chore(release): v0.962 — Onboard (API ref, onboarding <30min, ADRs)

VERSION

@@ -1 +1 @@
-0.952
+0.962

docs/API_REFERENCE.md

@@ -4,6 +4,8 @@ Base URL: `http://localhost:8080/api/v1` (or your `APP_DOMAIN`)
 
 All responses use the format: `{ "success": true|false, "data": {...} }` or `{ "success": false, "error": "..." }`.
 
+**Quick index:** [Auth](#authentication) | [Tracks](#tracks) | [Chat](#chat) | [Social](#social) | [Conversations](#conversations) | [Sessions](#sessions) | [Marketplace](#marketplace) | [Health](#health)
+
 ---
 
 ## Authentication
@@ -815,3 +817,194 @@ The following routes are also available at the root (without `/api/v1` prefix) b
 - `GET /metrics`
 
 Use `/api/v1/...` for new integrations.
+
+---
+
+## Tracks (v0.931 cursor)
+
+### GET /tracks
+
+List tracks (paginated). Supports cursor-based pagination (v0.931).
+
+**Auth:** None (public)
+
+**Query params:** `limit`, `page` (legacy OFFSET), `cursor` (opaque base64, keyset on `created_at`+`id`), `genre`, `format`, `sort_by`, `sort_order`
+
+**Example:**
+```bash
+curl "http://localhost:8080/api/v1/tracks?limit=20"
+curl "http://localhost:8080/api/v1/tracks?cursor=eyJjcmVhdGVkX2F0Ijo...&limit=20"
+```
+
+**Response (200):** `{ "success": true, "data": { "tracks": [...], "next_cursor": "...", "has_more": true } }`
+
+---
+
+### GET /tracks/:id
+
+Get a single track by ID.
+
+**Auth:** None (public)
+
+---
+
+### GET /tracks/search
+
+Search tracks. Query: `?q=...&limit=20`.
+
+**Auth:** None
+
+---
+
+### POST /tracks (protected)
+
+Upload a track. Requires Bearer token + content creator role.
+
+---
+
+### POST /tracks/:id/like, DELETE /tracks/:id/like
+
+Like/unlike a track.
+
+**Auth:** Bearer token (required)
+
+---
+
+### GET /tracks/:id/comments
+
+List comments on a track.
+
+**Auth:** None
+
+---
+
+### POST /tracks/:id/comments (protected)
+
+Add a comment.
+
+**Auth:** Bearer token (required)
+
+---
+
+## Chat
+
+### GET /chat/token
+
+Generate a short-lived JWT for WebSocket authentication. Used by the chat client to connect to the WebSocket endpoint.
+
+**Auth:** Bearer token (required)
+
+**Example:**
+```bash
+curl "http://localhost:8080/api/v1/chat/token" -H "Authorization: Bearer eyJ..."
+```
+
+**Response (200):** `{ "success": true, "data": { "token": "eyJ...", "expires_in": 300 } }`
+
+---
+
+## Social (v0.931 cursor)
+
+### GET /social/feed
+
+Global feed (cursor-based pagination). Auth optional (personalized when authenticated).
+
+**Query params:** `limit`, `cursor` (base64: `created_at_unix_nano|uuid`)
+
+**Auth:** None or Bearer (optional for personalization)
+
+---
+
+### GET /social/explore, GET /social/trending
+
+Explore and trending posts.
+
+**Auth:** None
+
+---
+
+### POST /social/posts, POST /social/like, POST /social/comments
+
+Create post, toggle like, add comment.
+
+**Auth:** Bearer token (required)
+
+---
+
+## Conversations (v0.931 cursor)
+
+### GET /conversations
+
+List user's rooms (conversations).
+
+**Auth:** Bearer token (required)
+
+---
+
+### GET /conversations/:id/history
+
+Message history for a room. Supports cursor-based pagination.
+
+**Query params:** `limit`, `cursor`
+
+**Auth:** Bearer token (required)
+
+---
+
+### POST /conversations, PUT /conversations/:id, DELETE /conversations/:id
+
+Create, update, delete room.
+
+**Auth:** Bearer token (required)
+
+---
+
+## Sessions
+
+### GET /sessions
+
+List active sessions for the current user.
+
+**Auth:** Bearer token (required)
+
+---
+
+### POST /sessions/logout, POST /sessions/logout-all, POST /sessions/refresh
+
+Logout (single, all), refresh session.
+
+**Auth:** Bearer token (required)
+
+---
+
+## Status & System
+
+### GET /status
+
+Platform status (DB, Redis, Chat, Stream server connectivity).
+
+**Auth:** None
+
+---
+
+### POST /validate
+
+Validation endpoint (A01 rate limited). Body varies by validation type.
+
+**Auth:** None
+
+---
+
+### GET /upload/limits, GET /upload/validate-type
+
+Upload configuration and file type validation (public).
+
+**Auth:** None
+
+---
+
+### GET /csrf-token
+
+Get CSRF token for protected requests (optional auth).
+
+**Auth:** None or Bearer (optional)

docs/ONBOARDING.md

@@ -25,7 +25,7 @@ This guide helps new developers set up the Veza monorepo and understand its arch
 
 ---
 
-## 2. Setup in 5 Minutes
+## 2. Setup in 5 Minutes (target: <30 min clone → first test passing)
 
 ### Quick start (minimal: Backend + Web)
 
@@ -41,6 +41,20 @@ make setup-dev
 make dev
 ```
 
+### Verify your setup (<30 min total)
+
+Run these commands to confirm everything works:
+
+```bash
+# Backend tests (from repo root)
+make test-backend-api
+
+# Frontend tests
+make test-web
+```
+
+If both pass, your environment is ready. Troubleshooting: see [§6](#6-troubleshooting).
+
 Or step by step:
 
 ```bash

docs/adr/ADR-003-redis-sentinel-postponed.md

@@ -0,0 +1,26 @@
+# ADR-003: Redis Sentinel (HA) Reporté à v1.1
+
+**Date**: 2026-03-02  
+**Statut**: Accepté  
+**Réf.**: ROADMAP_V09XX_TO_V1, Audit-DEBT-03
+
+---
+
+## Contexte
+
+Redis est utilisé pour : sessions, CSRF tokens, rate limiting, cache, pub/sub. En production v1.0, Redis est un **single point of failure** (SPOF).
+
+## Décision
+
+**Reporter Redis Sentinel / Redis Cluster à v1.1.** Pour le lancement v1.0 (quelques centaines d'utilisateurs), une instance Redis unique avec backups réguliers et un runbook de dégradation suffisent.
+
+## Justification
+
+- HA Redis (Sentinel ou Cluster) ajoute complexité opérationnelle et ~5 jours de travail
+- Le runbook [INCIDENT_RESPONSE.md](runbooks/INCIDENT_RESPONSE.md) documente le comportement dégradé : rate limiting in-memory, CSRF → 503, sessions invalidées → re-login
+- Non sur le chemin critique de v1.0
+
+## Conséquences
+
+- v1.0 : SPOF accepté, documenté dans `docs/V1_LIMITATIONS.md` (v0.971)
+- v1.1 : implémenter Redis Sentinel ou Cluster pour HA

docs/adr/ADR-004-pkce-oauth.md

@@ -0,0 +1,31 @@
+# ADR-004: PKCE pour le Flux OAuth (v0.902)
+
+**Date**: 2026-03-02  
+**Statut**: Accepté (implémentation prévue v0.902)  
+**Réf.**: VEZA-SEC-003, OWASP A07
+
+---
+
+## Contexte
+
+Le flux OAuth Authorization Code actuel ne supporte pas PKCE (Proof Key for Code Exchange). Sur un client public (SPA), le code d'autorisation peut être intercepté lors de la redirection.
+
+## Décision
+
+**Implémenter PKCE (S256) dans le flux OAuth**, cible v0.902 "Sentinel".
+
+- `code_verifier` : 128 bytes random, base64url
+- `code_challenge` : SHA-256 du verifier, base64url
+- `code_challenge_method=S256` dans l'URL d'autorisation
+- Stockage du verifier en DB (`oauth_states.code_verifier`) ou Redis
+
+## Justification
+
+- Google, GitHub, Discord, Spotify supportent PKCE
+- Conformité OWASP A07 (Authentication)
+- Vulnérabilité ÉLEVÉE identifiée dans l'audit
+
+## Conséquences
+
+- OAuth plus sécurisé pour les SPA
+- Migration possible pour les bases existantes (nouvelle colonne)

docs/adr/README.md

@@ -0,0 +1,8 @@
+# Architecture Decision Records
+
+| ADR | Title | Status |
+|-----|-------|--------|
+| [ADR-001](ADR-001-rust-services.md) | Go + Rust + React Architecture | Accepted |
+| [ADR-002](ADR-002-chat-server.md) | Chat Server Rust → Go | Accepted |
+| [ADR-003](ADR-003-redis-sentinel-postponed.md) | Redis Sentinel postponed to v1.1 | Accepted |
+| [ADR-004](ADR-004-pkce-oauth.md) | PKCE for OAuth (v0.902) | Accepted |