senke/veza
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
2174 commits 37 branches 94 tags 1.5 GiB
Commit graph

202 commits

Author SHA1 Message Date
senke
249fd99730 fix(v0.12.6): apply all pentest remediations — 36 findings across 36 files 
CRITICAL fixes:
- Race condition (TOCTOU) in payout/refund with SELECT FOR UPDATE (CRITICAL-001/002)
- IDOR on analytics endpoint — ownership check enforced (CRITICAL-003)
- CSWSH on all WebSocket endpoints — origin whitelist (CRITICAL-004)
- Mass assignment on user self-update — strip privileged fields (CRITICAL-005)

HIGH fixes:
- Path traversal in marketplace upload — UUID filenames (HIGH-001)
- IP spoofing — use Gin trusted proxy c.ClientIP() (HIGH-002)
- Popularity metrics (followers, likes) set to json:"-" (HIGH-003)
- bcrypt cost hardened to 12 everywhere (HIGH-004)
- Refresh token lock made mandatory (HIGH-005)
- Stream token replay prevention with access_count (HIGH-006)
- Subscription trial race condition fixed (HIGH-007)
- License download expiration check (HIGH-008)
- Webhook amount validation (HIGH-009)
- pprof endpoint removed from production (HIGH-010)

MEDIUM fixes:
- WebSocket message size limit 64KB (MEDIUM-010)
- HSTS header in nginx production (MEDIUM-001)
- CORS origin restricted in nginx-rtmp (MEDIUM-002)
- Docker alpine pinned to 3.21 (MEDIUM-003/004)
- Redis authentication enforced (MEDIUM-005)
- GDPR account deletion expanded (MEDIUM-006)
- .gitignore hardened (MEDIUM-007)

LOW/INFO fixes:
- GitHub Actions SHA pinning on all workflows (LOW-001)
- .env.example security documentation (INFO-001)
- Production CORS set to HTTPS (LOW-002)

All tests pass. Go and Rust compile clean.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-14 00:44:46 +01:00
senke
1ccaa03737 feat(v0.13.5): polish marketplace & compliance — KYC, support, payout E2E 
- Seller KYC via Stripe Identity (start verification, status check, webhook)
- Support ticket system (backend handler + frontend form page)
- E2E payout flow integration test (sale → payment → balance → payout)
- Migrations: seller_kyc columns, support_tickets table
- Frontend: SupportPage with SUMI design, lazy loading, routing

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-13 14:57:19 +01:00
senke
95682e3029 feat(v0.13.3): complete - Polish Sécurité Avancée 
TASK-SECADV-001: WebAuthn/Passkeys (F022)
- WebAuthn credential model, service, handler
- Registration/authentication ceremony endpoints
- CRUD operations (list, rename, delete passkeys)
- Routes: GET/POST/PUT/DELETE /auth/passkeys/*

TASK-SECADV-002: Configurable password policy (F015)
- PasswordPolicyConfig with MinLength, MaxLength, RequireUpper/Lower/Number/Special
- NewPasswordValidatorWithPolicy constructor
- PasswordPolicyFromEnv() reads env vars (PASSWORD_MIN_LENGTH, etc.)
- All character class checks now respect policy configuration

TASK-SECADV-003: Géolocalisation connexions (F025)
- GeoIPResolver interface + GeoIPService implementation
- Country/city columns added to login_history table
- LoginHistoryService.Record() performs GeoIP lookup
- GetUserHistory returns geolocation data
- GET /auth/login-history endpoint

TASK-SECADV-004: Password expiration (F016)
- password_changed_at column on users table
- CheckPasswordExpiration() method on PasswordService
- All password change/reset methods now set password_changed_at
- NewPasswordServiceWithPolicy() supports expiration days config

Migration: 971_security_advanced_v0133.sql

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-13 10:09:01 +01:00
senke
b0a46040f1 feat(v0.12.6.2): enforce MFA for admin/moderator + align refresh token TTL to 7 days
Some checks failed
Backend API CI / test-unit (push) Failing after 0s
Details
Backend API CI / test-integration (push) Failing after 0s
Details 
TASK-SFIX-001: MFA enforcement for privileged roles
- Add RequireMFA() middleware, TwoFactorChecker interface, SetTwoFactorChecker()
- Apply to all 3 admin route groups (platform, moderation, core)
- Returns 403 "mfa_setup_required" if admin/moderator without 2FA
- Regular users bypass the check
- Ref: ORIGIN_SECURITY_FRAMEWORK.md Rule 5

TASK-SFIX-002: Refresh token TTL alignment
- jwt_service.go: RefreshTokenTTL 14d→7d, RememberMeRefreshTokenTTL 30d→7d
- handlers/auth.go: Cookie max-age and session expiresIn → 7d across
  Login, LoginWith2FA, Register, Refresh handlers
- middleware/auth.go: Session auto-refresh default 30d→7d
- Ref: ORIGIN_SECURITY_FRAMEWORK.md Rule 4

TASK-SFIX-003: 5 unit tests — all PASS
- TestRequireMFA_AdminWithoutMFA, TestRequireMFA_AdminWithMFA
- TestRequireMFA_RegularUserNotAffected
- TestRefreshTokenTTL_Is7Days, TestAccessTokenTTL_Is5Minutes

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-12 06:53:27 +01:00
senke
a0a611525c fix(v0.12.6.1): remediate remaining 15 MEDIUM + LOW pentest findings 
MEDIUM-002: Remove manual X-Forwarded-For parsing in metrics_protection.go,
  use c.ClientIP() only (respects SetTrustedProxies)
MEDIUM-003: Pin ClamAV Docker image to 1.4 across all compose files
MEDIUM-004: Add clampLimit(100) to 15+ handlers that parsed limit directly
MEDIUM-006: Remove unsafe-eval from CSP script-src on Swagger routes
MEDIUM-007: Pin all GitHub Actions to SHA in 11 workflow files
MEDIUM-008: Replace rabbitmq:3-management-alpine with rabbitmq:3-alpine in prod
MEDIUM-009: Add trial-already-used check in subscription service
MEDIUM-010: Add 60s periodic token re-validation to WebSocket connections
MEDIUM-011: Mask email in auth handler logs with maskEmail() helper
MEDIUM-012: Add k-anonymity threshold (k=5) to playback analytics stats
LOW-001: Align frontend password policy to 12 chars (matching backend)
LOW-003: Replace deprecated dotenv with dotenvy crate in Rust stream server
LOW-004: Enable xpack.security in Elasticsearch dev/local compose files
LOW-005: Accept context.Context in CleanupExpiredSessions instead of Background()
LOW-002: Noted — Hyperswitch version update deferred (requires payment integration tests)

29/30 findings remediated. 1 noted (LOW-002).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-12 06:13:38 +01:00
senke
71c15c2590 fix(v0.12.6.1): remediate 2 CRITICAL + 10 HIGH + 1 MEDIUM pentest findings 
Security fixes implemented:

CRITICAL:
- CRIT-001: IDOR on chat rooms — added IsRoomMember check before
  returning room data or message history (returns 404, not 403)
- CRIT-002: play_count/like_count exposed publicly — changed JSON
  tags to "-" so they are never serialized in API responses

HIGH:
- HIGH-001: TOCTOU race on marketplace downloads — transaction +
  SELECT FOR UPDATE on GetDownloadURL
- HIGH-002: HS256 in production docker-compose — replaced JWT_SECRET
  with JWT_PRIVATE_KEY_PATH / JWT_PUBLIC_KEY_PATH (RS256)
- HIGH-003: context.Background() bypass in user repository — full
  context propagation from handlers → services → repository (29 files)
- HIGH-004: Race condition on promo codes — SELECT FOR UPDATE
- HIGH-005: Race condition on exclusive licenses — SELECT FOR UPDATE
- HIGH-006: Rate limiter IP spoofing — SetTrustedProxies(nil) default
- HIGH-007: RGPD hard delete incomplete — added cleanup for sessions,
  settings, follows, notifications, audit_logs anonymization
- HIGH-008: RTMP callback auth weak — fail-closed when unconfigured,
  header-only (no query param), constant-time compare
- HIGH-009: Co-listening host hijack — UpdateHostState now takes *Conn
  and verifies IsHost before processing
- HIGH-010: Moderator self-strike — added issuedBy != userID check

MEDIUM:
- MEDIUM-001: Recovery codes used math/rand — replaced with crypto/rand
- MEDIUM-005: Stream token forgeable — resolved by HIGH-002 (RS256)

Updated REMEDIATION_MATRIX: 14 findings marked  CORRIGÉ.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-12 05:40:53 +01:00
senke
46362581ba feat(v0.12.3): F276-F305 video upload, HLS transcoding, education tests
Some checks failed
Backend API CI / test-unit (push) Failing after 2s
Details
Frontend CI / test (push) Failing after 2s
Details
Backend API CI / test-integration (push) Failing after 4s
Details
Storybook Audit / Build & audit Storybook (push) Failing after 9s
Details 
- Add video upload endpoint POST /courses/:id/lessons/:lesson_id/video
- Add VideoTranscodeService for multi-bitrate HLS (720p/480p/360p)
- Add VideoTranscodeWorker for async lesson video processing
- Add SetLessonVideoPath and UpdateLessonTranscoding to education service
- Add uploadLessonVideo to frontend educationService with progress
- Add comprehensive handler tests (video upload, auth, validation)
- Add service-level tests (models, slugs, clamping, errors, UUIDs)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-11 19:20:48 +01:00
senke
9cd0a43f7e feat(v0.12.3): F276-F305 education backend service, handler, and routes 
- Course CRUD with slug generation, publish/archive lifecycle
- Lesson management with ordering and transcoding status
- Enrollment system with duplicate prevention
- Progress tracking with auto-completion at 90%
- Certificate issuance requiring full course completion
- Course reviews with rating aggregation
- Unit tests for service and handler layers

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-11 09:45:26 +01:00
senke
a15bdb965d feat(v0.12.2): F501-F510 distribution service, handler, and routes 
- Distribution module: submit tracks to Spotify, Apple Music, Deezer
- Subscription eligibility check (Creator/Premium only)
- Distribution status tracking with platform-specific statuses
- Status history audit trail
- External streaming royalties import and aggregation
- Distributor provider interface for DistroKid/TuneCore integration
- Handler and service unit tests

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-10 19:54:26 +01:00
senke
517af3a68f feat(v0.12.1): subscription plans service, handler, and routes 
- Add subscription module (models, service, tests)
- Plans: Free, Creator ($9.99/mo), Premium ($19.99/mo)
- Features: subscribe, cancel, reactivate, change billing cycle
- 14-day trial for Premium plan
- Upgrade immediate, downgrade at period end
- Invoice tracking and history
- Handler tests for auth and validation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-10 19:36:57 +01:00
senke
1d31c4065a feat(v0.12.0): F252-F254 marketplace service enhancements 
- F252: Enable download count decrement on GetDownloadURL
- F253: Differentiated commission rates (creator 15%, premium 10%)
- F254: Seller balance tracking, payout scheduling, manual payout request
- Enforce 14-day refund window on RefundOrder
- Credit seller balance on completed sales
- New payout handler with balance/payouts/request endpoints
- 15 new tests (payout, refund window, commission)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-10 18:52:06 +01:00
senke
f2881ad865 feat(gdpr): v0.10.8 portabilité données - export ZIP async, suppression compte, hard delete cron
Some checks failed
Backend API CI / test-unit (push) Failing after 1s
Details
Frontend CI / test (push) Failing after 3s
Details
Storybook Audit / Build & audit Storybook (push) Failing after 2s
Details
Backend API CI / test-integration (push) Failing after 6s
Details 
- Export: table data_exports, POST /me/export (202), GET /me/exports, messages+playback_history
- Notification email quand ZIP prêt, rate limit 3/jour
- Suppression: keep_public_tracks, anonymisation PII complète (users, user_profiles)
- HardDeleteWorker: final anonymization après 30 jours
- Frontend: POST export, checkbox keep_public_tracks
- MSW handlers pour Storybook
 2026-03-10 13:57:04 +01:00
senke
2292ecd56b feat(v0.10.7): Collaboration Temps Réel F481-F483
Some checks failed
Backend API CI / test-unit (push) Failing after 2s
Details
Frontend CI / test (push) Failing after 3s
Details
Backend API CI / test-integration (push) Failing after 5s
Details
Storybook Audit / Build & audit Storybook (push) Failing after 2s
Details 
- F481: Co-listening sessions (WebSocket sync, ListenTogether page)
- F482: Stem sharing (upload/list/download wav,aiff,flac)
- F483: Collaborative rooms (type collaborative, max 10, invite-only)
- Roadmap: v0.10.7 → DONE
 2026-03-10 13:34:16 +01:00
senke
3c01fa742f feat(v0.10.6): Livestreaming basique F471-F476
Some checks failed
Backend API CI / test-unit (push) Failing after 4s
Details
Frontend CI / test (push) Failing after 2s
Details
Storybook Audit / Build & audit Storybook (push) Failing after 3s
Details
Backend API CI / test-integration (push) Failing after 4s
Details 
- Backend: callbacks on_publish/on_publish_done, UpdateStreamURL, GetByStreamKey
- Nginx-RTMP: config infra, docker-compose service (profil live)
- Frontend: stream_url dans LiveStream, HLS.js dans LiveViewPlayer, état Stream terminé
- Chat: rate limit send_live_message 1 msg/3s pour rooms live_streams
- Env: RTMP_CALLBACK_SECRET, STREAM_HLS_BASE_URL, NGINX_RTMP_HOST
- Roadmap v0.10.6 marquée DONE
 2026-03-10 10:21:57 +01:00
senke
c2b3a68fd5 feat(v0.10.5): Notifications complètes — F551-F555
Some checks failed
Backend API CI / test-unit (push) Failing after 1s
Details
Backend API CI / test-integration (push) Failing after 2s
Details
Frontend CI / test (push) Failing after 2s
Details
Storybook Audit / Build & audit Storybook (push) Failing after 2s
Details 
F555: Backend pagination/filter GetNotifications (type, page, limit) + frontend pagination
F551: WebSocket real-time — backend inject chat hub, send on CreateNotification; frontend useChat invalidates
F553: Quiet hours — migration 132, CreateNotification skips push/WS, UI in PushPreferencesSection
F554: Notification grouping — migration 133, group_key/actor_count for like/comment, UI format
F552: Weekly digest — migration 134, NotificationDigestWorker, email template, prefs UI

Acceptance: no gamification notif; defaults unchanged; individual toggles for marketing
 2026-03-10 10:02:21 +01:00
senke
16a338da62 stabilisation commit: while implementing v0.10.5 2026-03-09 19:36:33 +01:00
senke
7259526d43 feat(v0.10.4): Playlists collaboratives - F136, F140, F141, F143, F145
Some checks failed
Backend API CI / test-unit (push) Failing after 2s
Details
Backend API CI / test-integration (push) Failing after 6s
Details
Frontend CI / test (push) Failing after 4s
Details
Storybook Audit / Build & audit Storybook (push) Failing after 3s
Details 
Backend:
- F141: GET /discover/playlists/editorial for editorial playlists
- F143: GET /playlists/shared/:token (public, no auth)
- F145: POST /playlists/import (JSON), GET /playlists/:id/export/m3u
- F136: GET /playlists/favoris (creates Favoris playlist if needed)
- Repo: GetFavorisByUserID, service GetOrCreateFavorisPlaylist

Frontend:
- SharedPlaylistPage at /playlists/shared/:token (public route)
- Editorial playlists section in DiscoverPage
- Export M3U in ExportPlaylistButton dropdown
- Import JSON via ImportPlaylistButton (PlaylistListPage)
- Favoris sidebar link, FavorisRedirectPage, AddToFavorisButton on tracks

Roadmap: v0.10.4 marked DONE
 2026-03-09 16:49:05 +01:00
senke
ef1ca1a908 feat(v0.10.3): Commentaires & Interactions Sociales - F201-F215 
- F201: Commentaires avec timestamp cliquable, modération mots-clés
- F202: Likes privés (compteur visible créateur uniquement)
- F203: Reposts de tracks sur le profil, bouton Repost, onglet Reposts
- F204: Notifications (commentaire, repost), pas de gamification

Backend: migrations 127/128, comment_moderation_service, track_repost_service,
  GetTrackLikes/GetTrack masquent like_count pour non-créateurs
Frontend: LikeButton isCreator, RepostButton, Reposts tab profil, timestamp seek
 2026-03-09 10:30:47 +01:00
senke
b7434acf5a v0.9.8 beta 2026-03-07 00:54:35 +01:00
senke
9721e36289 v0.9.8 2026-03-06 19:13:16 +01:00
senke
7df866cd3f v0.9.7 beta 2026-03-06 18:58:37 +01:00
senke
99136948cb v0.9.7 2026-03-06 18:52:08 +01:00
senke
05446064ea v0.9.6 2026-03-06 10:29:30 +01:00
senke
cd974172cb v0.9.4 2026-03-05 23:03:43 +01:00
senke
2956b12645 v0.9.2 2026-03-05 19:27:34 +01:00
senke
9a93068a9b v0.9.1 2026-03-05 19:22:31 +01:00
senke
3c5bb018cb chore(release): v0.931 — Cursor (cursor-based pagination, performance baseline) 2026-03-02 12:35:49 +01:00
senke
c2aa0483eb chore(release): v0.922 — Greenlight (handler tests: dashboard, presence) 2026-03-02 12:30:51 +01:00
senke
c96be67cbc feat(auth): v0.911 Keystone - OAuth and auth integration tests 
- Add access token blacklist on logout (VEZA-SEC-006)
- Extend OAuthService for mock provider injection in tests
- Add oauth_google_test.go: full OAuth Google flow with mocked provider
- Add oauth_github_test.go: OAuth GitHub flow with PKCE verification
- Add token_refresh_test.go: E2E refresh via httpOnly cookies
- Add logout_blacklist_test.go: E2E logout + token blacklist
- Fix testutils import path in resume_upload_test, track_quota_test
- Fix CreatorID -> UserID in track_quota_test
- Add test:integration script to package.json

Release: v0.911 Keystone
 2026-02-27 09:58:53 +01:00
senke
515494007f release(v0.903): Vault - ORDER BY whitelist, rate limiter, VERSION sync, chat-server cleanup, Go 1.24 
- ORDER BY dynamiques : whitelist explicite, fallback created_at DESC
- Login/register soumis au rate limiter global
- VERSION sync + check CI
- Nettoyage références veza-chat-server
- Go 1.24 partout (Dockerfile, workflows)
- TODO/FIXME/HACK convertis en issues ou résolus
 2026-02-27 09:43:25 +01:00
senke
4c0be12465 release(v0.902): Sentinel - PKCE OAuth, token encryption, redirect validation, CHAT_JWT_SECRET 
- PKCE (S256) in OAuth flow: code_verifier in oauth_states, code_challenge in auth URL
- CryptoService: AES-256-GCM encryption for OAuth provider tokens at rest
- OAuth redirect URL validated against OAUTH_ALLOWED_REDIRECT_DOMAINS
- CHAT_JWT_SECRET must differ from JWT_SECRET in production
- Migration script: cmd/tools/encrypt_oauth_tokens for existing tokens
- Fixes: VEZA-SEC-003, VEZA-SEC-004, VEZA-SEC-009, VEZA-SEC-010
 2026-02-26 19:49:15 +01:00
senke
6e204cc98a feat(security): v0.901 Ironclad - fix 5 critical/high vulnerabilities 
- OAuth: use JWTService+SessionService, httpOnly cookies (VEZA-SEC-001)
- Remove PasswordService.GenerateJWT (VEZA-SEC-002)
- Hyperswitch webhook: mandatory verification, 500 if secret empty (VEZA-SEC-005)
- Auth middleware: TokenBlacklist.IsBlacklisted check (VEZA-SEC-006)
- Waveform: ValidateExecPath before exec (VEZA-SEC-007)
 2026-02-26 19:34:45 +01:00
senke
c2d530727a test(v0.803): unit tests for CCPA, reports, announcements, feature flags 2026-02-25 20:02:24 +01:00
senke
3edb10b567 feat(admin): feature flags CRUD with DB persistence 2026-02-25 19:56:24 +01:00
senke
d684c69439 feat(admin): global announcements CRUD and public banner endpoint 2026-02-25 19:55:21 +01:00
senke
0d092466f1 feat(admin): moderation queue with reports CRUD 2026-02-25 19:53:04 +01:00
senke
0bee6e8727 feat(api): add Swagger annotations for privacy opt-out and account deletion 2026-02-25 19:51:54 +01:00
senke
29c1688786 feat(users): account deletion hardening with anonymization, S3 cleanup, session revocation 2026-02-25 19:51:21 +01:00
senke
cb0f70022e feat(compliance): CCPA Do Not Sell middleware and opt-out endpoint 2026-02-25 19:49:25 +01:00
senke
a3624ce4b3 feat(v0.802): frontend Cloud/Gear, MSW, docs, scope v0.803, archive 
- Cloud: CloudFileVersions, CloudShareModal, versions/share in CloudView
- Gear: GearDocumentsTab, GearRepairsTab, warranty badge, initialTab
- MSW: cloud versions/share, gear documents/repairs, tags suggest
- Stories: CloudFileVersions, CloudShareModal, GearDetailModal variants
- gearService: listDocuments, uploadDocument, deleteDocument, listRepairs, createRepair, deleteRepair
- cloudService: listVersions, restoreVersion, shareFile, getSharedFile
- gear_warranty_notifier: 24h ticker, notifications for expiring warranty
- tag_handler_test: unit tests
- docs: API_REFERENCE, CHANGELOG, PROJECT_STATE, FEATURE_STATUS v0.802
- SCOPE_CONTROL, .cursorrules: scope v0.803
- archive: V0_802_RELEASE_SCOPE, RETROSPECTIVE_V0802
 2026-02-25 14:00:58 +01:00
senke
b885392304 feat(upload): tags auto-suggest endpoint and additional audio formats 2026-02-25 13:39:59 +01:00
senke
301db440e5 feat(cloud): file versioning, restore, and sharing 2026-02-25 13:33:08 +01:00
senke
75786acb03 feat(live): add handler endpoints for Go Live (me, key, regenerate, update) 2026-02-24 09:53:01 +01:00
senke
022770ef9f feat(v0.701): AdminTransfers page/route, MSW, stories, Deep Health, API ref, docs, scope v0.702 
- Step 13: AdminTransfersPage, LazyAdminTransfers, route /admin/transfers
- Step 14: MSW handlers admin transfers
- Step 15: AdminTransfersView stories (Default, Empty, WithFailedTransfers, Error, Loading)
- Step 16-17: DeepHealth handler (disk, config), GET /health/deep
- Step 19: health_deep_test.go (4 tests)
- Step 20: docs/API_REFERENCE.md
- Step 21: Archive V0_604, MIGRATIONS.md migration 116
- Step 22: CHANGELOG, PROJECT_STATE, FEATURE_STATUS v0.701
- Step 23: RETROSPECTIVE_V0701, V0_702 placeholder, SCOPE_CONTROL, .cursorrules
- Step 24: Archive V0_701_RELEASE_SCOPE
- Fix: AdminTransfersView Select component (use options API)
 2026-02-23 23:42:02 +01:00
senke
56f2e9f9c3 test(admin): add admin transfer handler tests 2026-02-23 23:35:11 +01:00
senke
8375466af9 feat(admin): add admin transfer handler (GET list, POST retry) 2026-02-23 23:33:35 +01:00
senke
81fccda396 feat(seller): add transfers history card to SellerDashboard 2026-02-23 22:57:28 +01:00
senke
c2d5073a6e feat(commerce): add GET /sell/transfers endpoint 2026-02-23 22:56:26 +01:00
senke
b319b60396 chore(release): v0.602 — Payout, Dette Technique & Tests E2E 
- Stripe Connect: onboarding, balance, SellerDashboardView
- Interceptors: auth.ts, error.ts extracted, facade
- Grafana: dashboards enriched (p50, top endpoints, 4xx, WS, commerce)
- E2E commerce: product->order->review->invoice
- SMOKE_TEST_V0602, RETROSPECTIVE_V0602, PAYOUT_MANUAL
- Archive V0_602 scope, V0_603 placeholder, SCOPE_CONTROL v0.603
- Fix sanitizer regex (Go no backreferences)
- Marketplace test schema: product_licenses, product_images, orders, licenses
 2026-02-23 22:32:01 +01:00
senke
3baeef30dd feat(chat): Sprint 2 -- WebSocket hub, client, message types, route 
- Create Hub with register/unregister/broadcast, room/user index
- Create Client with readPump/writePump goroutines, 30s ping keepalive
- Define all 18 incoming + 18 outgoing message types matching Rust protocol
- Add ValidateChatToken to ChatService for JWT validation
- Update WSUrl from /ws to /api/v1/ws
- Register GET /api/v1/ws endpoint in router
- Create ChatWebSocketHandler for WebSocket upgrade and auth
 2026-02-22 20:41:39 +01:00