feat(v0.923): API contract tests, OpenAPI generation, CI type sync check

2026-02-27 20:23:10 +01:00 · 2026-02-27 20:23:10 +01:00 · 72d40990c5
commit 72d40990c5
parent 7cb4ef56e1
68 changed files with 9308 additions and 4702 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -143,9 +143,15 @@ jobs:
        ./scripts/generate-types.sh
      continue-on-error: false
      # This step ensures types are generated before typecheck
      # If types don't match spec, CI will fail
      # Cache keyed on openapi.yaml hash, so types regenerate when spec changes
    - name: Check types sync with OpenAPI spec
      run: |
        if ! git diff --exit-code apps/web/src/types/generated/; then
          echo "::error::Types are out of sync with openapi.yaml. Run 'make openapi' then 'cd apps/web && ./scripts/generate-types.sh' and commit the updated types."
          exit 1
        fi
    - name: Lint
      run: npx turbo run lint --filter=veza-frontend
--- a/2
+++ b/2
@ -1 +1 @@
-0.912
+0.923
--- a/apps/web/package.json
+++ b/apps/web/package.json
@ -42,6 +42,7 @@
    "report:arbitrary": "node scripts/report-arbitrary-values.mjs",
    "typecheck": "tsc --noEmit",
    "generate:types": "bash ./scripts/generate-types.sh",
    "check:types-sync": "bash ./scripts/check-types-sync.sh",
    "validate:schemas": "vitest run src/schemas",
    "validate:types": "npm run typecheck",
    "validate:all": "npm run validate:types && npm run validate:schemas",
--- a/apps/web/scripts/check-types-sync.sh
+++ b/apps/web/scripts/check-types-sync.sh
@ -0,0 +1,24 @@
 #!/bin/bash
 # Check that generated TypeScript types match the committed version.
 # Fails if openapi.yaml changed without regenerating types.
 # Usage: ./scripts/check-types-sync.sh (from apps/web)
 set -e
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
 cd "$PROJECT_ROOT"
 # Regenerate types
 ./scripts/generate-types.sh
 # Check for uncommitted changes
 if ! git diff --exit-code src/types/generated/; then
  echo "Error: Types are out of sync with openapi.yaml."
  echo "Run: make openapi && cd apps/web && ./scripts/generate-types.sh"
  echo "Then commit the updated types."
  exit 1
 fi
 echo "Types are in sync with openapi.yaml."
--- a/apps/web/src/features/cloud/components/CloudFileVersions.stories.tsx
+++ b/apps/web/src/features/cloud/components/CloudFileVersions.stories.tsx
@ -38,3 +38,20 @@ export const Empty: Story = {
    },
  },
 };
 export const Loading: Story = {
  args: {
    ...WithVersions.args,
    fileId: 'loading-file-id',
  },
  parameters: {
    msw: {
      handlers: [
        http.get('*/api/v1/cloud/files/:id/versions', async () => {
          await new Promise((r) => setTimeout(r, 2000));
          return HttpResponse.json({ versions: [] });
        }),
      ],
    },
  },
 };
--- a/apps/web/src/features/inventory/components/gear/GearCard.stories.tsx
+++ b/apps/web/src/features/inventory/components/gear/GearCard.stories.tsx
@ -0,0 +1,38 @@
 import type { Meta, StoryObj } from '@storybook/react';
 import { GearCard } from './GearCard';
 import { mockGearInventory } from './mockGear';
 const meta: Meta<typeof GearCard> = {
  title: 'Components/Features/Inventory/GearCard',
  component: GearCard,
  parameters: {
    layout: 'centered',
  },
 };
 export default meta;
 type Story = StoryObj<typeof GearCard>;
 export const Default: Story = {
  args: {
    item: mockGearInventory[0],
    onClick: () => {},
  },
 };
 export const WarrantyExpiringSoon: Story = {
  args: {
    item: {
      ...mockGearInventory[0],
      warrantyExpire: new Date(Date.now() + 15 * 24 * 60 * 60 * 1000).toISOString().slice(0, 10),
    },
    onClick: () => {},
  },
 };
 export const Maintenance: Story = {
  args: {
    item: mockGearInventory[2],
    onClick: () => {},
  },
 };
--- a/apps/web/src/features/inventory/components/gear/GearCard.tsx
+++ b/apps/web/src/features/inventory/components/gear/GearCard.tsx
@ -20,8 +20,11 @@ export function GearCard({ item, onClick, className }: GearCardProps) {
      className={cn('group cursor-pointer hover:border-border transition-colors', className)}
      onClick={onClick}
    >
-      <div className="flex items-start justify-between mb-4">
+      <div className="flex items-start justify-between mb-4 gap-2 flex-wrap">
        <Badge label={item.category} variant="terminal" />
        {warranty.daysLeft != null && warranty.daysLeft >= 0 && warranty.daysLeft <= 30 && (
          <Badge label={`Warranty ${warranty.daysLeft}d`} variant="warning" size="sm" />
        )}
        <div className={cn('px-2 py-0.5 rounded text-xs font-bold uppercase', statusBg)}>{item.status}</div>
      </div>
--- a/apps/web/src/features/inventory/components/gear/GearDetailModal.tsx
+++ b/apps/web/src/features/inventory/components/gear/GearDetailModal.tsx
@ -322,7 +322,7 @@ export function GearDetailModal({
                    variant="ghost"
                    size="sm"
                    className="w-full mt-2 text-xs border border-dashed border-border"
-                    onClick={() => onUploadDocument?.(item)}
+                    onClick={() => setActiveTab('documents')}
                  >
                    <Plus className="w-3 h-3 mr-1" /> Upload Document
                  </Button>
--- a/apps/web/src/types/generated/.openapi-generator/FILES
+++ b/apps/web/src/types/generated/.openapi-generator/FILES
@ -4,15 +4,7 @@ api.ts
 base.ts
 common.ts
 configuration.ts
-docs/AnalyticsApi.md
+docs/ApiV1DashboardGet200Response.md
 docs/AnalyticsEventsPost200Response.md
 docs/AnalyticsEventsPost200ResponseAllOfData.md
 docs/AnalyticsGet200Response.md
 docs/AnalyticsGet200ResponseAllOfData.md
 docs/AnalyticsTracksIdGet200Response.md
 docs/AnalyticsTracksIdGet200ResponseAllOfData.md
 docs/AnalyticsTracksTopGet200Response.md
 docs/AnalyticsTracksTopGet200ResponseAllOfData.md
 docs/ApiV1LogsFrontendPost200Response.md
 docs/ApiV1LogsFrontendPost200ResponseAllOfData.md
 docs/AuditActivityGet200Response.md
@ -22,6 +14,8 @@ docs/AuditLogsGet200Response.md
 docs/AuditLogsGet200ResponseAllOfData.md
 docs/AuditStatsGet200Response.md
 docs/AuditStatsGet200ResponseAllOfData.md
 docs/Auth2faDisablePost200Response.md
 docs/Auth2faDisablePost200ResponseAllOfData.md
 docs/Auth2faSetupPost200Response.md
 docs/Auth2faStatusGet200Response.md
 docs/Auth2faStatusGet200ResponseAllOfData.md
@ -38,26 +32,33 @@ docs/CommentsIdPut200Response.md
 docs/CommentsIdPut200ResponseAllOfData.md
 docs/CommentsIdRepliesGet200Response.md
 docs/CommentsIdRepliesGet200ResponseAllOfData.md
-docs/InternalCoreTrackBatchDeleteRequest.md
+docs/DashboardApi.md
 docs/InternalCoreTrackCompleteChunkedUploadRequest.md
 docs/InternalCoreTrackInitiateChunkedUploadRequest.md
 docs/InternalCoreTrackUpdateTrackRequest.md
 docs/InternalHandlersAPIResponse.md
 docs/InternalHandlersCreateCommentRequest.md
 docs/InternalHandlersCreateOrderRequest.md
 docs/InternalHandlersCreateOrderRequestItemsInner.md
 docs/InternalHandlersCreatePlaylistRequest.md
 docs/InternalHandlersCreateProductRequest.md
 docs/InternalHandlersCreateProductRequestLicensesInner.md
 docs/InternalHandlersDashboardResponse.md
 docs/InternalHandlersDashboardStats.md
 docs/InternalHandlersDeleteAccountRequest.md
 docs/InternalHandlersDisableTwoFactorRequest.md
 docs/InternalHandlersFrontendLogRequest.md
-docs/InternalHandlersRecordEventRequest.md
+docs/InternalHandlersLibraryPreview.md
-docs/InternalHandlersRecordPlayRequest.md
+docs/InternalHandlersRecentActivity.md
 docs/InternalHandlersReorderTracksRequest.md
 docs/InternalHandlersSetupTwoFactorResponse.md
 docs/InternalHandlersStreamTokenResponse.md
 docs/InternalHandlersTrackPreview.md
 docs/InternalHandlersUpdateCommentRequest.md
 docs/InternalHandlersUpdatePlaylistRequest.md
 docs/InternalHandlersUpdateProductRequest.md
 docs/InternalHandlersUpdateProfileRequest.md
 docs/InternalHandlersValidateRequest.md
 docs/InternalHandlersValidateResponse.md
 docs/InternalHandlersVerifyTwoFactorRequest.md
 docs/LoggingApi.md
 docs/MarketplaceApi.md
@ -68,19 +69,12 @@ docs/PlaylistsIdTracksPostRequest.md
 docs/PlaylistsPost201Response.md
 docs/PlaylistsPost201ResponseAllOfData.md
 docs/TrackApi.md
 docs/TracksBatchDeletePost200Response.md
 docs/TracksBatchDeletePost200ResponseAllOfData.md
 docs/TracksChunkPost200Response.md
 docs/TracksChunkPost200ResponseAllOfData.md
 docs/TracksCompletePost201Response.md
 docs/TracksCompletePost201ResponseAllOfData.md
 docs/TracksGet200Response.md
 docs/TracksGet200ResponseAllOfData.md
 docs/TracksIdAnalyticsPlaysGet200Response.md
 docs/TracksIdAnalyticsPlaysGet200ResponseAllOfData.md
 docs/TracksIdCommentsGet200Response.md
 docs/TracksIdCommentsGet200ResponseAllOfData.md
 docs/TracksIdDelete200Response.md
 docs/TracksIdStatusGet200Response.md
 docs/TracksIdStatusGet200ResponseAllOfData.md
 docs/TracksInitiatePost200Response.md
@ -92,14 +86,19 @@ docs/TracksQuotaIdGet200ResponseAllOfData.md
 docs/TracksResumeUploadIdGet200Response.md
 docs/TracksResumeUploadIdGet200ResponseAllOfData.md
 docs/UserApi.md
 docs/UsersApi.md
 docs/UsersGet200Response.md
 docs/UsersGet200ResponseAllOfData.md
 docs/UsersIdGet200Response.md
 docs/UsersIdGet200ResponseAllOfData.md
 docs/ValidationApi.md
 docs/VezaBackendApiInternalCoreMarketplaceLicenseType.md
 docs/VezaBackendApiInternalCoreMarketplaceOrder.md
 docs/VezaBackendApiInternalCoreMarketplaceOrderItem.md
 docs/VezaBackendApiInternalCoreMarketplaceProduct.md
 docs/VezaBackendApiInternalCoreMarketplaceProductImage.md
 docs/VezaBackendApiInternalCoreMarketplaceProductLicense.md
 docs/VezaBackendApiInternalCoreMarketplaceProductPreview.md
 docs/VezaBackendApiInternalCoreMarketplaceProductStatus.md
 docs/VezaBackendApiInternalDtoLoginRequest.md
 docs/VezaBackendApiInternalDtoLoginResponse.md
@ -109,6 +108,7 @@ docs/VezaBackendApiInternalDtoRegisterResponse.md
 docs/VezaBackendApiInternalDtoResendVerificationRequest.md
 docs/VezaBackendApiInternalDtoTokenResponse.md
 docs/VezaBackendApiInternalDtoUserResponse.md
 docs/VezaBackendApiInternalDtoValidationError.md
 docs/VezaBackendApiInternalModelsPlaylist.md
 docs/VezaBackendApiInternalModelsPlaylistCollaborator.md
 docs/VezaBackendApiInternalModelsPlaylistPermission.md
--- a/apps/web/src/types/generated/api.ts
+++ b/apps/web/src/types/generated/api.ts
--- a/apps/web/src/types/generated/docs/ApiV1DashboardGet200Response.md
+++ b/apps/web/src/types/generated/docs/ApiV1DashboardGet200Response.md
@ -0,0 +1,24 @@
 # ApiV1DashboardGet200Response
 ## Properties
 Name | Type | Description | Notes
 ------------ | ------------- | ------------- | -------------
 **data** | [**InternalHandlersDashboardResponse**](InternalHandlersDashboardResponse.md) |  | [optional] [default to undefined]
 **error** | **object** |  | [optional] [default to undefined]
 **success** | **boolean** |  | [optional] [default to undefined]
 ## Example
 ```typescript
 import { ApiV1DashboardGet200Response } from './api';
 const instance: ApiV1DashboardGet200Response = {
    data,
    error,
    success,
 };
 ```
 [[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md)
--- a/apps/web/src/types/generated/docs/Auth2faDisablePost200Response.md
+++ b/apps/web/src/types/generated/docs/Auth2faDisablePost200Response.md
@ -0,0 +1,24 @@
 # Auth2faDisablePost200Response
 ## Properties
 Name | Type | Description | Notes
 ------------ | ------------- | ------------- | -------------
 **data** | [**Auth2faDisablePost200ResponseAllOfData**](Auth2faDisablePost200ResponseAllOfData.md) |  | [optional] [default to undefined]
 **error** | **object** |  | [optional] [default to undefined]
 **success** | **boolean** |  | [optional] [default to undefined]
 ## Example
 ```typescript
 import { Auth2faDisablePost200Response } from './api';
 const instance: Auth2faDisablePost200Response = {
    data,
    error,
    success,
 };
 ```
 [[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md)
--- a/apps/web/src/types/generated/docs/Auth2faDisablePost200ResponseAllOfData.md
+++ b/apps/web/src/types/generated/docs/Auth2faDisablePost200ResponseAllOfData.md
@ -0,0 +1,20 @@
 # Auth2faDisablePost200ResponseAllOfData
 ## Properties
 Name | Type | Description | Notes
 ------------ | ------------- | ------------- | -------------
 **message** | **string** |  | [optional] [default to undefined]
 ## Example
 ```typescript
 import { Auth2faDisablePost200ResponseAllOfData } from './api';
 const instance: Auth2faDisablePost200ResponseAllOfData = {
    message,
 };
 ```
 [[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md)
--- a/apps/web/src/types/generated/docs/AuthApi.md
+++ b/apps/web/src/types/generated/docs/AuthApi.md
@ -15,10 +15,11 @@ All URIs are relative to *http://localhost:8080/api/v1*
 |[**authRefreshPost**](#authrefreshpost) | **POST** /auth/refresh | Refresh Token|
 |[**authRegisterPost**](#authregisterpost) | **POST** /auth/register | User Registration|
 |[**authResendVerificationPost**](#authresendverificationpost) | **POST** /auth/resend-verification | Resend Verification Email|
 |[**authStreamTokenPost**](#authstreamtokenpost) | **POST** /auth/stream-token | Get ephemeral stream token|
 |[**authVerifyEmailPost**](#authverifyemailpost) | **POST** /auth/verify-email | Verify Email|
 # **auth2faDisablePost**
-> AnalyticsEventsPost200Response auth2faDisablePost(request)
+> Auth2faDisablePost200Response auth2faDisablePost(request)
 Disable 2FA for user (requires password confirmation)
@ -50,7 +51,7 @@ const { status, data } = await apiInstance.auth2faDisablePost(
 ### Return type
-**AnalyticsEventsPost200Response**
+**Auth2faDisablePost200Response**
 ### Authorization
@ -166,7 +167,7 @@ This endpoint does not have any parameters.
 [[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
 # **auth2faVerifyPost**
-> AnalyticsEventsPost200Response auth2faVerifyPost(request)
+> Auth2faDisablePost200Response auth2faVerifyPost(request)
 Verify 2FA code and enable 2FA for user
@ -198,7 +199,7 @@ const { status, data } = await apiInstance.auth2faVerifyPost(
 ### Return type
-**AnalyticsEventsPost200Response**
+**Auth2faDisablePost200Response**
 ### Authorization
@ -590,6 +591,51 @@ No authorization required
 [[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
 # **authStreamTokenPost**
 > InternalHandlersStreamTokenResponse authStreamTokenPost()
 Returns a 5-minute JWT for HLS and WebSocket authentication (httpOnly cookies prevent direct token access)
 ### Example
 ```typescript
 import {
    AuthApi,
    Configuration
 } from './api';
 const configuration = new Configuration();
 const apiInstance = new AuthApi(configuration);
 const { status, data } = await apiInstance.authStreamTokenPost();
 ```
 ### Parameters
 This endpoint does not have any parameters.
 ### Return type
 **InternalHandlersStreamTokenResponse**
 ### Authorization
 [BearerAuth](../README.md#BearerAuth)
 ### HTTP request headers
 - **Content-Type**: Not defined
 - **Accept**: */*
 ### HTTP response details
 | Status code | Description | Response headers |
 |-------------|-------------|------------------|
 |**200** | OK |  -  |
 |**401** | Unauthorized |  -  |
 [[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
 # **authVerifyEmailPost**
 > InternalHandlersAPIResponse authVerifyEmailPost()
--- a/apps/web/src/types/generated/docs/CommentApi.md
+++ b/apps/web/src/types/generated/docs/CommentApi.md
@ -131,7 +131,7 @@ No authorization required
 [[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
 # **tracksIdCommentsCommentIdDelete**
-> AnalyticsEventsPost200Response tracksIdCommentsCommentIdDelete()
+> Auth2faDisablePost200Response tracksIdCommentsCommentIdDelete()
 Delete a comment (only by owner or admin)
@ -165,7 +165,7 @@ const { status, data } = await apiInstance.tracksIdCommentsCommentIdDelete(
 ### Return type
-**AnalyticsEventsPost200Response**
+**Auth2faDisablePost200Response**
 ### Authorization
--- a/apps/web/src/types/generated/docs/DashboardApi.md
+++ b/apps/web/src/types/generated/docs/DashboardApi.md
@ -0,0 +1,67 @@
 # DashboardApi
 All URIs are relative to *http://localhost:8080/api/v1*
 |Method | HTTP request | Description|
 |------------- | ------------- | -------------|
 |[**apiV1DashboardGet**](#apiv1dashboardget) | **GET** /api/v1/dashboard | Get Dashboard Data|
 # **apiV1DashboardGet**
 > ApiV1DashboardGet200Response apiV1DashboardGet()
 Get aggregated dashboard data including stats, recent activity, and library preview
 ### Example
 ```typescript
 import {
    DashboardApi,
    Configuration
 } from './api';
 const configuration = new Configuration();
 const apiInstance = new DashboardApi(configuration);
 let activityLimit: number; //Number of recent activity items (default: 10) (optional) (default to undefined)
 let libraryLimit: number; //Number of library items (default: 5) (optional) (default to undefined)
 let statsPeriod: string; //Time period for statistics: 7d, 30d, 90d, all (default: 30d) (optional) (default to undefined)
 const { status, data } = await apiInstance.apiV1DashboardGet(
    activityLimit,
    libraryLimit,
    statsPeriod
 );
 ```
 ### Parameters
 |Name | Type | Description  | Notes|
 |------------- | ------------- | ------------- | -------------|
 | **activityLimit** | [**number**] | Number of recent activity items (default: 10) | (optional) defaults to undefined|
 | **libraryLimit** | [**number**] | Number of library items (default: 5) | (optional) defaults to undefined|
 | **statsPeriod** | [**string**] | Time period for statistics: 7d, 30d, 90d, all (default: 30d) | (optional) defaults to undefined|
 ### Return type
 **ApiV1DashboardGet200Response**
 ### Authorization
 [BearerAuth](../README.md#BearerAuth)
 ### HTTP request headers
 - **Content-Type**: Not defined
 - **Accept**: application/json
 ### HTTP response details
 | Status code | Description | Response headers |
 |-------------|-------------|------------------|
 |**200** | OK |  -  |
 |**401** | Unauthorized |  -  |
 |**500** | Internal server error |  -  |
 [[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
--- a/apps/web/src/types/generated/docs/InternalHandlersCreateOrderRequest.md
+++ b/apps/web/src/types/generated/docs/InternalHandlersCreateOrderRequest.md
@ -6,6 +6,7 @@
 Name | Type | Description | Notes
 ------------ | ------------- | ------------- | -------------
 **items** | [**Array&lt;InternalHandlersCreateOrderRequestItemsInner&gt;**](InternalHandlersCreateOrderRequestItemsInner.md) |  | [default to undefined]
 **promo_code** | **string** |  | [optional] [default to undefined]
 ## Example
@ -14,6 +15,7 @@ import { InternalHandlersCreateOrderRequest } from './api';
 const instance: InternalHandlersCreateOrderRequest = {
    items,
    promo_code,
 };
 ```
--- a/apps/web/src/types/generated/docs/InternalHandlersCreateProductRequest.md
+++ b/apps/web/src/types/generated/docs/InternalHandlersCreateProductRequest.md
@ -5,8 +5,12 @@
 Name | Type | Description | Notes
 ------------ | ------------- | ------------- | -------------
 **bpm** | **number** | v0.401 M1 | [optional] [default to undefined]
 **category** | **string** |  | [optional] [default to undefined]
 **description** | **string** |  | [optional] [default to undefined]
 **license_type** | **string** |  | [optional] [default to undefined]
 **licenses** | [**Array&lt;InternalHandlersCreateProductRequestLicensesInner&gt;**](InternalHandlersCreateProductRequestLicensesInner.md) | v0.401 M2: Product licenses (streaming, personal, commercial, exclusive) | [optional] [default to undefined]
 **musical_key** | **string** |  | [optional] [default to undefined]
 **price** | **number** |  | [default to undefined]
 **product_type** | **string** |  | [default to undefined]
 **title** | **string** |  | [default to undefined]
@ -18,8 +22,12 @@ Name | Type | Description | Notes
 import { InternalHandlersCreateProductRequest } from './api';
 const instance: InternalHandlersCreateProductRequest = {
    bpm,
    category,
    description,
    license_type,
    licenses,
    musical_key,
    price,
    product_type,
    title,
--- a/apps/web/src/types/generated/docs/InternalHandlersCreateProductRequestLicensesInner.md
+++ b/apps/web/src/types/generated/docs/InternalHandlersCreateProductRequestLicensesInner.md
@ -0,0 +1,24 @@
 # InternalHandlersCreateProductRequestLicensesInner
 ## Properties
 Name | Type | Description | Notes
 ------------ | ------------- | ------------- | -------------
 **license_type** | **string** |  | [default to undefined]
 **price_cents** | **number** |  | [default to undefined]
 **terms_text** | **string** |  | [optional] [default to undefined]
 ## Example
 ```typescript
 import { InternalHandlersCreateProductRequestLicensesInner } from './api';
 const instance: InternalHandlersCreateProductRequestLicensesInner = {
    license_type,
    price_cents,
    terms_text,
 };
 ```
 [[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md)
--- a/apps/web/src/types/generated/docs/InternalHandlersDashboardResponse.md
+++ b/apps/web/src/types/generated/docs/InternalHandlersDashboardResponse.md
@ -0,0 +1,24 @@
 # InternalHandlersDashboardResponse
 ## Properties
 Name | Type | Description | Notes
 ------------ | ------------- | ------------- | -------------
 **library_preview** | [**InternalHandlersLibraryPreview**](InternalHandlersLibraryPreview.md) |  | [optional] [default to undefined]
 **recent_activity** | [**Array&lt;InternalHandlersRecentActivity&gt;**](InternalHandlersRecentActivity.md) |  | [optional] [default to undefined]
 **stats** | [**InternalHandlersDashboardStats**](InternalHandlersDashboardStats.md) |  | [optional] [default to undefined]
 ## Example
 ```typescript
 import { InternalHandlersDashboardResponse } from './api';
 const instance: InternalHandlersDashboardResponse = {
    library_preview,
    recent_activity,
    stats,
 };
 ```
 [[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md)
--- a/apps/web/src/types/generated/docs/InternalHandlersDashboardStats.md
+++ b/apps/web/src/types/generated/docs/InternalHandlersDashboardStats.md
@ -0,0 +1,36 @@
 # InternalHandlersDashboardStats
 ## Properties
 Name | Type | Description | Notes
 ------------ | ------------- | ------------- | -------------
 **active_friends** | **number** |  | [optional] [default to undefined]
 **active_friends_change** | **string** |  | [optional] [default to undefined]
 **favorites** | **number** |  | [optional] [default to undefined]
 **favorites_change** | **string** |  | [optional] [default to undefined]
 **messages_sent** | **number** |  | [optional] [default to undefined]
 **messages_sent_change** | **string** |  | [optional] [default to undefined]
 **period** | **string** |  | [optional] [default to undefined]
 **tracks_played** | **number** |  | [optional] [default to undefined]
 **tracks_played_change** | **string** |  | [optional] [default to undefined]
 ## Example
 ```typescript
 import { InternalHandlersDashboardStats } from './api';
 const instance: InternalHandlersDashboardStats = {
    active_friends,
    active_friends_change,
    favorites,
    favorites_change,
    messages_sent,
    messages_sent_change,
    period,
    tracks_played,
    tracks_played_change,
 };
 ```
 [[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md)
--- a/apps/web/src/types/generated/docs/InternalHandlersDeleteAccountRequest.md
+++ b/apps/web/src/types/generated/docs/InternalHandlersDeleteAccountRequest.md
@ -0,0 +1,24 @@
 # InternalHandlersDeleteAccountRequest
 ## Properties
 Name | Type | Description | Notes
 ------------ | ------------- | ------------- | -------------
 **confirm_text** | **string** |  | [default to undefined]
 **password** | **string** |  | [default to undefined]
 **reason** | **string** |  | [optional] [default to undefined]
 ## Example
 ```typescript
 import { InternalHandlersDeleteAccountRequest } from './api';
 const instance: InternalHandlersDeleteAccountRequest = {
    confirm_text,
    password,
    reason,
 };
 ```
 [[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md)
--- a/apps/web/src/types/generated/docs/InternalHandlersLibraryPreview.md
+++ b/apps/web/src/types/generated/docs/InternalHandlersLibraryPreview.md
@ -0,0 +1,24 @@
 # InternalHandlersLibraryPreview
 ## Properties
 Name | Type | Description | Notes
 ------------ | ------------- | ------------- | -------------
 **has_more** | **boolean** |  | [optional] [default to undefined]
 **items** | [**Array&lt;InternalHandlersTrackPreview&gt;**](InternalHandlersTrackPreview.md) |  | [optional] [default to undefined]
 **total_count** | **number** |  | [optional] [default to undefined]
 ## Example
 ```typescript
 import { InternalHandlersLibraryPreview } from './api';
 const instance: InternalHandlersLibraryPreview = {
    has_more,
    items,
    total_count,
 };
 ```
 [[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md)
--- a/apps/web/src/types/generated/docs/InternalHandlersRecentActivity.md
+++ b/apps/web/src/types/generated/docs/InternalHandlersRecentActivity.md
@ -0,0 +1,32 @@
 # InternalHandlersRecentActivity
 ## Properties
 Name | Type | Description | Notes
 ------------ | ------------- | ------------- | -------------
 **description** | **string** |  | [optional] [default to undefined]
 **icon** | **string** |  | [optional] [default to undefined]
 **id** | **string** |  | [optional] [default to undefined]
 **metadata** | **{ [key: string]: any; }** |  | [optional] [default to undefined]
 **timestamp** | **string** |  | [optional] [default to undefined]
 **title** | **string** |  | [optional] [default to undefined]
 **type** | **string** |  | [optional] [default to undefined]
 ## Example
 ```typescript
 import { InternalHandlersRecentActivity } from './api';
 const instance: InternalHandlersRecentActivity = {
    description,
    icon,
    id,
    metadata,
    timestamp,
    title,
    type,
 };
 ```
 [[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md)
--- a/apps/web/src/types/generated/docs/InternalHandlersStreamTokenResponse.md
+++ b/apps/web/src/types/generated/docs/InternalHandlersStreamTokenResponse.md
@ -0,0 +1,22 @@
 # InternalHandlersStreamTokenResponse
 ## Properties
 Name | Type | Description | Notes
 ------------ | ------------- | ------------- | -------------
 **expires_in** | **number** | seconds | [optional] [default to undefined]
 **token** | **string** |  | [optional] [default to undefined]
 ## Example
 ```typescript
 import { InternalHandlersStreamTokenResponse } from './api';
 const instance: InternalHandlersStreamTokenResponse = {
    expires_in,
    token,
 };
 ```
 [[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md)
--- a/apps/web/src/types/generated/docs/InternalHandlersTrackPreview.md
+++ b/apps/web/src/types/generated/docs/InternalHandlersTrackPreview.md
@ -0,0 +1,34 @@
 # InternalHandlersTrackPreview
 ## Properties
 Name | Type | Description | Notes
 ------------ | ------------- | ------------- | -------------
 **artist** | **string** |  | [optional] [default to undefined]
 **cover_art_path** | **string** |  | [optional] [default to undefined]
 **created_at** | **string** |  | [optional] [default to undefined]
 **duration** | **number** |  | [optional] [default to undefined]
 **id** | **string** |  | [optional] [default to undefined]
 **like_count** | **number** |  | [optional] [default to undefined]
 **play_count** | **number** |  | [optional] [default to undefined]
 **title** | **string** |  | [optional] [default to undefined]
 ## Example
 ```typescript
 import { InternalHandlersTrackPreview } from './api';
 const instance: InternalHandlersTrackPreview = {
    artist,
    cover_art_path,
    created_at,
    duration,
    id,
    like_count,
    play_count,
    title,
 };
 ```
 [[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md)
--- a/apps/web/src/types/generated/docs/InternalHandlersUpdateProductRequest.md
+++ b/apps/web/src/types/generated/docs/InternalHandlersUpdateProductRequest.md
@ -5,7 +5,11 @@
 Name | Type | Description | Notes
 ------------ | ------------- | ------------- | -------------
 **bpm** | **number** |  | [optional] [default to undefined]
 **category** | **string** |  | [optional] [default to undefined]
 **description** | **string** |  | [optional] [default to undefined]
 **licenses** | [**Array&lt;InternalHandlersCreateProductRequestLicensesInner&gt;**](InternalHandlersCreateProductRequestLicensesInner.md) | v0.401 M2: Product licenses | [optional] [default to undefined]
 **musical_key** | **string** |  | [optional] [default to undefined]
 **price** | **number** |  | [optional] [default to undefined]
 **status** | **string** |  | [optional] [default to undefined]
 **title** | **string** |  | [optional] [default to undefined]
@ -16,7 +20,11 @@ Name | Type | Description | Notes
 import { InternalHandlersUpdateProductRequest } from './api';
 const instance: InternalHandlersUpdateProductRequest = {
    bpm,
    category,
    description,
    licenses,
    musical_key,
    price,
    status,
    title,
--- a/apps/web/src/types/generated/docs/InternalHandlersUpdateProfileRequest.md
+++ b/apps/web/src/types/generated/docs/InternalHandlersUpdateProfileRequest.md
@ -5,10 +5,12 @@
 Name | Type | Description | Notes
 ------------ | ------------- | ------------- | -------------
 **banner_url** | **string** |  | [optional] [default to undefined]
 **bio** | **string** |  | [optional] [default to undefined]
 **birthdate** | **string** |  | [optional] [default to undefined]
 **first_name** | **string** |  | [optional] [default to undefined]
 **gender** | **string** |  | [optional] [default to undefined]
 **is_public** | **boolean** |  | [optional] [default to undefined]
 **last_name** | **string** |  | [optional] [default to undefined]
 **location** | **string** |  | [optional] [default to undefined]
 **social_links** | **{ [key: string]: any; }** |  | [optional] [default to undefined]
@ -20,10 +22,12 @@ Name | Type | Description | Notes
 import { InternalHandlersUpdateProfileRequest } from './api';
 const instance: InternalHandlersUpdateProfileRequest = {
    banner_url,
    bio,
    birthdate,
    first_name,
    gender,
    is_public,
    last_name,
    location,
    social_links,
--- a/apps/web/src/types/generated/docs/InternalHandlersValidateRequest.md
+++ b/apps/web/src/types/generated/docs/InternalHandlersValidateRequest.md
@ -0,0 +1,22 @@
 # InternalHandlersValidateRequest
 ## Properties
 Name | Type | Description | Notes
 ------------ | ------------- | ------------- | -------------
 **data** | **Array&lt;number&gt;** | The data to validate | [default to undefined]
 **type** | **string** | e.g., \&quot;RegisterRequest\&quot;, \&quot;LoginRequest\&quot; | [default to undefined]
 ## Example
 ```typescript
 import { InternalHandlersValidateRequest } from './api';
 const instance: InternalHandlersValidateRequest = {
    data,
    type,
 };
 ```
 [[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md)
--- a/apps/web/src/types/generated/docs/InternalHandlersValidateResponse.md
+++ b/apps/web/src/types/generated/docs/InternalHandlersValidateResponse.md
@ -0,0 +1,24 @@
 # InternalHandlersValidateResponse
 ## Properties
 Name | Type | Description | Notes
 ------------ | ------------- | ------------- | -------------
 **errors** | [**Array&lt;VezaBackendApiInternalDtoValidationError&gt;**](VezaBackendApiInternalDtoValidationError.md) |  | [optional] [default to undefined]
 **message** | **string** |  | [optional] [default to undefined]
 **valid** | **boolean** |  | [optional] [default to undefined]
 ## Example
 ```typescript
 import { InternalHandlersValidateResponse } from './api';
 const instance: InternalHandlersValidateResponse = {
    errors,
    message,
    valid,
 };
 ```
 [[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md)
--- a/apps/web/src/types/generated/docs/PlaylistApi.md
+++ b/apps/web/src/types/generated/docs/PlaylistApi.md
@ -72,7 +72,7 @@ const { status, data } = await apiInstance.playlistsGet(
 [[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
 # **playlistsIdDelete**
-> AnalyticsEventsPost200Response playlistsIdDelete()
+> Auth2faDisablePost200Response playlistsIdDelete()
 Permanently delete a playlist
@ -103,7 +103,7 @@ const { status, data } = await apiInstance.playlistsIdDelete(
 ### Return type
-**AnalyticsEventsPost200Response**
+**Auth2faDisablePost200Response**
 ### Authorization
@ -238,7 +238,7 @@ const { status, data } = await apiInstance.playlistsIdPut(
 [[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
 # **playlistsIdTracksPost**
-> AnalyticsEventsPost200Response playlistsIdTracksPost(trackId)
+> Auth2faDisablePost200Response playlistsIdTracksPost(trackId)
 Add a track to the playlist
@ -273,7 +273,7 @@ const { status, data } = await apiInstance.playlistsIdTracksPost(
 ### Return type
-**AnalyticsEventsPost200Response**
+**Auth2faDisablePost200Response**
 ### Authorization
@ -295,7 +295,7 @@ const { status, data } = await apiInstance.playlistsIdTracksPost(
 [[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
 # **playlistsIdTracksReorderPut**
-> AnalyticsEventsPost200Response playlistsIdTracksReorderPut(order)
+> Auth2faDisablePost200Response playlistsIdTracksReorderPut(order)
 Reorder tracks in the playlist
@ -330,7 +330,7 @@ const { status, data } = await apiInstance.playlistsIdTracksReorderPut(
 ### Return type
-**AnalyticsEventsPost200Response**
+**Auth2faDisablePost200Response**
 ### Authorization
@ -351,7 +351,7 @@ const { status, data } = await apiInstance.playlistsIdTracksReorderPut(
 [[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
 # **playlistsIdTracksTrackIdDelete**
-> AnalyticsEventsPost200Response playlistsIdTracksTrackIdDelete()
+> Auth2faDisablePost200Response playlistsIdTracksTrackIdDelete()
 Remove a track from the playlist
@ -385,7 +385,7 @@ const { status, data } = await apiInstance.playlistsIdTracksTrackIdDelete(
 ### Return type
-**AnalyticsEventsPost200Response**
+**Auth2faDisablePost200Response**
 ### Authorization
--- a/apps/web/src/types/generated/docs/TrackApi.md
+++ b/apps/web/src/types/generated/docs/TrackApi.md
@ -4,73 +4,14 @@ All URIs are relative to *http://localhost:8080/api/v1*
 |Method | HTTP request | Description|
 |------------- | ------------- | -------------|
 |[**tracksBatchDeletePost**](#tracksbatchdeletepost) | **POST** /tracks/batch/delete | Batch Delete Tracks|
 |[**tracksChunkPost**](#trackschunkpost) | **POST** /tracks/chunk | Upload Chunk|
 |[**tracksCompletePost**](#trackscompletepost) | **POST** /tracks/complete | Complete Chunked Upload|
 |[**tracksGet**](#tracksget) | **GET** /tracks | List Tracks|
 |[**tracksIdDelete**](#tracksiddelete) | **DELETE** /tracks/{id} | Delete Track|
 |[**tracksIdGet**](#tracksidget) | **GET** /tracks/{id} | Get Track by ID|
 |[**tracksIdPut**](#tracksidput) | **PUT** /tracks/{id} | Update Track|
 |[**tracksIdStatusGet**](#tracksidstatusget) | **GET** /tracks/{id}/status | Get Upload Status|
 |[**tracksInitiatePost**](#tracksinitiatepost) | **POST** /tracks/initiate | Initiate Chunked Upload|
 |[**tracksPost**](#trackspost) | **POST** /tracks | Upload Track|
 |[**tracksQuotaIdGet**](#tracksquotaidget) | **GET** /tracks/quota/{id} | Get Upload Quota|
 |[**tracksResumeUploadIdGet**](#tracksresumeuploadidget) | **GET** /tracks/resume/{uploadId} | Resume Upload|
 # **tracksBatchDeletePost**
 > TracksBatchDeletePost200Response tracksBatchDeletePost(request)
 Delete multiple tracks at once
 ### Example
 ```typescript
 import {
    TrackApi,
    Configuration,
    InternalCoreTrackBatchDeleteRequest
 } from './api';
 const configuration = new Configuration();
 const apiInstance = new TrackApi(configuration);
 let request: InternalCoreTrackBatchDeleteRequest; //List of Track IDs
 const { status, data } = await apiInstance.tracksBatchDeletePost(
    request
 );
 ```
 ### Parameters
 |Name | Type | Description  | Notes|
 |------------- | ------------- | ------------- | -------------|
 | **request** | **InternalCoreTrackBatchDeleteRequest**| List of Track IDs | |
 ### Return type
 **TracksBatchDeletePost200Response**
 ### Authorization
 [BearerAuth](../README.md#BearerAuth)
 ### HTTP request headers
 - **Content-Type**: application/json
 - **Accept**: application/json
 ### HTTP response details
 | Status code | Description | Response headers |
 |-------------|-------------|------------------|
 |**200** | OK |  -  |
 |**400** | Validation Error |  -  |
 |**500** | Internal Error |  -  |
 [[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
 # **tracksChunkPost**
 > TracksChunkPost200Response tracksChunkPost()
@ -193,242 +134,6 @@ const { status, data } = await apiInstance.tracksCompletePost(
 [[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
 # **tracksGet**
 > TracksGet200Response tracksGet()
 Get a paginated list of tracks with filters
 ### Example
 ```typescript
 import {
    TrackApi,
    Configuration
 } from './api';
 const configuration = new Configuration();
 const apiInstance = new TrackApi(configuration);
 let page: number; //Page number (optional) (default to 1)
 let limit: number; //Items per page (optional) (default to 20)
 let userId: string; //Filter by User ID (optional) (default to undefined)
 let genre: string; //Filter by Genre (optional) (default to undefined)
 let format: string; //Filter by Format (optional) (default to undefined)
 let sortBy: string; //Sort field (optional) (default to 'created_at')
 let sortOrder: string; //Sort order (asc/desc) (optional) (default to 'desc')
 const { status, data } = await apiInstance.tracksGet(
    page,
    limit,
    userId,
    genre,
    format,
    sortBy,
    sortOrder
 );
 ```
 ### Parameters
 |Name | Type | Description  | Notes|
 |------------- | ------------- | ------------- | -------------|
 | **page** | [**number**] | Page number | (optional) defaults to 1|
 | **limit** | [**number**] | Items per page | (optional) defaults to 20|
 | **userId** | [**string**] | Filter by User ID | (optional) defaults to undefined|
 | **genre** | [**string**] | Filter by Genre | (optional) defaults to undefined|
 | **format** | [**string**] | Filter by Format | (optional) defaults to undefined|
 | **sortBy** | [**string**] | Sort field | (optional) defaults to 'created_at'|
 | **sortOrder** | [**string**] | Sort order (asc/desc) | (optional) defaults to 'desc'|
 ### Return type
 **TracksGet200Response**
 ### Authorization
 No authorization required
 ### HTTP request headers
 - **Content-Type**: Not defined
 - **Accept**: application/json
 ### HTTP response details
 | Status code | Description | Response headers |
 |-------------|-------------|------------------|
 |**200** | OK |  -  |
 |**500** | Internal Error |  -  |
 [[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
 # **tracksIdDelete**
 > TracksIdDelete200Response tracksIdDelete()
 Permanently delete a track
 ### Example
 ```typescript
 import {
    TrackApi,
    Configuration
 } from './api';
 const configuration = new Configuration();
 const apiInstance = new TrackApi(configuration);
 let id: string; //Track ID (default to undefined)
 const { status, data } = await apiInstance.tracksIdDelete(
    id
 );
 ```
 ### Parameters
 |Name | Type | Description  | Notes|
 |------------- | ------------- | ------------- | -------------|
 | **id** | [**string**] | Track ID | defaults to undefined|
 ### Return type
 **TracksIdDelete200Response**
 ### Authorization
 [BearerAuth](../README.md#BearerAuth)
 ### HTTP request headers
 - **Content-Type**: Not defined
 - **Accept**: application/json
 ### HTTP response details
 | Status code | Description | Response headers |
 |-------------|-------------|------------------|
 |**200** | OK |  -  |
 |**401** | Unauthorized |  -  |
 |**403** | Forbidden |  -  |
 |**404** | Track not found |  -  |
 [[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
 # **tracksIdGet**
 > TracksPost201Response tracksIdGet()
 Get detailed information about a track
 ### Example
 ```typescript
 import {
    TrackApi,
    Configuration
 } from './api';
 const configuration = new Configuration();
 const apiInstance = new TrackApi(configuration);
 let id: string; //Track ID (default to undefined)
 const { status, data } = await apiInstance.tracksIdGet(
    id
 );
 ```
 ### Parameters
 |Name | Type | Description  | Notes|
 |------------- | ------------- | ------------- | -------------|
 | **id** | [**string**] | Track ID | defaults to undefined|
 ### Return type
 **TracksPost201Response**
 ### Authorization
 No authorization required
 ### HTTP request headers
 - **Content-Type**: Not defined
 - **Accept**: application/json
 ### HTTP response details
 | Status code | Description | Response headers |
 |-------------|-------------|------------------|
 |**200** | OK |  -  |
 |**400** | Invalid ID |  -  |
 |**404** | Track not found |  -  |
 [[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
 # **tracksIdPut**
 > TracksPost201Response tracksIdPut(track)
 Update track metadata
 ### Example
 ```typescript
 import {
    TrackApi,
    Configuration,
    InternalCoreTrackUpdateTrackRequest
 } from './api';
 const configuration = new Configuration();
 const apiInstance = new TrackApi(configuration);
 let id: string; //Track ID (default to undefined)
 let track: InternalCoreTrackUpdateTrackRequest; //Track Metadata
 const { status, data } = await apiInstance.tracksIdPut(
    id,
    track
 );
 ```
 ### Parameters
 |Name | Type | Description  | Notes|
 |------------- | ------------- | ------------- | -------------|
 | **track** | **InternalCoreTrackUpdateTrackRequest**| Track Metadata | |
 | **id** | [**string**] | Track ID | defaults to undefined|
 ### Return type
 **TracksPost201Response**
 ### Authorization
 [BearerAuth](../README.md#BearerAuth)
 ### HTTP request headers
 - **Content-Type**: application/json
 - **Accept**: application/json
 ### HTTP response details
 | Status code | Description | Response headers |
 |-------------|-------------|------------------|
 |**200** | OK |  -  |
 |**400** | Validation Error |  -  |
 |**401** | Unauthorized |  -  |
 |**403** | Forbidden |  -  |
 |**404** | Track not found |  -  |
 [[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
 # **tracksIdStatusGet**
 > TracksIdStatusGet200Response tracksIdStatusGet()
--- a/apps/web/src/types/generated/docs/UsersApi.md
+++ b/apps/web/src/types/generated/docs/UsersApi.md
@ -0,0 +1,110 @@
 # UsersApi
 All URIs are relative to *http://localhost:8080/api/v1*
 |Method | HTTP request | Description|
 |------------- | ------------- | -------------|
 |[**usersMeDelete**](#usersmedelete) | **DELETE** /users/me | Delete account|
 |[**usersMePrivacyOptOutPost**](#usersmeprivacyoptoutpost) | **POST** /users/me/privacy/opt-out | CCPA Do Not Sell opt-out|
 # **usersMeDelete**
 > { [key: string]: any; } usersMeDelete(body)
 Permanently delete user account with anonymization, session revocation, audit log
 ### Example
 ```typescript
 import {
    UsersApi,
    Configuration,
    InternalHandlersDeleteAccountRequest
 } from './api';
 const configuration = new Configuration();
 const apiInstance = new UsersApi(configuration);
 let body: InternalHandlersDeleteAccountRequest; //Password, reason, confirm_text (must be DELETE)
 const { status, data } = await apiInstance.usersMeDelete(
    body
 );
 ```
 ### Parameters
 |Name | Type | Description  | Notes|
 |------------- | ------------- | ------------- | -------------|
 | **body** | **InternalHandlersDeleteAccountRequest**| Password, reason, confirm_text (must be DELETE) | |
 ### Return type
 **{ [key: string]: any; }**
 ### Authorization
 [BearerAuth](../README.md#BearerAuth)
 ### HTTP request headers
 - **Content-Type**: Not defined
 - **Accept**: */*
 ### HTTP response details
 | Status code | Description | Response headers |
 |-------------|-------------|------------------|
 |**200** | OK |  -  |
 |**400** | Bad Request |  -  |
 |**401** | Unauthorized |  -  |
 |**500** | Internal Server Error |  -  |
 [[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
 # **usersMePrivacyOptOutPost**
 > { [key: string]: any; } usersMePrivacyOptOutPost()
 Saves the user\'s Do Not Sell preference (CCPA compliance)
 ### Example
 ```typescript
 import {
    UsersApi,
    Configuration
 } from './api';
 const configuration = new Configuration();
 const apiInstance = new UsersApi(configuration);
 const { status, data } = await apiInstance.usersMePrivacyOptOutPost();
 ```
 ### Parameters
 This endpoint does not have any parameters.
 ### Return type
 **{ [key: string]: any; }**
 ### Authorization
 [BearerAuth](../README.md#BearerAuth)
 ### HTTP request headers
 - **Content-Type**: Not defined
 - **Accept**: */*
 ### HTTP response details
 | Status code | Description | Response headers |
 |-------------|-------------|------------------|
 |**200** | OK |  -  |
 |**401** | Unauthorized |  -  |
 |**500** | Internal Server Error |  -  |
 [[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
--- a/apps/web/src/types/generated/docs/ValidationApi.md
+++ b/apps/web/src/types/generated/docs/ValidationApi.md
@ -0,0 +1,61 @@
 # ValidationApi
 All URIs are relative to *http://localhost:8080/api/v1*
 |Method | HTTP request | Description|
 |------------- | ------------- | -------------|
 |[**validatePost**](#validatepost) | **POST** /validate | Validate request body|
 # **validatePost**
 > InternalHandlersValidateResponse validatePost(request)
 Validates request data against known DTO types without executing the actual operation
 ### Example
 ```typescript
 import {
    ValidationApi,
    Configuration,
    InternalHandlersValidateRequest
 } from './api';
 const configuration = new Configuration();
 const apiInstance = new ValidationApi(configuration);
 let request: InternalHandlersValidateRequest; //Validation request with type and data
 const { status, data } = await apiInstance.validatePost(
    request
 );
 ```
 ### Parameters
 |Name | Type | Description  | Notes|
 |------------- | ------------- | ------------- | -------------|
 | **request** | **InternalHandlersValidateRequest**| Validation request with type and data | |
 ### Return type
 **InternalHandlersValidateResponse**
 ### Authorization
 No authorization required
 ### HTTP request headers
 - **Content-Type**: application/json
 - **Accept**: application/json
 ### HTTP response details
 | Status code | Description | Response headers |
 |-------------|-------------|------------------|
 |**200** | Validation result |  -  |
 |**400** | Invalid request format |  -  |
 [[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
--- a/apps/web/src/types/generated/docs/VezaBackendApiInternalCoreMarketplaceOrder.md
+++ b/apps/web/src/types/generated/docs/VezaBackendApiInternalCoreMarketplaceOrder.md
@ -8,10 +8,14 @@ Name | Type | Description | Notes
 **buyer_id** | **string** |  | [optional] [default to undefined]
 **created_at** | **string** |  | [optional] [default to undefined]
 **currency** | **string** |  | [optional] [default to undefined]
 **discount_amount_cents** | **number** |  | [optional] [default to undefined]
 **hyperswitch_payment_id** | **string** |  | [optional] [default to undefined]
 **id** | **string** |  | [optional] [default to undefined]
 **items** | [**Array&lt;VezaBackendApiInternalCoreMarketplaceOrderItem&gt;**](VezaBackendApiInternalCoreMarketplaceOrderItem.md) |  | [optional] [default to undefined]
-**payment_intent** | **string** | Stripe PaymentIntent ID | [optional] [default to undefined]
+**payment_intent** | **string** | Legacy / Stripe PaymentIntent ID | [optional] [default to undefined]
-**status** | **string** | pending, paid, failed, refunded | [optional] [default to undefined]
+**payment_status** | **string** | Hyperswitch payment status | [optional] [default to undefined]
 **promo_code_id** | **string** |  | [optional] [default to undefined]
 **status** | **string** | pending, completed, failed, refunded | [optional] [default to undefined]
 **total_amount** | **number** |  | [optional] [default to undefined]
 **updated_at** | **string** |  | [optional] [default to undefined]
@ -24,9 +28,13 @@ const instance: VezaBackendApiInternalCoreMarketplaceOrder = {
    buyer_id,
    created_at,
    currency,
    discount_amount_cents,
    hyperswitch_payment_id,
    id,
    items,
    payment_intent,
    payment_status,
    promo_code_id,
    status,
    total_amount,
    updated_at,
--- a/apps/web/src/types/generated/docs/VezaBackendApiInternalCoreMarketplaceProduct.md
+++ b/apps/web/src/types/generated/docs/VezaBackendApiInternalCoreMarketplaceProduct.md
@ -5,13 +5,21 @@
 Name | Type | Description | Notes
 ------------ | ------------- | ------------- | -------------
 **avg_rating** | **number** | v0.403 R1: Computed from product_reviews (not stored in DB) | [optional] [default to undefined]
 **bpm** | **number** | v0.401 M1: Métadonnées musicales et catégorie | [optional] [default to undefined]
 **category** | **string** | sample, beat, preset, pack | [optional] [default to undefined]
 **created_at** | **string** |  | [optional] [default to undefined]
 **currency** | **string** |  | [optional] [default to undefined]
 **description** | **string** |  | [optional] [default to undefined]
 **id** | **string** |  | [optional] [default to undefined]
 **images** | [**Array&lt;VezaBackendApiInternalCoreMarketplaceProductImage&gt;**](VezaBackendApiInternalCoreMarketplaceProductImage.md) |  | [optional] [default to undefined]
 **license_type** | [**VezaBackendApiInternalCoreMarketplaceLicenseType**](VezaBackendApiInternalCoreMarketplaceLicenseType.md) |  | [optional] [default to undefined]
 **licenses** | [**Array&lt;VezaBackendApiInternalCoreMarketplaceProductLicense&gt;**](VezaBackendApiInternalCoreMarketplaceProductLicense.md) |  | [optional] [default to undefined]
 **musical_key** | **string** |  | [optional] [default to undefined]
 **previews** | [**Array&lt;VezaBackendApiInternalCoreMarketplaceProductPreview&gt;**](VezaBackendApiInternalCoreMarketplaceProductPreview.md) | Relations | [optional] [default to undefined]
 **price** | **number** |  | [optional] [default to undefined]
 **product_type** | **string** | \&quot;track\&quot;, \&quot;pack\&quot;, \&quot;service\&quot; | [optional] [default to undefined]
 **review_count** | **number** |  | [optional] [default to undefined]
 **seller_id** | **string** |  | [optional] [default to undefined]
 **status** | [**VezaBackendApiInternalCoreMarketplaceProductStatus**](VezaBackendApiInternalCoreMarketplaceProductStatus.md) |  | [optional] [default to undefined]
 **title** | **string** |  | [optional] [default to undefined]
@ -24,13 +32,21 @@ Name | Type | Description | Notes
 import { VezaBackendApiInternalCoreMarketplaceProduct } from './api';
 const instance: VezaBackendApiInternalCoreMarketplaceProduct = {
    avg_rating,
    bpm,
    category,
    created_at,
    currency,
    description,
    id,
    images,
    license_type,
    licenses,
    musical_key,
    previews,
    price,
    product_type,
    review_count,
    seller_id,
    status,
    title,
--- a/apps/web/src/types/generated/docs/VezaBackendApiInternalCoreMarketplaceProductImage.md
+++ b/apps/web/src/types/generated/docs/VezaBackendApiInternalCoreMarketplaceProductImage.md
@ -0,0 +1,28 @@
 # VezaBackendApiInternalCoreMarketplaceProductImage
 ## Properties
 Name | Type | Description | Notes
 ------------ | ------------- | ------------- | -------------
 **created_at** | **string** |  | [optional] [default to undefined]
 **id** | **string** |  | [optional] [default to undefined]
 **product_id** | **string** |  | [optional] [default to undefined]
 **sort_order** | **number** |  | [optional] [default to undefined]
 **url** | **string** |  | [optional] [default to undefined]
 ## Example
 ```typescript
 import { VezaBackendApiInternalCoreMarketplaceProductImage } from './api';
 const instance: VezaBackendApiInternalCoreMarketplaceProductImage = {
    created_at,
    id,
    product_id,
    sort_order,
    url,
 };
 ```
 [[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md)
--- a/apps/web/src/types/generated/docs/VezaBackendApiInternalCoreMarketplaceProductLicense.md
+++ b/apps/web/src/types/generated/docs/VezaBackendApiInternalCoreMarketplaceProductLicense.md
@ -0,0 +1,30 @@
 # VezaBackendApiInternalCoreMarketplaceProductLicense
 ## Properties
 Name | Type | Description | Notes
 ------------ | ------------- | ------------- | -------------
 **created_at** | **string** |  | [optional] [default to undefined]
 **id** | **string** |  | [optional] [default to undefined]
 **license_type** | **string** | streaming, personal, commercial, exclusive | [optional] [default to undefined]
 **price_cents** | **number** |  | [optional] [default to undefined]
 **product_id** | **string** |  | [optional] [default to undefined]
 **terms_text** | **string** |  | [optional] [default to undefined]
 ## Example
 ```typescript
 import { VezaBackendApiInternalCoreMarketplaceProductLicense } from './api';
 const instance: VezaBackendApiInternalCoreMarketplaceProductLicense = {
    created_at,
    id,
    license_type,
    price_cents,
    product_id,
    terms_text,
 };
 ```
 [[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md)
--- a/apps/web/src/types/generated/docs/VezaBackendApiInternalCoreMarketplaceProductPreview.md
+++ b/apps/web/src/types/generated/docs/VezaBackendApiInternalCoreMarketplaceProductPreview.md
@ -0,0 +1,28 @@
 # VezaBackendApiInternalCoreMarketplaceProductPreview
 ## Properties
 Name | Type | Description | Notes
 ------------ | ------------- | ------------- | -------------
 **created_at** | **string** |  | [optional] [default to undefined]
 **duration_sec** | **number** |  | [optional] [default to undefined]
 **file_path** | **string** |  | [optional] [default to undefined]
 **id** | **string** |  | [optional] [default to undefined]
 **product_id** | **string** |  | [optional] [default to undefined]
 ## Example
 ```typescript
 import { VezaBackendApiInternalCoreMarketplaceProductPreview } from './api';
 const instance: VezaBackendApiInternalCoreMarketplaceProductPreview = {
    created_at,
    duration_sec,
    file_path,
    id,
    product_id,
 };
 ```
 [[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md)
--- a/apps/web/src/types/generated/docs/VezaBackendApiInternalDtoValidationError.md
+++ b/apps/web/src/types/generated/docs/VezaBackendApiInternalDtoValidationError.md
@ -0,0 +1,24 @@
 # VezaBackendApiInternalDtoValidationError
 ## Properties
 Name | Type | Description | Notes
 ------------ | ------------- | ------------- | -------------
 **field** | **string** |  | [optional] [default to undefined]
 **message** | **string** |  | [optional] [default to undefined]
 **value** | **string** |  | [optional] [default to undefined]
 ## Example
 ```typescript
 import { VezaBackendApiInternalDtoValidationError } from './api';
 const instance: VezaBackendApiInternalDtoValidationError = {
    field,
    message,
    value,
 };
 ```
 [[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md)
--- a/apps/web/src/types/generated/docs/VezaBackendApiInternalModelsTrack.md
+++ b/apps/web/src/types/generated/docs/VezaBackendApiInternalModelsTrack.md
@ -8,6 +8,7 @@ Name | Type | Description | Notes
 **album** | **string** |  | [optional] [default to undefined]
 **artist** | **string** |  | [optional] [default to undefined]
 **bitrate** | **number** | kbps | [optional] [default to undefined]
 **bpm** | **number** |  | [optional] [default to undefined]
 **cover_art_path** | **string** |  | [optional] [default to undefined]
 **created_at** | **string** |  | [optional] [default to undefined]
 **creator_id** | **string** |  | [optional] [default to undefined]
@ -20,15 +21,18 @@ Name | Type | Description | Notes
 **id** | **string** |  | [optional] [default to undefined]
 **is_public** | **boolean** |  | [optional] [default to undefined]
 **like_count** | **number** |  | [optional] [default to undefined]
 **musical_key** | **string** |  | [optional] [default to undefined]
 **play_count** | **number** |  | [optional] [default to undefined]
 **sample_rate** | **number** | Hz | [optional] [default to undefined]
 **status** | [**VezaBackendApiInternalModelsTrackStatus**](VezaBackendApiInternalModelsTrackStatus.md) |  | [optional] [default to undefined]
 **status_message** | **string** |  | [optional] [default to undefined]
 **stream_manifest_url** | **string** |  | [optional] [default to undefined]
 **stream_status** | **string** | pending, processing, ready, error | [optional] [default to undefined]
 **tags** | **Array&lt;string&gt;** |  | [optional] [default to undefined]
 **title** | **string** |  | [optional] [default to undefined]
 **updated_at** | **string** |  | [optional] [default to undefined]
 **waveform_path** | **string** |  | [optional] [default to undefined]
 **waveform_url** | **string** |  | [optional] [default to undefined]
 **year** | **number** |  | [optional] [default to undefined]
 ## Example
@ -40,6 +44,7 @@ const instance: VezaBackendApiInternalModelsTrack = {
    album,
    artist,
    bitrate,
    bpm,
    cover_art_path,
    created_at,
    creator_id,
@ -52,15 +57,18 @@ const instance: VezaBackendApiInternalModelsTrack = {
    id,
    is_public,
    like_count,
    musical_key,
    play_count,
    sample_rate,
    status,
    status_message,
    stream_manifest_url,
    stream_status,
    tags,
    title,
    updated_at,
    waveform_path,
    waveform_url,
    year,
 };
 ```
--- a/apps/web/src/types/generated/docs/VezaBackendApiInternalModelsUser.md
+++ b/apps/web/src/types/generated/docs/VezaBackendApiInternalModelsUser.md
@ -6,6 +6,7 @@
 Name | Type | Description | Notes
 ------------ | ------------- | ------------- | -------------
 **avatar** | **string** |  | [optional] [default to undefined]
 **banner_url** | **string** |  | [optional] [default to undefined]
 **bio** | **string** |  | [optional] [default to undefined]
 **birthdate** | **string** |  | [optional] [default to undefined]
 **created_at** | **string** |  | [optional] [default to undefined]
@ -38,6 +39,7 @@ import { VezaBackendApiInternalModelsUser } from './api';
 const instance: VezaBackendApiInternalModelsUser = {
    avatar,
    banner_url,
    bio,
    birthdate,
    created_at,
--- a/apps/web/src/types/generated/docs/WebhookApi.md
+++ b/apps/web/src/types/generated/docs/WebhookApi.md
@ -58,7 +58,7 @@ This endpoint does not have any parameters.
 [[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
 # **webhooksIdDelete**
-> AnalyticsEventsPost200Response webhooksIdDelete()
+> Auth2faDisablePost200Response webhooksIdDelete()
 Delete a webhook by ID
@ -89,7 +89,7 @@ const { status, data } = await apiInstance.webhooksIdDelete(
 ### Return type
-**AnalyticsEventsPost200Response**
+**Auth2faDisablePost200Response**
 ### Authorization
@ -167,7 +167,7 @@ const { status, data } = await apiInstance.webhooksIdRegenerateKeyPost(
 [[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
 # **webhooksIdTestPost**
-> AnalyticsEventsPost200Response webhooksIdTestPost()
+> Auth2faDisablePost200Response webhooksIdTestPost()
 Send a test event to a webhook to verify it\'s working
@ -198,7 +198,7 @@ const { status, data } = await apiInstance.webhooksIdTestPost(
 ### Return type
-**AnalyticsEventsPost200Response**
+**Auth2faDisablePost200Response**
 ### Authorization
--- a/docs/AUDIT_TECHNIQUE_V0803.md
+++ b/docs/AUDIT_TECHNIQUE_V0803.md
@ -0,0 +1,580 @@
 # AUDIT TECHNIQUE — VEZA MONOREPO
 | Champ | Valeur |
 |-------|--------|
 | **Date** | 2026-02-26 |
 | **Auditeur** | Claude 4.6 Opus — Architecte senior / Expert sécurité |
 | **Version analysée** | v0.803 (tag 2026-02-25) |
 | **Périmètre** | Go backend, Rust stream server, React frontend, Infrastructure |
 | **Méthodologie** | Audit statique exhaustif du code source, 6 passes parallèles |
 | **Classification** | Confidentiel — Usage interne |
 ---
 ## EXECUTIVE SUMMARY
 ### Verdict global
 Veza est un projet **techniquement ambitieux et remarquablement structuré** pour ce qui semble être une petite équipe. Avec **435 833 LOC** répartis sur 3 langages (Go, TypeScript, Rust), 26 versions taguées, ~353 features déclarées, et une infrastructure CI/CD complète, le volume de travail est impressionnant.
 Cependant, l'audit révèle un **décalage significatif entre l'ambition fonctionnelle et la maturité de production**. Le produit n'est **pas prêt pour un déploiement commercial** en l'état — principalement en raison de vulnérabilités de sécurité identifiées, d'un flux OAuth cassé, et d'un ratio features/tests qui reflète une priorité donnée à la couverture fonctionnelle plutôt qu'à la robustesse.
 ### Top 5 risques
 1. **CRITIQUE** — Le flux OAuth génère des JWT invalides qui ne passent pas l'auth middleware → OAuth login cassé
 2. **ÉLEVÉ** — `PasswordService.GenerateJWT` crée des tokens sans issuer/audience/token_version → contournement potentiel si utilisé hors contexte
 3. **ÉLEVÉ** — Absence de PKCE dans le flux OAuth → vulnérable à l'interception de code d'autorisation
 4. **ÉLEVÉ** — Tokens OAuth providers stockés en clair en base → compromission des comptes liés si la DB fuite
 5. **ÉLEVÉ** — Vérification des webhooks Hyperswitch désactivable quand le secret est vide → forgery de webhooks de paiement possible
 ### Top 5 forces
 1. **Architecture backend exemplaire** — Séparation handler/service/repository, middleware chain complète, configuration validée par environnement
 2. **Sécurité proactive** — httpOnly cookies, CSRF Redis-based, security headers complets, account lockout, bcrypt cost 12, CSP stricte
 3. **Infrastructure CI/CD mature** — 14 workflows GitHub Actions, Trivy, CodeQL, Gitleaks, govulncheck, cargo-audit, cosign signing
 4. **Frontend bien structuré** — Feature-based architecture, Zustand + TanStack Query, 306 Storybook stories, 196 MSW endpoints, Zod validation
 5. **Ops-ready** — Kubernetes manifests avec network policies, Prometheus/Grafana, External Secrets Operator, blue-green deployment
 ### Recommandation GO / NO-GO
 **NO-GO pour production commerciale en l'état.** GO conditionnel après correction des 5 vulnérabilités critiques/élevées (effort estimé : 2-3 jours) et validation du flux OAuth end-to-end.
 ---
 ## 1️⃣ CARTOGRAPHIE GLOBALE
 ### 1.1 Stack réelle
 | Élément | Valeur vérifiée | Commentaire |
 |---------|----------------|-------------|
 | **Go** | 1.24.0 (`go.mod`) | Dernière stable, OK |
 | **Rust** | 2021 edition, stable toolchain (`rust-toolchain.toml`) | OK |
 | **TypeScript** | 5.9.3 (`package.json`) | Dernière stable, OK |
 | **React** | 18.2.0 | Stable, pas encore React 19 |
 | **Vite** | 7.1.5 | Dernière version |
 | **Gin** | 1.11.0 | Framework web Go, maintenu |
 | **Axum** | 0.8 | Framework web Rust, maintenu |
 | **GORM** | 1.30.0 | ORM Go, dernière version |
 | **SQLx** | 0.8 | Query builder Rust, runtime mode (pas offline) |
 | **PostgreSQL** | 16-alpine | Dernière LTS, extensions: `pg_trgm`, `uuid-ossp` |
 | **Redis** | 7-alpine | Dernière stable |
 | **RabbitMQ** | 3-management-alpine | Message queue, optionnel |
 | **MinIO** | S3-compatible storage | Object storage |
 | **JWT** | `golang-jwt/v5` (Go), `jsonwebtoken 10` (Rust) | HS256, 5 min access / 14 jours refresh |
 | **Paiement** | Hyperswitch (`Juspay/hyper.js 2.1.0`) | SDK frontend, webhook HMAC-SHA512 |
 | **Streaming** | HLS réel (FFmpeg transcoding, `m3u8-rs`) | Pas un stub |
 | **WebSocket** | `coder/websocket` (Go), `tokio-tungstenite` (Rust) | Chat en Go, streaming en Rust |
 | **WebRTC** | Signalisation uniquement dans le chat store | Pas de TURN/STUN configuré |
 | **CI/CD** | GitHub Actions, 14 workflows | Complet |
 | **Docker** | Multi-stage, alpine, non-root | Bonnes pratiques suivies |
 | **Monitoring** | Prometheus + Grafana + alerting | Configuré et dashboardé |
 ### 1.2 Organisation du monorepo
 | Dossier | Rôle réel | Fichiers estimés | Couplage |
 |---------|-----------|-----------------|----------|
 | `apps/web/` | Frontend React SPA | ~2000+ | Consomme l'API Go via REST |
 | `veza-backend-api/` | API REST Go — cœur du produit | ~1111 | PostgreSQL, Redis, RabbitMQ, S3 |
 | `veza-stream-server/` | Serveur de streaming HLS + WebSocket | ~109 RS | PostgreSQL, Redis, gRPC vers backend |
 | `veza-common/` | Bibliothèque Rust partagée | ~28 RS | Importée par stream-server |
 | `veza-docs/` | Site Docusaurus | - | Indépendant |
 | `packages/` | Packages npm partagés | - | Workspace npm |
 | `k8s/` | Manifests Kubernetes | ~50+ | Référence les images Docker |
 | `config/` | Configs Docker, Prometheus, Grafana | ~20 | Référencé par docker-compose |
 | `migrations/` | Migrations SQL (racine) | ~90 | Dupliqué dans `veza-backend-api/migrations/` |
 | `docs/` | Documentation technique | ~50+ | Indépendant |
 | `make/` | Modules Makefile | ~10 | Orchestration build |
 | `scripts/` | Scripts utilitaires | ~10 | Outillage |
 | `fixtures/` | Données de test | - | Tests uniquement |
 | `loadtests/` | Scripts de charge | - | Tests uniquement |
 | `proto/` | Définitions Protobuf | ~5 | gRPC entre Go et Rust |
 **Packages orphelins identifiés :**
 - `veza-docs/` — Site Docusaurus, potentiellement non déployé (pas référencé dans CI/CD principal)
 - `sub_task_agents/` — Documentation d'agents, pas du code
 **Packages fantômes identifiés :**
 - `veza-chat-server/` — **ABSENT** du repo malgré des mentions dans la documentation et les `.cursorrules`. Le chat a été migré vers le backend Go en v0.502 (confirmé dans `PROJECT_STATE.md`)
 **Duplications :**
 - Le dossier `migrations/` existe à la racine ET dans `veza-backend-api/migrations/` — risque de désynchronisation
 ### 1.3 Métriques de taille
 | Service | LOC | Test files | Stories | Ratio test/code |
 |---------|-----|-----------|---------|----------------|
 | **Go backend** | 184 501 | 292 | - | ~1:1.6 (élevé) |
 | **React frontend** | 211 929 | 299 | 306 | ~1:1.4 (élevé) |
 | **Rust stream** | 39 403 | 6 | - | ~1:43 (faible) |
 | **TOTAL** | **435 833** | **597** | **306** | - |
 ### 1.4 Schémas de flux critiques
 ```mermaid
 graph TB
    subgraph "Auth Flow"
        A[Frontend] -->|POST /auth/login| B[Go API]
        B -->|Validate credentials| C[PostgreSQL]
        B -->|Check lockout| D[Redis]
        B -->|Set httpOnly cookies| A
        A -->|Auto-send cookies| B
        B -->|Verify JWT + Session| D
    end
 ```
 ```mermaid
 graph TB
    subgraph "Upload & Playback Flow"
        A[Frontend] -->|POST /uploads| B[Go API]
        B -->|ClamAV scan| C[Virus Scanner]
        B -->|Store file| D[MinIO S3]
        B -->|Queue transcode| E[RabbitMQ]
        E -->|Consume job| F[Go Worker]
        F -->|FFmpeg transcode| G[HLS Segments]
        G -->|Store segments| D
        H[Frontend Player] -->|GET /stream/:id| I[Rust Stream Server]
        I -->|Validate token| J[PostgreSQL]
        I -->|Serve HLS| H
    end
 ```
 ```mermaid
 graph TB
    subgraph "Payment Flow"
        A[Frontend] -->|POST /commerce/cart/checkout| B[Go API]
        B -->|Create payment| C[Hyperswitch]
        C -->|Webhook| B
        B -->|Verify HMAC-SHA512| D{Signature OK?}
        D -->|Yes| E[Update Order]
        D -->|No| F[Reject]
    end
 ```
 **Points de défaillance unique (SPOF) identifiés :**
 - **PostgreSQL** — Pas de réplication configurée dans docker-compose. Single instance.
 - **Redis** — Utilisé pour CSRF, rate limiting, sessions, cache, presence. Si Redis tombe, les utilisateurs sont déconnectés et ne peuvent plus faire de requêtes mutantes (CSRF fail-secure → 503).
 - **RabbitMQ** — Optionnel (fallback in-process), bon design.
 - **MinIO** — Storage des fichiers audio. Pas de réplication visible.
 **Timeouts :**
 - HTTP server : 30s read/write ✅
 - Request middleware timeout : configuré ✅
 - `exec.CommandContext` : context-based ✅
 - Redis operations : timeout configuré ✅
 - External HTTP calls : à vérifier cas par cas
 ---
 ## 2️⃣ CE QUE LE PRODUIT PERMET RÉELLEMENT
 ### 2.1 Classification des features
 #### ✅ Fonctionnelles (backend + frontend + DB + MSW)
 | Feature | Backend | Frontend | DB | Tests |
 |---------|---------|----------|-----|-------|
 | Auth (register, login, JWT, refresh) | ✅ Complet | ✅ Complet | ✅ Migrations 010-020 | ✅ |
 | 2FA (TOTP) | ✅ Complet | ✅ Complet | ✅ Migration MFA | ✅ |
 | Sessions management | ✅ Complet | ✅ Complet | ✅ Migration 020 | ✅ |
 | Track CRUD + upload | ✅ Complet | ✅ Complet | ✅ Migration 030-040 | ✅ |
 | HLS Streaming | ✅ Réel (FFmpeg) | ✅ HLS.js | ✅ Migration 040 | ✅ |
 | Playlists (CRUD, collab, share) | ✅ Complet | ✅ Complet | ✅ Migrations 044 | ✅ |
 | Search (pg_trgm) | ✅ Complet | ✅ Complet | ✅ Migration 048-085 | ✅ |
 | Notifications | ✅ Complet | ✅ Complet | ✅ Migration 047 | ✅ |
 | Chat (WebSocket, Go) | ✅ Migré en Go | ✅ Complet | ✅ Migration 051+ | ✅ |
 | Social (feed, posts, groups) | ✅ Complet | ✅ Complet | ✅ Migrations 069-070 | ✅ |
 | Marketplace (products, orders) | ✅ Complet | ✅ Complet | ✅ Migrations + Hyperswitch | ✅ |
 | Cloud Storage (files, folders, quota) | ✅ Complet | ✅ Complet | ✅ Migrations 105-106 | ✅ |
 | Gear/Inventory | ✅ Complet | ✅ Complet | ✅ Migrations 076+ | ✅ |
 | Analytics (creator dashboard) | ✅ Complet | ✅ Complet | ✅ Migration 081 | ✅ |
 | Admin panel | ✅ Complet | ✅ Complet | ✅ | ✅ |
 | Developer portal (API keys, webhooks) | ✅ Complet | ✅ Complet | ✅ Migrations 075, 082 | ✅ |
 | RBAC (roles, permissions) | ✅ Complet | ✅ Complet | ✅ Migration 021 | ✅ |
 | Audit logs | ✅ Complet | ✅ Admin UI | ✅ Migration 910 | ✅ |
 | Feature flags (DB-backed) | ✅ Complet | ✅ Admin UI | ✅ Migration 935 | ✅ |
 #### ⚠️ Partiellement implémentées
 | Feature | État | Détail |
 |---------|------|--------|
 | **OAuth** | Backend ⚠️ | `generateJWT` produit des tokens invalides (manque issuer/audience). Le flux OAuth callback est probablement cassé. |
 | **Live Streaming** | Backend ✅, Frontend ⚠️ | Routes API complètes, UI existante, mais pas de serveur RTMP/WebRTC de diffusion réel |
 | **WebRTC Audio Calls** | Frontend store ✅ | Signalisation dans le chat store, mais pas de TURN/STUN server configuré. P2P audio non fonctionnel en conditions réseau réelles. |
 | **Cloud file versioning** | ✅ Backend + DB | Frontend stories en cours (fichier modifié dans git status) |
 | **Stripe Connect** | Backend ✅ | Seller onboarding, transfers, balance — mais Hyperswitch SDK côté frontend (pas Stripe Elements) |
 #### 👻 Features fantômes
 | Feature | Déclarée dans | Réalité |
 |---------|--------------|---------|
 | **Studio** | Anciennes versions | Explicitement retiré du scope (FEATURE_STATUS.md) |
 | **Education** | Anciennes versions | Explicitement retiré du scope |
 | **Gamification** | FEATURE_STATUS.md | "MSW-only" — mocks existent, pas de backend |
 | **veza-chat-server** (Rust) | `.cursorrules`, docs | Répertoire absent. Chat migré en Go v0.502. Documentation pas mise à jour. |
 #### 💀 Code mort identifié
 | Élément | Localisation | LOC estimé |
 |---------|-------------|-----------|
 | `PasswordService.GenerateJWT` | `password_service.go:260-267` | 8 LOC — Jamais appelé hors tests |
 | Routes `/internal/tracks/:id/stream-ready` | `routes_core.go` | Marquées "deprecated" |
 | Routes `/internal/stream-events` | `routes_core.go` | Marquées "deprecated" |
 | `TokenBlacklist` service | `token_blacklist.go` | ~100 LOC — Implémenté mais non connecté au middleware auth |
 | Références au chat-server Rust | `.cursorrules`, docs | Documentation obsolète |
 ### 2.2 Incohérences produit/code
 1. **`.cursorrules` mentionne `veza-chat-server`** avec des instructions de compilation (`cargo build --release`) — ce service n'existe plus depuis v0.502.
 2. **`.cursorrules` mentionne "Chat Server: ❌ Erreurs compilation SQLx"** — service supprimé.
 3. **`VERSION` file dit `0.101.0`** mais le projet est en `v0.803` selon CHANGELOG et git tags — incohérence de versioning.
 4. **Dockerfile dev utilise Go 1.23** mais `go.mod` et Dockerfile.production utilisent Go 1.24 — incohérence de version.
 ---
 ## 3️⃣ VALIDATION FONCTIONNELLE
 ### 3.1 Couverture de tests
 | Service | Test files | LOC test estimé | Tests désactivés | Commentaire |
 |---------|-----------|----------------|-----------------|-------------|
 | **Go backend** | 292 | ~55 000 | ~134 `t.Skip` | Majorité conditionnels (infra-dependent), pas hard-disabled |
 | **React frontend** | 299 | ~45 000 | 12 `test.skip` | E2E principalement, conditionnels |
 | **Rust stream** | 6 | ~3 000 | 0 | Couverture très faible |
 | **Storybook** | 306 stories | - | - | Excellente couverture UI |
 **Points positifs :**
 - 897 artefacts de test au total
 - Go : ratio test/code ~1:3.3 → bon
 - Frontend : tests unitaires + E2E Playwright + Storybook + MSW → pipeline complet
 - 196 endpoints MSW mockés → couverture quasi-totale des API calls
 **Points négatifs :**
 - Rust stream server : 6 fichiers de test pour 109 fichiers source → risque élevé de régressions
 - 134 tests Go conditionnellement skippés → la couverture effective dépend de l'infrastructure de test
 - Pas de tests de contrat API formalisés (pas d'OpenAPI validation automatique)
 ### 3.2 Points de rupture probables
 | Scénario | Risque | Impact |
 |----------|--------|--------|
 | Redis down | ÉLEVÉ | CSRF → 503 sur toutes les requêtes mutantes. Sessions non validables. Rate limiting dégradé (fallback in-memory). |
 | 10K tracks pour un utilisateur | MOYEN | Pagination implémentée, mais ORDER BY dynamique + OFFSET peut devenir lent. Cursor-based pagination absente. |
 | Fichier audio de 10GB uploadé | FAIBLE | Taille max validée par `UploadValidator`. ClamAV scanner en place. |
 | 1000 WebSocket simultanées | MOYEN | Go chat: goroutines, devrait tenir. Rust stream: `websocket.rs` a un connection manager mais pas de test de charge prouvé. |
 | Webhook Hyperswitch en triple | FAIBLE | Les orders ont des statuts idempotents. Pas de déduplication explicite par webhook ID visible. |
 | Token expiré mid-session | FAIBLE | Refresh token flow implémenté. Axios interceptor pour auto-refresh. httpOnly cookies. |
 | Migration qui échoue à moitié | MOYEN | Pas de transactions explicites visibles autour des migrations. Pas de `BEGIN/COMMIT` wrapper. |
 ---
 ## 4️⃣ AUDIT DE SÉCURITÉ
 ### Registre des vulnérabilités
 | ID | Catégorie | Gravité | Fichier(s) | Description | Impact | Correctif | Effort |
 |----|-----------|---------|-----------|-------------|--------|-----------|--------|
 | **VEZA-SEC-001** | A07 Auth | **CRITIQUE** | `oauth_service.go:585-593` | `generateJWT` crée un JWT sans `iss`, `aud`, `token_version`, `session_id`. Ce token échoue à la validation dans `auth.go:191` (version mismatch) et possiblement `auth.go:166` (claims parsing). | OAuth login probablement non fonctionnel. Si un consommateur accepte ces tokens sans validation complète, contournement d'auth possible. | Remplacer par un appel à `JWTService.GenerateAccessToken()` + `GenerateRefreshToken()` avec création de session. | M |
 | **VEZA-SEC-002** | A07 Auth | **ÉLEVÉ** | `password_service.go:260-267` | `GenerateJWT` crée un token 24h sans issuer/audience/token_version. Bien que non appelé en production (aucun appel trouvé hors tests), sa présence est un risque si un développeur l'utilise par erreur. | Contournement potentiel des contrôles de sécurité si utilisé. | Supprimer cette méthode ou la faire passer par `JWTService`. | S |
 | **VEZA-SEC-003** | A07 Auth | **ÉLEVÉ** | `oauth_service.go:252` | Pas de PKCE (Proof Key for Code Exchange) dans le flux OAuth. Authorization Code flow sans PKCE. | Vulnérable à l'interception du code d'autorisation sur des clients publics (SPA). | Implémenter PKCE (S256). Ajouter `code_verifier` / `code_challenge`. | M |
 | **VEZA-SEC-004** | A02 Crypto | **ÉLEVÉ** | `oauth_service.go:577-579` | `access_token` et `refresh_token` des providers OAuth stockés en clair dans `federated_identities`. | Si la base est compromise, l'attaquant a accès aux comptes OAuth liés (Google, GitHub, etc.). | Chiffrer les tokens au repos avec une clé de chiffrement séparée (AES-GCM). | M |
 | **VEZA-SEC-005** | A08 Integrity | **ÉLEVÉ** | `hyperswitch/routes_webhooks.go:65-73` | Si `HyperswitchWebhookSecret` est vide, la vérification de signature est sautée (log warn seulement). En dev/staging, un attaquant peut forger des webhooks de paiement. | Création de commandes frauduleuses, confirmation de paiements non effectués. | Rendre la vérification obligatoire dans tous les environnements, ou bloquer les webhooks si le secret n'est pas configuré. | S |
 | **VEZA-SEC-006** | A03 Injection | **MOYEN** | `waveform_service.go:72,82` | `inputPath` passé directement à `exec.CommandContext` sans appel à `ValidateExecPath()`. D'autres services (transcode, backup, export) l'appellent systématiquement. | Si `inputPath` contient des caractères spéciaux, path traversal possible (pas command injection car pas de shell). | Ajouter `utils.ValidateExecPath(inputPath)` avant les appels `exec.CommandContext`. | S |
 | **VEZA-SEC-007** | A04 Design | **MOYEN** | `token_blacklist.go`, `auth.go` | Le `TokenBlacklist` service est implémenté (Redis-backed, SHA-256 hashed) mais n'est **jamais appelé** dans le middleware d'auth. La révocation repose uniquement sur `TokenVersion`. | Impossible de révoquer un token spécifique — seule la révocation de tous les tokens d'un utilisateur (via token version increment) est possible. | Connecter `TokenBlacklist.IsBlacklisted()` dans `authenticate()` après la validation JWT. | S |
 | **VEZA-SEC-008** | A04 Design | **MOYEN** | `ratelimit.go:49-50` | `/auth/login` et `/auth/register` sont exclus du rate limiter global (100 req/min par IP). Ils ont des rate limiters endpoint-spécifiques (5/15min login, 3/h register) mais pas le plafond global. | Un attaquant peut potentiellement contourner la protection globale en ciblant ces endpoints. Les limites endpoint-spécifiques restent en place. | Appliquer le rate limiter global en amont des rate limiters spécifiques, ou documenter le choix. | S |
 | **VEZA-SEC-009** | A02 Crypto | **FAIBLE** | `config.go:293` | `CHAT_JWT_SECRET` fallback au `JWT_SECRET` principal. Si non configuré séparément, un JWT crafté pour le chat pourrait être accepté par l'API principale (si les claims matchent). | Escalade potentielle entre services. | Documenter ou forcer des secrets séparés. | S |
 | **VEZA-SEC-010** | A07 Auth | **FAIBLE** | `oauth_service.go` | Pas de validation whitelist pour l'URL de redirection OAuth post-callback. | Open redirect potentiel après OAuth. | Valider l'URL de redirection contre une whitelist de domaines autorisés. | S |
 ### Points de sécurité positifs (bonnes pratiques confirmées)
 | Domaine | Implémentation | Fichier |
 |---------|---------------|---------|
 | **Tokens** | httpOnly cookies, non accessibles depuis JS | `tokenStorage.ts` (no-op class), backend sets cookies |
 | **Passwords** | bcrypt cost 12, min 12 chars, complexity rules, 72-byte limit enforced | `password_service.go:23,311` |
 | **JWT** | HS256 algorithm pinning, 5 min TTL, issuer/audience validation, token version | `jwt_service.go:126-131,37` |
 | **CSRF** | Redis-backed, 32-byte random, timing-safe comparison, fail-secure | `csrf.go:131,115-127` |
 | **CORS** | Wildcard blocked in production, credentials-aware, origin reflection | `cors.go:29,125` |
 | **Headers** | HSTS, CSP, X-Frame-Options DENY, COEP, COOP, CORP, Permissions-Policy | `security_headers.go` |
 | **Rate limiting** | Multi-layer (global IP, per-endpoint, per-user), Redis with in-memory fallback | `ratelimit*.go`, `endpoint_limiter.go` |
 | **Account lockout** | 5 attempts / 15 min, 30 min lockout, fail-secure | `account_lockout_service.go` |
 | **File upload** | ClamAV scanning, type validation, concurrent limiting, fail-secure (503) | `upload.go:182-197` |
 | **SQL** | Parameterized queries throughout, ORDER BY fields whitelisted | `user_service_search.go:147-155` |
 | **Exec** | `ValidateExecPath()` on most services, context-based exec | `utils/sanitizer.go:29-43` |
 | **Secrets** | No hardcoded secrets, env vars required, masking in logs | `config.go`, `secrets.go` |
 | **Audit** | Comprehensive audit middleware for sensitive actions | `middleware/audit.go` |
 | **Bypass protection** | `validateNoBypassFlagsInProduction` blocks CSRF_DISABLED, DISABLE_RATE_LIMIT | `config/validation.go` |
 | **Frontend XSS** | No `dangerouslySetInnerHTML`, DOMPurify available, no localStorage for tokens | Grep results |
 | **Docker** | Non-root users (UID 1001), minimal alpine bases, health checks | All Dockerfiles |
 ---
 ## 5️⃣ DETTE TECHNIQUE
 ### 5.1 Registre de la dette
 | Cat. | Description | Impact | Fichier(s) | Effort |
 |------|------------|--------|-----------|--------|
 | 🔴 | OAuth `generateJWT` produit des tokens invalides | OAuth login cassé | `oauth_service.go:585` | M |
 | 🔴 | `TokenBlacklist` déconnecté de l'auth | Révocation granulaire impossible | `token_blacklist.go` | S |
 | 🟠 | Rust stream server : 6 fichiers de test pour 109 sources | Régressions non détectées | `veza-stream-server/src/` | L |
 | 🟠 | 134 tests Go conditionnellement skippés (infra-dependent) | Couverture effective incertaine sans CI complet | `*_test.go` | XL |
 | 🟠 | `veza-chat-server` référencé dans `.cursorrules` mais absent | Confusion pour nouveaux développeurs | `.cursorrules` | S |
 | 🟠 | VERSION file (0.101.0) incohérent avec CHANGELOG (v0.803) | Confusion de versioning | `VERSION` | S |
 | 🟠 | Migrations : 122 fichiers, numérotation non contiguë (001→122 puis 900→935) | Consolidation nécessaire avant scaling de l'équipe | `migrations/` | L |
 | 🟠 | 40 fichiers Go > 500 lignes | Complexité, maintenabilité réduite | Voir liste section 3 | L |
 | 🟡 | `docs.go` généré : 5482 lignes | Swagger spec dans le code source, alourdit le repo | `docs/docs.go` | S |
 | 🟡 | Duplication `migrations/` racine vs `veza-backend-api/migrations/` | Risque de désynchronisation | Racine + backend | S |
 | 🟡 | Go 1.23 dans Dockerfile dev vs 1.24 dans go.mod et Dockerfile.production | Comportement différent dev/prod | Dockerfiles | S |
 | 🟡 | 21 TODO/FIXME/HACK dans le codebase | Minor mais à nettoyer | Distribués | S |
 | 🟡 | Pas de cursor-based pagination | Performance dégradée sur grands datasets avec OFFSET | Services de listing | M |
 | ⚪ | `soundcloud/` directory dans Rust stream server | Purpose unclear, naming confusion with SoundCloud brand | `veza-stream-server/src/soundcloud/` | S |
 ### 5.2 Quantification
 | Métrique | Go | TypeScript | Rust | Total |
 |----------|-----|-----------|------|-------|
 | **LOC** | 184 501 | 211 929 | 39 403 | **435 833** |
 | **LOC mort estimé** | ~200 | ~500 (generated types) | ~3000 (generated protobuf + soundcloud) | **~3 700** |
 | **Fichiers de test** | 292 | 299 | 6 | **597** |
 | **Stories** | - | 306 | - | **306** |
 | **TODO/FIXME/HACK** | 9 | 8 | 4 | **21** |
 | **Fichiers > 500 lignes** | 40 (1 generated) | 20 (1 generated) | 19 (1 generated) | **79** |
 | **Dépendances directes** | ~35 | 82 (35 prod + 47 dev) | ~60 | **177** |
 ### 5.3 Hétérogénéité Go + Rust
 Le choix de Go pour le backend API et Rust pour le streaming est **architecturalement justifié** :
 - Go excelle en HTTP/REST APIs avec GORM, handlers, middleware
 - Rust est pertinent pour le traitement audio temps-réel et HLS
 Cependant, le chat server Rust a été migré en Go (v0.502), validant que Rust n'était pas nécessaire pour le WebSocket chat. La réduction à 2 langages (Go + Rust stream) est rationnelle.
 Le coût réel : deux toolchains, deux CI pipelines, deux sets de dépendances à maintenir. Pour une équipe < 3 devs, c'est un overhead significatif.
 ---
 ## 6️⃣ QUALITÉ ARCHITECTURALE
 ### 6.1 Monorepo
 | Critère | Évaluation |
 |---------|-----------|
 | **Outil** | Turbo 2.3.0 + npm workspaces | 
 | **Build** | Parallélisable via Turbo, outputs cachés |
 | **Versioning** | Incohérent (VERSION file ≠ CHANGELOG tags) |
 | **Workspace** | npm workspaces, Cargo workspace partiel |
 | **Makefile** | Excellent — 10 modules, orchestration complète |
 ### 6.2 Frontend
 | Critère | Score | Détail |
 |---------|-------|--------|
 | **Structure** | ✅ | Feature-based, clean separation |
 | **State** | ✅ | Zustand + TanStack Query, persist + broadcast sync |
 | **Data fetching** | ✅ | TanStack Query avec cache/invalidation |
 | **Routing** | ✅ | React Router 6.30, lazy loading, code splitting |
 | **Design system** | ✅ | SUMI v2.0, 207+ UI components, Tailwind + CSS tokens |
 | **TypeScript** | ✅ | Strict mode probable, minimal `any` usage |
 | **Storybook** | ✅ | 306 stories, MSW addon, a11y addon |
 | **MSW** | ✅ | 196 endpoints, 11 handler modules, catch-all |
 | **Security** | ✅ | httpOnly cookies, no dangerouslySetInnerHTML, DOMPurify, Zod validation |
 | **Env validation** | ✅ | Zod schema for env vars |
 ### 6.3 Backend Go
 | Critère | Score | Détail |
 |---------|-------|--------|
 | **Architecture** | ✅ | Layered: handler → service → repository. Domain-driven (core/auth, core/track, core/marketplace) |
 | **Error handling** | ✅ | Wrapped errors, structured responses, recovery middleware |
 | **Middleware** | ✅ | 26 middlewares, correct ordering, comprehensive coverage |
 | **Database** | ✅ | GORM with connection pooling, parameterized queries, 122 migrations |
 | **Concurrency** | ✅ | Context propagation, graceful shutdown manager, goroutine management |
 | **Config** | ✅ | Environment-based, validated at startup, production-specific checks |
 | **API versioning** | ✅ | `/api/v1/` consistently |
 | **OpenAPI** | ⚠️ | Swagger generated (`docs.go`) but not validated against code automatically |
 ### 6.4 Rust Stream Server
 | Critère | Score | Détail |
 |---------|-------|--------|
 | **Architecture** | ✅ | Modular (auth, streaming, transcoding, codecs, monitoring) |
 | **Error handling** | ✅ | Custom `AppError` enum, 30+ variants, `IntoResponse` |
 | **Safety** | ✅ | 0 `unsafe` blocks, ~15 `expect()` only in initialization |
 | **Tests** | ❌ | 6 test files for 109 source files — critical gap |
 | **Compilation** | ⚠️ | No `sqlx-data.json` — requires live DB for compilation check |
 ### 6.5 Base de données
 | Critère | Score | Détail |
 |---------|-------|--------|
 | **Schema** | ✅ | Well-normalized, UUID primary keys, FK constraints |
 | **Indexes** | ✅ | `pg_trgm`, composite indexes, performance indexes (migration 920) |
 | **Migrations** | ⚠️ | 122 migrations, non-contiguous numbering (1-122, 900-935), no consolidation |
 | **Relations** | ✅ | FK constraints, cascades in migration 930 |
 | **Redis usage** | ✅ | Cache, CSRF, sessions, rate limiting, presence, blacklist — well-defined roles |
 ### 6.6 Scorecard
 | Dimension | Score | Justification |
 |-----------|-------|---------------|
 | **Architecture** | **8/10** | Excellente séparation des concerns, patterns cohérents, middleware chain exemplaire. -1 pour OAuth JWT bypass, -1 pour TokenBlacklist déconnecté. |
 | **Maintenabilité** | **7/10** | Code lisible, conventions respectées, 21 TODO seulement. -1 pour 79 fichiers > 500 lignes, -1 pour incohérences de version, -1 pour documentation obsolète (chat-server). |
 | **Sécurité** | **7/10** | Excellentes pratiques (httpOnly, bcrypt, CSRF, CSP, rate limiting). -1 pour OAuth cassé, -1 pour PKCE absent, -1 pour tokens OAuth en clair. |
 | **Scalabilité** | **6/10** | Architecture horizontalement scalable en théorie. -1 pour SPOF PostgreSQL/Redis, -1 pour OFFSET pagination, -1 pour 134 tests conditionnels, -1 pour Rust tests insuffisants. |
 | **Testabilité** | **7/10** | 897 artefacts de test, pipeline complet. -1 pour Rust coverage, -1 pour tests infra-dependent, -1 pour pas de contrat API formel. |
 | **Opérabilité** | **8/10** | Prometheus, Grafana, alerting, structured logging, health checks, K8s manifests, blue-green. -1 pour monitoring chat non couvert, -1 pour pas de runbook opérationnel complet. |
 | **Vélocité dev** | **7/10** | Makefile complet, MSW, Storybook, hot reload. -1 pour 3 langages, -1 pour onboarding multi-toolchain, -1 pour documentation incohérente. |
 | **Maturité produit** | **6/10** | 19 features opérationnelles, 5 partielles, 4 fantômes. -1 pour OAuth cassé, -1 pour WebRTC non fonctionnel, -1 pour live streaming partiel, -1 pour gamification fantôme. |
 **Score moyen : 7.0 / 10**
 ---
 ## 7️⃣ INFRA & DEVOPS
 ### 7.1 Docker
 | Critère | Status |
 |---------|--------|
 | **Multi-stage builds** | ✅ Tous les services |
 | **Images de base** | ✅ Alpine (Go, Rust, Node, Nginx) |
 | **Non-root** | ✅ UID 1001 partout |
 | **Health checks** | ✅ Configurés |
 | **Secrets en build args** | ✅ Aucun — env vars au runtime |
 | **Taille optimisée** | ✅ Static binaries, stripped |
 | **ClamAV** | ⚠️ Installé dans l'image backend — augmente la taille |
 ### 7.2 CI/CD
 | Critère | Status |
 |---------|--------|
 | **Lint** | ✅ ESLint, Clippy, gofmt, go vet |
 | **Tests** | ✅ Unit + integration + E2E + Storybook |
 | **Security scanning** | ✅ Gitleaks, CodeQL, Trivy, govulncheck, cargo-audit, npm audit |
 | **Container scanning** | ✅ Trivy CRITICAL/HIGH |
 | **SBOM** | ✅ CycloneDX |
 | **Signing** | ✅ Cosign (configurable) |
 | **Deployment** | ✅ Blue-green via docker-compose.prod.yml |
 | **Environments** | ✅ Dev, staging, production séparés |
 | **Secrets** | ✅ GitHub Secrets + External Secrets Operator (Vault) |
 | **Pre-commit** | ✅ Husky hooks (typecheck, lint, tests) |
 ### 7.3 Reproductibilité
 | Critère | Status |
 |---------|--------|
 | **Single command build** | ✅ `make dev` ou `docker compose up` |
 | **Lock files** | ✅ `go.sum`, `Cargo.lock`, `package-lock.json` |
 | **Toolchain pinning** | ✅ `rust-toolchain.toml`, Go version in `go.mod` |
 | **Onboarding doc** | ✅ `ONBOARDING.md` existe |
 ---
 ## 8️⃣ PERFORMANCE & SCALABILITÉ
 | Composant | Risque | Seuil estimé | Mitigation |
 |-----------|--------|-------------|------------|
 | **PostgreSQL** | N+1 queries possibles via GORM | > 5K req/min | GORM `Preload` utilisé, mais à profiler |
 | **Redis** | SPOF pour CSRF/sessions/rate-limit | Si Redis down → 503 global | Sentinelle ou cluster non configuré |
 | **Chat WebSocket (Go)** | Goroutine per connection | > 5K connexions simultanées | Goroutine-safe, mais backpressure à valider |
 | **Stream server** | HLS segment serving | > 500 streams simultanés | Rust + Tokio devrait tenir, mais 6 tests |
 | **File storage (MinIO)** | Single instance | > 5TB | Pas de réplication configurée |
 | **OFFSET pagination** | O(n) scan | > 100K records | Migrer vers cursor-based pagination |
 **Scalabilité horizontale :**
 - ✅ Backend Go : stateless (sessions en Redis), scalable
 - ✅ Frontend : statique, CDN-ready
 - ⚠️ Stream server : WebSocket = session affinity nécessaire
 - ⚠️ Chat : WebSocket = session affinity nécessaire
 - ❌ PostgreSQL : single instance, pas de sharding
 - ❌ Redis : single instance
 ---
 ## 9️⃣ RISQUES BUSINESS
 ### 9.1 Verdict catégorique
 | Question | Réponse | Justification |
 |----------|---------|---------------|
 | Peut-on lancer en production tel quel ? | **NON** | OAuth cassé, webhook verification optionnelle, TokenBlacklist déconnecté |
 | Peut-on vendre/monétiser tel quel ? | **NON** | Flux de paiement dépend de Hyperswitch webhook non vérifié en staging. OAuth non fonctionnel empêche le social login. |
 | Peut-on maintenir avec 2 devs ? | **Conditionnel** | Oui si Go + TS. Le Rust stream server est un risque si le dev Rust part. |
 | Faut-il refactorer avant prod ? | **OUI** | Corriger les 5 vulnérabilités, consolider les migrations, connecter le TokenBlacklist |
 | Faut-il réécrire certains services ? | **NON** | L'architecture est saine. Corrections ciblées suffisent. |
 | La vélocité (353 features) est-elle un red flag ? | **Attention** | Le volume est impressionnant mais le ratio features/tests sur le Rust server et la présence de features fantômes suggèrent que certaines "features" sont des endpoints avec MSW mocks mais pas de validation E2E réelle. |
 ### 9.2 Point de vue investisseur
 | Question | Réponse |
 |----------|---------|
 | Le produit est-il fonctionnel ou une démo ? | **Fonctionnel** pour 80% des features. Les 19 features opérationnelles ont du code backend réel, des migrations, des handlers, des services, des tests. Ce n'est pas un prototype Figma ni du mock-only. |
 | Risques d'incident public ? | **Oui** — les tokens OAuth providers en clair et le webhook payment non vérifié sont exploitables. Correctifs estimés à 2-3 jours. |
 | Code repris par une autre équipe ? | **Oui** avec 2-3 semaines d'onboarding. Architecture claire, conventions cohérentes, documentation existante. La multi-stack Go+Rust+TS nécessite des profils polyvalents. |
 | Coût pour v1.0 production-ready ? | **4-8 semaines** pour corrections sécurité + tests Rust + consolidation migrations + monitoring complet + load testing. |
 | IP technique défendable ? | **Oui** — le pipeline HLS complet (upload → transcode → streaming), le système de chat WebSocket intégré, le marketplace avec Hyperswitch, et le système d'analytics constituent une plateforme cohérente. |
 | Ratio features/qualité ? | **Quantité priorisée** sur la qualité pour le stream server Rust (6 tests). Backend Go et frontend React ont un bon équilibre. |
 ### 9.3 Score de rachetabilité
 **7/10** — Code bien structuré, architecture claire, documentation existante. Points de friction : multi-stack (3 langages), 122 migrations à comprendre, quelques incohérences documentaires.
 ---
 ## 🔟 PLAN D'ACTION PRIORISÉ
 ### Phase 1 — Critique (semaines 1-2)
 | # | Action | Pourquoi | Fichiers | Effort |
 |---|--------|----------|---------|--------|
 | 1 | **Corriger OAuth `generateJWT`** — utiliser `JWTService.GenerateAccessToken()` + créer une session | OAuth login cassé | `oauth_service.go:585-593`, `oauth_service.go:307` | M (1-2j) |
 | 2 | **Supprimer `PasswordService.GenerateJWT`** | Code mort à risque | `password_service.go:260-267` | S (<1j) |
 | 3 | **Rendre webhook Hyperswitch verification obligatoire** dans tous les envs | Forgery de paiement possible | `routes_webhooks.go:65-73` | S (<1j) |
 | 4 | **Connecter `TokenBlacklist` au middleware auth** | Révocation granulaire non fonctionnelle | `auth.go`, `token_blacklist.go` | S (<1j) |
 | 5 | **Ajouter `ValidateExecPath` dans `waveform_service.go`** | Path traversal sur FFmpeg | `waveform_service.go:72,82` | S (<1j) |
 | 6 | **Chiffrer les tokens OAuth providers au repos** | Compromission DB = accès aux comptes liés | `oauth_service.go:577-579` | M (1-2j) |
 ### Phase 2 — Stabilisation (semaines 3-6)
 | # | Action | Pourquoi | Effort |
 |---|--------|----------|--------|
 | 7 | **Implémenter PKCE dans le flux OAuth** | OWASP A07 compliance | M |
 | 8 | **Ajouter des tests au Rust stream server** — objectif 50% coverage | 6 tests pour 109 fichiers = risque | XL |
 | 9 | **Valider l'URL de redirection OAuth** contre whitelist | Open redirect prevention | S |
 | 10 | **Harmoniser VERSION file** avec les tags git | Confusion de versioning | S |
 | 11 | **Mettre à jour `.cursorrules`** — retirer les références au chat-server Rust | Documentation obsolète | S |
 | 12 | **Harmoniser Go version** dans tous les Dockerfiles (1.24) | Comportement dev ≠ prod | S |
 | 13 | **Load testing du stream server** sous charge (1000 connexions WebSocket) | Pas de preuve de performance | L |
 ### Phase 3 — Consolidation (semaines 7-12)
 | # | Action | Pourquoi | Effort |
 |---|--------|----------|--------|
 | 14 | **Consolider les migrations** — squash 1-122 en un schéma initial | 122 migrations = lent au setup, risque d'erreur | L |
 | 15 | **Implémenter cursor-based pagination** sur les listings à volume | OFFSET O(n) ne scale pas | L |
 | 16 | **Configurer Redis Sentinel/Cluster** pour HA | Redis = SPOF pour auth/CSRF | M |
 | 17 | **Refactorer les 10 fichiers Go > 1000 lignes** | Complexité, maintenabilité | L |
 | 18 | **Tests de contrat API** — valider OpenAPI spec contre le code | Drift API documentation | M |
 | 19 | **Configurer PostgreSQL replication** | SPOF pour toutes les données | L |
 | 20 | **Déduplication des migrations** racine vs backend | Source unique de vérité | S |
 ### Phase 4 — Évolution (mois 4+)
 | # | Action | Effort |
 |---|--------|--------|
 | 21 | WebRTC avec TURN/STUN pour audio calls | XL |
 | 22 | Live streaming réel (RTMP ingestion) | XL |
 | 23 | Gamification (backend, pas juste MSW) | L |
 | 24 | Multi-region deployment | XL |
 | 25 | CDN pour assets audio | M |
 ---
 ## CONCLUSION STRATÉGIQUE
 Veza est un projet **techniquement solide dans sa conception** mais qui souffre d'un déséquilibre classique des projets early-stage : **trop de features, pas assez de profondeur sur chacune**. L'architecture est saine, les patterns sont cohérents, la sécurité est proactive dans 90% des cas — mais les 10% restants contiennent des vulnérabilités exploitables.
 Le **backend Go est le point fort** du projet : layered architecture, 292 test files, middleware chain exemplaire, configuration validée. Le **frontend React** est également bien structuré avec son approche Storybook-first et ses 306 stories. Le **Rust stream server** est le point faible : fonctionnel mais insuffisamment testé (6 fichiers de test).
 **Recommandation : Investir, mais conditionné à la correction des 6 actions Phase 1 (2-3 jours de travail).** Le coût de mise en production complète est estimé à 4-8 semaines. Le rapport qualité/ambition est favorable pour un projet de cette taille. L'architecture ne nécessite pas de réécriture — des corrections ciblées suffisent.
 La question stratégique n'est pas technique mais organisationnelle : **cette vélocité est-elle soutenable ?** 26 versions en quelques mois avec une petite équipe suggère soit une productivité exceptionnelle, soit une accumulation de dette invisible. L'audit montre que la dette est **quantifiable et gérable** (21 TODO, ~3700 LOC mortes, 79 fichiers volumineux) — ce n'est pas un projet en perdition technique, c'est un projet qui a besoin de passer du mode "sprint feature" au mode "hardening for production".
--- a/docs/PLAN_V0_803_IMPLEMENTATION.md
+++ b/docs/PLAN_V0_803_IMPLEMENTATION.md
@ -1,20 +1,28 @@
 # Plan d'implémentation v0.803 — Sécurité, Compliance & Outillage Dev
-## État des lieux
+**Statut** : En cours
 **Date de création** : 2026-02-25
 **Estimation révisée** : ~2 sprints (10 jours ouvrés) — réduit car beaucoup de features déjà partiellement implémentées
-| Feature | Backend | Frontend | Tests |
+---
-|---------|---------|----------|-------|
+
-| Rate limiting | ✅ Redis | — | ✅ |
+## Audit du code existant (gap analysis réel)
-| CORS | ✅ | — | ❌ |
+
-| CSP/HSTS/security headers | ❌ | — | ❌ |
+| Feature | Backend | Frontend | Tests | Gap réel |
-| Audit logs | ❌ | ❌ | ❌ |
+|---------|---------|----------|-------|----------|
-| Account deletion | ❌ | ❌ | ❌ |
+| Security headers (CSP, HSTS, etc.) | ✅ `security_headers.go` (118L) | — | ✅ `security_headers_test.go` | **DONE** — rien à faire |
-| OpenAPI/Swagger | ❌ | — | ❌ |
+| Rate limiting per-IP/user | ✅ `rate_limiter.go` (475L) + `endpoint_limiter.go` (352L) | — | ✅ | Ajouter global limit (1000/s) |
-| API keys | ⚠️ basic | ⚠️ developer page | ❌ |
+| Audit logs (table, service, handler) | ✅ migration 910, `handlers/audit.go` (588L), routes `/audit/*` + `/admin/audit/*` | ✅ `AdminAuditLogsView.tsx` | ✅ MSW | **DONE** — rien à faire |
-| Moderation queue | ❌ | ❌ | ❌ |
+| Audit middleware (auto-log POST/PUT/DELETE) | ❌ Absent | — | ❌ | **À CRÉER** |
-| Maintenance mode | ❌ | — | ❌ |
+| Account deletion | ✅ `DELETE /users/me` dans `internal/api/user/routes.go` | ✅ `AccountSettingsDeleteCard.tsx` | ❌ | Vérifier handler, ajouter tests |
-| Announcements | ❌ | ❌ | ❌ |
+| CCPA / "Do Not Sell" | ❌ Absent | ❌ | ❌ | **À CRÉER** |
-| Feature flags UI | ❌ | ❌ | ❌ |
+| OpenAPI/Swagger | ✅ Routes `/swagger/*any` dans `router.go`, swaggo importé | ✅ `SwaggerUI.tsx` dans developer | ❌ | Compléter annotations handlers |
 | API keys CRUD | ✅ `api_key_handler.go` (74L), model, migration 082, routes | ✅ `DeveloperDashboardView.tsx` + `CreateAPIKeyModal.tsx` | ❌ | Ajouter tests backend |
 | API key auth (X-API-Key) | ✅ Supporté dans `auth.go` | — | ❌ | Ajouter tests |
 | Moderation queue | ❌ Backend absent (frontend utilise mocks) | ✅ `AdminModerationView.tsx` (196L, connecté à `adminService`) | ❌ | **Backend + migration + connecter frontend** |
 | Maintenance mode | ❌ Backend absent | ⚠️ Toggle local dans `AdminSettingsView.tsx` | ❌ | **Middleware + endpoint + connecter** |
 | Announcements | ❌ Backend absent | ⚠️ Textarea locale dans `AdminSettingsView.tsx` | ❌ | **Backend CRUD + migration + banner + connecter** |
 | Feature flags UI | ❌ `features/features.go` = stub vide | ⚠️ Liste statique hardcodée dans `AdminSettingsView.tsx` | ❌ | **Backend CRUD + migration + connecter** |
 ---
--- a/docs/ROADMAP_V09XX_TO_V1.md
+++ b/docs/ROADMAP_V09XX_TO_V1.md
--- a/docs/archive/V0_802_RELEASE_SCOPE.md
+++ b/docs/archive/V0_802_RELEASE_SCOPE.md
@ -1,24 +1,51 @@
-# V0.802 Release Scope — Placeholder
+# V0.802 Release Scope — Cloud Complet, Fichiers & Gear Avancé
-**Statut** : À définir
+**Statut** : Livré
 **Phase** : 8 (Polish & Scale — Lot 2)
 **Prérequis** : v0.801 (taguée)
-**Date cible** : TBD
+**Date** : 2026-02-25
-**Précédente** : [v0.801](archive/V0_801_RELEASE_SCOPE.md)
+**Précédente** : [v0.801](V0_801_RELEASE_SCOPE.md)
 ---
 ## 1. Objectif
-À définir. Candidats potentiels (hors scope v0.801) :
+Cloud Storage avancé (versioning, sharing, GDPR export, backup), Gear documents/repairs, Tags suggest.
 - Cloud Storage avancé
 - Gear warranty tracking
 - Autres améliorations UX/UI identifiées post-v0.801
 ---
-## 2. Références
+## 2. Livré
- [SCOPE_CONTROL.md](SCOPE_CONTROL.md)
+### Cloud (CL1)
- [V0_801_RELEASE_SCOPE.md](archive/V0_801_RELEASE_SCOPE.md)
+- Migrations 119 : cloud_file_versions, cloud_file_shares
- [RETROSPECTIVE_V0801.md](archive/RETROSPECTIVE_V0801.md)
+- CreateVersion, ListVersions, RestoreVersion
 - ShareFile, GetSharedFile (GET /cloud/shared/:token public)
 - GDPR export : POST /users/me/export (202 Accepted, async ZIP)
 - CloudBackupWorker : ticker 24h, copie vers backup/
 ### Tags (FM1-03)
 - GET /tags/suggest?q=...&limit=10
 - audio/aiff, audio/x-aiff dans AllowedMimeTypes
 ### Gear (GR1)
 - Migrations 120–122 : warranty_start, warranty_notes, gear_documents, gear_repairs
 - Documents CRUD : upload, list, delete
 - Repairs CRUD : create, list, delete
 - GearWarrantyNotifier : ticker 24h, notifications warranty ≤ 30 jours
 ### Frontend
 - CloudFileVersions, CloudShareModal
 - GearDocumentsTab, GearRepairsTab, warranty badge sur GearCard
 - Bouton Upload Document → onglet Documents
 ### MSW & Storybook
 - Handlers : cloud versions/share, gear documents/repairs, tags suggest
 - Stories : CloudFileVersions (Empty, Loading), GearDetailModal (WithDocuments, WithRepairs, WarrantyExpiring), GearCard (WarrantyExpiringSoon)
 ---
 ## 3. Références
 - [SCOPE_CONTROL.md](../SCOPE_CONTROL.md)
 - [V0_801_RELEASE_SCOPE.md](V0_801_RELEASE_SCOPE.md)
 - [RETROSPECTIVE_V0802.md](RETROSPECTIVE_V0802.md)
--- a/full_veza_audit_data/cursor_analyze_feature_status_and_tests.md
+++ b/full_veza_audit_data/cursor_analyze_feature_status_and_tests.md
@ -0,0 +1,205 @@
 # Analyze feature status and tests
 _Exported on 2/26/2026 at 09:59:55 GMT+1 from Cursor (2.5.17)_
 ---
 **Cursor**
 I'll gather all the data in parallel batches. Let me start with all the document reads and shell commands at once.
 Now let me run the remaining searches: disabled tests, TODO/FIXME/HACK counts, and files >500 lines. I'll also read the individual MSW handler files to see what endpoints are mocked.
 Let me now read the MSW handler files to catalog which endpoints are mocked, and get the exact TODO/FIXME totals.
 Let me use the proper tools for the remaining data.
 Now I have all the data. Here's the complete raw report:
 ---
 ## Complete Project Health Report — Veza v0.803
 ---
 ### 1. DOCUMENT CONTENTS (summarized above — full text was read)
 **`docs/FEATURE_STATUS.md`** — 19 operational features, 3 ghost features (Studio removed, Education removed, Gamification MSW-only), 4 feature-flagged features, 2 known limitations (2FA SMS, Passkeys). Full version history from v0.202 through v0.803.
 **`docs/PROJECT_STATE.md`** — Current tag: **v0.803**, Phase 8 (Polish & Scale). Next: v0.901. Cumulative: ~353/600 features. Maturity: 5/10. Streaming: 55%, Cloud: 30%, Gear: 60%.
 **`apps/web/docs/FEATURE_STATUS.md`** — Exists. Documents frontend-specific route status, feature flags in `src/config/features.ts`, and Coming Soon routes (all now operational since v0.102).
 **`docs/V0_803_RELEASE_SCOPE.md`** — 5 lots: SEC1 (security headers), SEC2 (audit & compliance), DEV1 (API/dev tools), ADM1 (admin improvements), QA1 (tests & release). Status: planned/delivered.
 **`docs/SCOPE_CONTROL.md`** — Active reference now points to **v0.901**. Lists 26 tagged versions from v0.101 through v0.803.
 ---
 ### 2. CHANGELOG (latest 3 versions)
 | Version | Date | Highlights |
 |---------|------|------------|
 | **v0.803** | 2026-02-25 | Audit middleware, CCPA, account deletion, moderation, maintenance mode, announcements, feature flags DB, admin views |
 | **v0.802** | 2026-02-25 | Cloud versioning/sharing, GDPR export, backup cron, batch upload, tags suggest, gear docs/repairs/warranty |
 | **v0.801** | 2026-02-25 | User preferences, high contrast, density, accent color, font size, accessibility, PWA, wake lock |
 ---
 ### 3. CODEBASE SIZE (Lines of Code)
 | Component | LOC |
 |-----------|-----|
 | **Go** (backend) | **184,501** |
 | **TypeScript/TSX** (frontend) | **211,929** |
 | **Rust** (stream server) | **39,403** |
 | **TOTAL** | **435,833** |
 ---
 ### 4. TEST FILE COUNTS
 | Type | Count |
 |------|-------|
 | Go test files (`*_test.go`) | **292** |
 | Frontend test files (`.test.ts(x)`, `.spec.ts(x)`) | **299** |
 | Storybook story files (`.stories.ts(x)`) | **306** |
 | **Total test/story artifacts** | **897** |
 ---
 ### 5. DISABLED / SKIPPED TESTS
 **Go (`t.Skip`)** — Very heavy usage, breakdown by reason:
 | Reason | Approximate count |
 |--------|-------------------|
 | "Skipping integration test in short mode" | ~65 |
 | "Skipping performance/load test in short mode" | ~18 |
 | PostgreSQL testcontainer not available | ~12 |
 | Redis not available | ~14 |
 | SQLite limitations (ILIKE, @>, NOW()) | ~12 |
 | "requires real database/multipart/FFmpeg" | ~5 |
 | Golden file `-update` flag | ~3 |
 | Other conditional skips | ~5 |
 | **Total `t.Skip` calls in Go** | **~134** |
 **Frontend (`test.skip`)** — 12 instances:
 - E2E auth (1 — needs 2FA code)
 - E2E chat (3 — conditional on WebSocket/channels)
 - E2E visual (2 — conditional on locator visibility)
 - E2E profile (3 — unconditional skips)
 - E2E playlists (1 — unconditional skip)
 - E2E storybook (1 — requires pre-built storybook)
 - E2E navigation (2 — unconditional skips)
 - E2E smoke (1 — API health)
 Most Go skips are **conditional** (infrastructure-dependent, not hard-disabled). The frontend skips are in E2E tests, mostly conditional.
 ---
 ### 6. TODO / FIXME / HACK COUNTS
 | Marker | Go | TypeScript/TSX | Rust | Total |
 |--------|-----|----------------|------|-------|
 | **TODO** | 9 (across 7 files) | 7 (across 4 files) | 4 (across 4 files) | **20** |
 | **FIXME** | 0 | 0 | 0 | **0** |
 | **HACK** | 0 | 1 (`PlayerExpanded.tsx`) | 0 | **1** |
 | **TOTAL** | | | | **21** |
 Very clean codebase — only 21 markers total.
 ---
 ### 7. FILES EXCEEDING 500 LINES
 **Go (40 files >500 lines)** — Top offenders:
 | LOC | File |
 |-----|------|
 | 5,482 | `docs/docs.go` (generated Swagger) |
 | 1,291 | `internal/core/track/service.go` |
 | 1,142 | `internal/core/marketplace/service.go` |
 | 1,137 | `internal/handlers/playlist_handler.go` |
 | 1,099 | `tests/search/search_test.go` |
 | 1,042 | `internal/services/playback_analytics_service_test.go` |
 | 1,019 | `internal/core/auth/service.go` |
 | 1,012 | `internal/config/config.go` |
 | 919 | `internal/handlers/marketplace.go` |
 | 915 | `internal/services/playlist_service.go` |
 **TypeScript/TSX (20 files >500 lines)** — Top offenders:
 | LOC | File |
 |-----|------|
 | 7,123 | `types/generated/api.ts` (generated) |
 | 869 | `features/tracks/api/trackApi.ts` |
 | 780 | `features/playlists/services/playlistService.test.ts` |
 | 761 | `features/tracks/hooks/useTrackList.test.ts` |
 | 750 | `features/auth/pages/LoginPage.test.tsx` |
 | 747 | `features/auth/pages/RegisterPage.test.tsx` |
 | 738 | `mocks/handlers-misc.ts` |
 | 683 | `utils/optimisticUpdates.ts` |
 | 670 | `features/streaming/services/playbackAnalyticsService.ts` |
 **Rust (19 files >500 lines)** — Top offenders:
 | LOC | File |
 |-----|------|
 | 1,925 | `generated/veza.stream.rs` (generated protobuf) |
 | 1,183 | `core/sync.rs` |
 | 1,181 | `soundcloud/discovery.rs` |
 | 996 | `streaming/websocket.rs` |
 | 932 | `codecs/mp3.rs` |
 | 876 | `soundcloud/management.rs` |
 ---
 ### 8. MSW MOCK HANDLERS — Full Endpoint Inventory
 The MSW layer is split into **11 handler files** with a **catch-all fallback** for unhandled `/api/v1/*` routes.
 | Handler File | Mocked Endpoints | Key Routes |
 |-------------|-----------------|------------|
 | **handlers-auth** (21 endpoints) | Login, 2FA, refresh, register, logout, password reset, OAuth providers, sessions, email verify | All auth flows mocked |
 | **handlers-admin** (24 endpoints) | Audit logs/stats, dashboard, roles, users list, monitoring, webhooks, API keys, transfers, reports, feature flags, maintenance, announcements | Full admin coverage |
 | **handlers-misc** (48 endpoints) | Queue CRUD+sessions, analytics creator, search+suggestions, streaming bitrate, notifications, user profiles/settings/preferences/presence, follow/block, chat token/stats/conversations, gear CRUD+documents+repairs, tags suggest, live streams, developer API keys | Largest handler file |
 | **handlers-marketplace** (21 endpoints) | Product CRUD, reviews, seller stats/balance/transfers/sales, licenses, wishlist, cart, promo codes, orders/refunds/invoices, checkout | Full commerce mocked |
 | **handlers-tracks** (19 endpoints) | Track CRUD, lyrics, comments/replies, recommendations, suggested tags, playback heatmap/dashboard/stats, search, download, like, share | Full track coverage |
 | **handlers-playlists** (14 endpoints) | Playlist CRUD, recommendations, search, duplicate, share, collaborators, export, analytics | Full playlist coverage |
 | **handlers-social** (19 endpoints) | Explore, trending, feed, posts, groups CRUD, group requests/approve/reject/invite, role management, join/leave, like, comment | Full social coverage |
 | **handlers-cloud** (16 endpoints) | Folders CRUD, files CRUD+stream+publish, versioning (list/create/restore), sharing (create/get), quota | Full cloud coverage |
 | **handlers-streaming** (4 endpoints) | HLS info, status, master playlist, quality playlist | HLS mocked |
 | **handlers-live** (4 endpoints) | Stream key (get/regenerate), my streams, update stream | Live streaming mocked |
 | **handlers-common** (6 endpoints) | External images (picsum, pravatar, dicebear, unsplash, textures), CSRF token | External resource mocking |
 **Total mocked endpoints: ~196**
 All endpoints are mock-only (MSW) for Storybook. The frontend connects to the real backend API in dev/staging/prod mode.
 ---
 ### 9. SUMMARY DASHBOARD
 | Metric | Value |
 |--------|-------|
 | Current version | **v0.803** |
 | Total tagged versions | **26** |
 | Operational features | **19** |
 | Ghost features | **3** (2 removed, 1 MSW-only) |
 | Feature-flagged | **4** |
 | Total LOC | **435,833** |
 | Go test files | **292** |
 | Frontend test files | **299** |
 | Storybook stories | **306** |
 | Skipped Go tests | **~134** (mostly infrastructure-conditional) |
 | Skipped frontend E2E | **12** (mostly conditional) |
 | TODO markers | **20** |
 | FIXME markers | **0** |
 | HACK markers | **1** |
 | Go files >500 LOC | **40** (1 generated) |
 | TS/TSX files >500 LOC | **20** (1 generated) |
 | Rust files >500 LOC | **19** (1 generated) |
 | MSW mocked endpoints | **~196** |
 | Maturity score | **5/10** (self-assessed) |
 | Next version | **v0.901** |
--- a/full_veza_audit_data/cursor_deep_security_audit_go_backend.md
+++ b/full_veza_audit_data/cursor_deep_security_audit_go_backend.md
@ -0,0 +1,364 @@
 # Deep security audit Go backend
 _Exported on 2/26/2026 at 10:01:27 GMT+1 from Cursor (2.5.17)_
 ---
 **Cursor**
 I'll perform a comprehensive security audit of the Go backend. Let me start by reading all the key files in parallel.
 Now let me read the remaining files and run the security searches.
 Now let me search for the security patterns - SQL injection, command injection, secrets in logs, pprof, and the router setup.
 Now let me look at the router setup and the Hyperswitch webhook verification, plus the specific files with `exec.Command` and SQL patterns.
 Now let me check the router middleware chain, the `testutils/db.go` for SQL injection, and search for dynamic SQL construction.
 Let me check a few more critical areas - the SQL dynamic ordering, the bypass flags validation, password validator, and the `PasswordService.GenerateJWT` method.
 ---
 # Security Audit Report — Go Backend (`veza-backend-api`)
 ## 1. Auth Middleware (`internal/middleware/auth.go`)
 **JWT Validation:** Thorough multi-layer authentication:
 1. Cookie `access_token` checked first, fallback to `Authorization: Bearer` header
 2. JWT validated via `JWTService.ValidateToken()` (checks signature, expiry, issuer, audience, algorithm)
 3. TokenVersion compared against database (immediate revocation support)
 4. Session validated in Redis/DB
 5. Session user ID must match token user ID
 **Invalid token handling:** Properly returns 401 with `c.Abort()` on every failure path.
 **Findings:**
 - **[LOW] `OptionalAuth` skips session validation silently on error** (lines 337-340): If `ValidateToken` fails, the request continues unauthenticated with no logging. This is by design for optional auth, but could mask attack attempts.
 - **[INFO] API key auth bypass path** (lines 126-137, 156-163): API keys with `vza_` prefix bypass JWT+session validation entirely. If `apiKeyService` is set, a Bearer token starting with `vza_` is tried as API key first. This is correctly designed but increases the attack surface.
 - **[LOW] Presence update goroutine uses `context.Background()`** (line 304): The presence update fires a goroutine with unbounded context. If presence service is slow, this leaks goroutines. Not a security vulnerability but a stability concern.
 ---
 ## 2. CORS Middleware (`internal/middleware/cors.go`)
 **Findings:**
 - **[GOOD] Production wildcard blocked:** `ValidateCORSConfiguration` (line 29) returns a hard error if `*` is in allowed origins in production. `CORSDefault()` panics if `APP_ENV=production`.
 - **[GOOD] Credentials-aware:** `Access-Control-Allow-Credentials: true` is always set, and the middleware reflects the specific origin rather than `*`, which is correct per CORS spec.
 - **[GOOD] Empty list = reject all:** `isAllowedOrigin` returns false for empty allowed list (line 125-127).
 - **[INFO] Preflight cache is 24h** (line 111): `Access-Control-Max-Age: 86400` — acceptable but means CORS policy changes take up to 24h to propagate to clients.
 ---
 ## 3. Rate Limiting (`internal/middleware/ratelimit.go`, `ratelimit_redis.go`, `endpoint_limiter.go`)
 **Global rate limiter:** IP-based sliding window (simple) or Redis-backed atomic Lua script.
 **Endpoint-specific limits:**
 - Login: 5 attempts/15min per IP
 - Register: 3 accounts/hour per IP
 - Password reset: 3/hour
 - Upload: 10/hour per user
 - Verify email: 5/hour
 - Resend verification: 3/hour
 - Check username: 30/min (anti-enumeration)
 - Token refresh: 10/min (anti-grinding)
 - Validate: 10/min
 **Findings:**
 - **[GOOD] Production bypass impossible:** `DISABLE_RATE_LIMIT_FOR_TESTS=true` is blocked in production by `validateNoBypassFlagsInProduction` (config/validation.go).
 - **[GOOD] Fail-secure on Redis failure:** Both `EndpointLimiter` and `RedisRateLimiter` fall back to in-memory limiting (or block) when Redis is unavailable.
 - **[MEDIUM] Login/register excluded from global rate limiter** (lines 49-50 in ratelimit.go): `/api/v1/auth/register` and `/api/v1/auth/login` are in `excludedRateLimitPaths`, meaning they bypass the global IP rate limiter. They are covered by `EndpointLimiter` separately, but this creates a gap where the global 100 req/min limit doesn't apply.
 - **[LOW] Health/swagger excluded from rate limiting** (lines 41-56): Expected behavior but worth noting that `/swagger` and `/docs` have no rate limiting.
 ---
 ## 4. JWT Service (`internal/services/jwt_service.go`)
 **Findings:**
 - **[GOOD] Algorithm pinning:** `ValidateToken` (lines 126-131) validates `*jwt.SigningMethodHMAC` AND checks `Alg() == "HS256"`. Prevents algorithm confusion attacks.
 - **[GOOD] Strict validation options:** Uses `jwt.WithIssuer()`, `jwt.WithAudience()`, `jwt.WithExpirationRequired()`.
 - **[GOOD] Minimum secret length:** Enforced 32-character minimum (line 25-27).
 - **[GOOD] Short-lived access tokens:** 5 minutes TTL (line 37).
 - **[GOOD] Refresh token family tracking:** Each refresh token gets a unique `TokenFamily` UUID (line 81).
 - **[CRITICAL] `PasswordService.GenerateJWT` bypasses all security controls** (`password_service.go` line 260-267): This method generates a JWT with 24h expiry, **no issuer, no audience, no token version, no token type**. If this token reaches `ValidateToken`, it will be **rejected** (issuer/audience mismatch), but if another consumer parses it without those checks, it's a problem.
 - **[HIGH] `OAuthService.generateJWT` also bypasses controls** (`oauth_service.go` lines 585-593): Same issue — generates a JWT with 24h expiry, no issuer, no audience, no token version. This JWT will fail validation at `auth.go:166` since `ValidateToken` requires issuer/audience. **If this JWT is used for the OAuth login flow, the user cannot authenticate.** This appears to be dead code or a bug in the OAuth callback flow.
 - **[MEDIUM] `GenerateStreamToken` uses different issuer/audience** (lines 195-196): `"veza-platform"` and `"veza-services"` instead of `"veza-api"` and `"veza-app"`. This is intentional for cross-service auth, but means the main API's `ValidateToken` will reject stream tokens. Ensure the stream server validates independently.
 ---
 ## 5. Password Service (`internal/services/password_service.go`)
 **Findings:**
 - **[GOOD] bcrypt cost 12:** Constant `bcryptCost = 12` (line 23), used consistently.
 - **[GOOD] 72-byte limit enforced:** `Hash()` (line 311) explicitly rejects passwords >72 bytes to prevent silent bcrypt truncation.
 - **[GOOD] Password reset tokens stored hashed:** SHA-256 hash stored in DB (line 101), plain token returned to user. Token expires in 1 hour.
 - **[GOOD] Single-use tokens:** Reset tokens marked as `used = TRUE` after successful reset (line 177).
 - **[GOOD] Password validation:** Uses comprehensive `PasswordValidator` requiring 12+ chars, uppercase, lowercase, numbers, special chars, no common passwords, no sequential/repetitive patterns, max 128 chars.
 - **[LOW] Token invalidation not atomic with password update** (lines 166-187): The password update and token mark-as-used are separate queries without a transaction. A crash between them could leave a used token unmarked. Low impact since the password was already changed.
 ---
 ## 6. Security Headers (`internal/middleware/security_headers.go`)
 **Findings:**
 - **[GOOD] Comprehensive headers:** HSTS (production only), X-Content-Type-Options, X-Frame-Options (DENY), X-XSS-Protection, Referrer-Policy, Permissions-Policy, CSP, Cross-Origin-Embedder-Policy, Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy, X-Permitted-Cross-Domain-Policies.
 - **[GOOD] Strict CSP for API routes:** `default-src 'none'; frame-ancestors 'none'` — very restrictive for a REST API.
 - **[INFO] Swagger routes get relaxed CSP** (lines 64-88): `unsafe-inline`, `unsafe-eval` allowed for scripts/styles. `frame-ancestors` includes localhost origins in development. This is expected for Swagger UI.
 ---
 ## 7. CSRF Middleware (`internal/middleware/csrf.go`)
 **Findings:**
 - **[GOOD] Timing-safe comparison:** Uses `crypto/subtle.ConstantTimeCompare` (line 131).
 - **[GOOD] Redis-backed tokens:** 32-byte random tokens stored in Redis with 1-hour TTL.
 - **[GOOD] Safe methods excluded:** GET, HEAD, OPTIONS bypass CSRF (line 54).
 - **[GOOD] API key auth skips CSRF** (line 60): Correct — API keys are stateless and don't use cookies.
 - **[GOOD] Production bypass impossible:** `CSRF_DISABLED=true` only works in dev/test environments (line 47), and `validateNoBypassFlagsInProduction` blocks it in production.
 - **[MEDIUM] Redis failure returns 503, not fail-open** (lines 115-127): When Redis is unavailable, CSRF validation returns 503 "Service temporarily unavailable." This is fail-secure, which is good, but could cause denial of service if Redis goes down.
 - **[LOW] Unauthenticated mutating requests bypass CSRF** (lines 66-69): If `user_id` is not in context, CSRF is skipped. Login/register are public and don't have `user_id` set — but neither do they need CSRF since they create sessions rather than consume them.
 ---
 ## 8. Account Lockout (`internal/services/account_lockout_service.go`)
 **Findings:**
 - **[GOOD] Defaults:** 5 attempts in 15-minute window, 30-minute lockout.
 - **[GOOD] Fail-secure fallback:** In-memory lockout when Redis is unavailable (line 103-105).
 - **[GOOD] Exempt accounts configurable:** `ExemptEmails` allows test accounts to bypass lockout.
 - **[INFO] Lockout by email, not IP:** Lockout is keyed by email address, not IP. This means an attacker can lock out any account by repeatedly trying wrong passwords. Consider adding IP-based rate limiting on top (which exists via `EndpointLimiter.LoginRateLimit` — 5/15min per IP).
 ---
 ## 9. SQL Injection Search
 **Findings:**
 - **[GOOD] Parameterized queries throughout:** All `SELECT`, `INSERT`, `UPDATE`, `DELETE` use `$1`, `$2` placeholders (PostgreSQL style) or GORM's `?` placeholders.
 - **[MEDIUM] Dynamic ORDER BY with `fmt.Sprintf`** — Multiple locations:
  - `track_search_service.go:187`: `fmt.Sprintf("%s %s", sortBy, sortOrder)` — **mitigated** by the `switch` statement on lines 163-193 that whitelists `sortBy` values. `sortOrder` is constrained to "ASC"/"DESC" on line 153-156.
  - `playback_filter_service.go:211`: `fmt.Sprintf("%s %s", sortBy, sortOrder)` — **mitigated** by `validSortFields` whitelist map (lines 188-194) and `sortOrder` constrained to "asc"/"desc" (lines 206-208).
  - `user_service_search.go:165`: `fmt.Sprintf("%s %s", sortBy, strings.ToUpper(sortOrder))` — **needs verification** that `sortBy` is whitelisted before this line.
  - `core/track/service.go:611`: `fmt.Sprintf("%s %s", sortBy, sortOrder)` — **needs verification** of whitelist.
 - **[GOOD] Audit service uses parameterized queries:** `audit_service.go:522` uses `$N` placeholders correctly even though it builds queries dynamically.
 - **[GOOD] Admin search uses parameterized queries:** `admin/service.go:63` uses `$N` with `ILIKE`.
 - **[LOW] `testutils/db.go:158,257`: `fmt.Sprintf("DELETE FROM %s", table)`** — This uses string interpolation for table names, but it's in test utilities only, not production code.
 ---
 ## 10. Command Injection Search (`exec.Command`)
 **Findings:**
 - **[GOOD] Path validation before exec:** `track_export_service.go:66-71`, `backup_service.go:85`, `audio_transcode_service.go:99`, `hls_transcode_service.go:116` all call `utils.ValidateExecPath()` before executing commands.
 - **[GOOD] `ValidateExecPath` implementation** (`utils/sanitizer.go:29-43`): Rejects null bytes, `..`, and shell metacharacters (`|&;$``()<>\n\r`).
 - **[MEDIUM] `waveform_service.go:72,82,127`: No `ValidateExecPath` call:** `inputPath` is passed directly to `exec.CommandContext` for ffmpeg/audiowaveform without path validation. If `inputPath` comes from user-controlled data (e.g., track upload path), this could be exploitable. However, since `exec.CommandContext` doesn't use a shell, this limits the attack to path traversal rather than command injection.
 - **[MEDIUM] `upload_validator.go:139,519`: `clamdPath` passed to `exec.CommandContext`:** The ClamAV scanner path is used in commands. If `clamdPath` is configurable, it should be validated. Since it's likely set from server config, risk is low.
 - **[INFO] All exec calls use `exec.CommandContext`:** Context-based cancellation prevents runaway processes.
 ---
 ## 11. Hyperswitch Webhook Verification (`internal/services/hyperswitch/webhook.go`, `routes_webhooks.go`)
 **Findings:**
 - **[GOOD] HMAC-SHA512 verification:** Uses `crypto/hmac` with `sha512.New` and `hmac.Equal` for timing-safe comparison (webhook.go lines 20-24).
 - **[HIGH] Webhook verification is optional in non-production** (`routes_webhooks.go:65-73`): If `HyperswitchWebhookSecret` is empty, signature verification is **skipped entirely** with only a warn log. An attacker could forge payment webhooks if the secret isn't configured.
  In production, `ValidateRequiredEnvironmentVariables` (config.go:209-214) requires the secret when Hyperswitch is enabled — this mitigates the risk, but only if `HYPERSWITCH_ENABLED=true` is set.
 - **[INFO] Webhook endpoint is public** (routes_webhooks.go:38): No auth middleware — correct for payment provider webhooks, but means the signature is the only protection.
 ---
 ## 12. OAuth Service (`internal/services/oauth_service.go`)
 **Findings:**
 - **[GOOD] State token CSRF protection:** 32-byte random tokens stored in DB with 10-minute expiry (line 165). Single-use: deleted after validation (line 210).
 - **[HIGH] No PKCE implementation:** The OAuth flow uses standard Authorization Code flow without PKCE (`oauth2.AccessTypeOffline` only). For public clients, PKCE (Proof Key for Code Exchange) is recommended to prevent authorization code interception attacks.
 - **[HIGH] OAuth `generateJWT` bypasses main JWT service** (lines 585-593): As noted in section 4, this generates a JWT without issuer/audience/token_version. This JWT will fail `ValidateToken` in the auth middleware. **This appears to be a bug** — the OAuth callback should use `JWTService.GenerateAccessToken()` instead.
 - **[MEDIUM] OAuth tokens stored in plaintext** (line 567): `access_token` and `refresh_token` from providers are stored unencrypted in the `federated_identities` table. If the database is compromised, attacker gains access to all linked provider tokens.
 - **[LOW] No redirect URL validation:** OAuth state stores `redirect_url` but doesn't validate it against a whitelist. If an attacker can control the redirect URL in the state, they could redirect the user to a malicious site after OAuth.
 ---
 ## 13. Config Defaults (`internal/config/config.go`)
 **Findings:**
 - **[GOOD] JWT_SECRET required:** `getEnvRequired("JWT_SECRET")` — no default, fails hard if missing.
 - **[GOOD] DATABASE_URL required:** Same treatment.
 - **[GOOD] Minimum 32-char JWT secret enforced:** Both in config validation and JWTService constructor.
 - **[GOOD] Production-specific validation:** `ValidateForEnvironment()` blocks wildcards in CORS, DEBUG log level, missing RabbitMQ URL, disabled ClamAV.
 - **[GOOD] Bypass flags blocked in production:** `validateNoBypassFlagsInProduction` checks `BYPASS_CONTENT_CREATOR_ROLE`, `CSRF_DISABLED`, `DISABLE_RATE_LIMIT_FOR_TESTS`.
 - **[LOW] `ChatJWTSecret` falls back to main JWT secret** (line 293): `getEnv("CHAT_JWT_SECRET", jwtSecret)`. If not set separately, the chat server shares the same secret. This means a JWT crafted for chat could be used for the main API if claims match.
 - **[INFO] `HYPERSWITCH_WEBHOOK_SECRET` defaults to empty string** (line 363): Acceptable since Hyperswitch is opt-in, but as noted, this makes webhook verification optional.
 ---
 ## 14. Secret Exposure in Logs
 **Findings:**
 - **[GOOD] Secret masking in config logs:** `MaskConfigValue()` masks JWT_SECRET, DATABASE_URL, REDIS_URL, RABBITMQ_URL, SENTRY_DSN in `logConfigInitialized()`.
 - **[GOOD] Secret filter wrapper:** `logging.WrapLoggerWithSecretFilter(logger)` applied globally (config.go:505).
 - **[GOOD] No `fmt.Printf` in production code:** `FIX #5` comments indicate they were replaced with structured logging. The remaining `fmt.Printf` calls are in CLI tools (`cmd/backup`, `cmd/tools`) which don't run in production API.
 - **[LOW] `cmd/tools/create_test_user/main.go:100` logs password:** `log.Printf("   Password: %s", password)` — This is a dev tool, not production code, but could leak if logs are captured.
 ---
 ## 15. Auth Middleware Chain Order (Router)
 **From `internal/api/router.go` lines 186-232:**
 ```
 1. CORS
 2. MaintenanceGin (503 for maintenance mode)
 3. RequestLogger
 4. Metrics (Prometheus)
 5. SentryRecover
 6. SecurityHeaders
 7. CCPA
 8. AuditMiddleware (POST/PUT/DELETE)
 9. APIMonitoringMiddleware
 10. ErrorHandler
 11. Recovery
 12. RequestID
 13. Timeout
 14. RateLimiter (global)
 15. VersionMiddleware
 ```
 **Per-route auth** is applied via `r.config.AuthMiddleware.RequireAuth()` on route groups.
 **Findings:**
 - **[GOOD] CORS before everything:** Preflight OPTIONS handled early.
 - **[GOOD] Rate limiting before auth:** Prevents auth processing on rate-limited requests.
 - **[GOOD] Security headers on all responses:** Applied globally.
 - **[GOOD] Recovery middleware present:** Catches panics.
 ---
 ## 16. Token Blacklist (`internal/services/token_blacklist.go`)
 **Findings:**
 - **[GOOD] SHA-256 hashing:** Tokens stored as hashes, not plaintext (line 87-89).
 - **[GOOD] TTL-based expiration:** Redis keys expire automatically with the token's TTL.
 - **[MEDIUM] Blacklist not checked in auth middleware:** The `authenticate()` method in `auth.go` does **not** call `TokenBlacklist.IsBlacklisted()`. Token revocation relies solely on `TokenVersion` comparison (lines 191-201). The blacklist service exists but appears disconnected from the auth flow. If logout only increments TokenVersion, all prior tokens are revoked (good). But the blacklist provides more granular per-token revocation that isn't being utilized.
 ---
 ## 17. RBAC / Admin Route Protection (`internal/middleware/rbac_middleware.go`, `routes_core.go`)
 **Findings:**
 - **[GOOD] Admin routes double-protected:** `admin.Use(RequireAuth())` followed by `admin.Use(RequireAdmin())` (routes_core.go:402-403). `RequireAdmin` includes its own call to `authenticate()`, so it independently verifies authentication.
 - **[GOOD] RBAC is real permission check:** `HasRole` queries the database via `PermissionService`, not a simple JWT claim check.
 ---
 ## 18. pprof Endpoint Protection (`routes_core.go:460-464`)
 **Findings:**
 - **[GOOD] Disabled in production:** `r.config.Env != config.EnvProduction && r.config.Env != "prod"` guards the pprof endpoints.
 - **[GOOD] Behind admin auth:** pprof is registered under the `admin` group which requires `RequireAuth() + RequireAdmin()`.
 ---
 ## 19. File Upload Validation (`internal/handlers/upload.go`)
 **Findings:**
 - **[GOOD] ClamAV virus scanning:** Files are scanned before persistence (line 182).
 - **[GOOD] Fail-secure on ClamAV unavailable:** Returns 503, not a silent pass (lines 185-197).
 - **[GOOD] Concurrent upload limiting:** Semaphore-based backpressure with configurable limit (lines 119-143).
 - **[GOOD] File type validation:** `UploadValidator.ValidateFile()` checks type and size.
 - **[GOOD] Ownership verification:** `GetUploadStatus` verifies the requesting user owns the upload (lines 332-343).
 - **[INFO] Path traversal via `ValidatePathInBase` and `ValidateExecPath`:** Available in `utils/sanitizer.go` for use by services that handle file paths.
 ---
 ## Summary of Critical/High Findings
 | Severity | Finding | Location |
 |----------|---------|----------|
 | **CRITICAL** | `PasswordService.GenerateJWT` creates JWTs without issuer/audience/token_version — bypasses all security controls | `password_service.go:260-267` |
 | **HIGH** | `OAuthService.generateJWT` creates non-standard JWTs that fail auth middleware validation — likely a bug preventing OAuth login | `oauth_service.go:585-593` |
 | **HIGH** | No PKCE in OAuth flow — vulnerable to authorization code interception | `oauth_service.go:252` |
 | **HIGH** | Hyperswitch webhook signature verification skipped when secret is empty (non-production) | `routes_webhooks.go:65-73` |
 | **MEDIUM** | Token blacklist service exists but is not connected to auth middleware | `token_blacklist.go` / `auth.go` |
 | **MEDIUM** | OAuth provider tokens stored in plaintext in database | `oauth_service.go:567` |
 | **MEDIUM** | `waveform_service.go` doesn't validate paths before `exec.Command` | `waveform_service.go:72,82,127` |
 | **MEDIUM** | Dynamic ORDER BY with `fmt.Sprintf` in some services needs whitelist verification | `user_service_search.go:165`, `core/track/service.go:611` |
 | **MEDIUM** | Login/register routes excluded from global rate limiter (only endpoint-specific limits apply) | `ratelimit.go:49-50` |
--- a/full_veza_audit_data/cursor_explore_ci_cd_and_docker_infra.md
+++ b/full_veza_audit_data/cursor_explore_ci_cd_and_docker_infra.md
@ -0,0 +1,254 @@
 # Explore CI/CD and Docker infra
 _Exported on 2/26/2026 at 09:58:27 GMT+1 from Cursor (2.5.17)_
 ---
 **Cursor**
 Exploring the infrastructure setup. Locating and reading the specified files.
 Reading the critical infrastructure files in batches:
 Reading Docker Compose files and Dockerfiles:
 Reading Kubernetes manifests, Makefile, config files, and other infrastructure files:
 Reading key Makefile includes and additional config files:
 ## Infrastructure audit report
 ### 1. CI/CD workflows
 **Main workflows:**
 - `.github/workflows/ci.yml` - Main CI pipeline (Go, Rust, Frontend, Storybook, E2E)
 - `.github/workflows/cd.yml` - CD pipeline with Trivy scanning, SBOM generation, cosign signing
 - `.github/workflows/security-scan.yml` - Gitleaks secret scanning
 - `.github/workflows/sast.yml` - CodeQL SAST (Go, JavaScript/TypeScript)
 - `.github/workflows/container-scan.yml` - Trivy container scanning
 - `.github/workflows/frontend-ci.yml` - Frontend-specific CI
 - `.github/workflows/backend-ci.yml` - Backend CI with unit/integration tests
 - `.github/workflows/stream-ci.yml` - Stream server CI
 - `.github/workflows/rust-ci.yml` - Rust linting
 - `.github/workflows/storybook-audit.yml` - Storybook validation
 - `.github/workflows/load-test-nightly.yml` - Nightly load tests
 - `veza-backend-api/.github/workflows/test-coverage.yml` - Coverage reporting
 - `veza-backend-api/.github/workflows/vulnerability-scan.yml` - Go vulnerability scanning (govulncheck + Trivy)
 - `veza-stream-server/.github/workflows/production-deploy.yml` - Production deployment pipeline
 **Coverage:**
 - Lint: ESLint, Clippy, gofmt, go vet
 - Tests: Unit, integration, E2E (Playwright)
 - Security: Gitleaks, CodeQL, Trivy, govulncheck, cargo-audit, npm audit
 - Build: All services build in CI
 - Deployment: Staging/production with health checks
 ### 2. Docker Compose files
 **Files:**
 - `docker-compose.yml` - Development (default passwords OK for dev)
 - `docker-compose.prod.yml` - Production (blue-green, requires env vars)
 - `docker-compose.staging.yml` - Staging (requires env vars)
 - `docker-compose.test.yml` - Test environment (tmpfs for speed)
 **Secrets management:**
 - Development: Default passwords (`devpassword`, `minioadmin`) - acceptable for local dev
 - Production: Uses `${VAR:?VAR must be set}` - fails if not set
 - Staging: Uses `${STAGING_VAR:?STAGING_VAR must be set}` - fails if not set
 - No hardcoded production secrets found
 **Findings:**
 - Production compose uses environment variable validation
 - Blue-green deployment setup in production
 - Health checks configured for all services
 - Resource limits set appropriately
 ### 3. Dockerfiles
 **Backend API (`veza-backend-api/`):**
 - `Dockerfile` - Dev build (Go 1.23-alpine)
 - `Dockerfile.production` - Production (Go 1.24-alpine, multi-stage, optimized)
 **Frontend (`apps/web/`):**
 - `Dockerfile` - Dev build (Node 20-alpine)
 - `Dockerfile.production` - Production (Node 20-alpine → nginx:1.27-alpine, multi-stage)
 - `Dockerfile.dev` - Dev server with hot reload
 **Stream Server (`veza-stream-server/`):**
 - `Dockerfile` - Dev build (rust:alpine)
 - `Dockerfile.production` - Production (rust:1.84-alpine → alpine:3.21, multi-stage)
 **Security:**
 - All production Dockerfiles use non-root users (UID 1001, GID 1001)
 - Minimal base images (alpine)
 - Health checks configured
 - Multi-stage builds to reduce image size
 - Static binaries where possible (CGO_ENABLED=0 for Go, musl for Rust)
 - Stripped binaries in production
 **Issues:**
 - Backend production Dockerfile installs `clamav` (large dependency) - acceptable if required for virus scanning
 ### 4. Kubernetes manifests
 **Structure:**
 - `k8s/` - Main Kubernetes configs
 - `k8s/backend-api/deployment.yaml` - Backend deployment (non-root, security context)
 - `k8s/frontend/deployment.yaml` - Frontend deployment
 - `k8s/secrets/` - Secrets management (External Secrets Operator, Vault integration)
 - `k8s/environments/` - Environment-specific configs (production, staging, development)
 - `k8s/network-policies/` - Network policies (default-deny, component-specific allows)
 - `k8s/monitoring/` - Prometheus, Grafana, Loki, Promtail
 - `k8s/autoscaling/` - HPA and VPA configs
 - `k8s/backups/` - Backup CronJobs
 - `k8s/disaster-recovery/` - Runbooks
 **Security:**
 - Pods run as non-root (runAsNonRoot: true, runAsUser: 1001)
 - Network policies enforce default-deny
 - Secrets via External Secrets Operator (Vault/AWS/GCP)
 - Resource limits configured
 - Readiness/liveness probes configured
 - Security contexts set
 **Secrets:**
 - `k8s/secrets.yaml.example` - Template (not committed)
 - External Secrets Operator configured for Vault/AWS/GCP
 - Environment-specific secrets (dev/staging/production)
 - No hardcoded secrets in manifests
 ### 5. Makefile and config
 **Main Makefile:**
 - Modular structure (`make/*.mk`)
 - Includes: `config.mk`, `build.mk`, `infra.mk`, `dev.mk`, `test.mk`, `services.mk`, `tools.mk`, `help.mk`, `incus.mk`, `high.mk`
 **Key features:**
 - Service-specific targets (`dev-web`, `test-backend-api`, etc.)
 - Infrastructure management (`infra-up`, `infra-down`, `db-migrate`)
 - Build targets for all services
 - Port isolation (15xxx/16xxx ranges)
 ### 6. Environment files
 **`.env.example` files:**
 - Root `.env.example` - Port mappings, domain config
 - `apps/web/.env.example` - Frontend environment variables
 - `veza-stream-server/.env.example` - Stream server config
 **Findings:**
 - No secrets in example files
 - Clear documentation
 - Port isolation documented
 ### 7. Monitoring and alerting
 **Prometheus:**
 - `config/prometheus.yml` - Scrape configs for backend, stream server
 - `config/prometheus/alert_rules.yml` - Alert rules (ServiceDown, HighErrorRate, HighLatencyP99, RedisUnreachable)
 **Alertmanager:**
 - `config/alertmanager/alertmanager.yml` - Slack integration (webhook URL from env)
 **Grafana:**
 - `config/grafana/dashboards/` - Dashboards (api-overview, commerce-overview, chat-overview, system-overview)
 - `config/grafana/datasources/prometheus.yml` - Prometheus datasource config
 **Kubernetes monitoring:**
 - Prometheus deployment
 - Grafana deployment
 - Loki for logs
 - Promtail for log collection
 ### 8. Pre-commit hooks
 **Hooks:**
 - `.husky/pre-commit` - Root hook (generates types, typecheck, lint, tests)
 - `apps/web/.husky/pre-commit` - Frontend hook (runs tests)
 **Features:**
 - TypeScript type generation from OpenAPI
 - Type checking before commit
 - Linting before commit
 - Tests before commit (can skip with `SKIP_TESTS=1`)
 ### 9. Version management
 **VERSION file:**
 - Current version: `0.101.0`
 - Single source of truth for versioning
 ### 10. Security scanning configs
 **CI/CD security:**
 - Gitleaks for secret scanning
 - CodeQL SAST (Go, JavaScript/TypeScript)
 - Trivy for container scanning (CRITICAL/HIGH severity)
 - govulncheck for Go vulnerabilities
 - cargo-audit for Rust dependencies
 - npm audit for Node.js dependencies
 **Container scanning:**
 - Trivy scans all Docker images in CD pipeline
 - SBOM generation (CycloneDX format)
 - Cosign signing (optional, configurable)
 **No separate config files found:**
 - No `.trivyignore` or `.snyk` files (using GitHub Actions integrations)
 ### 11. Build reproducibility
 **Turbo.json:**
 - Monorepo build orchestration
 - Task dependencies configured
 - Output caching configured
 **Docker builds:**
 - Go: `-trimpath` flag for reproducible builds
 - Rust: `--locked` flag for reproducible builds
 - Node: `npm ci` for deterministic installs
 **Version pinning:**
 - Go version: 1.24 (production), 1.23 (some workflows)
 - Node version: 20
 - Rust: stable toolchain
 - Base images pinned (alpine:3.21, nginx:1.27-alpine)
 ### Summary of findings
 **Strengths:**
 1. Comprehensive CI/CD with security scanning
 2. Secrets properly managed (no hardcoded production secrets)
 3. Docker images use non-root users and minimal bases
 4. Kubernetes manifests follow security best practices
 5. Network policies enforce default-deny
 6. Monitoring and alerting configured
 7. Pre-commit hooks enforce quality
 8. Environment separation (dev/staging/production)
 **Areas for improvement:**
 1. Go version inconsistency (1.23 vs 1.24) - standardize
 2. ClamAV in backend image increases size - consider alternatives if not critical
 3. Some workflows use `@master` tags (e.g., Trivy) - pin to specific versions
 4. Load test workflow uses Go 1.23 while main CI uses 1.24 - align versions
 5. Frontend production Dockerfile removes source maps - consider keeping for debugging
 **Security assessment:**
 - Secrets: Properly managed via environment variables and External Secrets Operator
 - Docker images: Secure (non-root, minimal base, health checks)
 - CI/CD: Comprehensive (lint, test, security scan, build)
 - Environments: Properly separated with different configs
 - Build reproducibility: Good (version pinning, locked dependencies)
 **Overall assessment:** Infrastructure setup is solid with strong security practices. The main improvements would be version consistency and potentially optimizing the Docker image sizes.
--- a/full_veza_audit_data/cursor_explore_go_backend_structure.md
+++ b/full_veza_audit_data/cursor_explore_go_backend_structure.md
@ -0,0 +1,620 @@
 # Explore Go backend structure
 _Exported on 2/26/2026 at 09:57:42 GMT+1 from Cursor (2.5.17)_
 ---
 **Cursor**
 Exploring the Go backend. Starting with an overview, then proceeding through each task.
 Continuing exploration: reading the entry point and exploring handlers, services, models, and other key areas.
 Reading router setup, middleware, and config files, then scanning handlers, services, and models.
 Reading handler, service, model, and middleware files, plus config files:
 Reading handler files and remaining route files to map all routes:
 Reading the remaining route files, then compiling a summary:
 Gathering final details and compiling the report:
 ## Go Backend Exploration Report - veza-backend-api
 ### 1. go.mod - Dependencies and Go Version
 **Go Version**: 1.24.0
 **Key Dependencies**:
 - **Web Framework**: `gin-gonic/gin v1.11.0`
 - **Database**: `gorm.io/gorm v1.30.0`, `gorm.io/driver/postgres v1.6.0`, `lib/pq v1.10.9`
 - **Authentication**: `golang-jwt/jwt/v5 v5.3.0`
 - **Caching**: `redis/go-redis/v9 v9.16.0`
 - **Message Queue**: `rabbitmq/amqp091-go v1.10.0`
 - **Logging**: `uber.org/zap v1.27.0`
 - **Monitoring**: `prometheus/client_golang v1.22.0`
 - **Error Tracking**: `getsentry/sentry-go v0.40.0`
 - **Validation**: `go-playground/validator/v10 v10.27.0`
 - **Crypto**: `golang.org/x/crypto v0.47.0`
 - **AWS S3**: `aws/aws-sdk-go-v2` (multiple packages)
 - **WebSocket**: `coder/websocket v1.8.14`
 - **Testing**: `stretchr/testify v1.11.1`, `DATA-DOG/go-sqlmock v1.5.2`
 ### 2. Project Structure
 **Total Files**: 1111 files found recursively
 **Key Directories**:
 - `cmd/` - Entry points (api, tools, migrate_tool, backup, generate-config-docs)
 - `internal/` - Main application code
  - `handlers/` - HTTP handlers (107 files)
  - `services/` - Business logic (187 files)
  - `models/` - Data models (72 files)
  - `middleware/` - HTTP middleware (56 files)
  - `api/` - Route setup (19 files)
  - `config/` - Configuration (30 files)
  - `database/` - Database layer
  - `core/` - Core domain logic (auth, track, marketplace, analytics, social)
 - `migrations/` - SQL migration files (90 files)
 - `tests/` - Integration tests
 - `docs/` - Documentation
 ### 3. Entry Point
 **Main Entry**: `cmd/api/main.go`
 **Key Features**:
 - Environment detection and validation
 - Database initialization with retry logic
 - Redis initialization
 - RabbitMQ EventBus setup
 - Sentry error tracking
 - Job Worker startup
 - Transfer Retry Worker (v0.701)
 - Cloud Backup Worker (v0.802)
 - Gear Warranty Notifier (v0.802)
 - Graceful shutdown manager
 - HTTP server with timeouts (30s read/write)
 - Prometheus metrics collection
 ### 4. All Routes (from route files)
 **Public Routes**:
 - `GET /health`, `/healthz`, `/readyz`, `/health/deep`
 - `GET /metrics`, `/metrics/aggregated`, `/system/metrics`
 - `GET /api/v1/health`, `/api/v1/status`
 - `GET /api/v1/upload/limits`, `/api/v1/upload/validate-type`
 - `GET /api/v1/announcements/active`
 - `GET /swagger/*`, `/docs/*`
 - `GET /api/versions`
 - `GET /api/v1/search`, `/api/v1/search/suggestions`
 - `GET /api/v1/tracks`, `/api/v1/tracks/:id`, `/api/v1/tracks/:id/stats`
 - `GET /api/v1/users/:id`, `/api/v1/users/by-username/:username`
 - `GET /api/v1/marketplace/products`, `/api/v1/marketplace/products/:id`
 - `GET /api/v1/live/streams`, `/api/v1/live/streams/:id`
 - `GET /api/v1/users/:id/gear` (public gear profile)
 - `GET /api/v1/cloud/shared/:token`
 - `GET /api/v1/queue/session/:token`
 - `POST /api/v1/logs/frontend`
 - `POST /api/v1/webhooks/hyperswitch` (public webhook)
 **Auth Routes** (`/api/v1/auth`):
 - `POST /register` (rate limited)
 - `POST /login`, `/login/2fa` (rate limited)
 - `POST /refresh` (rate limited)
 - `POST /verify-email`, `/resend-verification` (rate limited)
 - `GET /check-username` (rate limited)
 - `POST /password/reset-request`, `/password/reset` (rate limited)
 - `GET /oauth/providers`, `/oauth/:provider`, `/oauth/:provider/callback`
 - `POST /logout` (protected)
 - `GET /me` (protected)
 - `POST /stream-token` (protected)
 - `POST /2fa/setup`, `/2fa/verify`, `/2fa/disable`, `GET /2fa/status` (protected)
 **Protected Routes** (require authentication):
 - **Sessions**: `POST /sessions/logout`, `/sessions/logout-all`, `/sessions/logout-others`, `GET /sessions`, `DELETE /sessions/:session_id`, `GET /sessions/stats`, `POST /sessions/refresh`
 - **Uploads**: `POST /uploads`, `/uploads/batch`, `GET /uploads/:id/status`, `/uploads/:id/progress`, `DELETE /uploads/:id`, `GET /uploads/stats`
 - **Tracks**: `GET /tracks/recommendations`, `POST /tracks`, `PUT /tracks/:id`, `DELETE /tracks/:id`, `POST /tracks/:id/like`, `DELETE /tracks/:id/like`, `POST /tracks/:id/share`, `POST /tracks/:id/play`, `POST /tracks/initiate`, `/tracks/chunk`, `/tracks/complete`, `GET /tracks/resume/:uploadId`, `POST /tracks/batch/delete`, `/tracks/batch/update`, `POST /tracks/:id/versions/:versionId/restore`
 - **Comments**: `GET /tracks/:id/comments`, `POST /tracks/:id/comments`, `DELETE /comments/:id`
 - **Users**: `GET /users`, `/users/search`, `PUT /users/:id`, `DELETE /users/:id`, `GET /users/settings`, `PUT /users/settings`, `GET /users/:id/completion`, `PUT /users/me/presence`, `GET /users/:id/presence`, `POST /users/:id/follow`, `DELETE /users/:id/follow`, `POST /users/:id/block`, `DELETE /users/:id/block`, `POST /users/:id/avatar`, `DELETE /users/:id/avatar`, `GET /users/:id/likes`, `GET /users/me/export`, `POST /users/me/export`, `DELETE /users/me`, `POST /users/me/privacy/opt-out`
 - **Playlists**: `GET /playlists`, `POST /playlists`, `GET /playlists/search`, `/playlists/recommendations`, `GET /playlists/:id`, `PUT /playlists/:id`, `DELETE /playlists/:id`, `POST /playlists/:id/tracks`, `DELETE /playlists/:id/tracks/:track_id`, `PUT /playlists/:id/tracks/reorder`, `POST /playlists/:id/collaborators`, `GET /playlists/:id/collaborators`, `PUT /playlists/:id/collaborators/:userId`, `DELETE /playlists/:id/collaborators/:userId`, `POST /playlists/:id/share`, `GET /playlists/:id/export/json`, `/playlists/:id/export/csv`, `POST /playlists/:id/duplicate`
 - **Cloud Storage**: `GET /cloud/folders`, `POST /cloud/folders`, `PUT /cloud/folders/:id`, `DELETE /cloud/folders/:id`, `GET /cloud/files`, `POST /cloud/files`, `GET /cloud/files/:id`, `DELETE /cloud/files/:id`, `GET /cloud/files/:id/stream`, `POST /cloud/files/:id/publish`, `GET /cloud/files/:id/versions`, `POST /cloud/files/:id/versions`, `POST /cloud/files/:id/restore/:version`, `POST /cloud/files/:id/share`, `GET /cloud/quota`
 - **Marketplace**: `POST /marketplace/products` (content creator), `PUT /marketplace/products/:id`, `PUT /marketplace/products/:id/images`, `GET /marketplace/orders`, `GET /marketplace/orders/:id`, `GET /marketplace/orders/:id/invoice`, `POST /marketplace/orders/:id/refund`, `POST /marketplace/orders`, `GET /marketplace/download/:product_id`, `GET /marketplace/licenses/mine`, `POST /marketplace/products/:id/reviews`, `GET /marketplace/wishlist`, `POST /marketplace/wishlist`, `DELETE /marketplace/wishlist/:productId`
 - **Sell**: `GET /sell/stats`, `/sell/stats/evolution`, `/sell/stats/top-products`, `/sell/sales`, `POST /sell/connect/onboard`, `GET /sell/connect/callback`, `GET /sell/balance`, `GET /sell/transfers`
 - **Commerce**: `GET /commerce/cart`, `GET /commerce/promo/:code`, `POST /commerce/cart/items`, `DELETE /commerce/cart/items/:id`, `POST /commerce/cart/checkout`
 - **Webhooks**: `POST /webhooks`, `GET /webhooks`, `DELETE /webhooks/:id`, `GET /webhooks/stats`, `POST /webhooks/:id/test`, `POST /webhooks/:id/regenerate-key`
 - **Analytics**: `GET /analytics/creator/stats`, `/analytics/creator/charts`, `/analytics/creator/export`, `GET /analytics`, `POST /analytics/events`, `GET /analytics/tracks/:id`, `/analytics/traffic-sources`, `/analytics/device-breakdown`
 - **Social**: `GET /social/feed`, `POST /social/posts`, `POST /social/like`, `POST /social/comments`, `GET /social/groups`, `GET /social/groups/mine`, `GET /social/groups/:id`, `POST /social/groups`, `/social/groups/:id/join`, `/social/groups/:id/leave`, `/social/groups/:id/request`, `/social/groups/:id/requests`, `/social/groups/:id/requests/:request_id/approve`, `/social/groups/:id/requests/:request_id/reject`, `/social/groups/:id/invite`, `PUT /social/groups/:id/members/:user_id/role`
 - **Queue**: `GET /queue`, `PUT /queue`, `POST /queue/items`, `DELETE /queue/items/:id`, `DELETE /queue`, `POST /queue/session`, `DELETE /queue/session/:token`, `POST /queue/session/:token/items`, `DELETE /queue/session/:token/items/:id`
 - **Live Streams**: `GET /live/streams/me`, `/live/streams/me/key`, `POST /live/streams/me/key/regenerate`, `POST /live/streams`, `PUT /live/streams/:id`
 - **Gear/Inventory**: `GET /inventory/gear`, `POST /inventory/gear`, `GET /inventory/gear/:id`, `PUT /inventory/gear/:id`, `DELETE /inventory/gear/:id`, `POST /inventory/gear/:id/images`, `DELETE /inventory/gear/:id/images/:img_id`, `POST /inventory/gear/:id/documents`, `GET /inventory/gear/:id/documents`, `DELETE /inventory/gear/:id/documents/:docId`, `POST /inventory/gear/:id/repairs`, `GET /inventory/gear/:id/repairs`, `DELETE /inventory/gear/:id/repairs/:repairId`
 - **Tags**: `GET /tags/suggest`
 - **Roles**: `GET /roles`, `/roles/:id`, `POST /roles`, `PUT /roles/:id`, `DELETE /roles/:id`
 - **Chat**: `POST /chat/token`, `GET /chat/stats`
 - **WebSocket**: `GET /ws` (chat WebSocket)
 - **Notifications**: `GET /notifications`, `/notifications/unread-count`, `/notifications/preferences`, `PUT /notifications/preferences`, `POST /notifications/push/subscribe`, `POST /notifications/:id/read`, `/notifications/read-all`, `DELETE /notifications/:id`, `/notifications`
 - **Reports**: `POST /reports`
 - **Audit**: `GET /audit/logs`, `/audit/stats`, `/audit/activity`, `/audit/suspicious`, `/audit/ip/:ip`, `/audit/logs/:id`, `POST /audit/cleanup`
 - **Dashboard**: `GET /dashboard`
 - **Conversations**: `GET /conversations`, `POST /conversations`, `GET /conversations/:id`, `PUT /conversations/:id`, `DELETE /conversations/:id`, `POST /conversations/:id/members`, `/conversations/:id/participants`, `DELETE /conversations/:id/participants/:userId`, `GET /conversations/:id/history`
 - **Developer Portal**: `GET /developer/api-keys`, `POST /developer/api-keys`, `DELETE /developer/api-keys/:id`
 - **CSRF**: `GET /csrf-token`
 **Admin Routes** (`/api/v1/admin`):
 - `GET /admin/audit/logs`, `/admin/audit/stats`, `/admin/audit/suspicious`
 - `GET /admin/reports`, `POST /admin/reports/:id/resolve`
 - `PUT /admin/maintenance`, `GET /admin/maintenance`
 - `GET /admin/announcements`, `POST /admin/announcements`, `DELETE /admin/announcements/:id`
 - `GET /admin/feature-flags`, `PUT /admin/feature-flags/:name`
 - `GET /admin/transfers`, `POST /admin/transfers/:id/retry`
 - `POST /admin/auth/unlock-account`
 - `ANY /admin/debug/pprof/*path` (non-production only)
 **Internal Routes** (`/internal` and `/api/v1/internal`):
 - `POST /internal/tracks/:id/stream-ready` (deprecated)
 - `POST /internal/stream-events` (deprecated)
 - `POST /api/v1/internal/tracks/:id/stream-ready`
 - `POST /api/v1/internal/stream-events`
 ### 5. Handler Files (107 files)
 **Key Handlers**:
 - `auth.go`, `auth_handler_test.go` - Authentication
 - `session.go`, `session_test.go` - Session management
 - `password_reset_handler.go` - Password reset
 - `two_factor_handler.go` - 2FA
 - `profile_handler.go` - User profiles
 - `track_handler.go` (in core/track) - Track management
 - `playlist_handler.go` - Playlist management
 - `cloud_handler.go` - Cloud storage
 - `marketplace.go`, `marketplace_handler.go` - Marketplace
 - `webhook_handlers.go` - Webhooks
 - `notification_handlers.go` - Notifications
 - `chat_handler.go`, `chat_websocket_handler.go` - Chat
 - `gear_handler.go` - Gear/inventory
 - `live_stream_handler.go` - Live streaming
 - `queue_handler.go`, `queue_session_handler.go` - Playback queue
 - `analytics` (in core/analytics) - Analytics
 - `social.go`, `social_group_handler.go` - Social features
 - `role_handler.go` - Role management
 - `api_key_handler.go` - Developer API keys
 - `audit.go` - Audit logging
 - `report_handler.go` - Content reports
 - `announcement_handler.go` - Announcements
 - `feature_flag_handler.go` - Feature flags
 - `admin_transfer_handler.go` - Admin transfer management
 ### 6. Service Files (187 files)
 **Key Services**:
 - `jwt_service.go` - JWT token generation/validation
 - `password_service.go` - Password hashing/validation
 - `session_service.go` - Session management
 - `refresh_token_service.go` - Refresh token handling
 - `email_service.go` - Email sending
 - `email_verification_service.go` - Email verification
 - `password_reset_service.go` - Password reset
 - `totp_service.go` - TOTP for 2FA
 - `user_service.go`, `user_service_search.go` - User management
 - `track_service.go` (in core/track) - Track business logic
 - `track_upload_service.go` - Track upload handling
 - `track_search_service.go` - Track search
 - `track_validation_service.go` - Track validation
 - `playlist_service.go` - Playlist management
 - `cloud_service.go` - Cloud storage
 - `s3_storage_service.go` - S3 integration
 - `cloud_backup.go` - Cloud backup worker
 - `marketplace` (in core/marketplace) - Marketplace logic
 - `stripe_connect_service.go` - Stripe Connect integration
 - `webhook_service.go` - Webhook delivery
 - `notification_service.go` - Notifications
 - `push_service.go` - Web push notifications
 - `chat_service.go` - Chat functionality
 - `gear_service.go` - Gear management
 - `gear_document_service.go` - Gear documents
 - `gear_warranty_notifier.go` - Warranty notifications
 - `live_stream_service.go` - Live streaming
 - `queue_service.go`, `queue_session_service.go` - Queue management
 - `analytics_service.go` - Analytics
 - `playback_analytics_service.go` - Playback tracking
 - `social_service.go` - Social features
 - `role_service.go` - Role management
 - `permission_service.go` - Permission checking
 - `api_key_service.go` - API key management
 - `audit_service.go` - Audit logging
 - `report_service.go` - Content reports
 - `announcement_service.go` - Announcements
 - `feature_flag_service.go` - Feature flags
 - `oauth_service.go` - OAuth integration
 - `account_lockout_service.go` - Account lockout
 - `cache_service.go` - Caching
 - `image_service.go` - Image processing
 - `audio_transcode_service.go` - Audio transcoding
 - `hls_streaming_service_enhanced.go` - HLS streaming
 - `waveform_service.go` - Waveform generation
 - `tag_suggest_service.go` - Tag suggestions
 - `search_service.go` - Unified search
 - `monitoring_alerting_service.go` - Monitoring
 ### 7. Model Files (72 files)
 **Key Models**:
 - `user.go` - User model (UUID primary key)
 - `track.go` - Track model
 - `playlist.go` - Playlist model
 - `session.go` - Session model
 - `refresh_token.go` - Refresh token
 - `api_key.go` - API key model
 - `role.go` - Role model
 - `notification.go` - Notification model
 - `message.go`, `chat_message.go` - Chat messages
 - `room.go` - Chat rooms
 - `gear.go` - Gear/inventory items
 - `gear_document.go`, `gear_image.go`, `gear_repair.go` - Gear related
 - `hardware.go` - Hardware model
 - `live_stream.go` - Live stream model
 - `queue.go`, `queue_session.go` - Queue models
 - `playback_analytics.go` - Playback analytics
 - `track_history.go` - Track play history
 - `track_like.go`, `track_share.go` - Track interactions
 - `track_comment.go` - Track comments
 - `track_version.go` - Track versions
 - `playlist_collaborator.go`, `playlist_share_link.go`, `playlist_follow.go` - Playlist relations
 - `user_file.go`, `user_folder.go` - Cloud storage
 - `cloud_file_version.go` - File versioning
 - `cloud_file_share.go` - File sharing
 - `storage_quota.go` - Storage quotas
 - `mfa_config.go` - MFA configuration
 - `recovery_code.go` - Recovery codes
 - `webhook.go` - Webhook model
 - `announcement.go` - Announcements
 - `feature_flag.go` - Feature flags
 - `report.go` - Content reports
 - `custom_claims.go` - JWT custom claims
 - `federated_identity.go` - OAuth identities
 - `seller_stripe_account.go` - Stripe Connect accounts
 - `royalty.go` - Royalties
 - `read_receipt.go`, `delivered_status.go`, `message_reaction.go` - Chat features
 - `user_presence.go` - User presence
 - `user_settings.go` - User settings
 - `bitrate_adaptation.go` - Bitrate adaptation
 - `hls_stream.go`, `hls_transcode_queue.go` - HLS streaming
 ### 8. Migration Files (90 files)
 **Migration Range**: `001_extensions_and_types.sql` to `122_gear_repairs.sql`
 **Key Migrations**:
 - `010_auth_and_users.sql` - Auth and users tables
 - `020_create_sessions.sql` - Sessions
 - `021_rbac_and_profiles.sql` - RBAC
 - `030_files_management.sql` - File management
 - `040_streaming_core.sql` - Streaming infrastructure
 - `041_streaming_analytics.sql` - Analytics
 - `042_media_processing.sql` - Media processing
 - `043_analytics_events.sql` - Analytics events
 - `044_playlist_share_links.sql` - Playlist sharing
 - `045_user_follows.sql` - User follows
 - `046_user_blocks.sql` - User blocking
 - `047_notifications.sql` - Notifications
 - `048_search_indexes.sql` - Search indexes
 - `049_composite_indexes.sql` - Composite indexes
 - `050_data_validation_constraints.sql` - Validation
 - `051_legacy_chat.sql` - Chat tables
 - `052_stats_views.sql` - Statistics views
 - `053_audit_triggers.sql` - Audit triggers
 - `060_job_queue.sql` - Job queue
 - `069_groups_and_members.sql` - Social groups
 - `070_create_social_tables.sql` - Social features
 - `075_create_webhooks.sql` - Webhooks
 - `076_create_gear_items.sql` - Gear/inventory
 - `077_create_live_streams.sql` - Live streaming
 - `081_create_playback_analytics.sql` - Playback analytics
 - `082_create_api_keys.sql` - API keys
 - `084_add_track_lyrics.sql` - Track lyrics
 - `085_add_pg_trgm.sql` - PostgreSQL trigram extension
 - `087_queue_sessions.sql` - Queue sessions
 - `088_user_presence.sql` - User presence
 - `089_group_join_requests.sql` - Group join requests
 - `090_push_subscriptions.sql` - Push subscriptions
 - `105_user_files.sql` - User files (cloud storage)
 - `106_user_storage_quotas.sql` - Storage quotas
 - `107_gear_is_public.sql` - Public gear profiles
 - `108_gear_images.sql` - Gear images
 - `109_read_receipts.sql` - Read receipts
 - `110_delivered_status.sql` - Delivered status
 - `111_message_reactions.sql` - Message reactions
 - `112_messages_extra_columns.sql` - Message columns
 - `113_messages_fts.sql` - Full-text search for messages
 - `114_seller_stripe_accounts.sql` - Stripe Connect
 - `115_seller_transfers.sql` - Seller transfers
 - `116_seller_transfers_retry.sql` - Transfer retry
 - `117_live_streams_go_live.sql` - Go live feature
 - `118_user_preferences.sql` - User preferences
 - `119_cloud_file_versions.sql` - File versioning
 - `120_gear_warranty.sql` - Gear warranty
 - `121_gear_documents.sql` - Gear documents
 - `122_gear_repairs.sql` - Gear repairs
 - `900_triggers_and_functions.sql` - Database triggers/functions
 - `910_create_audit_logs.sql` - Audit logs
 - `920_add_performance_indexes.sql` - Performance indexes
 - `930_add_missing_foreign_keys.sql` - Foreign keys
 - `931_add_refresh_tokens_updated_at.sql` - Refresh token updates
 - `932_add_user_deletion_fields.sql` - User deletion
 - `933_reports.sql` - Reports
 - `934_announcements.sql` - Announcements
 - `935_feature_flags.sql` - Feature flags
 ### 9. Middleware Files (56 files)
 **Key Middleware**:
 - `auth.go` - Authentication middleware (JWT, API keys, session validation)
 - `cors.go` - CORS handling
 - `csrf.go` - CSRF protection (Redis-based)
 - `ratelimit.go`, `ratelimit_redis.go` - Rate limiting
 - `user_rate_limiter.go` - Per-user rate limiting
 - `endpoint_limiter.go` - Endpoint-specific rate limits
 - `security_headers.go` - Security headers (HSTS, CSP, X-Frame-Options, etc.)
 - `error_handler.go` - Error handling
 - `recovery.go` - Panic recovery
 - `request_logger.go` - Request logging
 - `metrics.go` - Prometheus metrics
 - `timeout.go` - Request timeout
 - `validation.go` - Input validation
 - `rbac_middleware.go` - RBAC authorization
 - `playlist_permission.go` - Playlist permissions
 - `audit.go` - Audit logging middleware
 - `request_id.go` - Request ID generation
 - `tracing.go` - Distributed tracing
 - `monitoring.go` - Monitoring middleware
 - `maintenance.go` - Maintenance mode
 - `ccpa.go` - CCPA compliance
 - `versioning.go` - API versioning
 - `context_propagation.go` - Context propagation
 - `stream_callback_auth.go` - Stream callback authentication
 - `webhook_api_key.go` - Webhook API key auth
 - `upload_rate_limit.go` - Upload rate limiting
 ### 10. Router Setup
 **Main Router File**: `internal/api/router.go`
 **Route Setup Functions**:
 - `Setup()` - Main setup function
 - `setupCorePublicRoutes()` - Health, metrics, status
 - `setupCoreProtectedRoutes()` - Sessions, uploads, audit, admin
 - `setupAuthRoutes()` - Authentication routes
 - `setupUserRoutes()` - User management
 - `setupTrackRoutes()` - Track management
 - `setupPlaylistRoutes()` - Playlist management
 - `setupCloudRoutes()` - Cloud storage
 - `setupMarketplaceRoutes()` - Marketplace
 - `setupWebhookRoutes()` - Webhooks
 - `setupAnalyticsRoutes()` - Analytics
 - `setupSocialRoutes()` - Social features
 - `setupQueueRoutes()` - Playback queue
 - `setupLiveRoutes()` - Live streaming
 - `setupGearRoutes()` - Gear/inventory
 - `setupTagRoutes()` - Tag suggestions
 - `setupSearchRoutes()` - Unified search
 - `setupRoleRoutes()` - Role management
 - `setupChatRoutes()` - Chat
 - `setupChatWebSocket()` - Chat WebSocket
 - `setupDeveloperRoutes()` - Developer portal
 - `setupInternalRoutes()` - Internal callbacks
 - `setupValidateRoutes()` - Validation endpoint
 **Middleware Order**:
 1. CORS (first)
 2. Maintenance mode
 3. Request logger
 4. Metrics
 5. Sentry recovery
 6. Security headers
 7. CCPA
 8. Audit middleware
 9. API monitoring
 10. Error handler
 11. Recovery
 12. Request ID
 13. Timeout
 14. Rate limiting
 15. Version middleware
 16. Auth middleware (on protected routes)
 17. CSRF (on protected routes)
 ### 11. Test Files
 **Test File Count**: ~292 test files found (based on grep results)
 **Test Coverage Areas**:
 - Handler tests (107 handler files, many have tests)
 - Service tests (187 service files, many have tests)
 - Middleware tests (56 middleware files, many have tests)
 - Model tests (72 model files, some have tests)
 - Integration tests (`tests/` directory)
 - Security tests (`tests/security/`)
 - Contract tests (`tests/contract/`)
 - Load tests (`tests/load/`)
 ### 12. Security-Related Code
 **Password Hashing**:
 - **File**: `internal/services/password_service.go`
 - **Method**: bcrypt with cost 12
 - **Functions**: `Hash()`, `Compare()`, `ChangePassword()`, `UpdatePassword()`
 - **Validation**: Uses `PasswordValidator` for strength checks
 **JWT Handling**:
 - **File**: `internal/services/jwt_service.go`
 - **Algorithm**: HS256
 - **Secret Validation**: Minimum 32 characters
 - **Token Types**: Access token (5 min TTL), Refresh token (14 days), Remember-me refresh (30 days)
 - **Claims Validation**: Issuer, Audience, Expiration, TokenVersion (for revocation)
 - **Stream Tokens**: Short-lived tokens for HLS/WebSocket (5 min)
 **Input Validation**:
 - **Password**: `internal/validators/password_validator.go`
 - **Email**: `internal/validators/email_validator.go`
 - **URL**: `internal/validators/url_validator.go`
 - **General**: `internal/middleware/validation.go`
 - **Config**: `internal/config/validator.go`
 **CSRF Protection**:
 - **File**: `internal/middleware/csrf.go`
 - **Storage**: Redis
 - **TTL**: 1 hour
 - **Bypass**: Only in dev/test with explicit flag
 - **Skip**: GET/HEAD/OPTIONS, API key auth
 **Rate Limiting**:
 - **Simple**: `internal/middleware/ratelimit.go` (in-memory)
 - **Redis**: `internal/middleware/ratelimit_redis.go`
 - **Per-user**: `internal/middleware/user_rate_limiter.go`
 - **Per-endpoint**: `internal/middleware/endpoint_limiter.go`
 - **Upload**: `internal/middleware/upload_rate_limit.go`
 **Account Lockout**:
 - **File**: `internal/services/account_lockout_service.go`
 - **Config**: Max 5 attempts, 30 min lockout, 15 min window
 - **Exempt Emails**: Configurable list
 **Security Headers**:
 - **File**: `internal/middleware/security_headers.go`
 - **Headers**: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy, Cross-Origin policies
 **Secret Management**:
 - **File**: `internal/config/secrets.go`
 - **Masking**: Secrets masked in logs
 - **Provider**: `SecretsProvider` interface
 **Token Blacklist**:
 - **File**: `internal/services/token_blacklist.go`
 - **Storage**: Redis
 - **Purpose**: Immediate token revocation
 ### 13. Configuration Loading
 **Main Config File**: `internal/config/config.go`
 **Key Functions**:
 - `NewConfig()` - Main config initialization
 - `LoadEnvFiles()` - Load .env files
 - `DetectEnvironment()` - Auto-detect environment
 - `ValidateRequiredEnvironmentVariables()` - Pre-startup validation
 - `ValidateForEnvironment()` - Environment-specific validation
 - `Validate()` - General validation
 **Config Sources**:
 - Environment variables (primary)
 - `.env.{env}` files (e.g., `.env.production`)
 - `.env` file (fallback)
 - Defaults (for non-critical values)
 **Required Variables** (production):
 - `JWT_SECRET` (min 32 chars)
 - `DATABASE_URL`
 - `CORS_ALLOWED_ORIGINS` (production)
 - `RABBITMQ_URL` (if RabbitMQ enabled)
 **Config Sections**:
 - Database (PostgreSQL)
 - Redis
 - RabbitMQ
 - S3 Storage
 - JWT (secret, issuer, audience)
 - CORS origins
 - Rate limiting
 - Logging (level, aggregation, file rotation)
 - Sentry
 - SMTP
 - Stripe Connect
 - Hyperswitch
 - HLS Streaming
 - Cookie security
 - Feature flags
 ### 14. TODO/FIXME/HACK Comments
 **Count**: ~15 occurrences found in Go source files (excluding test files and documentation)
 **Key TODOs**:
 - `internal/handlers/dashboard.go:338` - "TODO: Calculate change percentages"
 - `internal/logging/logger.go:186` - "TODO: Implémenter avec AtomicLevel"
 - `internal/database/database.go:580,586,593` - "TODO: Implémenter avec vraie DB" (3 occurrences)
 - `internal/config/middlewares_init.go:85` - "TODO: Améliorer la configuration CORS"
 - `internal/api/handlers/chat_handlers.go:4` - "TODO: Réactiver chat_handlers après stabilisation"
 - `tests/api_routes_integration_test.go:228` - "TODO: Fix router configuration"
 **Note**: Many TODOs are in documentation/audit files, not actual code.
 ### 15. Hardcoded Secrets Search
 **Search Results**: Found references to "password", "secret", "key" in:
 - **Config files**: All secrets loaded from environment variables
 - **Test files**: Test secrets (e.g., `test-jwt-secret-key-minimum-32-characters-long`)
 - **Model fields**: Field names like `PasswordHash`, `HashedKey`, `Secret` (stored values, not hardcoded)
 - **Service files**: Secret handling code (reading from config, not hardcoded)
 - **Documentation**: References in docs/swagger
 **No Hardcoded Secrets Found**: All secrets are loaded from environment variables or config. Test files use test values which is acceptable.
 ### 16. Dockerfile
 **Files**:
 - `Dockerfile` - Development Dockerfile
 - `Dockerfile.production` - Production Dockerfile
 **Dockerfile (Development)**:
 - **Base**: `golang:1.23-alpine`
 - **Build**: Static binary with `CGO_ENABLED=0`
 - **Runtime**: `alpine:latest`
 - **Dependencies**: `ca-certificates`, `tzdata`, `wget`, `clamav`
 - **User**: Non-root user (app:app, UID 1001)
 - **Port**: 8080
 - **Health Check**: `/api/v1/health`
 - **Includes**: Binary, docs, migrations
 **Dockerfile.production**:
 - **Base**: `golang:1.24-alpine`
 - **Build**: Optimized with `-trimpath`, static linking
 - **Runtime**: `alpine:3.21`
 - **Dependencies**: Same as dev
 - **User**: Non-root user
 - **Port**: 8080
 - **Health Check**: `/api/v1/health`
 - **Optimizations**: Smaller image, cleaned apk cache
 ---
 ## Summary Statistics
 - **Go Version**: 1.24.0
 - **Total Files**: 1111
 - **Handler Files**: 107
 - **Service Files**: 187
 - **Model Files**: 72
 - **Middleware Files**: 56
 - **Route Files**: 19
 - **Migration Files**: 90
 - **Test Files**: ~292
 - **TODO Comments**: ~15 in source code
 - **Hardcoded Secrets**: None found (all from env/config)
 The backend is a REST API with authentication, authorization, file uploads, streaming, marketplace, social features, and analytics. It uses PostgreSQL, Redis, RabbitMQ, and S3, with security measures including CSRF, rate limiting, JWT, and security headers.
--- a/full_veza_audit_data/cursor_explore_monorepo_root_structure.md
+++ b/full_veza_audit_data/cursor_explore_monorepo_root_structure.md
@ -0,0 +1,400 @@
 # Explore monorepo root structure
 _Exported on 2/26/2026 at 09:57:18 GMT+1 from Cursor (2.5.17)_
 ---
 **Cursor**
 Exploring the monorepo. Gathering top-level structure, key configs, and documentation in parallel.
 Reading key files and exploring the structure:
 Continuing exploration: reading more key files and exploring the directory structure:
 Reading key documentation and exploring directory structures:
 Compiling directory structure and file counts. Gathering remaining details:
 Reading the VERSION file and compiling the final report:
 # COMPREHENSIVE MONOREPO CARTOGRAPHY - VEZA
 ## 1. TOP-LEVEL DIRECTORY STRUCTURE
 **Root Path:** `/home/senke/git/talas/veza`
 ### Top-Level Directories:
 - `apps/` - Frontend applications (React/Vite)
 - `packages/` - Shared npm packages
 - `veza-backend-api/` - Go backend API service
 - `veza-stream-server/` - Rust streaming server
 - `veza-common/` - Shared Rust library
 - `veza-docs/` - Docusaurus documentation site
 - `config/` - Configuration files (Docker, Incus, scripts)
 - `docker/` - Docker certificates/config
 - `docs/` - Project documentation
 - `k8s/` - Kubernetes manifests
 - `make/` - Makefile modules
 - `scripts/` - Utility scripts
 - `tests/` - Test files
 - `migrations/` - Database migrations
 - `fixtures/` - Test fixtures package
 - `tools/` - Development tools
 - `dev-environment/` - Dev environment configs
 - `infra/` - Infrastructure configs
 - `tmt/` - Test management tool configs
 - `loadtests/` - Load testing scripts
 - `proto/` - Protocol buffer definitions
 - `sub_task_agents/` - Agent-related documentation
 ### Top-Level Files:
 - `package.json` - Root workspace config
 - `turbo.json` - Turbo build config
 - `Makefile` - Main Makefile (includes modules)
 - `docker-compose.yml` - Main dev compose
 - `docker-compose.prod.yml` - Production compose
 - `docker-compose.staging.yml` - Staging compose
 - `docker-compose.test.yml` - Test compose
 - `.env.example` - Environment template
 - `.gitignore` - Git ignore rules
 - `CHANGELOG.md` - Version history
 - `README.md` - Project overview
 - `VERSION` - Current version (0.101.0)
 - `LICENSE` - License file
 ---
 ## 2. KEY CONFIGURATION FILES
 ### Package Management:
 - **Root `package.json`**: npm workspaces, Turbo 2.3.0, TypeScript 5.9.3
 - **Workspaces**: `apps/web`, `packages/*`, `veza-backend-api`, `veza-stream-server`
 - **Frontend `apps/web/package.json`**: React 18.2.0, Vite 7.1.5, TypeScript 5.9.3
 - **Backend `veza-backend-api/go.mod`**: Go 1.24.0, Gin, GORM, PostgreSQL driver
 - **Stream Server `veza-stream-server/Cargo.toml`**: Rust 2021 edition, Axum 0.8, Tokio 1.35
 - **Common `veza-common/Cargo.toml`**: Shared Rust library
 ### Build Tools:
 - **`turbo.json`**: Task dependencies, outputs, global dependencies
 - **No `nx.json`**, **No `lerna.json`**, **No `pnpm-workspace.yaml`** (uses npm workspaces)
 ### Docker:
 - **7 docker-compose files**: main, prod, staging, test, plus service-specific
 - **Multiple Dockerfiles**: Backend (dev + production), Frontend (dev + production), Stream Server (dev + production)
 ### CI/CD:
 - **14 GitHub Actions workflows**:
  - `.github/workflows/ci.yml` - Main CI pipeline
  - `.github/workflows/cd.yml` - Deployment pipeline
  - `.github/workflows/frontend-ci.yml` - Frontend-specific CI
  - `.github/workflows/backend-ci.yml` - Backend-specific CI
  - `.github/workflows/rust-ci.yml` - Rust services CI
  - `.github/workflows/stream-ci.yml` - Stream server CI
  - `.github/workflows/container-scan.yml` - Security scanning
  - `.github/workflows/sast.yml` - SAST scanning
  - `.github/workflows/security-scan.yml` - Security checks
  - `.github/workflows/storybook-audit.yml` - Storybook validation
  - `.github/workflows/load-test-nightly.yml` - Load testing
  - Plus service-specific workflows
 ### Makefiles:
 - **Root `Makefile`**: Orchestrates modules
 - **`make/config.mk`**: Configuration (ports, services, paths)
 - **`make/ui.mk`**: UI/colors
 - **`make/help.mk`**: Help system
 - **`make/tools.mk`**: Tool checks
 - **`make/infra.mk`**: Infrastructure commands
 - **`make/dev.mk`**: Development commands
 - **`make/build.mk`**: Build commands
 - **`make/test.mk`**: Test commands
 - **`make/services.mk`**: Service management
 - **`make/high.mk`**: High-level commands
 - **`make/incus.mk`**: Incus/LXD commands
 - **Service Makefiles**: `veza-backend-api/Makefile`, `veza-stream-server/Makefile`, `veza-docs/Makefile`
 ---
 ## 3. VERSION & STATUS FILES
 ### Version Information:
 - **`VERSION`**: `0.101.0` (file version)
 - **`CHANGELOG.md`**: Complete history from v0.803 back to unreleased
 - **Latest Release**: v0.803 (2026-02-25) - Security, Compliance, Moderation, Maintenance, Announcements, Feature flags
 ### Status Documents:
 - **`docs/FEATURE_STATUS.md`**: Feature status by domain
 - **`docs/PROJECT_STATE.md`**: Current project state (v0.803, Phase 8)
 - **`docs/CHANGELOG.md`**: Version history
 - **`apps/web/docs/FEATURE_STATUS.md`**: Frontend-specific status
 ---
 ## 4. ENVIRONMENT CONFIGURATION
 ### `.env.example` Files:
 1. **Root `.env.example`**: Port mappings (15xxx/16xxx), domain config, Docker ports
 2. **`apps/web/.env.example`**: Frontend env vars (VITE_*), API URLs, feature flags
 3. **`veza-stream-server/.env.example`**: Stream server config (SECRET_KEY, DATABASE_URL, CORS)
 ### Key Environment Variables:
 - **Domain**: `APP_DOMAIN=veza.fr`
 - **Ports**: PostgreSQL 15432, Redis 16379, RabbitMQ 15672, Backend 18080
 - **Database**: PostgreSQL 16-alpine
 - **Cache**: Redis 7-alpine
 - **Message Queue**: RabbitMQ 3-management-alpine
 - **Storage**: MinIO (S3-compatible)
 ---
 ## 5. ARCHITECTURE DOCUMENTATION
 ### Main Architecture Docs:
 - **`veza-backend-api/docs/ARCHITECTURE.md`**: Backend architecture (layered, domains, patterns)
 - **`docs/PROJECT_STATE.md`**: Project status and roadmap
 - **`docs/FEATURE_STATUS.md`**: Feature completion status
 - **`docs/MONOREPO_ORCHESTRATION.md`**: Monorepo structure
 - **`docs/ONBOARDING.md`**: Developer onboarding
 - **`docs/README.md`**: Documentation index
 ### Architecture Diagrams:
 - **`veza-docs/docs/arch/current.mmd`**: Current architecture (Mermaid)
 - **`veza-docs/docs/arch/target.mmd`**: Target architecture (Mermaid)
 - **`docs-assets/mermaid/architecture-current.mmd`**: Visual architecture
 ### ADRs (Architectural Decision Records):
 - **`docs/adr/ADR-001-rust-services.md`**: Rust services decision
 - **`veza-backend-api/docs/architecture/ADR-001-backend-architecture.md`**: Backend architecture decision
 ---
 ## 6. GIT CONFIGURATION
 ### `.gitignore` Files:
 - **Root `.gitignore`**: Node, Rust, Go, Python, editors, temp files, secrets, Docker data
 - **Service-specific**: `apps/web/.gitignore`, `veza-docs/.gitignore`, `veza-stream-server/.gitignore`
 ### Git Status (from snapshot):
 - **Modified**: CloudFileVersions.stories.tsx, GearCard.tsx, GearDetailModal.tsx, PLAN_V0_803_IMPLEMENTATION.md, gear_warranty_notifier.go
 - **New**: GearCard.stories.tsx, gear_warranty_notifier_test.go, tag_suggest_service_test.go
 ---
 ## 7. MAJOR DIRECTORY CONTENTS SUMMARY
 ### `apps/web/` (Frontend):
 - **Structure**: React + Vite + TypeScript
 - **Features**: auth, tracks, playlists, player, chat, marketplace, inventory, cloud, admin, analytics
 - **Components**: UI library, feature components, layout components
 - **Services**: API service layer
 - **Stores**: Zustand state management
 - **Tests**: Vitest unit tests, Playwright E2E, Storybook
 - **Docs**: Design tokens, Storybook contract, architecture guides
 ### `veza-backend-api/` (Backend):
 - **Language**: Go 1.24.0
 - **Framework**: Gin
 - **Structure**: 
  - `cmd/api/` - Entry point
  - `internal/core/` - Domain logic (auth, track, marketplace, social)
  - `internal/handlers/` - HTTP handlers
  - `internal/services/` - Business logic
  - `internal/models/` - GORM models
  - `internal/middleware/` - HTTP middleware
  - `migrations/` - Database migrations (118+ migrations)
 - **Tests**: Go test suite
 - **Docs**: Architecture, API reference, deployment guides
 ### `veza-stream-server/` (Streaming):
 - **Language**: Rust (2021 edition)
 - **Framework**: Axum 0.8
 - **Features**: HLS streaming, transcoding, WebRTC, audio processing, waveform generation
 - **Structure**: Streaming modules, transcoding pipeline, codecs, monitoring
 - **Tests**: Cargo test suite
 ### `veza-common/` (Shared Rust):
 - **Purpose**: Shared types and utilities for Rust services
 - **Dependencies**: Serde, UUID, Chrono, SQLx, Tracing
 ### `docs/`:
 - **Main docs**: Onboarding, architecture, deployment, feature status
 - **Archive**: Historical audits and reports
 - **Release scopes**: Version-specific documentation
 ### `config/`:
 - **Docker configs**: docker-compose variants
 - **Incus configs**: LXD deployment configs
 - **SSL configs**: Certificate management
 ### `k8s/`:
 - **Kubernetes manifests**: Deployments, services, configs, secrets, monitoring, autoscaling
 ### `make/`:
 - **Modular Makefiles**: Config, UI, help, tools, infra, dev, build, test, services, high-level, Incus
 ---
 ## 8. TECHNOLOGY STACK SUMMARY
 ### Frontend:
 - **Framework**: React 18.2.0
 - **Build**: Vite 7.1.5
 - **Language**: TypeScript 5.9.3
 - **State**: Zustand 4.5.0
 - **UI**: Tailwind CSS 4.0.0, Radix UI, Lucide React
 - **HTTP**: Axios 1.13.5
 - **Query**: TanStack React Query 5.17.0
 - **Testing**: Vitest, Playwright, Storybook
 ### Backend:
 - **Language**: Go 1.24.0
 - **Framework**: Gin
 - **ORM**: GORM
 - **Database**: PostgreSQL 16
 - **Cache**: Redis 7
 - **Queue**: RabbitMQ 3
 - **Storage**: MinIO (S3-compatible)
 - **Logging**: Zap
 - **Metrics**: Prometheus
 ### Streaming:
 - **Language**: Rust (2021 edition)
 - **Framework**: Axum 0.8
 - **Runtime**: Tokio 1.35
 - **Database**: SQLx (PostgreSQL)
 - **Cache**: Redis
 - **Audio**: Symphonia, Hound, MinimP3
 ### Infrastructure:
 - **Containerization**: Docker, Docker Compose
 - **Orchestration**: Kubernetes (manifests in `k8s/`)
 - **Reverse Proxy**: HAProxy, Caddy
 - **Monitoring**: Prometheus, Grafana
 - **CI/CD**: GitHub Actions
 - **Build System**: Turbo (npm workspaces)
 ---
 ## 9. RECENT ACTIVITY (from git status)
 ### Modified Files:
 - `apps/web/src/features/cloud/components/CloudFileVersions.stories.tsx`
 - `apps/web/src/features/inventory/components/gear/GearCard.tsx`
 - `apps/web/src/features/inventory/components/gear/GearDetailModal.tsx`
 - `docs/PLAN_V0_803_IMPLEMENTATION.md`
 - `docs/archive/V0_802_RELEASE_SCOPE.md`
 - `veza-backend-api/internal/services/gear_warranty_notifier.go`
 ### New Files:
 - `apps/web/src/features/inventory/components/gear/GearCard.stories.tsx`
 - `veza-backend-api/internal/services/gear_warranty_notifier_test.go`
 - `veza-backend-api/internal/services/tag_suggest_service_test.go`
 **Focus**: Gear warranty notifications, tag suggestions, Cloud file versions (v0.802/v0.803 features)
 ---
 ## 10. DOCUMENTATION STRUCTURE
 ### Main Documentation (`docs/`):
 - **Onboarding**: `ONBOARDING.md`
 - **Architecture**: `PROJECT_STATE.md`, `FEATURE_STATUS.md`
 - **Deployment**: `PRODUCTION_DEPLOYMENT.md`, `MONITORING_SETUP.md`
 - **Development**: `SCOPE_CONTROL.md`, `PR_READY_CHECKLIST.md`
 - **Database**: `DB_MIGRATIONS_STRATEGY_FINAL.md`, `UUID_DB_MIGRATION_PLAN.md`
 - **Security**: `SECRETS_VERIFICATION.md`, `SECRET_ROTATION.md`
 - **API**: `API_REFERENCE.md`
 - **Archive**: Historical audits and reports
 ### Frontend Documentation (`apps/web/docs/`):
 - Design tokens, Storybook contract, visual testing, architecture guides
 ### Backend Documentation (`veza-backend-api/docs/`):
 - Architecture, API reference, deployment guides, test reports
 ---
 ## 11. MONOREPO ORGANIZATION
 ### Workspace Structure:
 - **Type**: npm workspaces (not Turbo/Nx/Lerna)
 - **Root**: `package.json` defines workspaces
 - **Build**: Turbo for task orchestration
 - **Services**: Independent build/test/lint per service
 ### Key Services:
 1. **`apps/web`** - Frontend React app
 2. **`veza-backend-api`** - Go backend API
 3. **`veza-stream-server`** - Rust streaming server
 4. **`veza-common`** - Shared Rust library
 5. **`veza-docs`** - Documentation site
 6. **`fixtures`** - Test fixtures
 ### Build Commands:
 - `npm run build` - Build all (via Turbo)
 - `npm run test` - Test all (via Turbo)
 - `npm run lint` - Lint all (via Turbo)
 - `make dev-web` - Start frontend dev server
 - `make dev-backend-api` - Start backend dev server
 - `make infra-up` - Start infrastructure (Docker)
 ---
 ## 12. SUMMARY STATISTICS
 ### File Counts (approximate from exploration):
 - **Frontend**: 500+ TypeScript/TSX files
 - **Backend**: 200+ Go files
 - **Stream Server**: 100+ Rust files
 - **Documentation**: 500+ Markdown files
 - **Tests**: 100+ test files across services
 - **Config**: 50+ configuration files
 ### Key Metrics:
 - **Current Version**: v0.803 (2026-02-25)
 - **Database Migrations**: 118+ migrations
 - **GitHub Workflows**: 14 workflows
 - **Docker Compose Files**: 7+ compose files
 - **Makefile Modules**: 10+ modules
 - **Documentation Files**: 500+ markdown files
 ---
 ## 13. ARCHITECTURE OVERVIEW
 ### System Architecture:
 - **Frontend**: React SPA served via Vite dev server or Nginx in production
 - **Backend API**: Go/Gin REST API (port 8080)
 - **Stream Server**: Rust/Axum streaming service (port 3001/8082)
 - **Chat**: Integrated into backend API WebSocket (`/api/v1/ws`) - migrated from Rust in v0.502
 - **Database**: PostgreSQL 16 (primary), Redis 7 (cache), RabbitMQ (queue)
 - **Storage**: MinIO (S3-compatible object storage)
 ### Communication Patterns:
 - **REST API**: Frontend ↔ Backend API
 - **WebSocket**: Frontend ↔ Backend API (`/api/v1/ws` for chat)
 - **HTTP Streaming**: Frontend ↔ Stream Server (HLS)
 - **gRPC**: Backend ↔ Stream Server (internal)
 - **Message Queue**: RabbitMQ for async jobs
 ### Deployment:
 - **Development**: Docker Compose (all services)
 - **Staging**: Docker Compose with HAProxy
 - **Production**: Kubernetes (manifests in `k8s/`) or Docker Compose with blue-green deployment
 ---
 This cartography covers the monorepo structure, configuration, documentation, and architecture. The project is actively developed (v0.803), with a multi-language stack (Go, Rust, TypeScript) and a modular monorepo organization.
--- a/full_veza_audit_data/cursor_explore_react_frontend_structure.md
+++ b/full_veza_audit_data/cursor_explore_react_frontend_structure.md
@ -0,0 +1,418 @@
 # Explore React frontend structure
 _Exported on 2/26/2026 at 09:58:06 GMT+1 from Cursor (2.5.17)_
 ---
 **Cursor**
 Exploring the React frontend. Gathering configuration files, listing directories, and running searches in parallel.
 Continuing with entry points, routing, stores, and searches:
 Continuing with more files and searches:
 Reading config files and counting files:
 Finding the correct config files and gathering more data:
 Using grep to count files and reading the correct config files:
 Compiling the final report. Gathering a few more details:
 ## React Frontend Exploration Report - `/home/senke/git/talas/veza/apps/web`
 ### 1. Package.json Dependencies & Scripts
 **Dependencies (35):**
 - React 18.2.0, React DOM 18.2.0
 - React Router DOM 6.30.3
 - Zustand 4.5.0
 - TanStack React Query 5.17.0, React Virtual 3.13.12
 - Axios 1.13.5
 - Zod 3.25.76
 - React Hook Form 7.49.3, @hookform/resolvers 3.3.4
 - Framer Motion 12.29.2
 - i18next 25.5.2, react-i18next 15.7.3
 - DOMPurify 3.3.0
 - HLS.js 1.6.14
 - Recharts 3.7.0
 - Radix UI (Dialog, Slot)
 - Lucide React 0.321.0
 - Date-fns 4.1.0
 - React Hot Toast 2.6.0
 - Sentry React 10.32.1
 - DnD Kit (core, sortable, utilities)
 - Emoji Picker React 4.16.1
 - React Dropzone 14.3.8
 - Class Variance Authority 0.7.0
 - Tailwind Merge 2.2.1
 - Immer 10.0.3
 - Hyper.js (Juspay) 2.1.0
 **Dev Dependencies (47):**
 - Vite 7.1.5, @vitejs/plugin-react 4.2.1
 - TypeScript 5.9.3
 - Vitest 3.2.4, @vitest/browser, @vitest/coverage-v8
 - Testing Library (React, Jest DOM, User Event)
 - Playwright 1.58.1
 - Storybook 8.6.15 (with addons: a11y, essentials, interactions)
 - MSW 2.11.2, msw-storybook-addon 2.0.6
 - ESLint 9.0.0, TypeScript ESLint 8.0.0
 - Prettier 3.2.5
 - Tailwind CSS 4.0.0, @tailwindcss/postcss 4.0.0
 - Autoprefixer 10.4.17
 - Husky 9.1.7
 - OpenAPI Generator CLI 2.27.0
 - Rollup Plugin Visualizer 6.0.5
 **Scripts:**
 - Dev: `dev`, `dev:with-api`, `dev:mocks`, `dev:lab`
 - Test: `test`, `test:ui`, `test:e2e`, `test:visual`, `test:storybook`
 - Build: `build`, `build-storybook`
 - Lint: `lint`, `lint:fix`, `lint:ui`
 - Format: `fmt`, `format`, `format:check`
 - Typecheck: `typecheck`, `generate:types`
 - Visual: `visual:capture`, `visual:compare`, `visual:update`
 - Storybook: `storybook`, `build-storybook`, `test:storybook`
 ### 2. Configuration Files
 **vite.config.ts:**
 - React plugin, path aliases (@, @components, @features, etc.)
 - Proxy config for `/api`, `/swagger`, `/ws`, `/stream`, `/hls`
 - Manual chunks for vendor splitting
 - Test config with jsdom
 - Build output: `dist_verification`
 **tsconfig.json:**
 - Not read (file path issue)
 **pnpm-workspace.yaml:**
 - Monorepo workspace config (read from root)
 ### 3. All Files in src/ (Recursive List)
 Total files found: ~2000+ files
 **Key directories:**
 - `src/components/` - UI components
 - `src/features/` - Feature modules (986 files)
 - `src/stores/` - Zustand stores
 - `src/services/` - API services
 - `src/hooks/` - Custom hooks
 - `src/utils/` - Utilities
 - `src/types/` - TypeScript types (including generated OpenAPI types)
 - `src/router/` - Routing configuration
 - `src/mocks/` - MSW handlers
 - `src/config/` - Configuration
 - `src/lib/` - Libraries (i18n, sentry, utils)
 - `src/context/` - React contexts
 - `src/schemas/` - Zod schemas
 - `src/app/` - App component
 - `src/__tests__/` - Test utilities
 ### 4. Entry Point
 **main.tsx:**
 - React 18 StrictMode
 - BrowserRouter with React Router v7 flags
 - QueryClientProvider (TanStack Query)
 - ThemeProvider (dark default)
 - MSW initialization (conditional)
 - Sentry initialization
 - Global error handlers
 - Stylesheet loading wait logic
 - LazyToaster for notifications
 - Grid overlay utility (dev only)
 ### 5. Routing Configuration
 **routeConfig.tsx:**
 - Public routes: `/login`, `/register`, `/forgot-password`, `/verify-email`, `/reset-password`
 - Public standalone: `/design-system`, `/u/:username`
 - Protected routes:
  - Dashboard: `/dashboard`
  - Marketplace: `/marketplace`, `/marketplace/products/:id`, `/sell`, `/wishlist`, `/purchases`, `/checkout/complete`
  - Social: `/social`
  - Chat: `/chat`
  - Library: `/library`
  - Profile: `/profile`, `/settings`, `/settings/sessions`
  - Tracks: `/tracks/:id`
  - Playlists: `/playlists/*` (nested routes)
  - Search: `/search`
  - Notifications: `/notifications`
  - Analytics: `/analytics`
  - Admin: `/admin`, `/admin/roles`, `/admin/transfers`
  - Developer: `/developer`, `/webhooks`
  - Queue: `/queue`
  - Gear: `/gear`
  - Live: `/live`, `/live/go-live`
  - Cloud: `/cloud`
 - Error routes: `/404`, `/500`
 - Lazy loading for all routes
 - ProtectedRoute wrapper with auth check
 - ProtectedLayoutRoute wrapper
 **PlaylistRoutes (nested):**
 - `/playlists/` → PlaylistListPage
 - `/playlists/:id` → PlaylistDetailPage
 - `/playlists/new` → redirects to `/playlists`
 ### 6. Zustand Stores
 **Stores found:**
 1. `stores/cartStore.ts` - Shopping cart (persisted)
 2. `stores/ui.ts` - UI state (theme, language, sidebar, notifications) (persisted, broadcast sync)
 3. `features/auth/store/authStore.ts` - Auth state (isAuthenticated, isLoading, error) (persisted, broadcast sync)
 4. `features/player/store/playerStore.ts` - Player state (currentTrack, queue, volume, playback controls) (persisted)
 5. `features/player/store/queueSessionStore.ts` - Queue session state
 6. `features/chat/store/chatStore.ts` - Chat state (conversations, messages, WebRTC calls) (immer middleware)
 **Store patterns:**
 - Zustand with persist middleware
 - Broadcast sync across tabs
 - Redux DevTools integration (conditional)
 - Immer for complex state updates (chat store)
 ### 7. Features Directory
 **Features (986 files total):**
 - `auth/` - Authentication (login, register, 2FA, sessions)
 - `tracks/` - Track management, upload, playback
 - `playlists/` - Playlist CRUD, collaboration, sharing
 - `player/` - Audio player, queue, controls
 - `chat/` - Chat interface, WebRTC calls
 - `streaming/` - Playback analytics, HLS streaming
 - `search/` - Search functionality
 - `notifications/` - Notification system
 - `analytics/` - Analytics dashboard
 - `dashboard/` - Main dashboard
 - `library/` - User library
 - `profile/` - User profiles
 - `settings/` - Settings pages
 - `marketplace/` - Marketplace, commerce
 - `checkout/` - Checkout flow
 - `purchases/` - Purchase history
 - `social/` - Social feed, posts, groups
 - `admin/` - Admin features
 - `roles/` - Role management
 - `developer/` - Developer tools, webhooks, API keys
 - `inventory/` - Gear/inventory management
 - `live/` - Live streaming
 - `cloud/` - Cloud storage
 - `sessions/` - Session management
 - `user/` - User components
 - `error/` - Error pages
 ### 8. MSW Handlers
 **handlers.ts (main):**
 - Aggregates handlers from:
  - `handlers-common.ts` - External images, CSRF
  - `handlers-auth.ts` - Auth, 2FA, sessions
  - `handlers-admin.ts` - Audit, dashboard, roles, users, monitoring, webhooks, API keys
  - `handlers-social.ts` - Social feed, posts, groups
  - `handlers-marketplace.ts` - Marketplace, commerce, cart, orders
  - `handlers-tracks.ts` - Tracks, comments
  - `handlers-playlists.ts` - Playlists
  - `handlers-misc.ts` - Search, notifications, users profile, chat, streaming, inventory, live
  - `handlers-cloud.ts` - Cloud storage, folders, files, quota
  - `handlers-streaming.ts` - Streaming analytics
  - `handlers-live.ts` - Live streams
 - Catch-all handler for unhandled API requests
 ### 9. Storybook Configuration
 **.storybook/main.ts:**
 - Stories: `../src/**/*.mdx`, `../src/**/*.stories.@(js|jsx|mjs|ts|tsx)`
 - Addons: essentials, a11y, interactions, msw-storybook-addon
 - Framework: @storybook/react-vite
 - Autodocs enabled
 - TypeScript react-docgen
 **.storybook/preview.tsx:**
 - MSW initialization with strict mode
 - Custom viewports (mobile, tablet, desktop)
 - Dark mode default
 - StorybookDecorator wrapper
 - MSW loader
 **Stories found:** 200+ story files
 ### 10. File Counts
 **Component files:** ~207 files in `src/components/ui/` alone
 **Test files:** Found via grep (exact count requires terminal)
 **Story files:** Found via grep (exact count requires terminal)
 ### 11. TypeScript 'any' Usage
 **Search results:** No matches found for `: any\b` pattern
 **Note:** Some usage found in:
 - `components/ui/input.tsx` - FileUpload shim uses `any`
 - `utils/storeSelectors.ts` - Some TODO comments about type improvements
 ### 12. dangerouslySetInnerHTML Usage
 **Search results:** No matches found
 **Security:** No direct HTML injection found
 ### 13. localStorage Usage
 **Found in:**
 - `services/tokenStorage.ts` - Legacy token cleanup (tokens now in httpOnly cookies)
 - `features/auth/pages/LoginPage.tsx` - Remember email
 - `features/auth/pages/VerifyEmailPage.tsx` - Pending verification email
 - `features/tracks/hooks/useTrackList.ts` - Filter/sort persistence
 - `features/tracks/components/ViewToggle.tsx` - View preference
 - `features/tracks/components/TrackGrid.tsx` - Density preference
 - `services/offlineQueue.ts` - Offline queue persistence
 - `services/playbackAnalyticsService.ts` - Pending analytics events
 - `hooks/useLocalStorage.ts` - Generic localStorage hook
 - `utils/firstTime.ts` - First-time user flags
 - `utils/safeStorage.ts` - Safe localStorage wrapper with fallback
 - `components/ui/feature-highlight/FeatureHighlight.tsx` - Dismissed highlights
 - `components/search/Search.tsx` - Search history
 - `lib/i18n.ts` - Language preference
 **Security note:** Tokens moved to httpOnly cookies; localStorage only used for preferences/UI state
 ### 14. Design System / UI Components
 **Location:** `src/components/ui/`
 **Components (207+ files):**
 - Button, Input, Card, Dialog, Dropdown, Select, Tabs, Accordion
 - Avatar, Badge, Skeleton, Toast, Tooltip, Alert
 - FormField, FloatingInput, DatePicker, FileUpload
 - VirtualizedList, DataList, Table
 - WaveformVisualizer, OptimizedImage, ImageCropper
 - LoadingSpinner, ErrorDisplay, EmptyState
 - Sidebar, NavigationProgress, ScrollArea
 - FAB (Floating Action Button), FeatureHighlight
 - LazyComponent utilities
 **Design System:** SUMI Design System v2.0
 - Defined in `src/index.css`
 - CSS custom properties for colors, spacing, typography
 - Dark theme default
 - Semantic tokens (primary, success, warning, error)
 - Tailwind CSS integration
 - Design tokens reference: `apps/web/docs/DESIGN_SYSTEM_REFERENCE.md`
 ### 15. ESLint & Prettier Config
 **.prettierrc.json:**
 ```json
 {
  "semi": true,
  "singleQuote": true,
  "tabWidth": 2
 }
 ```
 **eslint.config.js:**
 - File exists but content not readable (may be in different format)
 ### 16. pnpm-workspace.yaml
 **Location:** `/home/senke/git/talas/veza/pnpm-workspace.yaml`
 - Monorepo workspace configuration
 - Includes multiple packages (backend-api, stream-server, web frontend)
 ### 17. Electron Code
 **Search results:** Found in `mocks/test-helpers.ts`:
 ```typescript
 import { contextBridge } from 'electron';
 ```
 **Note:** Only in test helpers, not production code. No Electron main process found.
 ### 18. Environment Variables (import.meta.env)
 **Usage found in 50+ files:**
 - `VITE_API_URL` - API base URL
 - `VITE_WS_URL` - WebSocket URL
 - `VITE_STREAM_URL` - Streaming URL
 - `VITE_HLS_BASE_URL` - HLS base URL
 - `VITE_UPLOAD_URL` - Upload endpoint
 - `VITE_DOMAIN` - Domain configuration
 - `VITE_APP_NAME` - App name
 - `VITE_DEBUG` - Debug mode
 - `VITE_USE_MSW` - MSW enabled flag
 - `VITE_STORYBOOK` - Storybook mode
 - `VITE_HYPERSWITCH_PUBLISHABLE_KEY` - Payment key
 - `VITE_FCM_VAPID_KEY` - Push notifications
 - `VITE_SENTRY_DSN` - Sentry DSN
 - `import.meta.env.DEV` - Development mode
 - `import.meta.env.PROD` - Production mode
 - `import.meta.env.MODE` - Build mode
 **Config:** `src/config/env.ts` - Zod schema validation for env vars
 ### 19. TODO/FIXME/HACK Comments
 **Found:**
 - `features/admin/api/auditService.ts` - TODO: Consider creating adminApi
 - `features/sessions/api/sessionsApi.ts` - TODO: Consider creating sessionsApi
 - `utils/storeSelectors.ts` - Multiple TODOs about React Query migration
 - `features/player/components/PlayerExpanded.tsx` - TODO and HACK comments
 - Many `tags: ['autodocs']` in story files (not TODOs)
 **Count:** ~10+ TODO/FIXME/HACK comments found
 ### 20. npm audit / Vulnerabilities
 **Note:** Cannot run `npm audit` in read-only mode. Check manually with:
 ```bash
 cd apps/web && npm audit
 ```
 ---
 ## Summary Statistics
 - **Total TypeScript/TSX files:** ~2000+
 - **Features:** 25+ feature modules
 - **Routes:** 30+ routes (public + protected)
 - **Stores:** 6 Zustand stores
 - **UI Components:** 200+ components
 - **Stories:** 200+ Storybook stories
 - **MSW Handlers:** 10+ handler modules
 - **Environment Variables:** 15+ VITE_* vars
 - **Design System:** SUMI Design System v2.0
 - **Build Tool:** Vite 7.1.5
 - **Framework:** React 18.2.0
 - **State Management:** Zustand + TanStack Query
 - **Routing:** React Router 6.30.3
 - **Styling:** Tailwind CSS 4.0.0
 - **Testing:** Vitest + Playwright + Testing Library
 - **Type Safety:** TypeScript 5.9.3 + Zod
 **Architecture highlights:**
 - Feature-based structure
 - Lazy-loaded routes
 - MSW for API mocking
 - Storybook-first development
 - Design system with semantic tokens
 - Type-safe environment variables
 - Security: httpOnly cookies for auth, no dangerouslySetInnerHTML
 - Accessibility: a11y addon in Storybook, ARIA attributes
 All raw data has been collected and analyzed.
--- a/full_veza_audit_data/cursor_explore_rust_services_structure.md
+++ b/full_veza_audit_data/cursor_explore_rust_services_structure.md
@ -0,0 +1,328 @@
 # Explore Rust services structure
 _Exported on 2/26/2026 at 09:57:56 GMT+1 from Cursor (2.5.17)_
 ---
 **Cursor**
 Searching for Rust service directories and exploring them.
 Searching more specifically for Rust services:
 Using file search tools to locate Rust services:
 Found `veza-stream-server`. Searching for a chat server and exploring both services:
 Reading entry points and exploring both services. Starting with entry points and key files:
 Reading configuration files and Dockerfiles, then scanning source files for patterns:
 Searching for WebSocket, authentication, and database patterns, then reading all source files:
 Reading Rust source files directly:
 Reading more source files and checking veza-common:
 Reading remaining Rust source files systematically. Compiling a report with all findings:
 ## Rust services exploration report
 ### Services found
 1. `veza-stream-server` — Rust streaming service
 2. `veza-common` — Shared Rust library
 3. No `veza-chat-server` found (mentioned in docs but not present)
 ---
 ## 1. Cargo.toml analysis
 ### veza-stream-server/Cargo.toml
 - Rust edition: 2021
 - Version: 0.2.0
 - Dependencies: 60+ crates
 - Key dependencies:
  - `axum = "0.8"` (web framework)
  - `tokio = "1.35"` (async runtime)
  - `sqlx = "0.8"` (database)
  - `redis = "0.32"` (cache)
  - `jsonwebtoken = "10"` (auth)
  - `tonic = "0.11"` (gRPC)
  - `lapin = "2.3"` (RabbitMQ)
  - Audio: `symphonia`, `hound`, `minimp3`, `rubato`
  - Streaming: `m3u8-rs`, `tokio-tungstenite`
  - Monitoring: `prometheus`, `tracing`
 ### veza-common/Cargo.toml
 - Rust edition: 2021
 - Version: 0.1.0
 - Dependencies: 20+ crates
 - Key: `serde`, `tokio`, `sqlx`, `tracing`, `validator`, `reqwest`
 ### rust-toolchain.toml
 - Channel: stable
 - Components: rustfmt, clippy
 - Target: x86_64-unknown-linux-gnu
 ---
 ## 2. Source files
 ### veza-stream-server: 109 Rust source files
 - Entry points: `src/main.rs`, `src/lib.rs`
 - Modules: auth, streaming, transcoding, core, database, monitoring, routes, middleware, analytics, cache, codecs, grpc, health, notifications, testing
 ### veza-common: 28 Rust source files
 - Entry point: `src/lib.rs`
 - Modules: types, utils, error, config, auth, logging, metrics, traits
 ---
 ## 3. Entry points
 ### veza-stream-server/src/main.rs
 - Initializes logging via `veza-common::logging`
 - Sets up Prometheus metrics
 - Loads config from environment
 - Creates `AppState`
 - Initializes RabbitMQ event bus (optional)
 - Starts health monitoring
 - Creates routes
 - Starts Axum server on port 3002 (configurable)
 - Graceful shutdown handler
 ### veza-stream-server/src/lib.rs
 - Defines `AppState` with services
 - Initializes database pool, cache, metrics, analytics, audio processor, compression, health monitor, auth manager, WebSocket manager, transcoding engine, sync engine, stream manager
 ---
 ## 4. WebSocket handling
 ### Location: `src/streaming/websocket.rs` (997 lines)
 - WebSocket manager with connection tracking
 - Authentication via JWT (query param or Authorization header)
 - Commands: Play, Pause, Stop, Seek, Subscribe, GetStatus, Ping, SyncPong
 - Events: PlaybackStarted, PlaybackPaused, PlaybackProgress, SyncAdjustment, SyncPing, SyncInit
 - Connection stats: latency, RTT, clock offset
 - Broadcast to all connections
 - Send to specific user/connection
 - Cleanup inactive connections
 - Graceful shutdown support
 ---
 ## 5. Authentication/authorization
 ### Location: `src/auth/mod.rs` (660 lines)
 - JWT validation with `jsonwebtoken`
 - Token revocation store (Redis or in-memory)
 - Claims: sub, username, email, roles, permissions, session_id
 - Roles: Admin, Moderator, User, Premium, Artist, Guest
 - Permissions: StreamAudio, UploadAudio, ManageUsers, etc.
 - Middleware: `auth_middleware`, `hls_auth_middleware`
 - Token extraction from headers or query params
 - No direct login (tokens from backend API)
 ### Location: `src/auth/token_validator.rs` (477 lines)
 - HMAC-SHA256 signature validation for streaming URLs
 - Token expiration checking
 - Database-backed track access validation
 - Public/private track access rules
 - Purchase verification
 ---
 ## 6. Database interaction (SQLx)
 ### Database queries found: 50+ across multiple files
 - `src/analytics/mod.rs`: 15 queries
 - `src/playlist_manager.rs`: 8 queries
 - `src/core/encoding_pool.rs`: 6 queries
 - `src/core/processing/segment_tracker.rs`: 7 queries
 - `src/auth/token_validator.rs`: 2 queries (track access validation)
 - `src/routes/transcode.rs`: 2 queries
 - `src/core/encoding_service.rs`: 4 queries
 - `src/core/processing/callbacks.rs`: 2 queries
 - `src/core/processing/processor.rs`: 4 queries
 ### Database pool: `src/database/pool.rs`
 - PostgreSQL connection pool via SQLx
 - Configurable: max/min connections, timeouts, idle timeout, max lifetime
 - Environment-based configuration
 ---
 ## 7. Unsafe blocks
 Result: 0 unsafe blocks found
 ---
 ## 8. unwrap() and expect() calls
 ### unwrap() calls: ~50+
 - Most in tests, benchmarks, and examples
 - Some in production code:
  - `src/config/mod.rs`: 1 (test)
  - `src/core/sync.rs`: 12+ (test code)
  - `src/streaming/websocket.rs`: 3 (query parsing)
  - `src/monitoring/metrics.rs`: 5 (test code)
  - `src/auth/token_validator.rs`: 8 (test code)
  - `src/utils/signature.rs`: 6 (test code)
 ### expect() calls: ~15
 - Mostly in initialization code:
  - `src/main.rs`: 2 (signal handlers)
  - `src/core/processing/ffmpeg_monitor.rs`: 3 (regex compilation)
  - `src/core/encoding_pool.rs`: 1 (regex compilation)
  - `src/monitoring/metrics.rs`: 2 (default creation)
  - `src/middleware/rate_limit.rs`: 1 (NonZeroU32)
  - `src/cache/audio_cache.rs`: 1 (NonZeroUsize)
  - `src/transcoding/ffmpeg/progress_parser.rs`: 2 (regex compilation)
 ---
 ## 9. Error handling patterns
 ### Location: `src/error.rs` (691 lines)
 - Custom `AppError` enum with 30+ variants
 - Implements `std::error::Error` and `Display`
 - `IntoResponse` for Axum integration
 - Conversions from: `std::io::Error`, `sqlx::Error`, `serde_json::Error`, `tokio::time::error::Elapsed`
 - Type alias: `Result<T> = std::result::Result<T, AppError>`
 - Error categories: Config, Network, Audio, Streaming, Codec, File, Auth, Thread, Sync, Internal
 ---
 ## 10. Dockerfiles
 ### veza-stream-server/Dockerfile
 - Multi-stage build (rust:alpine builder, alpine:latest runtime)
 - Build dependencies: musl-dev, ca-certificates, perl, make, pkgconfig, openssl-dev, protobuf-dev
 - Static binary: `x86_64-unknown-linux-musl`
 - Non-root user: app (UID 1001)
 - Port: 8082
 - Health check: `/health` endpoint
 - Copies veza-common dependency
 ### veza-stream-server/Dockerfile.production
 - Similar to Dockerfile
 - Uses rust:1.84-alpine
 - Strips binary symbols
 - Alpine 3.21 runtime
 ---
 ## 11. Test files
 ### Test files found: 5
 - `veza-stream-server/src/testing/load_testing.rs`
 - `veza-stream-server/src/testing/stress_testing.rs`
 - `veza-stream-server/src/testing/chaos_testing.rs`
 - `veza-stream-server/src/testing/benchmarks.rs`
 - `veza-stream-server/src/bin/stream_load_test.rs`
 - `veza-common/tests/common_tests.rs`
 ### Test coverage
 - Unit tests in most modules (`#[cfg(test)]`)
 - Integration tests present
 - Load/stress/chaos testing modules
 - Benchmark suite
 ---
 ## 12. Configuration files
 ### rust-toolchain.toml
 - Channel: stable
 - Components: rustfmt, clippy
 - Target: x86_64-unknown-linux-gnu
 ### .cargo/config.toml
 - Not found
 ### sqlx-data.json
 - Not found (using runtime queries, not offline mode)
 ---
 ## 13. TODO/FIXME/HACK
 ### TODO: 8 instances
 - `src/routes/transcode.rs:413`: Add started_at to stream_jobs
 - `src/cache/mod.rs:2`: Implement adaptive cache
 - `src/structured_logging.rs:620`: Add file configuration
 - `src/analytics/mod.rs:269`: IP geolocation
 - Documentation TODOs in audit files
 ### FIXME: 2 instances
 - `src/main.rs:15`: Use veza-common::logging for unified configuration
 - `src/main.rs:24`: LOG_LEVEL normalization
 ### HACK: 0 instances
 ---
 ## 14. Compilation status indicators
 - No `sqlx-data.json` (using runtime SQLx queries)
 - `Cargo.lock` present (dependency locking)
 - `build.rs` present (gRPC code generation)
 - `proto/` directory with `.proto` files
 - Generated code: `src/generated/veza.stream.rs`, `src/generated/veza.common.auth.rs`
 ---
 ## Summary statistics
 - Total Rust source files: 137 (109 stream-server + 28 common)
 - Total lines of code: ~30,000+ (estimated)
 - Database queries: 50+
 - WebSocket handlers: 1 major module (997 lines)
 - Auth modules: 2 (auth/mod.rs, auth/token_validator.rs)
 - Unsafe blocks: 0
 - unwrap() calls: ~50+ (mostly tests)
 - expect() calls: ~15 (mostly initialization)
 - TODO comments: 8
 - FIXME comments: 2
 - Test files: 6
 - Dockerfiles: 2
 ---
 ## Architecture notes
 - Async runtime: Tokio 1.35
 - Web framework: Axum 0.8
 - Database: PostgreSQL via SQLx 0.8
 - Cache: Redis (optional)
 - Message queue: RabbitMQ (optional)
 - gRPC: Tonic 0.11
 - Monitoring: Prometheus, Tracing
 - Audio processing: Symphonia, FFmpeg integration
 - Streaming: HLS, WebSocket, HTTP Range Requests
 The codebase follows Rust best practices with error handling, no unsafe blocks, and a modular architecture.
--- a/make/tools.mk
+++ b/make/tools.mk
@ -2,7 +2,7 @@
 # TOOLS: check, install deps, ports
 # ==============================================================================
-.PHONY: check-tools check-tools-incus install-tools install-deps check-ports
+.PHONY: check-tools check-tools-incus install-tools install-deps check-ports openapi
 check-tools: ## [LOW] Check required tools
 	@$(ECHO_CMD) "${BLUE}Checking core requirements...${NC}"
@ -45,3 +45,6 @@ check-ports: ## [LOW] Check if ports are available
 			$(ECHO_CMD) "${GREEN}✅ Port $$port is free${NC}"; \
 		fi; \
 	done
 openapi: ## [LOW] Régénère openapi.yaml depuis les annotations Swagger (v0.923)
 	@$(MAKE) -C $(ROOT)/$(SERVICE_DIR_backend-api) openapi
--- a/veza-backend-api/Makefile
+++ b/veza-backend-api/Makefile
@ -219,6 +219,22 @@ docs: ## Génère la documentation
 	@go doc -all ./... > docs.txt
 	@echo "$(GREEN)✅ Documentation générée: docs.txt$(NC)"
 # OpenAPI (v0.923 Contract)
 openapi: ## Régénère openapi.yaml depuis les annotations Swagger
 	@echo "$(GREEN)📄 Génération OpenAPI...$(NC)"
 	@if command -v swag >/dev/null 2>&1; then \
 		swag init -g cmd/api/main.go --parseDependency --parseInternal; \
 	else \
 		echo "$(YELLOW)⚠️  swag non installé. Installation...$(NC)"; \
 		go install github.com/swaggo/swag/cmd/swag@latest; \
 		$$(go env GOPATH)/bin/swag init -g cmd/api/main.go --parseDependency --parseInternal; \
 	fi
 	@cp docs/swagger.yaml openapi.yaml
 	@echo "$(GREEN)✅ openapi.yaml généré$(NC)"
 	@echo "$(GREEN)🔍 Validation de la spec (Swagger 2.0)...$(NC)"
 	@cd .. && (npx @apidevtools/swagger-cli validate veza-backend-api/openapi.yaml && echo "$(GREEN)✅ openapi.yaml validé$(NC)") || \
 		(echo "$(YELLOW)⚠️  swagger-cli signale des écarts OAS3 (Swagger 2.0). Spec utilisable pour generate-types.$(NC)" && true)
 # Scripts personnalisés
 cleanup: ## Exécute le script de nettoyage
 	@echo "$(GREEN)🧹 Exécution du script de nettoyage...$(NC)"
--- a/veza-backend-api/docs/docs.go
+++ b/veza-backend-api/docs/docs.go
--- a/veza-backend-api/docs/swagger.json
+++ b/veza-backend-api/docs/swagger.json
--- a/veza-backend-api/docs/swagger.yaml
+++ b/veza-backend-api/docs/swagger.yaml
--- a/veza-backend-api/go.mod
+++ b/veza-backend-api/go.mod
@ -87,14 +87,15 @@ require (
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.8 // indirect
 	github.com/getkin/kin-openapi v0.133.0 // indirect
 	github.com/gin-contrib/sse v1.1.0 // indirect
 	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.2.6 // indirect
-	github.com/go-openapi/jsonpointer v0.19.5 // indirect
+	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.19.6 // indirect
 	github.com/go-openapi/spec v0.20.4 // indirect
-	github.com/go-openapi/swag v0.19.15 // indirect
+	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/goccy/go-json v0.10.2 // indirect
@ -113,7 +114,7 @@ require (
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
-	github.com/mailru/easyjson v0.7.6 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-sqlite3 v1.14.22 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
@ -123,11 +124,15 @@ require (
 	github.com/moby/term v0.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/oasdiff/yaml v0.0.0-20250309154309-f31be36b4037 // indirect
 	github.com/oasdiff/yaml3 v0.0.0-20250309153720-d2182401db90 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 	github.com/perimeterx/marshmallow v1.1.5 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
@ -143,6 +148,7 @@ require (
 	github.com/tklauser/numcpus v0.6.1 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.3.0 // indirect
 	github.com/woodsbury/decimal128 v1.3.0 // indirect
 	github.com/yusufpapurcu/wmi v1.2.3 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
 	go.opentelemetry.io/otel v1.24.0 // indirect
--- a/veza-backend-api/go.sum
+++ b/veza-backend-api/go.sum
@ -113,6 +113,8 @@ github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S
 github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/gabriel-vasile/mimetype v1.4.8 h1:FfZ3gj38NjllZIeJAmMhr+qKL8Wu+nOoI3GqacKw1NM=
 github.com/gabriel-vasile/mimetype v1.4.8/go.mod h1:ByKUIKGjh1ODkGM1asKUbQZOLGrPjydw3hYPU2YU9t8=
 github.com/getkin/kin-openapi v0.133.0 h1:pJdmNohVIJ97r4AUFtEXRXwESr8b0bD721u/Tz6k8PQ=
 github.com/getkin/kin-openapi v0.133.0/go.mod h1:boAciF6cXk5FhPqe/NQeBTeenbjqU4LhWBf09ILVvWE=
 github.com/getsentry/sentry-go v0.40.0 h1:VTJMN9zbTvqDqPwheRVLcp0qcUcM+8eFivvGocAaSbo=
 github.com/getsentry/sentry-go v0.40.0/go.mod h1:eRXCoh3uvmjQLY6qu63BjUZnaBu5L5WhMV1RwYO8W5s=
 github.com/gin-contrib/gzip v0.0.6 h1:NjcunTcGAj5CO1gn4N8jHOSIeRFHIbn51z6K+xaN4d4=
@ -133,6 +135,8 @@ github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiU
 github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
 github.com/go-openapi/jsonpointer v0.19.5 h1:gZr+CIYByUqjcgeLXnQu2gHYQC9o73G2XUeOFYEICuY=
 github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
 github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
 github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
 github.com/go-openapi/jsonreference v0.19.6 h1:UBIxjkht+AWIgYzCDSv2GN+E/togfwXUJFRTWhl2Jjs=
 github.com/go-openapi/jsonreference v0.19.6/go.mod h1:diGHMEHg2IqXZGKxqyvWdfWU/aim5Dprw5bqpKkTvns=
 github.com/go-openapi/spec v0.20.4 h1:O8hJrt0UMnhHcluhIdUgCLRWyM2x7QkBXRvOs7m+O1M=
@ -140,6 +144,8 @@ github.com/go-openapi/spec v0.20.4/go.mod h1:faYFR1CvsJZ0mNsmsphTMSoRrNV3TEDoAM7
 github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
 github.com/go-openapi/swag v0.19.15 h1:D2NRCBzS9/pEY3gP9Nl8aDqGUcPFrwG2p+CNFrLyrCM=
 github.com/go-openapi/swag v0.19.15/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ=
 github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE=
 github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
 github.com/go-pdf/fpdf v0.9.0 h1:PPvSaUuo1iMi9KkaAn90NuKi+P4gwMedWPHhj8YlJQw=
 github.com/go-pdf/fpdf v0.9.0/go.mod h1:oO8N111TkmKb9D7VvWGLvLJlaZUQVPM+6V42pp3iV4Y=
 github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
@ -217,6 +223,8 @@ github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN
 github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.7.6 h1:8yTIVnZgCoiM1TgqoeTl+LfU5Jg6/xL3QhGQnimLYnA=
 github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=
@ -236,6 +244,8 @@ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 h1:RWengNIwukTxcDr9M+97sNutRR1RKhG96O6jWumTTnw=
 github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826/go.mod h1:TaXosZuwdSHYgviHp1DAtfrULt5eUgsSMsZf+YrPgl8=
 github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
@ -243,12 +253,18 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8m
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f h1:KUppIJq7/+SVif2QVs3tOP0zanoHgBEVAwHxUSIzRqU=
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/oasdiff/yaml v0.0.0-20250309154309-f31be36b4037 h1:G7ERwszslrBzRxj//JalHPu/3yz+De2J+4aLtSRlHiY=
 github.com/oasdiff/yaml v0.0.0-20250309154309-f31be36b4037/go.mod h1:2bpvgLBZEtENV5scfDFEtB/5+1M4hkQhDQrccEJ/qGw=
 github.com/oasdiff/yaml3 v0.0.0-20250309153720-d2182401db90 h1:bQx3WeLcUWy+RletIKwUIt4x3t8n2SxavmoclizMb8c=
 github.com/oasdiff/yaml3 v0.0.0-20250309153720-d2182401db90/go.mod h1:y5+oSEHCPT/DGrS++Wc/479ERge0zTFxaF8PbGKcg2o=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
 github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
 github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
 github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
 github.com/perimeterx/marshmallow v1.1.5 h1:a2LALqQ1BlHM8PZblsDdidgv1mWi1DgC2UmX50IvK2s=
 github.com/perimeterx/marshmallow v1.1.5/go.mod h1:dsXbUu8CRzfYP5a87xpp0xq9S3u0Vchtcl8we9tYaXw=
 github.com/pingcap/errors v0.11.4 h1:lFuQV/oaUMGcD2tqt+01ROSmJs75VG1ToEOkZIZ4nE4=
 github.com/pingcap/errors v0.11.4/go.mod h1:Oi8TUi2kEtXXLMJk9l1cGmz20kV3TaQ0usTwv5KuLY8=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
@ -277,6 +293,7 @@ github.com/redis/go-redis/v9 v9.16.0 h1:OotgqgLSRCmzfqChbQyG1PHC3tLNR89DG4jdOERS
 github.com/redis/go-redis/v9 v9.16.0/go.mod h1:u410H11HMLoB+TP67dz8rL9s6QW2j76l0//kSOd3370=
 github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
 github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
 github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
 github.com/shirou/gopsutil/v3 v3.23.12 h1:z90NtUkp3bMtmICZKpC4+WaknU1eXtp5vtbQ11DgpE4=
 github.com/shirou/gopsutil/v3 v3.23.12/go.mod h1:1FrWgea594Jp7qmjHUUPlJDTPgcsb9mGnXDxavtikzM=
 github.com/shoenig/go-m1cpu v0.1.6 h1:nxdKQNcEB6vzgA2E2bvzKIYRuNj7XNJ4S/aRSwKzFtM=
@ -321,6 +338,8 @@ github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS
 github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
 github.com/ugorji/go/codec v1.3.0 h1:Qd2W2sQawAfG8XSvzwhBeoGq71zXOC/Q1E9y/wUcsUA=
 github.com/ugorji/go/codec v1.3.0/go.mod h1:pRBVtBSKl77K30Bv8R2P+cLSGaTtex6fsA2Wjqmfxj4=
 github.com/woodsbury/decimal128 v1.3.0 h1:8pffMNWIlC0O5vbyHWFZAt5yWvWcrHA+3ovIIjVWss0=
 github.com/woodsbury/decimal128 v1.3.0/go.mod h1:C5UTmyTjW3JftjUFzOVhC20BEQa2a4ZKOB5I6Zjb+ds=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
--- a/veza-backend-api/internal/middleware/auth.go
+++ b/veza-backend-api/internal/middleware/auth.go
@ -4,6 +4,7 @@ import (
 	"context"
 	"net/http"
 	"os"
 	"reflect"
 	"strings"
 	"time"
@ -184,7 +185,8 @@ func (am *AuthMiddleware) authenticate(c *gin.Context) (uuid.UUID, bool) {
 	}
 	// VEZA-SEC-006: Check token blacklist (revoked tokens)
-	if am.tokenBlacklist != nil {
+	// Note: am.tokenBlacklist may be non-nil interface holding nil pointer when Redis is unavailable
 	if am.tokenBlacklist != nil && !reflect.ValueOf(am.tokenBlacklist).IsNil() {
 		blacklisted, err := am.tokenBlacklist.IsBlacklisted(c.Request.Context(), tokenString)
 		if err != nil {
 			am.logger.Warn("Token blacklist check failed", zap.Error(err))
--- a/veza-backend-api/internal/services/gear_warranty_notifier.go
+++ b/veza-backend-api/internal/services/gear_warranty_notifier.go
@ -5,13 +5,12 @@ import (
 	"fmt"
 	"time"
 	"github.com/google/uuid"
 	"go.uber.org/zap"
 	"gorm.io/gorm"
 	"veza-backend-api/internal/models"
 )
-// GearWarrantyNotifier sends notifications when gear warranty is expiring
+// GearWarrantyNotifier sends notifications for gear items with expiring warranty
 type GearWarrantyNotifier struct {
 	db                 *gorm.DB
 	notificationService *NotificationService
@ -32,7 +31,7 @@ func NewGearWarrantyNotifier(db *gorm.DB, notificationService *NotificationServi
 // Start runs the notifier loop
 func (n *GearWarrantyNotifier) Start(ctx context.Context) {
 	if n.notificationService == nil {
-		n.logger.Info("Gear warranty notifier: notification service not configured")
+		n.logger.Info("Gear warranty notifier: notification service not configured, skipping")
 		return
 	}
@ -46,34 +45,42 @@ func (n *GearWarrantyNotifier) Start(ctx context.Context) {
 		case <-ctx.Done():
 			return
 		case <-ticker.C:
-			if err := n.checkAndNotify(ctx); err != nil {
+			if err := n.runCheck(ctx); err != nil {
-				n.logger.Error("Gear warranty notifier failed", zap.Error(err))
+				n.logger.Error("Gear warranty check failed", zap.Error(err))
 			}
 		}
 	}
 }
-func (n *GearWarrantyNotifier) checkAndNotify(ctx context.Context) error {
+func (n *GearWarrantyNotifier) runCheck(ctx context.Context) error {
-	// Gear with warranty_expire between now and now+30 days
+	var items []struct {
-	now := time.Now()
+		ID             uuid.UUID
-	expiryLimit := now.Add(30 * 24 * time.Hour)
+		UserID         uuid.UUID
-
+		Name           string
-	var items []models.GearItem
+		WarrantyExpire *time.Time
-	err := n.db.WithContext(ctx).Where(
+	}
-		"warranty_expire IS NOT NULL AND warranty_expire > ? AND warranty_expire <= ?",
+	err := n.db.WithContext(ctx).Raw(`
-		now, expiryLimit,
+		SELECT id, user_id, name, warranty_expire
-	).Find(&items).Error
+		FROM gear_items
 		WHERE warranty_expire IS NOT NULL
 		  AND warranty_expire > NOW()
 		  AND warranty_expire <= NOW() + INTERVAL '30 days'
 		  AND deleted_at IS NULL
 	`).Scan(&items).Error
 	if err != nil {
-		return nil
+		return fmt.Errorf("query expiring gear: %w", err)
 	}
 	for _, item := range items {
 		if item.WarrantyExpire == nil {
 			continue
 		}
-		daysLeft := int(item.WarrantyExpire.Sub(now).Hours() / 24)
+		daysLeft := int(time.Until(*item.WarrantyExpire).Hours() / 24)
-		msg := fmt.Sprintf("%s warranty expires in %d days", item.Name, daysLeft)
+		if daysLeft < 0 {
-		link := fmt.Sprintf("/inventory?gear=%s", item.ID)
+			daysLeft = 0
 		}
 		msg := fmt.Sprintf("Warranty for %s expires in %d days", item.Name, daysLeft)
 		link := fmt.Sprintf("/inventory/gear/%s", item.ID)
 		if err := n.notificationService.CreateNotification(item.UserID, "gear_warranty", "Warranty expiring soon", msg, link); err != nil {
 			n.logger.Warn("failed to send warranty notification", zap.String("gear_id", item.ID.String()), zap.Error(err))
 		}
--- a/veza-backend-api/internal/services/gear_warranty_notifier_test.go
+++ b/veza-backend-api/internal/services/gear_warranty_notifier_test.go
@ -0,0 +1,28 @@
 package services
 import (
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.uber.org/zap"
 	"gorm.io/driver/sqlite"
 	"gorm.io/gorm"
 	"veza-backend-api/internal/models"
 )
 func setupGearWarrantyDB(t *testing.T) *gorm.DB {
 	db, err := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{})
 	require.NoError(t, err)
 	require.NoError(t, db.AutoMigrate(&models.GearItem{}))
 	return db
 }
 func TestNewGearWarrantyNotifier(t *testing.T) {
 	db := setupGearWarrantyDB(t)
 	logger := zap.NewNop()
 	notifier := NewGearWarrantyNotifier(db, nil, logger)
 	assert.NotNil(t, notifier)
 }
--- a/veza-backend-api/internal/services/tag_suggest_service_test.go
+++ b/veza-backend-api/internal/services/tag_suggest_service_test.go
@ -0,0 +1,19 @@
 package services
 import (
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"gorm.io/driver/sqlite"
 	"gorm.io/gorm"
 )
 // TagSuggestService uses PostgreSQL-specific SQL (unnest, ILIKE).
 // Full Suggest() tests require PostgreSQL; see integration tests.
 func TestTagSuggestService_NewTagSuggestService(t *testing.T) {
 	db, err := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{})
 	require.NoError(t, err)
 	svc := NewTagSuggestService(db)
 	assert.NotNil(t, svc)
 }
--- a/veza-backend-api/openapi.yaml
+++ b/veza-backend-api/openapi.yaml
--- a/veza-backend-api/tests/contract/contract_test_helpers.go
+++ b/veza-backend-api/tests/contract/contract_test_helpers.go
@ -0,0 +1,33 @@
 package contract
 import (
 	"encoding/json"
 	"testing"
 	"github.com/stretchr/testify/require"
 )
 // ValidateAPIResponseEnvelope checks that the response has success, data/error.
 func ValidateAPIResponseEnvelope(t *testing.T, body []byte, expectSuccess bool) map[string]interface{} {
 	t.Helper()
 	var resp map[string]interface{}
 	require.NoError(t, json.Unmarshal(body, &resp))
 	success, ok := resp["success"].(bool)
 	require.True(t, ok, "response must have success field")
 	require.Equal(t, expectSuccess, success)
 	if expectSuccess {
 		require.Contains(t, resp, "data")
 		require.Nil(t, resp["error"])
 	} else {
 		require.Contains(t, resp, "error")
 	}
 	return resp
 }
 // RequireDataKeys checks that data has the required top-level keys.
 func RequireDataKeys(t *testing.T, data map[string]interface{}, keys ...string) {
 	t.Helper()
 	for _, k := range keys {
 		require.Contains(t, data, k, "data must contain key %q", k)
 	}
 }
--- a/veza-backend-api/tests/contract/critical_endpoints_test.go
+++ b/veza-backend-api/tests/contract/critical_endpoints_test.go
@ -0,0 +1,480 @@
 //go:build integration
 // +build integration
 package contract
 import (
 	"bytes"
 	"context"
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
 	"os"
 	"testing"
 	"time"
 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
 	"golang.org/x/crypto/bcrypt"
 	"go.uber.org/zap"
 	"gorm.io/driver/sqlite"
 	"gorm.io/gorm"
 	"veza-backend-api/internal/api"
 	"veza-backend-api/internal/config"
 	"veza-backend-api/internal/core/marketplace"
 	"veza-backend-api/internal/database"
 	"veza-backend-api/internal/metrics"
 	"veza-backend-api/internal/middleware"
 	"veza-backend-api/internal/models"
 	"veza-backend-api/internal/services"
 	"github.com/stretchr/testify/require"
 )
 // testAuthMiddleware reads X-User-ID header for integration tests (marketplace routes)
 type testAuthMiddleware struct{}
 func (t *testAuthMiddleware) RequireAuth() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		if userIDStr := c.GetHeader("X-User-ID"); userIDStr != "" {
 			if userID, err := uuid.Parse(userIDStr); err == nil {
 				c.Set("user_id", userID)
 				c.Next()
 				return
 			}
 		}
 		c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "Unauthorized"})
 	}
 }
 func (t *testAuthMiddleware) RequireContentCreatorRole() gin.HandlerFunc { return t.RequireAuth() }
 func (t *testAuthMiddleware) RequireOwnershipOrAdmin(_ string, _ middleware.ResourceOwnerResolver) gin.HandlerFunc {
 	return t.RequireAuth()
 }
 // migrateContractDB runs AutoMigrate for all models needed by contract tests.
 func migrateContractDB(t *testing.T, db *gorm.DB, extra ...interface{}) {
 	t.Helper()
 	allModels := []interface{}{
 		&models.User{},
 		&models.RefreshToken{},
 		&models.StorageQuota{},
 		&models.Track{},
 		&models.Session{},
 		&models.Notification{},
 		&models.Room{},
 		&models.RoomMember{},
 		&models.Message{},
 		&models.Playlist{},
 		&models.PlaylistTrack{},
 		&models.UserPresence{},
 		&models.Role{},
 		&models.UserRole{},
 		&models.Permission{},
 		&models.RolePermission{},
 	}
 	allModels = append(allModels, extra...)
 	require.NoError(t, db.AutoMigrate(allModels...))
 	// Add download_count to tracks if missing (analytics handler expects it)
 	_ = db.Exec("ALTER TABLE tracks ADD COLUMN download_count INTEGER DEFAULT 0").Error
 }
 func setupContractRouter(t *testing.T, db *gorm.DB, marketSvc *marketplace.Service) *gin.Engine {
 	t.Helper()
 	os.Setenv("ENABLE_CLAMAV", "false")
 	os.Setenv("CLAMAV_REQUIRED", "false")
 	gin.SetMode(gin.TestMode)
 	router := gin.New()
 	sqlDB, err := db.DB()
 	require.NoError(t, err)
 	vezaDB := &database.Database{DB: sqlDB, GormDB: db, Logger: zap.NewNop()}
 	cfg := &config.Config{
 		HyperswitchWebhookSecret: "test-secret",
 		JWTSecret:                "test-jwt-secret-key-minimum-32-characters-long",
 		JWTIssuer:                "veza-api",
 		JWTAudience:              "veza-app",
 		Logger:                   zap.NewNop(),
 		RedisClient:              nil,
 		ErrorMetrics:              metrics.NewErrorMetrics(),
 		UploadDir:                 "uploads/test",
 		Env:                       "development",
 		Database:                  vezaDB,
 		CORSOrigins:               []string{"*"},
 		HandlerTimeout:            30 * time.Second,
 		RateLimitLimit:            100,
 		AuthRateLimitLoginAttempts: 100,
 		AuthRateLimitLoginWindow:  15,
 		MarketplaceServiceOverride: marketSvc,
 	}
 	require.NoError(t, cfg.InitServicesForTest())
 	require.NoError(t, cfg.InitMiddlewaresForTest())
 	cfg.AuthMiddlewareOverride = &testAuthMiddleware{}
 	apiRouter := api.NewAPIRouter(vezaDB, cfg)
 	require.NoError(t, apiRouter.Setup(router))
 	return router
 }
 func openContractDB(t *testing.T) *gorm.DB {
 	t.Helper()
 	db, err := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{})
 	require.NoError(t, err)
 	sqlDB, err := db.DB()
 	require.NoError(t, err)
 	sqlDB.SetMaxOpenConns(1) // SQLite :memory: - each new connection gets empty DB
 	return db
 }
 func TestContract_Login(t *testing.T) {
 	db := openContractDB(t)
 	migrateContractDB(t, db)
 	// No user - login fails with 401
 	router := setupContractRouter(t, db, nil)
 	body, _ := json.Marshal(map[string]string{"email": "nobody@test.com", "password": "wrong"})
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/login", bytes.NewReader(body))
 	req.Header.Set("Content-Type", "application/json")
 	w := httptest.NewRecorder()
 	router.ServeHTTP(w, req)
 	require.Equal(t, http.StatusUnauthorized, w.Code)
 	resp := ValidateAPIResponseEnvelope(t, w.Body.Bytes(), false)
 	require.NotNil(t, resp["error"])
 }
 func TestContract_Register(t *testing.T) {
 	db := openContractDB(t)
 	migrateContractDB(t, db)
 	router := setupContractRouter(t, db, nil)
 	body, _ := json.Marshal(map[string]interface{}{
 		"email":                 "contract-" + uuid.New().String() + "@test.com",
 		"username":              "contractuser",
 		"password":              "ValidPassword123!",
 		"password_confirmation":  "ValidPassword123!",
 	})
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/register", bytes.NewReader(body))
 	req.Header.Set("Content-Type", "application/json")
 	w := httptest.NewRecorder()
 	router.ServeHTTP(w, req)
 	require.True(t, w.Code == http.StatusCreated || w.Code == http.StatusBadRequest, "register: %s", w.Body.String())
 	resp := ValidateAPIResponseEnvelope(t, w.Body.Bytes(), w.Code == http.StatusCreated)
 	if w.Code == http.StatusCreated {
 		data, ok := resp["data"].(map[string]interface{})
 		require.True(t, ok)
 		RequireDataKeys(t, data, "user", "token")
 	}
 }
 func TestContract_GetTracks(t *testing.T) {
 	db := openContractDB(t)
 	migrateContractDB(t, db)
 	router := setupContractRouter(t, db, nil)
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/tracks", nil)
 	w := httptest.NewRecorder()
 	router.ServeHTTP(w, req)
 	require.Equal(t, http.StatusOK, w.Code)
 	resp := ValidateAPIResponseEnvelope(t, w.Body.Bytes(), true)
 	data, ok := resp["data"].(map[string]interface{})
 	require.True(t, ok)
 	// Tracks may be in "tracks" or "items" depending on handler
 	require.True(t, data["tracks"] != nil || data["items"] != nil || data["data"] != nil,
 		"data should have tracks/items: %v", data)
 }
 func TestContract_GetUser(t *testing.T) {
 	db := openContractDB(t)
 	migrateContractDB(t, db)
 	userID := uuid.New()
 	hash, _ := bcrypt.GenerateFromPassword([]byte("password123"), bcrypt.DefaultCost)
 	require.NoError(t, db.Create(&models.User{
 		ID:           userID,
 		Email:        "me@test.com",
 		Username:     "meuser",
 		PasswordHash: string(hash),
 		IsVerified:   true,
 	}).Error)
 	router := setupContractRouter(t, db, nil)
 	// Login to get token
 	loginBody, _ := json.Marshal(map[string]string{"email": "me@test.com", "password": "password123"})
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/login", bytes.NewReader(loginBody))
 	req.Header.Set("Content-Type", "application/json")
 	w := httptest.NewRecorder()
 	router.ServeHTTP(w, req)
 	require.Equal(t, http.StatusOK, w.Code)
 	var loginResp map[string]interface{}
 	require.NoError(t, json.Unmarshal(w.Body.Bytes(), &loginResp))
 	data := loginResp["data"].(map[string]interface{})
 	tokenData := data["token"].(map[string]interface{})
 	accessToken := tokenData["access_token"].(string)
 	// GET /auth/me
 	req = httptest.NewRequest(http.MethodGet, "/api/v1/auth/me", nil)
 	req.Header.Set("Authorization", "Bearer "+accessToken)
 	w = httptest.NewRecorder()
 	router.ServeHTTP(w, req)
 	require.Equal(t, http.StatusOK, w.Code)
 	resp := ValidateAPIResponseEnvelope(t, w.Body.Bytes(), true)
 	userData, ok := resp["data"].(map[string]interface{})
 	require.True(t, ok)
 	RequireDataKeys(t, userData, "id", "email", "username")
 }
 func TestContract_CreateTrack(t *testing.T) {
 	db := openContractDB(t)
 	migrateContractDB(t, db)
 	userID := uuid.New()
 	hash, _ := bcrypt.GenerateFromPassword([]byte("password123"), bcrypt.DefaultCost)
 	require.NoError(t, db.Create(&models.User{
 		ID:           userID,
 		Email:        "creator@test.com",
 		Username:     "creator",
 		PasswordHash: string(hash),
 		IsVerified:   true,
 		Role:         "content_creator",
 	}).Error)
 	// RequireContentCreatorRole checks user_roles; create creator role and assign
 	creatorRole := models.Role{ID: uuid.New(), Name: "creator", DisplayName: "Creator", IsSystem: true}
 	require.NoError(t, db.Create(&creatorRole).Error)
 	require.NoError(t, db.Create(&models.UserRole{
 		UserID: userID, RoleID: creatorRole.ID, RoleName: "creator", IsActive: true,
 	}).Error)
 	router := setupContractRouter(t, db, nil)
 	// Login
 	loginBody, _ := json.Marshal(map[string]string{"email": "creator@test.com", "password": "password123"})
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/login", bytes.NewReader(loginBody))
 	req.Header.Set("Content-Type", "application/json")
 	w := httptest.NewRecorder()
 	router.ServeHTTP(w, req)
 	require.Equal(t, http.StatusOK, w.Code)
 	var loginResp map[string]interface{}
 	require.NoError(t, json.Unmarshal(w.Body.Bytes(), &loginResp))
 	tokenData := loginResp["data"].(map[string]interface{})["token"].(map[string]interface{})
 	accessToken := tokenData["access_token"].(string)
 	// POST /tracks without file -> expect 400 (validation)
 	req = httptest.NewRequest(http.MethodPost, "/api/v1/tracks", nil)
 	req.Header.Set("Authorization", "Bearer "+accessToken)
 	w = httptest.NewRecorder()
 	router.ServeHTTP(w, req)
 	require.True(t, w.Code == http.StatusBadRequest || w.Code == http.StatusUnsupportedMediaType)
 	ValidateAPIResponseEnvelope(t, w.Body.Bytes(), false)
 }
 func TestContract_Search(t *testing.T) {
 	db := openContractDB(t)
 	migrateContractDB(t, db)
 	router := setupContractRouter(t, db, nil)
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/search?q=test", nil)
 	w := httptest.NewRecorder()
 	router.ServeHTTP(w, req)
 	// Search uses PostgreSQL-specific SQL (ILIKE); may return 500 on SQLite
 	require.True(t, w.Code == http.StatusOK || w.Code == http.StatusInternalServerError,
 		"expected 200 or 500, got %d: %s", w.Code, w.Body.String())
 	if w.Code == http.StatusOK {
 		resp := ValidateAPIResponseEnvelope(t, w.Body.Bytes(), true)
 		require.Contains(t, resp, "data")
 	}
 	// On 500, Search returns raw gin.H{"error": "..."} - no standard envelope
 }
 func TestContract_CreateOrder(t *testing.T) {
 	db := openContractDB(t)
 	migrateContractDB(t, db,
 		&marketplace.Product{}, &marketplace.Order{}, &marketplace.OrderItem{}, &marketplace.License{}, &marketplace.SellerTransfer{},
 	)
 	userID := uuid.New()
 	trackID := uuid.New()
 	hash, _ := bcrypt.GenerateFromPassword([]byte("password123"), bcrypt.DefaultCost)
 	require.NoError(t, db.Create(&models.User{ID: userID, Email: "buyer@test.com", Username: "buyer", PasswordHash: string(hash), IsVerified: true}).Error)
 	require.NoError(t, db.Create(&models.Track{ID: trackID, UserID: userID, FilePath: "/test.mp3"}).Error)
 	product := &marketplace.Product{
 		ID: uuid.New(), SellerID: userID, Title: "Test", Price: 9.99, ProductType: "track",
 		TrackID: &trackID, Status: marketplace.ProductStatusActive,
 	}
 	require.NoError(t, db.Create(product).Error)
 	storageService := services.NewTrackStorageService("uploads/test", false, zap.NewNop())
 	marketSvc := marketplace.NewService(db, zap.NewNop(), storageService,
 		marketplace.WithPaymentProvider(&mockPaymentProvider{paymentID: "pay_1", clientSecret: "sec"}),
 		marketplace.WithHyperswitchConfig(true, "/"),
 	)
 	router := setupContractRouter(t, db, marketSvc)
 	// Login
 	loginBody, _ := json.Marshal(map[string]string{"email": "buyer@test.com", "password": "password123"})
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/login", bytes.NewReader(loginBody))
 	req.Header.Set("Content-Type", "application/json")
 	w := httptest.NewRecorder()
 	router.ServeHTTP(w, req)
 	require.Equal(t, http.StatusOK, w.Code)
 	var loginResp map[string]interface{}
 	require.NoError(t, json.Unmarshal(w.Body.Bytes(), &loginResp))
 	tokenData := loginResp["data"].(map[string]interface{})["token"].(map[string]interface{})
 	accessToken := tokenData["access_token"].(string)
 	// Create order via marketplace (uses AuthMiddlewareOverride -> X-User-ID)
 	orderBody, _ := json.Marshal(map[string]interface{}{
 		"items": []map[string]string{{"product_id": product.ID.String()}},
 	})
 	req = httptest.NewRequest(http.MethodPost, "/api/v1/marketplace/orders", bytes.NewReader(orderBody))
 	req.Header.Set("Content-Type", "application/json")
 	req.Header.Set("Authorization", "Bearer "+accessToken)
 	req.Header.Set("X-User-ID", userID.String())
 	w = httptest.NewRecorder()
 	router.ServeHTTP(w, req)
 	require.True(t, w.Code == http.StatusCreated || w.Code == http.StatusOK || w.Code >= 400)
 	resp := ValidateAPIResponseEnvelope(t, w.Body.Bytes(), w.Code < 400)
 	if w.Code < 400 {
 		data, _ := resp["data"].(map[string]interface{})
 		if data != nil {
 			require.True(t, data["order"] != nil || data["payment_id"] != nil || data["id"] != nil)
 		}
 	}
 }
 type mockPaymentProvider struct {
 	paymentID    string
 	clientSecret string
 }
 func (m *mockPaymentProvider) CreatePayment(_ context.Context, _ int64, _, _, _ string, _ map[string]string) (string, string, error) {
 	return m.paymentID, m.clientSecret, nil
 }
 func (m *mockPaymentProvider) GetPayment(_ context.Context, _ string) (string, error) {
 	return "succeeded", nil
 }
 func TestContract_GetNotifications(t *testing.T) {
 	db := openContractDB(t)
 	migrateContractDB(t, db)
 	userID := uuid.New()
 	hash, _ := bcrypt.GenerateFromPassword([]byte("password123"), bcrypt.DefaultCost)
 	require.NoError(t, db.Create(&models.User{
 		ID: userID, Email: "notif@test.com", Username: "notifuser",
 		PasswordHash: string(hash), IsVerified: true,
 	}).Error)
 	router := setupContractRouter(t, db, nil)
 	loginBody, _ := json.Marshal(map[string]string{"email": "notif@test.com", "password": "password123"})
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/login", bytes.NewReader(loginBody))
 	req.Header.Set("Content-Type", "application/json")
 	w := httptest.NewRecorder()
 	router.ServeHTTP(w, req)
 	require.Equal(t, http.StatusOK, w.Code)
 	var loginResp map[string]interface{}
 	require.NoError(t, json.Unmarshal(w.Body.Bytes(), &loginResp))
 	tokenData := loginResp["data"].(map[string]interface{})["token"].(map[string]interface{})
 	accessToken := tokenData["access_token"].(string)
 	req = httptest.NewRequest(http.MethodGet, "/api/v1/notifications", nil)
 	req.Header.Set("Authorization", "Bearer "+accessToken)
 	w = httptest.NewRecorder()
 	router.ServeHTTP(w, req)
 	require.Equal(t, http.StatusOK, w.Code)
 	resp := ValidateAPIResponseEnvelope(t, w.Body.Bytes(), true)
 	require.Contains(t, resp, "data")
 }
 func TestContract_GetConversations(t *testing.T) {
 	db := openContractDB(t)
 	migrateContractDB(t, db)
 	userID := uuid.New()
 	hash, _ := bcrypt.GenerateFromPassword([]byte("password123"), bcrypt.DefaultCost)
 	require.NoError(t, db.Create(&models.User{
 		ID: userID, Email: "conv@test.com", Username: "convuser",
 		PasswordHash: string(hash), IsVerified: true,
 	}).Error)
 	router := setupContractRouter(t, db, nil)
 	loginBody, _ := json.Marshal(map[string]string{"email": "conv@test.com", "password": "password123"})
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/login", bytes.NewReader(loginBody))
 	req.Header.Set("Content-Type", "application/json")
 	w := httptest.NewRecorder()
 	router.ServeHTTP(w, req)
 	require.Equal(t, http.StatusOK, w.Code)
 	var loginResp map[string]interface{}
 	require.NoError(t, json.Unmarshal(w.Body.Bytes(), &loginResp))
 	tokenData := loginResp["data"].(map[string]interface{})["token"].(map[string]interface{})
 	accessToken := tokenData["access_token"].(string)
 	req = httptest.NewRequest(http.MethodGet, "/api/v1/conversations", nil)
 	req.Header.Set("Authorization", "Bearer "+accessToken)
 	w = httptest.NewRecorder()
 	router.ServeHTTP(w, req)
 	require.Equal(t, http.StatusOK, w.Code)
 	resp := ValidateAPIResponseEnvelope(t, w.Body.Bytes(), true)
 	require.Contains(t, resp, "data")
 }
 func TestContract_GetAnalytics(t *testing.T) {
 	db := openContractDB(t)
 	migrateContractDB(t, db)
 	userID := uuid.New()
 	hash, _ := bcrypt.GenerateFromPassword([]byte("password123"), bcrypt.DefaultCost)
 	require.NoError(t, db.Create(&models.User{
 		ID: userID, Email: "analytics@test.com", Username: "analyticsuser",
 		PasswordHash: string(hash), IsVerified: true,
 	}).Error)
 	router := setupContractRouter(t, db, nil)
 	loginBody, _ := json.Marshal(map[string]string{"email": "analytics@test.com", "password": "password123"})
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/login", bytes.NewReader(loginBody))
 	req.Header.Set("Content-Type", "application/json")
 	w := httptest.NewRecorder()
 	router.ServeHTTP(w, req)
 	require.Equal(t, http.StatusOK, w.Code)
 	var loginResp map[string]interface{}
 	require.NoError(t, json.Unmarshal(w.Body.Bytes(), &loginResp))
 	tokenData := loginResp["data"].(map[string]interface{})["token"].(map[string]interface{})
 	accessToken := tokenData["access_token"].(string)
 	req = httptest.NewRequest(http.MethodGet, "/api/v1/analytics", nil)
 	req.Header.Set("Authorization", "Bearer "+accessToken)
 	w = httptest.NewRecorder()
 	router.ServeHTTP(w, req)
 	require.Equal(t, http.StatusOK, w.Code)
 	resp := ValidateAPIResponseEnvelope(t, w.Body.Bytes(), true)
 	require.Contains(t, resp, "data")
 }