diff --git a/veza-chat-server/.env.lab.example b/veza-chat-server/.env.lab.example
index d9132c88f..66b7e157d 100644
--- a/veza-chat-server/.env.lab.example
+++ b/veza-chat-server/.env.lab.example
@@ -3,8 +3,8 @@
 
 # Base de données (avec schema chat forcé)
 # Note: Les scripts lab ajoutent automatiquement options=-c search_path=chat si absent
-VEZA_LAB_DSN="postgres://veza:veza_password@localhost:5432/veza_lab?sslmode=disable"
-DATABASE_URL="postgres://veza:veza_password@localhost:5432/veza_lab?sslmode=disable&options=-c%20search_path=chat"
+VEZA_LAB_DSN="postgres://veza:veza_password@veza.fr:5432/veza_lab?sslmode=disable"
+DATABASE_URL="postgres://veza:veza_password@veza.fr:5432/veza_lab?sslmode=disable&options=-c%20search_path=chat"
 
 # Serveur
 CHAT_SERVER_PORT=8081
diff --git a/veza-common/Cargo.toml b/veza-common/Cargo.toml
index 916e758bb..95c3d420e 100644
--- a/veza-common/Cargo.toml
+++ b/veza-common/Cargo.toml
@@ -52,7 +52,7 @@ sha2 = "0.10"
 hmac = "0.12"
 base64 = "0.21"
 rand = "0.8"
-totp-rs = "5.4"
+totp-rs = { version = "5.4", features = ["otpauth"] }
 
 # HTTP client
 reqwest = { version = "0.11", features = ["json"] }
diff --git a/veza-common/src/auth.rs b/veza-common/src/auth.rs
index 45591e79d..23afd5005 100644
--- a/veza-common/src/auth.rs
+++ b/veza-common/src/auth.rs
@@ -354,6 +354,8 @@ pub fn validate_totp_code(secret: &str, code: &str, _window: i64) -> VezaResult<
         30,
         secret_obj.to_bytes()
             .map_err(|e| VezaError::Auth(format!("Invalid TOTP secret: {}", e)))?,
+        None,
+        "".to_string(),
     ).map_err(|e| VezaError::Auth(format!("Invalid TOTP secret: {}", e)))?;
     
     let is_valid = totp.check_current(code)
diff --git a/veza-stream-server/src/routes/api.rs b/veza-stream-server/src/routes/api.rs
index e543fa849..3ce636dc3 100644
--- a/veza-stream-server/src/routes/api.rs
+++ b/veza-stream-server/src/routes/api.rs
@@ -149,7 +149,7 @@ async fn internal_transcode_handler(
     headers: HeaderMap,
     Json(payload): Json<serde_json::Value>,
 ) -> Result<Json<serde_json::Value>, (StatusCode, String)> {
-    // SECURITY: Require X-Internal-API-Key when INTERNAL_API_KEY is set
+    // SECURITY: Require X-Internal-API-Key when INTERNAL_API_KEY is set (P1.1.2)
     if let Ok(expected_key) = std::env::var("INTERNAL_API_KEY") {
         if !expected_key.is_empty() {
             let provided = headers
diff --git a/veza-stream-server/src/streaming/websocket.rs b/veza-stream-server/src/streaming/websocket.rs
index 894649cc9..dbdee62b5 100644
--- a/veza-stream-server/src/streaming/websocket.rs
+++ b/veza-stream-server/src/streaming/websocket.rs
@@ -313,7 +313,7 @@ impl WebSocketManager {
         };
 
         if let Ok(json) = serde_json::to_string(&welcome_event) {
-            if let Err(e) = sender_ws.send(Message::Text(json)).await {
+            if let Err(e) = sender_ws.send(Message::Text(json.into())).await {
                 tracing::warn!("Erreur envoi message bienvenue: {}", e);
             }
         }
@@ -416,7 +416,7 @@ impl WebSocketManager {
 
                 if should_send {
                     if let Ok(json) = serde_json::to_string(&event) {
-                        if let Err(e) = sender_ws.send(Message::Text(json)).await {
+                        if let Err(e) = sender_ws.send(Message::Text(json.into())).await {
                             tracing::warn!(
                                 "Erreur envoi événement à {}: {}",
                                 connection_id_clone,