Show HN: PictaBase – A Relational DAM Built by a Film Editor
I spent 30 years in film editing suites (IMDb). I got tired of “dumb” folders that couldn’t find a continuity shot and “enterprise” tools that required a sales call to see a price. I built PictaBase because photos aren’t just decorative assets—they are working records that need relational context.
If you’ve ever tried to find “all photos of the hero prop from Scene 12 on a Night shoot,” you know that folders are an operational bottleneck. PictaBase connects assets to a user-defined taxonomy, not a fixed schema.
The Architecture: 38K Lines of Strict Types
I chose WordPress as a “boring” foundation for auth and sessions so I could spend my innovation budget on the custom S3 integration and the metadata engine. This is PHP 8.4 with 100% strict_types coverage.
Pixel-Blind & Fail-Closed
Image bytes never transit my server. We use S3 Presigned POST for direct browser-to-bucket uploads. This keeps infrastructure lean and your data private.
Sustainability: The “LTD killer” is egress. We solved this via browser-side Canvas thumbnails and CloudFront-backed delivery with signed cookies. If CloudFront signing fails, the system fails closed (503) rather than silently falling back to expensive S3 fetches.
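A sketch of the fail-closed posture described above, as an added example that is not PictaBase's own code: it builds CloudFront signed cookies for a custom policy and answers 503 when signing fails, with no S3 fallback branch. The CDN domain, key-pair ID, per-tenant prefix layout and function names are assumptions for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not PictaBase code. Domain, key id and tenant prefix are hypothetical.

/** CloudFront's URL-safe base64 variant: '+' -> '-', '=' -> '_', '/' -> '~'. */
function cf_b64(string $raw): string
{
    return strtr(base64_encode($raw), '+=/', '-_~');
}

/** Builds the three signed cookies for a custom policy; throws rather than return an unsigned set. */
function signed_cookies(string $resource, int $expires, string $keyPairId, string $pem): array
{
    $policy = json_encode(['Statement' => [[
        'Resource'  => $resource,
        'Condition' => ['DateLessThan' => ['AWS:EpochTime' => $expires]],
    ]]], JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR);
    $key = openssl_pkey_get_private($pem);
    if ($key === false || !openssl_sign($policy, $signature, $key, OPENSSL_ALGO_SHA1)) {
        throw new RuntimeException('CloudFront policy could not be signed');
    }
    return [
        'CloudFront-Policy'      => cf_b64($policy),
        'CloudFront-Signature'   => cf_b64($signature),
        'CloudFront-Key-Pair-Id' => $keyPairId,
    ];
}

/** Returns [HTTP status, cookies]. Any signing failure becomes 503; there is no S3 fallback branch. */
function delivery_response(string $tenantPrefix, string $keyPairId, string $pem): array
{
    try {
        $resource = "https://cdn.example.test/{$tenantPrefix}/*";
        return [200, signed_cookies($resource, time() + 900, $keyPairId, $pem)];
    } catch (Throwable) {
        return [503, []];
    }
}

// Constructed inputs: a throwaway RSA key generated in-process, then a corrupt PEM.
$pair = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($pair, $pem);
[$okStatus, $cookies] = delivery_response('tenant-42', 'KEXAMPLEID', $pem);
[$failStatus, $none]  = delivery_response('tenant-42', 'KEXAMPLEID', 'not a pem');
printf("valid key: %d (%d cookies), broken key: %d (%d cookies)\n",
    $okStatus, count($cookies), $failStatus, count($none));
```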
No Data Ransom: Sidecar Metadata
Every tag, note, or AI label is written to a .meta.json file in your bucket alongside the original. If my database disappears, your metadata lives on in standard JSON. This is the same anti-lock-in guarantee I’ve always valued as a user.
Adversarial Review
The codebase underwent six total adversarial security reviews across three models (Gemini, GPT, Opus). We disabled legacy WP attack surfaces (XML-RPC, author enumeration) and enforced rate-limiting via Redis-backed atomic counters.
Test drive the architecture (No credit card required)
Our Free Tier (250 MB) has zero feature gating. Create an account and start pushing the S3 pipeline immediately.
Register and explore →
Informal Bug Bounty
I’m a solo founder and a Gulf War vet. I’ve tried to harden this—MySQL advisory locks for race prevention, fail-closed CDN posture, and strict multi-tenancy. But I know this crowd can find things I haven’t thought of. If you can bypass the rate-limiter or find a cross-tenant leak, I want to know about it.
Report it via the support portal. I’ll trade LTD codes for any valid security finding.
Chris Conlee
30-year film editor (IMDb) • U.S. Army veteran, Gulf War
Building the tool I needed because folders weren’t enough.