veza/.env.example

# Veza Environment - Copy to .env and customize
# =============================================
# PORT ISOLATION: Veza uses 15xxx/16xxx ports by default to avoid conflicts
# with other projects (postgres 5432, redis 6379, rabbitmq 5672, backend 8080).
#
# Backend on HOST connects to Docker via these mapped ports.
# Backend in DOCKER uses internal names (postgres:5432, redis:6379, rabbitmq:5672).

# Domain (must match /etc/hosts: 127.0.0.1 veza.fr)
APP_DOMAIN=veza.fr

# Docker Compose - host port mappings (override if needed)
PORT_POSTGRES=15432
PORT_REDIS=16379
PORT_RABBITMQ_AMQP=15672
PORT_RABBITMQ_MGMT=25672
PORT_BACKEND=18080

# Database (used when backend runs on host; matches docker-compose)
DB_USER=veza
DB_PASSWORD=password
DB_NAME=veza

# Frontend URL (OAuth redirect, password reset links, email links)
# Backend reads FRONTEND_URL or VITE_FRONTEND_URL; fallback: http://localhost:5173
FRONTEND_URL=http://veza.fr:5173

# --- JWT (v0.9.1 RS256) ---
# REQUIRED for production: RSA key paths (generate with scripts/generate-jwt-keys.sh)
# JWT_PRIVATE_KEY_PATH=/path/to/jwt-private.pem
# JWT_PUBLIC_KEY_PATH=/path/to/jwt-public.pem
# REQUIRED: JWT_SECRET must be set (no default fallback in docker-compose)
JWT_SECRET=min-32-characters-secret-for-development
# JWT_ISSUER=veza-api
# JWT_AUDIENCE=veza-platform

# OAuth Security (v0.902 Sentinel)
# OAUTH_ENCRYPTION_KEY: 32+ bytes for AES-256-GCM (hex or base64). REQUIRED in production.
# OAUTH_ALLOWED_REDIRECT_DOMAINS: comma-separated whitelist (e.g. https://app.veza.com,https://veza.fr:5173)
# OAUTH_ENCRYPTION_KEY=<32-byte-hex-or-base64-key>
# OAUTH_ALLOWED_REDIRECT_DOMAINS=https://veza.fr:5173,https://app.veza.com

# CHAT_JWT_SECRET: Must differ from JWT_SECRET in production. Use a separate secret for the Chat Server.
# CHAT_JWT_SECRET=<32+ character secret different from JWT_SECRET>

# For veza-backend-api/.env (backend on host):
# DATABASE_URL=postgres://veza:password@veza.fr:15432/veza?sslmode=disable
# REDIS_URL=redis://:password@veza.fr:16379
# REDIS_PASSWORD=devpassword
# RABBITMQ_URL=amqp://veza:password@veza.fr:15672/
#
# Stripe Connect (seller payout, optional):
# STRIPE_CONNECT_ENABLED=true
# STRIPE_SECRET_KEY=sk_xxx
# STRIPE_CONNECT_WEBHOOK_SECRET=whsec_xxx
#
# Platform fee rate on marketplace sales (0.10 = 10%)
# PLATFORM_FEE_RATE=0.10
#
# Transfer Retry Worker (v0.701, default: enabled, 3 max retries, 5m interval)
# TRANSFER_RETRY_ENABLED=true
# TRANSFER_RETRY_MAX=3
# TRANSFER_RETRY_INTERVAL=5m
#
# Live Streaming (v0.10.6 F471) — Nginx-RTMP callbacks & HLS URL
# RTMP_CALLBACK_SECRET: shared secret for Nginx-RTMP on_publish/publish_done callbacks
# STREAM_HLS_BASE_URL: base URL for HLS playlists (e.g. http://localhost:18083/live)
# NGINX_RTMP_HOST: host for rtmp_url shown to streamers (e.g. stream.veza.app)
# RTMP_CALLBACK_SECRET=<shared-secret>
# STREAM_HLS_BASE_URL=http://localhost:18083/live
# NGINX_RTMP_HOST=localhost
chore: playwright workflow, docs, rapports audit, visual-tests, tmt unit Co-authored-by: Cursor <cursoragent@cursor.com> 2026-02-11 21:19:34 +00:00			`# Veza Environment - Copy to .env and customize`
			`# =============================================`
			`# PORT ISOLATION: Veza uses 15xxx/16xxx ports by default to avoid conflicts`
			`# with other projects (postgres 5432, redis 6379, rabbitmq 5672, backend 8080).`
			`#`
			`# Backend on HOST connects to Docker via these mapped ports.`
			`# Backend in DOCKER uses internal names (postgres:5432, redis:6379, rabbitmq:5672).`

			`# Domain (must match /etc/hosts: 127.0.0.1 veza.fr)`
			`APP_DOMAIN=veza.fr`

			`# Docker Compose - host port mappings (override if needed)`
			`PORT_POSTGRES=15432`
			`PORT_REDIS=16379`
			`PORT_RABBITMQ_AMQP=15672`
			`PORT_RABBITMQ_MGMT=25672`
			`PORT_BACKEND=18080`

			`# Database (used when backend runs on host; matches docker-compose)`
			`DB_USER=veza`
			`DB_PASSWORD=password`
			`DB_NAME=veza`

feat(backend): OAuth FRONTEND_URL from config, docs update - Add FrontendURL to config (FRONTEND_URL or VITE_FRONTEND_URL) - OAuth handlers use config instead of os.Getenv - Update TODOS_AUDIT: mark UUID migration items as resolved - Add ISSUES_P2_BACKLOG.md for GitHub issues - Add ROUTES_ORPHANES.md for routes without UI - Document FRONTEND_URL in .env.example 2026-02-17 15:42:23 +00:00			`# Frontend URL (OAuth redirect, password reset links, email links)`
			`# Backend reads FRONTEND_URL or VITE_FRONTEND_URL; fallback: http://localhost:5173`
			`FRONTEND_URL=http://veza.fr:5173`

v0.9.1 2026-03-05 18:22:31 +00:00			`# --- JWT (v0.9.1 RS256) ---`
			`# REQUIRED for production: RSA key paths (generate with scripts/generate-jwt-keys.sh)`
			`# JWT_PRIVATE_KEY_PATH=/path/to/jwt-private.pem`
			`# JWT_PUBLIC_KEY_PATH=/path/to/jwt-public.pem`
fix(v0.12.6): apply all pentest remediations — 36 findings across 36 files CRITICAL fixes: - Race condition (TOCTOU) in payout/refund with SELECT FOR UPDATE (CRITICAL-001/002) - IDOR on analytics endpoint — ownership check enforced (CRITICAL-003) - CSWSH on all WebSocket endpoints — origin whitelist (CRITICAL-004) - Mass assignment on user self-update — strip privileged fields (CRITICAL-005) HIGH fixes: - Path traversal in marketplace upload — UUID filenames (HIGH-001) - IP spoofing — use Gin trusted proxy c.ClientIP() (HIGH-002) - Popularity metrics (followers, likes) set to json:"-" (HIGH-003) - bcrypt cost hardened to 12 everywhere (HIGH-004) - Refresh token lock made mandatory (HIGH-005) - Stream token replay prevention with access_count (HIGH-006) - Subscription trial race condition fixed (HIGH-007) - License download expiration check (HIGH-008) - Webhook amount validation (HIGH-009) - pprof endpoint removed from production (HIGH-010) MEDIUM fixes: - WebSocket message size limit 64KB (MEDIUM-010) - HSTS header in nginx production (MEDIUM-001) - CORS origin restricted in nginx-rtmp (MEDIUM-002) - Docker alpine pinned to 3.21 (MEDIUM-003/004) - Redis authentication enforced (MEDIUM-005) - GDPR account deletion expanded (MEDIUM-006) - .gitignore hardened (MEDIUM-007) LOW/INFO fixes: - GitHub Actions SHA pinning on all workflows (LOW-001) - .env.example security documentation (INFO-001) - Production CORS set to HTTPS (LOW-002) All tests pass. Go and Rust compile clean. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-13 23:44:46 +00:00			`# REQUIRED: JWT_SECRET must be set (no default fallback in docker-compose)`
			`JWT_SECRET=min-32-characters-secret-for-development`
v0.9.1 2026-03-05 18:22:31 +00:00			`# JWT_ISSUER=veza-api`
			`# JWT_AUDIENCE=veza-platform`

release(v0.902): Sentinel - PKCE OAuth, token encryption, redirect validation, CHAT_JWT_SECRET - PKCE (S256) in OAuth flow: code_verifier in oauth_states, code_challenge in auth URL - CryptoService: AES-256-GCM encryption for OAuth provider tokens at rest - OAuth redirect URL validated against OAUTH_ALLOWED_REDIRECT_DOMAINS - CHAT_JWT_SECRET must differ from JWT_SECRET in production - Migration script: cmd/tools/encrypt_oauth_tokens for existing tokens - Fixes: VEZA-SEC-003, VEZA-SEC-004, VEZA-SEC-009, VEZA-SEC-010 2026-02-26 18:49:15 +00:00			`# OAuth Security (v0.902 Sentinel)`
			`# OAUTH_ENCRYPTION_KEY: 32+ bytes for AES-256-GCM (hex or base64). REQUIRED in production.`
			`# OAUTH_ALLOWED_REDIRECT_DOMAINS: comma-separated whitelist (e.g. https://app.veza.com,https://veza.fr:5173)`
			`# OAUTH_ENCRYPTION_KEY=<32-byte-hex-or-base64-key>`
			`# OAUTH_ALLOWED_REDIRECT_DOMAINS=https://veza.fr:5173,https://app.veza.com`

			`# CHAT_JWT_SECRET: Must differ from JWT_SECRET in production. Use a separate secret for the Chat Server.`
			`# CHAT_JWT_SECRET=<32+ character secret different from JWT_SECRET>`

chore: playwright workflow, docs, rapports audit, visual-tests, tmt unit Co-authored-by: Cursor <cursoragent@cursor.com> 2026-02-11 21:19:34 +00:00			`# For veza-backend-api/.env (backend on host):`
			`# DATABASE_URL=postgres://veza:password@veza.fr:15432/veza?sslmode=disable`
fix(v0.12.6): apply all pentest remediations — 36 findings across 36 files CRITICAL fixes: - Race condition (TOCTOU) in payout/refund with SELECT FOR UPDATE (CRITICAL-001/002) - IDOR on analytics endpoint — ownership check enforced (CRITICAL-003) - CSWSH on all WebSocket endpoints — origin whitelist (CRITICAL-004) - Mass assignment on user self-update — strip privileged fields (CRITICAL-005) HIGH fixes: - Path traversal in marketplace upload — UUID filenames (HIGH-001) - IP spoofing — use Gin trusted proxy c.ClientIP() (HIGH-002) - Popularity metrics (followers, likes) set to json:"-" (HIGH-003) - bcrypt cost hardened to 12 everywhere (HIGH-004) - Refresh token lock made mandatory (HIGH-005) - Stream token replay prevention with access_count (HIGH-006) - Subscription trial race condition fixed (HIGH-007) - License download expiration check (HIGH-008) - Webhook amount validation (HIGH-009) - pprof endpoint removed from production (HIGH-010) MEDIUM fixes: - WebSocket message size limit 64KB (MEDIUM-010) - HSTS header in nginx production (MEDIUM-001) - CORS origin restricted in nginx-rtmp (MEDIUM-002) - Docker alpine pinned to 3.21 (MEDIUM-003/004) - Redis authentication enforced (MEDIUM-005) - GDPR account deletion expanded (MEDIUM-006) - .gitignore hardened (MEDIUM-007) LOW/INFO fixes: - GitHub Actions SHA pinning on all workflows (LOW-001) - .env.example security documentation (INFO-001) - Production CORS set to HTTPS (LOW-002) All tests pass. Go and Rust compile clean. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-13 23:44:46 +00:00			`# REDIS_URL=redis://:password@veza.fr:16379`
			`# REDIS_PASSWORD=devpassword`
chore: playwright workflow, docs, rapports audit, visual-tests, tmt unit Co-authored-by: Cursor <cursoragent@cursor.com> 2026-02-11 21:19:34 +00:00			`# RABBITMQ_URL=amqp://veza:password@veza.fr:15672/`
feat(seller): add Stripe Connect config 2026-02-23 21:09:23 +00:00			`#`
			`# Stripe Connect (seller payout, optional):`
			`# STRIPE_CONNECT_ENABLED=true`
			`# STRIPE_SECRET_KEY=sk_xxx`
			`# STRIPE_CONNECT_WEBHOOK_SECRET=whsec_xxx`
feat(commerce): add PLATFORM_FEE_RATE config (default 10%) 2026-02-23 21:54:50 +00:00			`#`
			`# Platform fee rate on marketplace sales (0.10 = 10%)`
			`# PLATFORM_FEE_RATE=0.10`
feat(config): add transfer retry configuration (v0.701) 2026-02-23 22:31:09 +00:00			`#`
			`# Transfer Retry Worker (v0.701, default: enabled, 3 max retries, 5m interval)`
			`# TRANSFER_RETRY_ENABLED=true`
			`# TRANSFER_RETRY_MAX=3`
			`# TRANSFER_RETRY_INTERVAL=5m`
feat(v0.10.6): Livestreaming basique F471-F476 - Backend: callbacks on_publish/on_publish_done, UpdateStreamURL, GetByStreamKey - Nginx-RTMP: config infra, docker-compose service (profil live) - Frontend: stream_url dans LiveStream, HLS.js dans LiveViewPlayer, état Stream terminé - Chat: rate limit send_live_message 1 msg/3s pour rooms live_streams - Env: RTMP_CALLBACK_SECRET, STREAM_HLS_BASE_URL, NGINX_RTMP_HOST - Roadmap v0.10.6 marquée DONE 2026-03-10 09:21:57 +00:00			`#`
			`# Live Streaming (v0.10.6 F471) — Nginx-RTMP callbacks & HLS URL`
			`# RTMP_CALLBACK_SECRET: shared secret for Nginx-RTMP on_publish/publish_done callbacks`
			`# STREAM_HLS_BASE_URL: base URL for HLS playlists (e.g. http://localhost:18083/live)`
			`# NGINX_RTMP_HOST: host for rtmp_url shown to streamers (e.g. stream.veza.app)`
			`# RTMP_CALLBACK_SECRET=<shared-secret>`
			`# STREAM_HLS_BASE_URL=http://localhost:18083/live`
			`# NGINX_RTMP_HOST=localhost`