42 commits

Author	SHA1	Message	Date
senke	26aa51a2ab	Merge branch 'feat/v0.13.3-polish-securite-avancee' ... Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-13 13:39:38 +01:00
senke	8afe01c0c0	Merge branch 'feat/v0.13.2-consolidation-design-system'	2026-03-13 10:16:09 +01:00
senke	e22db9c321	docs: update VEZA_VERSIONS_ROADMAP [v0.13.3 DONE] ... Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-13 10:09:46 +01:00
senke	d61842879d	docs: update VEZA_VERSIONS_ROADMAP [v0.13.2 DONE] ... Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-13 09:46:07 +01:00
senke	565a37f7fe	docs: update VEZA_VERSIONS_ROADMAP [v0.13.1 DONE] ... Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-12 22:39:25 +01:00
senke	d0ae65bd88	docs: update VEZA_VERSIONS_ROADMAP [v0.12.8 DONE] ... Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-12 18:45:07 +01:00
senke	16860701f7	docs: update VEZA_VERSIONS_ROADMAP [v0.12.7 DONE] ... Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-12 14:29:59 +01:00
senke	e4dd09a909	feat(v0.13.0): conformité features partielles — CAPTCHA, password history, login history, SMS 2FA ... TASK-CONF-001: SMS 2FA service (sms_2fa_service.go) — SMSProvider interface, rate limiting (3/h), 6-digit codes, 5min expiry, LogSMSProvider for dev. TASK-CONF-002: CAPTCHA service (captcha_service.go) — Cloudflare Turnstile verification with fail-open + RequireCaptcha middleware. 11 tests. TASK-CONF-003: Auth features completed: - F014 password history (password_history_service.go) — checks last 5 hashes, integrated into PasswordService.ChangePassword. 3 tests. - F024 login history (login_history_service.go) — Record, GetUserHistory, CountRecentFailures for security auditing. - F010/F013/F018/F021/F026 verified already implemented. TASK-CONF-004: F075 ClamAV verified implemented. F080 watermark deferred (P4). TASK-CONF-005: ADR-005 handler architecture documented (keep dual, migrate forward). TASK-CONF-006: Frontend 0 TODO/FIXME, backend 1 — criteria met. Migration: 970_password_login_history_v0130.sql (password_history, login_history, sms_verification_codes tables). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-12 09:31:50 +01:00
senke	0aa77d2bd9	feat(v0.12.9): ethical bias tests, discovery algorithm docs, CI coverage gates ... TASK-ETH-001: 4 discovery bias tests (genre/tag browse, emerging artist visibility, metrics not exposed in JSON). Verifies chronological ordering regardless of play count. TASK-ETH-002: 4 search fairness tests (artist 0 plays discoverable, zero-play tracks not filtered, default sort is chronological, no popularity bias in default ranking). TASK-ETH-003: veza-docs/DISCOVERY_ALGORITHM.md — documents all 6 discovery mechanisms, ethical constraints, and forbidden patterns per ORIGIN specs. TASK-COV-001: CI coverage gates — Go >= 70% (backend-ci.yml), Rust >= 50% (rust-ci.yml with cargo-tarpaulin). Extended Go test scope to core/ and middleware/. TASK-COV-002: Coverage badge JSON artifact on main push (shields.io compatible). All 8 ethical tests PASS. Build clean. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-12 08:19:41 +01:00
senke	72b732664a	feat(v0.12.6.3): remove ghost modules — gamification, A/B testing, GraphQL stubs ... Deleted 8 dead code modules identified by audit diagnostic: - api/contest/, sound_design_contest/, production_challenge/, voting_system/ (gamification stubs — violate CLAUDE.md Rule 3: no XP/streaks/leaderboards/badges) - models/contest.go (314 lines: ContestBadge with rarity, ContestPrize, ContestVote) - models/user.go: removed orphan JuryMember struct (contest reference) - services/playback_abtest_service.go + test (476+579 lines: A/B testing on playback metrics — violates ORIGIN_UI_UX_SYSTEM.md §13 anti-dark-patterns) - api/graphql/ (REST-only per ORIGIN spec) Kept: listing/, offer/ (marketplace stubs, ORIGIN-approved), grpc/ (ORIGIN §9 approved). Verified: go build passes, grep confirms 0 forbidden terms remaining. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-12 07:29:56 +01:00
senke	7a0819f69a	feat(v0.12.6.2): enforce MFA for admin/moderator + align refresh token TTL to 7 days ... TASK-SFIX-001: MFA enforcement for privileged roles - Add RequireMFA() middleware, TwoFactorChecker interface, SetTwoFactorChecker() - Apply to all 3 admin route groups (platform, moderation, core) - Returns 403 "mfa_setup_required" if admin/moderator without 2FA - Regular users bypass the check - Ref: ORIGIN_SECURITY_FRAMEWORK.md Rule 5 TASK-SFIX-002: Refresh token TTL alignment - jwt_service.go: RefreshTokenTTL 14d→7d, RememberMeRefreshTokenTTL 30d→7d - handlers/auth.go: Cookie max-age and session expiresIn → 7d across Login, LoginWith2FA, Register, Refresh handlers - middleware/auth.go: Session auto-refresh default 30d→7d - Ref: ORIGIN_SECURITY_FRAMEWORK.md Rule 4 TASK-SFIX-003: 5 unit tests — all PASS - TestRequireMFA_AdminWithoutMFA, TestRequireMFA_AdminWithMFA - TestRequireMFA_RegularUserNotAffected - TestRefreshTokenTTL_Is7Days, TestAccessTokenTTL_Is5Minutes Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-12 06:53:27 +01:00
senke	0e4117f028	docs: integrate audit roadmap into VEZA_VERSIONS_ROADMAP — v0.12.6.1 DONE, 14 versions added ... - Mark v0.12.6.1 (pentest remediation 30/30) as DONE - Add 14 new versions from audit: v0.12.6.2→v1.0.0-rc1 - Update tracking table with priorities P0→P3 - Update v0.12.6 checkboxes (all findings now resolved) - Add Phase P7 (Conformité) and Validation phases - Update AUDIT_05_ROADMAP_v1.0.md to reflect completed remediation Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-12 06:34:52 +01:00
senke	0d845ebf2c	Merge branch 'feat/v0.12.6-pentest-audit' ... # Conflicts: # VEZA_VERSIONS_ROADMAP.md	2026-03-11 23:05:26 +01:00
senke	e35f1c0e51	Merge branch 'feat/v0.12.5-pwa-mobile' ... # Conflicts: # VEZA_VERSIONS_ROADMAP.md	2026-03-11 23:05:01 +01:00
senke	8f4ba0c284	Merge branch 'feat/v0.12.4-performance-scalabilite' ... # Conflicts: # VEZA_VERSIONS_ROADMAP.md	2026-03-11 23:04:31 +01:00
senke	f56b5a2b45	feat(v0.12.6): consolidated audit — 2 CRITICAL, 10 HIGH findings ... Deep audit with 6 parallel analysis passes reveals additional findings: CRITICAL: - CRIT-001: IDOR on chat rooms — any user can read private conversations - CRIT-002: play_count/like_count publicly exposed (violates VEZA ethics) NEW HIGH: - HIGH-004/005: Race conditions on promo codes and exclusive licenses - HIGH-006: Rate limiter bypass via X-Forwarded-For (no TrustedProxies) - HIGH-007: GDPR hard delete incomplete (Redis, ES, audit_logs) - HIGH-008: RTMP callback auth fallback to stream_key as secret - HIGH-009: Co-listening host hijack by non-host participants - HIGH-010: Moderator can issue strikes without conflict-of-interest check Total: 2 CRITICAL, 10 HIGH, 12 MEDIUM, 6 LOW, 5 INFO Estimated remediation: ~39h30 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-11 15:44:51 +01:00
senke	d6b614cc42	docs: update VEZA_VERSIONS_ROADMAP [v0.12.6 DONE] ... Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-11 14:31:54 +01:00
senke	8f0de5727d	docs: update VEZA_VERSIONS_ROADMAP [v0.12.5 DONE] ... Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-11 10:10:53 +01:00
senke	9b0ae525db	docs: update VEZA_VERSIONS_ROADMAP [v0.12.4 DONE] ... Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-11 09:59:04 +01:00
senke	9e0cfb23c8	docs: update VEZA_VERSIONS_ROADMAP [v0.12.3 DONE] ... Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-11 09:47:42 +01:00
senke	f0304d78ba	docs: update VEZA_VERSIONS_ROADMAP [v0.12.2 DONE] ... Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-10 19:55:56 +01:00
senke	67a3d60266	docs: update VEZA_VERSIONS_ROADMAP [v0.12.1 DONE] ... Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-10 19:39:01 +01:00
senke	d4a55b44f3	docs: update VEZA_VERSIONS_ROADMAP [v0.12.0 DONE] ... Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-10 18:53:39 +01:00
senke	ba286f59cd	docs: update VEZA_VERSIONS_ROADMAP [v0.11.3 DONE] ... Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-10 18:27:47 +01:00
senke	4ea725157e	docs: update VEZA_VERSIONS_ROADMAP [v0.11.2 DONE] ... Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-10 17:51:36 +01:00
senke	020ebd9272	docs: update VEZA_VERSIONS_ROADMAP [v0.11.1 DONE] ... Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-10 17:14:39 +01:00
senke	217ba95796	docs: update VEZA_VERSIONS_ROADMAP [v0.11.0 DONE] ... - Mark v0.11.0 Analytics Créateur as ✅ DONE (2026-03-10) - Check all F381-F385 tasks and acceptance criteria - Fix tracking table: v0.9.8 and v0.10.0 now ✅ DONE (were inconsistent) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-10 16:39:20 +01:00
senke	19fec9e40a	feat(gdpr): v0.10.8 portabilité données - export ZIP async, suppression compte, hard delete cron ... - Export: table data_exports, POST /me/export (202), GET /me/exports, messages+playback_history - Notification email quand ZIP prêt, rate limit 3/jour - Suppression: keep_public_tracks, anonymisation PII complète (users, user_profiles) - HardDeleteWorker: final anonymization après 30 jours - Frontend: POST export, checkbox keep_public_tracks - MSW handlers pour Storybook	2026-03-10 13:57:04 +01:00
senke	871a0f2a05	feat(v0.10.7): Collaboration Temps Réel F481-F483 ... - F481: Co-listening sessions (WebSocket sync, ListenTogether page) - F482: Stem sharing (upload/list/download wav,aiff,flac) - F483: Collaborative rooms (type collaborative, max 10, invite-only) - Roadmap: v0.10.7 → DONE	2026-03-10 13:34:16 +01:00
senke	eb2862092d	feat(v0.10.6): Livestreaming basique F471-F476 ... - Backend: callbacks on_publish/on_publish_done, UpdateStreamURL, GetByStreamKey - Nginx-RTMP: config infra, docker-compose service (profil live) - Frontend: stream_url dans LiveStream, HLS.js dans LiveViewPlayer, état Stream terminé - Chat: rate limit send_live_message 1 msg/3s pour rooms live_streams - Env: RTMP_CALLBACK_SECRET, STREAM_HLS_BASE_URL, NGINX_RTMP_HOST - Roadmap v0.10.6 marquée DONE	2026-03-10 10:21:57 +01:00
senke	dd23805401	feat(v0.10.5): Notifications Complètes (F551-F555) ... - Phase 1: Default prefs — push_message & push_follow only; migration 941 - Phase 2: Digest = new tracks from followed artists (ORIGIN §8.1), not unread notifications - Phase 3: Toggle 'désactiver marketing' + button 'Tout désactiver sauf messages et follows' - Phase 4: PushPreferencesSection first in NotificationSettings (source of truth) - Roadmap: v0.10.5 → DONE	2026-03-10 10:09:32 +01:00
senke	ac182d9f35	feat(v0.10.4): Playlists collaboratives - F136, F140, F141, F143, F145 ... Backend: - F141: GET /discover/playlists/editorial for editorial playlists - F143: GET /playlists/shared/:token (public, no auth) - F145: POST /playlists/import (JSON), GET /playlists/:id/export/m3u - F136: GET /playlists/favoris (creates Favoris playlist if needed) - Repo: GetFavorisByUserID, service GetOrCreateFavorisPlaylist Frontend: - SharedPlaylistPage at /playlists/shared/:token (public route) - Editorial playlists section in DiscoverPage - Export M3U in ExportPlaylistButton dropdown - Import JSON via ImportPlaylistButton (PlaylistListPage) - Favoris sidebar link, FavorisRedirectPage, AddToFavorisButton on tracks Roadmap: v0.10.4 marked DONE	2026-03-09 16:49:05 +01:00
senke	6111ae6136	feat(v0.10.3): Commentaires & Interactions Sociales - F201-F215 ... - F201: Commentaires avec timestamp cliquable, modération mots-clés - F202: Likes privés (compteur visible créateur uniquement) - F203: Reposts de tracks sur le profil, bouton Repost, onglet Reposts - F204: Notifications (commentaire, repost), pas de gamification Backend: migrations 127/128, comment_moderation_service, track_repost_service, GetTrackLikes/GetTrack masquent like_count pour non-créateurs Frontend: LikeButton isCreator, RepostButton, Reposts tab profil, timestamp seek	2026-03-09 10:30:47 +01:00
senke	171a154763	feat(v0.10.2): Recherche fulltext Elasticsearch - F361-F365 ... - Elasticsearch 8.x dans docker-compose.dev - Package internal/elasticsearch: client, config, mappings, indices - Sync PG→ES: reindex tracks/users/playlists, IndexTrack/DeleteTrack - SearchService ES: multi_match + fuzziness (typo tolerance), highlighting - Fallback gracieux: PostgreSQL si ELASTICSEARCH_URL absent - Routes: GET /search, GET /search/suggestions, POST /admin/search/reindex - Frontend: searchApi cursor/limit params (extensibilité) - docs/ENV_VARIABLES: ELASTICSEARCH_URL, ELASTICSEARCH_INDEX, ELASTICSEARCH_AUTO_INDEX - Roadmap v0.10.2 → DONE	2026-03-09 10:13:18 +01:00
senke	4a422fc4c3	feat(v0.10.1): Tags & Genres discover - F351-F355 ... - Tags déclaratifs (max 10, 30 chars) via track_tags + tags - Genres normalisés (max 3) via track_genres + taxonomy - GET /api/v1/discover/genre/:genre, tag/:tag (browse chrono) - POST/DELETE follow genre/tag - Section feed "Nouvelles sorties dans vos genres" - Track update: SyncTrackTags, SyncTrackGenres via discover service - Frontend: discoverService, FeedPage by_genres, DiscoverPage - Migration 126_tags_genres_discover - MSW handlers for discover	2026-03-09 01:52:56 +01:00
senke	41d55e107d	v0.9.7 beta	2026-03-06 18:58:37 +01:00
senke	257077ad49	v0.9.6	2026-03-06 10:29:30 +01:00
senke	f5bca2b642	v0.9.5	2026-03-06 10:02:53 +01:00
senke	2ed2bb9dcf	v0.9.4	2026-03-05 23:03:43 +01:00
senke	5197bd24ee	v0.9.3	2026-03-05 19:35:57 +01:00
senke	c8c5debe84	finalizing v0.9.2	2026-03-05 19:30:28 +01:00
senke	2df921abd5	v0.9.1	2026-03-05 19:22:31 +01:00