diff --git a/VERSION b/VERSION index 2d0aef0c9..8e5c86d18 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.952 +0.962 diff --git a/docs/API_REFERENCE.md b/docs/API_REFERENCE.md index 5848beafc..771a3419a 100644 --- a/docs/API_REFERENCE.md +++ b/docs/API_REFERENCE.md @@ -4,6 +4,8 @@ Base URL: `http://localhost:8080/api/v1` (or your `APP_DOMAIN`) All responses use the format: `{ "success": true|false, "data": {...} }` or `{ "success": false, "error": "..." }`. +**Quick index:** [Auth](#authentication) | [Tracks](#tracks) | [Chat](#chat) | [Social](#social) | [Conversations](#conversations) | [Sessions](#sessions) | [Marketplace](#marketplace) | [Health](#health) + --- ## Authentication @@ -815,3 +817,194 @@ The following routes are also available at the root (without `/api/v1` prefix) b - `GET /metrics` Use `/api/v1/...` for new integrations. + +--- + +## Tracks (v0.931 cursor) + +### GET /tracks + +List tracks (paginated). Supports cursor-based pagination (v0.931). + +**Auth:** None (public) + +**Query params:** `limit`, `page` (legacy OFFSET), `cursor` (opaque base64, keyset on `created_at`+`id`), `genre`, `format`, `sort_by`, `sort_order` + +**Example:** +```bash +curl "http://localhost:8080/api/v1/tracks?limit=20" +curl "http://localhost:8080/api/v1/tracks?cursor=eyJjcmVhdGVkX2F0Ijo...&limit=20" +``` + +**Response (200):** `{ "success": true, "data": { "tracks": [...], "next_cursor": "...", "has_more": true } }` + +--- + +### GET /tracks/:id + +Get a single track by ID. + +**Auth:** None (public) + +--- + +### GET /tracks/search + +Search tracks. Query: `?q=...&limit=20`. + +**Auth:** None + +--- + +### POST /tracks (protected) + +Upload a track. Requires Bearer token + content creator role. + +--- + +### POST /tracks/:id/like, DELETE /tracks/:id/like + +Like/unlike a track. + +**Auth:** Bearer token (required) + +--- + +### GET /tracks/:id/comments + +List comments on a track. + +**Auth:** None + +--- + +### POST /tracks/:id/comments (protected) + +Add a comment. + +**Auth:** Bearer token (required) + +--- + +## Chat + +### GET /chat/token + +Generate a short-lived JWT for WebSocket authentication. Used by the chat client to connect to the WebSocket endpoint. + +**Auth:** Bearer token (required) + +**Example:** +```bash +curl "http://localhost:8080/api/v1/chat/token" -H "Authorization: Bearer eyJ..." +``` + +**Response (200):** `{ "success": true, "data": { "token": "eyJ...", "expires_in": 300 } }` + +--- + +## Social (v0.931 cursor) + +### GET /social/feed + +Global feed (cursor-based pagination). Auth optional (personalized when authenticated). + +**Query params:** `limit`, `cursor` (base64: `created_at_unix_nano|uuid`) + +**Auth:** None or Bearer (optional for personalization) + +--- + +### GET /social/explore, GET /social/trending + +Explore and trending posts. + +**Auth:** None + +--- + +### POST /social/posts, POST /social/like, POST /social/comments + +Create post, toggle like, add comment. + +**Auth:** Bearer token (required) + +--- + +## Conversations (v0.931 cursor) + +### GET /conversations + +List user's rooms (conversations). + +**Auth:** Bearer token (required) + +--- + +### GET /conversations/:id/history + +Message history for a room. Supports cursor-based pagination. + +**Query params:** `limit`, `cursor` + +**Auth:** Bearer token (required) + +--- + +### POST /conversations, PUT /conversations/:id, DELETE /conversations/:id + +Create, update, delete room. + +**Auth:** Bearer token (required) + +--- + +## Sessions + +### GET /sessions + +List active sessions for the current user. + +**Auth:** Bearer token (required) + +--- + +### POST /sessions/logout, POST /sessions/logout-all, POST /sessions/refresh + +Logout (single, all), refresh session. + +**Auth:** Bearer token (required) + +--- + +## Status & System + +### GET /status + +Platform status (DB, Redis, Chat, Stream server connectivity). + +**Auth:** None + +--- + +### POST /validate + +Validation endpoint (A01 rate limited). Body varies by validation type. + +**Auth:** None + +--- + +### GET /upload/limits, GET /upload/validate-type + +Upload configuration and file type validation (public). + +**Auth:** None + +--- + +### GET /csrf-token + +Get CSRF token for protected requests (optional auth). + +**Auth:** None or Bearer (optional) diff --git a/docs/ONBOARDING.md b/docs/ONBOARDING.md index 0c4eaa21a..43d4e1628 100644 --- a/docs/ONBOARDING.md +++ b/docs/ONBOARDING.md @@ -25,7 +25,7 @@ This guide helps new developers set up the Veza monorepo and understand its arch --- -## 2. Setup in 5 Minutes +## 2. Setup in 5 Minutes (target: <30 min clone → first test passing) ### Quick start (minimal: Backend + Web) @@ -41,6 +41,20 @@ make setup-dev make dev ``` +### Verify your setup (<30 min total) + +Run these commands to confirm everything works: + +```bash +# Backend tests (from repo root) +make test-backend-api + +# Frontend tests +make test-web +``` + +If both pass, your environment is ready. Troubleshooting: see [§6](#6-troubleshooting). + Or step by step: ```bash diff --git a/docs/adr/ADR-003-redis-sentinel-postponed.md b/docs/adr/ADR-003-redis-sentinel-postponed.md new file mode 100644 index 000000000..16e3857ab --- /dev/null +++ b/docs/adr/ADR-003-redis-sentinel-postponed.md @@ -0,0 +1,26 @@ +# ADR-003: Redis Sentinel (HA) Reporté à v1.1 + +**Date**: 2026-03-02 +**Statut**: Accepté +**Réf.**: ROADMAP_V09XX_TO_V1, Audit-DEBT-03 + +--- + +## Contexte + +Redis est utilisé pour : sessions, CSRF tokens, rate limiting, cache, pub/sub. En production v1.0, Redis est un **single point of failure** (SPOF). + +## Décision + +**Reporter Redis Sentinel / Redis Cluster à v1.1.** Pour le lancement v1.0 (quelques centaines d'utilisateurs), une instance Redis unique avec backups réguliers et un runbook de dégradation suffisent. + +## Justification + +- HA Redis (Sentinel ou Cluster) ajoute complexité opérationnelle et ~5 jours de travail +- Le runbook [INCIDENT_RESPONSE.md](runbooks/INCIDENT_RESPONSE.md) documente le comportement dégradé : rate limiting in-memory, CSRF → 503, sessions invalidées → re-login +- Non sur le chemin critique de v1.0 + +## Conséquences + +- v1.0 : SPOF accepté, documenté dans `docs/V1_LIMITATIONS.md` (v0.971) +- v1.1 : implémenter Redis Sentinel ou Cluster pour HA diff --git a/docs/adr/ADR-004-pkce-oauth.md b/docs/adr/ADR-004-pkce-oauth.md new file mode 100644 index 000000000..f091e2d77 --- /dev/null +++ b/docs/adr/ADR-004-pkce-oauth.md @@ -0,0 +1,31 @@ +# ADR-004: PKCE pour le Flux OAuth (v0.902) + +**Date**: 2026-03-02 +**Statut**: Accepté (implémentation prévue v0.902) +**Réf.**: VEZA-SEC-003, OWASP A07 + +--- + +## Contexte + +Le flux OAuth Authorization Code actuel ne supporte pas PKCE (Proof Key for Code Exchange). Sur un client public (SPA), le code d'autorisation peut être intercepté lors de la redirection. + +## Décision + +**Implémenter PKCE (S256) dans le flux OAuth**, cible v0.902 "Sentinel". + +- `code_verifier` : 128 bytes random, base64url +- `code_challenge` : SHA-256 du verifier, base64url +- `code_challenge_method=S256` dans l'URL d'autorisation +- Stockage du verifier en DB (`oauth_states.code_verifier`) ou Redis + +## Justification + +- Google, GitHub, Discord, Spotify supportent PKCE +- Conformité OWASP A07 (Authentication) +- Vulnérabilité ÉLEVÉE identifiée dans l'audit + +## Conséquences + +- OAuth plus sécurisé pour les SPA +- Migration possible pour les bases existantes (nouvelle colonne) diff --git a/docs/adr/README.md b/docs/adr/README.md new file mode 100644 index 000000000..c44d366dd --- /dev/null +++ b/docs/adr/README.md @@ -0,0 +1,8 @@ +# Architecture Decision Records + +| ADR | Title | Status | +|-----|-------|--------| +| [ADR-001](ADR-001-rust-services.md) | Go + Rust + React Architecture | Accepted | +| [ADR-002](ADR-002-chat-server.md) | Chat Server Rust → Go | Accepted | +| [ADR-003](ADR-003-redis-sentinel-postponed.md) | Redis Sentinel postponed to v1.1 | Accepted | +| [ADR-004](ADR-004-pkce-oauth.md) | PKCE for OAuth (v0.902) | Accepted |