add HEIC/HEIF/AVIF MIME detection signatures

- Add ftyp box signatures for heic, mif1, and avif brands
- Add tests for new image formats
- Fix nested if lint warning in lookup rate limit
- Update security docs: MKV uses WebM header, TAR needs offset 257

documentation/security-testing-status.md

@@ -125,11 +125,18 @@ Tested on production (2025-12-25):
 [x] MachO-32 (application/x-mach-binary) PASS
 [x] MachO-64 (application/x-mach-binary) PASS
 
+Added (2025-12-26):
+[x] HEIC (image/heic)                 PASS - ftyp box with heic brand
+[x] HEIF (image/heif)                 PASS - ftyp box with mif1 brand
+[x] AVIF (image/avif)                 PASS - ftyp box with avif brand
+[x] MKV (video/webm)                  PASS - Same EBML header as WebM
+
 Fallback to text/plain (safe default):
 [~] MOV  - ftyp offset varies
 [~] CAB  - Signature not implemented
 [~] DEB  - Signature not implemented
 [~] AR   - Signature not implemented
+[~] TAR  - ustar at offset 257 (beyond 16-byte check)
 
 Fixed (2025-12-25):
 [x] RPM  - Added signature (0xEDABEEDB)
@@ -140,7 +147,7 @@ Known issues:
 [!] JavaClass - Detected as Mach-O (0xCAFEBABE collision, unfixable)
 
 Not tested (no signature defined):
-[ ] AVIF, HEIC, MKV, TAR, DMG, ISO, DOCX/XLSX/PPTX, ODF
+[ ] DMG, ISO, DOCX/XLSX/PPTX, ODF
 ```
 
 ### Fuzzing Improvements