 ---
 ## Success Criteria *(mandatory)*
 ### Measurable Outcomes
 - **SC-001**: Every view transitions from loading to content (or error/empty) without a layout shift visible to the naked eye.
 - **SC-002**: All five views pass a visual consistency check: an observer can identify them as belonging to the same application by colour, typography, and spacing alone.
 - **SC-003**: The library, upload, and detail views each render without horizontal scrollbars on a 375 px wide viewport.
 - **SC-004**: Each error condition (network failure, validation failure, not-found) produces a user-visible message within the current view — zero conditions result in a silent failure or blank screen.
 - **SC-005**: Loading indicators do not appear on responses that complete in under 150 ms in a local development environment (no flicker on fast connections).
 ---
 ## Assumptions
 - The existing dark colour palette already in the components (#1a1a1a backgrounds, #e0e0e0 text, #4a9eff accent) is the correct base; the polish work refines and extends it rather than replacing it wholesale.
 - No external component library or icon set is introduced; any icons needed are either inline SVG or Unicode characters to avoid new dependencies.
 - The app remains a single-page application; no server-side rendering or route-level transitions are in scope.
 - Mobile layout is "good enough to use" at 375 px rather than a fully optimised mobile-first redesign; a dedicated mobile redesign is out of scope.
 - No new API endpoints are needed; all changes are purely front-end.
 - Animations and transitions are minimal — a single standard duration applied consistently; no complex motion design.
 - FR-006 (hiding write controls for unauthenticated visitors) is already implemented in the detail component; this spec confirms the behaviour is preserved and visually correct, not that it needs to be built from scratch.
--- a/specs/005-ui-polish/tasks.md
+++ b/specs/005-ui-polish/tasks.md
@@ -0,0 +1,242 @@
 # Tasks: UI Polish & Design System
 **Input**: Design documents from `specs/005-ui-polish/`
 **Prerequisites**: plan.md ✓, spec.md ✓, research.md ✓, quickstart.md ✓
 **Tests**: Component spec tests are included per §5.1 (TDD non-negotiable). Tests are written first and must fail before implementation begins. Karma/Jasmine via Angular CLI test runner.
 **Organization**: Phase 2 (design token layer) blocks all user story phases. User story phases (Phase 3–7) are independent of each other and can proceed in parallel after Phase 2 completes.
 **Milestone mapping** (cross-reference with `plan.md` and `quickstart.md`):
 Phase 2 = M1 (Tokens) | Phase 3 = M2 (Library) | Phase 4 = M3 (Upload) | Phase 5 = M4 (Detail) | Phase 6 = M5 (Login) | Phase 7 = M6 (Shell)
 ## Format: `[ID] [P?] [Story] Description`
 - **[P]**: Can run in parallel (different files, no dependencies on incomplete tasks)
 - **[Story]**: Which user story this task belongs to (US1–US5)
 - All component files are under `ui/src/app/`
 ---
 ## Phase 1: Setup
 **Purpose**: Verify baseline state before any changes are made.
 - [X] T001 Confirm `ng build` passes with zero errors in `ui/` (baseline gate before any changes)
 ---
 ## Phase 2: Foundational — M1: Design Token Layer
 **Purpose**: Establish the shared CSS custom property layer in `ui/src/styles.css`. This is the blocking prerequisite for all five user story phases — no component work begins until these tokens exist.
 **⚠️ CRITICAL**: No user story phase can begin until T004 passes.
 - [X] T002 Add 13 CSS custom property tokens to `:root` in `ui/src/styles.css`: `--bg`, `--surface`, `--surface-raised`, `--border`, `--border-focus`, `--text`, `--text-muted`, `--accent`, `--accent-text`, `--danger`, `--danger-text`, `--radius`, `--radius-chip`, `--transition` — use exact values from research.md Decision 5
 - [X] T003 Add `@keyframes shimmer` animation and `.skeleton` utility class to `ui/src/styles.css` using the gradient pattern from research.md Decision 2
 - [X] T004 Confirm `ng build` passes with zero errors after token additions (M1 gate — components unchanged, visual output identical)
 **Checkpoint**: Design token layer complete. User story phases 3–7 may now start.
 ---
 ## Phase 3: User Story 1 — Library Feels Complete (Priority: P1) 🎯 MVP
 **Goal**: The library view has skeleton loading, a styled empty state, an error state with retry, polished cards with hover lift, image error fallback, and responsive layout at 375 px.
 **Independent Test**: Throttle network to Slow 3G and hard-refresh `/` — confirm shimmer skeleton appears. Remove all images — confirm styled empty state with "Upload your first image" link. Stop API — confirm error card with Retry button. Hover a card — confirm 2 px lift. Set viewport to 375 px — confirm no horizontal scrollbar.
 ### Tests for User Story 1 (TDD — write first, confirm failure before T008) ⚠️
 - [X] T005 [US1] Add component tests for `showSpinner` debounce flag, `error` flag, skeleton card count, empty-state link, error card retry button, and `onImgError` handler in `ui/src/app/library/library.component.spec.ts`
 ### Implementation for User Story 1
 - [X] T006 [P] [US1] Replace all hardcoded colour and spacing values with CSS token variables in the component styles block of `ui/src/app/library/library.component.ts`
 - [X] T007 [US1] Replace `loading = true` boolean with `showSpinner = false` and add 150 ms debounce using `timer(150).pipe(takeUntil(req$))` from research.md Decision 3 in `ui/src/app/library/library.component.ts`
 - [X] T008 [US1] Add skeleton loading grid: while `showSpinner` is true render 8 `<div class="skeleton card-skeleton">` placeholders at the same dimensions as real cards in `ui/src/app/library/library.component.ts`
 - [X] T009 [US1] Add `error = false` flag; set it on `list()` failure; render an error card with plain-language message and "Retry" button that calls `load()` in `ui/src/app/library/library.component.ts`
 - [X] T010 [US1] Replace the plain empty-state `<p>` with a centred panel: Unicode icon (✦), larger muted heading, and a `routerLink="/upload"` "Upload your first image" link in `ui/src/app/library/library.component.ts`
 - [X] T011 [US1] Add card hover effect: `transform: translateY(-2px)` and `box-shadow` with `transition: var(--transition)` using `--surface-raised` in `ui/src/app/library/library.component.ts`
 - [X] T012 [US1] Add `(error)="onImgError($event)"` on the card thumbnail `<img>` and implement `onImgError` with an inline SVG placeholder (guard against recursive fallback per research.md Decision 4) in `ui/src/app/library/library.component.ts`
 - [X] T013 [US1] Check the `auto-fill minmax()` value in the grid at 375 px: if cards overflow horizontally, reduce min card width to `160px` and record the change; if no overflow, document "verified at 160px — no change needed" in a code comment in `ui/src/app/library/library.component.ts`
 **Checkpoint**: Library view is fully functional with all loading/empty/error/responsive states.
 ---
 ## Phase 4: User Story 2 — Upload Form Feels Finished (Priority: P1)
 **Goal**: The upload form has a visually distinct drop-zone, visible in-progress state ("Uploading…" + spinner), a success banner with auto-dismiss, distinct validation vs. network error messages, and a clearly disabled button style.
 **Independent Test**: Navigate to `/upload` — confirm dashed drop-zone border. Select a large file and click Upload — confirm button shows "Uploading…" and is disabled. After success — confirm green banner appears then disappears after 4 s. Attempt to upload a `.txt` file — confirm "Unsupported file type" inline error.
 ### Tests for User Story 2 (TDD — write first, confirm failure before T016) ⚠️
 - [X] T014 [US2] Add component tests for `loading` button-disabled state, "Uploading…" label, `showSuccess` banner visibility, auto-dismiss timer, validation error message, and network error message in `ui/src/app/upload/upload.component.spec.ts`
 ### Implementation for User Story 2
 - [X] T015 [P] [US2] Replace all hardcoded colour values with CSS token variables in the component styles block of `ui/src/app/upload/upload.component.ts`
 - [X] T016 [US2] Style the drop-zone with a dashed `--accent`-coloured border at 40% opacity; add an active drag state that brightens the border to full `--accent` in `ui/src/app/upload/upload.component.ts`
 - [X] T017 [US2] Change submit button label to "Uploading…" and add a CSS spinner `<span>` inside the button while `loading = true` in `ui/src/app/upload/upload.component.ts`
 - [X] T018 [US2] Add `showSuccess = false` and `uploadedFilename = ''`; after a successful upload set both, show a green-tinted banner with filename, "Upload another" link, and "View in library" routerLink, then auto-dismiss after 4 s using `setTimeout` in `ui/src/app/upload/upload.component.ts`
 - [X] T019 [US2] Show distinct inline error messages: validation errors (wrong type/size from API) show the specific problem; network/server errors show a generic retry message — both rendered below the form without a page reload in `ui/src/app/upload/upload.component.ts`
 - [X] T020 [US2] Apply `--text-muted` colour and `opacity: 0.5` to the disabled button style to make the disabled state visually unmistakable in `ui/src/app/upload/upload.component.ts`
 **Checkpoint**: Upload form communicates every state clearly and prevents duplicate submission.
 ---
 ## Phase 5: User Story 3 — Detail Page Is Well Organised (Priority: P1)
 **Goal**: The detail view has a loading skeleton, a network error state with retry, a styled not-found card with back link, a grouped "Owner actions" panel for write controls, danger-styled tag errors, and a broken-image fallback.
 **Independent Test**: Throttle to Slow 3G and navigate to `/images/<id>` — confirm skeleton appears. Stop the API and hard-refresh a detail page — confirm error card with retry (not a blank page). Navigate to `/images/00000000-0000-0000-0000-000000000000` — confirm not-found card with "Back to library" button. Log in and open a detail page — confirm write controls are grouped. Open detail page while logged out — confirm write controls absent. Add tag with `!` character — confirm danger-coloured inline error.
 ### Tests for User Story 3 (TDD — write first, confirm failure before T023) ⚠️
 - [X] T021 [US3] Add component tests for skeleton visibility while `loading=true`, network error card when fetch fails (non-404), not-found card when `!image && !loading && !error`, tag error `--danger` style application, and `onImgError` handler in `ui/src/app/detail/detail.component.spec.ts`
 ### Implementation for User Story 3
 - [X] T022 [P] [US3] Replace all hardcoded colour values with CSS token variables in the component styles block of `ui/src/app/detail/detail.component.ts`
 - [X] T023 [US3] Add skeleton loading layout while `loading = true`: a full-width grey `.skeleton` rectangle for the image area and two rows of `.skeleton` chip placeholders below in `ui/src/app/detail/detail.component.ts`
 - [X] T024 [US3] Add `error = false` flag; set it on API fetch failure (non-404 errors); render an error card with plain-language "Failed to load image" message, "Back to library" link, and a "Retry" button that calls the fetch again — distinct from the not-found state in `ui/src/app/detail/detail.component.ts`
 - [X] T025 [US3] Replace the plain `!image && !loading && !error` paragraph with a styled not-found card: centred layout, muted Unicode icon, "Image not found" `<h2>`, and a "Back to library" `routerLink="/"` button in `ui/src/app/detail/detail.component.ts`
 - [X] T026 [US3] Wrap the tag-edit input and delete button in a visually distinct "Owner actions" `<section>` with a `--surface` panel, `--border` top separator, and token-based padding/gap in `ui/src/app/detail/detail.component.ts`
 - [X] T027 [US3] Apply `color: var(--danger)` and `border-left: 3px solid var(--danger)` with left-padding to the `tagError` inline error element in `ui/src/app/detail/detail.component.ts`
 - [X] T028 [US3] Add `(error)="onImgError($event)"` on the full-size `<img>` and implement `onImgError` with an inline SVG broken-link placeholder (guard against recursive fallback) in `ui/src/app/detail/detail.component.ts`
 **Checkpoint**: Detail page handles all states (loading, error, not-found, success) gracefully and clearly separates read from write content.
 ---
 ## Phase 6: User Story 4 — Login Page Matches the Design (Priority: P2)
 **Goal**: The login page uses the shared dark design system, displays field-level validation errors and server error messages in `--danger` colour without a page reload, shows a single server error below the form on bad credentials, and disables the button with "Signing in…" label while in-flight.
 **Independent Test**: Navigate to `/login` — confirm dark background, surface card, same font as library. Click Sign In with empty fields — confirm field-level errors without page reload. Enter wrong credentials — confirm single error message below form in danger colour; fields retain values. Throttle network and submit valid credentials — confirm button shows "Signing in…" and is disabled.
 ### Tests for User Story 4 (TDD — write first, confirm failure before T031) ⚠️
 - [X] T029 [US4] Add component tests for field-level validation error display on empty submit, `errorMessage` server error paragraph visibility after failed login, "Signing in…" button label while `loading=true`, and fields-not-cleared behaviour in `ui/src/app/login/login.component.spec.ts`
 ### Implementation for User Story 4
 - [X] T030 [P] [US4] Replace all hardcoded colour values with CSS token variables in the component styles block of `ui/src/app/login/login.component.ts`
 - [X] T031 [US4] Centre the login card vertically (`height: 100vh; display: flex; align-items: center; justify-content: center`) and wrap the form in a `--surface` card with `--radius` border-radius and a `1px solid var(--border)` border in `ui/src/app/login/login.component.ts`
 - [X] T032 [US4] Apply `color: var(--danger)` to field-level reactive-form validation error `<span>` elements for both username and password fields, and to the `errorMessage` server error paragraph below the form in `ui/src/app/login/login.component.ts`
 - [X] T033 [US4] Change submit button label to "Signing in…" and add `disabled` attribute while `loading = true`; style the button with `--accent` background and `--accent-text` foreground matching other views in `ui/src/app/login/login.component.ts`
 **Checkpoint**: Login page is visually consistent with the rest of the app and communicates all form states.
 ---
 ## Phase 7: User Story 5 — App Shell Is Consistent (Priority: P2)
 **Goal**: Every page shares a 48 px fixed-height header with the app name on the left and the sign-out control on the right (when authenticated). The header uses `--surface` background and `--border` bottom border and does not reflow page content on auth state change.
 **Independent Test**: Log in and navigate between library, upload, and detail — confirm identical 48 px header on all pages. Log out — confirm sign-out control disappears but header height is unchanged. Visit library without logging in — confirm header is present but sign-out control absent.
 ### Tests for User Story 5 (TDD — write first, confirm failure before T036) ⚠️
 - [X] T034 [US5] Add component tests for header 48 px height, sign-out button visibility when authenticated, sign-out button absence when unauthenticated, sign-out action redirecting to `/login`, and header height unchanged between auth states in `ui/src/app/app.component.spec.ts`
 ### Implementation for User Story 5
 - [X] T035 [P] [US5] Replace all hardcoded colour values with CSS token variables in the component styles block of `ui/src/app/app.component.ts`
 - [X] T036 [US5] Style the header `<header>` element with `height: 48px`, `background: var(--surface)`, `border-bottom: 1px solid var(--border)`, and a flex layout placing the app name text on the left and the sign-out button on the right; use `color: var(--text-muted)` and a token-based hover state for the sign-out button; ensure `height` is declared on the host element so the 48 px is preserved regardless of sign-out button visibility in `ui/src/app/app.component.ts`
 **Checkpoint**: All five views share a coherent shell. Application feels like one product.
 ---
 ## Phase 8: Polish & Cross-Cutting Concerns
 **Purpose**: Linting gate, build validation, responsive checks, and visual acceptance walk-through across all milestones.
 - [X] T037 [P] Run `ng lint` in `ui/` and confirm zero ESLint and Prettier violations across all modified component files (§7.3 gate)
 - [X] T038 [P] Run `ng build` in `ui/` and confirm zero TypeScript or template errors across all modified components
 - [ ] T039 [P] Run `ng test --watch=false` in `ui/` (or equivalent build-time check) and confirm all new component spec tests pass with zero regressions
 - [ ] T040 [P] Verify upload form layout at 375 px viewport (Chrome DevTools device toolbar → iPhone SE): confirm no horizontal scrollbar and all form elements are usable in `ui/src/app/upload/upload.component.ts`
 - [ ] T041 [P] Verify detail page layout at 375 px viewport: confirm image, tags, and (when authenticated) owner actions are all visible without horizontal overflow in `ui/src/app/detail/detail.component.ts`
 - [ ] T042 Walk through `specs/005-ui-polish/quickstart.md` scenarios M1–M6 in a running `docker compose up` stack and confirm every visual acceptance criterion passes
 ---
 ## Dependencies & Execution Order
 ### Phase Dependencies
 - **Setup (Phase 1)**: No dependencies — start immediately
 - **Foundational (Phase 2)**: Depends on Phase 1 — **BLOCKS all user story phases**
 - **User Stories (Phases 3–7)**: ALL depend on Phase 2 (T004 gate); independent of each other
 - **Polish (Phase 8)**: Depends on all desired user story phases completing
 ### User Story Dependencies
 - **US1 Library (Phase 3, P1)**: Can start after Phase 2 — no dependency on US2–US5
 - **US2 Upload (Phase 4, P1)**: Can start after Phase 2 — no dependency on US1, US3–US5
 - **US3 Detail (Phase 5, P1)**: Can start after Phase 2 — no dependency on US1–US2, US4–US5
 - **US4 Login (Phase 6, P2)**: Can start after Phase 2 — no dependency on US1–US3, US5
 - **US5 App Shell (Phase 7, P2)**: Can start after Phase 2 — best done last as it wraps all views, but technically independent
 ### Within Each User Story Phase
 1. Write component spec tests first (TDD) — they MUST fail before implementation
 2. Token replacement task [P] can run alongside test writing (different files)
 3. Implementation tasks follow in sequence (each new feature depends on the test that exercises it)
 ---
 ## Parallel Execution Examples
 ### Running US1 (Library) startup in parallel
 ```text
 # Start simultaneously after Phase 2 completes:
 Task T005: Write library component tests (spec file)
 Task T006: Apply CSS tokens to library component styles
 ```
 ### Running all three P1 stories in parallel (Phase 3, 4, 5)
 ```text
 # All can start simultaneously after T004 (Phase 2 gate):
 Phase 3 (US1): T005 → T006/T007 → T008 → T009 → T010 → T011 → T012 → T013
 Phase 4 (US2): T014 → T015/T016 → T017 → T018 → T019 → T020
 Phase 5 (US3): T021 → T022/T023 → T024 → T025 → T026 → T027 → T028
 ```
 ---
 ## Implementation Strategy
 ### MVP First (US1 + US2 + US3 — all P1 stories)
 1. Complete Phase 1: Baseline verification
 2. Complete Phase 2: Design token layer (CRITICAL gate)
 3. Complete Phases 3, 4, 5 in parallel or sequence (all P1)
 4. **STOP and VALIDATE**: Run quickstart.md M1–M4 scenarios
 5. Add Phase 6 (US4 Login) and Phase 7 (US5 Shell) for complete polish
 ### Incremental Delivery
 1. Phase 1 + Phase 2 → Token layer live (no visible change)
 2. Phase 3 (US1) → Library feels complete → Demo
 3. Phase 4 (US2) → Upload flow polished → Demo
 4. Phase 5 (US3) → Detail page organised → Demo
 5. Phase 6 (US4) + Phase 7 (US5) → Full design system applied → Final demo
 6. Phase 8 → Lint clean, build clean, all tests pass, quickstart validated
 ---
 ## Notes
 - `[P]` tasks have no file conflicts with other concurrent `[P]` tasks in the same phase
 - TDD order is mandatory: spec tests must be written and confirmed failing before implementation tasks
 - All five component files are standalone Angular components — changes are isolated
 - `ng build` is the type-check gate; Karma tests require the full Docker stack for browser runner
 - No new npm dependencies are introduced in any task
 - Commit after each milestone (M1–M6) for clean rollback points
--- a/specs/006-header-nav-signout/SHIPPED
+++ b/specs/006-header-nav-signout/SHIPPED
--- a/specs/006-header-nav-signout/checklists/requirements.md
+++ b/specs/006-header-nav-signout/checklists/requirements.md
@@ -0,0 +1,34 @@
 # Specification Quality Checklist: Header Navigation & Sign-Out Destination
 **Purpose**: Validate specification completeness and quality before proceeding to planning
 **Created**: 2026-05-03
 **Feature**: [spec.md](../spec.md)
 ## Content Quality
 - [X] No implementation details (languages, frameworks, APIs)
 - [X] Focused on user value and business needs
 - [X] Written for non-technical stakeholders
 - [X] All mandatory sections completed
 ## Requirement Completeness
 - [X] No [NEEDS CLARIFICATION] markers remain
 - [X] Requirements are testable and unambiguous
 - [X] Success criteria are measurable
 - [X] Success criteria are technology-agnostic (no implementation details)
 - [X] All acceptance scenarios are defined
 - [X] Edge cases are identified
 - [X] Scope is clearly bounded
 - [X] Dependencies and assumptions identified
 ## Feature Readiness
 - [X] All functional requirements have clear acceptance criteria
 - [X] User scenarios cover primary flows
 - [X] Feature meets measurable outcomes defined in Success Criteria
 - [X] No implementation details leak into specification
 ## Notes
 - All items pass. Both changes are small, independent, and clearly bounded. Spec is ready for `/speckit-plan`.
--- a/specs/006-header-nav-signout/plan.md
+++ b/specs/006-header-nav-signout/plan.md
@@ -0,0 +1,25 @@
 # Implementation Plan: Header Navigation & Sign-Out Destination
 **Branch**: `006-header-nav-signout` | **Date**: 2026-05-03 | **Spec**: [spec.md](spec.md)
 ## Summary
 Two targeted changes to `ui/src/app/app.component.ts`:
 1. Wrap the header app-name text in a router link to `/`.
 2. Change the post-sign-out navigation target from `/login` to `/`.
 No API changes. No new dependencies. One component file affected.
 ## Technical Context
 **Language/Version**: TypeScript 5 / Angular 19 (standalone components)
 **Affected files**: `ui/src/app/app.component.ts`, `ui/src/app/app.component.spec.ts`
 **Testing**: Karma / Jasmine
 ## Constitution Check
 | Principle | Status |
 |-----------|--------|
 | §2.1 Strict separation of concerns | ✅ UI-only change |
 | §5.1 TDD non-negotiable | ✅ Tests written first |
 | §7.3 Linting non-optional | ✅ ng lint gate in tasks |
--- a/specs/006-header-nav-signout/spec.md
+++ b/specs/006-header-nav-signout/spec.md
@@ -0,0 +1,69 @@
 # Feature Specification: Header Navigation & Sign-Out Destination
 **Feature Branch**: `006-header-nav-signout`
 **Created**: 2026-05-03
 **Status**: Draft
 **Input**: User description: "Simple updates to the UI. Site title in the header should link to the base URL so that it's quick to get back to the main grid view from any sub-page now or in the future. When a user signs out, they should be sent back to the grid view instead of the sign in form."
 ## User Scenarios & Testing *(mandatory)*
 ### User Story 1 — Header Title Links to Grid (Priority: P1)
 The owner (or any visitor) is on a sub-page — an image detail page, the upload form, or any future page — and wants to return to the main image grid. Clicking the application name in the header takes them there immediately, without needing the browser back button or a dedicated navigation link.
 **Why this priority**: The header title is always visible on every page and is the most natural home-navigation affordance. Making it functional costs almost nothing and benefits every session.
 **Independent Test**: Open any sub-page (e.g., an image detail page). Click the application title in the header. Confirm the image grid loads. Works identically whether logged in or not.
 **Acceptance Scenarios**:
 1. **Given** the user is on any page other than the grid, **When** they click the application title in the header, **Then** they are taken to the image grid view.
 2. **Given** the user is already on the grid view, **When** they click the application title, **Then** the page either reloads the grid or stays on it — no error, no blank page.
 3. **Given** the user is not logged in and is on a public detail page, **When** they click the application title, **Then** they are taken to the grid (which is publicly visible) without being redirected to login.
 ---
 ### User Story 2 — Sign Out Lands on Grid (Priority: P1)
 The owner signs out of the application and is returned to the image grid rather than the login page. Since the grid is publicly accessible, there is no need to force a redirect to login — the owner can choose to sign back in if they wish.
 **Why this priority**: Sending a signed-out user to the login page is unnecessary friction for a personal tool where the grid content is public. It also makes the sign-out flow feel punitive rather than neutral.
 **Independent Test**: Log in and sign out from the header. Confirm the image grid is shown, not the login form. Confirm the grid shows images in read-only mode (no write controls).
 **Acceptance Scenarios**:
 1. **Given** the user is signed in, **When** they click the sign-out control, **Then** their session ends and they are taken to the image grid view.
 2. **Given** the user has landed on the grid after signing out, **When** they view the page, **Then** tag-edit and delete controls are not shown (consistent with unauthenticated behaviour already in place).
 3. **Given** the user signs out from a sub-page (e.g., detail page), **When** the sign-out completes, **Then** they are taken to the grid — not to the page they were on, and not to the login form.
 ---
 ### Edge Cases
 - What happens if the grid is unavailable when the user clicks the title? The navigation attempt is made; any existing error-state handling on the grid covers this.
 - What if a future page introduces an auth-required route? The header title links to the grid unconditionally; auth guards on specific routes handle their own redirects independently.
 ## Requirements *(mandatory)*
 ### Functional Requirements
 - **FR-001**: The application title displayed in the persistent header MUST be a navigable link that takes the user to the image grid view from any page in the application.
 - **FR-002**: The title link MUST be accessible to both authenticated and unauthenticated users; it MUST NOT trigger a login redirect.
 - **FR-003**: After a user successfully signs out, the application MUST navigate them to the image grid view.
 - **FR-004**: The sign-out destination MUST be the grid view regardless of which page the user was on when they signed out.
 ## Success Criteria *(mandatory)*
 ### Measurable Outcomes
 - **SC-001**: From any page, the image grid is reachable in exactly one click via the header title — no intermediate pages or redirects.
 - **SC-002**: After signing out, the user sees the image grid (not the login page) in 100% of sign-out flows.
 - **SC-003**: The title link functions correctly for both authenticated and unauthenticated sessions — verified across the grid, detail, and upload pages.
 ## Assumptions
 - The image grid at the root URL is publicly accessible without authentication (confirmed: existing behaviour shows images to unauthenticated visitors).
 - The application title ("Reactbin") is already rendered as a text element in the persistent header from the UI polish work; this spec adds navigation behaviour to it, not a new visual element.
 - No change is made to the login redirect behaviour for protected routes (e.g., navigating directly to `/upload` while logged out still redirects to login as before).
 - The sign-out action clears the session as already implemented; only the post-sign-out destination changes.
--- a/specs/006-header-nav-signout/tasks.md
+++ b/specs/006-header-nav-signout/tasks.md
@@ -0,0 +1,15 @@
 # Tasks: Header Navigation & Sign-Out Destination
 ## Phase 1: Tests (TDD — write first)
 - [X] T001 Add component tests for header title routerLink to `/` and sign-out navigation to `/` in `ui/src/app/app.component.spec.ts`
 ## Phase 2: Implementation
 - [X] T002 Wrap the `.app-name` span in a `routerLink="/"` anchor in `ui/src/app/app.component.ts`
 - [X] T003 Change `onLogout()` navigation target from `/login` to `/` in `ui/src/app/app.component.ts`
 ## Phase 3: Validation
 - [X] T004 Run `ng lint` in `ui/` — zero violations
 - [X] T005 Run `ng build` in `ui/` — zero errors
--- a/specs/007-tag-browser/SHIPPED
+++ b/specs/007-tag-browser/SHIPPED
--- a/specs/007-tag-browser/checklists/requirements.md
+++ b/specs/007-tag-browser/checklists/requirements.md
@@ -0,0 +1,34 @@
 # Specification Quality Checklist: Tag Browser
 **Purpose**: Validate specification completeness and quality before proceeding to planning
 **Created**: 2026-05-06
 **Feature**: [spec.md](../spec.md)
 ## Content Quality
 - [X] No implementation details (languages, frameworks, APIs)
 - [X] Focused on user value and business needs
 - [X] Written for non-technical stakeholders
 - [X] All mandatory sections completed
 ## Requirement Completeness
 - [X] No [NEEDS CLARIFICATION] markers remain
 - [X] Requirements are testable and unambiguous
 - [X] Success criteria are measurable
 - [X] Success criteria are technology-agnostic (no implementation details)
 - [X] All acceptance scenarios are defined
 - [X] Edge cases are identified
 - [X] Scope is clearly bounded
 - [X] Dependencies and assumptions identified
 ## Feature Readiness
 - [X] All functional requirements have clear acceptance criteria
 - [X] User scenarios cover primary flows
 - [X] Feature meets measurable outcomes defined in Success Criteria
 - [X] No implementation details leak into specification
 ## Notes
 - All items pass. Feature is small and well-bounded — two P1 stories (browse + navigate) form the core MVP; P2 (discoverability link) is a natural follow-on. No clarifications needed. Ready for `/speckit-plan`.
--- a/specs/007-tag-browser/contracts/tags-endpoint.md
+++ b/specs/007-tag-browser/contracts/tags-endpoint.md
@@ -0,0 +1,58 @@
 # Contract: GET /api/v1/tags (enhanced)
 ## Overview
 Extends the existing tags list endpoint with two new optional query parameters. All existing behaviour is preserved when the new parameters are omitted.
 ## Request
 ```
 GET /api/v1/tags
 ```
 ### Query Parameters
 | Parameter  | Type    | Default  | Description |
 |------------|---------|----------|-------------|
 | `q`        | string  | —        | Filter tags by name prefix (existing) |
 | `limit`    | integer | 100      | Max items to return; capped at 200 (existing) |
 | `offset`   | integer | 0        | Pagination offset (existing) |
 | `sort`     | string  | `name`   | Sort order: `name` (alphabetical asc) or `count_desc` (image count descending, alphabetical secondary) |
 | `min_count`| integer | 0        | Exclude tags with fewer than this many images. Use `1` to hide zero-count tags. |
 ### Authentication
 Not required. Public endpoint.
 ## Response
 ```json
 {
  "items": [
    { "id": "uuid", "name": "string", "image_count": 0 }
  ],
  "total": 0,
  "limit": 100,
  "offset": 0
 }
 ```
 No changes to the response shape.
 ## Tag Browser Usage
 The tag browser component calls:
 ```
 GET /api/v1/tags?sort=count_desc&min_count=1&limit=500
 ```
 `limit=500` is a safe upper bound for a personal library. If `total` exceeds `limit` in the response, the component logs a warning but renders what it received (no pagination UI required at this scale).
 ## Library Autocomplete Usage (unchanged)
 ```
 GET /api/v1/tags?q=<prefix>&limit=10
 ```
 Uses neither `sort` nor `min_count` — default behaviour is unchanged.
--- a/specs/007-tag-browser/data-model.md
+++ b/specs/007-tag-browser/data-model.md
@@ -0,0 +1,23 @@
 # Data Model: Tag Browser
 No schema changes are required for this feature. All data needed to power the tag browser already exists.
 ## Derived Entity: Tag with Count
 The tag browser displays a **read-only, derived view** of existing data:
 | Field | Source | Notes |
 |-------|--------|-------|
 | `name` | `tags.name` | Lowercase, normalised string |
 | `image_count` | `COUNT(image_tags.image_id) WHERE image_tags.tag_id = tags.id` | Computed at query time |
 This is exactly the shape already returned by `GET /api/v1/tags` as `{"id", "name", "image_count"}`.
 ## What Changes
 The query in `TagRepository.list_tags()` gains two optional behaviours:
 1. **Sort by count descending** — adds `ORDER BY image_count DESC, name ASC` (count-desc primary, alphabetical secondary) instead of the current `ORDER BY name ASC`.
 2. **Exclude zero-count tags** — adds `HAVING image_count > 0` (or equivalent `WHERE` on the subquery) when `min_count=1` is requested.
 No new tables, columns, indexes, or migrations are needed.
--- a/specs/007-tag-browser/plan.md
+++ b/specs/007-tag-browser/plan.md
@@ -0,0 +1,96 @@
 # Implementation Plan: Tag Browser
 **Branch**: `007-tag-browser` | **Date**: 2026-05-06 | **Spec**: [spec.md](spec.md)
 **Input**: Feature specification from `specs/007-tag-browser/spec.md`
 ## Summary
 Add a `/tags` page that lists every tag with its image count, sorted by popularity, each linking to the filtered library view. Requires: (1) two new query parameters on the existing `/api/v1/tags` endpoint to support sort-by-count and zero-count exclusion, (2) query-parameter-driven filtering on the library route so tag browser links deep-link correctly, (3) a new `TagBrowserComponent`, and (4) a navigation entry point from the library.
 ## Technical Context
 **Language/Version**: Python 3.12 (API), TypeScript strict / Angular 19 (UI)
 **Primary Dependencies**: FastAPI, SQLAlchemy 2.x async, Angular standalone components
 **Storage**: PostgreSQL (read-only for this feature — no schema changes)
 **Testing**: pytest + httpx (API integration), Jasmine/Karma (Angular unit)
 **Target Platform**: Web (same stack as all prior features)
 **Project Type**: Web service + SPA
 **Performance Goals**: Tag list page load perceived as instant (same bar as library)
 **Constraints**: No schema changes; no new dependencies; counts must be accurate at page-load time
 **Scale/Scope**: Personal library — tag count is bounded; no pagination UI needed for tag browser, but the API call uses existing paginated endpoint
 ## Constitution Check
 | Principle | Status | Notes |
 |-----------|--------|-------|
 | §2.1 Strict separation of concerns | ✅ | UI calls API; API owns all DB logic |
 | §2.5 Repository layer | ✅ | All query changes go in `TagRepository.list_tags()` |
 | §2.6 No speculative abstraction | ✅ | No new interfaces; extends existing repo method |
 | §3.1 API versioning `/api/v1/` | ✅ | Modifying existing versioned endpoint |
 | §3.2 OpenAPI as contract | ✅ | New query params documented via FastAPI |
 | §3.3 Error shape | ✅ | No new error paths |
 | §3.4 Pagination | ✅ | Existing endpoint already paginates; tag browser fetches with `limit=500` (safe upper bound for a personal library) |
 | §4.1 Tags lowercase normalised | ✅ | No change to tag creation/normalisation |
 | §5.1 TDD non-negotiable | ✅ | Tests written before implementation in tasks |
 | §5.3 Tests colocated | ✅ | API tests in `api/tests/`, Angular spec next to component |
 | §6 Tech stack | ✅ | No new dependencies |
 | §7.3 Linting/formatting enforced | ✅ | `ng lint` + `ruff` gates in tasks |
 **Gate**: All principles pass. Phase 0 research not required — no unknowns.
 ## Project Structure
 ### Documentation (this feature)
 ```text
 specs/007-tag-browser/
 ├── plan.md              ← this file
 ├── research.md          ← not required (no unknowns)
 ├── data-model.md        ← see below (derived data, no schema changes)
 ├── contracts/
 │   └── tags-endpoint.md ← enhanced GET /api/v1/tags contract
 └── tasks.md             ← generated by /speckit-tasks
 ```
 ### Source Code Changes
 ```text
 api/
 ├── app/
 │   ├── repositories/
 │   │   └── tag_repo.py          ← extend list_tags() with sort + min_count params
 │   └── routers/
 │       └── tags.py              ← expose sort + min_count as query params
 └── tests/
    ├── integration/
    │   └── test_tags.py         ← new tests: sort=count_desc, min_count=1
    └── unit/
        └── test_tags.py         ← unit tests for repo sort/filter logic (if applicable)
 ui/src/app/
 ├── tags/
 │   ├── tags.component.ts        ← new TagBrowserComponent
 │   └── tags.component.spec.ts   ← component tests
 ├── services/
 │   └── tag.service.ts           ← add sort param to list() method
 ├── library/
 │   └── library.component.ts     ← read ?tags= query param on init; add /tags nav link
 └── app.routes.ts                ← add /tags route (lazy-loaded)
 ```
 ## Design Decisions
 ### API: extend existing endpoint rather than add new one
 The `/api/v1/tags` endpoint already returns tags with `image_count`. Two new optional query parameters make it serve the tag browser without breaking existing callers (the library autocomplete uses the endpoint unchanged):
 - `sort`: `name` (default, current behaviour) | `count_desc` (tag browser use case)
 - `min_count`: integer, default `0` (all tags, current behaviour) | `1` (excludes zero-count tags)
 ### Library: query param deep-linking
 The library component currently manages `activeFilters` in memory only. Adding `?tags=cat,funny` query parameter support (read on `ngOnInit` via `ActivatedRoute`) allows the tag browser to link directly to a pre-filtered library view. The library already uses `addFilter()` / `applyFilter()` internally — reading from query params simply pre-populates `activeFilters` before the initial `load()` call. Navigation from within the library that changes filters should update the URL to keep it shareable, but that is a polish concern — minimum requirement is that arriving at `/?tags=cat` shows the cat-filtered library.
 ### Tag browser UI layout
 A responsive chip/card grid sorted by count descending. Each item shows the tag name and count. Each item is a `routerLink` to `/?tags=<name>`. Follows the existing design token system (`--surface`, `--accent`, `--chip` styles). Empty state if no tags exist.
--- a/specs/007-tag-browser/quickstart.md
+++ b/specs/007-tag-browser/quickstart.md
@@ -0,0 +1,45 @@
 # Quickstart: Tag Browser
 ## Verifying the feature end-to-end
 ### Prerequisites
 - Docker stack running (`docker compose up`)
 - At least 3 images uploaded with different tags (e.g., `cat`, `funny`, `reaction`)
 - At least one image with two tags (e.g., both `cat` and `funny`)
 ### Scenario 1 — Tag browser shows all tags with correct counts
 1. Open the app (not logged in).
 2. Navigate to `/tags`.
 3. **Expected**: A list of tags is shown. Each tag displays the number of images with that tag. Tags are ordered from most images to fewest.
 4. Verify: Count next to `cat` matches the number of images actually tagged `cat`.
 5. Verify: Tags with zero images are not shown.
 ### Scenario 2 — Clicking a tag navigates to the filtered library
 1. On the `/tags` page, click the `cat` tag.
 2. **Expected**: Navigated to the library (`/`) showing only images tagged `cat`.
 3. Verify: The active filter chip shows `cat` in the library.
 ### Scenario 3 — Library page links to tag browser
 1. Navigate to `/` (library, logged in or out).
 2. **Expected**: A link or button labelled "Browse by tag" (or similar) is visible.
 3. Click it.
 4. **Expected**: The tag browser page loads.
 ### Scenario 4 — Empty state
 1. If the library has no images at all, navigate to `/tags`.
 2. **Expected**: An empty state message is shown rather than a blank page or error.
 ### API verification
 ```bash
 # Sorted by count, zero-count tags excluded
 curl http://localhost:8000/api/v1/tags?sort=count_desc&min_count=1
 # Existing autocomplete behaviour unchanged
 curl http://localhost:8000/api/v1/tags?q=ca&limit=10
 ```
--- a/specs/007-tag-browser/spec.md
+++ b/specs/007-tag-browser/spec.md
@@ -0,0 +1,95 @@
 # Feature Specification: Tag Browser
 **Feature Branch**: `007-tag-browser`
 **Created**: 2026-05-06
 **Status**: Draft
 **Input**: User description: "A page that lists all tags with their image counts so that users don't have to guess at searches to find image categories/tags"
 ## User Scenarios & Testing *(mandatory)*
 ### User Story 1 — Browse All Tags (Priority: P1)
 The owner (or any visitor) wants to know what categories of images exist in the library without having to type guesses into a search box. They navigate to the tag browser page and see every tag in the library alongside the number of images associated with it, sorted so the most-used tags appear first.
 **Why this priority**: This is the entire purpose of the feature. A visitor who doesn't know what tags exist has no way to discover them otherwise — the tag filter on the library page only helps when you already know what to type.
 **Independent Test**: Navigate to the tag browser page without being logged in. Confirm every tag in the library is shown with its image count, ordered from highest to lowest count.
 **Acceptance Scenarios**:
 1. **Given** the library contains images with various tags, **When** a visitor opens the tag browser page, **Then** every tag in the library is listed with the number of images that carry that tag.
 2. **Given** the tag list is displayed, **When** the visitor looks at the ordering, **Then** tags with more images appear before tags with fewer images.
 3. **Given** the visitor is not logged in, **When** they open the tag browser page, **Then** the page loads and displays tags without requiring authentication.
 ---
 ### User Story 2 — Navigate from Tag to Library (Priority: P1)
 A visitor sees a tag they are interested in and wants to view the images in that category. Clicking a tag on the tag browser page takes them directly to the library filtered to that tag, without requiring them to retype it.
 **Why this priority**: The tag browser page has no value as a dead end. Each tag must be a link to the filtered library view — that is the core action the page enables. Treated as P1 because the browse and navigate actions together form the minimum useful feature.
 **Independent Test**: Click any tag on the tag browser page. Confirm the library view opens showing only images carrying that tag.
 **Acceptance Scenarios**:
 1. **Given** the tag browser is showing a list of tags, **When** the visitor clicks a tag, **Then** they are taken to the library view filtered to show only images with that tag.
 2. **Given** the visitor clicks a tag with a count of one, **When** the library loads, **Then** exactly one image is shown.
 ---
 ### User Story 3 — Reach the Tag Browser from the Library (Priority: P2)
 The owner is browsing the image library and wants to switch to the tag browser to explore by category. A navigation element on the library page makes the tag browser discoverable without requiring the visitor to type the URL directly.
 **Why this priority**: The tag browser is only useful if visitors can find it. A direct entry point from the library is the most natural discovery path; however, the core value of browsing and navigating tags is independently deliverable without it.
 **Independent Test**: Load the library page. Confirm a visible link or button leads to the tag browser and navigates correctly when clicked.
 **Acceptance Scenarios**:
 1. **Given** the visitor is on the library page, **When** they look for a way to browse by tag, **Then** a visible link or button leads them to the tag browser.
 2. **Given** the visitor clicks that link, **When** the tag browser loads, **Then** all tags and counts are shown as expected.
 ---
 ### Edge Cases
 - What if there are no tags in the library at all? The page displays an appropriate empty state message rather than a blank page or error.
 - What if a tag has been removed from all images (count reaches zero)? Tags with a count of zero are not shown on the tag browser page.
 - What if the library contains a very large number of distinct tags? The page renders all of them without truncation; pagination is not required at personal library scale.
 - What if two tags share the same count? An alphabetical secondary sort is acceptable — no specific tie-breaking order was requested.
 ## Requirements *(mandatory)*
 ### Functional Requirements
 - **FR-001**: The application MUST provide a dedicated tag browser page accessible at a stable URL.
 - **FR-002**: The tag browser page MUST display every tag that exists in the library with at least one associated image, each shown with its current image count.
 - **FR-003**: Tags with an image count of zero MUST NOT appear on the tag browser page.
 - **FR-004**: Tags MUST be ordered from highest image count to lowest image count.
 - **FR-005**: Each tag on the tag browser page MUST be a navigable link that takes the visitor to the library view filtered to that tag.
 - **FR-006**: The tag browser page MUST be publicly accessible without authentication.
 - **FR-007**: The library page MUST include a discoverable navigation element leading to the tag browser page.
 ### Key Entities
 - **Tag with count**: A tag label paired with the number of images currently carrying that tag. No new stored data — counts are derived from existing image–tag relationships at read time.
 ## Success Criteria *(mandatory)*
 ### Measurable Outcomes
 - **SC-001**: Every tag present in the library with at least one image appears on the tag browser page — 0% omission rate.
 - **SC-002**: The image count displayed next to each tag matches the actual number of images with that tag — 100% accuracy.
 - **SC-003**: Clicking any tag on the tag browser navigates to the correctly filtered library view in 100% of cases.
 - **SC-004**: The tag browser page loads successfully without authentication — verified by opening it while logged out.
 - **SC-005**: A visitor can go from the library page to the tag browser and on to a filtered library view in three interactions or fewer.
 ## Assumptions
 - Tags are already a first-class concept in the library — images can have multiple tags and the data needed to derive counts already exists. No schema changes are required.
 - The library page already supports filtering by tag (via the existing search/filter mechanism); the tag browser links into that existing behaviour.
 - Alphabetical secondary sort for equal-count tags is acceptable.
 - Pagination of the tag list is out of scope for a personal image library.
 - Creating, renaming, or deleting tags from the tag browser page is out of scope; it is a read-only view.
--- a/specs/007-tag-browser/tasks.md
+++ b/specs/007-tag-browser/tasks.md
@@ -0,0 +1,152 @@
 # Tasks: Tag Browser
 **Input**: Design documents from `specs/007-tag-browser/`
 **Prerequisites**: plan.md ✅, spec.md ✅, data-model.md ✅, contracts/ ✅, quickstart.md ✅
 **Tests**: TDD is non-negotiable (§5.1). Every implementation task is preceded by a failing-test task. Test tasks MUST be written and confirmed failing before the corresponding implementation task begins.
 **Organization**: Foundational API + service changes first (block all stories), then one phase per user story.
 ## Format: `[ID] [P?] [Story] Description`
 - **[P]**: Can run in parallel with other [P] tasks in the same phase
 - **[Story]**: Which user story this task belongs to
 - Exact file paths included in every task description
 ---
 ## Phase 1: Setup
 No new project structure required. The existing layout accommodates all changes.
 ---
 ## Phase 2: Foundational — API Enhancement & Service Update
 **Purpose**: Extend `GET /api/v1/tags` with `sort` and `min_count` query parameters; update the Angular `TagService` to pass them. All three user stories depend on the API returning tags sorted by count with zero-count tags excluded.
 **⚠️ CRITICAL**: No user story work can begin until this phase is complete.
 - [X] T001 [P] Write failing API integration tests for `sort=count_desc` and `min_count=1` params in `api/tests/integration/test_tags.py` — assert response is ordered highest-count-first and excludes zero-count tags
 - [X] T002 [P] Write failing spec for updated `TagService.list()` accepting `sort` and `minCount` params in `ui/src/app/services/tag.service.spec.ts` — final signature: `list(prefix = '', limit = 100, offset = 0, sort?: string, minCount?: number)`
 - [X] T003 Extend `TagRepository.list_tags()` in `api/app/repositories/tag_repo.py` — add `sort: str = "name"` and `min_count: int = 0` params; apply `ORDER BY image_count DESC, name ASC` when `sort="count_desc"`; apply `HAVING image_count >= min_count` filter — run AFTER T001 (TDD)
 - [X] T004 Expose `sort` and `min_count` as optional query params in `api/app/routers/tags.py` — pass through to `tag_repo.list_tags()` — run AFTER T003
 - [X] T005 Update `TagService.list()` in `ui/src/app/services/tag.service.ts` — final signature: `list(prefix = '', limit = 100, offset = 0, sort?: string, minCount?: number)`; include `sort` and `min_count` in `HttpParams` when provided — run AFTER T002 (TDD)
 **Execution order**: T001 ∥ T002 → T003 (after T001), T005 (after T002) → T004 (after T003)
 **Checkpoint**: `GET /api/v1/tags?sort=count_desc&min_count=1` returns tags sorted by image count descending with zero-count tags excluded. `TagService.list()` passes the new params.
 ---
 ## Phase 3: User Story 1 — Browse All Tags (Priority: P1) 🎯 MVP
 **Goal**: A `/tags` page that lists every tag (with count ≥ 1) sorted from most-used to least-used, with loading skeleton, empty state, and error state matching the existing design system.
 **Independent Test**: Navigate to `/tags` while logged out. Confirm every tag with at least one image is shown with its count, ordered by count descending. Confirm the empty state appears when no tags exist.
 ### Tests for User Story 1
 - [X] T006 [US1] Write failing spec for `TagBrowserComponent` in `ui/src/app/tags/tags.component.spec.ts` covering: (a) skeleton shown while loading, (b) tag list rendered with name and count after load, (c) tags ordered by count descending, (d) empty state shown when tag list is empty, (e) error state shown on fetch failure with retry button, (f) each rendered tag element has an `href` of `/?tags=<tagname>` (FR-005 coverage), (g) component renders when `AuthService` is not present / user is unauthenticated (FR-006 coverage)
 ### Implementation for User Story 1
 - [X] T007 [US1] Create `TagBrowserComponent` in `ui/src/app/tags/tags.component.ts` — standalone component; on init call `tagService.list('', 500, 0, 'count_desc', 1)` (positional order matches T005 signature); display tag chips with name + count; each chip is a `routerLink="/"` with `[queryParams]="{tags: tag.name}"` so the href renders as `/?tags=<name>`; include skeleton loading state (reuse `.skeleton` class from global styles), empty state, and error state with retry; apply design tokens throughout
 - [X] T008 [P] [US1] Add `/tags` lazy route to `ui/src/app/app.routes.ts` — load `TagBrowserComponent`; no auth guard (public route)
 **Checkpoint**: `/tags` renders a sorted, filterable tag list visible without authentication.
 ---
 ## Phase 4: User Story 2 — Navigate from Tag to Library (Priority: P1)
 **Goal**: Clicking a tag on the tag browser navigates to the library pre-filtered to that tag. Requires the library to read `?tags=<name>` from the URL on init and apply it as an active filter before the first image load.
 **Independent Test**: Navigate directly to `/?tags=cat` in the browser. Confirm the library loads showing only images tagged `cat` and the `cat` chip appears in the active filter bar.
 ### Tests for User Story 2
 - [X] T009 [US2] Write failing spec for `LibraryComponent` reading `?tags=` query param in `ui/src/app/library/library.component.spec.ts` — assert that when the component initialises with `?tags=cat` in the URL, `activeFilters` contains `['cat']` and `imageService.list` is called with `['cat']`
 ### Implementation for User Story 2
 - [X] T010 [US2] Update `LibraryComponent` in `ui/src/app/library/library.component.ts` — inject `ActivatedRoute`; in `ngOnInit`, read `snapshot.queryParamMap.get('tags')`; if present, split by comma, set `activeFilters` before calling `load()` so the first fetch is already filtered
 **Checkpoint**: Navigating to `/?tags=cat` from the tag browser shows the correctly filtered library.
 ---
 ## Phase 5: User Story 3 — Tag Browser Discoverable from Library (Priority: P2)
 **Goal**: A visible "Browse tags" link in the library page header navigates to `/tags`. Makes the tag browser discoverable without requiring the user to type the URL.
 **Independent Test**: Load the library page. Confirm a link to `/tags` is visible in the header and navigates correctly when clicked.
 ### Tests for User Story 3
 - [X] T011 [US3] Write failing spec for library nav link to `/tags` in `ui/src/app/library/library.component.spec.ts` — assert a link element with `href="/tags"` is present in the rendered header
 ### Implementation for User Story 3
 - [X] T012 [US3] Add "Browse tags" `routerLink="/tags"` link to `LibraryComponent` header in `ui/src/app/library/library.component.ts` — place alongside the existing Upload button; style consistently with the existing header button pattern
 **Checkpoint**: All three user stories are independently functional.
 ---
 ## Phase 6: Polish & Cross-Cutting Concerns
 - [X] T013 [P] Run `ruff check api/app/ api/tests/` and fix any violations
 - [X] T014 [P] Run `ng lint` in `ui/` — zero violations required
 - [X] T015 Run `ng build` in `ui/` — zero errors required
 ---
 ## Dependencies & Execution Order
 ### Phase Dependencies
 - **Phase 2 (Foundational)**: Blocks all user story phases — must complete first
 - **Phase 3 (US1)**: Depends on Phase 2 — TagBrowserComponent needs the sorted tag endpoint
 - **Phase 4 (US2)**: Depends on Phase 2 — library deep-link needs no API change, but should follow US1 for coherent testing
 - **Phase 5 (US3)**: Depends on Phase 3 (needs the `/tags` route to exist for the link to be meaningful)
 - **Phase 6 (Polish)**: Depends on all prior phases
 ### Within Phase 2
 - T001 ∥ T002 (different repos, both write failing tests)
 - T003 after T001 (TDD: failing test must exist first)
 - T005 after T002 (TDD: failing test must exist first)
 - T003 ∥ T005 (different repos, after their respective tests)
 - T004 after T003 (router wraps repo)
 ### Execution Order (Phase 2)
 ```
 Step 1 (parallel): T001, T002
 Step 2 (parallel): T003 (after T001), T005 (after T002)
 Step 3: T004 (after T003)
 ```
 ### Parallel Opportunities (Phases 3–5)
 - T007 and T008 are parallel within Phase 3
 ---
 ## Implementation Strategy
 ### MVP (US1 + US2 — both P1)
 1. Complete Phase 2 (Foundational)
 2. Complete Phase 3 (US1 — TagBrowserComponent)
 3. Complete Phase 4 (US2 — library deep-link)
 4. **Validate**: Navigate from tag browser → library → confirm pre-filtered results
 5. Phases 5–6 add discoverability and polish
 ### Incremental Delivery
 - After Phase 3: `/tags` page is live and usable (visitors can browse tags)
 - After Phase 4: clicking a tag works end-to-end (browse → filtered library)
 - After Phase 5: tag browser is discoverable from the library without typing the URL
 - After Phase 6: lint and build clean, ready for merge
--- a/specs/008-postgres-integration-tests/SHIPPED
+++ b/specs/008-postgres-integration-tests/SHIPPED
--- a/specs/008-postgres-integration-tests/plan.md
+++ b/specs/008-postgres-integration-tests/plan.md
@@ -0,0 +1,236 @@
 # Implementation Plan: PostgreSQL Integration Test Infrastructure
 **Branch**: `master` | **Date**: 2026-05-06 | **Spec**: specs/008-postgres-integration-tests/spec.md
 **Input**: Feature specification from `specs/008-postgres-integration-tests/spec.md`
 ---
 ## Summary
 Enforce the constitution's PostgreSQL mandate (§2.5, §5.2 v1.3.0) for integration tests. Three concrete deliverables: (1) a fast-fail guard in `conftest.py` that rejects non-PostgreSQL URLs before any test collects, (2) a `docker-compose.test.yml` that provides isolated `postgres-test` and `minio-test` services and an `api-test` runner, and (3) a `Makefile` + `.env.test.example` that document the canonical test commands.
 ---
 ## Technical Context
 **Language/Version**: Python 3.12, Docker Compose v2
 **Primary Dependencies**: pytest, pytest-asyncio, asyncpg, SQLAlchemy 2.x (all already in `pyproject.toml [dev]`)
 **Storage**: PostgreSQL 16-alpine (test instance), MinIO (test instance)
 **Testing**: pytest — this feature *is* the test infrastructure change
 **Target Platform**: Developer workstation (Linux/macOS) with Docker
 **Project Type**: Infrastructure / developer-experience
 **Performance Goals**: Guard exits in < 2 s; full integration suite continues to run in < 60 s
 **Constraints**: Must not break the existing dev compose stack; no changes to application source code
 **Scale/Scope**: One guard, one compose file, one Makefile, one env example
 ---
 ## Constitution Check
 | Principle | Status | Notes |
 |-----------|--------|-------|
 | §2.5 Database abstraction — no alternative DB in integration tests | ✅ ENFORCED | This feature implements the enforcement |
 | §5.1 TDD — failing test before implementation | ✅ | Guard itself is tested by running with a bad URL before adding the guard |
 | §5.2 Test pyramid — integration tests use real PostgreSQL | ✅ ENFORCED | docker-compose.test.yml provides the real instance |
 | §5.4 CI must pass before task is done | ✅ | Verified by running the full suite via compose |
 | §6 Tech stack — asyncpg driver, Docker Compose | ✅ | No new technologies introduced |
 | §7.1 One-command local start | ✅ | `docker compose -f docker-compose.test.yml run --rm api-test` |
 | §7.2 Environment config via env vars | ✅ | .env.test.example documents all vars |
 | §7.3 Linting not optional | ✅ | ruff will run as part of task validation |
 No violations.
 ---
 ## Project Structure
 ### Documentation (this feature)
 ```text
 specs/008-postgres-integration-tests/
 ├── plan.md          ← this file
 ├── research.md      ← decisions made above
 ├── spec.md          ← feature specification
 └── tasks.md         ← generated by /speckit-tasks
 ```
 ### Source changes
 ```text
 # New files
 docker-compose.test.yml          ← isolated test services + api-test runner
 .env.test.example                ← documents test environment variables
 Makefile                         ← test-unit / test-integration targets
 # Modified files
 api/tests/integration/conftest.py   ← add postgresql+asyncpg:// dialect guard
 ```
 No application source files (`api/app/`) are modified. No UI files are touched.
 ---
 ## Detailed Design
 ### 1. conftest.py — dialect guard
 Add a module-level `pytest_configure` hook at the top of `api/tests/integration/conftest.py`. It resolves the database URL (same logic as the `engine` fixture: prefer `TEST_DATABASE_URL`, fall back to `settings.database_url`) and calls `pytest.exit()` if the scheme is not `postgresql+asyncpg`:
 ```python
 def pytest_configure(config):
    import os
    db_url = os.getenv("TEST_DATABASE_URL") or os.getenv("DATABASE_URL", "")
    if not db_url.startswith("postgresql+asyncpg://"):
        pytest.exit(
            "Integration tests require a PostgreSQL database "
            "(postgresql+asyncpg://...). "
            "Set TEST_DATABASE_URL or DATABASE_URL accordingly. "
            f"Got: {db_url!r}",
            returncode=1,
        )
 ```
 The hook runs before any fixture or collection, giving an immediate, unambiguous error.
 **Note**: This guard goes in `api/tests/integration/conftest.py` only, not in `api/tests/conftest.py`, so that unit tests (which use no database) are unaffected.
 ### 2. docker-compose.test.yml
 ```yaml
 services:
  postgres-test:
    image: postgres:16-alpine
    environment:
      POSTGRES_USER: reactbin
      POSTGRES_PASSWORD: reactbin
      POSTGRES_DB: reactbin_test
    ports:
      - "5433:5432"
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U reactbin"]
      interval: 5s
      timeout: 5s
      retries: 5
  minio-test:
    image: minio/minio:latest
    command: server /data --console-address ":9001"
    environment:
      MINIO_ROOT_USER: minioadmin
      MINIO_ROOT_PASSWORD: minioadmin
    ports:
      - "9002:9000"
      - "9003:9001"
    healthcheck:
      test: ["CMD", "mc", "ready", "local"]
      interval: 5s
      timeout: 5s
      retries: 5
  minio-init-test:
    image: minio/mc:latest
    depends_on:
      minio-test:
        condition: service_healthy
    environment:
      MINIO_ROOT_USER: minioadmin
      MINIO_ROOT_PASSWORD: minioadmin
    entrypoint: >
      /bin/sh -c "
      mc alias set local http://minio-test:9000 $$MINIO_ROOT_USER $$MINIO_ROOT_PASSWORD &&
      mc mb --ignore-existing local/reactbin-test
      "
  api-test:
    build:
      context: ./api
    environment:
      TEST_DATABASE_URL: postgresql+asyncpg://reactbin:reactbin@postgres-test:5432/reactbin_test
      DATABASE_URL: postgresql+asyncpg://reactbin:reactbin@postgres-test:5432/reactbin_test
      S3_ENDPOINT_URL: http://minio-test:9000
      S3_BUCKET_NAME: reactbin-test
      S3_ACCESS_KEY_ID: minioadmin
      S3_SECRET_ACCESS_KEY: minioadmin
      S3_REGION: us-east-1
      JWT_SECRET_KEY: test-secret-key-for-testing-only
      OWNER_USERNAME: testowner
      OWNER_PASSWORD: testpassword
      API_BASE_URL: http://localhost:8000
      MAX_UPLOAD_BYTES: "52428800"
    depends_on:
      postgres-test:
        condition: service_healthy
      minio-init-test:
        condition: service_completed_successfully
    command: ["python", "-m", "pytest", "tests/", "-v"]
    working_dir: /app
 ```
 ### 3. .env.test.example
 Documents the variables needed to run integration tests from the host (with postgres-test and minio-test already running via compose):
 ```bash
 # Integration test environment — used when running pytest directly on the host
 # Start test services first: docker compose -f docker-compose.test.yml up -d postgres-test minio-test minio-init-test
 TEST_DATABASE_URL=postgresql+asyncpg://reactbin:reactbin@localhost:5433/reactbin_test
 DATABASE_URL=postgresql+asyncpg://reactbin:reactbin@localhost:5433/reactbin_test
 S3_ENDPOINT_URL=http://localhost:9002
 S3_BUCKET_NAME=reactbin-test
 S3_ACCESS_KEY_ID=minioadmin
 S3_SECRET_ACCESS_KEY=minioadmin
 S3_REGION=us-east-1
 JWT_SECRET_KEY=test-secret-key-for-testing-only
 OWNER_USERNAME=testowner
 OWNER_PASSWORD=testpassword
 API_BASE_URL=http://localhost:8000
 MAX_UPLOAD_BYTES=52428800
 ```
 ### 4. Makefile
 ```makefile
 .PHONY: test-unit test-integration
 test-unit:
 	cd api && python -m pytest tests/unit/ -v
 test-integration:
 	docker compose -f docker-compose.test.yml run --rm api-test
 ```
 ---
 ## Phase Breakdown
 ### Phase 1: Guard (FR-001) — US1
 - Write a failing test: run `pytest api/tests/integration/` with `TEST_DATABASE_URL=sqlite+aiosqlite:///test.db` — confirm it does NOT exit early (test that the guard is absent)
 - Add `pytest_configure` guard to `api/tests/integration/conftest.py`
 - Verify: running with SQLite URL now exits immediately with the correct message
 - Verify: running with a PostgreSQL URL proceeds normally
 ### Phase 2: Docker Compose test stack (FR-002, FR-003) — US2
 - Write `docker-compose.test.yml` with `postgres-test`, `minio-test`, `minio-init-test`, `api-test`
 - Run `docker compose -f docker-compose.test.yml run --rm api-test` — all tests pass
 - Confirm dev stack (port 5432, 9000) is unaffected
 ### Phase 3: Documentation (FR-004, FR-005) — US3
 - Write `.env.test.example`
 - Write `Makefile` with `test-unit` and `test-integration`
 - Verify `make test-unit` runs unit tests without Docker
 - Verify `make test-integration` invokes the compose command
 ### Phase 4: Polish
 - `ruff check api/app/ api/tests/` — zero violations
 - `ng lint` is unaffected (no UI changes)
 ---
 ## No data model or API contracts
 This feature touches only developer tooling. No new API endpoints, database schema changes, or UI components.
--- a/specs/008-postgres-integration-tests/quickstart.md
+++ b/specs/008-postgres-integration-tests/quickstart.md
@@ -0,0 +1,38 @@
 # Quickstart: Integration Test Infrastructure
 ## Run the full integration test suite (Docker, recommended)
 ```bash
 docker compose -f docker-compose.test.yml run --rm api-test
 ```
 Test services start automatically. The command exits with pytest's return code.
 ## Run unit tests only (no Docker required)
 ```bash
 make test-unit
 # or directly:
 cd api && python -m pytest tests/unit/ -v
 ```
 ## Run integration tests from the host (test services must be running)
 ```bash
 # Start test services
 docker compose -f docker-compose.test.yml up -d postgres-test minio-test minio-init-test
 # Copy and source test env vars
 cp .env.test.example .env.test
 export $(cat .env.test | xargs)
 # Run tests
 cd api && python -m pytest tests/integration/ -v
 ```
 ## Validate the guard works
 ```bash
 TEST_DATABASE_URL=sqlite+aiosqlite:///test.db python -m pytest api/tests/integration/
 # Expected: exits immediately with "Integration tests require postgresql+asyncpg://"
 ```
--- a/specs/008-postgres-integration-tests/research.md
+++ b/specs/008-postgres-integration-tests/research.md
@@ -0,0 +1,55 @@
 # Research: PostgreSQL Integration Test Infrastructure
 ## Decision 1: How to enforce the PostgreSQL dialect in conftest.py
 **Decision**: Add a `pytest_configure` hook (or a module-level guard in `conftest.py`) that calls `pytest.exit()` if the resolved database URL does not start with `postgresql+asyncpg://`.
 **Rationale**: `pytest_configure` runs before collection, giving the clearest possible failure signal. A module-level assertion would also work but produces a less readable traceback. `pytest.exit()` with a human-readable message is the idiomatic approach.
 **Alternatives considered**:
 - A custom pytest plugin in a separate file — unnecessary complexity for a one-liner guard.
 - Raising an exception in the `engine` fixture — runs too late (after collection); developers see confusing fixture errors instead of a clear message.
 ---
 ## Decision 2: Separate docker-compose.test.yml vs profiles in docker-compose.yml
 **Decision**: Use a standalone `docker-compose.test.yml` at the repo root.
 **Rationale**: Docker Compose profiles require the developer to remember `--profile test` on every command. A separate file is explicit and self-contained. The test file can define its own service names and ports without touching the dev compose file at all.
 **Alternatives considered**:
 - `docker-compose.yml` with a `test` profile — profile discovery is non-obvious; modifying the dev file risks breaking the dev stack.
 - A `docker-compose.override.yml` — override files apply automatically to `docker compose up`, which is the opposite of what we want for tests.
 ---
 ## Decision 3: Port assignments for test services
 **Decision**:
 - `postgres-test`: host port 5433 (standard offset from dev 5432)
 - `minio-test` API: host port 9002 (offset from dev 9000)
 - `minio-test` console: host port 9003 (offset from dev 9001)
 **Rationale**: Predictable offsets make it easy to remember. Developers running both stacks simultaneously won't hit port conflicts.
 ---
 ## Decision 4: S3 isolation strategy for tests
 **Decision**: The `api-test` service sets `S3_BUCKET_NAME=reactbin-test` pointing to the dedicated `minio-test` instance. The `minio-init-test` sidecar creates that bucket before tests run.
 **Rationale**: The existing conftest already manages database isolation via `create_all` / `drop_all`. MinIO requires bucket pre-creation (same as dev). A dedicated test bucket on a dedicated test MinIO instance gives full isolation. No changes to application storage code are needed.
 ---
 ## Decision 5: Makefile vs shell scripts
 **Decision**: A `Makefile` at the repo root with `test-unit` and `test-integration` targets.
 **Rationale**: `make` is universally available on Linux/macOS developer machines. The targets are short wrappers that document the canonical test invocation. No build logic; just convenience aliases.
 **Alternatives considered**:
 - Shell scripts (`scripts/test.sh`) — no discoverability; `make help` is more ergonomic.
 - `package.json` scripts — wrong tool for a Python/Docker project.
 - `justfile` — not universally installed.
--- a/specs/008-postgres-integration-tests/spec.md
+++ b/specs/008-postgres-integration-tests/spec.md
@@ -0,0 +1,95 @@
 # Feature Specification: PostgreSQL Integration Test Infrastructure
 **Feature Branch**: `008-postgres-integration-tests`
 **Created**: 2026-05-06
 **Status**: Draft
 ---
 ## Overview
 Integration tests currently permit any SQLAlchemy-compatible database URL, including SQLite. This allowed a real production bug (incorrect `HAVING` without `GROUP BY`) to ship undetected because SQLite's permissive dialect did not reject it. The project constitution (§2.5, §5.2 v1.3.0) now explicitly mandates PostgreSQL for integration tests. This feature enforces that mandate with infrastructure and guardrails.
 ---
 ## User Scenarios & Testing
 ### User Story 1 — Integration tests are enforced to run against PostgreSQL (Priority: P1)
 A developer running `pytest` against a non-PostgreSQL database URL receives an immediate, descriptive failure before any test runs.
 **Why this priority**: Directly addresses the production bug that prompted this feature. Without this, the constitution mandate has no teeth.
 **Independent Test**: Set `TEST_DATABASE_URL=sqlite+aiosqlite:///test.db` and run `pytest api/tests/integration/`. Confirm pytest exits immediately with a message identifying the dialect problem and naming the required scheme.
 **Acceptance Scenarios**:
 1. **Given** `TEST_DATABASE_URL` is set to a SQLite URL, **When** `pytest api/tests/integration/` is invoked, **Then** pytest exits before collecting any test with an error: `Integration tests require postgresql+asyncpg://`.
 2. **Given** `DATABASE_URL` is unset and `TEST_DATABASE_URL` is unset, **When** pytest is invoked, **Then** pytest exits with a clear message about the missing database URL.
 3. **Given** `TEST_DATABASE_URL` is a valid `postgresql+asyncpg://` URL, **When** pytest is invoked, **Then** tests collect and run normally.
 ---
 ### User Story 2 — One-command integration test run against isolated services (Priority: P1)
 A developer can run the entire integration test suite against dedicated, isolated PostgreSQL and MinIO instances with a single command.
 **Why this priority**: Without this, the PostgreSQL requirement is mandated but impractical — developers have no easy way to satisfy it.
 **Independent Test**: From the repo root with Docker available, run `docker compose -f docker-compose.test.yml run --rm api-test`. Confirm all integration tests pass, test containers start and stop cleanly, and dev database/bucket are untouched.
 **Acceptance Scenarios**:
 1. **Given** Docker is running and dev services are stopped, **When** the test command is run, **Then** isolated `postgres-test` and `minio-test` services start, all tests run against them, and the command exits with pytest's return code.
 2. **Given** dev services are running on their normal ports, **When** the test command is run, **Then** test services use different ports (5433, 9002/9003) and do not interfere with the dev stack.
 3. **Given** any test data is written during the run, **When** the test run completes, **Then** all test schema is dropped (conftest teardown is unchanged).
 ---
 ### User Story 3 — Test infrastructure is documented (Priority: P2)
 A developer new to the project can understand how to run unit tests vs integration tests without reading the source code.
 **Independent Test**: Read `.env.test.example` and `Makefile`. Confirm all required environment variables are documented and `make test-unit` / `make test-integration` targets are present.
 **Acceptance Scenarios**:
 1. **Given** a fresh clone, **When** the developer reads `.env.test.example`, **Then** they see every variable needed to run integration tests outside Docker, with example values.
 2. **Given** the Makefile, **When** the developer runs `make test-unit`, **Then** the pytest unit suite runs without requiring Docker.
 3. **Given** the Makefile, **When** the developer runs `make test-integration`, **Then** the Docker Compose test command runs.
 ---
 ### Edge Cases
 - What if `TEST_DATABASE_URL` is set but malformed? — The guard should still catch a non-PostgreSQL scheme; asyncpg will raise its own error for a malformed URL.
 - What if Docker is not available? — `make test-integration` fails at the Docker level with Docker's own error; the Makefile does not need to guard for this.
 - What if the test PostgreSQL port (5433) is already in use? — Standard Docker port conflict error; no special handling needed.
 ---
 ## Requirements
 ### Functional Requirements
 - **FR-001**: `conftest.py` MUST assert the resolved database URL starts with `postgresql+asyncpg://` and call `pytest.exit()` with a descriptive message before any test collects.
 - **FR-002**: A `docker-compose.test.yml` MUST define isolated `postgres-test` (port 5433) and `minio-test` (ports 9002/9003) services and an `api-test` runner service.
 - **FR-003**: The `api-test` service MUST set `TEST_DATABASE_URL` pointing to `postgres-test` and all S3 env vars pointing to `minio-test`.
 - **FR-004**: A `.env.test.example` MUST document all environment variables required to run integration tests outside Docker.
 - **FR-005**: A `Makefile` MUST provide `test-unit` and `test-integration` targets.
 ---
 ## Success Criteria
 - **SC-001**: Running `pytest api/tests/integration/` with a SQLite URL exits in under 2 seconds with a clear error message — no tests run.
 - **SC-002**: `docker compose -f docker-compose.test.yml run --rm api-test` completes successfully with all integration tests passing.
 - **SC-003**: Dev services (postgres on 5432, minio on 9000) are unaffected when the test command runs.
 ---
 ## Assumptions
 - Docker Compose v2 (`docker compose`) is available in the developer environment.
 - The existing `conftest.py` `engine` fixture (session-scoped `create_all` / `drop_all`) continues to handle schema lifecycle; no per-test transaction rollback mechanism is introduced.
 - CI/CD pipeline configuration is out of scope for this feature.
--- a/specs/008-postgres-integration-tests/tasks.md
+++ b/specs/008-postgres-integration-tests/tasks.md
@@ -0,0 +1,113 @@
 # Tasks: PostgreSQL Integration Test Infrastructure
 **Input**: Design documents from `specs/008-postgres-integration-tests/`
 **Prerequisites**: plan.md ✅, spec.md ✅, research.md ✅, quickstart.md ✅
 **Tests**: TDD is non-negotiable (§5.1). For infrastructure tasks the "failing test" is a verification step that confirms the thing being built is absent before building it, then confirms it works after. Every user story has an explicit TDD red step before its implementation task.
 **Organization**: No foundational blocking phase — all three user stories touch independent files and can proceed in order.
 ## Format: `[ID] [P?] [Story] Description`
 - **[P]**: Can run in parallel with other [P] tasks in the same phase
 - **[Story]**: Which user story this task belongs to
 - Exact file paths included in every task description
 ---
 ## Phase 1: Setup
 No new project structure required. The existing layout accommodates all changes.
 ---
 ## Phase 2: User Story 1 — Dialect guard in conftest (Priority: P1) 🎯 MVP
 **Goal**: `pytest api/tests/integration/` exits immediately with a clear message if the database URL is not `postgresql+asyncpg://`.
 **Independent Test**: Run `TEST_DATABASE_URL=sqlite+aiosqlite:///test.db python -m pytest api/tests/integration/ -q` — command exits in < 2 s with the error message `Integration tests require postgresql+asyncpg://` and no tests are collected.
 - [X] T001 [US1] Confirm guard is absent (TDD red): from `api/`, run `TEST_DATABASE_URL=sqlite+aiosqlite:///test.db python -m pytest tests/integration/ -q --co 2>&1 | head -20` — observe that tests ARE collected and note the count (guard not yet in place)
 - [X] T002 [US1] Add `pytest_configure` hook to `api/tests/integration/conftest.py` — resolve URL via `os.getenv("TEST_DATABASE_URL") or os.getenv("DATABASE_URL", "")`, call `pytest.exit("Integration tests require postgresql+asyncpg://...", returncode=1)` if URL does not start with `postgresql+asyncpg://`; place hook before any imports that depend on the database URL
 - [X] T003 [US1] Verify guard works (TDD green): run `TEST_DATABASE_URL=sqlite+aiosqlite:///test.db python -m pytest api/tests/integration/ -q` — confirm immediate exit with the correct error message and zero tests collected; also confirm a valid `postgresql+asyncpg://` URL does not trigger the guard
 **Checkpoint**: Dialect-mismatched test runs are blocked before any test collects.
 ---
 ## Phase 3: User Story 2 — Docker Compose test stack (Priority: P1)
 **Goal**: `docker compose -f docker-compose.test.yml run --rm api-test` runs the full integration suite against isolated PostgreSQL and MinIO services on different ports than the dev stack.
 **Independent Test**: Run `docker compose -f docker-compose.test.yml run --rm api-test` from the repo root — all tests pass; verify `docker compose ps` shows dev services (if running) are unaffected on their original ports.
 - [X] T004 [US2] Confirm compose file is absent (TDD red): run `test -f docker-compose.test.yml && echo EXISTS || echo ABSENT` — confirm output is `ABSENT`
 - [X] T005 [US2] Create `docker-compose.test.yml` at the repo root with four services: `postgres-test` (image `postgres:16-alpine`, host port 5433, db `reactbin_test`), `minio-test` (image `minio/minio:latest`, host ports 9002/9003), `minio-init-test` (creates bucket `reactbin-test`, depends on `minio-test` healthy), and `api-test` (builds from `./api`, runs `python -m pytest tests/ -v`, depends on `postgres-test` healthy and `minio-init-test` completed, environment sets `TEST_DATABASE_URL=postgresql+asyncpg://reactbin:reactbin@postgres-test:5432/reactbin_test`, `DATABASE_URL` to same value, and all S3 vars pointing to `minio-test:9000` with bucket `reactbin-test`) — follow exact design in `specs/008-postgres-integration-tests/plan.md`
 - [X] T006 [US2] Verify compose stack (TDD green): run `docker compose -f docker-compose.test.yml run --rm api-test` — confirm all integration tests pass; confirm no errors about missing env vars or connection failures
 **Checkpoint**: Full integration suite runs against real PostgreSQL via one command.
 ---
 ## Phase 4: User Story 3 — Test documentation (Priority: P2)
 **Goal**: `.env.test.example` and `Makefile` document how to run both test tiers.
 **Independent Test**: Read `.env.test.example` — all variables needed for integration tests are present with example values. Run `make test-unit` — pytest unit suite runs without Docker and passes.
 - [X] T007 [P] [US3] Create `.env.test.example` at the repo root documenting all variables required to run integration tests outside Docker: `TEST_DATABASE_URL`, `DATABASE_URL`, `S3_ENDPOINT_URL`, `S3_BUCKET_NAME`, `S3_ACCESS_KEY_ID`, `S3_SECRET_ACCESS_KEY`, `S3_REGION`, `JWT_SECRET_KEY`, `OWNER_USERNAME`, `OWNER_PASSWORD`, `API_BASE_URL`, `MAX_UPLOAD_BYTES` — with example values pointing to `localhost:5433` and `localhost:9002` (test service ports); include a comment explaining how to start test services first — follow exact design in `specs/008-postgres-integration-tests/plan.md`
 - [X] T008 [P] [US3] Create `Makefile` at the repo root with `.PHONY: test-unit test-integration`, `test-unit` target running `cd api && python -m pytest tests/unit/ -v`, and `test-integration` target running `docker compose -f docker-compose.test.yml run --rm api-test`
 - [X] T009 [US3] Verify `make test-unit` — unit tests pass without Docker (validates the Makefile target and confirms unit tests have no Docker dependency)
 - [X] T010 Verify `make test-integration` — Docker integration suite passes end-to-end (cross-story verification: exercises the US2 compose stack via the US3 Makefile target)
 **Checkpoint**: All three user stories independently functional.
 ---
 ## Phase 5: Polish & Cross-Cutting Concerns
 - [X] T011 Run `ruff check api/app/ api/tests/` — zero violations (conftest change must pass ruff; fix any issues)
 ---
 ## Dependencies & Execution Order
 ### Phase Dependencies
 - **Phase 2 (US1)**: No external dependencies — can start immediately
 - **Phase 3 (US2)**: Depends on Phase 2 (guard must be in place so the compose stack run exercises it)
 - **Phase 4 (US3)**: T007 and T008 are independent file writes (can run in parallel with each other after Phase 3); T009 requires T008; T010 requires T008 and T006
 - **Phase 5 (Polish)**: Depends on all prior phases
 ### Within Phase 4
 - T007 ∥ T008 (different files, no dependency)
 - T009 after T008 (Makefile must exist)
 - T010 after T008 and T006 (requires both Makefile and compose stack)
 ### Execution Order Summary
 ```
 Step 1: T001, T002, T003 (sequential — TDD for guard)
 Step 2: T004, T005, T006 (sequential — TDD for compose stack)
 Step 3 (parallel): T007, T008
 Step 4: T009 (after T008), T010 (after T008 + T006)
 Step 5: T011
 ```
 ---
 ## Implementation Strategy
 ### MVP (US1 — the guard)
 1. Complete T001–T003
 2. **Validate**: SQLite URL is blocked; PostgreSQL URL proceeds
 3. US2 and US3 add the infrastructure to make the mandate practical
 ### Incremental Delivery
 - After Phase 2: Dialect bugs are caught immediately — core safety net is in place
 - After Phase 3: Full integration suite runs against PostgreSQL via one Docker command
 - After Phase 4: Both test tiers are documented and accessible via `make`
 - After Phase 5: Lint clean, ready for merge
--- a/specs/009-login-rate-limiting/SHIPPED
+++ b/specs/009-login-rate-limiting/SHIPPED
--- a/specs/009-login-rate-limiting/checklists/requirements.md
+++ b/specs/009-login-rate-limiting/checklists/requirements.md
@@ -0,0 +1,34 @@
 # Specification Quality Checklist: Login Brute-Force Protection
 **Purpose**: Validate specification completeness and quality before proceeding to planning
 **Created**: 2026-05-06
 **Feature**: [spec.md](../spec.md)
 ## Content Quality
 - [X] No implementation details (languages, frameworks, APIs)
 - [X] Focused on user value and business needs
 - [X] Written for non-technical stakeholders
 - [X] All mandatory sections completed
 ## Requirement Completeness
 - [X] No [NEEDS CLARIFICATION] markers remain
 - [X] Requirements are testable and unambiguous
 - [X] Success criteria are measurable
 - [X] Success criteria are technology-agnostic (no implementation details)
 - [X] All acceptance scenarios are defined
 - [X] Edge cases are identified
 - [X] Scope is clearly bounded
 - [X] Dependencies and assumptions identified
 ## Feature Readiness
 - [X] All functional requirements have clear acceptance criteria
 - [X] User scenarios cover primary flows
 - [X] Feature meets measurable outcomes defined in Success Criteria
 - [X] No implementation details leak into specification
 ## Notes
 - All items pass. Spec is ready for `/speckit-plan`.
--- a/specs/009-login-rate-limiting/contracts/auth.md
+++ b/specs/009-login-rate-limiting/contracts/auth.md
@@ -0,0 +1,85 @@
 # API Contract: Authentication
 ## POST /api/v1/auth/token
 Authenticates the owner and returns a JWT access token.
 **This endpoint is modified by feature 009** to enforce brute-force protection.
 All previous behaviour is preserved. One new response code (429) is added.
 ### Request
 ```
 POST /api/v1/auth/token
 Content-Type: application/json
 ```
 ```json
 {
  "username": "string",
  "password": "string"
 }
 ```
 ### Responses
 #### 200 OK — Credentials accepted
 ```json
 {
  "access_token": "<jwt>",
  "token_type": "bearer",
  "expires_in": 86400
 }
 ```
 Side effect: resets the failure counter for the caller's IP address.
 ---
 #### 401 Unauthorized — Credentials rejected
 ```json
 {
  "detail": "Invalid credentials",
  "code": "invalid_credentials"
 }
 ```
 Side effect: increments the failure counter for the caller's IP address. If the
 counter reaches `LOGIN_MAX_FAILURES`, subsequent requests from this IP will receive
 429 until the cooldown expires.
 ---
 #### 429 Too Many Requests — Source blocked after repeated failures
 **This response is new in feature 009.**
 ```
 HTTP/1.1 429 Too Many Requests
 Retry-After: 900
 Content-Type: application/json
 ```
 ```json
 {
  "detail": "Too many failed login attempts. Please try again later.",
  "code": "login_rate_limited"
 }
 ```
 The `Retry-After` header value is the configured cooldown duration in seconds (default: 900).
 It reflects the maximum possible wait, not the exact remaining lockout time.
 No credentials are verified when this response is returned — the request is
 rejected before authentication is attempted.
 ---
 ### Notes
 - The failure counter is per source IP address (TCP peer, not forwarded headers).
 - Threshold values (`LOGIN_MAX_FAILURES`, `LOGIN_WINDOW_SECONDS`, `LOGIN_COOLDOWN_SECONDS`)
  are not disclosed in any response.
 - Counters are in-memory and reset on process restart.
--- a/specs/009-login-rate-limiting/data-model.md
+++ b/specs/009-login-rate-limiting/data-model.md
@@ -0,0 +1,53 @@
 # Data Model: Login Brute-Force Protection
 ## Overview
 This feature introduces no new database tables. The only data entity is a transient,
 in-memory rate-limit record that does not survive process restarts. This is intentional
 (see research.md Decision 3).
 ---
 ## Entity: Rate-Limit Record (in-memory only)
 | Field          | Type    | Description                                                                 |
 |----------------|---------|-----------------------------------------------------------------------------|
 | `failures`     | int     | Count of consecutive failed login attempts in the current window            |
 | `window_start` | float   | Unix timestamp marking when the current counting window began               |
 | `blocked_until`| float   | Unix timestamp after which the source is no longer blocked; 0.0 if not blocked |
 **Keyed by**: resolved client IP address string (e.g., `"192.168.1.1"`); see `get_client_ip()` in `rate_limiter.py` for resolution logic
 **Lifecycle**:
 1. Record is created on the first failed login from a source.
 2. `failures` increments on each subsequent failure within the window.
 3. When `failures >= LOGIN_MAX_FAILURES`, `blocked_until` is set to `now + LOGIN_COOLDOWN_SECONDS`.
 4. When `blocked_until` has passed, the record is deleted on the next request from that source.
 5. A successful login deletes the record immediately (failure counter reset).
 6. If `now - window_start > LOGIN_WINDOW_SECONDS` without triggering lockout, the counter resets within the existing record.
 **State machine**:
 ```
 [no record]
     │ first failure
     ▼
 [tracking] ──── failure N ≥ max ────► [blocked]
     │                                     │
     │ success / window expires             │ cooldown expires
     ▼                                     ▼
 [no record] ◄─────────────────────── [no record]
 ```
 ---
 ## Configuration Entity: Rate-Limit Settings
 Stored as environment variables; loaded via `app.config.Settings`:
 | Env Var                    | Default | Description                                              |
 |----------------------------|---------|----------------------------------------------------------|
 | `LOGIN_MAX_FAILURES`       | `5`     | Failures within window before lockout                    |
 | `LOGIN_WINDOW_SECONDS`     | `300`   | Rolling window duration in seconds (5 minutes)           |
 | `LOGIN_COOLDOWN_SECONDS`   | `900`   | Lockout duration in seconds after threshold exceeded (15 minutes) |
 | `LOGIN_TRUSTED_PROXY_IPS`  | `""`    | Comma-separated IPs/CIDRs of trusted upstream proxies (e.g., `10.0.0.0/8`); empty = disabled |
--- a/specs/009-login-rate-limiting/plan.md
+++ b/specs/009-login-rate-limiting/plan.md
@@ -0,0 +1,388 @@
 # Implementation Plan: Login Brute-Force Protection
 **Branch**: `009-login-rate-limiting` | **Date**: 2026-05-06 | **Spec**: [spec.md](spec.md)  
 **Input**: Feature specification from `specs/009-login-rate-limiting/spec.md`
 ## Summary
 Add failure-counting brute-force protection to the login endpoint (`POST /api/v1/auth/token`).
 After a configurable number of consecutive failed attempts from the same resolved client IP,
 the endpoint returns HTTP 429 with a `Retry-After` header for a configurable cooldown period.
 A successful login resets the counter. All thresholds are configurable via environment variables.
 When deployed behind a reverse proxy (nginx, Kubernetes ingress), a `LOGIN_TRUSTED_PROXY_IPS`
 setting enables extraction of the real client IP from `X-Forwarded-For`. No new infrastructure
 (no Redis, no new DB table) — counters live in process memory.
 ---
 ## Technical Context
 **Language/Version**: Python 3.12+  
 **Primary Dependencies**: FastAPI, pydantic-settings (already in use); no new dependencies added  
 **Storage**: In-memory `dict` (no persistence across restarts — intentional)  
 **Testing**: pytest + pytest-asyncio (existing test infrastructure)  
 **Target Platform**: Linux server (Docker)  
 **Project Type**: Web service (API only — this feature has no UI surface)  
 **Performance Goals**: Rate limiter adds negligible overhead (dict lookup + lock acquisition; sub-millisecond)  
 **Constraints**: Must not add new runtime service dependencies; must not change any auth behaviour for non-blocked sources  
 **Scale/Scope**: Single process, single user; in-memory store is sufficient
 ---
 ## Constitution Check
 | Principle | Status | Notes |
 |-----------|--------|-------|
 | §2.4 Auth abstraction (AuthProvider interface) | ✅ Pass | Rate limiter is a guard *before* `JWTAuthProvider.verify_credentials()`, not a bypass of the interface |
 | §2.5 DB abstraction (repository layer) | ✅ Pass | No database access; in-memory only |
 | §2.6 No speculative abstraction | ✅ Pass | Concrete `LoginRateLimiter` class, no interface; only one implementation planned |
 | §3.3 Error envelope (`detail` + `code`) | ✅ Pass | 429 response uses `{"detail": "...", "code": "login_rate_limited"}` |
 | §5.1 TDD | ✅ Required | Tasks follow red → green order |
 | §5.2 Integration tests against PostgreSQL | ✅ Pass | Integration test for the login endpoint will run against the Docker PostgreSQL stack |
 | §7.2 Environment configuration | ✅ Pass | `LOGIN_MAX_FAILURES`, `LOGIN_WINDOW_SECONDS`, `LOGIN_COOLDOWN_SECONDS`, `LOGIN_TRUSTED_PROXY_IPS` from env vars |
 | §7.3 Linting (ruff) | ✅ Required | All new files must pass `ruff check` |
 **Gate result**: No violations. Cleared to proceed.
 ---
 ## Project Structure
 ### Documentation (this feature)
 ```text
 specs/009-login-rate-limiting/
 ├── plan.md              ← this file
 ├── research.md          ← decisions on approach
 ├── data-model.md        ← rate-limit record entity
 ├── quickstart.md        ← curl runbook
 ├── contracts/
 │   └── auth.md          ← updated POST /api/v1/auth/token with 429
 └── tasks.md             ← generated by /speckit-tasks
 ```
 ### Source Code Changes
 ```text
 api/
 ├── app/
 │   ├── auth/
 │   │   ├── rate_limiter.py          ← NEW: LoginRateLimiter class
 │   │   ├── jwt_provider.py          (unchanged)
 │   │   ├── noop.py                  (unchanged)
 │   │   └── provider.py              (unchanged)
 │   ├── config.py                    ← add login_max_failures, login_window_seconds, login_cooldown_seconds, login_trusted_proxy_ips
 │   ├── main.py                      ← init LoginRateLimiter in lifespan, attach to app.state
 │   └── routers/
 │       └── auth.py                  ← check rate limit before auth, record outcome
 └── tests/
    ├── unit/
    │   └── test_rate_limiter.py     ← NEW: unit tests for LoginRateLimiter logic
    └── integration/
        └── test_login_rate_limit.py ← NEW: integration tests for 429 behaviour via HTTP
 ```
 ---
 ## Implementation Detail
 ### `api/app/auth/rate_limiter.py`
 ```python
 import ipaddress
 import logging
 import time
 from dataclasses import dataclass, field
 from ipaddress import IPv4Network, IPv6Network
 from threading import Lock
 from starlette.requests import Request
 logger = logging.getLogger(__name__)
 def get_client_ip(
    request: Request,
    trusted_networks: list[IPv4Network | IPv6Network],
 ) -> str:
    """Return the resolved client IP, honouring X-Forwarded-For when the
    TCP peer is a trusted upstream proxy. Falls back to the TCP peer address
    when no trusted networks are configured or the peer is not in the list."""
    peer = request.client.host if request.client else "unknown"
    if trusted_networks and peer != "unknown":
        try:
            peer_addr = ipaddress.ip_address(peer)
            if any(peer_addr in net for net in trusted_networks):
                xff = request.headers.get("X-Forwarded-For", "").split(",")[0].strip()
                if xff:
                    return xff
                real_ip = request.headers.get("X-Real-IP", "").strip()
                if real_ip:
                    return real_ip
        except ValueError:
            pass
    return peer
@dataclass
 class _Record:
    failures: int = 0
    window_start: float = field(default_factory=time.time)
    blocked_until: float = 0.0
 class LoginRateLimiter:
    def __init__(
        self,
        max_failures: int = 5,
        window_seconds: int = 300,
        cooldown_seconds: int = 900,
    ) -> None:
        self._max = max_failures
        self._window = window_seconds
        self._cooldown = cooldown_seconds
        self._store: dict[str, _Record] = {}
        self._lock = Lock()
    @property
    def cooldown_seconds(self) -> int:
        return self._cooldown
    def is_blocked(self, ip: str) -> bool:
        now = time.time()
        with self._lock:
            rec = self._store.get(ip)
            if rec is None:
                return False
            if rec.blocked_until > now:
                return True
            if rec.blocked_until > 0:
                del self._store[ip]
            return False
    def record_failure(self, ip: str) -> None:
        now = time.time()
        with self._lock:
            rec = self._store.get(ip)
            if rec is None:
                rec = _Record(window_start=now)
                self._store[ip] = rec
            if now - rec.window_start > self._window:
                rec.failures = 0
                rec.window_start = now
            rec.failures += 1
            if rec.failures >= self._max:
                rec.blocked_until = now + self._cooldown
                logger.warning(
                    "Login blocked for %s after %d failures", ip, rec.failures
                )
    def record_success(self, ip: str) -> None:
        with self._lock:
            self._store.pop(ip, None)
 ```
 ### `api/app/config.py` additions
 ```python
 login_max_failures: int = 5
 login_window_seconds: int = 300
 login_cooldown_seconds: int = 900
 login_trusted_proxy_ips: str = ""  # comma-separated IPs/CIDRs; empty = disabled
 ```
 ### `api/app/main.py` lifespan update
 ```python
 import ipaddress
 from app.auth.rate_limiter import LoginRateLimiter
@asynccontextmanager
 async def lifespan(application: FastAPI):
    settings = get_settings()
    application.state.login_rate_limiter = LoginRateLimiter(
        max_failures=settings.login_max_failures,
        window_seconds=settings.login_window_seconds,
        cooldown_seconds=settings.login_cooldown_seconds,
    )
    trusted_networks = []
    for part in settings.login_trusted_proxy_ips.split(","):
        part = part.strip()
        if part:
            try:
                trusted_networks.append(ipaddress.ip_network(part, strict=False))
            except ValueError:
                pass  # invalid entry — skip silently
    application.state.login_trusted_networks = trusted_networks
    # ... existing DB setup unchanged
    engine = get_engine()
    async with engine.begin() as conn:
        await conn.run_sync(Base.metadata.create_all)
    yield
    await engine.dispose()
 ```
 ### `api/app/routers/auth.py` update
 ```python
 from fastapi import APIRouter, Depends, HTTPException, Request
 from fastapi.responses import JSONResponse
 from pydantic import BaseModel
 from app.auth.jwt_provider import JWTAuthProvider
 from app.auth.rate_limiter import LoginRateLimiter, get_client_ip
 from app.dependencies import get_jwt_auth
 router = APIRouter(tags=["auth"])
 class LoginRequest(BaseModel):
    username: str
    password: str
 class TokenResponse(BaseModel):
    access_token: str
    token_type: str = "bearer"
    expires_in: int
@router.post("/auth/token", response_model=TokenResponse)
 async def login(
    request: Request,
    body: LoginRequest,
    auth: JWTAuthProvider = Depends(get_jwt_auth),
 ):
    limiter: LoginRateLimiter = request.app.state.login_rate_limiter
    ip: str = get_client_ip(request, request.app.state.login_trusted_networks)
    if limiter.is_blocked(ip):
        return JSONResponse(
            status_code=429,
            content={
                "detail": "Too many failed login attempts. Please try again later.",
                "code": "login_rate_limited",
            },
            headers={"Retry-After": str(limiter.cooldown_seconds)},
        )
    if not auth.verify_credentials(body.username, body.password):
        limiter.record_failure(ip)
        raise HTTPException(
            status_code=401,
            detail={"detail": "Invalid credentials", "code": "invalid_credentials"},
        )
    limiter.record_success(ip)
    token = auth.create_token()
    return TokenResponse(
        access_token=token,
        token_type="bearer",
        expires_in=auth._expiry_seconds,
    )
 ```
 ### `api/tests/unit/test_rate_limiter.py` (representative cases)
 ```python
 import time
 import pytest
 from app.auth.rate_limiter import LoginRateLimiter
 def test_not_blocked_initially():
    limiter = LoginRateLimiter(max_failures=3, window_seconds=60, cooldown_seconds=300)
    assert limiter.is_blocked("1.2.3.4") is False
 def test_blocked_after_threshold():
    limiter = LoginRateLimiter(max_failures=3, window_seconds=60, cooldown_seconds=300)
    for _ in range(3):
        limiter.record_failure("1.2.3.4")
    assert limiter.is_blocked("1.2.3.4") is True
 def test_success_clears_failures():
    limiter = LoginRateLimiter(max_failures=3, window_seconds=60, cooldown_seconds=300)
    limiter.record_failure("1.2.3.4")
    limiter.record_failure("1.2.3.4")
    limiter.record_success("1.2.3.4")
    assert limiter.is_blocked("1.2.3.4") is False
 def test_ips_are_isolated():
    limiter = LoginRateLimiter(max_failures=2, window_seconds=60, cooldown_seconds=300)
    limiter.record_failure("1.1.1.1")
    limiter.record_failure("1.1.1.1")
    assert limiter.is_blocked("2.2.2.2") is False
 ```
 ### `api/tests/integration/test_login_rate_limit.py` (representative cases)
 ```python
 import pytest
 from httpx import AsyncClient
 # Uses the 'client' fixture (NoOpAuthProvider) from conftest — sufficient for this
 # endpoint since we're testing the rate-limit layer, not auth correctness.
 # The login endpoint instantiates its own limiter via app.state, so we need
 # the full ASGI app.
 BAD_CREDS = {"username": "attacker", "password": "wrong"}
@pytest.mark.asyncio
 async def test_repeated_failures_trigger_429(client: AsyncClient):
    # Use a custom limiter with low threshold to avoid slow tests
    # (the app.state.login_rate_limiter is set in lifespan; override for test)
    from app.auth.rate_limiter import LoginRateLimiter
    from app.main import app
    original = app.state.login_rate_limiter
    app.state.login_rate_limiter = LoginRateLimiter(
        max_failures=3, window_seconds=60, cooldown_seconds=30
    )
    try:
        for _ in range(3):
            await client.post("/api/v1/auth/token", json=BAD_CREDS)
        resp = await client.post("/api/v1/auth/token", json=BAD_CREDS)
        assert resp.status_code == 429
        assert resp.json()["code"] == "login_rate_limited"
        assert "Retry-After" in resp.headers
    finally:
        app.state.login_rate_limiter = original
 ```
 ---
 ## Implementation Phases
 ### Phase 1 (MVP — P1): Blocking after repeated failures
 1. Add `login_max_failures`, `login_window_seconds`, `login_cooldown_seconds`, `login_trusted_proxy_ips` to `api/app/config.py`
 2. Create `api/app/auth/rate_limiter.py` with `LoginRateLimiter` and `get_client_ip()`
 3. Initialize rate limiter and parse trusted networks in `api/app/main.py` lifespan; attach both to `app.state`
 4. Update `api/app/routers/auth.py` to resolve client IP via `get_client_ip()`, then check + record outcomes
 5. Unit tests: `api/tests/unit/test_rate_limiter.py`
 6. Integration tests: `api/tests/integration/test_login_rate_limit.py`
 ### Phase 2 (US2 — observability): Logging and response hints
 Delivered as part of Phase 1 (the `logger.warning(...)` call and `Retry-After` header
 are embedded in the same implementation). No separate phase needed.
 ---
 ## Environment Variables to Add to `.env.example`
 ```dotenv
 # Login brute-force protection
 LOGIN_MAX_FAILURES=5
 LOGIN_WINDOW_SECONDS=300
 LOGIN_COOLDOWN_SECONDS=900
 # Comma-separated IPs/CIDRs of trusted upstream proxies (e.g. nginx ingress pod CIDR).
 # Leave empty when not behind a reverse proxy.
 LOGIN_TRUSTED_PROXY_IPS=
 ```
 These are optional (have defaults) so existing `.env` files without them continue working.
--- a/specs/009-login-rate-limiting/quickstart.md
+++ b/specs/009-login-rate-limiting/quickstart.md
@@ -0,0 +1,112 @@
 # Quickstart: Login Brute-Force Protection
 ## Prerequisites
 - API running (via `docker compose up` or locally with `.env` set)
 - `curl` available
 ---
 ## Scenario 1: Trigger the rate limiter
 Send 6 consecutive failed login attempts (default threshold is 5):
 ```bash
 for i in $(seq 1 6); do
  echo "Attempt $i:"
  curl -s -o /dev/null -w "%{http_code}\n" \
    -X POST http://localhost:8000/api/v1/auth/token \
    -H "Content-Type: application/json" \
    -d '{"username": "wrong", "password": "wrong"}'
 done
 ```
 Expected output:
 ```
 Attempt 1: 401
 Attempt 2: 401
 Attempt 3: 401
 Attempt 4: 401
 Attempt 5: 401
 Attempt 6: 429
 ```
 The 6th attempt returns 429. Inspect the headers:
 ```bash
 curl -i -X POST http://localhost:8000/api/v1/auth/token \
  -H "Content-Type: application/json" \
  -d '{"username": "wrong", "password": "wrong"}'
 ```
 Expected headers include:
 ```
 HTTP/1.1 429 Too Many Requests
 Retry-After: 900
 ```
 Expected body:
 ```json
 {"detail": "Too many failed login attempts. Please try again later.", "code": "login_rate_limited"}
 ```
 ---
 ## Scenario 2: Successful login resets the counter
 Make some failed attempts, then log in with valid credentials:
 ```bash
 # Fail twice
 for i in 1 2; do
  curl -s -o /dev/null -w "fail $i: %{http_code}\n" \
    -X POST http://localhost:8000/api/v1/auth/token \
    -H "Content-Type: application/json" \
    -d '{"username": "wrong", "password": "wrong"}'
 done
 # Succeed — resets counter
 curl -s -o /dev/null -w "success: %{http_code}\n" \
  -X POST http://localhost:8000/api/v1/auth/token \
  -H "Content-Type: application/json" \
  -d '{"username": "'"$OWNER_USERNAME"'", "password": "'"$OWNER_PASSWORD"'"}'
 # Now fail 5 more times — counter was reset, so no 429 yet
 for i in $(seq 1 5); do
  curl -s -o /dev/null -w "fail after reset $i: %{http_code}\n" \
    -X POST http://localhost:8000/api/v1/auth/token \
    -H "Content-Type: application/json" \
    -d '{"username": "wrong", "password": "wrong"}'
 done
 ```
 Expected: all "fail after reset" lines return 401 (not 429), confirming the counter was reset.
 ---
 ## Scenario 3: Observe log output
 While triggering the rate limiter (Scenario 1), watch API logs:
 ```bash
 docker compose logs -f api
 ```
 After the threshold is crossed you should see a line like:
 ```
 WARNING  app.auth.rate_limiter:rate_limiter.py:NN Login blocked for 172.18.0.1 after 5 failures
 ```
 ---
 ## Environment variable overrides
 To test with a lower threshold without code changes:
 ```bash
 LOGIN_MAX_FAILURES=2 LOGIN_WINDOW_SECONDS=60 LOGIN_COOLDOWN_SECONDS=30 \
  uvicorn app.main:app --reload
 ```
 Then only 2 failures trigger the lockout, and it clears after 30 seconds.
--- a/Show More
+++ b/Show More