veza/docker-compose.dev.yml

# =============================================================================
# VEZA - Development Infrastructure (TASK-QA-010)
# =============================================================================
# Infra-only stack for local development. Applications (backend, stream, web)
# run locally with hot reload via make dev, make dev-full, etc.
#
# Usage:
#   docker compose -f docker-compose.dev.yml up -d
#   make dev   # uses infra-up which can target this file via COMPOSE_FILE
#
# Override: COMPOSE_FILE=docker-compose.dev.yml make infra-up
# =============================================================================

services:
  postgres:
    image: postgres:16-alpine
    container_name: veza_postgres
    restart: unless-stopped
    environment:
      POSTGRES_USER: ${POSTGRES_USER:-veza}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-devpassword}
      POSTGRES_DB: ${POSTGRES_DB:-veza}
    ports:
      - "${PORT_POSTGRES:-15432}:5432"
    volumes:
      - postgres_data:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U veza"]
      interval: 5s
      timeout: 5s
      retries: 5
    networks:
      - veza-net
    deploy:
      resources:
        limits:
          cpus: '0.50'
          memory: 256M
        reservations:
          memory: 128M

  redis:
    image: redis:7-alpine
    container_name: veza_redis
    restart: unless-stopped
    ports:
      - "${PORT_REDIS:-16379}:6379"
    volumes:
      - redis_data:/data
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 5s
      timeout: 3s
      retries: 5
    networks:
      - veza-net
    deploy:
      resources:
        limits:
          cpus: '0.25'
          memory: 64M
        reservations:
          memory: 32M

  rabbitmq:
    image: rabbitmq:3-management-alpine
    container_name: veza_rabbitmq
    restart: unless-stopped
    environment:
      RABBITMQ_DEFAULT_USER: ${RABBITMQ_DEFAULT_USER:-veza}
      RABBITMQ_DEFAULT_PASS: ${RABBITMQ_DEFAULT_PASS:-devpassword}
    ports:
      - "${PORT_RABBITMQ_AMQP:-15672}:5672"
      - "${PORT_RABBITMQ_MGMT:-25672}:15672"
    volumes:
      - rabbitmq_data:/var/lib/rabbitmq
    healthcheck:
      test: rabbitmq-diagnostics -q check_port_connectivity
      interval: 5s
      timeout: 5s
      retries: 12
      start_period: 40s
    networks:
      - veza-net
    deploy:
      resources:
        limits:
          cpus: '0.50'
          memory: 512M
        reservations:
          memory: 256M

  # SECURITY(MEDIUM-003): Pin ClamAV image to specific version instead of :latest
  clamav:
    image: clamav/clamav:1.4
    container_name: veza_clamav
    restart: unless-stopped
    ports:
      - "${PORT_CLAMAV:-13310}:3310"
    networks:
      - veza-net
    healthcheck:
      test: ["CMD", "clamdscan", "--ping", "1"]
      interval: 30s
      timeout: 10s
      retries: 5
      start_period: 180s
    deploy:
      resources:
        limits:
          cpus: '0.5'
          memory: 1G

  # MailHog - Local SMTP capture (dev only)
  # Backend points SMTP_HOST=localhost:1025 (when running on host) or mailhog:1025
  # (container) and outbound mail shows up in the web UI on port 8025.
  mailhog:
    image: mailhog/mailhog:v1.0.1
    container_name: veza_mailhog
    restart: unless-stopped
    ports:
      - "${PORT_MAILHOG_SMTP:-1025}:1025"
      - "${PORT_MAILHOG_UI:-8025}:8025"
    networks:
      - veza-net
    deploy:
      resources:
        limits:
          cpus: '0.10'
          memory: 64M

  minio:
    image: minio/minio:RELEASE.2025-09-07T16-13-09Z
    container_name: veza_minio
    restart: unless-stopped
    command: server /data --console-address ":9001"
    environment:
      MINIO_ROOT_USER: ${AWS_ACCESS_KEY_ID:-minioadmin}
      MINIO_ROOT_PASSWORD: ${AWS_SECRET_ACCESS_KEY:-minioadmin}
    ports:
      - "${PORT_MINIO:-19000}:9000"
      - "${PORT_MINIO_CONSOLE:-19001}:9001"
    volumes:
      - minio_data:/data
    healthcheck:
      test: ["CMD", "mc", "ready", "local"]
      interval: 10s
      timeout: 5s
      retries: 5
    networks:
      - veza-net

  minio-init:
    image: minio/mc:RELEASE.2025-09-07T05-25-40Z
    depends_on:
      minio:
        condition: service_healthy
    entrypoint: >
      /bin/sh -c "
      mc alias set veza http://minio:9000 $${MINIO_ROOT_USER:-minioadmin} $${MINIO_ROOT_PASSWORD:-minioadmin};
      mc mb --ignore-existing veza/veza-files;
      mc anonymous set download veza/veza-files/public;
      exit 0;
      "
    environment:
      MINIO_ROOT_USER: ${AWS_ACCESS_KEY_ID:-minioadmin}
      MINIO_ROOT_PASSWORD: ${AWS_SECRET_ACCESS_KEY:-minioadmin}
    networks:
      - veza-net

  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.11.0
    container_name: veza_elasticsearch
    restart: unless-stopped
    environment:
      - discovery.type=single-node
      # SECURITY(LOW-004): Enable xpack security. Set ELASTIC_PASSWORD in .env for dev.
      - xpack.security.enabled=true
      - ELASTIC_PASSWORD=${ELASTIC_PASSWORD:-devpassword}
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ports:
      - "${PORT_ELASTICSEARCH:-19200}:9200"
    volumes:
      - elasticsearch_data:/usr/share/elasticsearch/data
    healthcheck:
      test: ["CMD-SHELL", "curl -s http://localhost:9200/_cluster/health || exit 1"]
      interval: 10s
      timeout: 5s
      retries: 10
      start_period: 60s
    networks:
      - veza-net
    deploy:
      resources:
        limits:
          cpus: '0.5'
          memory: 1G

volumes:
  postgres_data:
  redis_data:
  rabbitmq_data:
  minio_data:
  elasticsearch_data:

networks:
  veza-net:
    driver: bridge
v0.9.3 2026-03-05 18:35:57 +00:00			`# =============================================================================`
			`# VEZA - Development Infrastructure (TASK-QA-010)`
			`# =============================================================================`
			`# Infra-only stack for local development. Applications (backend, stream, web)`
			`# run locally with hot reload via make dev, make dev-full, etc.`
			`#`
			`# Usage:`
			`# docker compose -f docker-compose.dev.yml up -d`
			`# make dev # uses infra-up which can target this file via COMPOSE_FILE`
			`#`
			`# Override: COMPOSE_FILE=docker-compose.dev.yml make infra-up`
			`# =============================================================================`

			`services:`
			`postgres:`
			`image: postgres:16-alpine`
			`container_name: veza_postgres`
			`restart: unless-stopped`
			`environment:`
			`POSTGRES_USER: ${POSTGRES_USER:-veza}`
			`POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-devpassword}`
			`POSTGRES_DB: ${POSTGRES_DB:-veza}`
			`ports:`
			`- "${PORT_POSTGRES:-15432}:5432"`
			`volumes:`
			`- postgres_data:/var/lib/postgresql/data`
			`healthcheck:`
			`test: ["CMD-SHELL", "pg_isready -U veza"]`
			`interval: 5s`
			`timeout: 5s`
			`retries: 5`
			`networks:`
			`- veza-net`
			`deploy:`
			`resources:`
			`limits:`
			`cpus: '0.50'`
			`memory: 256M`
			`reservations:`
			`memory: 128M`

			`redis:`
			`image: redis:7-alpine`
			`container_name: veza_redis`
			`restart: unless-stopped`
			`ports:`
			`- "${PORT_REDIS:-16379}:6379"`
			`volumes:`
			`- redis_data:/data`
			`healthcheck:`
			`test: ["CMD", "redis-cli", "ping"]`
			`interval: 5s`
			`timeout: 3s`
			`retries: 5`
			`networks:`
			`- veza-net`
			`deploy:`
			`resources:`
			`limits:`
			`cpus: '0.25'`
			`memory: 64M`
			`reservations:`
			`memory: 32M`

			`rabbitmq:`
			`image: rabbitmq:3-management-alpine`
			`container_name: veza_rabbitmq`
			`restart: unless-stopped`
			`environment:`
			`RABBITMQ_DEFAULT_USER: ${RABBITMQ_DEFAULT_USER:-veza}`
			`RABBITMQ_DEFAULT_PASS: ${RABBITMQ_DEFAULT_PASS:-devpassword}`
			`ports:`
			`- "${PORT_RABBITMQ_AMQP:-15672}:5672"`
			`- "${PORT_RABBITMQ_MGMT:-25672}:15672"`
			`volumes:`
			`- rabbitmq_data:/var/lib/rabbitmq`
			`healthcheck:`
chore: infrastructure — docker, makefile, dependencies Update docker-compose configs (dev + main). Refine infra makefile. Update npm dependencies. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-23 15:05:48 +00:00			`test: rabbitmq-diagnostics -q check_port_connectivity`
v0.9.3 2026-03-05 18:35:57 +00:00			`interval: 5s`
			`timeout: 5s`
chore: infrastructure — docker, makefile, dependencies Update docker-compose configs (dev + main). Refine infra makefile. Update npm dependencies. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-23 15:05:48 +00:00			`retries: 12`
v0.9.3 2026-03-05 18:35:57 +00:00			`start_period: 40s`
			`networks:`
			`- veza-net`
			`deploy:`
			`resources:`
			`limits:`
			`cpus: '0.50'`
			`memory: 512M`
			`reservations:`
			`memory: 256M`

fix(v0.12.6.1): remediate remaining 15 MEDIUM + LOW pentest findings MEDIUM-002: Remove manual X-Forwarded-For parsing in metrics_protection.go, use c.ClientIP() only (respects SetTrustedProxies) MEDIUM-003: Pin ClamAV Docker image to 1.4 across all compose files MEDIUM-004: Add clampLimit(100) to 15+ handlers that parsed limit directly MEDIUM-006: Remove unsafe-eval from CSP script-src on Swagger routes MEDIUM-007: Pin all GitHub Actions to SHA in 11 workflow files MEDIUM-008: Replace rabbitmq:3-management-alpine with rabbitmq:3-alpine in prod MEDIUM-009: Add trial-already-used check in subscription service MEDIUM-010: Add 60s periodic token re-validation to WebSocket connections MEDIUM-011: Mask email in auth handler logs with maskEmail() helper MEDIUM-012: Add k-anonymity threshold (k=5) to playback analytics stats LOW-001: Align frontend password policy to 12 chars (matching backend) LOW-003: Replace deprecated dotenv with dotenvy crate in Rust stream server LOW-004: Enable xpack.security in Elasticsearch dev/local compose files LOW-005: Accept context.Context in CleanupExpiredSessions instead of Background() LOW-002: Noted — Hyperswitch version update deferred (requires payment integration tests) 29/30 findings remediated. 1 noted (LOW-002). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-12 05:13:38 +00:00			`# SECURITY(MEDIUM-003): Pin ClamAV image to specific version instead of :latest`
v0.9.3 2026-03-05 18:35:57 +00:00			`clamav:`
fix(v0.12.6.1): remediate remaining 15 MEDIUM + LOW pentest findings MEDIUM-002: Remove manual X-Forwarded-For parsing in metrics_protection.go, use c.ClientIP() only (respects SetTrustedProxies) MEDIUM-003: Pin ClamAV Docker image to 1.4 across all compose files MEDIUM-004: Add clampLimit(100) to 15+ handlers that parsed limit directly MEDIUM-006: Remove unsafe-eval from CSP script-src on Swagger routes MEDIUM-007: Pin all GitHub Actions to SHA in 11 workflow files MEDIUM-008: Replace rabbitmq:3-management-alpine with rabbitmq:3-alpine in prod MEDIUM-009: Add trial-already-used check in subscription service MEDIUM-010: Add 60s periodic token re-validation to WebSocket connections MEDIUM-011: Mask email in auth handler logs with maskEmail() helper MEDIUM-012: Add k-anonymity threshold (k=5) to playback analytics stats LOW-001: Align frontend password policy to 12 chars (matching backend) LOW-003: Replace deprecated dotenv with dotenvy crate in Rust stream server LOW-004: Enable xpack.security in Elasticsearch dev/local compose files LOW-005: Accept context.Context in CleanupExpiredSessions instead of Background() LOW-002: Noted — Hyperswitch version update deferred (requires payment integration tests) 29/30 findings remediated. 1 noted (LOW-002). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-12 05:13:38 +00:00			`image: clamav/clamav:1.4`
v0.9.3 2026-03-05 18:35:57 +00:00			`container_name: veza_clamav`
			`restart: unless-stopped`
			`ports:`
			`- "${PORT_CLAMAV:-13310}:3310"`
			`networks:`
			`- veza-net`
			`healthcheck:`
			`test: ["CMD", "clamdscan", "--ping", "1"]`
			`interval: 30s`
			`timeout: 10s`
			`retries: 5`
			`start_period: 180s`
			`deploy:`
			`resources:`
			`limits:`
			`cpus: '0.5'`
			`memory: 1G`

fix(backend,infra): send real verification emails + fail-loud in prod Registration was setting `IsVerified: true` at user-create time and the "send email" block was a `logger.Info("Sending verification email")` — no SMTP call. On production this meant any attacker-typo or typosquat email got a fully-verified account because the user never had to prove ownership. In development the hack let people "log in" without checking MailHog, masking SMTP misconfiguration. Changes: * `core/auth/service.go`: new users start with `IsVerified: false`. The existing `POST /auth/verify-email` flow (unchanged) flips the bit when the user clicks the link. * Registration now calls `emailService.SendVerificationEmail(...)` for real. On SMTP failure the handler returns `500` in production (no stuck account with no recovery path) and logs a warning in development (local sign-ups keep flowing). * Same treatment for `password_reset_handler.RequestPasswordReset` — production fails loud instead of returning the generic success message after a silent SMTP drop. * New helper `isProductionEnv()` centralises the `APP_ENV=="production"` check in both `core/auth` and `handlers`. * `docker-compose.yml` + `docker-compose.dev.yml` now ship MailHog (`mailhog/mailhog:v1.0.1`, SMTP 1025, UI 8025). Backend dev env vars `SMTP_HOST=mailhog SMTP_PORT=1025` pre-wired so dev sign-ups actually deliver. Tests: auth test mocks updated (`expectRegister` adds a `SendVerificationEmail` mock). `TestAuthService_Login_Success` + `TestAuthHandler_Login_Success` flip `is_verified` directly after `Register` to simulate the verification click. `TestLogin_EmailNotVerified` now asserts `403` (previously asserted `200` — the test was codifying the bug this commit fixes). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-16 12:52:46 +00:00			`# MailHog - Local SMTP capture (dev only)`
			`# Backend points SMTP_HOST=localhost:1025 (when running on host) or mailhog:1025`
			`# (container) and outbound mail shows up in the web UI on port 8025.`
			`mailhog:`
			`image: mailhog/mailhog:v1.0.1`
			`container_name: veza_mailhog`
			`restart: unless-stopped`
			`ports:`
			`- "${PORT_MAILHOG_SMTP:-1025}:1025"`
			`- "${PORT_MAILHOG_UI:-8025}:8025"`
			`networks:`
			`- veza-net`
			`deploy:`
			`resources:`
			`limits:`
			`cpus: '0.10'`
			`memory: 64M`

v0.9.3 2026-03-05 18:35:57 +00:00			`minio:`
chore(docker): pin MinIO + mc to dated release tags MinIO images were pinned to `:latest` in 4 compose files — supply- chain risk (auto-updates on every `docker compose pull`, bit-rot if upstream changes behavior). Pin to dated RELEASE.* tags documented by MinIO (conservative Sep 2025 release). Changed: docker-compose.yml ×2 (minio + mc) docker-compose.dev.yml ×2 docker-compose.prod.yml ×2 docker-compose.staging.yml ×2 Tags: minio/minio:RELEASE.2025-09-07T16-13-09Z minio/mc:RELEASE.2025-09-07T05-25-40Z Operator should bump to latest verified release when they next revisit infra. Tag chosen conservatively — if it does not exist in local Docker cache, `docker compose pull` will surface the error immediately (safer than silent drift). Refs: AUDIT_REPORT.md §6.1 Dette 1 (MinIO :latest 4 occurrences). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-04-20 18:32:01 +00:00			`image: minio/minio:RELEASE.2025-09-07T16-13-09Z`
v0.9.3 2026-03-05 18:35:57 +00:00			`container_name: veza_minio`
			`restart: unless-stopped`
			`command: server /data --console-address ":9001"`
			`environment:`
			`MINIO_ROOT_USER: ${AWS_ACCESS_KEY_ID:-minioadmin}`
			`MINIO_ROOT_PASSWORD: ${AWS_SECRET_ACCESS_KEY:-minioadmin}`
			`ports:`
			`- "${PORT_MINIO:-19000}:9000"`
			`- "${PORT_MINIO_CONSOLE:-19001}:9001"`
			`volumes:`
			`- minio_data:/data`
			`healthcheck:`
			`test: ["CMD", "mc", "ready", "local"]`
			`interval: 10s`
			`timeout: 5s`
			`retries: 5`
			`networks:`
			`- veza-net`

			`minio-init:`
chore(docker): pin MinIO + mc to dated release tags MinIO images were pinned to `:latest` in 4 compose files — supply- chain risk (auto-updates on every `docker compose pull`, bit-rot if upstream changes behavior). Pin to dated RELEASE.* tags documented by MinIO (conservative Sep 2025 release). Changed: docker-compose.yml ×2 (minio + mc) docker-compose.dev.yml ×2 docker-compose.prod.yml ×2 docker-compose.staging.yml ×2 Tags: minio/minio:RELEASE.2025-09-07T16-13-09Z minio/mc:RELEASE.2025-09-07T05-25-40Z Operator should bump to latest verified release when they next revisit infra. Tag chosen conservatively — if it does not exist in local Docker cache, `docker compose pull` will surface the error immediately (safer than silent drift). Refs: AUDIT_REPORT.md §6.1 Dette 1 (MinIO :latest 4 occurrences). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-04-20 18:32:01 +00:00			`image: minio/mc:RELEASE.2025-09-07T05-25-40Z`
v0.9.3 2026-03-05 18:35:57 +00:00			`depends_on:`
			`minio:`
			`condition: service_healthy`
			`entrypoint: >`
			`/bin/sh -c "`
			`mc alias set veza http://minio:9000 $${MINIO_ROOT_USER:-minioadmin} $${MINIO_ROOT_PASSWORD:-minioadmin};`
			`mc mb --ignore-existing veza/veza-files;`
			`mc anonymous set download veza/veza-files/public;`
			`exit 0;`
			`"`
			`environment:`
			`MINIO_ROOT_USER: ${AWS_ACCESS_KEY_ID:-minioadmin}`
			`MINIO_ROOT_PASSWORD: ${AWS_SECRET_ACCESS_KEY:-minioadmin}`
			`networks:`
			`- veza-net`

feat(v0.10.2): Recherche fulltext Elasticsearch - F361-F365 - Elasticsearch 8.x dans docker-compose.dev - Package internal/elasticsearch: client, config, mappings, indices - Sync PG→ES: reindex tracks/users/playlists, IndexTrack/DeleteTrack - SearchService ES: multi_match + fuzziness (typo tolerance), highlighting - Fallback gracieux: PostgreSQL si ELASTICSEARCH_URL absent - Routes: GET /search, GET /search/suggestions, POST /admin/search/reindex - Frontend: searchApi cursor/limit params (extensibilité) - docs/ENV_VARIABLES: ELASTICSEARCH_URL, ELASTICSEARCH_INDEX, ELASTICSEARCH_AUTO_INDEX - Roadmap v0.10.2 → DONE 2026-03-09 09:13:18 +00:00			`elasticsearch:`
			`image: docker.elastic.co/elasticsearch/elasticsearch:8.11.0`
			`container_name: veza_elasticsearch`
			`restart: unless-stopped`
			`environment:`
			`- discovery.type=single-node`
fix(v0.12.6.1): remediate remaining 15 MEDIUM + LOW pentest findings MEDIUM-002: Remove manual X-Forwarded-For parsing in metrics_protection.go, use c.ClientIP() only (respects SetTrustedProxies) MEDIUM-003: Pin ClamAV Docker image to 1.4 across all compose files MEDIUM-004: Add clampLimit(100) to 15+ handlers that parsed limit directly MEDIUM-006: Remove unsafe-eval from CSP script-src on Swagger routes MEDIUM-007: Pin all GitHub Actions to SHA in 11 workflow files MEDIUM-008: Replace rabbitmq:3-management-alpine with rabbitmq:3-alpine in prod MEDIUM-009: Add trial-already-used check in subscription service MEDIUM-010: Add 60s periodic token re-validation to WebSocket connections MEDIUM-011: Mask email in auth handler logs with maskEmail() helper MEDIUM-012: Add k-anonymity threshold (k=5) to playback analytics stats LOW-001: Align frontend password policy to 12 chars (matching backend) LOW-003: Replace deprecated dotenv with dotenvy crate in Rust stream server LOW-004: Enable xpack.security in Elasticsearch dev/local compose files LOW-005: Accept context.Context in CleanupExpiredSessions instead of Background() LOW-002: Noted — Hyperswitch version update deferred (requires payment integration tests) 29/30 findings remediated. 1 noted (LOW-002). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-12 05:13:38 +00:00			`# SECURITY(LOW-004): Enable xpack security. Set ELASTIC_PASSWORD in .env for dev.`
			`- xpack.security.enabled=true`
			`- ELASTIC_PASSWORD=${ELASTIC_PASSWORD:-devpassword}`
feat(v0.10.2): Recherche fulltext Elasticsearch - F361-F365 - Elasticsearch 8.x dans docker-compose.dev - Package internal/elasticsearch: client, config, mappings, indices - Sync PG→ES: reindex tracks/users/playlists, IndexTrack/DeleteTrack - SearchService ES: multi_match + fuzziness (typo tolerance), highlighting - Fallback gracieux: PostgreSQL si ELASTICSEARCH_URL absent - Routes: GET /search, GET /search/suggestions, POST /admin/search/reindex - Frontend: searchApi cursor/limit params (extensibilité) - docs/ENV_VARIABLES: ELASTICSEARCH_URL, ELASTICSEARCH_INDEX, ELASTICSEARCH_AUTO_INDEX - Roadmap v0.10.2 → DONE 2026-03-09 09:13:18 +00:00			`- "ES_JAVA_OPTS=-Xms512m -Xmx512m"`
			`ports:`
			`- "${PORT_ELASTICSEARCH:-19200}:9200"`
			`volumes:`
			`- elasticsearch_data:/usr/share/elasticsearch/data`
			`healthcheck:`
			`test: ["CMD-SHELL", "curl -s http://localhost:9200/_cluster/health \|\| exit 1"]`
			`interval: 10s`
			`timeout: 5s`
			`retries: 10`
			`start_period: 60s`
			`networks:`
			`- veza-net`
			`deploy:`
			`resources:`
			`limits:`
			`cpus: '0.5'`
			`memory: 1G`

v0.9.3 2026-03-05 18:35:57 +00:00			`volumes:`
			`postgres_data:`
			`redis_data:`
			`rabbitmq_data:`
			`minio_data:`
feat(v0.10.2): Recherche fulltext Elasticsearch - F361-F365 - Elasticsearch 8.x dans docker-compose.dev - Package internal/elasticsearch: client, config, mappings, indices - Sync PG→ES: reindex tracks/users/playlists, IndexTrack/DeleteTrack - SearchService ES: multi_match + fuzziness (typo tolerance), highlighting - Fallback gracieux: PostgreSQL si ELASTICSEARCH_URL absent - Routes: GET /search, GET /search/suggestions, POST /admin/search/reindex - Frontend: searchApi cursor/limit params (extensibilité) - docs/ENV_VARIABLES: ELASTICSEARCH_URL, ELASTICSEARCH_INDEX, ELASTICSEARCH_AUTO_INDEX - Roadmap v0.10.2 → DONE 2026-03-09 09:13:18 +00:00			`elasticsearch_data:`
v0.9.3 2026-03-05 18:35:57 +00:00
			`networks:`
			`veza-net:`
			`driver: bridge`