senke/veza
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
2174 commits 37 branches 94 tags 1.5 GiB
Commit graph

128 commits

Author SHA1 Message Date
senke
249fd99730 fix(v0.12.6): apply all pentest remediations — 36 findings across 36 files 
CRITICAL fixes:
- Race condition (TOCTOU) in payout/refund with SELECT FOR UPDATE (CRITICAL-001/002)
- IDOR on analytics endpoint — ownership check enforced (CRITICAL-003)
- CSWSH on all WebSocket endpoints — origin whitelist (CRITICAL-004)
- Mass assignment on user self-update — strip privileged fields (CRITICAL-005)

HIGH fixes:
- Path traversal in marketplace upload — UUID filenames (HIGH-001)
- IP spoofing — use Gin trusted proxy c.ClientIP() (HIGH-002)
- Popularity metrics (followers, likes) set to json:"-" (HIGH-003)
- bcrypt cost hardened to 12 everywhere (HIGH-004)
- Refresh token lock made mandatory (HIGH-005)
- Stream token replay prevention with access_count (HIGH-006)
- Subscription trial race condition fixed (HIGH-007)
- License download expiration check (HIGH-008)
- Webhook amount validation (HIGH-009)
- pprof endpoint removed from production (HIGH-010)

MEDIUM fixes:
- WebSocket message size limit 64KB (MEDIUM-010)
- HSTS header in nginx production (MEDIUM-001)
- CORS origin restricted in nginx-rtmp (MEDIUM-002)
- Docker alpine pinned to 3.21 (MEDIUM-003/004)
- Redis authentication enforced (MEDIUM-005)
- GDPR account deletion expanded (MEDIUM-006)
- .gitignore hardened (MEDIUM-007)

LOW/INFO fixes:
- GitHub Actions SHA pinning on all workflows (LOW-001)
- .env.example security documentation (INFO-001)
- Production CORS set to HTTPS (LOW-002)

All tests pass. Go and Rust compile clean.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-14 00:44:46 +01:00
senke
d12a21bca1 feat(v0.12.9): ethical bias tests, discovery algorithm docs, CI coverage gates
Some checks failed
Backend API CI / test-unit (push) Failing after 0s
Details
Backend API CI / test-integration (push) Failing after 0s
Details 
TASK-ETH-001: 4 discovery bias tests (genre/tag browse, emerging artist visibility,
  metrics not exposed in JSON). Verifies chronological ordering regardless of play count.
TASK-ETH-002: 4 search fairness tests (artist 0 plays discoverable, zero-play tracks
  not filtered, default sort is chronological, no popularity bias in default ranking).
TASK-ETH-003: veza-docs/DISCOVERY_ALGORITHM.md — documents all 6 discovery mechanisms,
  ethical constraints, and forbidden patterns per ORIGIN specs.
TASK-COV-001: CI coverage gates — Go >= 70% (backend-ci.yml), Rust >= 50% (rust-ci.yml
  with cargo-tarpaulin). Extended Go test scope to core/ and middleware/.
TASK-COV-002: Coverage badge JSON artifact on main push (shields.io compatible).

All 8 ethical tests PASS. Build clean.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-12 08:19:41 +01:00
senke
a0a611525c fix(v0.12.6.1): remediate remaining 15 MEDIUM + LOW pentest findings 
MEDIUM-002: Remove manual X-Forwarded-For parsing in metrics_protection.go,
  use c.ClientIP() only (respects SetTrustedProxies)
MEDIUM-003: Pin ClamAV Docker image to 1.4 across all compose files
MEDIUM-004: Add clampLimit(100) to 15+ handlers that parsed limit directly
MEDIUM-006: Remove unsafe-eval from CSP script-src on Swagger routes
MEDIUM-007: Pin all GitHub Actions to SHA in 11 workflow files
MEDIUM-008: Replace rabbitmq:3-management-alpine with rabbitmq:3-alpine in prod
MEDIUM-009: Add trial-already-used check in subscription service
MEDIUM-010: Add 60s periodic token re-validation to WebSocket connections
MEDIUM-011: Mask email in auth handler logs with maskEmail() helper
MEDIUM-012: Add k-anonymity threshold (k=5) to playback analytics stats
LOW-001: Align frontend password policy to 12 chars (matching backend)
LOW-003: Replace deprecated dotenv with dotenvy crate in Rust stream server
LOW-004: Enable xpack.security in Elasticsearch dev/local compose files
LOW-005: Accept context.Context in CleanupExpiredSessions instead of Background()
LOW-002: Noted — Hyperswitch version update deferred (requires payment integration tests)

29/30 findings remediated. 1 noted (LOW-002).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-12 06:13:38 +01:00
senke
71c15c2590 fix(v0.12.6.1): remediate 2 CRITICAL + 10 HIGH + 1 MEDIUM pentest findings 
Security fixes implemented:

CRITICAL:
- CRIT-001: IDOR on chat rooms — added IsRoomMember check before
  returning room data or message history (returns 404, not 403)
- CRIT-002: play_count/like_count exposed publicly — changed JSON
  tags to "-" so they are never serialized in API responses

HIGH:
- HIGH-001: TOCTOU race on marketplace downloads — transaction +
  SELECT FOR UPDATE on GetDownloadURL
- HIGH-002: HS256 in production docker-compose — replaced JWT_SECRET
  with JWT_PRIVATE_KEY_PATH / JWT_PUBLIC_KEY_PATH (RS256)
- HIGH-003: context.Background() bypass in user repository — full
  context propagation from handlers → services → repository (29 files)
- HIGH-004: Race condition on promo codes — SELECT FOR UPDATE
- HIGH-005: Race condition on exclusive licenses — SELECT FOR UPDATE
- HIGH-006: Rate limiter IP spoofing — SetTrustedProxies(nil) default
- HIGH-007: RGPD hard delete incomplete — added cleanup for sessions,
  settings, follows, notifications, audit_logs anonymization
- HIGH-008: RTMP callback auth weak — fail-closed when unconfigured,
  header-only (no query param), constant-time compare
- HIGH-009: Co-listening host hijack — UpdateHostState now takes *Conn
  and verifies IsHost before processing
- HIGH-010: Moderator self-strike — added issuedBy != userID check

MEDIUM:
- MEDIUM-001: Recovery codes used math/rand — replaced with crypto/rand
- MEDIUM-005: Stream token forgeable — resolved by HIGH-002 (RS256)

Updated REMEDIATION_MATRIX: 14 findings marked  CORRIGÉ.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-12 05:40:53 +01:00
senke
46362581ba feat(v0.12.3): F276-F305 video upload, HLS transcoding, education tests
Some checks failed
Backend API CI / test-unit (push) Failing after 2s
Details
Frontend CI / test (push) Failing after 2s
Details
Backend API CI / test-integration (push) Failing after 4s
Details
Storybook Audit / Build & audit Storybook (push) Failing after 9s
Details 
- Add video upload endpoint POST /courses/:id/lessons/:lesson_id/video
- Add VideoTranscodeService for multi-bitrate HLS (720p/480p/360p)
- Add VideoTranscodeWorker for async lesson video processing
- Add SetLessonVideoPath and UpdateLessonTranscoding to education service
- Add uploadLessonVideo to frontend educationService with progress
- Add comprehensive handler tests (video upload, auth, validation)
- Add service-level tests (models, slugs, clamping, errors, UUIDs)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-11 19:20:48 +01:00
senke
9cd0a43f7e feat(v0.12.3): F276-F305 education backend service, handler, and routes 
- Course CRUD with slug generation, publish/archive lifecycle
- Lesson management with ordering and transcoding status
- Enrollment system with duplicate prevention
- Progress tracking with auto-completion at 90%
- Certificate issuance requiring full course completion
- Course reviews with rating aggregation
- Unit tests for service and handler layers

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-11 09:45:26 +01:00
senke
a15bdb965d feat(v0.12.2): F501-F510 distribution service, handler, and routes 
- Distribution module: submit tracks to Spotify, Apple Music, Deezer
- Subscription eligibility check (Creator/Premium only)
- Distribution status tracking with platform-specific statuses
- Status history audit trail
- External streaming royalties import and aggregation
- Distributor provider interface for DistroKid/TuneCore integration
- Handler and service unit tests

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-10 19:54:26 +01:00
senke
517af3a68f feat(v0.12.1): subscription plans service, handler, and routes 
- Add subscription module (models, service, tests)
- Plans: Free, Creator ($9.99/mo), Premium ($19.99/mo)
- Features: subscribe, cancel, reactivate, change billing cycle
- 14-day trial for Premium plan
- Upgrade immediate, downgrade at period end
- Invoice tracking and history
- Handler tests for auth and validation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-10 19:36:57 +01:00
senke
1d31c4065a feat(v0.12.0): F252-F254 marketplace service enhancements 
- F252: Enable download count decrement on GetDownloadURL
- F253: Differentiated commission rates (creator 15%, premium 10%)
- F254: Seller balance tracking, payout scheduling, manual payout request
- Enforce 14-day refund window on RefundOrder
- Credit seller balance on completed sales
- New payout handler with balance/payouts/request endpoints
- 15 new tests (payout, refund window, commission)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-10 18:52:06 +01:00
senke
f68405a52e feat(v0.11.3): F421-F424 admin platform handler and routes 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-10 18:19:45 +01:00
senke
5b76eb7fb4 feat(v0.11.2): F411-F420 moderation handler and routes 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-10 17:49:51 +01:00
senke
29586b59da feat(v0.11.1): F396-F399 advanced analytics service, handler and routes 
- F396: Track listening heatmap (segment-level aggregated data)
- F397: Period comparison (week/month/quarter with % changes)
- F398: Marketplace analytics (product views, conversion rates, revenue)
- F399: Metric alerts (opt-in thresholds, preferences, CRUD)
- Unit tests for service (percent change calculations) and handler (auth, validation)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-10 17:12:26 +01:00
senke
256781f00d feat(v0.11.0): F381-F385 creator analytics handler and routes 
Add CreatorAnalyticsHandler with endpoints:
- GET /api/v1/creator/analytics/dashboard (F381)
- GET /api/v1/creator/analytics/plays (F382)
- GET /api/v1/creator/analytics/sales (F383)
- GET /api/v1/creator/analytics/discovery (F381)
- GET /api/v1/creator/analytics/geographic (F381)
- GET /api/v1/creator/analytics/audience (F384)
- GET /api/v1/creator/analytics/live/:streamId (F385)
- GET /api/v1/creator/analytics/tracks (F381)
- GET /api/v1/creator/analytics/export (F383)

All endpoints require authentication and only return data for the authenticated creator.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-10 16:28:22 +01:00
senke
c2b3a68fd5 feat(v0.10.5): Notifications complètes — F551-F555
Some checks failed
Backend API CI / test-unit (push) Failing after 1s
Details
Backend API CI / test-integration (push) Failing after 2s
Details
Frontend CI / test (push) Failing after 2s
Details
Storybook Audit / Build & audit Storybook (push) Failing after 2s
Details 
F555: Backend pagination/filter GetNotifications (type, page, limit) + frontend pagination
F551: WebSocket real-time — backend inject chat hub, send on CreateNotification; frontend useChat invalidates
F553: Quiet hours — migration 132, CreateNotification skips push/WS, UI in PushPreferencesSection
F554: Notification grouping — migration 133, group_key/actor_count for like/comment, UI format
F552: Weekly digest — migration 134, NotificationDigestWorker, email template, prefs UI

Acceptance: no gamification notif; defaults unchanged; individual toggles for marketing
 2026-03-10 10:02:21 +01:00
senke
7259526d43 feat(v0.10.4): Playlists collaboratives - F136, F140, F141, F143, F145
Some checks failed
Backend API CI / test-unit (push) Failing after 2s
Details
Backend API CI / test-integration (push) Failing after 6s
Details
Frontend CI / test (push) Failing after 4s
Details
Storybook Audit / Build & audit Storybook (push) Failing after 3s
Details 
Backend:
- F141: GET /discover/playlists/editorial for editorial playlists
- F143: GET /playlists/shared/:token (public, no auth)
- F145: POST /playlists/import (JSON), GET /playlists/:id/export/m3u
- F136: GET /playlists/favoris (creates Favoris playlist if needed)
- Repo: GetFavorisByUserID, service GetOrCreateFavorisPlaylist

Frontend:
- SharedPlaylistPage at /playlists/shared/:token (public route)
- Editorial playlists section in DiscoverPage
- Export M3U in ExportPlaylistButton dropdown
- Import JSON via ImportPlaylistButton (PlaylistListPage)
- Favoris sidebar link, FavorisRedirectPage, AddToFavorisButton on tracks

Roadmap: v0.10.4 marked DONE
 2026-03-09 16:49:05 +01:00
senke
ef1ca1a908 feat(v0.10.3): Commentaires & Interactions Sociales - F201-F215 
- F201: Commentaires avec timestamp cliquable, modération mots-clés
- F202: Likes privés (compteur visible créateur uniquement)
- F203: Reposts de tracks sur le profil, bouton Repost, onglet Reposts
- F204: Notifications (commentaire, repost), pas de gamification

Backend: migrations 127/128, comment_moderation_service, track_repost_service,
  GetTrackLikes/GetTrack masquent like_count pour non-créateurs
Frontend: LikeButton isCreator, RepostButton, Reposts tab profil, timestamp seek
 2026-03-09 10:30:47 +01:00
senke
6690e334a1 feat(v0.10.1): Tags & Genres discover - F351-F355 
- Tags déclaratifs (max 10, 30 chars) via track_tags + tags
- Genres normalisés (max 3) via track_genres + taxonomy
- GET /api/v1/discover/genre/:genre, tag/:tag (browse chrono)
- POST/DELETE follow genre/tag
- Section feed "Nouvelles sorties dans vos genres"
- Track update: SyncTrackTags, SyncTrackGenres via discover service
- Frontend: discoverService, FeedPage by_genres, DiscoverPage
- Migration 126_tags_genres_discover
- MSW handlers for discover
 2026-03-09 01:52:56 +01:00
senke
cd974172cb v0.9.4 2026-03-05 23:03:43 +01:00
senke
7ede202e95 fix(release): v1.0.1 — Conformité complète ROADMAP checklist
Some checks failed
Backend API CI / test-unit (push) Failing after 0s
Details
Backend API CI / test-integration (push) Failing after 0s
Details
Stream Server CI / test (push) Failing after 0s
Details 
- Sécurité: npm 0 CRITICAL, cargo audit 0 vulnérabilités
- OpenAPI: @Param id corrigé pour /tracks/quota/{id}
- Tests: Payment E2E passe, OAuth DATABASE_URL fallback
- Migrations: 000_mark_consolidated.sql
- veza-stream-server: prometheus 0.14, validator 0.19
- docs: SECURITY_SCAN_RC1, V1_SIGNOFF, PROJECT_STATE
 2026-03-03 20:17:54 +01:00
senke
c38e915025 chore(release): v0.943 — Refactor (split track batch ops to track_batch_service) 2026-03-02 19:07:49 +01:00
senke
3c5bb018cb chore(release): v0.931 — Cursor (cursor-based pagination, performance baseline) 2026-03-02 12:35:49 +01:00
senke
fc3585c556 test(marketplace): add refund order unit tests 2026-02-24 00:19:42 +01:00
senke
3d311ef01a test(marketplace): add invoice generation unit tests 2026-02-24 00:19:10 +01:00
senke
63b5abe08a test(marketplace): add product review unit tests 2026-02-24 00:18:45 +01:00
senke
0211e44a09 test(marketplace): add transfer retry worker tests 2026-02-23 23:32:59 +01:00
senke
fd357cb383 feat(marketplace): add TransferRetryWorker background goroutine 2026-02-23 23:32:03 +01:00
senke
bdfda923ae feat(marketplace): add retry fields to SellerTransfer model 2026-02-23 23:30:51 +01:00
senke
31034f409c test(commerce): add transfer tests — success, multi-seller, transfer-fails 2026-02-23 22:58:16 +01:00
senke
4a08a89dc5 feat(commerce): trigger seller transfers on payment succeeded 2026-02-23 22:56:01 +01:00
senke
a0a36e9d3e feat(commerce): add TransferService interface and WithTransferService option 2026-02-23 22:55:18 +01:00
senke
e86c476d42 feat(commerce): add SellerTransfer model 2026-02-23 22:55:08 +01:00
senke
b319b60396 chore(release): v0.602 — Payout, Dette Technique & Tests E2E 
- Stripe Connect: onboarding, balance, SellerDashboardView
- Interceptors: auth.ts, error.ts extracted, facade
- Grafana: dashboards enriched (p50, top endpoints, 4xx, WS, commerce)
- E2E commerce: product->order->review->invoice
- SMOKE_TEST_V0602, RETROSPECTIVE_V0602, PAYOUT_MANUAL
- Archive V0_602 scope, V0_603 placeholder, SCOPE_CONTROL v0.603
- Fix sanitizer regex (Go no backreferences)
- Marketplace test schema: product_licenses, product_images, orders, licenses
 2026-02-23 22:32:01 +01:00
senke
28136f2897 feat(v0.501): Sprint 5 -- integration, tests, and cleanup 
- INT-01: Add E2E streaming tests (upload -> HLS auth)
- INT-02: Add E2E cloud tests (CRUD auth, public gear)
- INT-03: Split track/handler.go into 4 focused sub-handlers
- INT-04: Create migration squash script + MIGRATIONS.md
- INT-05: Add Trivy container image scanning CI workflow
- INT-06: Replace production console.log with structured logger
 2026-02-22 18:40:07 +01:00
senke
bcc885327b feat(v0.501): Sprint 4 -- Cloud frontend + Gear advanced 
- C1-09: Create CloudPage with folder tree, file list, and /cloud route
- C1-10: Create CloudUploadModal with drag-and-drop and progress
- C1-11: Create CloudFilePreview mini player inline
- C1-12: Add Cloud stories (loading, empty, populated, quota full)
- G1-01: Add is_public toggle, public gear endpoint, GearShowcase
- G1-02: Add gear image upload endpoints, GearImageGallery component
- G1-03: Add gear search with ILIKE + SearchBar in toolbar
- G1-04: Add stories for GearShowcase and GearImageGallery
 2026-02-22 18:30:49 +01:00
senke
86a0978c28 feat(v0.501): Sprint 3 -- Cloud Storage MVP backend 
- C1-01: Create CloudService with CRUD folders/files, quota, ownership
- C1-02: Create CloudHandler with 11 REST endpoints
- C1-03: Register cloud routes in Go router
- C1-04: Implement file streaming with HTTP Range support
- C1-05: Add publish cloud file as track endpoint
- C1-06: Add MSW mock handlers for cloud API
- C1-07: Auto-init 5GB storage quota on user registration
- C1-08: Add 12 unit tests for CloudService
 2026-02-22 18:23:58 +01:00
senke
465aa9e008 feat(v0.501): Sprint 2 -- HLS production-ready 
- S1-01: Add multi-bitrate streaming profiles (128k, 256k, 320k)
- S1-02: Update master.m3u8 endpoint with 3-tier quality system
- S1-03: Integrate hls.js with ABR + useHLSPlayer hook
- S1-04: Add Cache-Control headers on HLS segments and manifests
- S1-05: Create WaveformService with async generation (FFmpeg + audiowaveform)
- S1-06: Add GET /tracks/:id/waveform endpoint with Redis cache
- S1-07: Create WaveformDisplay component with story
- S1-08: Add 4 Prometheus metrics for streaming monitoring
 2026-02-22 18:16:37 +01:00
senke
5258b9bf17 feat(streaming): trigger HLS transcoding after track upload 
INT-02: TrackService.copyFileAsync now calls StreamService.StartProcessing
after successful file copy. Wires the stream server integration into
all track route registrations.
 2026-02-22 17:52:39 +01:00
senke
0e095d9a54 refactor(backend): replace 40 fmt.Printf calls with zap structured logging 
CLN-03: router.go, track/service.go, upload_validator.go, cors.go,
playlist_handler.go, and mfa.go now use zap.L() or local logger
for structured logging instead of fmt.Printf.
 2026-02-22 17:44:38 +01:00
senke
952520dd7f feat(marketplace): add license revoked_at migration 2026-02-22 16:18:01 +01:00
senke
5b023ae895 chore(backend): add PDF library for invoices 
feat(marketplace): add invoice generation service and download endpoint
 2026-02-22 16:11:42 +01:00
senke
45cbc96fac feat(marketplace): add avg_rating and review_count to Product 2026-02-22 16:07:06 +01:00
senke
578af84819 feat(marketplace): add ProductReview model and service 2026-02-22 16:05:16 +01:00
senke
afeec3ae65 fix(checkout): handle cancelled status in Hyperswitch webhook 2026-02-22 14:42:57 +01:00
senke
e60354f7ce feat(checkout): add order_id to Hyperswitch return URL 2026-02-22 14:40:13 +01:00
senke
79ef2f52a0 feat(seller): add GET /sell/stats/evolution, top-products, sales, SalesEvolutionChart, real commerceService 2026-02-22 14:21:21 +01:00
senke
c977681bf8 feat(marketplace): add migration 098 product_licenses, ProductLicense model, GET /licenses/mine 2026-02-22 14:16:24 +01:00
senke
f4fff1126f feat(marketplace): add bpm, musical_key, category filters to ListProducts 2026-02-22 14:08:41 +01:00
senke
8ecd66786d feat(marketplace): add product images management endpoint 2026-02-22 14:08:13 +01:00
senke
8e68ca3be0 feat(marketplace): add POST /products/:id/preview for audio preview upload 2026-02-22 14:07:30 +01:00
senke
7a68e3ced2 feat(marketplace): accept bpm, musical_key, category in CreateProduct and UpdateProduct 2026-02-22 14:06:20 +01:00