Bumps VERSION to 1.0.10 and rolls a CHANGELOG entry covering the 12
items shipped over the last cluster session :
- Légal 1-4 : cookie banner + age gate + CGU/CGV/mentions versionnées
+ royalty splits multi-créateurs.
- Sécu 5-7 : API keys (audité), JWT JTI revocation ledger, SSRF /
open-redirect on Stripe Connect + KYC.
- Ops 8-12 : MinIO cross-region replication, RUM Web Vitals, business
KPIs alerting, DB pool monitoring + N+1 detection, WCAG 2.1 AA
axe-core CI.
Refreshes :
- CHANGELOG.md — full v1.0.10 entry with sub-sections per cluster.
- docs/PROJECT_STATE.md — version table now reflects 2026-05-05 +
next-version line points at v2.0.0-rc1.
- docs/FEATURE_STATUS.md — header date + last-update note.
- CLAUDE.md — Historique entry for v1.0.10 + last-updated header.
Pre-flight : `go build ./...` clean ; targeted package tests
(handlers / database / middleware / monitoring / metrics /
core/marketplace / core/auth) all pass with VEZA_SKIP_INTEGRATION=1.
The pre-requirements blocking v2.0.0-public are now closed. Next
step is the v2.0.0-rc1 → v2.0.0-public transition (already
sequenced in the W6 GO/NO-GO checklist from v1.0.9 Day 26).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Resolves the AUDIT_REPORT v2 §2.2 drift findings on the stack table
and adds the v1.0.7 + v1.0.8 entries to the Historique section.
Stack table corrections :
- Vite 5 → Vite 7.1.5 (actual version pinned in apps/web/package.json)
- Zustand 4.5 + React Query 5.17 (was just "Zustand + React Query 5")
- Axios 1.13 added (was unmentioned)
- **OpenAPI typegen** row added — orval ^7 since v1.0.8 B9, single
source. Notes the openapi-generator-cli removal explicitly so a
future agent doesn't go looking for the legacy generator.
- MinIO row added with the dated tag
(RELEASE.2025-09-07T16-13-09Z) pinned in commit `4310dbb7`.
- Elasticsearch row clarified — dev-only orphan, search uses
Postgres FTS (was misleadingly listed as just "8.11.0").
- CI row updated to reference all 5 active workflows
(frontend-ci.yml was folded into ci.yml in commit `d6b5ae95`).
- E2E row added — Playwright 1.57 with the @critical / full split.
Historique section :
- **2026-04-23** v1.0.7 (BFG, transactions, UserRateLimiter).
- **2026-04-26** v1.0.8 (MinIO end-to-end, orval migration, E2E
workflow, queue+password annotations, authService 9/9).
"Dernière mise à jour" header bumped to 2026-04-26 v1.0.8.
"Architecture réelle du repo" date bumped likewise.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Move ASVS_CHECKLIST_v0.12.6.md, PENTEST_REPORT_VEZA_v0.12.6.md, and
REMEDIATION_MATRIX_v0.12.6.md to docs/archive/ — all reference a
pentest conducted on v0.12.6 (2026-03), stale relative to the current
v1.0.7 codebase (different security middleware, different payment
flow, different config validation).
Update CLAUDE.md tree listing and AUDIT_REPORT.md §9.1 to reflect the
archive location. Keep docs/SECURITY_SCAN_RC1.md (still current).
Closes AUDIT_REPORT §9.1 obsolete-doc item.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Completes Day 2 of the v1.0.3 → v1.0.4 cleanup sprint. The documentation
now describes the actual repo layout instead of a fictional one.
CLAUDE.md — complete rewrite
Old version referenced paths that don't exist and a protocol aimed at
implementing v0.11.0 (current tag: v1.0.3). The agent was following a
map for a city that had been rebuilt.
- backend/ → veza-backend-api/
- frontend/ → apps/web/
- ORIGIN/ (root) → veza-docs/ORIGIN/
- veza-chat-server → merged into backend-api (v0.502, commit 279a10d31)
- apps/desktop/ → never existed
Also refreshed: stack versions (Go 1.25, Vite 5, React 18.2, Axum 0.8),
commands, conventions, hook bypasses (SKIP_TYPES/SKIP_TESTS/SKIP_E2E),
scope rules kept as immutable (no AI/ML, no Web3, no gamification, no
dark patterns, no public popularity metrics).
README.md — targeted fixes
- "Version cible: v0.101" → "Version courante: v1.0.4"
- "Development Setup (v0.9.3)" → "Development Setup"
- Removed Desktop (Electron) section — never implemented
- Removed veza-chat-server from structure — merged into backend
- Removed deprecated compose files section (nothing is DEPRECATED now)
k8s runbooks — remove stale chat-server references
The disaster-recovery runbooks still scaled/restarted a deployment
that no longer exists. In a real failover these commands would have
failed silently and blocked the procedure. Files patched:
- k8s/disaster-recovery/runbooks/cluster-failover.md
- k8s/disaster-recovery/runbooks/data-restore.md
- k8s/disaster-recovery/runbooks/database-failover.md
- k8s/disaster-recovery/runbooks/rollback-procedure.md
- k8s/network-policies/README.md
- k8s/secrets/README.md
- k8s/secrets.yaml.example
Each reference is replaced by a short inline note pointing to v0.502
(commit 279a10d31) so future readers understand the history.
.env.example — remove CHAT_JWT_SECRET
Legacy env var for the deleted chat server. Replaced by an explanatory
comment.
Not in this commit (user handles on Forgejo):
- Closing the 5 open dependabot PRs on veza-chat-server/* branches
- Deleting those 5 remote branches after the PRs are closed
Refs: AUDIT_REPORT.md §5.1, §7.1, §10 P1, §10 P4
