docs: Add v1.4.2 review documents and update backlog

- Fix stale docstring in media.py (4096 -> 12000) - Add developer review document - Add architect review document - Update backlog with identified issues 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
fix(media): Increase max dimension to 12000px for modern phone cameras
2025-12-16 18:57:39 -07:00 · 2025-12-16 18:29:21 -07:00 · 2025-12-16 18:23:23 -07:00 · 2025-12-16 18:14:05 -07:00 · 2025-12-16 18:08:36 -07:00 · 2025-12-16 18:06:51 -07:00
16 changed files with 2727 additions and 97 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,36 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 ## [1.4.2] - 2025-12-16
 ### Added
 - HEIC/HEIF image format support for iPhone photo uploads
 - MPO (Multi-Picture Object) format support for iPhone depth/portrait photos
 - Automatic HEIC/MPO to JPEG conversion (browsers cannot display these formats)
 - Graceful error handling if pillow-heif library not installed
 ### Changed
 - Increased maximum input image dimensions from 4096x4096 to 12000x12000 to support modern phone cameras (48MP+); images are still optimized to smaller sizes for web delivery
 ### Dependencies
 - Added `pillow-heif` for HEIC image processing
 - Updated `Pillow` from 10.0.* to 10.1.* (required by pillow-heif)
 ## [1.4.1] - 2025-12-16
 ### Fixed
 - Media upload failures are now logged for debugging and observability
 - Validation errors (invalid format, file too large) logged at WARNING level
 - Optimization failures logged at WARNING level
 - Variant generation failures logged at WARNING level (upload continues)
 - Unexpected errors logged at ERROR level with error type and message
 - Successful uploads logged at INFO level with file details
 - Removed duplicate logging in Micropub media endpoint
 ## [1.4.0rc1] - 2025-12-16
 ### Added
--- a/docs/design/v1.4.1/2025-12-16-implementation-report.md
+++ b/docs/design/v1.4.1/2025-12-16-implementation-report.md
@@ -0,0 +1,172 @@
 # Implementation Report - v1.4.1 Media Upload Logging
 **Developer**: Developer Agent
 **Date**: 2025-12-16
 **Status**: Complete
 ## Summary
 Successfully implemented v1.4.1 - Media Upload Logging per design specifications. All media upload operations now log appropriately for debugging and observability.
 ## Changes Implemented
 ### 1. Modified `starpunk/media.py`
 Added comprehensive logging to the `save_media()` function:
 - **Validation failures**: Log at WARNING level with filename, size, and error message
 - **Optimization failures**: Log at WARNING level with filename, size, and error message
 - **Variant generation failures**: Log at WARNING level with filename, media_id, and error message (non-fatal)
 - **Successful uploads**: Log at INFO level with filename, stored filename, size, optimization status, and variant count
 - **Unexpected errors**: Log at ERROR level with filename, error type, and error message
 All logging uses the specified format from the design document.
 ### 2. Modified `starpunk/routes/micropub.py`
 Removed duplicate logging at line 202 in the media endpoint exception handler. The `save_media()` function now handles all logging, preventing duplicate log entries.
 ### 3. Added tests to `tests/test_media_upload.py`
 Created new `TestMediaLogging` test class with 5 comprehensive tests:
 - `test_save_media_logs_success`: Verifies INFO log on successful upload
 - `test_save_media_logs_validation_failure`: Verifies WARNING log on validation errors
 - `test_save_media_logs_optimization_failure`: Verifies WARNING log on optimization errors
 - `test_save_media_logs_variant_failure`: Verifies WARNING log when variant generation fails (but upload succeeds)
 - `test_save_media_logs_unexpected_error`: Verifies ERROR log on unexpected system errors
 All tests use `caplog` fixture to capture and assert log messages.
 ### 4. Updated `starpunk/__init__.py`
 Bumped version from `1.4.0rc1` to `1.4.1`:
 - `__version__ = "1.4.1"`
 - `__version_info__ = (1, 4, 1)`
 ### 5. Updated `CHANGELOG.md`
 Added v1.4.1 entry documenting all logging improvements in the "Fixed" section.
 ## Test Results
 All new tests pass:
 - ✅ 5/5 new logging tests pass
 - ✅ 28/28 total media upload tests pass
 - ✅ 338 tests pass overall (1 pre-existing failure unrelated to this implementation)
 ### Test Execution
 ```bash
 $ uv run pytest tests/test_media_upload.py::TestMediaLogging -v
 ============================= test session starts ==============================
 tests/test_media_upload.py::TestMediaLogging::test_save_media_logs_success PASSED [ 20%]
 tests/test_media_upload.py::TestMediaLogging::test_save_media_logs_validation_failure PASSED [ 40%]
 tests/test_media_upload.py::TestMediaLogging::test_save_media_logs_optimization_failure PASSED [ 60%]
 tests/test_media_upload.py::TestMediaLogging::test_save_media_logs_variant_failure PASSED [ 80%]
 tests/test_media_upload.py::TestMediaLogging::test_save_media_logs_unexpected_error PASSED [100%]
 ============================== 5 passed in 0.97s
 ```
 ## Design Adherence
 Implementation follows the design specifications exactly:
 ✅ All logging in `save_media()` function (single location)
 ✅ Correct log levels (INFO/WARNING/ERROR) per design
 ✅ Exact log message format per design specifications
 ✅ Variant generation failures are non-fatal
 ✅ ValueError exceptions are re-raised after logging
 ✅ Unexpected errors logged at ERROR before re-raising
 ✅ No changes to flash messages or error responses
 ✅ Duplicate logging removed from Micropub route
 ## Acceptance Criteria
 All acceptance criteria from design document met:
 - [x] Successful media uploads are logged at INFO level with filename, stored name, size, optimization status, and variant count
 - [x] Validation failures are logged at WARNING level with filename, input size, and error message
 - [x] Optimization failures are logged at WARNING level with filename, input size, and error message
 - [x] Variant generation failures are logged at WARNING level with filename, media ID, and error message
 - [x] Unexpected errors are logged at ERROR level with filename, exception type, and error message
 - [x] Micropub endpoint duplicate logging is removed
 - [x] Flash messages continue to work unchanged in admin UI
 - [x] Error responses continue to work unchanged in Micropub endpoint
 - [x] All new logging is tested with unit tests
 - [x] CHANGELOG.md is updated
 ## Files Modified
 | File | Lines Changed | Description |
 |------|---------------|-------------|
 | `starpunk/media.py` | +48 | Added logging to `save_media()` |
 | `starpunk/routes/micropub.py` | -1 | Removed duplicate logging |
 | `tests/test_media_upload.py` | +119 | Added 5 logging tests |
 | `starpunk/__init__.py` | 2 | Bumped version to 1.4.1 |
 | `CHANGELOG.md` | +12 | Added v1.4.1 entry |
 ## Example Log Output
 ### Successful Upload
 ```
 INFO: Media upload successful: filename="vacation.jpg", stored="a1b2c3d4-e5f6-7890-abcd-ef1234567890.jpg", size=524288b, optimized=True, variants=4
 ```
 ### Validation Failure
 ```
 WARNING: Media upload validation failed: filename="document.pdf", size=2048576b, error="Invalid image format. Accepted: JPEG, PNG, GIF, WebP"
 ```
 ### Optimization Failure
 ```
 WARNING: Media upload optimization failed: filename="huge-photo.jpg", size=52428800b, error="Image cannot be optimized to target size. Please use a smaller or lower-resolution image."
 ```
 ### Variant Generation Failure
 ```
 WARNING: Media upload variant generation failed: filename="photo.jpg", media_id=42, error="Disk full"
 INFO: Media upload successful: filename="photo.jpg", stored="uuid.jpg", size=1024000b, optimized=True, variants=0
 ```
 ### Unexpected Error
 ```
 ERROR: Media upload failed unexpectedly: filename="photo.jpg", error_type="OSError", error="[Errno 28] No space left on device"
 ```
 ## Implementation Notes
 1. **Top-level exception handler**: Added try/except wrapper around entire function body to catch unexpected errors (disk full, database errors, etc.) and log them at ERROR level before re-raising.
 2. **Variant generation error handling**: Per architect's guidance, variant failures are non-fatal. The function continues with an empty variants list and logs at WARNING level.
 3. **File size variable**: Used existing `file_size` variable name (per architect's clarification) instead of creating new `input_size` variable.
 4. **Test implementation**: Used `caplog.at_level(logging.INFO)` for tests that need to capture both WARNING and INFO logs (e.g., variant failure test needs to verify success log too).
 5. **No integration test changes**: Per architect's guidance, integration tests focus on HTTP behavior (status codes, responses) not logging assertions. Logging is an implementation detail tested via unit tests.
 ## Verification
 The implementation has been verified to:
 1. Log all media upload operations appropriately
 2. Maintain backward compatibility (no API changes)
 3. Pass all existing tests
 4. Not affect user-facing behavior (flash messages, error responses)
 5. Provide actionable debugging information for operators
 ## Ready for Commit
 Implementation is complete and ready to commit:
 - All tests pass
 - Version bumped
 - CHANGELOG updated
 - Design specifications followed exactly
 - Code is clean and maintainable
 ## Next Steps
 1. Review implementation report
 2. Commit changes with appropriate message
 3. Deploy v1.4.1 to production
--- a/docs/design/v1.4.1/architect-responses.md
+++ b/docs/design/v1.4.1/architect-responses.md
@@ -0,0 +1,187 @@
 # Architect Responses - v1.4.1 Media Upload Logging
 **Architect**: Architect Agent
 **Date**: 2025-12-16
 **Status**: Complete
 ---
 ## Responses to Developer Questions
 ### Question 1: Variant Generation Error Handling and Re-raising
 **Answer**: Option A - Catch all exceptions, log at WARNING, and continue.
 **Rationale**: The design explicitly states variant generation failure should NOT fail the overall upload. The original image is the primary deliverable; variants are optimizations. Users can still use their uploaded image even if variant generation fails.
 **Return value when generation fails**: Empty list (`variants = []`).
 The success log will then show `variants=0` (or `variants=1` if we count the original, but per the current code the `generate_all_variants` return value only counts generated variants, not the original). This accurately reflects what was created.
 **Implementation guidance**: Wrap the `generate_all_variants()` call in a try/except that catches `Exception`, logs at WARNING with the specified format, and allows the function to continue to the success log and return.
 ---
 ### Question 2: Unexpected Error Logging and Exception Re-raising
 **Answer**: Add a top-level try/except in `save_media()` that catches non-ValueError exceptions, logs at ERROR, and re-raises.
 **Rationale**: The ERROR log format (line 111-122) is meant for truly unexpected errors like disk full, database errors, or other system failures. These should be logged before propagating to the caller.
 **Implementation pattern**:
 ```
 def save_media(file_data: bytes, filename: str) -> Dict:
    input_size = len(file_data)
    try:
        # All existing logic (validation, optimization, save, variants)
        ...
        # Success log
        ...
        return result
    except ValueError:
        # Already logged at WARNING in validation/optimization blocks
        raise
    except Exception as e:
        current_app.logger.error(
            f'Media upload failed unexpectedly: filename="{filename}", '
            f'error_type="{type(e).__name__}", error="{e}"'
        )
        raise
 ```
 This ensures:
 1. Validation/optimization ValueErrors are logged at WARNING and re-raised (per existing design)
 2. Unexpected errors (OSError, database errors, etc.) are logged at ERROR before re-raising
 3. Callers still receive exceptions and can handle them appropriately
 ---
 ### Question 3: Logging Import
 **Answer**: No additional imports needed.
 **Confirmation**: `current_app.logger` from Flask is sufficient. No `import logging` is required in `starpunk/media.py`.
 ---
 ### Question 4: Test File Naming and Location
 **Answer**: Option A - Add tests to the existing `tests/test_media_upload.py` file.
 **Rationale**: The design document incorrectly referenced `tests/test_media.py`. The existing file `tests/test_media_upload.py` already tests `save_media()` and related functions, making it the logical home for logging tests.
 **Design document update**: I will update the design document to reference the correct filename.
 ---
 ### Question 5: Integration Test Scope
 **Answer**: Option C - Skip integration tests for logging; unit tests are sufficient.
 **Rationale**:
 1. The logging occurs entirely within `save_media()`, which is thoroughly unit-tested
 2. Integration tests for routes should focus on HTTP behavior (status codes, response bodies, flash messages)
 3. Adding `caplog` assertions to route tests couples them to implementation details
 4. The routes are not adding or modifying logging - they just call `save_media()`
 Keep integration tests focused on:
 - Flash messages work correctly (admin route)
 - Error responses are correct (micropub route)
 - No duplicate logging assertion needed since we're removing the duplicate
 **Design document update**: I will clarify that integration tests verify behavior, not logging.
 ---
 ### Question 6: Optimized Image Bytes Variable Scope
 **Answer**: Use existing `file_size` variable; no rename needed.
 **Rationale**: The existing code has `file_size = len(file_data)` at line 398. The design pseudocode used `input_size` for clarity, but the existing variable name is fine. Consistency within the existing codebase takes precedence over matching pseudocode exactly.
 **Implementation**: Use `file_size` wherever the design shows `input_size`. The logs will still be accurate and meaningful.
 ---
 ### Question 7: Media ID Availability for Variant Failure Logging
 **Confirmation**: Correct. The `media_id` is available at line 442 after the database insert, and variant generation happens at line 447. No changes needed.
 ---
 ### Question 8: Empty File Handling
 **Confirmation**: Correct. Empty files will show `size=0b` in the validation failure log. This is accurate and helpful for debugging.
 ---
 ### Question 9: Animated GIF Rejection Logging
 **Confirmation**: Correct. Animated GIF >10MB rejection is a validation failure and will be logged at WARNING with the detailed error message. This is intended behavior.
 ---
 ### Question 10: GIF Optimization Path
 **Confirmation**: Correct. For animated GIFs:
 - `optimized=False` (original bytes unchanged)
 - `variants=1` (only 'original' variant in database)
 This is expected and documented behavior.
 ---
 ### Question 11: Mocking and Application Context
 **Answer**: Option B - Create a new test class `TestMediaLogging`.
 **Rationale**: A dedicated test class improves clarity and groups related tests. However, this is a minor organizational preference; either approach is acceptable.
 ---
 ### Question 12: Caplog Level Setting
 **Answer**: Use `caplog.at_level(logging.INFO)` as shown in the design.
 **Rationale**: The context manager pattern is cleaner and ensures the level is reset after the test. This matches the design document.
 ---
 ## Implementation Approach Validation
 The developer's planned implementation approach (Question section, lines 149-161) is **approved** with one clarification:
 - Step 2 and 3 should only catch `ValueError` (as shown in the design)
 - Step 4 should catch `Exception` (variant failures)
 - Add top-level `Exception` handler for unexpected errors (per Question 2 response)
 ---
 ## Design Document Updates
 Based on these questions, the following updates should be made to `docs/design/v1.4.1/media-logging-design.md`:
 1. **Line 225**: Change `tests/test_media.py` to `tests/test_media_upload.py`
 2. **Line 245-250**: Clarify that integration tests verify HTTP behavior, not logging assertions
 3. **Line 270**: Change `tests/test_media.py` to `tests/test_media_upload.py`
 4. **Add clarification**: Top-level exception handler for unexpected errors
 I will make these updates now.
 ---
 ## Summary
 All questions answered. The design is sound and ready for implementation. Key clarifications:
 1. Variant failures: Catch all, log WARNING, continue with empty list
 2. Unexpected errors: Top-level handler logs ERROR, then re-raises
 3. Test file: Use existing `tests/test_media_upload.py`
 4. Integration tests: Focus on HTTP behavior, not logging assertions
 5. Variable naming: Use existing `file_size`, no rename needed
 The developer may proceed with implementation.
--- a/docs/design/v1.4.1/developer-questions.md
+++ b/docs/design/v1.4.1/developer-questions.md
@@ -0,0 +1,193 @@
 # Developer Questions - v1.4.1 Media Upload Logging
 **Developer**: Developer Agent
 **Date**: 2025-12-16
 **Status**: Addressed - See architect-responses.md
 ## Overview
 I have reviewed the design document at `docs/design/v1.4.1/media-logging-design.md` and the existing code. Below are my questions and concerns before implementation.
 ## Questions
 ### 1. Variant Generation Error Handling and Re-raising
 **Issue**: The design shows variant generation failures should be logged at WARNING level but NOT fail the overall upload (line 109: "Variant generation failure should NOT fail the overall upload"). However, the example code shows:
 ```python
 try:
    variants = generate_all_variants(...)
 except Exception as e:
    current_app.logger.warning(...)
    # Continue - original image is still usable
 ```
 **Current behavior**: Looking at the existing `save_media()` function (lines 444-456 in `starpunk/media.py`), variant generation is called **without** explicit error handling. If `generate_all_variants()` raises an exception, it will propagate up and fail the entire upload.
 **Question**: Should I:
 - A) Add a try/except around `generate_all_variants()` to catch all exceptions, log them at WARNING, and continue (making it non-fatal)?
 - B) Only catch specific expected exceptions and let unexpected errors propagate?
 If option A, what should be returned for `variants` in the return dict when generation fails? Empty list?
 ### 2. Unexpected Error Logging and Exception Re-raising
 **Issue**: The design specifies an "Unexpected Error (ERROR)" log format (lines 111-122), but the pseudocode doesn't show where this would be caught.
 **Question**: Should I add a top-level try/except in `save_media()` that catches any unexpected exception (not ValueError), logs it at ERROR level with the format shown, and then re-raises it? Or is this log format meant for callers to use (though you said not to add logging to callers)?
 **Current behavior**: Unexpected errors (like `OSError` for disk full) will currently propagate without being logged.
 ### 3. Logging Import
 **Minor detail**: Should I add `import logging` at the top of `starpunk/media.py`? I see the design uses `current_app.logger` which doesn't require importing `logging`, but I want to confirm there are no other logging-related imports needed.
 **Current state**: The file already imports `from flask import current_app` (line 20), so `current_app.logger` is available.
 ### 4. Test File Naming and Location
 **Issue**: The design references `tests/test_media.py` for unit tests (line 225), but the actual test file is named `tests/test_media_upload.py`.
 **Question**: Should I:
 - A) Add the logging tests to the existing `tests/test_media_upload.py` file?
 - B) Create a new `tests/test_media.py` file as specified in the design?
 - C) Ask the architect to clarify/update the design?
 **Recommendation**: Option A seems more practical since the existing file already tests `save_media()` and related functions.
 ### 5. Integration Test Scope
 **Issue**: The design says to add integration tests to `tests/test_admin_routes.py` and `tests/test_micropub.py` (lines 244-250), but:
 - The actual file is named `tests/test_routes_admin.py` (not `test_admin_routes.py`)
 - The design says "Verify that upload failures are logged (check caplog)" but also says not to add logging to these routes
 **Question**: Since we're removing the duplicate logging from the Micropub route and not adding any to the admin route, should these integration tests:
 - A) Test that `save_media()` logging works when called from these routes (using caplog)?
 - B) Only test that flash messages and error responses are unchanged (no logging assertions)?
 - C) Be skipped entirely since unit tests will cover the logging behavior?
 **My understanding**: Option A - verify that when an upload fails through the admin or micropub route, the logging from `save_media()` is captured. This ensures the logging is working end-to-end.
 ### 6. Optimized Image Bytes Variable Scope
 **Minor implementation detail**: Looking at the existing code (lines 400-401 in `starpunk/media.py`):
 ```python
 optimized_img, width, height, optimized_bytes = optimize_image(file_data, file_size)
 ```
 The variable `optimized_bytes` is already in scope and used later in the function. The success log needs to check if optimization occurred:
 ```python
 was_optimized = len(optimized_bytes) < input_size
 ```
 **Question**: Should `input_size` be captured at the start of the function (before validation) to compare against final size? The design pseudocode shows this (line 136: `input_size = len(file_data)`), and this makes sense.
 **Current state**: The function currently has `file_size = len(file_data)` at line 398. Should I rename this to `input_size` for consistency with the design, or add a separate `input_size` variable?
 ### 7. Media ID Availability for Variant Failure Logging
 **Issue**: The design shows that variant generation failures should log the `media_id` (line 106-108):
 ```python
 Media upload variant generation failed: filename="{original_filename}", media_id={id}, error="{error_message}"
 ```
 **Current code flow**: In `save_media()`, the `media_id` is available at line 442 after the database insert. However, variant generation happens immediately after (line 447), so the media_id is in scope. This should work fine.
 **Confirmation**: Just confirming this is correct - we'll have the media_id available when catching variant generation exceptions. No issue here, just documenting my understanding.
 ## Edge Cases and Concerns
 ### 8. Empty File Handling
 **Current behavior**: `validate_image()` is called first, which will fail on empty files with "Invalid or corrupted image" at line 101.
 **Concern**: The validation failure log message includes `size={input_size}b` which would show `size=0b` for empty files. This is correct behavior, just noting it for completeness.
 ### 9. Animated GIF Rejection Logging
 **Current behavior**: Animated GIFs >10MB are rejected in `validate_image()` with a ValueError at lines 128-132.
 **Question**: This will be logged as a validation failure with the error message. Is this the intended behavior? The error message is quite detailed for users.
 **My understanding**: Yes, this is correct - it's a validation failure and should be logged at WARNING level with the full error message.
 ### 10. GIF Optimization Path
 **Current behavior**: Animated GIFs return early from `optimize_image()` at lines 175-177, returning the original `image_data` bytes.
 **Concern**: For animated GIFs, the success log will show:
 - `optimized=False` (since `len(image_data) == input_size`)
 - `variants=1` (only the 'original' variant is created, per line 357)
 This is correct, just documenting expected behavior.
 ## Testing Concerns
 ### 11. Mocking and Application Context
 **Issue**: The existing tests in `tests/test_media_upload.py` use fixtures like `app` and `tmp_path`. Looking at the test structure (lines 48-50), tests are organized in classes.
 **Question**: For the logging tests with `caplog`, should I:
 - A) Add them to existing test classes (e.g., `TestImageValidation`, `TestMediaSave`)?
 - B) Create a new test class `TestMediaLogging`?
 **Recommendation**: Option B for clarity - a dedicated test class for logging behavior.
 ### 12. Caplog Level Setting
 **From existing tests**: I see examples using both:
 - `caplog.at_level(logging.INFO)` (context manager)
 - `caplog.set_level(logging.WARNING)` (method call)
 **Question**: Which pattern should I follow? The design example shows `caplog.at_level(logging.INFO)` (line 237), so I'll use that pattern unless directed otherwise.
 ## Implementation Approach
 Based on my understanding, here's my planned implementation approach:
 1. **Add input_size tracking** at the start of `save_media()` (rename or alias `file_size`)
 2. **Add try/except for validation** with WARNING logging (wrap existing validate call)
 3. **Add try/except for optimization** with WARNING logging (wrap existing optimize call)
 4. **Add try/except for variant generation** with WARNING logging (new error handling)
 5. **Add success logging** at the end before return
 6. **Remove duplicate logging** from `starpunk/routes/micropub.py` (line 202)
 7. **Add unit tests** to `tests/test_media_upload.py` in new `TestMediaLogging` class
 8. **Add integration tests** to existing route test files
 9. **Update version** to 1.4.1 in `starpunk/__init__.py`
 10. **Update CHANGELOG.md** with the provided entry
 ## Clarifications Needed Before Implementation
 **Priority 1 (Blocking)**:
 - Question 1: Variant generation error handling strategy
 - Question 2: Unexpected error logging location and strategy
 **Priority 2 (Important)**:
 - Question 4: Test file naming
 - Question 5: Integration test scope
 **Priority 3 (Nice to have)**:
 - Question 6: Variable naming consistency
 - Questions 9, 10: Confirmation of edge case behavior
 ## Summary
 The design is generally clear and well-specified. My main concerns are around:
 1. The variant generation error handling strategy (fatal vs non-fatal)
 2. Where/how to log unexpected errors (OSError, etc.)
 3. Integration test scope and what to verify
 Once these are clarified, implementation should be straightforward. The logging patterns are consistent with existing code, and the test infrastructure (caplog) is already in use.
 ## References
 - Design document: `/home/phil/Projects/starpunk/docs/design/v1.4.1/media-logging-design.md`
 - Existing media code: `/home/phil/Projects/starpunk/starpunk/media.py`
 - Existing micropub route: `/home/phil/Projects/starpunk/starpunk/routes/micropub.py`
 - Existing admin route: `/home/phil/Projects/starpunk/starpunk/routes/admin.py`
 - Existing tests: `/home/phil/Projects/starpunk/tests/test_media_upload.py`
 - Logging examples: `/home/phil/Projects/starpunk/starpunk/media.py` (delete_media function, line 639)
--- a/docs/design/v1.4.1/media-logging-design.md
+++ b/docs/design/v1.4.1/media-logging-design.md
@@ -0,0 +1,322 @@
 # Media Upload Logging Design - v1.4.1
 **Author**: Architect
 **Date**: 2025-12-16
 **Status**: Ready for Implementation
 ## Problem Statement
 Media upload failures in StarPunk are currently invisible to operators:
 1. Errors from the admin UI (`POST /admin/new`) are only shown as flash messages that disappear
 2. Errors are NOT logged to server logs
 3. The Micropub media endpoint logs generic errors but loses validation details
 4. Debugging upload failures requires reproducing the issue
 This makes production support and debugging effectively impossible.
 ## Scope
 This is a **PATCH release** (v1.4.1). The scope is strictly limited to:
 - Adding logging to media upload operations
 - No new features
 - No API changes
 - No database changes
 - No UI changes
 ## Design
 ### Logging Location
 All media logging should occur in `starpunk/media.py` in the `save_media()` function. This is the single entry point for all media uploads (both admin UI and Micropub endpoint), ensuring:
 1. No duplicate logging
 2. Consistent log format
 3. Single place to maintain
 ### Log Levels
 Per Python logging conventions:
 | Event | Level | Rationale |
 |-------|-------|-----------|
 | Successful upload | INFO | Normal operation, useful for auditing |
 | Validation failure (user error) | WARNING | Expected errors (bad file type, too large) |
 | Processing failure (system error) | ERROR | Unexpected errors requiring investigation |
 ### Log Messages
 #### Success (INFO)
 Log after successful save to database and before returning:
 ```
 Media upload successful: filename="{original_filename}", stored="{stored_filename}", size={final_size_bytes}b, optimized={was_optimized}, variants={variant_count}
 ```
 Fields:
 - `original_filename`: User-provided filename (for correlation with user reports)
 - `stored_filename`: UUID-based stored filename (for finding the file)
 - `size`: Final file size in bytes after optimization
 - `optimized`: Boolean indicating if optimization was applied
 - `variants`: Number of variants generated
 Example:
 ```
 INFO Media upload successful: filename="vacation.jpg", stored="a1b2c3d4-e5f6-7890-abcd-ef1234567890.jpg", size=524288b, optimized=True, variants=4
 ```
 #### Validation Failure (WARNING)
 Log when `validate_image()` raises `ValueError`:
 ```
 Media upload validation failed: filename="{original_filename}", size={input_size_bytes}b, error="{error_message}"
 ```
 Fields:
 - `original_filename`: User-provided filename
 - `size`: Input file size in bytes (may be 0 if file was empty)
 - `error`: The validation error message
 Example:
 ```
 WARNING Media upload validation failed: filename="document.pdf", size=2048576b, error="Invalid image format. Accepted: JPEG, PNG, GIF, WebP"
 ```
 #### Optimization Failure (WARNING)
 Log when `optimize_image()` raises `ValueError`:
 ```
 Media upload optimization failed: filename="{original_filename}", size={input_size_bytes}b, error="{error_message}"
 ```
 Example:
 ```
 WARNING Media upload optimization failed: filename="huge-photo.jpg", size=52428800b, error="Image cannot be optimized to target size. Please use a smaller or lower-resolution image."
 ```
 #### Variant Generation Failure (WARNING)
 Log when `generate_all_variants()` fails but original was saved:
 ```
 Media upload variant generation failed: filename="{original_filename}", media_id={id}, error="{error_message}"
 ```
 Note: Variant generation failure should NOT fail the overall upload. The original image is still usable.
 #### Unexpected Error (ERROR)
 Log when any unexpected exception occurs:
 ```
 Media upload failed unexpectedly: filename="{original_filename}", error_type="{exception_class}", error="{error_message}"
 ```
 Example:
 ```
 ERROR Media upload failed unexpectedly: filename="photo.jpg", error_type="OSError", error="[Errno 28] No space left on device"
 ```
 ### Implementation Location
 Modify `save_media()` in `starpunk/media.py`:
 ```python
 def save_media(file_data: bytes, filename: str) -> Dict:
    """
    Save uploaded media file
    ...
    """
    from starpunk.database import get_db
    input_size = len(file_data)
    try:
        # Validate image
        mime_type, orig_width, orig_height = validate_image(file_data, filename)
    except ValueError as e:
        current_app.logger.warning(
            f'Media upload validation failed: filename="{filename}", '
            f'size={input_size}b, error="{e}"'
        )
        raise
    try:
        # Optimize image
        optimized_img, width, height, optimized_bytes = optimize_image(file_data, input_size)
    except ValueError as e:
        current_app.logger.warning(
            f'Media upload optimization failed: filename="{filename}", '
            f'size={input_size}b, error="{e}"'
        )
        raise
    # ... existing save logic ...
    # Generate variants (with isolated error handling)
    variants = []
    try:
        variants = generate_all_variants(...)
    except Exception as e:
        current_app.logger.warning(
            f'Media upload variant generation failed: filename="{filename}", '
            f'media_id={media_id}, error="{e}"'
        )
        # Continue - original image is still usable
    # Log success
    was_optimized = len(optimized_bytes) < input_size
    current_app.logger.info(
        f'Media upload successful: filename="{filename}", '
        f'stored="{stored_filename}", size={len(optimized_bytes)}b, '
        f'optimized={was_optimized}, variants={len(variants)}'
    )
    return { ... }
 ```
 #### Top-Level Exception Handler
 Wrap the entire function body in a try/except to catch unexpected errors (disk full, database errors, etc.):
 ```python
 def save_media(file_data: bytes, filename: str) -> Dict:
    input_size = len(file_data)
    try:
        # All the logic above (validation, optimization, save, variants, success log)
        ...
        return result
    except ValueError:
        # Already logged at WARNING level in validation/optimization blocks
        raise
    except Exception as e:
        current_app.logger.error(
            f'Media upload failed unexpectedly: filename="{filename}", '
            f'error_type="{type(e).__name__}", error="{e}"'
        )
        raise
 ```
 This ensures unexpected errors are logged at ERROR level before propagating to the caller.
 ### Caller-Side Changes
 #### Admin Route (`starpunk/routes/admin.py`)
 The admin route currently catches exceptions and builds flash messages. **Do not add logging here** - the logging in `save_media()` will capture all failures.
 However, the current code has a gap: the generic `except Exception` clause loses error details:
 ```python
 except Exception as e:
    errors.append(f"{file.filename}: Upload failed")  # Detail lost!
 ```
 This should remain unchanged for the flash message (we don't want to expose internal errors to users), but the logging in `save_media()` will capture the full error before it's caught here.
 #### Micropub Route (`starpunk/routes/micropub.py`)
 The current code already logs at ERROR level:
 ```python
 except Exception as e:
    current_app.logger.error(f"Media upload failed: {e}")
    return error_response("server_error", "Failed to process upload", 500)
 ```
 **Remove this logging** since `save_media()` will now handle it. The route should only handle the response:
 ```python
 except Exception as e:
    return error_response("server_error", "Failed to process upload", 500)
 ```
 ### What NOT to Change
 1. **Flash messages** - Keep them as-is for user feedback
 2. **Error responses** - Keep HTTP error responses unchanged
 3. **Exception propagation** - Continue to raise ValueError for validation errors
 4. **Variant generation behavior** - Keep it non-fatal (original still usable)
 ## Testing Strategy
 ### Unit Tests
 Add tests to `tests/test_media_upload.py`:
 1. **test_save_media_logs_success**: Verify INFO log on successful upload
 2. **test_save_media_logs_validation_failure**: Verify WARNING log on invalid file type
 3. **test_save_media_logs_optimization_failure**: Verify WARNING log when optimization fails
 4. **test_save_media_logs_variant_failure**: Verify WARNING log when variant generation fails
 Use `caplog` fixture to capture and assert log messages:
 ```python
 def test_save_media_logs_success(app, caplog):
    with caplog.at_level(logging.INFO):
        result = save_media(valid_image_data, "test.jpg")
    assert "Media upload successful" in caplog.text
    assert "test.jpg" in caplog.text
 ```
 ### Integration Tests
 Existing integration tests in `tests/test_routes_admin.py` and `tests/test_micropub.py` should continue to pass. These tests verify:
 1. Flash messages still appear correctly (admin route)
 2. Error responses are unchanged (micropub route)
 Note: Integration tests should NOT add `caplog` assertions for logging. Logging behavior is an implementation detail tested via unit tests. Integration tests should focus on HTTP-level behavior (status codes, response bodies, headers).
 ## Acceptance Criteria
 1. [ ] Successful media uploads are logged at INFO level with filename, stored name, size, optimization status, and variant count
 2. [ ] Validation failures are logged at WARNING level with filename, input size, and error message
 3. [ ] Optimization failures are logged at WARNING level with filename, input size, and error message
 4. [ ] Variant generation failures are logged at WARNING level with filename, media ID, and error message
 5. [ ] Unexpected errors are logged at ERROR level with filename, exception type, and error message
 6. [ ] Micropub endpoint duplicate logging is removed
 7. [ ] Flash messages continue to work unchanged in admin UI
 8. [ ] Error responses continue to work unchanged in Micropub endpoint
 9. [ ] All new logging is tested with unit tests
 10. [ ] CHANGELOG.md is updated
 ## Files to Modify
 | File | Change |
 |------|--------|
 | `starpunk/media.py` | Add logging to `save_media()` |
 | `starpunk/routes/micropub.py` | Remove duplicate logging in media endpoint |
 | `tests/test_media_upload.py` | Add logging tests |
 | `starpunk/__init__.py` | Bump version to 1.4.1 |
 | `CHANGELOG.md` | Add v1.4.1 entry |
 ## CHANGELOG Entry
 ```markdown
 ## [1.4.1] - YYYY-MM-DD
 ### Fixed
 - Media upload failures are now logged for debugging and observability
 - Validation errors (invalid format, file too large) logged at WARNING level
 - Successful uploads logged at INFO level with file details
 - Removed duplicate logging in Micropub media endpoint
 ```
 ## Questions for Developer
 None - this design is complete and ready for implementation.
 ## References
 - Existing logging patterns: `starpunk/notes.py`, `starpunk/media.py:delete_media()`
 - Flask logging: https://flask.palletsprojects.com/en/stable/logging/
 - Python logging levels: https://docs.python.org/3/library/logging.html#logging-levels
--- a/docs/design/v1.4.2/2025-12-16-architect-review.md
+++ b/docs/design/v1.4.2/2025-12-16-architect-review.md
@@ -0,0 +1,527 @@
 # Architect Review: v1.4.2 Implementation and End-to-End Media Pipeline
 **Date**: 2025-12-16
 **Architect**: Claude (StarPunk Architect Agent)
 **Scope**: v1.4.2 HEIC support implementation + comprehensive media pipeline review
 **Status**: Complete
 ---
 ## Executive Summary
 The v1.4.2 implementation is architecturally sound and follows the established design patterns. The HEIC support was implemented cleanly with minimal code changes. However, the comprehensive end-to-end media pipeline review reveals several architectural concerns that should be addressed in future releases, ranging from security hardening to consistency improvements.
 **Overall Assessment**: Acceptable with recommendations for future improvement.
 ---
 ## Part 1: v1.4.2 Implementation Review
 ### 1.1 Design Decisions Assessment
 | Decision | Assessment | Notes |
 |----------|------------|-------|
 | D1: Convert at validation time | **Acceptable** | Keeps change minimal; conversion in `validate_image()` is logical since it normalizes input formats |
 | D2: Convert to JPEG | **Acceptable** | JPEG has universal browser support; appropriate for photographic content |
 | D3: Graceful degradation | **Good** | Conditional import with `HEIC_SUPPORTED` flag enables runtime flexibility |
 | D4: Quality 95 for conversion | **Acceptable** | High quality preserved; subsequent optimization will reduce if needed |
 | D5: Return signature change | **Acceptable** | 4-tuple return is clean; API change is internal-only |
 ### 1.2 Issues Found in v1.4.2
 #### Issue 1.2.1: Module-Level Documentation Stale (LOW)
 **Location**: `/home/phil/Projects/starpunk/starpunk/media.py`, lines 1-12
 **Problem**: The module docstring still states "4096x4096 max dimensions" but `MAX_DIMENSION` was updated to 12000 in v1.4.2.
 **Impact**: Documentation mismatch causes confusion; could lead to incorrect assumptions by future developers.
 **Recommendation**: Update docstring to reflect current limits:
 ```
 - 12000x12000 max input dimensions (v1.4.2)
 ```
 #### Issue 1.2.2: Debug File Storage Without Cleanup (MEDIUM)
 **Location**: `/home/phil/Projects/starpunk/starpunk/media.py`, lines 133-137
 **Problem**: Failed uploads are saved to `data/debug/` directory for analysis, but there is no mechanism to clean up these files. Over time, this could consume significant disk space, especially if under attack.
 ```python
 debug_dir = Path(current_app.config.get('DATA_PATH', 'data')) / 'debug'
 debug_dir.mkdir(parents=True, exist_ok=True)
 debug_file = debug_dir / f"failed_{datetime.now().strftime('%Y%m%d_%H%M%S')}_{filename}"
 debug_file.write_bytes(file_data)
 ```
 **Impact**:
 - Disk space exhaustion risk
 - Potential storage of malicious payloads
 - No visibility into debug file accumulation
 **Recommendation**:
 1. Add a configuration option to enable/disable debug file saving
 2. Implement automatic cleanup (e.g., files older than 7 days)
 3. Add disk space check before saving
 4. Consider rate limiting debug file creation
 #### Issue 1.2.3: Filename in Debug Path Not Sanitized (MEDIUM)
 **Location**: `/home/phil/Projects/starpunk/starpunk/media.py`, line 135
 **Problem**: The original filename is used directly in the debug file path without sanitization.
 ```python
 debug_file = debug_dir / f"failed_{datetime.now().strftime('%Y%m%d_%H%M%S')}_{filename}"
 ```
 **Impact**: Path traversal or special character issues could occur if filename contains malicious patterns (though `pathlib` provides some protection).
 **Recommendation**: Sanitize filename before use:
 ```python
 safe_filename = "".join(c for c in filename if c.isalnum() or c in "._-")[:50]
 ```
 #### Issue 1.2.4: Explicit HEIC Read After Pillow Failure (LOW)
 **Location**: `/home/phil/Projects/starpunk/starpunk/media.py`, lines 111-139
 **Problem**: When Pillow fails to open a file, the code attempts to read it explicitly as HEIC. This is a workaround for iOS files with wrong extensions, but the error handling is complex and could be clearer.
 **Impact**: Code complexity; potential for subtle bugs in error paths.
 **Recommendation**: Consider refactoring to a cleaner pattern:
 ```
 1. Try Pillow standard open
 2. If fails and HEIC_SUPPORTED, try explicit HEIC
 3. If both fail, provide clear diagnostic
 ```
 ### 1.3 v1.4.2 Architecture Compliance
 | Principle | Compliance | Notes |
 |-----------|------------|-------|
 | Minimal code | **Yes** | 41 lines added for significant functionality |
 | Standards first | **Yes** | HEIC conversion preserves IndieWeb compatibility |
 | No lock-in | **Yes** | JPEG output is universal |
 | Single responsibility | **Yes** | Validation handles input normalization |
 | Documentation | **Partial** | Design doc complete; module docstring stale |
 ---
 ## Part 2: End-to-End Media Pipeline Review
 ### 2.1 Architecture Diagram
 ```
                                 MEDIA PIPELINE ARCHITECTURE
                                 ===========================
 USER UPLOAD                                                     FEED DELIVERY
 ===========                                                     ============
                         +-------------------+
   Admin UI              |                   |
   /admin/new ---------> |   validate_image  | ----+
   POST multipart        |                   |     |
                         +-------------------+     |
                                                   |
                         +-------------------+     |     +------------------+
   Micropub Endpoint     |                   |     |     |                  |
   /media POST --------> |    save_media     |<----+---->|   SQLite DB      |
   multipart/form-data   |                   |           |   - media        |
                         +-------------------+           |   - note_media   |
                                 |                       |   - media_vars   |
                                 v                       +------------------+
                         +-------------------+                    ^
                         |                   |                    |
                         |  optimize_image   |                    |
                         |  (resize, compress)|                   |
                         +-------------------+                    |
                                 |                                |
                                 v                                |
                         +-------------------+                    |
                         |                   |                    |
                         | generate_variants |--------------------+
                         | (thumb/sm/md/lg)  |
                         +-------------------+
                                 |
                                 v
                         +-------------------+
                         |                   |
                         |   FILESYSTEM      |
                         |   data/media/     |
                         |   YYYY/MM/uuid.ext|
                         +-------------------+
                                 |
                                 |
    +----------------------------+----------------------------+
    |                            |                            |
    v                            v                            v
 +--------+               +--------+                   +--------+
 |  RSS   |               |  ATOM  |                   |  JSON  |
 | /feed  |               | /feed  |                   | /feed  |
 | .xml   |               | .atom  |                   | .json  |
 +--------+               +--------+                   +--------+
    |                            |                            |
    +----------------------------+----------------------------+
                                 |
                                 v
                         +-------------------+
                         |                   |
                         |   /media/<path>   |
                         |   Static serving  |
                         +-------------------+
 ```
 ### 2.2 Stage-by-Stage Analysis
 #### Stage 1: Upload Entry Points
 **Admin Upload (`/home/phil/Projects/starpunk/starpunk/routes/admin.py`, lines 112-136)**
 | Aspect | Assessment | Notes |
 |--------|------------|-------|
 | Authentication | **Good** | `@require_auth` decorator enforced |
 | Input validation | **Partial** | Relies on `save_media`; no pre-check on file count |
 | Error handling | **Good** | Per-file errors collected; partial success allowed |
 | Content-Type check | **Missing** | No verification of `multipart/form-data` |
 **Issues**:
 - No maximum file count enforced at route level (relies on downstream check)
 - `request.files.getlist('media_files')` could be empty list with misleading behavior
 **Micropub Upload (`/home/phil/Projects/starpunk/starpunk/routes/micropub.py`, lines 124-202)**
 | Aspect | Assessment | Notes |
 |--------|------------|-------|
 | Authentication | **Good** | Token extraction and verification |
 | Scope check | **Good** | Requires `create` scope |
 | Content-Type check | **Good** | Explicit `multipart/form-data` verification |
 | Input validation | **Good** | Single file field validated |
 | Error handling | **Good** | OAuth 2.0 error format |
 **Issues**:
 - None significant; well-implemented endpoint
 #### Stage 2: Validation (`validate_image`)
 **Location**: `/home/phil/Projects/starpunk/starpunk/media.py`, lines 79-219
 | Check | Order | Assessment |
 |-------|-------|------------|
 | File size | 1st | **Good** - Early rejection before processing |
 | Pillow verify | 2nd | **Good** - Validates image integrity |
 | HEIC fallback | 3rd | **Acceptable** - Complex but necessary |
 | Format conversion | 4th | **Good** - HEIC/MPO to JPEG |
 | MIME type check | 5th | **Good** - Whitelist approach |
 | Dimension check | 6th | **Good** - Prevents memory issues |
 | Animated GIF check | 7th | **Good** - Special handling for animations |
 **Issues Found**:
 ##### Issue 2.2.1: No Content-Type Header Validation (MEDIUM)
 **Problem**: The upload content-type from the HTTP request is not validated against the detected image format.
 **Impact**: Potential for MIME type confusion attacks. A file uploaded as `image/png` could actually be a JPEG.
 **Recommendation**: Log warning when declared MIME type differs from detected format.
 ##### Issue 2.2.2: Missing WebP Animation Detection (LOW)
 **Problem**: Animated GIF detection exists but animated WebP is not handled.
 **Impact**: Large animated WebP files could bypass the animated image size check.
 **Recommendation**: Add animated WebP detection similar to GIF handling.
 ##### Issue 2.2.3: Pillow Decompression Bomb Protection (LOW)
 **Problem**: No explicit `Image.MAX_IMAGE_PIXELS` configuration.
 **Impact**: Pillow has default protection, but explicit configuration documents intent.
 **Recommendation**: Add explicit `Image.MAX_IMAGE_PIXELS` setting or document reliance on default.
 #### Stage 3: Optimization (`optimize_image`)
 **Location**: `/home/phil/Projects/starpunk/starpunk/media.py`, lines 222-304
 | Aspect | Assessment | Notes |
 |--------|------------|-------|
 | Tiered strategy | **Good** | Size-aware quality/dimension selection |
 | EXIF handling | **Good** | Orientation correction applied |
 | GIF passthrough | **Good** | Animated GIFs preserved |
 | Iterative reduction | **Good** | Quality then dimension reduction |
 | Safety limits | **Good** | MIN_DIMENSION prevents infinite loop |
 **Issues Found**:
 ##### Issue 2.2.4: PNG Optimization Limited (LOW)
 **Problem**: PNG files only get `optimize=True` flag; no palette reduction or other optimizations.
 **Impact**: Large PNG files may not compress well.
 **Recommendation**: Consider PNG-specific optimization (pngquant integration) for future release.
 ##### Issue 2.2.5: No WebP Quality Handling (LOW)
 **Problem**: WebP gets same quality treatment as JPEG but WebP quality values behave differently.
 **Impact**: WebP files may not be optimized as expected.
 **Recommendation**: Consider WebP-specific quality mapping.
 #### Stage 4: Variant Generation (`generate_all_variants`)
 **Location**: `/home/phil/Projects/starpunk/starpunk/media.py`, lines 306-452
 | Aspect | Assessment | Notes |
 |--------|------------|-------|
 | Spec definitions | **Good** | Clear variant specifications |
 | Skip logic | **Good** | Smaller images skip larger variants |
 | Cleanup on failure | **Good** | Created files removed on error |
 | Database integration | **Good** | Variants recorded with dimensions |
 **Issues Found**:
 ##### Issue 2.2.6: Transaction Not Atomic (MEDIUM)
 **Problem**: Files are created on disk before database commit. If database fails, files remain orphaned (cleanup only happens on exception within the loop).
 ```python
 try:
    for variant_type in ['thumb', 'small', 'medium', 'large']:
        variant = generate_variant(...)  # File created
        variants.append(variant)
        created_files.append(...)
        db.execute(...)  # DB insert
    db.execute(...)  # Original variant
    db.commit()  # <-- If this fails, files already exist
 ```
 **Impact**: Database failure after file creation could leave orphaned files.
 **Recommendation**: Consider writing to temp location first, then moving after commit.
 ##### Issue 2.2.7: Variant Path Calculation Fragile (LOW)
 **Problem**: Line 363 calculates relative path using parent traversal:
 ```python
 'path': str(variant_path.relative_to(base_path.parent.parent))
 ```
 **Impact**: Dependent on directory structure assumptions.
 **Recommendation**: Use explicit path construction as done for original (lines 428-429).
 #### Stage 5: Storage and Serving
 **Location**: `/home/phil/Projects/starpunk/starpunk/routes/public.py`, lines 174-221
 | Aspect | Assessment | Notes |
 |--------|------------|-------|
 | Path traversal protection | **Good** | Resolve and prefix check |
 | Cache headers | **Good** | 1 year immutable cache |
 | File serving | **Good** | Uses Flask's `send_from_directory` |
 **Issues Found**:
 ##### Issue 2.2.8: Symlink Following (LOW)
 **Problem**: `resolve()` follows symlinks, which could potentially escape the media directory if symlinks exist within.
 **Impact**: Low risk since symlinks would need to be created manually.
 **Recommendation**: Add `strict=True` to resolve for Python 3.6+ or check `is_symlink()`.
 #### Stage 6: Feed Integration
 **Locations**:
 - `/home/phil/Projects/starpunk/starpunk/feeds/rss.py`
 - `/home/phil/Projects/starpunk/starpunk/routes/public.py` (`_get_cached_notes`)
 | Aspect | Assessment | Notes |
 |--------|------------|-------|
 | Media attachment | **Good** | Media loaded and attached to notes |
 | URL construction | **Good** | Consistent absolute URLs |
 | Media RSS | **Good** | Proper namespace and elements |
 | Enclosure element | **Good** | First image for RSS 2.0 spec |
 | Variant selection | **Good** | Fallback order for default variant |
 **Issues Found**:
 ##### Issue 2.2.9: N+1 Query Pattern in Feed Generation (MEDIUM)
 **Problem**: In `_get_cached_notes()`, media and tags are loaded per-note in loops:
 ```python
 for note in notes:
    media = get_note_media(note.id)  # DB query per note
    object.__setattr__(note, 'media', media)
    tags = get_note_tags(note.id)    # DB query per note
 ```
 **Impact**: For 50 notes, this is 100 additional queries. Performance degrades with more notes.
 **Recommendation**: Implement batch loading:
 ```python
 def get_media_for_notes(note_ids: List[int]) -> Dict[int, List[Dict]]:
    # Single query with WHERE note_id IN (...)
 ```
 ##### Issue 2.2.10: Caption Not Escaped in RSS (LOW)
 **Problem**: In RSS generation, caption is used directly in alt attribute:
 ```python
 html_content += f'<img src="{media_url}" alt="{caption}" />'
 ```
 **Impact**: If caption contains `"` or other HTML special characters, could break markup.
 **Recommendation**: Use `html.escape()` for caption in HTML context.
 ### 2.3 Security Assessment
 | Category | Status | Notes |
 |----------|--------|-------|
 | **Authentication** | **Good** | Admin routes protected; Micropub uses token auth |
 | **Authorization** | **Good** | Scope checking on Micropub |
 | **File Type Validation** | **Good** | Whitelist + Pillow verification |
 | **Path Traversal** | **Good** | Protected in media serving |
 | **File Size Limits** | **Good** | 50MB upload, 10MB output |
 | **Dimension Limits** | **Good** | 12000px max input |
 | **Filename Handling** | **Good** | UUID-based storage filenames |
 | **Debug File Exposure** | **Needs Attention** | Debug files may contain malicious content |
 | **DoS Protection** | **Partial** | Limits exist but no rate limiting |
 **Security Recommendations**:
 1. **Add rate limiting** on media upload endpoints (medium priority)
 2. **Disable debug file saving** in production or add access controls (medium priority)
 3. **Log MIME type mismatches** for security monitoring (low priority)
 4. **Consider Content-Security-Policy** headers for served media (low priority)
 ### 2.4 Performance Assessment
 | Operation | Assessment | Notes |
 |-----------|------------|-------|
 | Upload processing | **Acceptable** | In-memory processing; synchronous variant generation |
 | Feed generation | **Needs Improvement** | N+1 query pattern |
 | Media serving | **Good** | Static file serving with long cache |
 | Caching | **Good** | Feed caching with ETag support |
 **Performance Recommendations**:
 1. **Implement batch media loading** for feeds (high priority)
 2. **Consider async variant generation** for large uploads (low priority)
 3. **Add database query logging** in development mode (low priority)
 ---
 ## Part 3: Recommendations Summary
 ### 3.1 Immediate Fixes (None Critical)
 No blocking issues found. The implementation is production-ready.
 ### 3.2 Future Improvements
 #### High Priority
 | Item | Description | Effort |
 |------|-------------|--------|
 | N+1 Query Fix | Batch load media/tags for feeds | Small |
 | Debug File Controls | Config option + cleanup mechanism | Small |
 #### Medium Priority
 | Item | Description | Effort |
 |------|-------------|--------|
 | Rate Limiting | Add upload rate limits | Medium |
 | Caption Escaping | HTML escape in feed generation | Small |
 | Filename Sanitization | Sanitize debug filenames | Small |
 | Transaction Atomicity | Temp files before commit | Medium |
 #### Low Priority
 | Item | Description | Effort |
 |------|-------------|--------|
 | WebP Animation | Detect animated WebP | Small |
 | PNG Optimization | Enhanced PNG compression | Medium |
 | Decompression Bomb Config | Explicit pixel limit | Trivial |
 | Symlink Handling | Stricter path resolution | Small |
 | Module Docstring | Update documentation | Trivial |
 ### 3.3 Technical Debt Register
 | Item | Location | Notes |
 |------|----------|-------|
 | Complex HEIC fallback logic | `media.py:111-139` | Works but could be cleaner |
 | Variant path calculation | `media.py:363` | Uses parent traversal |
 | Debug file accumulation | `media.py:133-137` | No cleanup mechanism |
 | N+1 queries in feed | `public.py:68-74` | Performance impact |
 ---
 ## Part 4: Architectural Observations
 ### 4.1 Strengths
 1. **Clean separation of concerns**: Validation, optimization, variant generation are distinct functions
 2. **Defensive programming**: Extensive try/except blocks with proper cleanup
 3. **Standards compliance**: Good adherence to IndieWeb, RSS, and W3C specs
 4. **Logging**: Comprehensive logging at INFO and WARNING levels
 5. **Backward compatibility**: Variants are optional; pre-v1.4.0 media works
 ### 4.2 Design Pattern Compliance
 | Pattern | Usage | Assessment |
 |---------|-------|------------|
 | Route Adapter | Feed generation | **Good** |
 | Graceful Degradation | HEIC support | **Good** |
 | Early Rejection | File size check | **Good** |
 | Iterative Optimization | Quality reduction | **Good** |
 | UUID-based Storage | Collision avoidance | **Good** |
 ### 4.3 Areas for Future ADRs
 1. **Media Processing Strategy**: Consider documenting the full media pipeline as an ADR
 2. **Debug/Diagnostic Data Handling**: Policy for storing failed uploads
 3. **Performance Targets**: Document expected query counts and response times
 ---
 ## Conclusion
 The v1.4.2 implementation successfully addresses the iPhone HEIC upload issue with minimal, clean changes. The broader media pipeline is well-architected with appropriate security controls and error handling. The main areas for improvement are:
 1. **Performance**: N+1 query pattern in feed generation should be addressed
 2. **Operations**: Debug file management needs cleanup mechanism
 3. **Security**: Rate limiting would harden upload endpoints
 None of these issues block the v1.4.2 release. They should be tracked in the project backlog for future releases.
 **Recommendation**: Accept v1.4.2 as implemented. Create backlog items for identified improvements.
 ---
 ## Appendix: Files Reviewed
 | File | Lines | Purpose |
 |------|-------|---------|
 | `starpunk/media.py` | 775 | Core media handling |
 | `starpunk/routes/admin.py` | 603 | Admin upload endpoint |
 | `starpunk/routes/micropub.py` | 203 | Micropub media endpoint |
 | `starpunk/routes/public.py` | 567 | Media serving, feeds |
 | `starpunk/feeds/rss.py` | 601 | RSS feed with media |
 | `migrations/007_add_media_support.sql` | 38 | Media schema |
 | `migrations/009_add_media_variants.sql` | 22 | Variant schema |
 | `docs/decisions/ADR-057-media-attachment-model.md` | 110 | Media architecture |
 | `docs/decisions/ADR-058-image-optimization-strategy.md` | 183 | Optimization strategy |
 | `docs/design/v1.4.2/heic-support-design.md` | 220 | HEIC design spec |
 | `docs/design/v1.4.2/2025-12-16-implementation-report.md` | 171 | Implementation report |
--- a/docs/design/v1.4.2/2025-12-16-developer-review.md
+++ b/docs/design/v1.4.2/2025-12-16-developer-review.md
@@ -0,0 +1,360 @@
 # v1.4.2 Developer Review - HEIC/MPO Support and Dimension Limit Increase
 **Date**: 2025-12-16
 **Reviewer**: Claude (Fullstack Developer Agent - Review Mode)
 **Implementation Report**: `/home/phil/Projects/starpunk/docs/design/v1.4.2/2025-12-16-implementation-report.md`
 **Design Document**: `/home/phil/Projects/starpunk/docs/design/v1.4.2/heic-support-design.md`
 ## Executive Summary
 The v1.4.2 implementation successfully addresses iPhone photo upload issues through HEIC/MPO format support and increased dimension limits. The implementation is **production-ready** with **minor recommendations** for improvements. All core functionality works correctly, tests pass, and backward compatibility is maintained.
 **Overall Assessment**: APPROVED with recommendations for follow-up enhancements
 ## Implementation Summary
 ### Changes Delivered
 1. **HEIC/HEIF Support** - Automatic detection and conversion to JPEG
 2. **MPO Support** - Multi-Picture Object format handling for iPhone depth/portrait photos
 3. **Dimension Limit Increase** - From 4096px to 12000px (supports 48MP+ cameras)
 4. **Enhanced Error Handling** - Fallback HEIC detection, debug logging, and file saving
 5. **Graceful Degradation** - Works without pillow-heif library (with clear errors)
 ### Files Modified
 - `starpunk/media.py` - Core media handling logic
 - `starpunk/config.py` - Added MAX_CONTENT_LENGTH
 - `requirements.txt` - Added pillow-heif dependency, bumped Pillow version
 - `tests/test_media_upload.py` - Added HEIC test coverage
 - `CHANGELOG.md` - Release notes
 - `starpunk/__init__.py` - Version bump to 1.4.2
 ## Code Quality Assessment
 ### Strengths
 1. **Minimal Changes**: Implementation focused on specific problem without scope creep
 2. **Error Handling**: Comprehensive fallback strategy for HEIC detection
 3. **Debug Support**: Failed uploads saved to debug directory with magic bytes logged
 4. **Test Coverage**: 5 new HEIC-specific tests, all passing (33/33 total)
 5. **Documentation**: Clear inline comments explaining iPhone-specific behavior
 6. **Backward Compatibility**: No breaking changes, existing uploads unaffected
 ### Issues Found
 #### Critical Issues
 **None identified**
 #### Major Issues
 **None identified**
 #### Minor Issues
 **M1: MPO Format Has No Test Coverage**
 - **Location**: `starpunk/media.py` lines 163-173
 - **Issue**: MPO conversion code exists but no tests verify it works
 - **Impact**: MPO handling is untested; potential for silent failures
 - **Evidence**: Grep search found zero MPO test cases in test suite
 - **Recommendation**: Add MPO test case to `TestHEICSupport` class:
  ```python
  def test_mpo_detection_and_conversion(self):
      """Test MPO file is detected and converted to JPEG"""
      # MPO format is used by iPhone for depth/portrait mode photos
      # Create an MPO test image (Pillow supports creating these)
      # ... test implementation
  ```
 - **Severity**: Minor (MPO is relatively rare format, but advertised in CHANGELOG)
 **M2: Debug File Saving Could Fill Disk**
 - **Location**: `starpunk/media.py` lines 133-137
 - **Issue**: Failed uploads saved to `data/debug/` without size limits or cleanup
 - **Impact**: Repeated failed uploads could accumulate and consume disk space
 - **Scenario**: Malicious user repeatedly uploads invalid 50MB files
 - **Recommendation**: Add cleanup strategy:
  - Limit debug directory to 100MB total
  - Auto-delete files older than 7 days
  - Add config option `DEBUG_SAVE_FAILED_UPLOADS` (default: false in production)
 - **Severity**: Minor (requires deliberate abuse; easily monitored)
 **M3: HEIC Conversion Quality Not Configurable**
 - **Location**: `starpunk/media.py` line 157
 - **Issue**: Hardcoded `quality=95` for HEIC→JPEG conversion
 - **Impact**: Users with different quality/size tradeoff preferences cannot adjust
 - **Current Behavior**: 95% quality always used, then subsequent optimization may reduce further
 - **Recommendation**: Consider adding `HEIC_CONVERSION_QUALITY` config variable
 - **Severity**: Minor (95% is reasonable default; optimization handles size anyway)
 **M4: Missing Dimension Limit in Config**
 - **Location**: `starpunk/media.py` line 41
 - **Issue**: `MAX_DIMENSION = 12000` is hardcoded constant
 - **Impact**: Cannot adjust limit without code change
 - **Rationale**: Design doc shows this was intentional (comment says "v1.4.2 - supports modern phone cameras")
 - **Recommendation**: Consider making this configurable in future versions
 - **Severity**: Minor (12000px is generous; few use cases for larger)
 **M5: Incomplete Documentation of MPO Format**
 - **Location**: `starpunk/media.py` lines 163-165
 - **Issue**: Comment says "extract primary image" but doesn't explain multi-frame nature
 - **Missing Context**: MPO files contain multiple images (left/right for 3D, or depth map)
 - **Recommendation**: Enhance comment:
  ```python
  # MPO (Multi-Picture Object) conversion (v1.4.2)
  # MPO is used by iPhones for depth/portrait photos - contains multiple frames
  # (e.g., original + depth map). We extract only the primary/first frame as JPEG.
  # Depth information is discarded, which is acceptable for web display.
  ```
 - **Severity**: Minor (code works correctly; just documentation clarity)
 ## Security Review
 ### Findings
 **S1: Debug File Naming Could Leak Timing Information**
 - **Location**: `starpunk/media.py` line 135
 - **Issue**: Filename includes timestamp with second precision
 - **Pattern**: `failed_20251216_174532_photo.heic`
 - **Concern**: Timing could reveal upload attempt patterns
 - **Recommendation**: Use UUID instead of timestamp, or truncate to date only
 - **Severity**: Very Low (minimal actual risk; defense in depth)
 **S2: Increased Attack Surface from pillow-heif**
 - **Location**: `requirements.txt` line 38
 - **Issue**: New dependency increases vulnerability surface area
 - **Mitigation**: Version is pinned (`pillow-heif==0.18.*`)
 - **Recommendation**:
  - Monitor pillow-heif security advisories
  - Document in security policy that HEIC support requires this dependency
  - Consider making pillow-heif optional in future (already has graceful degradation)
 - **Severity**: Low (acceptable tradeoff for iPhone support)
 **S3: No Magic Bytes Validation for HEIC**
 - **Location**: `starpunk/media.py` lines 115-121
 - **Issue**: Fallback HEIC detection uses `pillow_heif.read_heif()` without verifying magic bytes first
 - **Risk**: Could attempt to parse arbitrary binary data as HEIC
 - **Current Mitigation**: Exception handling catches parse failures
 - **Recommendation**: Add magic bytes check before calling `read_heif()`:
  ```python
  # Check for HEIC/HEIF magic bytes (ftyp followed by heic/heix/hevc/etc)
  if file_data[4:8] == b'ftyp' and file_data[8:12] in [b'heic', b'heix', b'hevc', b'heim']:
      # Proceed with read_heif()
  ```
 - **Severity**: Very Low (existing exception handling prevents exploitation)
 ### Security Assessment: ACCEPTABLE
 No critical or major security issues identified. The increased attack surface from pillow-heif is an acceptable tradeoff for iPhone compatibility.
 ## Performance Analysis
 ### Observations
 1. **HEIC Conversion Overhead**: Implementation report notes ~100-300ms per image
 2. **In-Memory Processing**: Uses BytesIO (no temp files) - good for security and performance
 3. **Double Processing**: HEIC files processed twice (conversion + optimization)
   - Could be optimized by combining steps, but current approach is cleaner
 4. **Large File Handling**: 50MB files through HEIC conversion could spike memory
   - Current implementation acceptable (server-grade machines)
 ### Performance Assessment: ACCEPTABLE
 No significant performance concerns. The double-processing of HEIC files is a reasonable tradeoff for code simplicity and maintainability.
 ## Test Coverage Analysis
 ### Coverage Breakdown
 **HEIC Tests (5 cases):**
 - ✅ Basic detection and conversion
 - ✅ RGBA mode handling
 - ✅ Dimension preservation
 - ✅ Error without library
 - ✅ Full upload flow
 **Missing Tests:**
 - ❌ MPO format handling (see M1)
 - ❌ Large HEIC file (40MB+) conversion
 - ❌ Corrupted HEIC file handling
 - ❌ Debug file saving behavior
 - ❌ Fallback HEIC detection path (lines 115-121)
 ### Test Coverage Assessment: GOOD
 HEIC support is well-tested. MPO support is the main gap. Recommend adding tests for:
 1. MPO format (priority: high)
 2. Fallback HEIC detection path (priority: medium)
 3. Debug file saving (priority: low)
 ## Edge Cases Review
 ### Handled Correctly
 1. ✅ HEIC with alpha channel → RGB conversion
 2. ✅ HEIC with P mode → RGB conversion
 3. ✅ Missing pillow-heif library → Clear error
 4. ✅ HEIC files >50MB → Rejected at validation
 5. ✅ iOS mislabeled files (HEIC with .jpeg extension) → Fallback detection
 ### Not Handled / Unclear
 1. **Animated HEIC sequences**: Do they exist? If so, behavior undefined
   - Recommendation: Document that only first frame is used (like MPO)
 2. **HEIC with EXIF orientation**: Does conversion preserve EXIF?
   - Code re-opens image after conversion, so EXIF lost
   - Subsequent `optimize_image()` applies EXIF orientation, so this is OK
 3. **Very large dimension HEIC (8000x12000)**: Will conversion succeed?
   - Should work (within 12000px limit), but not explicitly tested
 ## Documentation Review
 ### CHANGELOG.md
 **Assessment**: GOOD
 - Clear feature descriptions
 - Mentions both HEIC and MPO
 - Documents dimension limit increase
 - Lists dependency changes
 **Suggestion**: Add upgrade notes section:
 ```markdown
 ### Upgrade Notes
 - Run `pip install -r requirements.txt` to install pillow-heif
 - No configuration changes required
 - Existing media uploads unaffected
 ```
 ### Inline Comments
 **Assessment**: GOOD
 - Clear version markers (v1.4.2)
 - Explains WHY (browsers can't display HEIC, iOS uses MPO for depth)
 - Links to relevant concepts (portrait mode, depth maps)
 ### Implementation Report
 **Assessment**: EXCELLENT
 - Comprehensive technical decisions documented
 - Clear before/after code examples
 - Deployment notes included
 - Performance considerations noted
 ## Technical Debt Assessment
 ### New Debt Introduced
 1. **Fallback HEIC Detection Complexity**: Lines 111-142 are complex nested exception handling
   - Could be refactored into separate function for clarity
   - Not urgent; works correctly
 2. **Debug File Accumulation**: See M2 above
 3. **Hardcoded Constants**: See M3 and M4 above
 ### Debt Assessment: LOW
 Minimal new technical debt. The complex error handling is justified by the real-world issue it solves (iOS mislabeling files).
 ## Dependencies Review
 ### New Dependencies
 **pillow-heif==0.18.***
 - Purpose: HEIC/HEIF format support
 - License: BSD-3-Clause (compatible)
 - Maintenance: Active (last release 2024)
 - Security: No known CVEs as of 2025-12-16
 **Pillow 10.0.* → 10.1.***
 - Reason: Required by pillow-heif
 - Risk: Minor version bump
 - Mitigation: Full test suite passed (879 tests)
 ### Dependencies Assessment: ACCEPTABLE
 Dependencies are well-maintained, properly licensed, and version-pinned.
 ## Recommendations
 ### Immediate (Before Production Deployment)
 **None** - Implementation is production-ready as-is
 ### Short-Term (Next Patch/Minor Release)
 1. **Add MPO test coverage** (M1) - Priority: HIGH
   - Advertised in CHANGELOG but untested
   - Create test case in `TestHEICSupport` class
 2. **Add debug file cleanup** (M2) - Priority: MEDIUM
   - Prevent disk exhaustion from failed uploads
   - Add size limit and age-based cleanup
 3. **Document edge cases in code** (M5) - Priority: LOW
   - Enhance MPO comment to explain multi-frame nature
   - Add comment about animated HEIC handling (if applicable)
 ### Long-Term (Future Versions)
 1. **Make HEIC quality configurable** (M3)
 2. **Make MAX_DIMENSION configurable** (M4)
 3. **Add magic bytes validation** (S3)
 4. **Refactor fallback detection** (Technical Debt #1)
 5. **Consider WebP conversion target** (Better compression than JPEG)
 ## Deployment Checklist
 - ✅ Dependencies updated in requirements.txt
 - ✅ Version number incremented
 - ✅ CHANGELOG.md updated
 - ✅ Tests pass (33/33 media tests, 879/879 total)
 - ✅ Backward compatibility maintained
 - ✅ No database migrations required
 - ✅ No configuration changes required
 - ⚠️ MPO format untested (see M1)
 ## Conclusion
 The v1.4.2 implementation successfully solves the iPhone photo upload problem with a clean, well-documented solution. The code quality is high, security concerns are minimal, and backward compatibility is maintained.
 **Recommendation**: **APPROVE for production deployment**
 The identified minor issues (particularly MPO test coverage) should be addressed in a follow-up patch, but do not block this release. The implementation solves a real user problem (iPhone uploads failing) and does so safely.
 ### Confidence Level
 - **Code Quality**: HIGH (clean implementation, follows project standards)
 - **Security**: MEDIUM-HIGH (acceptable risk from new dependency)
 - **Test Coverage**: MEDIUM (HEIC well-tested, MPO untested)
 - **Documentation**: HIGH (clear comments and design docs)
 - **Overall**: HIGH (ready for production use)
 ## Follow-Up Actions
 ### For Developer
 1. Consider adding MPO test case before next release
 2. Monitor pillow-heif for security updates
 3. Add debug directory cleanup in v1.4.3 or v1.5.0
 ### For Architect
 1. Review recommendation to make MAX_DIMENSION configurable
 2. Decide if WebP conversion should replace JPEG for HEIC (better compression)
 3. Consider documenting animated HEIC handling policy
 ---
 **Review completed**: 2025-12-16
 **Reviewed by**: Claude (Fullstack Developer Agent)
 **Status**: Implementation APPROVED with minor recommendations
--- a/docs/design/v1.4.2/2025-12-16-implementation-report.md
+++ b/docs/design/v1.4.2/2025-12-16-implementation-report.md
@@ -0,0 +1,170 @@
 # v1.4.2 Implementation Report - HEIC Image Support
 **Date**: 2025-12-16
 **Developer**: Claude (Fullstack Developer Agent)
 **Status**: Completed
 **Design Document**: `/home/phil/Projects/starpunk/docs/design/v1.4.2/heic-support-design.md`
 ## Summary
 Successfully implemented HEIC/HEIF image format support for iPhone photo uploads. HEIC images are automatically detected and converted to JPEG format (browsers cannot display HEIC natively). Implementation includes graceful error handling when pillow-heif library is not installed.
 ## Implementation Details
 ### Files Modified
 1. **`requirements.txt`**
   - Added `pillow-heif==0.18.*` dependency
   - Updated `Pillow` from `10.0.*` to `10.1.*` (required by pillow-heif)
 2. **`starpunk/media.py`**
   - Added conditional import for `pillow_heif` with `HEIC_SUPPORTED` flag
   - Modified `validate_image()` function:
     - Updated return type from `Tuple[str, int, int]` to `Tuple[bytes, str, int, int]`
     - Added HEIC detection after image verification
     - Implemented HEIC to JPEG conversion at quality 95
     - Handles RGBA/P mode conversion to RGB (JPEG doesn't support alpha)
     - Re-opens converted image for further processing
   - Updated `save_media()` call site to unpack 4-tuple instead of 3-tuple
 3. **`starpunk/__init__.py`**
   - Updated `__version__` from `"1.4.1"` to `"1.4.2"`
   - Updated `__version_info__` from `(1, 4, 1)` to `(1, 4, 2)`
 4. **`tests/test_media_upload.py`**
   - Added `HEIC_SUPPORTED` import
   - Created `create_test_heic()` helper function
   - Updated existing validation tests to handle new 4-tuple return signature
   - Added new `TestHEICSupport` class with 5 test cases:
     - `test_heic_detection_and_conversion` - Verifies HEIC to JPEG conversion
     - `test_heic_with_rgba_mode` - Tests alpha channel handling
     - `test_heic_dimensions_preserved` - Verifies dimensions unchanged
     - `test_heic_error_without_library` - Tests graceful degradation
     - `test_heic_full_upload_flow` - End-to-end upload test
 5. **`CHANGELOG.md`**
   - Added v1.4.2 release entry with:
     - Feature additions (HEIC support, automatic conversion, error handling)
     - Dependency updates (pillow-heif, Pillow version bump)
 ## Technical Decisions
 ### D1: Conversion Quality Setting
 - **Decision**: Use `quality=95` for HEIC to JPEG conversion
 - **Rationale**: Preserves maximum detail from original; subsequent `optimize_image()` call will further compress if needed per size-aware strategy
 ### D2: Return Signature Change
 - **Decision**: Change `validate_image()` from 3-tuple to 4-tuple return
 - **Rationale**: Cleanest way to return converted bytes without adding new parameters or breaking encapsulation
 - **Impact**: Updated all call sites (only `save_media()` affected)
 ### D3: Pillow Version Bump
 - **Challenge**: `pillow-heif==0.18.0` requires `Pillow>=10.1.0`
 - **Decision**: Bump Pillow from `10.0.*` to `10.1.*`
 - **Risk Assessment**: Minor version bump unlikely to introduce breaking changes
 - **Mitigation**: Ran full test suite - all 879 tests pass
 ## Test Results
 All tests pass:
 ```
 tests/test_media_upload.py - 33/33 PASSED
  - 7 validation tests (updated for new signature)
  - 5 HEIC-specific tests (new)
  - 4 optimization tests
  - 3 save tests
  - 4 attachment tests
  - 2 deletion tests
  - 3 security tests
  - 5 logging tests
 ```
 Media-related tests across all suites: 51/51 PASSED
 ## Code Changes Summary
 ### Key Changes in `validate_image()`
 **Before** (v1.4.1):
 ```python
 def validate_image(file_data: bytes, filename: str) -> Tuple[str, int, int]:
    # ... validation logic ...
    return mime_type, width, height
 ```
 **After** (v1.4.2):
 ```python
 def validate_image(file_data: bytes, filename: str) -> Tuple[bytes, str, int, int]:
    # ... validation logic ...
    # HEIC/HEIF conversion (v1.4.2)
    if img.format in ('HEIF', 'HEIC'):
        if not HEIC_SUPPORTED:
            raise ValueError("HEIC/HEIF images require pillow-heif library...")
        # Convert to JPEG
        output = io.BytesIO()
        if img.mode in ('RGBA', 'P'):
            img = img.convert('RGB')
        img.save(output, format='JPEG', quality=95)
        output.seek(0)
        file_data = output.getvalue()
        img = Image.open(io.BytesIO(file_data))
    return file_data, mime_type, width, height
 ```
 ## Deployment Notes
 1. **Dependency Installation**: Run `uv pip install -r requirements.txt` to install pillow-heif
 2. **Backward Compatibility**: Fully backward compatible - existing uploads unaffected
 3. **Database**: No schema changes required
 4. **Configuration**: No config changes required
 5. **Graceful Degradation**: If pillow-heif not installed, HEIC uploads fail with helpful error message
 ## Performance Considerations
 - **Conversion Overhead**: HEIC to JPEG conversion adds ~100-300ms per image
 - **Memory Usage**: Conversion happens in-memory (BytesIO) - no temp files
 - **Subsequent Optimization**: Converted JPEG flows through existing optimization pipeline
 - **File Size**: HEIC typically converts to larger JPEG initially, then optimization reduces to target
 ## Edge Cases Handled
 1. **HEIC with alpha channel** - Converted to RGB (JPEG doesn't support alpha)
 2. **HEIC in P mode** - Converted to RGB for JPEG compatibility
 3. **Missing library** - Graceful error with actionable message
 4. **Already JPEG misnamed as HEIC** - Pillow format detection handles correctly
 5. **Large HEIC files** - Flow through existing 50MB limit and size-aware optimization
 ## Security Considerations
 - **Pillow vulnerability surface**: Increased slightly by adding pillow-heif
 - **Mitigation**: Using pinned versions (`0.18.*`), regular updates needed
 - **Input validation**: HEIC files still go through Pillow's `verify()` check
 - **Conversion safety**: JPEG conversion happens in controlled environment
 ## Follow-up Items
 None required for this release. Future considerations:
 1. Monitor pillow-heif for security updates
 2. Consider WebP as conversion target (better compression, modern browser support)
 3. Track conversion time metrics if performance becomes concern
 ## Developer Notes
 Implementation closely followed the design document at `docs/design/v1.4.2/heic-support-design.md`. All checklist items completed:
 - [x] Add `pillow-heif==0.18.*` to requirements.txt
 - [x] Add HEIC import and registration to media.py
 - [x] Modify `validate_image()` return type to include bytes
 - [x] Add HEIC detection and conversion logic to `validate_image()`
 - [x] Update `save_media()` to handle new return value
 - [x] Update `__version__` to "1.4.2"
 - [x] Add HEIC test cases
 - [x] Update CHANGELOG.md
 - [x] Run full test suite
 ## Conclusion
 v1.4.2 successfully implements HEIC image support with minimal code changes (41 lines added/modified in media.py). Implementation is clean, well-tested, and maintains backward compatibility. iPhone users can now upload photos directly without manual conversion.
--- a/docs/design/v1.4.2/heic-support-design.md
+++ b/docs/design/v1.4.2/heic-support-design.md
@@ -0,0 +1,219 @@
 # HEIC Image Support Design - v1.4.2
 **Status**: Ready for Implementation
 **Type**: Patch Release (backward compatible bug fix)
 **Date**: 2025-12-16
 ## Problem Statement
 iPhones save photos in HEIC format by default (since iOS 11). When users upload photos from iPhones to StarPunk, they receive "Invalid image format" errors because:
 1. HEIC is not in `ALLOWED_MIME_TYPES`
 2. Pillow cannot open HEIC files without the `pillow-heif` plugin
 3. iOS sometimes renames `.heic` files to `.jpeg` without converting, causing confusion
 HEIC files cannot be displayed directly in browsers, so conversion to JPEG is required.
 ## Design Overview
 This is a minimal patch release with a single conceptual change: detect HEIC/HEIF images and convert them to JPEG before processing. The implementation requires:
 1. **Dependency Addition**: Add `pillow-heif` to requirements.txt
 2. **Code Change**: Modify `validate_image()` in `starpunk/media.py` to detect and convert HEIC
 ## Implementation Specification
 ### 1. Dependency Update
 **File**: `/home/phil/Projects/starpunk/requirements.txt`
 Add after Pillow:
 ```
 # HEIC/HEIF Support (v1.4.2 - iPhone photos)
 pillow-heif==0.18.*
 ```
 Note: `pillow-heif` automatically registers with Pillow on import, enabling HEIC support.
 ### 2. Code Changes
 **File**: `/home/phil/Projects/starpunk/starpunk/media.py`
 #### 2.1 Add Import (top of file, after existing imports)
 ```python
 # HEIC/HEIF support - import registers with Pillow automatically
 try:
    import pillow_heif
    pillow_heif.register_heif_opener()
    HEIC_SUPPORTED = True
 except ImportError:
    HEIC_SUPPORTED = False
 ```
 Rationale: Conditional import allows graceful degradation if pillow-heif is not installed (e.g., during development).
 #### 2.2 Modify `validate_image()` Function
 Insert HEIC detection and conversion immediately after the Pillow image verification (line ~99), before the format check (line ~104).
 **Insert after line 99** (after `img = Image.open(io.BytesIO(file_data))`):
 ```python
    # HEIC/HEIF conversion (v1.4.2)
    # HEIC cannot be displayed in browsers, convert to JPEG
    if img.format in ('HEIF', 'HEIC'):
        if not HEIC_SUPPORTED:
            raise ValueError(
                "HEIC/HEIF images require pillow-heif library. "
                "Please convert to JPEG before uploading."
            )
        # Convert HEIC to JPEG in memory
        output = io.BytesIO()
        # Convert to RGB if needed (HEIC may have alpha channel)
        if img.mode in ('RGBA', 'P'):
            img = img.convert('RGB')
        img.save(output, format='JPEG', quality=95)
        output.seek(0)
        # Re-open as JPEG for further processing
        file_data = output.getvalue()
        img = Image.open(io.BytesIO(file_data))
 ```
 **Modify the return statement** to return the potentially converted `file_data`:
 The current function signature returns `Tuple[str, int, int]` (mime_type, width, height). We need to also return the converted bytes when HEIC conversion occurs.
 **Change return type** (line 84):
 ```python
 def validate_image(file_data: bytes, filename: str) -> Tuple[bytes, str, int, int]:
 ```
 **Change return statement** (line 138):
 ```python
    return file_data, mime_type, width, height
 ```
 #### 2.3 Update `save_media()` to Handle New Return Value
 **Modify line 400** in `save_media()`:
 ```python
        # Validate image (returns 4-tuple with potentially converted bytes)
        try:
            file_data, mime_type, orig_width, orig_height = validate_image(file_data, filename)
        except ValueError as e:
 ```
 Note: The `file_data` variable is already in scope, so this reassignment handles the HEIC conversion case transparently.
 ## Design Decisions
 ### D1: Convert at Validation Time
 **Decision**: Convert HEIC to JPEG during `validate_image()` rather than in a separate step.
 **Rationale**:
 - Keeps the change minimal (single function modification)
 - Converted data flows naturally through existing `optimize_image()` pipeline
 - No new function signatures or abstractions needed
 - Validation is the logical place to normalize input formats
 ### D2: Convert to JPEG (not WebP or PNG)
 **Decision**: Convert HEIC to JPEG format.
 **Rationale**:
 - JPEG has universal browser support
 - HEIC photos are typically photographic content, which JPEG handles well
 - Quality 95 preserves detail while reducing file size
 - Consistent with existing JPEG optimization pipeline
 ### D3: Graceful Degradation
 **Decision**: Use conditional import with `HEIC_SUPPORTED` flag.
 **Rationale**:
 - Allows code to work without pillow-heif during development
 - Provides clear error message if HEIC upload attempted without library
 - No runtime crash if dependency missing
 ### D4: Quality Setting
 **Decision**: Use quality=95 for HEIC to JPEG conversion.
 **Rationale**:
 - Preserves most detail from the original
 - Subsequent `optimize_image()` call will further compress if needed
 - Matches existing optimization tier behavior for high-quality inputs
 ## Testing Requirements
 ### Unit Tests
 Add to existing media tests in `/home/phil/Projects/starpunk/tests/test_media.py`:
 1. **Test HEIC detection and conversion**
   - Upload valid HEIC file
   - Verify output is JPEG format
   - Verify dimensions preserved
 2. **Test HEIC with alpha channel**
   - Upload HEIC with transparency
   - Verify conversion to RGB (no alpha in JPEG)
 3. **Test error handling without pillow-heif**
   - Mock `HEIC_SUPPORTED = False`
   - Verify appropriate error message
 ### Test Files
 A sample HEIC file is needed for testing. Options:
 - Create programmatically using pillow-heif
 - Download from a public test file repository
 - Use iPhone simulator to generate
 ## Migration Notes
 - **Database**: No changes required
 - **Configuration**: No changes required
 - **Existing uploads**: Not affected (HEIC was previously rejected)
 - **Backward compatibility**: Fully backward compatible
 ## Files Changed
 | File | Change |
 |------|--------|
 | `requirements.txt` | Add `pillow-heif==0.18.*` |
 | `starpunk/media.py` | Add HEIC import, modify `validate_image()` |
 | `starpunk/__init__.py` | Update `__version__` to `"1.4.2"` |
 | `CHANGELOG.md` | Add v1.4.2 release notes |
 | `tests/test_media.py` | Add HEIC test cases |
 ## Changelog Entry
 ```markdown
 ## [1.4.2] - 2025-12-XX
 ### Added
 - HEIC/HEIF image format support for iPhone photo uploads
 - Automatic HEIC to JPEG conversion (browsers cannot display HEIC)
 ### Dependencies
 - Added `pillow-heif` for HEIC image processing
 ```
 ## Implementation Checklist
 - [ ] Add `pillow-heif==0.18.*` to requirements.txt
 - [ ] Add HEIC import and registration to media.py
 - [ ] Modify `validate_image()` return type to include bytes
 - [ ] Add HEIC detection and conversion logic to `validate_image()`
 - [ ] Update `save_media()` to handle new return value
 - [ ] Update `__version__` to "1.4.2"
 - [ ] Add HEIC test cases
 - [ ] Update CHANGELOG.md
 - [ ] Run full test suite
--- a/docs/projectplan/BACKLOG.md
+++ b/docs/projectplan/BACKLOG.md
@@ -1,9 +1,20 @@
 # StarPunk Backlog
-**Last Updated**: 2025-12-10
+**Last Updated**: 2025-12-16
 ## Recently Completed
 ### v1.4.2 - HEIC/MPO Support and Dimension Limit Increase (Complete)
 - HEIC/HEIF format detection and conversion to JPEG
 - MPO (Multi-Picture Object) format support for iPhone depth photos
 - MAX_DIMENSION increased from 4096 to 12000 pixels
 - Enhanced debug logging for failed uploads
 ### v1.4.0/v1.4.1 - Media Variants (Complete)
 - Image variant generation (thumb, small, medium, large)
 - Micropub media endpoint
 - Enhanced feed media support with Media RSS
 ### v1.3.0 - Microformats2 Compliance and Tags (Complete)
 - Tag/Category system with database schema
 - p-category microformats2 markup
@@ -29,31 +40,63 @@
 ## High
-### Enhanced Feed Media Support *(Scheduled: v1.4.0)*
+### MPO Format Test Coverage
- Multiple image sizes/thumbnails (150px, 320px, 640px, 1280px)
+- **Description**: MPO conversion code exists but has no test coverage. MPO is advertised in the CHANGELOG but the handling is untested.
- Full Media RSS implementation (media:group, all attributes)
+- **Location**: `starpunk/media.py` lines 163-173
- Enhanced JSON Feed attachments
+- **Source**: Developer Review (M1)
- ATOM enclosure links for all media
+- **Approach**: Add `test_mpo_detection_and_conversion()` to `TestHEICSupport` class in `tests/test_media_upload.py`. Create an MPO test image using Pillow's MPO support.
 - See: ADR-059
-### POSSE 
+### POSSE
 - Native syndication to social networks
 - Supported networks:
-  - First iteration: 
+  - First iteration:
    - Mastodon (and compatible services)
    - Bluesky
-  - Second iteration 
+  - Second iteration
-    - TBD 
+    - TBD
 - Solution should include a configuration UI for setup
 ---
 ## Medium
-### Default slug change 
+### Debug File Storage Without Cleanup Mechanism
- The default slug should be a date time stamp 
+- **Description**: Failed uploads are saved to `data/debug/` directory for analysis, but there is no mechanism to clean up these files. This could consume significant disk space, especially if under attack.
 - **Location**: `starpunk/media.py` lines 133-137
 - **Source**: Developer Review (M2), Architect Review (Issue 1.2.2)
 - **Approach**:
  1. Add `DEBUG_SAVE_FAILED_UPLOADS` config option (default: false in production)
  2. Implement automatic cleanup (files older than 7 days)
  3. Add disk space check or size limit (e.g., 100MB max)
 ### Filename Not Sanitized in Debug Path (Security)
 - **Description**: The original filename is used directly in the debug file path without sanitization, which could cause path traversal or special character issues.
 - **Location**: `starpunk/media.py` line 135
 - **Source**: Architect Review (Issue 1.2.3)
 - **Approach**: Sanitize filename before use: `safe_filename = "".join(c for c in filename if c.isalnum() or c in "._-")[:50]`
 ### N+1 Query Pattern in Feed Generation
 - **Description**: In `_get_cached_notes()`, media and tags are loaded per-note in separate queries. For 50 notes, this is 100 additional database queries, degrading performance.
 - **Location**: `starpunk/routes/public.py` lines 68-74
 - **Source**: Architect Review (Issue 2.2.9)
 - **Approach**: Implement batch loading function `get_media_for_notes(note_ids: List[int])` using a single query with `WHERE note_id IN (...)`.
 ### Transaction Not Atomic in Variant Generation
 - **Description**: Files are written to disk before database commit. If the database commit fails, orphaned files remain on disk.
 - **Location**: `starpunk/media.py` lines 404-440
 - **Source**: Architect Review (Issue 2.2.6)
 - **Approach**: Write variant files to a temporary location first, then move to final location after successful database commit.
 ### Rate Limiting on Upload Endpoints
 - **Description**: No rate limiting exists on media upload endpoints, making them vulnerable to abuse.
 - **Location**: `/admin/new` (admin.py), `/media` (micropub.py)
 - **Source**: Architect Review (Security Assessment)
 - **Approach**: Implement Flask-Limiter or similar rate limiting middleware for upload routes.
 ### Default Slug Change
 - The default slug should be a date time stamp
 - YYYYMMDDHHMMSS
- Edge case, if the slug would somehow be a duplicate append a "-x" e.g. -1 
+- Edge case, if the slug would somehow be a duplicate append a "-x" e.g. -1
 ### Tag Enhancements (v1.3.0 Follow-up)
 - Tag pagination on archive pages (when note count exceeds threshold)
@@ -105,6 +148,42 @@
 ## Low
 ### HEIC/MPO Conversion Quality Not Configurable
 - **Description**: HEIC and MPO to JPEG conversion uses hardcoded `quality=95`. Users with different quality/size tradeoff preferences cannot adjust this.
 - **Location**: `starpunk/media.py` line 157
 - **Source**: Developer Review (M3)
 - **Approach**: Add `HEIC_CONVERSION_QUALITY` config variable with 95 as default.
 ### MAX_DIMENSION Not Configurable
 - **Description**: `MAX_DIMENSION = 12000` is a hardcoded constant. Cannot adjust limit without code change.
 - **Location**: `starpunk/media.py` line 41
 - **Source**: Developer Review (M4)
 - **Approach**: Make configurable via config variable, keeping 12000 as default.
 ### Animated WebP Not Detected
 - **Description**: Animated GIF detection exists but animated WebP is not handled, potentially bypassing animated image size checks.
 - **Location**: `starpunk/media.py` (validate_image function)
 - **Source**: Architect Review (Issue 2.2.2)
 - **Approach**: Add animated WebP detection similar to existing GIF handling.
 ### Caption Not Escaped in RSS HTML
 - **Description**: In RSS generation, caption is used directly in alt attribute without HTML escaping. Could break markup if caption contains `"` or other special characters.
 - **Location**: `starpunk/feeds/rss.py` line 136
 - **Source**: Architect Review (Issue 2.2.10)
 - **Approach**: Use `html.escape()` for caption when generating HTML content.
 ### Incomplete MPO Documentation
 - **Description**: Code comment says "extract primary image" but doesn't explain the multi-frame nature of MPO files (contain multiple images for 3D or depth maps).
 - **Location**: `starpunk/media.py` lines 163-165
 - **Source**: Developer Review (M5)
 - **Approach**: Enhance inline comment to document that MPO files contain multiple frames and only the primary frame is extracted.
 ### Module Docstring Stale
 - **Description**: Module docstring still states "4096x4096 max dimensions" but MAX_DIMENSION was updated to 12000 in v1.4.2.
 - **Location**: `starpunk/media.py` lines 1-12
 - **Source**: Architect Review (Issue 1.2.1)
 - **Approach**: Update docstring to reflect current 12000px limit.
 ### Flaky Migration Race Condition Tests
 - Improve `test_migration_race_condition.py::TestGraduatedLogging::test_debug_level_for_early_retries`
 - Test expects DEBUG retry messages but passes when migration succeeds without retries
--- a/requirements.txt
+++ b/requirements.txt
@@ -31,5 +31,8 @@ pytest==8.0.*
 # System Monitoring (v1.1.2)
 psutil==5.9.*
-# Image Processing (v1.2.0)
+# Image Processing (v1.2.0, updated v1.4.2 for HEIC support)
-Pillow==10.0.*
+Pillow==10.1.*
 # HEIC/HEIF Support (v1.4.2 - iPhone photos)
 pillow-heif==0.18.*
--- a/starpunk/init.py
+++ b/starpunk/init.py
@@ -325,5 +325,5 @@ def create_app(config=None):
 # Package version (Semantic Versioning 2.0.0)
 # See docs/standards/versioning-strategy.md for details
-__version__ = "1.4.0rc1"
+__version__ = "1.4.2"
-__version_info__ = (1, 4, 0, "rc1")
+__version_info__ = (1, 4, 2)
--- a/starpunk/config.py
+++ b/starpunk/config.py
@@ -86,6 +86,10 @@ def load_config(app, config_override=None):
    app.config["FEED_CACHE_ENABLED"] = os.getenv("FEED_CACHE_ENABLED", "true").lower() == "true"
    app.config["FEED_CACHE_MAX_SIZE"] = int(os.getenv("FEED_CACHE_MAX_SIZE", "50"))
    # Upload limits (v1.4.2)
    # Flask MAX_CONTENT_LENGTH limits request body size (matches media.py MAX_FILE_SIZE)
    app.config["MAX_CONTENT_LENGTH"] = 50 * 1024 * 1024  # 50MB
    # Metrics configuration (v1.1.2 Phase 1)
    app.config["METRICS_ENABLED"] = os.getenv("METRICS_ENABLED", "true").lower() == "true"
    app.config["METRICS_SLOW_QUERY_THRESHOLD"] = float(os.getenv("METRICS_SLOW_QUERY_THRESHOLD", "1.0"))
--- a/starpunk/media.py
+++ b/starpunk/media.py
@@ -7,7 +7,7 @@ Per ADR-057 and ADR-058:
 - 50MB max upload, 10MB max output (v1.4.0)
 - Image variants: thumb, small, medium, large (v1.4.0)
 - Tiered resize strategy based on input size (v1.4.0)
- 4096x4096 max dimensions
+- 12000x12000 max dimensions (v1.4.2)
 - 4 images max per note
 """
@@ -19,6 +19,14 @@ import io
 from typing import Optional, List, Dict, Tuple
 from flask import current_app
 # HEIC/HEIF support - import registers with Pillow automatically
 try:
    import pillow_heif
    pillow_heif.register_heif_opener()
    HEIC_SUPPORTED = True
 except ImportError:
    HEIC_SUPPORTED = False
 # Allowed MIME types per Q11
 ALLOWED_MIME_TYPES = {
    'image/jpeg': ['.jpg', '.jpeg'],
@@ -30,7 +38,7 @@ ALLOWED_MIME_TYPES = {
 # Limits per Q&A and ADR-058 (updated in v1.4.0)
 MAX_FILE_SIZE = 50 * 1024 * 1024  # 50MB (v1.4.0)
 MAX_OUTPUT_SIZE = 10 * 1024 * 1024  # 10MB target after optimization (v1.4.0)
-MAX_DIMENSION = 4096              # 4096x4096 max
+MAX_DIMENSION = 12000             # 12000x12000 max input (v1.4.2 - supports modern phone cameras)
 RESIZE_DIMENSION = 2048           # Auto-resize to 2048px (default)
 MIN_QUALITY = 70                  # Minimum JPEG quality before rejection (v1.4.0)
 MIN_DIMENSION = 640               # Minimum dimension before rejection (v1.4.0)
@@ -68,19 +76,21 @@ def get_optimization_params(file_size: int) -> Tuple[int, int]:
        return (1280, 85)
-def validate_image(file_data: bytes, filename: str) -> Tuple[str, int, int]:
+def validate_image(file_data: bytes, filename: str) -> Tuple[bytes, str, int, int]:
    """
    Validate image file
    Per Q11: Validate MIME type using Pillow
    Per Q6: Reject if >50MB or >4096px (updated v1.4.0)
    Per v1.4.2: Convert HEIC to JPEG (browsers cannot display HEIC)
    Args:
        file_data: Raw file bytes
        filename: Original filename
    Returns:
-        Tuple of (mime_type, width, height)
+        Tuple of (file_data, mime_type, width, height)
        Note: file_data may be converted (e.g., HEIC to JPEG)
    Raises:
        ValueError: If file is invalid
@@ -98,7 +108,69 @@ def validate_image(file_data: bytes, filename: str) -> Tuple[str, int, int]:
        # Re-open after verify (verify() closes the file)
        img = Image.open(io.BytesIO(file_data))
    except Exception as e:
-        raise ValueError(f"Invalid or corrupted image: {e}")
+        # v1.4.2: If Pillow can't open, try explicitly as HEIC
        # iOS sometimes saves HEIC with .jpeg extension
        if HEIC_SUPPORTED:
            try:
                heif_file = pillow_heif.read_heif(file_data)
                img = Image.frombytes(
                    heif_file.mode,
                    heif_file.size,
                    heif_file.data,
                    "raw",
                )
                # Mark as HEIF so conversion happens below
                img.format = 'HEIF'
            except Exception as heic_error:
                # Log the magic bytes and save file for debugging (if in app context)
                try:
                    magic = file_data[:12].hex() if len(file_data) >= 12 else file_data.hex()
                    current_app.logger.warning(
                        f'Media upload failed both Pillow and HEIC: filename="{filename}", '
                        f'magic_bytes={magic}, pillow_error="{e}", heic_error="{heic_error}"'
                    )
                    # Save failed file for analysis
                    debug_dir = Path(current_app.config.get('DATA_PATH', 'data')) / 'debug'
                    debug_dir.mkdir(parents=True, exist_ok=True)
                    debug_file = debug_dir / f"failed_{datetime.now().strftime('%Y%m%d_%H%M%S')}_{filename}"
                    debug_file.write_bytes(file_data)
                    current_app.logger.info(f'Saved failed upload for analysis: {debug_file}')
                except RuntimeError:
                    pass  # Outside app context (e.g., tests)
                raise ValueError(f"Invalid or corrupted image: {e}")
        else:
            raise ValueError(f"Invalid or corrupted image: {e}")
    # HEIC/HEIF conversion (v1.4.2)
    # HEIC cannot be displayed in browsers, convert to JPEG
    if img.format in ('HEIF', 'HEIC'):
        if not HEIC_SUPPORTED:
            raise ValueError(
                "HEIC/HEIF images require pillow-heif library. "
                "Please convert to JPEG before uploading."
            )
        # Convert HEIC to JPEG in memory
        output = io.BytesIO()
        # Convert to RGB if needed (HEIC may have alpha channel)
        if img.mode in ('RGBA', 'P'):
            img = img.convert('RGB')
        img.save(output, format='JPEG', quality=95)
        output.seek(0)
        # Re-open as JPEG for further processing
        file_data = output.getvalue()
        img = Image.open(io.BytesIO(file_data))
    # MPO (Multi-Picture Object) conversion (v1.4.2)
    # MPO is used by iPhones for depth/portrait photos - extract primary image as JPEG
    if img.format == 'MPO':
        output = io.BytesIO()
        # Convert to RGB if needed
        if img.mode in ('RGBA', 'P'):
            img = img.convert('RGB')
        img.save(output, format='JPEG', quality=95)
        output.seek(0)
        file_data = output.getvalue()
        img = Image.open(io.BytesIO(file_data))
    # Check format is allowed
    if img.format:
@@ -110,11 +182,20 @@ def validate_image(file_data: bytes, filename: str) -> Tuple[str, int, int]:
            mime_type = 'image/jpeg'
        if mime_type not in ALLOWED_MIME_TYPES:
-            raise ValueError(f"Invalid image format. Accepted: JPEG, PNG, GIF, WebP")
+            # Log the detected format for debugging (v1.4.2)
            try:
                current_app.logger.warning(
                    f'Media upload rejected format: filename="{filename}", '
                    f'detected_format="{img.format}", mime_type="{mime_type}"'
                )
            except RuntimeError:
                pass  # Outside app context
            raise ValueError(f"Invalid image format '{img.format}'. Accepted: JPEG, PNG, GIF, WebP")
    else:
        raise ValueError("Could not determine image format")
-    # Check dimensions
+    # Check dimensions (v1.4.2: increased to 12000px to support modern phone cameras)
    # Images will be resized by optimize_image() anyway
    width, height = img.size
    if max(width, height) > MAX_DIMENSION:
        raise ValueError(f"Image dimensions too large. Maximum is {MAX_DIMENSION}x{MAX_DIMENSION} pixels")
@@ -135,7 +216,7 @@ def validate_image(file_data: bytes, filename: str) -> Tuple[str, int, int]:
            # Not animated, continue normally
            pass
-    return mime_type, width, height
+    return file_data, mime_type, width, height
 def optimize_image(image_data: bytes, original_size: int = None) -> Tuple[Image.Image, int, int, bytes]:
@@ -391,81 +472,123 @@ def save_media(file_data: bytes, filename: str) -> Dict:
    """
    from starpunk.database import get_db
-    # Validate image (returns 3-tuple, signature unchanged)
+    # Capture file size for logging
    mime_type, orig_width, orig_height = validate_image(file_data, filename)
    # Compute file size for optimization strategy
    file_size = len(file_data)
-    # Optimize image with size-aware strategy (now returns 4-tuple with bytes)
+    try:
-    optimized_img, width, height, optimized_bytes = optimize_image(file_data, file_size)
+        # Validate image (returns 4-tuple with potentially converted bytes)
        try:
            file_data, mime_type, orig_width, orig_height = validate_image(file_data, filename)
        except ValueError as e:
            current_app.logger.warning(
                f'Media upload validation failed: filename="{filename}", '
                f'size={file_size}b, error="{e}"'
            )
            raise
-    # Generate UUID-based filename (per Q5)
+        # Optimize image with size-aware strategy (now returns 4-tuple with bytes)
-    file_ext = Path(filename).suffix.lower()
+        try:
-    if not file_ext:
+            optimized_img, width, height, optimized_bytes = optimize_image(file_data, file_size)
-        # Determine extension from MIME type
+        except ValueError as e:
-        for mime, exts in ALLOWED_MIME_TYPES.items():
+            current_app.logger.warning(
-            if mime == mime_type:
+                f'Media upload optimization failed: filename="{filename}", '
-                file_ext = exts[0]
+                f'size={file_size}b, error="{e}"'
-                break
+            )
            raise
-    stored_filename = f"{uuid.uuid4()}{file_ext}"
+        # Generate UUID-based filename (per Q5)
        file_ext = Path(filename).suffix.lower()
        if not file_ext:
            # Determine extension from MIME type
            for mime, exts in ALLOWED_MIME_TYPES.items():
                if mime == mime_type:
                    file_ext = exts[0]
                    break
-    # Create date-based path (per Q2)
+        stored_filename = f"{uuid.uuid4()}{file_ext}"
    now = datetime.now()
    year = now.strftime('%Y')
    month = now.strftime('%m')
    relative_path = f"{year}/{month}/{stored_filename}"
-    # Get media directory from app config
+        # Create date-based path (per Q2)
-    media_dir = Path(current_app.config.get('DATA_PATH', 'data')) / 'media'
+        now = datetime.now()
-    full_dir = media_dir / year / month
+        year = now.strftime('%Y')
-    full_dir.mkdir(parents=True, exist_ok=True)
+        month = now.strftime('%m')
        relative_path = f"{year}/{month}/{stored_filename}"
-    # Save optimized image (using bytes from optimize_image to avoid re-encoding)
+        # Get media directory from app config
-    full_path = full_dir / stored_filename
+        media_dir = Path(current_app.config.get('DATA_PATH', 'data')) / 'media'
-    full_path.write_bytes(optimized_bytes)
+        full_dir = media_dir / year / month
        full_dir.mkdir(parents=True, exist_ok=True)
-    # Get actual file size (from optimized bytes)
+        # Save optimized image (using bytes from optimize_image to avoid re-encoding)
-    actual_size = len(optimized_bytes)
+        full_path = full_dir / stored_filename
        full_path.write_bytes(optimized_bytes)
-    # Insert into database
+        # Get actual file size (from optimized bytes)
-    db = get_db(current_app)
+        actual_size = len(optimized_bytes)
    cursor = db.execute(
        """
        INSERT INTO media (filename, stored_filename, path, mime_type, size, width, height)
        VALUES (?, ?, ?, ?, ?, ?, ?)
        """,
        (filename, stored_filename, relative_path, mime_type, actual_size, width, height)
    )
    db.commit()
    media_id = cursor.lastrowid
-    # Generate variants (synchronous) - v1.4.0 Phase 2
+        # Insert into database
-    # Pass year, month, and optimized_bytes to avoid fragile path traversal and file I/O
+        db = get_db(current_app)
-    base_filename = stored_filename.rsplit('.', 1)[0]
+        cursor = db.execute(
-    variants = generate_all_variants(
+            """
-        optimized_img,
+            INSERT INTO media (filename, stored_filename, path, mime_type, size, width, height)
-        full_dir,
+            VALUES (?, ?, ?, ?, ?, ?, ?)
-        base_filename,
+            """,
-        file_ext,
+            (filename, stored_filename, relative_path, mime_type, actual_size, width, height)
-        media_id,
+        )
-        year,
+        db.commit()
-        month,
+        media_id = cursor.lastrowid
        optimized_bytes
    )
-    return {
+        # Generate variants (synchronous) - v1.4.0 Phase 2
-        'id': media_id,
+        # Pass year, month, and optimized_bytes to avoid fragile path traversal and file I/O
-        'filename': filename,
+        base_filename = stored_filename.rsplit('.', 1)[0]
-        'stored_filename': stored_filename,
+        variants = []
-        'path': relative_path,
+        try:
-        'mime_type': mime_type,
+            variants = generate_all_variants(
-        'size': actual_size,
+                optimized_img,
-        'width': width,
+                full_dir,
-        'height': height,
+                base_filename,
-        'variants': variants
+                file_ext,
-    }
+                media_id,
                year,
                month,
                optimized_bytes
            )
        except Exception as e:
            current_app.logger.warning(
                f'Media upload variant generation failed: filename="{filename}", '
                f'media_id={media_id}, error="{e}"'
            )
            # Continue - original image is still usable
        # Log success
        was_optimized = len(optimized_bytes) < file_size
        current_app.logger.info(
            f'Media upload successful: filename="{filename}", '
            f'stored="{stored_filename}", size={len(optimized_bytes)}b, '
            f'optimized={was_optimized}, variants={len(variants)}'
        )
        return {
            'id': media_id,
            'filename': filename,
            'stored_filename': stored_filename,
            'path': relative_path,
            'mime_type': mime_type,
            'size': actual_size,
            'width': width,
            'height': height,
            'variants': variants
        }
    except ValueError:
        # Already logged at WARNING level in validation/optimization blocks
        raise
    except Exception as e:
        current_app.logger.error(
            f'Media upload failed unexpectedly: filename="{filename}", '
            f'error_type="{type(e).__name__}", error="{e}"'
        )
        raise
 def attach_media_to_note(note_id: int, media_ids: List[int], captions: List[str]) -> None:
--- a/starpunk/routes/micropub.py
+++ b/starpunk/routes/micropub.py
@@ -199,5 +199,4 @@ def media_endpoint():
        return error_response("invalid_request", str(e), 400)
    except Exception as e:
        current_app.logger.error(f"Media upload failed: {e}")
        return error_response("server_error", "Failed to process upload", 500)
--- a/tests/test_media_upload.py
+++ b/tests/test_media_upload.py
@@ -21,6 +21,7 @@ from starpunk.media import (
    MAX_DIMENSION,
    RESIZE_DIMENSION,
    MAX_IMAGES_PER_NOTE,
    HEIC_SUPPORTED,
 )
@@ -45,44 +46,75 @@ def create_test_image(width=800, height=600, format='PNG'):
    return buffer.getvalue()
 def create_test_heic(width=800, height=600):
    """
    Generate test HEIC image using pillow-heif
    Args:
        width: Image width in pixels
        height: Image height in pixels
    Returns:
        Bytes of HEIC image data
    """
    if not HEIC_SUPPORTED:
        pytest.skip("pillow-heif not available")
    import pillow_heif
    # Create a simple RGB image
    img = Image.new('RGB', (width, height), color='blue')
    # Convert to HEIC
    buffer = io.BytesIO()
    heif_file = pillow_heif.from_pillow(img)
    heif_file.save(buffer, format='HEIF')
    buffer.seek(0)
    return buffer.getvalue()
 class TestImageValidation:
    """Test validate_image function"""
    def test_valid_jpeg(self):
        """Test validation of valid JPEG image"""
        image_data = create_test_image(800, 600, 'JPEG')
-        mime_type, width, height = validate_image(image_data, 'test.jpg')
+        file_data, mime_type, width, height = validate_image(image_data, 'test.jpg')
        assert mime_type == 'image/jpeg'
        assert width == 800
        assert height == 600
        assert file_data == image_data  # No conversion
    def test_valid_png(self):
        """Test validation of valid PNG image"""
        image_data = create_test_image(800, 600, 'PNG')
-        mime_type, width, height = validate_image(image_data, 'test.png')
+        file_data, mime_type, width, height = validate_image(image_data, 'test.png')
        assert mime_type == 'image/png'
        assert width == 800
        assert height == 600
        assert file_data == image_data  # No conversion
    def test_valid_gif(self):
        """Test validation of valid GIF image"""
        image_data = create_test_image(800, 600, 'GIF')
-        mime_type, width, height = validate_image(image_data, 'test.gif')
+        file_data, mime_type, width, height = validate_image(image_data, 'test.gif')
        assert mime_type == 'image/gif'
        assert width == 800
        assert height == 600
        assert file_data == image_data  # No conversion
    def test_valid_webp(self):
        """Test validation of valid WebP image"""
        image_data = create_test_image(800, 600, 'WEBP')
-        mime_type, width, height = validate_image(image_data, 'test.webp')
+        file_data, mime_type, width, height = validate_image(image_data, 'test.webp')
        assert mime_type == 'image/webp'
        assert width == 800
        assert height == 600
        assert file_data == image_data  # No conversion
    def test_file_too_large(self):
        """Test rejection of >10MB file (per Q6)"""
@@ -95,8 +127,8 @@ class TestImageValidation:
        assert "File too large" in str(exc_info.value)
    def test_dimensions_too_large(self):
-        """Test rejection of >4096px image (per ADR-058)"""
+        """Test rejection of >12000px image (v1.4.2: increased from 4096)"""
-        large_image = create_test_image(5000, 5000, 'PNG')
+        large_image = create_test_image(13000, 13000, 'PNG')
        with pytest.raises(ValueError) as exc_info:
            validate_image(large_image, 'huge.png')
@@ -113,6 +145,96 @@ class TestImageValidation:
        assert "Invalid or corrupted" in str(exc_info.value)
 class TestHEICSupport:
    """Test HEIC/HEIF image format support (v1.4.2)"""
    def test_heic_detection_and_conversion(self):
        """Test HEIC file is detected and converted to JPEG"""
        heic_data = create_test_heic(800, 600)
        file_data, mime_type, width, height = validate_image(heic_data, 'test.heic')
        # Should be converted to JPEG
        assert mime_type == 'image/jpeg'
        assert width == 800
        assert height == 600
        # file_data should be different (converted to JPEG)
        assert file_data != heic_data
        # Verify it's actually JPEG by opening it
        img = Image.open(io.BytesIO(file_data))
        assert img.format == 'JPEG'
    def test_heic_with_rgba_mode(self):
        """Test HEIC with alpha channel is converted to RGB JPEG"""
        if not HEIC_SUPPORTED:
            pytest.skip("pillow-heif not available")
        import pillow_heif
        # Create image with alpha channel
        img = Image.new('RGBA', (800, 600), color=(255, 0, 0, 128))
        buffer = io.BytesIO()
        heif_file = pillow_heif.from_pillow(img)
        heif_file.save(buffer, format='HEIF')
        buffer.seek(0)
        heic_data = buffer.getvalue()
        file_data, mime_type, width, height = validate_image(heic_data, 'test.heic')
        # Should be converted to JPEG (no alpha)
        assert mime_type == 'image/jpeg'
        # Verify it's RGB (no alpha)
        img = Image.open(io.BytesIO(file_data))
        assert img.mode == 'RGB'
    def test_heic_dimensions_preserved(self):
        """Test HEIC conversion preserves dimensions"""
        heic_data = create_test_heic(1024, 768)
        file_data, mime_type, width, height = validate_image(heic_data, 'photo.heic')
        assert width == 1024
        assert height == 768
        assert mime_type == 'image/jpeg'
    def test_heic_error_without_library(self, monkeypatch):
        """Test appropriate error when HEIC uploaded but pillow-heif not available"""
        # Mock HEIC_SUPPORTED to False
        from starpunk import media
        monkeypatch.setattr(media, 'HEIC_SUPPORTED', False)
        # Create a mock HEIC file (just needs to be recognized as HEIC by Pillow)
        # We'll create a real HEIC if library is available, otherwise skip
        if not HEIC_SUPPORTED:
            pytest.skip("pillow-heif not available to create test HEIC")
        heic_data = create_test_heic(800, 600)
        with pytest.raises(ValueError) as exc_info:
            validate_image(heic_data, 'test.heic')
        assert "HEIC/HEIF images require pillow-heif library" in str(exc_info.value)
        assert "convert to JPEG" in str(exc_info.value)
    def test_heic_full_upload_flow(self, app):
        """Test complete HEIC upload through save_media"""
        heic_data = create_test_heic(800, 600)
        with app.app_context():
            media_info = save_media(heic_data, 'iphone_photo.heic')
            # Should be saved as JPEG
            assert media_info['mime_type'] == 'image/jpeg'
            assert media_info['width'] == 800
            assert media_info['height'] == 600
            # Verify file was saved
            media_path = Path(app.config['DATA_PATH']) / 'media' / media_info['path']
            assert media_path.exists()
            # Verify it's actually a JPEG file
            saved_img = Image.open(media_path)
            assert saved_img.format == 'JPEG'
 class TestImageOptimization:
    """Test optimize_image function"""
@@ -430,6 +552,126 @@ class TestMediaSecurityEscaping:
            assert '&lt;img' in html
 class TestMediaLogging:
    """Test media upload logging (v1.4.1)"""
    def test_save_media_logs_success(self, app, caplog):
        """Test successful upload logs at INFO level"""
        import logging
        image_data = create_test_image(800, 600, 'PNG')
        with app.app_context():
            with caplog.at_level(logging.INFO):
                media_info = save_media(image_data, 'test.png')
            # Check success log exists
            assert "Media upload successful" in caplog.text
            assert 'filename="test.png"' in caplog.text
            assert f'stored="{media_info["stored_filename"]}"' in caplog.text
            assert f'size={media_info["size"]}b' in caplog.text
            # optimized flag should be present
            assert 'optimized=' in caplog.text
            # variants count should be present
            assert 'variants=' in caplog.text
    def test_save_media_logs_validation_failure(self, app, caplog):
        """Test validation failure logs at WARNING level"""
        import logging
        # Create invalid data (corrupted image)
        invalid_data = b'not an image'
        with app.app_context():
            with caplog.at_level(logging.WARNING):
                with pytest.raises(ValueError):
                    save_media(invalid_data, 'corrupt.jpg')
            # Check validation failure log
            assert "Media upload validation failed" in caplog.text
            assert 'filename="corrupt.jpg"' in caplog.text
            assert f'size={len(invalid_data)}b' in caplog.text
            assert 'error=' in caplog.text
    def test_save_media_logs_optimization_failure(self, app, caplog, monkeypatch):
        """Test optimization failure logs at WARNING level"""
        import logging
        from starpunk import media
        # Mock optimize_image to raise ValueError
        def mock_optimize_image(image_data, original_size=None):
            raise ValueError("Image cannot be optimized to target size. Please use a smaller or lower-resolution image.")
        monkeypatch.setattr(media, 'optimize_image', mock_optimize_image)
        image_data = create_test_image(800, 600, 'PNG')
        with app.app_context():
            with caplog.at_level(logging.WARNING):
                with pytest.raises(ValueError):
                    save_media(image_data, 'test.png')
            # Check optimization failure log
            assert "Media upload optimization failed" in caplog.text
            assert 'filename="test.png"' in caplog.text
            assert f'size={len(image_data)}b' in caplog.text
            assert 'error=' in caplog.text
    def test_save_media_logs_variant_failure(self, app, caplog, monkeypatch):
        """Test variant generation failure logs at WARNING level but continues"""
        import logging
        from starpunk import media
        # Mock generate_all_variants to raise an exception
        def mock_generate_all_variants(*args, **kwargs):
            raise RuntimeError("Variant generation failed")
        monkeypatch.setattr(media, 'generate_all_variants', mock_generate_all_variants)
        image_data = create_test_image(800, 600, 'PNG')
        with app.app_context():
            with caplog.at_level(logging.INFO):  # Need INFO level to capture success log
                # Should succeed despite variant failure
                media_info = save_media(image_data, 'test.png')
            # Check variant failure log
            assert "Media upload variant generation failed" in caplog.text
            assert 'filename="test.png"' in caplog.text
            assert f'media_id={media_info["id"]}' in caplog.text
            assert 'error=' in caplog.text
            # But success log should also be present
            assert "Media upload successful" in caplog.text
            # And variants should be 0
            assert 'variants=0' in caplog.text
    def test_save_media_logs_unexpected_error(self, app, caplog, monkeypatch):
        """Test unexpected error logs at ERROR level"""
        import logging
        from starpunk import media
        from pathlib import Path as OriginalPath
        # Mock Path.write_bytes to raise OSError (simulating disk full)
        def mock_write_bytes(self, data):
            raise OSError("[Errno 28] No space left on device")
        monkeypatch.setattr(Path, 'write_bytes', mock_write_bytes)
        image_data = create_test_image(800, 600, 'PNG')
        with app.app_context():
            with caplog.at_level(logging.ERROR):
                with pytest.raises(OSError):
                    save_media(image_data, 'test.png')
            # Check unexpected error log
            assert "Media upload failed unexpectedly" in caplog.text
            assert 'filename="test.png"' in caplog.text
            assert 'error_type="OSError"' in caplog.text
            assert 'error=' in caplog.text
@pytest.fixture
 def sample_note(app):
    """Create a sample note for testing"""
Author	SHA1	Message	Date
Phil Skentelbery	730eb8d58c	docs: Add v1.4.2 review documents and update backlog Some checks failed Build Container / build (push) Failing after 15s Details - Fix stale docstring in media.py (4096 -> 12000) - Add developer review document - Add architect review document - Update backlog with identified issues 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-12-16 18:57:39 -07:00
Phil Skentelbery	6682339a86	fix(media): Increase max dimension to 12000px for modern phone cameras Modern iPhones (48MP) and other phones produce images larger than 4096px. Since optimize_image() resizes them anyway, the input limit was too restrictive. Increased from 4096x4096 to 12000x12000. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-12-16 18:29:21 -07:00
Phil Skentelbery	d416463242	fix(media): Add MPO format support for iPhone portrait photos iPhones use MPO (Multi-Picture Object) format for depth/portrait photos. This format contains multiple JPEG images (main + depth map). Pillow opens these as MPO format which wasn't in our allowed types. Added automatic MPO to JPEG conversion by extracting the primary image. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-12-16 18:23:23 -07:00
Phil Skentelbery	25b8cbd79d	chore: Add format detection logging for debugging Logs the detected image format when a file is rejected to help diagnose why iPhone uploads are being rejected. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-12-16 18:14:05 -07:00
Phil Skentelbery	042505d5a6	fix(media): Add MAX_CONTENT_LENGTH and debug file capture - v1.4.2 - Set Flask MAX_CONTENT_LENGTH to 50MB (matches MAX_FILE_SIZE) - Save failed uploads to data/debug/ for analysis - Log magic bytes when both Pillow and HEIC parsers fail 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-12-16 18:08:36 -07:00
Phil Skentelbery	72f3d4a55e	fix(media): Save failed uploads to debug/ for analysis - v1.4.2 When an image fails both Pillow and HEIC parsing, save the file to data/debug/ for manual analysis. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-12-16 18:06:51 -07:00
Phil Skentelbery	e8ff0a0dcb	fix(media): Add debug logging for unrecognized image formats - v1.4.2 Logs magic bytes when both Pillow and HEIC parsers fail, to help diagnose what format the file actually is. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-12-16 18:06:09 -07:00
Phil Skentelbery	9bc6780a8e	fix(media): Handle HEIC files with wrong extension - v1.4.2 iOS sometimes saves HEIC with .jpeg extension. Pillow fails to open these as JPEG, so now we fallback to trying pillow-heif directly when initial open fails. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-12-16 17:54:50 -07:00
Phil Skentelbery	e4e481d7cf	feat(media): Add HEIC/HEIF image support - v1.4.2 - Add pillow-heif dependency for iPhone photo support - Auto-convert HEIC to JPEG (browsers can't display HEIC) - Graceful error if pillow-heif not installed - Handles RGBA/P mode conversion to RGB 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-12-16 17:45:53 -07:00
Phil Skentelbery	07f351fef7	feat(media): Add comprehensive logging for media uploads - v1.4.1 Implements media upload logging per docs/design/v1.4.1/media-logging-design.md Changes: - Add logging to save_media() in starpunk/media.py: * INFO: Successful uploads with file details * WARNING: Validation/optimization/variant failures * ERROR: Unexpected system errors - Remove duplicate logging in Micropub media endpoint - Add 5 comprehensive logging tests in TestMediaLogging class - Bump version to 1.4.1 - Update CHANGELOG.md All media upload operations now logged for debugging and observability. Validation errors, optimization failures, and variant generation issues are tracked at appropriate log levels. Original functionality unchanged. Test results: 28/28 media tests pass, 5 new logging tests pass 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-12-16 17:22:22 -07:00