docs: update API_REFERENCE, CHANGELOG, FEATURE_STATUS, PROJECT_STATE for v0.803

2026-03-03 09:25:20 +01:00 · 2026-03-03 09:25:20 +01:00 · 1e4ed6ef87
commit 1e4ed6ef87
parent 354c747cce
5 changed files with 37 additions and 11 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -69,10 +69,12 @@
 - MSW handlers: reports, announcements, feature flags, maintenance
 - Swagger annotations: privacy opt-out, account deletion
 - Unit tests: CCPA, reports, announcements, feature flags handlers
+- DDoS rate limiting (SEC1-04): global 1000 req/s, per-IP 100 req/s, Redis sliding window 1s
+- AdminSettingsView: SETTINGS tab in AdminDashboardView (announcements, feature flags, maintenance)

 ### Changed
 - AdminSettingsView: local state replaced by API calls for maintenance, feature flags, announcements
- AdminModerationView: mock replaced by GET /admin/reports, resolve via POST
+- AdminModerationView: mock replaced by GET /admin/reports, resolve via POST; actions aligned to dismiss/warn/ban

 ---

--- a/docs/API_REFERENCE.md
+++ b/docs/API_REFERENCE.md
@ -709,10 +709,22 @@ Request GDPR data export. Returns 202 Accepted; export runs asynchronously. User

 ## Security & Compliance (v0.803)

+### Security Headers (SEC1)
+
+All responses include: `Content-Security-Policy`, `X-Frame-Options: DENY`, `X-Content-Type-Options: nosniff`, `Referrer-Policy`, `Permissions-Policy`. In production: `Strict-Transport-Security` (HSTS).
+
+### DDoS Rate Limiting (SEC1-04)
+
+Global: 1000 req/s. Per-IP: 100 req/s. Window: 1 second. Excluded: `/health`, `/swagger`, auth endpoints. Headers: `X-RateLimit-Limit`, `X-RateLimit-Remaining`.
+
 ### Audit Middleware

 All POST, PUT, DELETE requests are automatically logged to the audit service (user, action, resource, IP). Skipped paths: `/health`, `/metrics`, `/swagger`, `/api/v1/admin`.

+### API Keys (DEV1)
+
+Alternative to Bearer token: send `X-API-Key: veza_sk_...` header. Create via `POST /developer/api-keys`. Raw key returned only on create.
+
 ### CCPA / Sec-GPC

 When the client sends `Sec-GPC: 1` (Global Privacy Control), the server sets `do_not_sell=true` in context and responds with `GPC: 1`.
--- a/docs/FEATURE_STATUS.md
+++ b/docs/FEATURE_STATUS.md
@ -240,14 +240,22 @@ Voir [V0_703_RELEASE_SCOPE.md](V0_703_RELEASE_SCOPE.md) pour le détail.

 | Lot | Feature |
 |-----|---------|
-| SEC1 | Audit middleware : auto-log POST/PUT/DELETE |
+| SEC1 | Security headers : CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy |
+| SEC1 | DDoS rate limiting : global 1000 req/s, per-IP 100 req/s (Redis sliding window 1s) |
+| SEC2 | Audit : middleware auto-log POST/PUT/DELETE, migration audit_logs, GET /admin/audit/logs |
 | SEC2 | CCPA : Sec-GPC header, POST /users/me/privacy/opt-out |
-| SEC3 | Account deletion : anonymisation, S3 cleanup, session revocation |
-| ADM1 | Modération : reports CRUD, GET /admin/reports, POST /admin/reports/:id/resolve |
-| ADM2 | Maintenance mode : middleware 503, PUT/GET /admin/maintenance |
-| ADM3 | Annonces : CRUD, GET /announcements/active (public) |
-| ADM4 | Feature flags : DB persistence, GET/PUT /admin/feature-flags |
-| FE1 | AdminSettingsView, AdminModerationView, AnnouncementBanner connectés |
+| SEC2 | Account deletion : DELETE /users/me, anonymisation, S3 cleanup, session revocation |
+| DEV1 | OpenAPI/Swagger : GET /swagger/*, annotations handlers |
+| DEV1 | API keys : POST/GET/DELETE /developer/api-keys, auth via X-API-Key header |
+| ADM1 | Modération : reports CRUD, GET /admin/reports, POST /admin/reports/:id/resolve (dismiss, warn, ban) |
+| ADM1 | Maintenance mode : middleware 503, PUT/GET /admin/maintenance |
+| ADM1 | Annonces : CRUD admin, GET /announcements/active (public) |
+| ADM1 | Feature flags : DB persistence, GET/PUT /admin/feature-flags |
+| FE1 | AdminSettingsView (onglet SETTINGS) : maintenance, feature flags, annonces |
+| FE1 | AdminModerationView : actions dismiss/warn/ban alignées backend |
+| FE1 | AnnouncementBanner global, AccountSettingsDeleteCard (type DELETE to confirm) |
+
+Voir [V0_803_RELEASE_SCOPE.md](V0_803_RELEASE_SCOPE.md) pour le détail.

 ## Prévu en v0.403 (Phase 4 Commerce — suite)

--- a/docs/PLAN_V0_803_IMPLEMENTATION.md
+++ b/docs/PLAN_V0_803_IMPLEMENTATION.md
@ -1,6 +1,6 @@
 # Plan d'implémentation v0.803 — Sécurité, Compliance & Outillage Dev

-**Statut** : En cours
+**Statut** : Terminé
 **Date de création** : 2026-02-25
 **Estimation révisée** : ~2 sprints (10 jours ouvrés) — réduit car beaucoup de features déjà partiellement implémentées

--- a/docs/PROJECT_STATE.md
+++ b/docs/PROJECT_STATE.md
@ -74,10 +74,14 @@
 - Sécurité : Trivy container scanning CI

 ### v0.803 (Phase 8 — Sécurité, Compliance & Outillage Dev)
- Audit middleware HTTP (POST/PUT/DELETE auto-log)
+- Security headers (CSP, HSTS, X-Frame-Options, etc.)
+- DDoS rate limiting: global 1000 req/s, per-IP 100 req/s
+- Audit middleware HTTP (POST/PUT/DELETE auto-log), GET /admin/audit/logs
 - CCPA Sec-GPC, opt-out endpoint
 - Account deletion hardening (anonymisation, S3, sessions)
- Moderation queue (reports CRUD)
+- Moderation queue (reports CRUD, actions dismiss/warn/ban)
+- Maintenance mode, announcements, feature flags
+- AdminSettingsView (onglet SETTINGS) : maintenance, feature flags, annonces
 - Maintenance mode (503, admin toggle)
 - Announcements CRUD, GET /announcements/active
 - Feature flags DB persistence