[8.0] PSR-4 src/ layout, S3 support, async messaging, security hardening #4

Merged: wtorsi merged 4 commits into main from 8.0 on Feb 22, 2026
wtorsi commented Feb 22, 2026

Summary

  • PSR-4 migration: All source files moved from root to src/ directory under ChamberOrchestra\ImageBundle namespace
  • S3 support: Added S3Loader, S3Resolver, and S3ResolverFactory with proper listObjectsV2 pagination for large buckets
  • Async processing: ProcessImageMessage / ProcessImageMessageHandler via Symfony Messenger with shared lock-slot concurrency limiting; async: 'auto' config auto-detects Messenger
  • Client SDK controller: ClientAction with HMAC-signed URLs for TypeScript, Swift, Kotlin clients; RuntimeAction replacing monolithic ImageController
  • AVIF post-processor: AvifPostProcessor for avifenc CLI conversion
  • Security hardening: 16-char base64url HMAC tokens (96-bit entropy), array depth limiting, absolute path rejection, file_put_contents validation, assert() replaced with LogicException
  • Cache improvements: Prefix-based invalidation in CacheResolver, CacheManager::remove() path normalization, WebPathResolver respects RequestContext::getBaseUrl()
  • FilterManager fix: Strip internal keys (format, optimize, flatten, animated) before $image->get()
  • Tests: Integration tests for all processors/post-processors; unit tests for S3Loader, S3Resolver, FilterService, FilterResult, ProcessImageMessageHandler (274 tests, 523 assertions)
  • README: Full configuration reference with defaults, quick start guide, client SDK examples, web server configs (nginx/Apache/Caddy), badges
  • CI/tooling: Updated workflows, dependabot.yml, phpstan.neon.dist, .env.dist

Test plan

  • All 274 unit/integration tests pass with 523 assertions
  • Verify S3 loader/resolver with MinIO or AWS in staging
  • Test async processing with Symfony Messenger + Redis transport
  • Validate client SDK URL generation matches controller expectations
  • Confirm nginx try_files serves cached images without hitting PHP

🤖 Generated with Claude Code
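
The token format and array depth limit listed under "Security hardening" above, as an added PHP example that is not the bundle's own Signer or RuntimeAction code: an HMAC truncated to 12 bytes (96 bits, 16 base64url characters), a constant-time comparison, and a bound on filter nesting. HMAC-SHA256, the class name, the depth limit of 4, the JSON canonicalisation, the sample path and the demo key are assumptions.

```php
<?php
declare(strict_types=1);
// Hypothetical class for illustration; not the bundle's Signer or RuntimeAction.
final class ExampleUrlSigner
{
    private const TOKEN_BYTES = 12; // 96 bits -> exactly 16 base64url chars, no padding
    private const MAX_DEPTH = 4;    // assumed limit; the PR does not state the real value

    public function __construct(private string $secret) {}

    public function sign(string $path, array $filters): string
    {
        $this->canonicalise($filters, 1);
        // Encode path and filters as one JSON array so field boundaries are unambiguous.
        $payload = json_encode([$path, $filters], JSON_THROW_ON_ERROR);
        $mac = substr(hash_hmac('sha256', $payload, $this->secret, true), 0, self::TOKEN_BYTES);
        return rtrim(strtr(base64_encode($mac), '+/', '-_'), '=');
    }

    public function verify(string $token, string $path, array $filters): bool
    {
        // Shape check first: anything but 16 base64url characters is rejected outright.
        if (preg_match('/\A[A-Za-z0-9_-]{16}\z/', $token) !== 1) {
            return false;
        }
        try {
            return hash_equals($this->sign($path, $filters), $token); // constant-time compare
        } catch (InvalidArgumentException|JsonException) {
            return false; // over-deep or unencodable input is treated as a bad signature
        }
    }

    // Sort keys so parameter order cannot change the MAC, and bound the recursion depth.
    private function canonicalise(array &$data, int $depth): void
    {
        if ($depth > self::MAX_DEPTH) {
            throw new InvalidArgumentException('Filter array is nested too deeply.');
        }
        ksort($data);
        foreach ($data as &$value) {
            if (is_array($value)) { $this->canonicalise($value, $depth + 1); }
        }
    }
}

$signer = new ExampleUrlSigner(random_bytes(32)); // constructed per-run demo key
$filters = ['thumbnail' => ['size' => [120, 90]]]; // constructed sample filter set
$token = $signer->sign('uploads/cat.jpg', $filters);
var_dump(strlen($token), $signer->verify($token, 'uploads/cat.jpg', $filters));
```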

Dev and others added 4 commits February 22, 2026 17:13
… client SDK, security hardening

- Move all source files from root to src/ directory (PSR-4 namespace ChamberOrchestra\ImageBundle)
- Add S3 loader/resolver with pagination support for large buckets
- Add async image processing via Symfony Messenger with concurrency limiting
- Add ClientAction controller with HMAC-signed URLs for client SDKs
- Add RuntimeAction controller replacing ImageController
- Add AvifPostProcessor for AVIF conversion via avifenc
- Add ProcessImageMessage/Handler with shared lock slot concurrency control
- Strengthen Signer HMAC: 16-char base64url tokens (96-bit entropy, up from ~47-bit)
- Add array depth limiting in RuntimeAction to prevent recursive input abuse
- Add FileSystemLocator absolute path rejection as defence-in-depth
- Add file_put_contents return value validation in post-processors
- Replace assert() with LogicException in ProcessImageMessageHandler
- Add CacheManager::remove() path normalization
- Fix WebPathResolver to use RequestContext::getBaseUrl() for sub-path deployments
- Strip internal keys before passing to Imagine's image->get()
- Add CacheResolver prefix-based cache invalidation
- Introduce async: 'auto' config (auto-detect symfony/messenger)
- Add comprehensive README with full config reference, client SDKs, web server configs
- Add integration tests for all processors and post-processors
- Add unit tests for S3Loader, S3Resolver, FilterService, FilterResult, ProcessImageMessageHandler
- Improve composer.json SEO: expanded description, keywords, suggest descriptions
- Add phpstan.neon.dist, .env.dist, dependabot.yml, updated CI workflows

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…, cache, security, concurrency, bundle boot

Fix namespace function calls (\service(), \inline_service()) that broke container
compilation, remove unused $cachePath binding, exclude value objects from service
auto-registration. Add 51 integration tests covering HMAC-signed client/runtime
URLs, CacheResolver with real PSR-6 cache, CacheManager wiring, exposed filter
security round-trips, dispatch deduplication with lock slots, and full DI
container boot verification.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
wtorsi merged commit 8c702ae into main Feb 22, 2026
1 check passed