- Add IsURLSafe() function to webhook service blocking private IPs,
localhost, and cloud metadata endpoints (SSRF protection)
- Implement real validate_track_access() in stream server querying DB
for track visibility, ownership, and purchase status
- Remove dangerous JWT fallback user in chat server that allowed
deleted users to maintain access with forged credentials
- Add upper limit (100) on pagination in profile, track, and room handlers
- Fix Dockerfile.production healthcheck path to /api/v1/health
Co-authored-by: Cursor <cursoragent@cursor.com>
- Added UpdateRoom method to RoomService with ownership check
- Only room creator can update the room
- Added UpdateRoomRequest type
- Added UpdateRoom to RoomServiceInterface and RoomHandler
- Added PUT /conversations/:id route
- Handler uses standard API response format
- Service updates name and/or description fields
Phase: PHASE-2
Priority: P1
Progress: 21/267 (7.9%)
- Added RemoveMember method to RoomService and RoomServiceInterface
- Corrected RemoveMember in RoomRepository to use uuid.UUID
- Added AddParticipant and RemoveParticipant handlers
- Added POST /conversations/:id/participants route
- Added DELETE /conversations/:id/participants/:userId route
- Handlers use standard API response format
- Handlers reuse AddMember/RemoveMember service methods
Phase: PHASE-2
Priority: P1
Progress: 20/267 (7.5%)
- Added DeleteRoom method to RoomService with ownership check
- Only room creator can delete the room
- Added DeleteRoom to RoomServiceInterface and RoomHandler
- Added DELETE /conversations/:id route
- Handler uses standard API response format
- Service performs soft delete via GORM
Phase: PHASE-2
Priority: P1
Progress: 19/267 (7.1%)
Backend Go:
- Remplacement complet des anciennes migrations par la base V1 alignée sur ORIGIN.
- Durcissement global du parsing JSON (BindAndValidateJSON + RespondWithAppError).
- Sécurisation de config.go, CORS, statuts de santé et monitoring.
- Implémentation des transactions P0 (RBAC, duplication de playlists, social toggles).
- Ajout d’un job worker structuré (emails, analytics, thumbnails) + tests associés.
- Nouvelle doc backend : AUDIT_CONFIG, BACKEND_CONFIG, AUTH_PASSWORD_RESET, JOB_WORKER_*.
Chat server (Rust):
- Refonte du pipeline JWT + sécurité, audit et rate limiting avancé.
- Implémentation complète du cycle de message (read receipts, delivered, edit/delete, typing).
- Nettoyage des panics, gestion d’erreurs robuste, logs structurés.
- Migrations chat alignées sur le schéma UUID et nouvelles features.
Stream server (Rust):
- Refonte du moteur de streaming (encoding pipeline + HLS) et des modules core.
- Transactions P0 pour les jobs et segments, garanties d’atomicité.
- Documentation détaillée de la pipeline (AUDIT_STREAM_*, DESIGN_STREAM_PIPELINE, TRANSACTIONS_P0_IMPLEMENTATION).
Documentation & audits:
- TRIAGE.md et AUDIT_STABILITY.md à jour avec l’état réel des 3 services.
- Cartographie complète des migrations et des transactions (DB_MIGRATIONS_*, DB_TRANSACTION_PLAN, AUDIT_DB_TRANSACTIONS, TRANSACTION_TESTS_PHASE3).
- Scripts de reset et de cleanup pour la lab DB et la V1.
Ce commit fige l’ensemble du travail de stabilisation P0 (UUID, backend, chat et stream) avant les phases suivantes (Coherence Guardian, WS hardening, etc.).
