senke
fd357cb383
feat(marketplace): add TransferRetryWorker background goroutine
2026-02-23 23:32:03 +01:00
senke
ab12f5d1fe
feat(monitoring): add transfer retry Prometheus metrics
2026-02-23 23:31:35 +01:00
senke
3261d0fb44
feat(config): add transfer retry configuration (v0.701)
2026-02-23 23:31:09 +01:00
senke
bdfda923ae
feat(marketplace): add retry fields to SellerTransfer model
2026-02-23 23:30:51 +01:00
senke
db0f40815a
feat(marketplace): add migration 116 — retry columns for seller_transfers
2026-02-23 23:30:41 +01:00
senke
31034f409c
test(commerce): add transfer tests — success, multi-seller, transfer-fails
2026-02-23 22:58:16 +01:00
senke
81fccda396
feat(seller): add transfers history card to SellerDashboard
2026-02-23 22:57:28 +01:00
senke
c2d5073a6e
feat(commerce): add GET /sell/transfers endpoint
2026-02-23 22:56:26 +01:00
senke
4a08a89dc5
feat(commerce): trigger seller transfers on payment succeeded
2026-02-23 22:56:01 +01:00
senke
51dd867bdf
feat(commerce): wire TransferService in marketplace and webhook routes
2026-02-23 22:55:39 +01:00
senke
a0a36e9d3e
feat(commerce): add TransferService interface and WithTransferService option
2026-02-23 22:55:18 +01:00
senke
e86c476d42
feat(commerce): add SellerTransfer model
2026-02-23 22:55:08 +01:00
senke
4b07957d1a
feat(commerce): add 115_seller_transfers migration
2026-02-23 22:54:56 +01:00
senke
979658165c
feat(commerce): add PLATFORM_FEE_RATE config (default 10%)
2026-02-23 22:54:50 +01:00
senke
b319b60396
chore(release): v0.602 — Payout, Technical Debt & E2E Tests
...
- Stripe Connect: onboarding, balance, SellerDashboardView
- Interceptors: auth.ts, error.ts extracted, facade
- Grafana: dashboards enriched (p50, top endpoints, 4xx, WS, commerce)
- E2E commerce: product->order->review->invoice
- SMOKE_TEST_V0602, RETROSPECTIVE_V0602, PAYOUT_MANUAL
- Archive V0_602 scope, V0_603 placeholder, SCOPE_CONTROL v0.603
- Fix sanitizer regex (Go no backreferences)
- Marketplace test schema: product_licenses, product_images, orders, licenses
2026-02-23 22:32:01 +01:00
senke
a5d2951ec5
feat(seller): add seller_stripe_accounts migration and model
2026-02-23 22:11:11 +01:00
senke
cb9b418286
feat(seller): add Stripe Connect config
2026-02-23 22:09:23 +01:00
senke
06e3de98b9
feat(commerce): Hyperswitch LIVE_MODE configuration
...
- config: HyperswitchLiveMode (HYPERSWITCH_LIVE_MODE)
- routes_marketplace: warn when production + LiveMode=false
- docker-compose.prod: HYPERSWITCH_LIVE_MODE env var
2026-02-23 19:56:52 +01:00
senke
8f6a6b0b13
feat(streaming): wire HLS pipeline end-to-end with serving routes
...
- Add HLSEnabled and HLSStorageDir to backend config (HLS_STREAMING env)
- Register HLS serving routes (master.m3u8, quality playlist, segments)
behind HLSEnabled feature flag on existing track routes
- Add GetHLSStatus and TriggerHLSTranscode methods to StreamService
for stream server communication
- Update docker-compose (dev, staging, prod) with HLS env vars and
shared hls-data volume between backend and stream-server
- Stream callback already correctly updates stream_manifest_url
2026-02-22 21:20:35 +01:00
senke
d3e3ba9b33
feat(chat): Redis rate limiter, persistent presence, PostgreSQL full-text search
...
- Rewrite chat rate limiter with Redis sliding window (sorted sets) and
automatic in-memory fallback when Redis is unavailable
- Add ChatPresenceService with Redis-backed online/offline/heartbeat
tracking (2min TTL), integrated into Hub register/unregister
- Add migration 113: tsvector column with GIN index and auto-update
trigger on messages table for full-text search
- Update Search repository method to use ts_rank ordering instead of ILIKE
- Wire Redis client into chat WebSocket setup in router.go
- Add comprehensive tests: rate limiter, presence, 100-user concurrent benchmark
2026-02-22 21:17:51 +01:00
senke
25e7345a6a
test(chat): Sprint 5 -- unit tests, E2E tests, feature parity validation
...
- Add hub_test.go: register/unregister, join/leave room, broadcast, exclude sender,
send to user, multiple clients same user (6 tests)
- Add handler_messages_test.go: send message, missing fields, edit ownership check,
soft delete (4 tests)
- Add handler_realtime_test.go: typing broadcast, read receipts, reactions add/remove,
delivered status (5 tests)
- Add e2e_chat_ws_test.go: auth valid, missing token, invalid token, ping/pong
- Add e2e_chat_messages_test.go: 2-client message flow, typing indicator
- Create CHAT_FEATURE_PARITY.md: 25-feature checklist (all OK or IMPROVED)
2026-02-22 20:49:32 +01:00
senke
603eb06dae
feat(chat): Sprint 3 -- message handlers, real-time features, permissions
...
- Implement full MessageHandler dispatch with all 18 incoming message types
- Add handler_messages.go: SendMessage, EditMessage, DeleteMessage with ownership checks
- Add handler_rooms.go: JoinConversation, LeaveConversation
- Add handler_history.go: FetchHistory (cursor-based), SearchMessages (ILIKE), SyncMessages
- Add handler_realtime.go: Typing, MarkAsRead, Delivered, AddReaction, RemoveReaction
- Add handler_calls.go: WebRTC signaling relay (CallOffer/Answer/ICE/Hangup/Reject)
- Add PermissionService: CanRead/CanSend/CanJoin/CanModerate based on room_members
- Add RateLimiter: per-user per-action sliding window (in-memory)
- Wire all dependencies in router.go setupChatWebSocket
2026-02-22 20:43:44 +01:00
senke
3baeef30dd
feat(chat): Sprint 2 -- WebSocket hub, client, message types, route
...
- Create Hub with register/unregister/broadcast, room/user index
- Create Client with readPump/writePump goroutines, 30s ping keepalive
- Define all 18 incoming + 18 outgoing message types matching Rust protocol
- Add ValidateChatToken to ChatService for JWT validation
- Update WSUrl from /ws to /api/v1/ws
- Register GET /api/v1/ws endpoint in router
- Create ChatWebSocketHandler for WebSocket upgrade and auth
2026-02-22 20:41:39 +01:00
senke
2ee63b9b11
feat(chat): Sprint 1 -- migrations, models, repositories for chat rewrite
...
- Add migrations 109-112: read_receipts, delivered_status, message_reactions, messages extra columns
- Create ReadReceipt, DeliveredStatus, MessageReaction GORM models
- Update Message model with EditedAt, Status, IsPinned, Metadata fields
- Enrich ChatMessageRepository with cursor pagination, search, soft delete
- Create ReadReceiptRepository, DeliveredStatusRepository, ReactionRepository
- Create ChatPubSubService with Redis PubSub and in-memory fallback
2026-02-22 20:38:20 +01:00
senke
28136f2897
feat(v0.501): Sprint 5 -- integration, tests, and cleanup
...
- INT-01: Add E2E streaming tests (upload -> HLS auth)
- INT-02: Add E2E cloud tests (CRUD auth, public gear)
- INT-03: Split track/handler.go into 4 focused sub-handlers
- INT-04: Create migration squash script + MIGRATIONS.md
- INT-05: Add Trivy container image scanning CI workflow
- INT-06: Replace production console.log with structured logger
2026-02-22 18:40:07 +01:00
senke
bcc885327b
feat(v0.501): Sprint 4 -- Cloud frontend + Gear advanced
...
- C1-09: Create CloudPage with folder tree, file list, and /cloud route
- C1-10: Create CloudUploadModal with drag-and-drop and progress
- C1-11: Create CloudFilePreview mini player inline
- C1-12: Add Cloud stories (loading, empty, populated, quota full)
- G1-01: Add is_public toggle, public gear endpoint, GearShowcase
- G1-02: Add gear image upload endpoints, GearImageGallery component
- G1-03: Add gear search with ILIKE + SearchBar in toolbar
- G1-04: Add stories for GearShowcase and GearImageGallery
2026-02-22 18:30:49 +01:00
senke
86a0978c28
feat(v0.501): Sprint 3 -- Cloud Storage MVP backend
...
- C1-01: Create CloudService with CRUD folders/files, quota, ownership
- C1-02: Create CloudHandler with 11 REST endpoints
- C1-03: Register cloud routes in Go router
- C1-04: Implement file streaming with HTTP Range support
- C1-05: Add publish cloud file as track endpoint
- C1-06: Add MSW mock handlers for cloud API
- C1-07: Auto-init 5GB storage quota on user registration
- C1-08: Add 12 unit tests for CloudService
2026-02-22 18:23:58 +01:00
senke
465aa9e008
feat(v0.501): Sprint 2 -- HLS production-ready
...
- S1-01: Add multi-bitrate streaming profiles (128k, 256k, 320k)
- S1-02: Update master.m3u8 endpoint with 3-tier quality system
- S1-03: Integrate hls.js with ABR + useHLSPlayer hook
- S1-04: Add Cache-Control headers on HLS segments and manifests
- S1-05: Create WaveformService with async generation (FFmpeg + audiowaveform)
- S1-06: Add GET /tracks/:id/waveform endpoint with Redis cache
- S1-07: Create WaveformDisplay component with story
- S1-08: Add 4 Prometheus metrics for streaming monitoring
2026-02-22 18:16:37 +01:00
senke
1797e5c32c
feat(v0.501): Sprint 1 -- infrastructure foundations
...
- Add MinIO S3-compatible storage to docker-compose (dev, staging, prod)
- Create migrations 103-108 (waveform_url, user_folders, user_files,
user_storage_quotas, gear_items.is_public, gear_images)
- Add Go models: UserFile, UserFolder, StorageQuota, GearImage
- Add WaveformURL to Track model, IsPublic + GearImages to GearItem model
2026-02-22 18:10:25 +01:00
senke
09dc20e965
refactor(websocket): replace gorilla/websocket with coder/websocket
...
INT-06: Migrated playback_websocket_handler.go from deprecated
gorilla/websocket to coder/websocket v1.8.14. Uses context-based
reads/writes and websocket.Accept instead of Upgrader.
2026-02-22 17:53:10 +01:00
senke
43536ea3f3
fix(tests): fix 2 skipped tests, add clear skip reasons to 11 others
...
INT-04: Fixed nil UserID panic in AuditService (re-enabled 2 tests).
Added INT-04 comments explaining skip reasons for tests requiring
PostgreSQL, real file headers, or external services.
2026-02-22 17:53:00 +01:00
senke
23791095ad
test: add 5 cross-service E2E integration tests
...
INT-03: Tests for health endpoint, auth flow, track upload auth,
webhook HTTPS-only, and rate limit headers. Build-tagged
'integration' to avoid running in regular test suite.
2026-02-22 17:52:50 +01:00
senke
5258b9bf17
feat(streaming): trigger HLS transcoding after track upload
...
INT-02: TrackService.copyFileAsync now calls StreamService.StartProcessing
after successful file copy. Wires the stream server integration into
all track route registrations.
2026-02-22 17:52:39 +01:00
senke
0e095d9a54
refactor(backend): replace 40 fmt.Printf calls with zap structured logging
...
CLN-03: router.go, track/service.go, upload_validator.go, cors.go,
playlist_handler.go, and mfa.go now use zap.L() or local logger
for structured logging instead of fmt.Printf.
2026-02-22 17:44:38 +01:00
senke
05daed60df
refactor: remove dead code (api_manager.go, unused templates)
...
CLN-01: Deleted archived api_manager.go (~789 LOC, build-tag ignore)
and dev-environment/templates/ (~806 LOC, never used by generator).
2026-02-22 17:44:19 +01:00
senke
9752a90dfb
fix(security): hash password reset tokens before database storage
...
INF-10: Reset tokens are now SHA-256 hashed before INSERT. Validation
hashes the received token and compares against stored hash. Plain
tokens never persisted.
2026-02-22 17:36:10 +01:00
senke
eb92779df2
feat(security): implement Redis-backed rate limiter with in-memory fallback
...
INF-01: RedisRateLimiter uses atomic Lua script (INCR+EXPIRE) for
distributed rate limiting. Falls back to in-memory SimpleRateLimiter
when Redis is unavailable. Same X-RateLimit-* headers and 429 format.
2026-02-22 17:35:21 +01:00
senke
4409022d55
fix(build): unify Go version to 1.24 across Dockerfile and CI
...
SEC-09: go.mod declares Go 1.24.0 but Dockerfile.production used 1.23
and backend-ci.yml used 1.23. Aligned both to 1.24.
2026-02-22 17:32:17 +01:00
senke
4efd5d1d07
fix(security): require Hyperswitch webhook secret in production when payments enabled
...
SEC-08: If HYPERSWITCH_ENABLED=true in production, startup now fails
unless HYPERSWITCH_WEBHOOK_SECRET is set. This prevents webhook
signature verification from being silently bypassed.
2026-02-22 17:31:52 +01:00
senke
142d1576be
fix(security): add SSRF protection for webhook URL registration
...
SEC-07: Strengthened ValidateWebhookURL to require HTTPS only (was
allowing HTTP). Private IP ranges, localhost, and cloud metadata
endpoints remain blocked.
2026-02-22 17:31:10 +01:00
senke
72d15f60b5
fix(security): add ownership check to GetUploadStatus handler (IDOR fix)
...
SEC-06: GetUploadStatus now verifies that the authenticated user owns the
upload before returning status. Returns 404 for non-owners to prevent
information disclosure.
2026-02-22 17:30:30 +01:00
senke
de5b3bc542
feat(auth): add ephemeral stream-token endpoint for HLS and WebSocket authentication
...
SEC-03: TokenStorage.getAccessToken() returns null with httpOnly cookies.
New POST /api/v1/auth/stream-token returns a 5-min JWT compatible with
both stream server (Claims struct) and chat server (JwtClaims struct).
Frontend hlsService and websocket updated to use fetchStreamToken() fallback.
2026-02-22 17:28:00 +01:00
senke
952520dd7f
feat(marketplace): add license revoked_at migration
2026-02-22 16:18:01 +01:00
senke
bf57d58f5a
feat(hyperswitch): add CreateRefund to client
2026-02-22 16:17:54 +01:00
senke
5b023ae895
chore(backend): add PDF library for invoices
...
feat(marketplace): add invoice generation service and download endpoint
2026-02-22 16:11:42 +01:00
senke
45cbc96fac
feat(marketplace): add avg_rating and review_count to Product
2026-02-22 16:07:06 +01:00
senke
25eee5bf91
feat(marketplace): add create and list reviews endpoints
2026-02-22 16:06:18 +01:00
senke
578af84819
feat(marketplace): add ProductReview model and service
2026-02-22 16:05:16 +01:00
senke
c3b8d9198a
feat(marketplace): add product_reviews migration
2026-02-22 16:04:14 +01:00
senke
afeec3ae65
fix(checkout): handle cancelled status in Hyperswitch webhook
2026-02-22 14:42:57 +01:00
senke
e60354f7ce
feat(checkout): add order_id to Hyperswitch return URL
2026-02-22 14:40:13 +01:00
senke
79ef2f52a0
feat(seller): add GET /sell/stats/evolution, top-products, sales, SalesEvolutionChart, real commerceService
2026-02-22 14:21:21 +01:00
senke
c977681bf8
feat(marketplace): add migration 098 product_licenses, ProductLicense model, GET /licenses/mine
2026-02-22 14:16:24 +01:00
senke
432cabec6f
feat(marketplace): add playable preview and image gallery to ProductDetailView
2026-02-22 14:14:38 +01:00
senke
f25956e9e2
feat(marketplace): add rich text description with sanitization
2026-02-22 14:14:27 +01:00
senke
f4fff1126f
feat(marketplace): add bpm, musical_key, category filters to ListProducts
2026-02-22 14:08:41 +01:00
senke
8ecd66786d
feat(marketplace): add product images management endpoint
2026-02-22 14:08:13 +01:00
senke
8e68ca3be0
feat(marketplace): add POST /products/:id/preview for audio preview upload
2026-02-22 14:07:30 +01:00
senke
7a68e3ced2
feat(marketplace): accept bpm, musical_key, category in CreateProduct and UpdateProduct
2026-02-22 14:06:20 +01:00
senke
ef0a928ab4
feat(marketplace): add ProductPreview, ProductImage models and Product enrichment fields
2026-02-22 14:05:37 +01:00
senke
0a00da931e
feat(marketplace): add migrations 095-097 for products enrichment, previews, images
2026-02-22 14:05:19 +01:00
senke
8f4f445dcb
feat(presence): P2.1 rich presence, P2.2 invisible mode
...
Backend:
- UserPresence: track_id, track_title, invisible
- UpdatePresenceFull, GetPresenceForViewer (invisible hides for others)
- PUT /users/me/presence
- Migration 094 rich presence columns
Frontend:
- presenceService.updatePresence
- usePresenceSync: sync currentTrack to presence
- PresenceBadge: statusMessage tooltip
- PresenceInvisibleToggle in PrivacySettings
- MSW: PUT /users/me/presence
2026-02-21 16:47:09 +01:00
senke
51af2d073f
feat(notifications): N1.1-N1.3 Web Push subscription, send on events, preferences
...
- N1.1: POST /notifications/push/subscribe, PushService, migration 090
- N1.2: Send Web Push on follow/like/comment/message via CreateNotification
- N1.3: GET/PUT /notifications/preferences, migration 093
- Shared NotificationService with PushService for profile, track, comment handlers
- Fix MockSocialService GetGlobalFeed, GetTrendingHashtags for tests
2026-02-21 16:41:39 +01:00
senke
ed5e395900
feat(groups): S2 frontend - request join, invite, roles, my groups, MSW handlers
2026-02-21 05:51:29 +01:00
senke
2bc8c36b79
feat(groups): S2.1-S2.5 request join, invite, roles, feed groups, my groups
2026-02-21 05:48:59 +01:00
senke
6a8252a351
chore(migrations): add 069, 089, 090, 091 for v0.302
2026-02-21 05:47:14 +01:00
senke
d8be2c0164
feat(social): GET /social/explore, explore tab, feed filters all/following/groups (S1.5, S1.6)
2026-02-21 05:31:12 +01:00
senke
7e106cc096
feat(social): feed pagination with cursor (S1.4)
2026-02-21 05:28:19 +01:00
senke
2fc102e46b
feat(social): connect feed to social API, enrich with actor/track, FeedItem supports posts (S1.1-S1.3)
2026-02-21 05:26:52 +01:00
senke
ade1a7d2a6
feat(presence): PresenceService and GET /users/:id/presence (P1.2)
2026-02-21 05:22:43 +01:00
senke
4a2ba9f404
feat(presence): migration 088 user_presence (P1.1)
2026-02-21 05:22:33 +01:00
senke
5c79b8fafe
feat(queue): add queue session API (create, get, delete, add/remove items)
2026-02-20 18:41:12 +01:00
senke
92d25164e9
feat(queue): add queue_sessions and shared_queue_items models
2026-02-20 18:39:33 +01:00
senke
d54945d84e
feat(search): add boolean operators AND, OR, NOT, exact phrase
2026-02-20 18:38:34 +01:00
senke
b209a8dc96
feat(search): add phonetic/fuzzy search via pg_trgm
2026-02-20 18:36:07 +01:00
senke
6b71c6b6b8
feat(search): add pg_trgm extension for fuzzy search
2026-02-20 18:34:50 +01:00
senke
544ffd140a
feat(social): cache trending hashtags in Redis
2026-02-20 18:33:17 +01:00
senke
3ad7d39128
feat(social): add GET /social/trending endpoint
2026-02-20 18:32:16 +01:00
senke
b5fe6e8fd1
feat(release): v0.202 — Lots G, H, F, C, D
...
- Lot G: Advanced search (musical_key, relevance sort, autocomplete, facets, history)
- Lot H: Creator analytics (stats, charts, completion rate, CSV/JSON export)
- Lot F: Seller dashboard (GET /sell/stats, product list)
- Lot C: Player (crossfade, gapless preload, PiP)
- Lot D2: Autoplay (GET /tracks/recommendations, "Listen next" section)
Backend: GetRecommendations handler, route /tracks/recommendations
Frontend: PlayerQueue recommendations, fix TS errors (GlobalPlayer, AnalyticsViewKpiGrid, etc.)
Docs: FEATURE_STATUS, PROJECT_STATE, CHANGELOG, SCOPE_CONTROL
2026-02-20 18:16:17 +01:00
senke
b8693ca07f
feat(seller): connect products list to marketplace API (F2)
2026-02-20 17:02:54 +01:00
senke
ea29927d2a
feat(seller): add GET /sell/stats and connect dashboard (F1)
2026-02-20 17:02:13 +01:00
senke
b887110214
feat(analytics): add creator export CSV/JSON (H4)
2026-02-20 17:00:36 +01:00
senke
d9fee2684b
feat(analytics): add creator charts endpoint and UI (H2)
2026-02-20 16:59:25 +01:00
senke
9ca90e6096
feat(analytics): add creator stats endpoint and UI (H1)
2026-02-20 16:57:58 +01:00
senke
ef320888f6
feat(search): add autocomplete suggestions endpoint and UI (G3)
2026-02-20 16:54:17 +01:00
senke
7eb1e0d945
feat(search): add relevance sort option (G2)
2026-02-20 16:50:49 +01:00
senke
458e88472b
feat(search): add musical_key filter and wire tags filter (G1)
2026-02-20 16:50:30 +01:00
senke
002b8f2ec2
feat(tracks): add suggested tags endpoint and UI (E4)
...
- Migration 085: tracks.tags TEXT[]
- Track model: Tags pq.StringArray
- GET /tracks/suggested-tags?genre=X&bpm=Y (static suggestions by genre)
- UpdateTrack: support tags
- TrackMetadataEditModal: tags chips + suggestions dropdown
- TrackDetailPageInfo: display tags
- getSuggestedTags, UpdateTrackParams.tags
- MSW: suggested-tags handler, tags in mock track
2026-02-20 15:38:51 +01:00
senke
79f552212f
feat(tracks): add lyrics model and endpoints (E3)
...
- Migration 084: track_lyrics table
- TrackLyrics model, GetLyrics, CreateOrUpdateLyrics in TrackService
- GET /tracks/:id/lyrics, PUT /tracks/:id/lyrics (owner only)
- Frontend: TrackLyricsSection with show/hide toggle, Lyrics tab
- trackService: getLyrics, updateLyrics
- MSW: handlers for lyrics
2026-02-20 15:36:28 +01:00
senke
265f9fa86c
feat(tracks): add BPM field to model and CRUD (E1)
...
- Backend: BPM and MusicalKey in Track model, UpdateTrack handler
- track_search_service: enable BPM filter (min_bpm, max_bpm)
- Frontend: Track type, UpdateTrackParams, display in TrackDetailPageInfo
- TrackMetadataEditModal: BPM input, edit flow for track creator
- MSW: bpm, musical_key in mock track, correct response envelope
2026-02-20 15:34:00 +01:00
senke
efd09e0c11
feat(profile): add profile privacy toggle (B3)
...
- Backend: is_public in Profile, UpdateProfile; strip SocialLinks for private
- Settings: ProfileVisibilityCard toggle in Privacy tab
- UserProfilePage: show 'Profil privé' when viewing private profile
2026-02-20 15:10:02 +01:00
senke
ef00e165e9
feat(profile): add profile banner (B1)
2026-02-20 14:56:25 +01:00
senke
99f60ebbaa
feat(auth): enrich sessions page with history and revoke (A4)
2026-02-20 14:52:20 +01:00
senke
6a1686aad8
feat(auth): add OAuth Spotify provider (A1)
2026-02-20 14:48:08 +01:00
senke
134b8979c0
chore(v0.102): consolidate remaining changes — docs, frontend, backend
...
- docs: SCOPE_CONTROL, CONTRIBUTING, README, .github templates
- frontend: DeveloperDashboardView, Player components, MSW handlers, auth, reactQuerySync
- backend: playback_analytics, playlist_service, testutils, integration README
Excluded (artifacts): .auth, playwright-report, test-results, storybook_audit_detailed.json
2026-02-20 13:02:12 +01:00
senke
bdea490c21
feat(developer): add API keys backend (Lot C)
...
- Migration 082: api_keys table (user_id, name, prefix, hashed_key, scopes, last_used_at, expires_at)
- APIKey model, APIKeyService (Create, List, Delete, ValidateAPIKey)
- APIKeyHandler: GET/POST/DELETE /api/v1/developer/api-keys
- AuthMiddleware: X-API-Key and Bearer vza_* accepted as alternative to JWT
- CSRF: skip for API key auth (stateless)
- Key format: vza_ prefix, SHA-256 hashed storage
2026-02-20 00:18:36 +01:00
senke
331905c05a
feat(queue): add backend queue API with CRUD operations
2026-02-19 23:44:44 +01:00
senke
c73effcf88
chore(docs): add v0.101 diagnostic baseline
...
- Add V0_101_DIAGNOSTIC_BASELINE.md with initial diagnostic results
- Fix eslint: remove storybook plugin dep, add dist_verification to ignores
- Fix .storybook/preview.tsx: remove unused React, use object shorthand
2026-02-19 16:08:05 +01:00
senke
b9a929607b
fix(tests): parse RespondSuccess envelope in GetUploadStats test
2026-02-19 14:04:47 +01:00
senke
2d6b872051
fix(tests): correct UpdateProfile assertion in user_service_test
2026-02-19 14:03:28 +01:00
senke
6a499ae11b
fix(backend): resolve failing tests for v0.101
...
- config: isolate TestLoad/TestLoad_DefaultValues from env (APP_DOMAIN, DB_HOST, REDIS_URL)
- handlers: fix TestLogin_InvalidCredentials (401 not 403), TestLogout_Success, TestGetMe_Success (inject auth middleware), TestResendVerification_Success (unverify user)
2026-02-19 11:29:30 +01:00
senke
a4220bf110
chore(infra): add ClamAV to docker-compose for v0.101
2026-02-18 12:03:14 +01:00
senke
f56ca7bfd9
Merge branch 'production-ready-fixes-10504759203042880560' into main
2026-02-17 16:45:16 +01:00
senke
e11984898d
chore: consolidate CI, E2E, backend and frontend updates
...
- CI: workflows updates (cd, ci), remove playwright.yml
- E2E: global-setup, auth/playlists/profile specs
- Remove playwright-report and test-results artifacts from tracking
- Backend: auth, handlers, services, workers, migrations
- Frontend: components, features, vite config
- Add e2e-results.json to gitignore
- Docs: REMEDIATION_PROGRESS, audit archive
- Rust: chat-server, stream-server updates
2026-02-17 16:43:21 +01:00
senke
3c9d5cd608
feat(backend): OAuth FRONTEND_URL from config, docs update
...
- Add FrontendURL to config (FRONTEND_URL or VITE_FRONTEND_URL)
- OAuth handlers use config instead of os.Getenv
- Update TODOS_AUDIT: mark UUID migration items as resolved
- Add ISSUES_P2_BACKLOG.md for GitHub issues
- Add ROUTES_ORPHANES.md for routes without UI
- Document FRONTEND_URL in .env.example
2026-02-17 16:42:23 +01:00
senke
ea1b60466a
fix(backend): remediation plan — tests, playback_analytics, job queue, gamification
...
Phase 1 - Backend tests:
- Add PlaybackAnalytics to AutoMigrate in setupTestTrackHandler
- Create migration 081_create_playback_analytics.sql for production
- PlaybackAnalyticsService: return ErrTrackNotFound for missing track
- RecordPlay handler: return 404 when track not found
- CreateShare: use RespondSuccess, fix services.ErrTrackNotFound/ErrForbidden
- GetTrackLikes, UnlikeTrack: use RespondSuccess for consistent response
- GetUserLikedTracks test: fix route /users/:id/likes and params
- GetSharedTrack_InvalidToken: set share service in test
Phase 4 - Job queue transcoding:
- Add EnqueueTranscodingJob to JobEnqueuer interface
- Add TypeTranscoding and processTranscodingJob (stub) in JobWorker
- MockJobEnqueuer: implement EnqueueTranscodingJob
Phase 5 - Gamification cleanup:
- Move api_manager.go to internal/api/archive/
- Add archive/README.md documenting archived modules
- Update TODOS_AUDIT.md and FEATURE_STATUS.md
2026-02-17 16:01:45 +01:00
senke
c854701cc3
fix(backend): remove obsolete UUID migration comment in track handler
...
- trackUploadService and GetUploadProgress already use uuid.UUID
- Migration complete, no code changes needed
2026-02-17 15:35:25 +01:00
senke
89ae164ac8
refactor(backend): split config into domain modules (P2)
2026-02-16 11:12:21 +01:00
senke
057d9a8361
chore(docs): reorganize markdown files, add docs/README (P2)
2026-02-16 11:04:24 +01:00
senke
3ad91e7708
chore: remove dead code (Education, Studio, Gamification) (P2)
2026-02-16 11:03:27 +01:00
senke
563a1c9001
fix(security): verify track access before download (A04)
...
- Add TrackDownloadLicenseChecker to verify paid track download rights
- Check marketplace license when track is sold as product and user is not owner
- Return 403 with 'purchase required' message when license missing
2026-02-16 10:23:41 +01:00
senke
838d61d2a0
fix(security): add rate limiting to POST /validate (A01)
2026-02-16 10:17:28 +01:00
senke
47dfa6b805
fix(security): graceful CSRF handling when Redis unavailable (A05)
2026-02-16 10:16:50 +01:00
senke
caa5e698aa
fix(security): reject DISABLE_RATE_LIMIT_FOR_TESTS in production (A04)
2026-02-16 10:16:35 +01:00
senke
d89d3d123b
feat(analytics): complete backend analytics, remove frontend mocks
2026-02-15 16:21:20 +01:00
senke
d847374520
refactor(backend): unify architecture - migrate analytics handler to core (ADR-001)
2026-02-15 16:18:13 +01:00
senke
057057ca8f
fix(backend): implement track stats/history endpoints
2026-02-15 16:10:33 +01:00
senke
1a67ceb28b
chore: clean root directory, move design system files, update .gitignore
2026-02-15 16:05:54 +01:00
senke
68f4b86b6d
fix(backend): use explicit DISABLE_RATE_LIMIT_FOR_TESTS flag instead of env-based bypass
...
Replace NODE_ENV/APP_ENV bypass with DISABLE_RATE_LIMIT_FOR_TESTS=true.
Only test runners should set this. Prevents rate limiting bypass when
APP_ENV=development is mistakenly used in production.
Phase 1 audit - P1.6
2026-02-15 15:56:53 +01:00
senke
1bdff5410d
fix(backend): disable pprof endpoints in production
...
Conditionally register pprof routes only when APP_ENV is not production.
Prevents leaking sensitive runtime information via profiling endpoints.
Phase 1 audit - P1.5
2026-02-15 15:55:18 +01:00
senke
9c23fefe40
fix(backend): require ClamAV in production environment
...
Add validation in ValidateForEnvironment() to fail startup when
CLAMAV_REQUIRED=false in production. Virus scanning is mandatory
for all file uploads in production.
Phase 1 audit - P1.4
2026-02-15 15:54:58 +01:00
senke
93c607d272
feat(loadtests): audit 3.2 — complete k6 load tests
...
- loadtests: centralize scripts (backend, stream, chat)
- backend: health, auth, tracks, uploads, playlists, marketplace
- stream: http health, healthz, readyz
- chat: WebSocket load (register -> login -> chat token -> WS)
- ci: nightly workflow load-test-nightly.yml
- docs: README loadtests
- make: load-test-smoke, load-test-backend, load-test-all
- fix: veza-backend-api Makefile load-test (scripts/load_test_uploads.js -> loadtests)
2026-02-15 15:22:48 +01:00
senke
8ff4b730e1
refactor(config): split config.go by domain (audit 2.7)
...
- env_helpers.go: getEnv*, parseLogAggregationLabels
- db_init.go: initDatabaseWithRetry
- redis_init.go: initRedis, filteredRedisLogger
- rabbitmq.go: getRabbitMQURL
- cors.go: CORS, cookies
- rate_limit.go: rate limit defaults
- services_init.go: initServices
- middlewares_init.go: initMiddlewares, SetupMiddleware
- config.go reduced from ~1487 to ~550 LOC
2026-02-15 14:44:33 +01:00
senke
4d213a5be9
chore(audit 2.4, 2.5): remove dead code Education and cmd/modern-server
...
- Remove Education routes/handlers/core (backend)
- Remove education MSW handler, Sidebar/locales refs
- Switch Makefile, make/dev.mk, scripts to cmd/api/main.go
- Remove veza-backend-api/cmd/modern-server/
2026-02-15 14:39:40 +01:00
senke
d86b27efdc
fix(audit-1.8,1.9): implement OAuth user lookup, add cargo audit to CI
...
- 1.8: Implement GetUserByOAuthID in database.go via federated_identities join
- 1.8: Use OAuth ID lookup first in oauth_service getOrCreateUser
- 1.9: Add cargo audit step to chat-ci.yml and stream-ci.yml
Refs: AUDIT_TECHNIQUE_INTEGRAL_2026_02_15.md items 1.8, 1.9
2026-02-15 14:22:27 +01:00
senke
efbe6968f9
fix(audit-1.6,1.7): remove hardcoded test secrets, block bypass flags in prod
...
- 1.6: Replace hardcoded JWT secrets in chat server tests with runtime-generated
values (env TEST_JWT_SECRET or uuid-based fallback)
- 1.7: Add validateNoBypassFlagsInProduction() in config; fail startup if
BYPASS_CONTENT_CREATOR_ROLE or CSRF_DISABLED is set in production
Refs: AUDIT_TECHNIQUE_INTEGRAL_2026_02_15.md items 1.6, 1.7
2026-02-15 14:18:23 +01:00
senke
8ab391dd73
fix(backend): replace panic/Fatal with graceful error when Redis down (audit 1.4, P0)
...
- Add early validation in Setup() returning error if Redis nil in production
- Remove panic/Fatal from routes_core.go and router.go applyCSRFProtection
- Handle Setup() error in cmd/api/main.go and cmd/modern-server/main.go
- Mark audit item 1.4 as done
2026-02-15 14:05:20 +01:00
senke
a08d9f109f
feat(api): add PostgreSQL read replica support (3.7)
...
- Add DATABASE_READ_URL config and InitReadReplica in database package
- Add ForRead() helper for read-only handler routing
- Update TrackService and TrackSearchService to use read replica for reads
- Document setup in DEPLOYMENT_GUIDE.md and .env.template
2026-02-14 22:50:23 +01:00
senke
203b45852a
docs: update TODO audit docs after Phase 3
2026-02-14 22:45:48 +01:00
senke
d286ef5127
chore: add Turborepo for monorepo orchestration
...
- Add turbo devDependency and packageManager to root
- Create turbo.json with build, test, lint pipeline
- Add package.json to veza-backend-api, veza-chat-server, veza-stream-server
- Extend workspaces to include Go and Rust services
- Migrate CI to use turbo run for build, test, lint
2026-02-14 22:38:32 +01:00
senke
7f7b6547bc
chore: consolidate pending changes (Hyperswitch, PostCard, dashboard, stream server, etc.)
2026-02-14 21:45:15 +01:00
senke
724064bdbf
fix(api): add rate limiting on POST /api/v1/logs/frontend
2026-02-14 20:19:56 +01:00
senke
654b9f6971
perf(db): add missing indexes for file_id and cover_art_file_id
2026-02-14 18:32:05 +01:00
senke
74fa1b4fc9
perf(analytics): optimize GetTrackStats to single query
2026-02-14 18:31:29 +01:00
senke
55ec0a54a6
fix(auth): add Redis lock for concurrent refresh token requests
2026-02-14 18:29:37 +01:00
senke
15c3919311
security(webhooks): extract SSRF validation to internal/validators/url_validator
2026-02-14 18:24:39 +01:00
senke
4ef3a0bc71
chore: add go.work and optional monorepo orchestrator
2026-02-14 18:21:39 +01:00
senke
e49dba240d
refactor(backend): add track, notification, webhook repositories
2026-02-14 18:07:04 +01:00
senke
6677dc38d3
feat(migrations): add down migration scripts for rollback
2026-02-14 18:05:11 +01:00
senke
037692887f
refactor(api): extract route setup functions into dedicated files
2026-02-14 18:04:37 +01:00
senke
04c25aa24f
Phase 2 stabilisation: dead code, Modal→Dialog, feature flags, tests, router split, Rust legacy
...
Block A - Dead code:
- Remove Studio (components, views, features)
- Remove gamification + mock services (projectService, storageService, gamificationService)
- Update Sidebar, Navbar, locales
Block B - Frontend:
- Remove deprecated modal.tsx, Modal.stories (duplicate of Dialog)
- Feature flags: PLAYLIST_SEARCH, PLAYLIST_RECOMMENDATIONS, ROLE_MANAGEMENT = true
- Remove 19 orphaned tests, remove exclusions from vitest.config
Block C - Backend:
- Extract routes_auth.go from router.go
Block D - Rust:
- Remove security_legacy.rs (dead code, patterns already in security/)
2026-02-14 17:23:32 +01:00
senke
48b5a2e6c9
fix(backend): avoid nil user in GetProfile (userToProfile panic in profile handler test)
2026-02-14 14:07:03 +01:00
senke
5747eedf2f
fix(backend): serialize backup_codes as JSON in two_factor_service (fix TestLogin_Requires2FA)
2026-02-14 14:03:43 +01:00
senke
caa23312fe
chore: enable noUncheckedIndexedAccess, isolate ghost MSW handlers, document go-clamd tech debt
...
- Enable TypeScript noUncheckedIndexedAccess and fix 133 resulting errors
across 46 files with proper null guards, optional chaining, and fallbacks
- Extract education/gamification ghost feature MSW handlers into handlers-ghost.ts
- Add Storybook test plugin documentation in vitest.config.ts
- Document abandoned go-clamd dependency (2017) as tech debt in upload_validator.go
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 23:12:35 +01:00
senke
ecac9c3b03
feat(backend): add social groups, wishlist, cart, and playlist export endpoints
...
- Add Group and GroupMember models with CRUD service methods
- Implement social group endpoints: create, list, get, join, leave
- Add WishlistItem model with get/add/remove service methods
- Add CartItem model with get/add/remove/checkout service methods
- Create handlers for marketplace wishlist and cart operations
- Register playlist export (JSON/CSV) and duplicate routes
- Enable PLAYLIST_SHARE and NOTIFICATIONS feature flags
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 22:48:50 +01:00
senke
78db1fa684
fix(security): add SSRF protection, real track access validation, and pagination bounds
...
- Add IsURLSafe() function to webhook service blocking private IPs,
localhost, and cloud metadata endpoints (SSRF protection)
- Implement real validate_track_access() in stream server querying DB
for track visibility, ownership, and purchase status
- Remove dangerous JWT fallback user in chat server that allowed
deleted users to maintain access with forged credentials
- Add upper limit (100) on pagination in profile, track, and room handlers
- Fix Dockerfile.production healthcheck path to /api/v1/health
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 22:44:03 +01:00
senke
b7e1941339
fix(ci): remove remaining || true and || echo in secondary workflows
...
- cd.yml: remove || echo soft failures on Docker builds for chat-server
and stream-server. Build must fail if Dockerfile is missing in CD.
- vulnerability-scan.yml: remove || true from govulncheck command.
The step-level continue-on-error: true already handles failure
gracefully for the report-only govulncheck step.
Addresses audit findings D3, A08: 3 residual || true / || echo patterns.
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-11 23:14:21 +01:00
senke
e2a1840e56
fix(backend): add table name whitelist in testutils/db.go
...
- Add allowedTestTables map containing all known database tables
- Add validateTableName() function that panics if table name is not
in the whitelist
- Call validateTableName() before all fmt.Sprintf("DELETE FROM %s")
and fmt.Sprintf("TRUNCATE TABLE %s CASCADE") statements
- Prevents potential SQL injection via table name interpolation,
even though the risk is low (test-only code, table names come from
hardcoded lists or DB introspection)
Addresses audit finding: A03 (Injection) — minor risk in test utilities.
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-11 22:57:40 +01:00
senke
916bff002f
chore(backend): config, router, auth, stream service, sanitizer, tests
...
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-11 22:19:09 +01:00
senke
80b7c93c9e
fix(security): validate exec.Command paths in Go services
...
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-11 21:32:38 +01:00