Two bugs found via headless Claude CLI integration testing:
1. Colormap ID extraction: _detect_colormap returned the layer
identifier as colormap_id, but GIBS layers often share colormaps
under different filenames (e.g., AMSRU2_Sea_Ice_Concentration_12km
-> colormap AMSR2_Sea_Ice_Concentration.xml). Now parses the actual
filename from the metadata xlink:href.
2. Entries wrapper: GIBS v1.3 colormap XML nests ColorMapEntry elements
inside an <Entries> wrapper. The parser only searched direct children
of <ColorMap>, finding zero entries from live data. Now checks
Entries/ColorMapEntry first, falling back to direct children.
Updated test fixture to use the real <Entries> wrapper structure.
Address 20 findings from safety-critical review:
CRITICAL:
- C1: Replace ET.fromstring with defusedxml across all XML parsers
- C2: Fix client init failure leaving half-initialized state; clean
up HTTP client on startup failure so next connection can retry
HIGH:
- H1: Replace unbounded dicts with LRU caches (maxsize=500)
- H2: Move Nominatim rate limiter from module globals to per-instance
state on GIBSClient, eliminating shared mutable state
- H3: Validate _parse_rgb input, return (0,0,0) on malformed data
- H4: Add exponential backoff retry for capabilities loading
- H5: Invert WMS error detection to verify image content-type
- H6: Clamp image dimensions to 4096 max to prevent OOM
MEDIUM:
- M1: Convert images to RGB mode in compare_dates for RGBA safety
- M2: Narrow DescribeDomains XML matching to TimeDomain elements
- M3: Add BBox model_validator for coordinate range validation
- M4: Add ET.ParseError to colormap fetch exception handling
- M5: Replace bare except Exception with specific types in server
- M6: Catch ValueError from _resolve_bbox in imagery tools for
consistent error returns
- M7: Only cache successful geocoding lookups (no negative caching)
LOW:
- L3: Derive USER_AGENT version from package __version__
- L5: Remove unused start_date/end_date params from check_layer_dates
