207 commits

Author	SHA1	Message	Date
senke	26aa51a2ab	Merge branch 'feat/v0.13.3-polish-securite-avancee' ... Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-13 13:39:38 +01:00
senke	6a675565e1	feat(v0.13.3): complete - Polish Sécurité Avancée ... TASK-SECADV-001: WebAuthn/Passkeys (F022) - WebAuthn credential model, service, handler - Registration/authentication ceremony endpoints - CRUD operations (list, rename, delete passkeys) - Routes: GET/POST/PUT/DELETE /auth/passkeys/* TASK-SECADV-002: Configurable password policy (F015) - PasswordPolicyConfig with MinLength, MaxLength, RequireUpper/Lower/Number/Special - NewPasswordValidatorWithPolicy constructor - PasswordPolicyFromEnv() reads env vars (PASSWORD_MIN_LENGTH, etc.) - All character class checks now respect policy configuration TASK-SECADV-003: Géolocalisation connexions (F025) - GeoIPResolver interface + GeoIPService implementation - Country/city columns added to login_history table - LoginHistoryService.Record() performs GeoIP lookup - GetUserHistory returns geolocation data - GET /auth/login-history endpoint TASK-SECADV-004: Password expiration (F016) - password_changed_at column on users table - CheckPasswordExpiration() method on PasswordService - All password change/reset methods now set password_changed_at - NewPasswordServiceWithPolicy() supports expiration days config Migration: 971_security_advanced_v0133.sql Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-13 10:09:01 +01:00
senke	b47fa21331	feat(v0.12.8): documentation & API publique — rate limiting, scopes, OpenAPI ... - API key rate limiting middleware (1000 reads/h, 200 writes/h par clé) — tracking séparé read/write, par API key ID (pas par IP) — headers X-RateLimit-Limit/Remaining/Reset sur chaque réponse - API key scope enforcement middleware (read → GET, write → POST/PUT/DELETE) — admin scope permet tout, CSRF skip pour API key auth - OpenAPI spec: ajout securityDefinition ApiKeyAuth (X-API-Key header) - Swagger annotations: ajout ApiKeyAuth dans cmd/api/main.go - Wiring dans router.go: middlewares appliqués sur tout le groupe /api/v1 - Tests: 10 tests (5 rate limiter + 5 scope enforcement), tous PASS Backend existant déjà en place (pré-v0.12.8): - Swagger UI (gin-swagger + frontend SwaggerUIDoc component) - API key CRUD (create/list/delete + X-API-Key auth dans AuthMiddleware) - Developer Dashboard frontend (API keys, webhooks, playground) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-12 18:44:09 +01:00
senke	72b732664a	feat(v0.12.6.3): remove ghost modules — gamification, A/B testing, GraphQL stubs ... Deleted 8 dead code modules identified by audit diagnostic: - api/contest/, sound_design_contest/, production_challenge/, voting_system/ (gamification stubs — violate CLAUDE.md Rule 3: no XP/streaks/leaderboards/badges) - models/contest.go (314 lines: ContestBadge with rarity, ContestPrize, ContestVote) - models/user.go: removed orphan JuryMember struct (contest reference) - services/playback_abtest_service.go + test (476+579 lines: A/B testing on playback metrics — violates ORIGIN_UI_UX_SYSTEM.md §13 anti-dark-patterns) - api/graphql/ (REST-only per ORIGIN spec) Kept: listing/, offer/ (marketplace stubs, ORIGIN-approved), grpc/ (ORIGIN §9 approved). Verified: go build passes, grep confirms 0 forbidden terms remaining. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-12 07:29:56 +01:00
senke	7a0819f69a	feat(v0.12.6.2): enforce MFA for admin/moderator + align refresh token TTL to 7 days ... TASK-SFIX-001: MFA enforcement for privileged roles - Add RequireMFA() middleware, TwoFactorChecker interface, SetTwoFactorChecker() - Apply to all 3 admin route groups (platform, moderation, core) - Returns 403 "mfa_setup_required" if admin/moderator without 2FA - Regular users bypass the check - Ref: ORIGIN_SECURITY_FRAMEWORK.md Rule 5 TASK-SFIX-002: Refresh token TTL alignment - jwt_service.go: RefreshTokenTTL 14d→7d, RememberMeRefreshTokenTTL 30d→7d - handlers/auth.go: Cookie max-age and session expiresIn → 7d across Login, LoginWith2FA, Register, Refresh handlers - middleware/auth.go: Session auto-refresh default 30d→7d - Ref: ORIGIN_SECURITY_FRAMEWORK.md Rule 4 TASK-SFIX-003: 5 unit tests — all PASS - TestRequireMFA_AdminWithoutMFA, TestRequireMFA_AdminWithMFA - TestRequireMFA_RegularUserNotAffected - TestRefreshTokenTTL_Is7Days, TestAccessTokenTTL_Is5Minutes Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-12 06:53:27 +01:00
senke	8f4ba0c284	Merge branch 'feat/v0.12.4-performance-scalabilite' ... # Conflicts: # VEZA_VERSIONS_ROADMAP.md	2026-03-11 23:04:31 +01:00
senke	02d1846141	feat(v0.12.3): F276-F305 video upload, HLS transcoding, education tests ... - Add video upload endpoint POST /courses/:id/lessons/:lesson_id/video - Add VideoTranscodeService for multi-bitrate HLS (720p/480p/360p) - Add VideoTranscodeWorker for async lesson video processing - Add SetLessonVideoPath and UpdateLessonTranscoding to education service - Add uploadLessonVideo to frontend educationService with progress - Add comprehensive handler tests (video upload, auth, validation) - Add service-level tests (models, slugs, clamping, errors, UUIDs) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-11 19:20:48 +01:00
senke	ade46fc70f	feat(v0.12.4): Redis response cache and CDN cache headers middleware ... - ResponseCache: Redis-backed HTTP response caching for public GET endpoints with configurable TTLs per endpoint prefix (tracks 15m, search 5m, etc.) - CacheHeaders: CDN-optimized Cache-Control headers per asset type (static 1yr immutable, audio 7d, HLS 60s, images 30d, API no-cache) - Integrated both middlewares into the router middleware stack - Unit tests for cache key generation, header rules, and config Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-11 09:57:06 +01:00
senke	506195f4e0	feat(v0.12.3): F276-F305 education backend service, handler, and routes ... - Course CRUD with slug generation, publish/archive lifecycle - Lesson management with ordering and transcoding status - Enrollment system with duplicate prevention - Progress tracking with auto-completion at 90% - Certificate issuance requiring full course completion - Course reviews with rating aggregation - Unit tests for service and handler layers Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-11 09:45:26 +01:00
senke	6063bfdeea	feat(v0.12.2): F501-F510 distribution service, handler, and routes ... - Distribution module: submit tracks to Spotify, Apple Music, Deezer - Subscription eligibility check (Creator/Premium only) - Distribution status tracking with platform-specific statuses - Status history audit trail - External streaming royalties import and aggregation - Distributor provider interface for DistroKid/TuneCore integration - Handler and service unit tests Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-10 19:54:26 +01:00
senke	f6ca52c3dc	feat(v0.12.1): subscription plans service, handler, and routes ... - Add subscription module (models, service, tests) - Plans: Free, Creator ($9.99/mo), Premium ($19.99/mo) - Features: subscribe, cancel, reactivate, change billing cycle - 14-day trial for Premium plan - Upgrade immediate, downgrade at period end - Invoice tracking and history - Handler tests for auth and validation Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-10 19:36:57 +01:00
senke	38530b5a52	feat(v0.12.0): F252-F254 marketplace service enhancements ... - F252: Enable download count decrement on GetDownloadURL - F253: Differentiated commission rates (creator 15%, premium 10%) - F254: Seller balance tracking, payout scheduling, manual payout request - Enforce 14-day refund window on RefundOrder - Credit seller balance on completed sales - New payout handler with balance/payouts/request endpoints - 15 new tests (payout, refund window, commission) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-10 18:52:06 +01:00
senke	ec2792118f	feat(v0.11.3): F421-F424 admin platform handler and routes ... Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-10 18:19:45 +01:00
senke	025c7aae45	feat(v0.11.2): F411-F420 moderation handler and routes ... Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-10 17:49:51 +01:00
senke	c756cb9e65	feat(v0.11.1): F396-F399 advanced analytics service, handler and routes ... - F396: Track listening heatmap (segment-level aggregated data) - F397: Period comparison (week/month/quarter with % changes) - F398: Marketplace analytics (product views, conversion rates, revenue) - F399: Metric alerts (opt-in thresholds, preferences, CRUD) - Unit tests for service (percent change calculations) and handler (auth, validation) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-10 17:12:26 +01:00
senke	8b6f0bb430	feat(v0.11.0): F381-F385 creator analytics handler and routes ... Add CreatorAnalyticsHandler with endpoints: - GET /api/v1/creator/analytics/dashboard (F381) - GET /api/v1/creator/analytics/plays (F382) - GET /api/v1/creator/analytics/sales (F383) - GET /api/v1/creator/analytics/discovery (F381) - GET /api/v1/creator/analytics/geographic (F381) - GET /api/v1/creator/analytics/audience (F384) - GET /api/v1/creator/analytics/live/:streamId (F385) - GET /api/v1/creator/analytics/tracks (F381) - GET /api/v1/creator/analytics/export (F383) All endpoints require authentication and only return data for the authenticated creator. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-10 16:28:22 +01:00
senke	19fec9e40a	feat(gdpr): v0.10.8 portabilité données - export ZIP async, suppression compte, hard delete cron ... - Export: table data_exports, POST /me/export (202), GET /me/exports, messages+playback_history - Notification email quand ZIP prêt, rate limit 3/jour - Suppression: keep_public_tracks, anonymisation PII complète (users, user_profiles) - HardDeleteWorker: final anonymization après 30 jours - Frontend: POST export, checkbox keep_public_tracks - MSW handlers pour Storybook	2026-03-10 13:57:04 +01:00
senke	871a0f2a05	feat(v0.10.7): Collaboration Temps Réel F481-F483 ... - F481: Co-listening sessions (WebSocket sync, ListenTogether page) - F482: Stem sharing (upload/list/download wav,aiff,flac) - F483: Collaborative rooms (type collaborative, max 10, invite-only) - Roadmap: v0.10.7 → DONE	2026-03-10 13:34:16 +01:00
senke	eb2862092d	feat(v0.10.6): Livestreaming basique F471-F476 ... - Backend: callbacks on_publish/on_publish_done, UpdateStreamURL, GetByStreamKey - Nginx-RTMP: config infra, docker-compose service (profil live) - Frontend: stream_url dans LiveStream, HLS.js dans LiveViewPlayer, état Stream terminé - Chat: rate limit send_live_message 1 msg/3s pour rooms live_streams - Env: RTMP_CALLBACK_SECRET, STREAM_HLS_BASE_URL, NGINX_RTMP_HOST - Roadmap v0.10.6 marquée DONE	2026-03-10 10:21:57 +01:00
senke	22f0c04b3f	stabilisation commit: while implementing v0.10.5	2026-03-09 19:36:33 +01:00
senke	ac182d9f35	feat(v0.10.4): Playlists collaboratives - F136, F140, F141, F143, F145 ... Backend: - F141: GET /discover/playlists/editorial for editorial playlists - F143: GET /playlists/shared/:token (public, no auth) - F145: POST /playlists/import (JSON), GET /playlists/:id/export/m3u - F136: GET /playlists/favoris (creates Favoris playlist if needed) - Repo: GetFavorisByUserID, service GetOrCreateFavorisPlaylist Frontend: - SharedPlaylistPage at /playlists/shared/:token (public route) - Editorial playlists section in DiscoverPage - Export M3U in ExportPlaylistButton dropdown - Import JSON via ImportPlaylistButton (PlaylistListPage) - Favoris sidebar link, FavorisRedirectPage, AddToFavorisButton on tracks Roadmap: v0.10.4 marked DONE	2026-03-09 16:49:05 +01:00
senke	6111ae6136	feat(v0.10.3): Commentaires & Interactions Sociales - F201-F215 ... - F201: Commentaires avec timestamp cliquable, modération mots-clés - F202: Likes privés (compteur visible créateur uniquement) - F203: Reposts de tracks sur le profil, bouton Repost, onglet Reposts - F204: Notifications (commentaire, repost), pas de gamification Backend: migrations 127/128, comment_moderation_service, track_repost_service, GetTrackLikes/GetTrack masquent like_count pour non-créateurs Frontend: LikeButton isCreator, RepostButton, Reposts tab profil, timestamp seek	2026-03-09 10:30:47 +01:00
senke	171a154763	feat(v0.10.2): Recherche fulltext Elasticsearch - F361-F365 ... - Elasticsearch 8.x dans docker-compose.dev - Package internal/elasticsearch: client, config, mappings, indices - Sync PG→ES: reindex tracks/users/playlists, IndexTrack/DeleteTrack - SearchService ES: multi_match + fuzziness (typo tolerance), highlighting - Fallback gracieux: PostgreSQL si ELASTICSEARCH_URL absent - Routes: GET /search, GET /search/suggestions, POST /admin/search/reindex - Frontend: searchApi cursor/limit params (extensibilité) - docs/ENV_VARIABLES: ELASTICSEARCH_URL, ELASTICSEARCH_INDEX, ELASTICSEARCH_AUTO_INDEX - Roadmap v0.10.2 → DONE	2026-03-09 10:13:18 +01:00
senke	4a422fc4c3	feat(v0.10.1): Tags & Genres discover - F351-F355 ... - Tags déclaratifs (max 10, 30 chars) via track_tags + tags - Genres normalisés (max 3) via track_genres + taxonomy - GET /api/v1/discover/genre/:genre, tag/:tag (browse chrono) - POST/DELETE follow genre/tag - Section feed "Nouvelles sorties dans vos genres" - Track update: SyncTrackTags, SyncTrackGenres via discover service - Frontend: discoverService, FeedPage by_genres, DiscoverPage - Migration 126_tags_genres_discover - MSW handlers for discover	2026-03-09 01:52:56 +01:00
senke	41d55e107d	v0.9.7 beta	2026-03-06 18:58:37 +01:00
senke	05467c1c2f	v0.9.7	2026-03-06 18:52:08 +01:00
senke	257077ad49	v0.9.6	2026-03-06 10:29:30 +01:00
senke	2ed2bb9dcf	v0.9.4	2026-03-05 23:03:43 +01:00
senke	b6c004319c	v0.9.2	2026-03-05 19:27:34 +01:00
senke	2df921abd5	v0.9.1	2026-03-05 19:22:31 +01:00
senke	354c747cce	feat(security): add global and per-IP DDoS rate limiting (1000/s, 100/s) ... SEC1-04: Redis sliding window 1s, excluded paths (health, swagger, auth)	2026-03-03 09:25:08 +01:00
senke	d577f8c9be	chore(release): v0.971 — Phantom (gamification removal, WebRTC Beta, limits doc)	2026-03-02 19:25:37 +01:00
senke	7e015f8e73	chore(release): v0.941 — Cleanup (dead code, migrations dedup, deprecated routes)	2026-03-02 19:04:30 +01:00
senke	7cb4ef56e1	feat(v0.912): Cashflow - payment E2E integration tests ... - Add MarketplaceServiceOverride and AuthMiddlewareOverride to config for tests - Wire overrides in routes_webhooks and routes_marketplace (authForMarketplaceInterface) - payment_flow_test: cart -> checkout -> webhook -> order completed, license, transfer - webhook_idempotency_test: 3 identical webhooks -> 1 order, 1 license - webhook_security_test: empty secret 500, invalid sig 401, valid sig 200 - refund_flow_test: completed order -> refund -> order refunded, license revoked - Shared computeWebhookSignature helper in webhook_test_helpers.go - SetMaxOpenConns(1) for sqlite :memory: in idempotency test to avoid flakiness Ref: docs/ROADMAP_V09XX_TO_V1.md v0.912 Cashflow	2026-02-27 20:00:51 +01:00
senke	f9120c322b	release(v0.903): Vault - ORDER BY whitelist, rate limiter, VERSION sync, chat-server cleanup, Go 1.24 ... - ORDER BY dynamiques : whitelist explicite, fallback created_at DESC - Login/register soumis au rate limiter global - VERSION sync + check CI - Nettoyage références veza-chat-server - Go 1.24 partout (Dockerfile, workflows) - TODO/FIXME/HACK convertis en issues ou résolus	2026-02-27 09:43:25 +01:00
senke	6823e5a30d	release(v0.902): Sentinel - PKCE OAuth, token encryption, redirect validation, CHAT_JWT_SECRET ... - PKCE (S256) in OAuth flow: code_verifier in oauth_states, code_challenge in auth URL - CryptoService: AES-256-GCM encryption for OAuth provider tokens at rest - OAuth redirect URL validated against OAUTH_ALLOWED_REDIRECT_DOMAINS - CHAT_JWT_SECRET must differ from JWT_SECRET in production - Migration script: cmd/tools/encrypt_oauth_tokens for existing tokens - Fixes: VEZA-SEC-003, VEZA-SEC-004, VEZA-SEC-009, VEZA-SEC-010	2026-02-26 19:49:15 +01:00
senke	51984e9a1f	feat(security): v0.901 Ironclad - fix 5 critical/high vulnerabilities ... - OAuth: use JWTService+SessionService, httpOnly cookies (VEZA-SEC-001) - Remove PasswordService.GenerateJWT (VEZA-SEC-002) - Hyperswitch webhook: mandatory verification, 500 if secret empty (VEZA-SEC-005) - Auth middleware: TokenBlacklist.IsBlacklisted check (VEZA-SEC-006) - Waveform: ValidateExecPath before exec (VEZA-SEC-007)	2026-02-26 19:34:45 +01:00
senke	c782bcb5b3	feat(admin): feature flags CRUD with DB persistence	2026-02-25 19:56:24 +01:00
senke	99b7cd8d97	feat(admin): global announcements CRUD and public banner endpoint	2026-02-25 19:55:21 +01:00
senke	f30a9562a9	feat(admin): maintenance mode middleware with 503 responses	2026-02-25 19:54:22 +01:00
senke	911fc525a2	feat(admin): moderation queue with reports CRUD	2026-02-25 19:53:04 +01:00
senke	9636613eaa	feat(users): account deletion hardening with anonymization, S3 cleanup, session revocation	2026-02-25 19:51:21 +01:00
senke	3f56e49791	feat(compliance): CCPA Do Not Sell middleware and opt-out endpoint	2026-02-25 19:49:25 +01:00
senke	470162ade8	feat(audit): HTTP audit middleware for auto-logging POST/PUT/DELETE	2026-02-25 19:48:03 +01:00
senke	7692c4b8b9	feat(v0.802): frontend Cloud/Gear, MSW, docs, scope v0.803, archive ... - Cloud: CloudFileVersions, CloudShareModal, versions/share in CloudView - Gear: GearDocumentsTab, GearRepairsTab, warranty badge, initialTab - MSW: cloud versions/share, gear documents/repairs, tags suggest - Stories: CloudFileVersions, CloudShareModal, GearDetailModal variants - gearService: listDocuments, uploadDocument, deleteDocument, listRepairs, createRepair, deleteRepair - cloudService: listVersions, restoreVersion, shareFile, getSharedFile - gear_warranty_notifier: 24h ticker, notifications for expiring warranty - tag_handler_test: unit tests - docs: API_REFERENCE, CHANGELOG, PROJECT_STATE, FEATURE_STATUS v0.802 - SCOPE_CONTROL, .cursorrules: scope v0.803 - archive: V0_802_RELEASE_SCOPE, RETROSPECTIVE_V0802	2026-02-25 14:00:58 +01:00
senke	596233aaaf	feat(upload): tags auto-suggest endpoint and additional audio formats	2026-02-25 13:39:59 +01:00
senke	8162d1b419	feat(cloud): GDPR data export and automatic backup cron	2026-02-25 13:35:16 +01:00
senke	dced768c01	feat(cloud): file versioning, restore, and sharing	2026-02-25 13:33:08 +01:00
senke	d161a3739d	feat(users): add user_preferences migration with appearance fields	2026-02-25 09:45:03 +01:00
senke	63867f1d09	feat(v0.703): Go Live & Streaming Complet ... - Backend: room creation for live streams, permissions CanJoin/CanSend/CanRead for stream rooms - LiveViewChat: useLiveStreamChat hook, WebSocket connection, stream_id as room - LiveViewPlayer: real-time viewer count via polling (5s) - Media Session: seekbackward/seekforward handlers (10s step) - GoLiveView.stories.tsx: Default, Loading, Error, StreamKeyVisible - Docs: API_REFERENCE, CHANGELOG, PROJECT_STATE, FEATURE_STATUS, RETROSPECTIVE_V0703 - SCOPE_CONTROL, .cursorrules: update to v0.801 - Archive V0_703_RELEASE_SCOPE.md	2026-02-25 09:35:22 +01:00