veza/CHANGELOG.md

# Changelog - Remediation "Full Audit Fix"

## [Unreleased] - 2024-12-07

### Security
- **chat-server**: Implemented JWT Authentication Middleware for HTTP API.
  - Secured `/api/messages` (POST) and `/api/messages/{id}` (GET).
  - Enforced permission checks (`can_send_message`, `can_read_conversation`).
  - Patched `sender_id` spoofing vulnerability by enforcing User ID from Token Claims.
- **backend**: Resolved `veza_errors_total` metric collision preventing proper monitoring initialization.

### Fixed
- **backend**: Fixed `JobWorker` starvation issue by replacing blocking `time.Sleep` with non-blocking scheduler.
- **stream-server**: Improved task safety by replacing unsafe `abort()` with graceful `join/await` for monitoring tasks.
- **chat-server**: Fixed resource leak by implementing 60s WebSocket inactivity/heartbeat timeout.
- **chat-server**: Implemented Graceful Shutdown handling for OS signals (SIGTERM/SIGINT).
- **backend-tests**: Fixed `RoomHandler` unit tests.
  - Refactored `RoomHandler` to use `RoomServiceInterface` for dependency injection.
  - Updated `CreateRoom` tests to match actual Service signatures.
  - Fixed `bitrate_handler_test.go` compilation errors.
  - Resolved global metric registration panics during testing.

### Removed
- **backend**: Deleted legacy maintenance code (`migrations_legacy/` and `src/cmd/main.go.legacy`).

### Known Issues
- **backend**: Some unit tests (`metrics_test.go`, `profile_handler_test.go`, `system_metrics_test.go`) are disabled due to bitrot/missing dependencies.
- **stream-server**: Compilation requires active Database connection (sqlx compile-time verification) or `sqlx-data.json`.
docs(remediation): add audit report, remediation plan and changelog skeleton 2025-12-06 12:25:54 +00:00			`# Changelog - Remediation "Full Audit Fix"`

			`## [Unreleased] - 2024-12-07`

			`### Security`
			`- chat-server: Implemented JWT Authentication Middleware for HTTP API.`
			- Secured `/api/messages` (POST) and `/api/messages/{id}` (GET).
			- Enforced permission checks (`can_send_message`, `can_read_conversation`).
			- Patched `sender_id` spoofing vulnerability by enforcing User ID from Token Claims.
			- backend: Resolved `veza_errors_total` metric collision preventing proper monitoring initialization.

			`### Fixed`
			- backend: Fixed `JobWorker` starvation issue by replacing blocking `time.Sleep` with non-blocking scheduler.
			- stream-server: Improved task safety by replacing unsafe `abort()` with graceful `join/await` for monitoring tasks.
			`- chat-server: Fixed resource leak by implementing 60s WebSocket inactivity/heartbeat timeout.`
			`- chat-server: Implemented Graceful Shutdown handling for OS signals (SIGTERM/SIGINT).`
			- backend-tests: Fixed `RoomHandler` unit tests.
			- Refactored `RoomHandler` to use `RoomServiceInterface` for dependency injection.
			- Updated `CreateRoom` tests to match actual Service signatures.
			- Fixed `bitrate_handler_test.go` compilation errors.
			`- Resolved global metric registration panics during testing.`

			`### Removed`
			- backend: Deleted legacy maintenance code (`migrations_legacy/` and `src/cmd/main.go.legacy`).

			`### Known Issues`
			- backend: Some unit tests (`metrics_test.go`, `profile_handler_test.go`, `system_metrics_test.go`) are disabled due to bitrot/missing dependencies.
			- stream-server: Compilation requires active Database connection (sqlx compile-time verification) or `sqlx-data.json`.