MinIO images were pinned to `:latest` in 4 compose files — supply-
chain risk (auto-updates on every `docker compose pull`, bit-rot if
upstream changes behavior). Pin to dated RELEASE.* tags documented
by MinIO (conservative Sep 2025 release).
Changed:
docker-compose.yml ×2 (minio + mc)
docker-compose.dev.yml ×2
docker-compose.prod.yml ×2
docker-compose.staging.yml ×2
Tags:
minio/minio:RELEASE.2025-09-07T16-13-09Z
minio/mc:RELEASE.2025-09-07T05-25-40Z
Operator should bump to latest verified release when they next
revisit infra. Tag chosen conservatively — if it does not exist in
local Docker cache, `docker compose pull` will surface the error
immediately (safer than silent drift).
Refs: AUDIT_REPORT.md §6.1 Dette 1 (MinIO :latest 4 occurrences).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Updated Hyperswitch payment router from 2025.01.21.0-standalone to
2026.03.11.0-standalone in both docker-compose.yml and docker-compose.prod.yml.
All 30/30 pentest findings now remediated.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
MEDIUM-002: Remove manual X-Forwarded-For parsing in metrics_protection.go,
use c.ClientIP() only (respects SetTrustedProxies)
MEDIUM-003: Pin ClamAV Docker image to 1.4 across all compose files
MEDIUM-004: Add clampLimit(100) to 15+ handlers that parsed limit directly
MEDIUM-006: Remove unsafe-eval from CSP script-src on Swagger routes
MEDIUM-007: Pin all GitHub Actions to SHA in 11 workflow files
MEDIUM-008: Replace rabbitmq:3-management-alpine with rabbitmq:3-alpine in prod
MEDIUM-009: Add trial-already-used check in subscription service
MEDIUM-010: Add 60s periodic token re-validation to WebSocket connections
MEDIUM-011: Mask email in auth handler logs with maskEmail() helper
MEDIUM-012: Add k-anonymity threshold (k=5) to playback analytics stats
LOW-001: Align frontend password policy to 12 chars (matching backend)
LOW-003: Replace deprecated dotenv with dotenvy crate in Rust stream server
LOW-004: Enable xpack.security in Elasticsearch dev/local compose files
LOW-005: Accept context.Context in CleanupExpiredSessions instead of Background()
LOW-002: Noted — Hyperswitch version update deferred (requires payment integration tests)
29/30 findings remediated. 1 noted (LOW-002).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add HLSEnabled and HLSStorageDir to backend config (HLS_STREAMING env)
- Register HLS serving routes (master.m3u8, quality playlist, segments)
behind HLSEnabled feature flag on existing track routes
- Add GetHLSStatus and TriggerHLSTranscode methods to StreamService
for stream server communication
- Update docker-compose (dev, staging, prod) with HLS env vars and
shared hls-data volume between backend and stream-server
- Stream callback already correctly updates stream_manifest_url
Production (docker-compose.prod.yml):
- Change sslmode=disable to sslmode=require on all 3 DATABASE_URLs
- Replace JWT_SECRET fallback defaults with :? syntax (fails if unset)
- Replace DB_PASS default 'password' with :? syntax (fails if unset)
- Separate RABBITMQ_PASS from DB_PASS, require explicit setting
Staging (docker-compose.staging.yml):
- Add sslmode=require to DATABASE_URL
- Replace all default passwords with :? syntax (fails if unset)
docker-compose up with these files will now FAIL if required secrets
are not explicitly provided via environment variables.
Addresses audit findings: A02 (Cryptographic Failures), section 7 (Infra).
Co-authored-by: Cursor <cursoragent@cursor.com>
- Configure LOG_DIR=/var/log/veza pour tous les services
- Ajoute scripts de gestion des logs (setup, view, rotate)
- Configure volume Docker partagé pour les logs
- Logs organisés par service avec fichiers séparés pour les erreurs
- Rotation automatique : 100MB, 10 backups, 30 jours, compression gzip
- Documentation dans LOGGING.md et ENV_CONFIG.md
Services configurés:
- Backend API: backend-api.log, redis.log, db.log, rabbitmq.log
- Chat Server: chat-server.log (à configurer)
- Stream Server: stream-server.log (à configurer)
Le backend API a déjà toute l'infrastructure de logging en place.
Les serveurs chat et stream utiliseront LOG_DIR depuis l'environnement.
