FIN-05 + FIN-06: Complete CHANGELOG for v0.404 with all security,
infrastructure, code quality, documentation, testing, and integration
changes. Retrospective includes pre/post scores (4.2 -> 6.6/10).
FIN-02: Updated version to v0.404, added security score improvements
(5->7/10), infrastructure readiness, code quality metrics, and
updated next version target to v0.501.
INT-05: 26 tests in chat-server (config, error, permissions, rate
limiter, logging, utils) and 25 tests in stream-server (config,
error, auth, HLS, signature, utils). All test pure logic.
INT-06: Migrated playback_websocket_handler.go from deprecated
gorilla/websocket to coder/websocket v1.8.14. Uses context-based
reads/writes and websocket.Accept instead of Upgrader.
INT-03: Tests for health endpoint, auth flow, track upload auth,
webhook HTTPS-only, and rate limit headers. Build-tagged
'integration' to avoid running in regular test suite.
INT-02: TrackService.copyFileAsync now calls StreamService.StartProcessing
after successful file copy. Wires the stream server integration into
all track route registrations.
CLN-07: Copied .proto sources from chat-server and stream-server
to proto/{common,chat,stream}/. Original copies remain until builds
are updated to use the shared directory.
CLN-05: Corrected OAuth status (Discord/Spotify not implemented),
HLS streaming (integration in progress), Chat (partial). Added
erratum section for v0.404 audit.
CLN-04: Replaced any with unknown, proper interfaces, or concrete
types across 17 files. Focus: error handlers, API responses,
WebSocket data, and function parameters.
CLN-03: router.go, track/service.go, upload_validator.go, cors.go,
playlist_handler.go, and mfa.go now use zap.L() or local logger
for structured logging instead of fmt.Printf.
INF-10: Reset tokens are now SHA-256 hashed before INSERT. Validation
hashes the received token and compares against stored hash. Plain
tokens never persisted.
INF-01: RedisRateLimiter uses atomic Lua script (INCR+EXPIRE) for
distributed rate limiting. Falls back to in-memory SimpleRateLimiter
when Redis is unavailable. Same X-RateLimit-* headers and 429 format.
SEC-08: If HYPERSWITCH_ENABLED=true in production, startup now fails
unless HYPERSWITCH_WEBHOOK_SECRET is set. This prevents webhook
signature verification from being silently bypassed.
SEC-07: Strengthened ValidateWebhookURL to require HTTPS only (was
allowing HTTP). Private IP ranges, localhost, and cloud metadata
endpoints remain blocked.
SEC-06: GetUploadStatus now verifies that the authenticated user owns the
upload before returning status. Returns 404 for non-owners to prevent
information disclosure.
SEC-04: File used network_mode: host on all services and had default
Grafana password 'admin'. Removed entirely; if needed in the future,
recreate without host networking.
SEC-03: TokenStorage.getAccessToken() returns null with httpOnly cookies.
New POST /api/v1/auth/stream-token returns a 5-min JWT compatible with
both stream server (Claims struct) and chat server (JwtClaims struct).
Frontend hlsService and websocket updated to use fetchStreamToken() fallback.
- RefundRequestModal: call marketplaceService.refundOrder, loading state, onSuccess callback
- PurchasesView: pass loadPurchases as onSuccess to refetch after refund
- SellerDashboardView: add Refund button on each sale, RefundRequestModal with fetchData onSuccess
- MSW: add POST /marketplace/orders/:id/refund handler
