Release Camera Snapshot Processor 1.0.0

Professional Home Assistant integration for advanced camera snapshot processing with web-based configuration UI.

Features:
- Image processing: Flexible resize, crop, quality control (JPEG 1-100%)
- Professional web UI: Live preview, interactive crop tool, tabbed configuration
- Advanced overlays: Date/time stamps, custom text with HA templates
- State icons: Multi-state rules with 7000+ MDI icons (CDN-powered)
  - Complex conditions: equals, contains, gt/lt, in list, etc.
  - Per-state customization: icons, text, colors, backgrounds
  - Real-time template rendering with error detection
- Stream support: RTSP passthrough with credential sanitization
- Performance: In-memory processing, font caching, zero disk I/O
- Security: Daily CVE scans, CodeQL analysis, proper auth

Tested with Home Assistant ≥ 2025.9.4, Python ≥ 3.11

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: Patras3

.github/SECURITY.md

@@ -0,0 +1,109 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 0.9.x   | :white_check_mark: |
+| < 0.9   | :x:                |
+
+## Security Model
+
+**Important**: This integration relies primarily on **Home Assistant's security model**. Camera Snapshot Processor is a lightweight image processing layer that:
+
+- Does not store credentials (Home Assistant does)
+- Does not handle authentication (Home Assistant does)
+- Does not expose additional network endpoints
+- Simply processes images from cameras already configured in Home Assistant
+
+The main security is provided by Home Assistant itself. This integration is as secure as your Home Assistant installation.
+
+## Reporting a Vulnerability
+
+This is an open source hobby project maintained in spare time. If you find a security issue:
+
+1. **For critical issues**: Use [GitHub Security Advisory](https://github.com/Patras3/camera-snapshot-processor/security/advisories/new)
+2. **For non-critical issues**: Regular [GitHub Issues](https://github.com/Patras3/camera-snapshot-processor/issues) are fine
+
+### What to Include
+
+- Description of the vulnerability
+- Steps to reproduce
+- Potential impact
+- Any suggested fixes (optional)
+
+### Response Timeline
+
+This is a hobby project, so:
+- **Response**: Best effort, when time allows
+- **Fixes**: Will be included in next scheduled release
+- **Critical CVEs**: May warrant immediate patch release if severe
+
+We use automated tools (pip-audit, CodeQL, Dependabot) to catch known vulnerabilities, but fixes are released on a regular schedule rather than emergency basis (unless critical).
+
+## Automated Security Scanning
+
+While this is a hobby project, we still care about security:
+
+- **pip-audit**: Daily scans for known CVEs in dependencies
+- **CodeQL**: Automated code analysis
+- **Dependabot**: Automatic PR for dependency updates
+
+These tools catch issues automatically, but fixes are released on a normal schedule.
+
+## Security Through Design
+
+### Minimal Attack Surface
+
+- **Only one dependency**: Pillow (Python Imaging Library)
+- No network listeners, no external services
+- No custom authentication or credential storage
+- Runs entirely within Home Assistant's security context
+
+### Home Assistant Integration
+
+This integration inherits Home Assistant's security:
+- **Authentication**: Handled by Home Assistant
+- **Credential Storage**: Home Assistant's encrypted database
+- **Template Execution**: Home Assistant's sandboxed template engine
+- **Network Security**: Home Assistant's web server and SSL
+
+### What We Do
+
+- ✅ Redact credentials from debug logs
+- ✅ Validate user inputs
+- ✅ Use minimal dependencies
+- ✅ Automated CVE scanning
+
+### What Home Assistant Does
+
+- 🔐 User authentication
+- 🔐 Credential encryption
+- 🔐 Template sandboxing
+- 🔐 HTTPS/SSL
+- 🔐 Access control
+
+## Best Practices for Users
+
+**Most important**: Keep Home Assistant updated!
+
+Other tips:
+- Use strong camera passwords
+- Enable HTTPS on Home Assistant
+- Don't share RTSP URLs publicly
+- Review templates before adding them
+
+## Known Design Choices
+
+- **Stream URLs forwarded as-is**: Required for streaming to work
+- **Credentials in logs**: Automatically sanitized (shown as `***:***@`)
+- **Minimal validation**: Relies on Home Assistant's validation
+- **No caching**: Always fresh images, no stale data
+
+## Contact
+
+Found a bug or have a security concern?
+- [GitHub Issues](https://github.com/Patras3/camera-snapshot-processor/issues)
+- [GitHub Discussions](https://github.com/Patras3/camera-snapshot-processor/discussions)
+
+Remember: This is a hobby project maintained in spare time. Be patient and kind! 😊

.github/dependabot.yml

@@ -0,0 +1,31 @@
+# Dependabot configuration for automatic dependency updates
+# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates
+
+version: 2
+updates:
+  # Monitor GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "ci"
+    labels:
+      - "dependencies"
+      - "github-actions"
+
+  # Monitor Python dependencies
+  # Note: Dependabot will look for requirements files
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "deps"
+    labels:
+      - "dependencies"
+      - "python"
+    # Only create PRs for security updates
+    open-pull-requests-limit: 5
+    reviewers:
+      - "Patras3"

.github/workflows/codeql.yml

@@ -0,0 +1,42 @@
+name: CodeQL Security Analysis
+
+on:
+  push:
+    branches: [ master, main ]
+  pull_request:
+    branches: [ master, main ]
+  schedule:
+    # Run weekly on Monday at midnight UTC
+    - cron: '0 0 * * 1'
+
+jobs:
+  analyze:
+    name: CodeQL Analysis
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'python', 'javascript' ]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          queries: security-and-quality
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{ matrix.language }}"

.github/workflows/security.yml

@@ -0,0 +1,101 @@
+name: Security Scan
+
+on:
+  push:
+    branches: [ master, main ]
+  pull_request:
+    branches: [ master, main ]
+  schedule:
+    # Run daily at 6 AM UTC
+    - cron: '0 6 * * *'
+  workflow_dispatch:
+
+jobs:
+  pip-audit:
+    name: Scan Python Dependencies for CVEs
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+
+      - name: Install pip-audit
+        run: |
+          python -m pip install --upgrade pip
+          pip install pip-audit
+
+      - name: Create requirements file from manifest
+        run: |
+          # Extract requirements from manifest.json
+          python -c "
+          import json
+          with open('custom_components/camera_snapshot_processor/manifest.json') as f:
+              manifest = json.load(f)
+          requirements = manifest.get('requirements', [])
+          with open('requirements-manifest.txt', 'w') as f:
+              for req in requirements:
+                  f.write(req + '\n')
+          "
+          echo "Requirements from manifest.json:"
+          cat requirements-manifest.txt
+
+      - name: Run pip-audit on manifest requirements
+        run: |
+          pip-audit -r requirements-manifest.txt --desc --format json > audit-results.json || true
+
+      - name: Display audit results
+        run: |
+          if [ -f audit-results.json ]; then
+            python -c "
+          import json
+          with open('audit-results.json') as f:
+              results = json.load(f)
+
+          vulnerabilities = results.get('vulnerabilities', [])
+          if vulnerabilities:
+              print(f'❌ Found {len(vulnerabilities)} vulnerabilities:')
+              for vuln in vulnerabilities:
+                  pkg = vuln.get('name', 'unknown')
+                  version = vuln.get('version', 'unknown')
+                  vuln_id = vuln.get('id', 'unknown')
+                  desc = vuln.get('description', 'No description')
+                  fixed = vuln.get('fix_versions', [])
+                  print(f'  - {pkg} {version}: {vuln_id}')
+                  print(f'    {desc}')
+                  if fixed:
+                      print(f'    Fix: Upgrade to {fixed}')
+              exit(1)
+          else:
+              print('✅ No vulnerabilities found!')
+          "
+          else
+            echo "✅ No vulnerabilities found!"
+          fi
+
+      - name: Upload audit results as artifact
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: security-audit-results
+          path: audit-results.json
+          retention-days: 30
+
+  dependency-review:
+    name: Dependency Review
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v4
+        with:
+          fail-on-severity: moderate
+          comment-summary-in-pr: true

.gitignore

@@ -0,0 +1,79 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+
+# PyInstaller
+*.manifest
+*.spec
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+.hypothesis/
+.pytest_cache/
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# IDEs
+.idea/
+.vscode/
+.claude/
+*.swp
+*.swo
+*~
+.DS_Store
+
+# Home Assistant
+home-assistant.log
+home-assistant_v2.db
+*.db-shm
+*.db-wal
+.storage/
+deps/
+tts/
+www/
+
+# Drafts and work-in-progress documents
+drafts/
+
+# Test environment
+test_config/*
+!test_config/configuration.yaml
+
+# Test outputs
+test_icon_output.png