senke/veza
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
veza/veza-docs/audit/AUDIT_01_INVENTAIRE.md

365 lines
18 KiB
Markdown
Raw Permalink Normal View History

docs: integrate audit roadmap into VEZA_VERSIONS_ROADMAP — v0.12.6.1 DONE, 14 versions added - Mark v0.12.6.1 (pentest remediation 30/30) as DONE - Add 14 new versions from audit: v0.12.6.2→v1.0.0-rc1 - Update tracking table with priorities P0→P3 - Update v0.12.6 checkboxes (all findings now resolved) - Add Phase P7 (Conformité) and Validation phases - Update AUDIT_05_ROADMAP_v1.0.md to reflect completed remediation Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-12 05:34:52 +00:00
# AUDIT_01_INVENTAIRE.md -- Inventaire Complet du Code Existant
**Date** : 2026-03-11
**Auditeur** : Claude Opus 4.6 (audit automatise du code source)
---
## 1. VUE D'ENSEMBLE DU MONOREPO
| Composant | Technologie | Fichiers source | Fichiers test | Migrations SQL |
|-----------|-------------|-----------------|---------------|----------------|
| **Backend API** | Go 1.24 + Gin | 867 `.go` | 328 `_test.go` | 134 `.sql` |
| **Frontend Web** | React + TypeScript + Vite | 1,927 `.ts/.tsx` | ~574 test+stories | - |
| **Stream Server** | Rust | 131 `.rs` | ~25 avec `#[test]` | - |
| **Design System** | TypeScript | 1 (minimal) | - | - |
| **Total** | | **2,926** source | **~927** test | **134** |
### Structure racine
```
veza/
+-- apps/web/ # Frontend React + TypeScript + Vite
+-- packages/design-system/ # Design system SUMI (minimal)
+-- veza-backend-api/ # Go API (Gin, PostgreSQL, Redis, RabbitMQ)
+-- veza-stream-server/ # Rust stream server (audio HLS)
+-- veza-common/ # Shared utilities (Rust + Go)
+-- veza-docs/ORIGIN/ # Specifications (READ-ONLY)
+-- docker/ # Dockerfiles
+-- infra/ # Infrastructure configs
+-- k8s/ # Kubernetes manifests
+-- scripts/ # Utility scripts
+-- tests/ # E2E tests (Playwright)
+-- loadtests/ # k6 load tests
+-- proto/ # gRPC protobuf definitions
+-- .github/workflows/ # CI/CD pipelines (10 workflows)
+-- make/ # Makefile includes
+-- config/ # Shared configs
```
---
## 2. BACKEND API (Go)
### 2.1 Architecture
```
veza-backend-api/
+-- cmd/server/ # Entry point
+-- internal/
| +-- api/ # Route registration (30+ route files)
| +-- core/ # Domain modules (auth, track, feed, discover, analytics, moderation, etc.)
| +-- handlers/ # HTTP handlers (~100 handler files)
| +-- middleware/ # Middlewares (~40 files)
| +-- models/ # Data models (~40 files)
| +-- services/ # Business logic (~130 service files)
| +-- config/ # Configuration
| +-- database/ # DB connection
| +-- elasticsearch/ # Search service
| +-- websocket/chat/ # WebSocket handlers
| +-- testutils/ # Test utilities
+-- pkg/apierror/ # Standardized error package
+-- migrations/ # SQL migrations (134 files)
+-- tests/ # Integration tests
```
### 2.2 Route Files (Endpoints)
| Route File | Domain | Key Endpoints |
|------------|--------|---------------|
| `routes_auth.go` | Authentication | register, login, logout, refresh, verify-email, forgot-password, reset-password, 2FA |
| `routes_users.go` | Users | CRUD, profile, avatar, settings, sessions, privacy |
| `routes_tracks.go` | Tracks | CRUD, upload, stream, waveform, HLS, lyrics, stems |
| `routes_playlists.go` | Playlists | CRUD, collaboration, export, import, share |
| `routes_social.go` | Social | follow/unfollow, block, groups, reposts, likes |
| `routes_feed.go` | Feed | Chronological feed, suggestions |
| `routes_search.go` | Search | Fulltext, autocomplete, unified search |
| `routes_discover.go` | Discovery | Genre browse, tag browse, trending (ethical) |
| `routes_tag.go` | Tags | CRUD tags, genres |
| `routes_marketplace.go` | Marketplace | Products, orders, checkout, downloads, reviews, promo codes |
| `routes_subscription.go` | Subscriptions | Plans, upgrade, downgrade, cancel |
| `routes_analytics.go` | Analytics | Creator analytics, heatmap, comparison, audience |
| `routes_moderation.go` | Moderation | Reports, moderation queue, strikes, spam detection |
| `routes_admin_platform.go` | Admin | Platform metrics, user management, content, payments |
| `routes_live.go` | Livestream | Start/stop, RTMP callbacks, HLS live |
| `routes_co_listening.go` | Co-listening | WebSocket sessions, sync |
| `routes_distribution.go` | Distribution | Submit to platforms, track status, royalties |
| `routes_education.go` | Education | Courses, modules, lessons, certificates, video |
| `routes_gear.go` | Gear/Equipment | Inventory CRUD, warranty, documents |
| `routes_cloud.go` | Cloud storage | File sync, backup, sharing |
| `routes_queue.go` | Queue | Playback queue management |
| `routes_developer.go` | Developer API | API keys, rate limits |
| `routes_webhooks.go` | Webhooks | Payment webhooks (Hyperswitch) |
| `routes_core.go` | Core | Health, metrics, feature flags, config |
### 2.3 Key Handlers (sample)
- **Auth**: `auth.go`, `oauth_handlers.go`, `two_factor_handler.go`, `password_reset_handler.go`
- **User**: `profile_handler.go`, `avatar_handler.go`, `settings_handler.go`, `privacy_handler.go`
- **Track**: `track_crud_handler.go`, `track_upload_handler.go`, `track_hls_handler.go`, `track_social_handler.go`, `track_search_handler.go`, `track_waveform_handler.go`, `track_analytics_handler.go`, `track_stem_handler.go`
- **Chat**: `chat_handler.go`, `chat_websocket_handler.go`, `chat_reaction_handler.go`, `chat_search_handler.go`, `chat_attachment_handler.go`
- **Marketplace**: `marketplace_handler.go`, `sell_handler.go`, `payout_handler.go`
- **Analytics**: `creator_handler.go`, `advanced_handler.go`, `playback_analytics_handler.go`
- **Admin**: `admin/handler.go`, `admin_transfer_handler.go`, `announcement_handler.go`
- **Moderation**: `moderation/handler.go`, `report_handler.go`
- **Notifications**: `notification_handlers.go`
- **Live**: `live_stream_handler.go`, `live_stream_callback.go`
- **Education**: `education_handler.go`, `distribution_handler.go`
- **GDPR**: `gdpr_export_handler.go`, `account_deletion_handler.go`
- **Other**: `gear_handler.go`, `cloud_handler.go`, `co_listening_handler.go`, `queue_handler.go`, `social_group_handler.go`, `presence_handler.go`
### 2.4 Services (130+ files)
Major services include:
- **Core**: `jwt_service.go`, `user_service.go`, `session_service.go`, `password_service.go`, `email_service.go`, `email_verification_service.go`, `oauth_service.go`, `totp_service.go`, `rbac_service.go`, `permission_service.go`
- **Track**: `track_upload_service.go`, `track_validation_service.go`, `track_search_service.go`, `track_like_service.go`, `track_repost_service.go`, `track_share_service.go`, `track_stem_service.go`, `track_history_service.go`, `track_recommendation_service.go`, `track_export_service.go`, `track_version_service.go`
- **Audio**: `hls_service.go`, `hls_transcode_service.go`, `hls_streaming_service_enhanced.go`, `hls_playlist_generator.go`, `hls_cleanup_service.go`, `audio_transcode_service.go`, `bitrate_adaptation_service.go`, `bandwidth_detection_service.go`, `buffer_monitor_service.go`, `waveform_service.go`, `stream_service.go`, `video_transcode_service.go`
- **Playlist**: `playlist_service.go`, `playlist_analytics_service.go`, `playlist_follow_service.go`, `playlist_share_service.go`, `playlist_duplicate_service.go`, `playlist_version_service.go`, `playlist_recommendation_service.go`, `playlist_notification_service.go`
- **Chat**: `chat_service.go`, `chat_pubsub.go`, `co_listening_service.go`
- **Social**: `social_service.go`, `comment_service.go`, `comment_moderation_service.go`
- **Analytics**: `analytics_service.go`, `creator_analytics_service.go`, `advanced_analytics_service.go`, `analytics_aggregation_service.go`, `playback_analytics_service.go`, `playback_heatmap_service.go`, `playback_comparison_service.go`, `playback_export_service.go`, `playback_filter_service.go`, `playback_segmentation_service.go`, `playback_alerts_service.go`, `playback_retention_service.go`
- **Marketplace**: `core/marketplace/service.go`, `royalty_service.go`, `stripe_connect_service.go`, `track_download_license.go`
- **Distribution**: `core/distribution/service.go`
- **Education**: `core/education/service.go`
- **Subscription**: `core/subscription/service.go`
- **Moderation**: `moderation_service.go`
- **Notifications**: `notification_service.go`, `notification_service_enhanced.go`, `notification_digest_worker.go`, `push_service.go`
- **Storage**: `s3_storage_service.go`, `image_service.go`, `image_service_enhanced.go`, `cdn_service.go`, `cloud_service.go`, `cloud_backup.go`, `backup_service.go`
- **Infrastructure**: `cache_service.go`, `circuit_breaker.go`, `monitoring_alerting_service.go`, `job_service.go`, `webhook_service.go`, `feature_flag_service.go`, `crypto_service.go`, `token_blacklist.go`, `refresh_token_service.go`
- **GDPR**: `data_export_service.go`, `gdpr_export.go`
- **Payments**: `hyperswitch/client.go`, `hyperswitch/provider.go`, `hyperswitch/webhook.go`
- **Gear**: `gear_service.go`, `gear_document_service.go`, `gear_warranty_notifier.go`
### 2.5 Middleware (40+ files)
- **Security**: `auth.go`, `rbac_middleware.go`, `security_headers.go`, `csrf.go`, `cors.go`, `metrics_protection.go`, `stream_callback_auth.go`, `webhook_api_key.go`
- **Rate limiting**: `rate_limiter.go`, `ratelimit.go`, `ratelimit_redis.go`, `endpoint_limiter.go`, `user_rate_limiter.go`
- **Observability**: `request_logger.go`, `request_id.go`, `tracing.go`, `metrics.go`, `monitoring.go`, `audit.go`
- **Resilience**: `recovery.go`, `sentry_recover.go`, `timeout.go`, `error_handler.go`, `maintenance.go`
- **Other**: `cache_headers.go`, `response_cache.go`, `context_propagation.go`, `validation.go`, `versioning.go`, `playlist_permission.go`, `ccpa.go`
### 2.6 Migrations SQL (134 files)
Range: `000_mark_consolidated.sql` to `960_performance_indexes_v0124.sql`
Key migration groups:
- **000-050**: Core schema (auth, users, sessions, files, streaming, analytics, follows, notifications, search indexes)
- **051-095**: Chat, stats, audit, jobs, groups, social, webhooks, gear, live streams, payments, API keys, playlists
- **096-134**: Products, marketplace, seller balances, promo codes, chat reactions, mentions, search, threads, attachments, invitations, data exports, collaborative rooms, editorial playlists, quiet hours, notification grouping, digest prefs
- **900-960**: Triggers, audit logs, performance indexes, foreign keys, deletion fields, reports, announcements, feature flags, OAuth, co-listening, stems, creator analytics, advanced analytics, moderation, marketplace, subscriptions, distribution, education, performance indexes v0.12.4
### 2.7 Dependencies (Go)
Key dependencies: `gin-gonic/gin`, `golang-jwt/jwt/v5`, `lib/pq` (PostgreSQL), `redis/go-redis/v9`, `aws-sdk-go-v2` (S3/MinIO), `rabbitmq/amqp091-go`, `prometheus/client_golang`, `getsentry/sentry-go`, `go-playground/validator/v10`, `pquerna/otp` (TOTP), `SherClockHolmes/webpush-go`, `coder/websocket`, `dhowden/tag` (audio metadata), `disintegration/imaging`, `go-pdf/fpdf`, `DATA-DOG/go-sqlmock`, `fsnotify/fsnotify`
---
## 3. FRONTEND WEB (React + TypeScript)
### 3.1 Architecture
```
apps/web/
+-- src/
| +-- app/ # App entry point
| +-- components/ # Shared UI components (30+ dirs)
| +-- features/ # Feature modules (35 modules)
| +-- hooks/ # Global custom hooks
| +-- services/api/ # API client + interceptors
| +-- stores/ # State management (Zustand)
| +-- router/ # Route definitions
| +-- schemas/ # Zod validation schemas
| +-- types/ # TypeScript types + generated OpenAPI types
| +-- locales/ # i18n translations
| +-- mocks/ # MSW mocks
| +-- providers/ # Context providers
| +-- styles/ # Global styles
| +-- stories/ # Storybook stories
| +-- lib/ # Utility libraries
| +-- utils/ # Utility functions
| +-- config/ # Frontend config
| +-- context/ # React contexts (audio-context)
| +-- test/ # Test setup
```
### 3.2 Feature Modules (35)
| Module | Description | Has Pages | Has Tests |
|--------|-------------|-----------|-----------|
| `admin` | Admin dashboard, moderation, platform | Yes | - |
| `analytics` | Creator analytics views | Yes | Yes |
| `auth` | Login, register, sessions, 2FA, OAuth | Yes | Yes |
| `chat` | Chat rooms, DMs, reactions, search | Yes | Yes |
| `checkout` | Cart, checkout flow | Yes | - |
| `cloud` | Cloud storage management | Yes | - |
| `dashboard` | User dashboard | Yes | - |
| `developer` | API key management | Yes | - |
| `discover` | Genre/tag browsing | Yes | - |
| `distribution` | Platform distribution | Yes | - |
| `education` | Course catalog, learning | Yes | - |
| `error` | Error pages (404, 500) | Yes | - |
| `feed` | Chronological feed | Yes | - |
| `inventory` | Gear/equipment management | Yes | - |
| `library` | Track library, playlists | Yes | - |
| `live` | Livestream viewer/broadcaster | Yes | - |
| `marketplace` | Product listing, buying | Yes | - |
| `notifications` | Notification center, preferences | Yes | - |
| `player` | Audio player, queue | Yes | Yes |
| `playlists` | Playlist management, collaboration | Yes | Yes |
| `presence` | Online status, rich presence | - | - |
| `profile` | User profile view/edit | Yes | - |
| `purchases` | Purchase history | Yes | - |
| `roles` | Role management | Yes | - |
| `search` | Fulltext search | Yes | - |
| `seller` | Seller dashboard | Yes | - |
| `sessions` | Active sessions management | - | - |
| `settings` | User settings (account, security, data, etc.) | Yes | - |
| `social` | Follow, groups | Yes | - |
| `streaming` | Audio streaming hooks/services | - | - |
| `subscription` | Plan management | Yes | - |
| `tracks` | Track detail, upload | Yes | Yes |
| `upload` | File upload | - | - |
| `user` | User components | - | - |
### 3.3 Shared Components
- **UI primitives**: accordion, avatar-upload, content-transition, context-menu, data-list, date-picker, dialog, dropdown-menu, feature-highlight, file-upload, hover-card, lazy-component, optimized-image, select, tabs, tooltip, virtualized-list
- **Domain**: admin, analytics, auth, base, charts, commerce, dashboard, data, demo, developer, feedback, filters, forms, inventory, keyboard, layout, library, live, marketplace, modals, monitoring, navigation, notifications, player, pwa, search, seller, settings, share, social, theme, upload, user
### 3.4 State Management
- Zustand stores in `src/stores/`
- Feature-specific stores in `features/auth/store/`, `features/chat/store/`, `features/player/store/`
### 3.5 Testing
- Unit tests: Vitest
- E2E tests: Playwright (multiple configs: standard, mocks, visual regression)
- Visual regression: Playwright visual comparison
- MSW for API mocking
- 574 test + stories files
---
## 4. STREAM SERVER (Rust)
### 4.1 Architecture
```
veza-stream-server/
+-- src/
| +-- main.rs
| +-- lib.rs
| +-- config/
| +-- handlers/
| +-- services/
| +-- models/
| +-- middleware/
| +-- routes/
| +-- audio/ # Audio processing (HLS, transcoding)
| +-- storage/ # S3 integration
| +-- monitoring/ # Metrics, health
+-- Cargo.toml
```
- 131 Rust source files
- 25 files with `#[test]` blocks
- Handles: audio streaming, HLS segment serving, transcoding, S3 storage integration, metrics
---
## 5. INFRASTRUCTURE & DEVOPS
### 5.1 Docker
- `docker-compose.yml` (production)
- `docker-compose.dev.yml` (development: Postgres, Redis, RabbitMQ, ClamAV, MinIO)
- `docker-compose.staging.yml`
- `docker-compose.prod.yml`
- `docker-compose.test.yml`
- Dockerfiles in `docker/`
### 5.2 CI/CD (GitHub Actions - 10 workflows)
| Workflow | Description |
|----------|-------------|
| `ci.yml` | Main CI pipeline |
| `backend-ci.yml` | Go tests, lint, build |
| `frontend-ci.yml` | TypeScript checks, Vitest, ESLint |
| `rust-ci.yml` | Cargo test, clippy, fmt |
| `stream-ci.yml` | Stream server CI |
| `cd.yml` | Continuous deployment |
| `security-scan.yml` | Security scanning |
| `sast.yml` | Static analysis |
| `container-scan.yml` | Container vulnerability scan |
| `load-test-nightly.yml` | Nightly k6 load tests |
| `storybook-audit.yml` | Storybook validation |
### 5.3 Kubernetes
- Manifests in `k8s/` directory
### 5.4 Makefile
- Comprehensive Makefile with `make/` includes (build.mk, tools.mk, etc.)
- Key targets: `dev`, `build`, `test`, `lint`, `doctor`, `infra-up-dev`, `migrate-up`, etc.
### 5.5 Load Tests
- k6 load test scripts in `loadtests/`
### 5.6 Monitoring
- Prometheus metrics via Go middleware
- Sentry error tracking integration
---
## 6. DOCUMENTATION
### 6.1 ORIGIN Specs (24 files)
Complete specification suite in `veza-docs/ORIGIN/`:
- Architecture, features registry, API spec, security framework, business logic, UI/UX system
- Code standards, testing strategy, performance targets, error patterns, error prevention guide
- Quality metrics, feature validation, deployment guide, development phases
- Database schema, technical stack, implementation tasks, revision summary
### 6.2 Existing Audit Reports
- `103_audit_global_features_states.md`
- `103_RAPPORT_ETAT_FEATURES_2026_02_16.md`
- `AUDIT_TECHNIQUE_2026-02-22.md`
- `AUDIT_TECHNIQUE_VEZA_2026-03-04.md`
- `ORIGIN_GAP_ANALYSIS_2026-03-04.md`
- `PENTEST_REPORT_VEZA_v0.12.6.md`
- `REMEDIATION_MATRIX_v0.12.6.md`
- `ASVS_CHECKLIST_v0.12.6.md`
### 6.3 Other docs
- `docs/adr/` - Architecture Decision Records
- `docs/ENV_VARIABLES.md`
- `docs/SECRETS_AUDIT.md`
- `CHANGELOG.md`, `CONTRIBUTING.md`, `README.md`
- `VEZA_VERSIONS_ROADMAP.md` - Version tracking (source of truth)
---
## 7. CODE HEALTH INDICATORS
| Metric | Value | Notes |
|--------|-------|-------|
| TODO/FIXME in backend+rust | 2 | Very clean |
| TODO/FIXME in frontend | 43 | Acceptable |
| Banned code traces (AI/ML/Web3/Gamification) | **0** | Clean |
| Go test files | 328 (38% of Go files) | Good coverage |
| Frontend test+stories files | 574 (30% of TS/TSX files) | Acceptable |
| SQL migrations | 134 | Comprehensive schema |
| CI workflows | 10 | Including security scans |
| Middleware files | 40+ | Very comprehensive |
---
*Fin de l'inventaire Phase 1*
Reference in a new issue Copy permalink