docs: Add v1.4.2 review documents and update backlog

- Fix stale docstring in media.py (4096 -> 12000)
- Add developer review document
- Add architect review document
- Update backlog with identified issues

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

docs/projectplan/BACKLOG.md

@@ -1,9 +1,20 @@
 # StarPunk Backlog
 
-**Last Updated**: 2025-12-10
+**Last Updated**: 2025-12-16
 
 ## Recently Completed
 
+### v1.4.2 - HEIC/MPO Support and Dimension Limit Increase (Complete)
+- HEIC/HEIF format detection and conversion to JPEG
+- MPO (Multi-Picture Object) format support for iPhone depth photos
+- MAX_DIMENSION increased from 4096 to 12000 pixels
+- Enhanced debug logging for failed uploads
+
+### v1.4.0/v1.4.1 - Media Variants (Complete)
+- Image variant generation (thumb, small, medium, large)
+- Micropub media endpoint
+- Enhanced feed media support with Media RSS
+
 ### v1.3.0 - Microformats2 Compliance and Tags (Complete)
 - Tag/Category system with database schema
 - p-category microformats2 markup
@@ -29,31 +40,63 @@
 
 ## High
 
-### Enhanced Feed Media Support *(Scheduled: v1.4.0)*
-- Multiple image sizes/thumbnails (150px, 320px, 640px, 1280px)
-- Full Media RSS implementation (media:group, all attributes)
-- Enhanced JSON Feed attachments
-- ATOM enclosure links for all media
-- See: ADR-059
+### MPO Format Test Coverage
+- **Description**: MPO conversion code exists but has no test coverage. MPO is advertised in the CHANGELOG but the handling is untested.
+- **Location**: `starpunk/media.py` lines 163-173
+- **Source**: Developer Review (M1)
+- **Approach**: Add `test_mpo_detection_and_conversion()` to `TestHEICSupport` class in `tests/test_media_upload.py`. Create an MPO test image using Pillow's MPO support.
 
-### POSSE 
+### POSSE
 - Native syndication to social networks
 - Supported networks:
-  - First iteration: 
+  - First iteration:
     - Mastodon (and compatible services)
     - Bluesky
-  - Second iteration 
-    - TBD 
+  - Second iteration
+    - TBD
 - Solution should include a configuration UI for setup
 
 ---
 
 ## Medium
 
-### Default slug change 
-- The default slug should be a date time stamp 
+### Debug File Storage Without Cleanup Mechanism
+- **Description**: Failed uploads are saved to `data/debug/` directory for analysis, but there is no mechanism to clean up these files. This could consume significant disk space, especially if under attack.
+- **Location**: `starpunk/media.py` lines 133-137
+- **Source**: Developer Review (M2), Architect Review (Issue 1.2.2)
+- **Approach**:
+  1. Add `DEBUG_SAVE_FAILED_UPLOADS` config option (default: false in production)
+  2. Implement automatic cleanup (files older than 7 days)
+  3. Add disk space check or size limit (e.g., 100MB max)
+
+### Filename Not Sanitized in Debug Path (Security)
+- **Description**: The original filename is used directly in the debug file path without sanitization, which could cause path traversal or special character issues.
+- **Location**: `starpunk/media.py` line 135
+- **Source**: Architect Review (Issue 1.2.3)
+- **Approach**: Sanitize filename before use: `safe_filename = "".join(c for c in filename if c.isalnum() or c in "._-")[:50]`
+
+### N+1 Query Pattern in Feed Generation
+- **Description**: In `_get_cached_notes()`, media and tags are loaded per-note in separate queries. For 50 notes, this is 100 additional database queries, degrading performance.
+- **Location**: `starpunk/routes/public.py` lines 68-74
+- **Source**: Architect Review (Issue 2.2.9)
+- **Approach**: Implement batch loading function `get_media_for_notes(note_ids: List[int])` using a single query with `WHERE note_id IN (...)`.
+
+### Transaction Not Atomic in Variant Generation
+- **Description**: Files are written to disk before database commit. If the database commit fails, orphaned files remain on disk.
+- **Location**: `starpunk/media.py` lines 404-440
+- **Source**: Architect Review (Issue 2.2.6)
+- **Approach**: Write variant files to a temporary location first, then move to final location after successful database commit.
+
+### Rate Limiting on Upload Endpoints
+- **Description**: No rate limiting exists on media upload endpoints, making them vulnerable to abuse.
+- **Location**: `/admin/new` (admin.py), `/media` (micropub.py)
+- **Source**: Architect Review (Security Assessment)
+- **Approach**: Implement Flask-Limiter or similar rate limiting middleware for upload routes.
+
+### Default Slug Change
+- The default slug should be a date time stamp
 - YYYYMMDDHHMMSS
-- Edge case, if the slug would somehow be a duplicate append a "-x" e.g. -1 
+- Edge case, if the slug would somehow be a duplicate append a "-x" e.g. -1
 
 ### Tag Enhancements (v1.3.0 Follow-up)
 - Tag pagination on archive pages (when note count exceeds threshold)
@@ -105,6 +148,42 @@
 
 ## Low
 
+### HEIC/MPO Conversion Quality Not Configurable
+- **Description**: HEIC and MPO to JPEG conversion uses hardcoded `quality=95`. Users with different quality/size tradeoff preferences cannot adjust this.
+- **Location**: `starpunk/media.py` line 157
+- **Source**: Developer Review (M3)
+- **Approach**: Add `HEIC_CONVERSION_QUALITY` config variable with 95 as default.
+
+### MAX_DIMENSION Not Configurable
+- **Description**: `MAX_DIMENSION = 12000` is a hardcoded constant. Cannot adjust limit without code change.
+- **Location**: `starpunk/media.py` line 41
+- **Source**: Developer Review (M4)
+- **Approach**: Make configurable via config variable, keeping 12000 as default.
+
+### Animated WebP Not Detected
+- **Description**: Animated GIF detection exists but animated WebP is not handled, potentially bypassing animated image size checks.
+- **Location**: `starpunk/media.py` (validate_image function)
+- **Source**: Architect Review (Issue 2.2.2)
+- **Approach**: Add animated WebP detection similar to existing GIF handling.
+
+### Caption Not Escaped in RSS HTML
+- **Description**: In RSS generation, caption is used directly in alt attribute without HTML escaping. Could break markup if caption contains `"` or other special characters.
+- **Location**: `starpunk/feeds/rss.py` line 136
+- **Source**: Architect Review (Issue 2.2.10)
+- **Approach**: Use `html.escape()` for caption when generating HTML content.
+
+### Incomplete MPO Documentation
+- **Description**: Code comment says "extract primary image" but doesn't explain the multi-frame nature of MPO files (contain multiple images for 3D or depth maps).
+- **Location**: `starpunk/media.py` lines 163-165
+- **Source**: Developer Review (M5)
+- **Approach**: Enhance inline comment to document that MPO files contain multiple frames and only the primary frame is extracted.
+
+### Module Docstring Stale
+- **Description**: Module docstring still states "4096x4096 max dimensions" but MAX_DIMENSION was updated to 12000 in v1.4.2.
+- **Location**: `starpunk/media.py` lines 1-12
+- **Source**: Architect Review (Issue 1.2.1)
+- **Approach**: Update docstring to reflect current 12000px limit.
+
 ### Flaky Migration Race Condition Tests
 - Improve `test_migration_race_condition.py::TestGraduatedLogging::test_debug_level_for_early_retries`
 - Test expects DEBUG retry messages but passes when migration succeeds without retries