[8.0] Quality & DX improvements across the bundle #5

Merged: wtorsi merged 1 commit into main from 8.0 on Feb 24, 2026

wtorsi commented Feb 24, 2026

Summary

  • Modern PHP: Add ImageFormat and ImagineDriver backed string enums, replace hardcoded constants; add #[Override] attributes to all interface/parent method implementations (~22 files)
  • HTTP caching: Switch redirects from 301 to 302 for correct cache invalidation semantics
  • Cache optimization: Add resolveIfStored() to ResolverInterface and all implementations, eliminating double cache lookups and TOCTOU race conditions in CacheManager and FilterService
  • Security: SSRF protection via scheme allowlist on StreamLoader (default: file, data); dangerous extension guard and :// sanitization on S3Resolver
  • Error handling: Bundle-specific exceptions in FilterManager, catch ExceptionInterface in controller, throw HttpException(500) instead of bare RuntimeException
  • S3 hardening: CacheControl and optional ACL headers on putObject(), configurable via resolver factory
  • DoS protection: Move pixel budget enforcement to apply() after dimension auto-calculation, covering single-dimension inputs
  • Twig DX: Restore image_filter filter, add optional filter parameter to fit/fill/optimize; clean up dead code in macro template
  • Configuration DX: Driver short aliases (gd/imagick/gmagick), binaries config node with defaults, strengthened exposed filter secret validation
  • Boot-time validation: Verify post-processor binaries are executable at container compile time
  • Tests: New FilterManagerTest (9 cases), updated S3ResolverTest, CacheManagerTest, StreamLoaderTest, ImageRuntimeTest, integration test status code assertions

Test plan

  • All 338 tests pass (659 assertions, 0 failures)
  • Code style clean (php-cs-fixer)
  • Manual smoke test of image filter pipeline
  • Verify S3 resolver CacheControl/ACL in staging environment

🤖 Generated with Claude Code

… cache optimization, error handling, S3 hardening, DoS fix, Twig restore, tests

- Add ImageFormat and ImagineDriver backed string enums, replace hardcoded constants
- Add #[Override] attributes to all interface/parent method implementations
- Switch redirects from 301 to 302 for correct cache semantics
- Add resolveIfStored() to eliminate double cache lookups (TOCTOU fix)
- Add SSRF protection via scheme allowlist on StreamLoader
- Use bundle exceptions in FilterManager, catch ExceptionInterface in controller
- Harden S3Resolver: CacheControl/ACL on store, dangerous extension guard
- Move DoS pixel budget check to apply() after dimension auto-calculation
- Validate post-processor binaries at container compile time
- Restore image_filter Twig filter, add filter param to fit/fill/optimize
- Add driver short aliases (gd/imagick/gmagick) and binaries config node
- Add FilterManager unit tests, update existing tests for new behavior

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

wtorsi merged commit fb6d4cb into main Feb 24, 2026
1 check passed
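
The "DoS protection" item in the summary turns on the order of two steps: a pixel budget checked against the requested dimensions cannot see a height or width that is only computed afterwards. The sketch below is an added example, not code from this pull request or the bundle; every function name, the constant and the budget value are hypothetical, and the source dimensions are assumed to be positive.

```php
<?php
declare(strict_types=1);

// Hypothetical names throughout; not the bundle's classes or configuration keys.
const MAX_PIXELS = 25_000_000; // constructed budget: 25 megapixels

/** Fill in a missing dimension from the source aspect ratio (source size assumed > 0). */
function resolveDimensions(int $srcW, int $srcH, ?int $w, ?int $h): array
{
    if ($w === null && $h === null) {
        return [$srcW, $srcH];
    }
    if ($w === null) {
        $w = (int) max(1, round($h * $srcW / $srcH));
    } elseif ($h === null) {
        $h = (int) max(1, round($w * $srcH / $srcW));
    }
    return [$w, $h];
}

/** Weak ordering: the budget is checked on the request, before auto-calculation. */
function checkBeforeResolve(int $srcW, int $srcH, ?int $w, ?int $h): array
{
    if ($w !== null && $h !== null && $w * $h > MAX_PIXELS) {
        throw new InvalidArgumentException('pixel budget exceeded');
    }
    // A request carrying only one dimension skips the check entirely.
    return resolveDimensions($srcW, $srcH, $w, $h);
}

/** Corrected ordering: resolve first, then enforce the budget on the final size. */
function checkAfterResolve(int $srcW, int $srcH, ?int $w, ?int $h): array
{
    [$w, $h] = resolveDimensions($srcW, $srcH, $w, $h);
    // Division form avoids integer overflow in $w * $h.
    if ($w < 1 || $h < 1 || $w > intdiv(MAX_PIXELS, $h)) {
        throw new InvalidArgumentException('pixel budget exceeded');
    }
    return [$w, $h];
}

// Constructed request: 1000x1000 source, only width=20000 supplied.
[$w, $h] = checkBeforeResolve(1000, 1000, 20000, null);
printf("before: %dx%d = %d px accepted\n", $w, $h, $w * $h);

try {
    checkAfterResolve(1000, 1000, 20000, null);
} catch (InvalidArgumentException $e) {
    printf("after: rejected (%s)\n", $e->getMessage());
}
```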