senke
778c85508b
docs(audit): reconcile top-15 priorities with tier 1-3 + BFG pass
...
Veza CI / Backend (Go) (push) Failing after 0s
Veza CI / Frontend (Web) (push) Failing after 0s
Veza CI / Rust (Stream Server) (push) Failing after 0s
Frontend CI / test (push) Failing after 0s
Security Scan / Secret Scanning (gitleaks) (push) Failing after 0s
Veza CI / Notify on failure (push) Failing after 0s
Updates AUDIT_REPORT §9/§9.bis/§9.3/§10 and FUNCTIONAL_AUDIT §7 to
reflect the 2026-04-23 cleanup session + git-filter-repo history rewrite.
Top-15 outcome:
- 10 items DONE with commit refs (b5281becebf3276d4310dbb7172581ff18eed3c4d12b901d#4 context.Background: 26/31 in _test.go, 5 legit (WS pumps, health)
#5 CSP/XFO: already complete in middleware/security_headers.go
#10 RespondWithAppError: intentional thin wrapper (handlers pkg)
- 2 deferred to v1.0.8 (#8 OpenAPI typegen, #14 E2E CI).
- 1 remaining before v1.0.7 final: #15 docs/ENV_VARIABLES.md sync.
Repo hygiene: .git 2.3 GB → 66 MB (−97%) after BFG pass, force-push
stages 1+2 OK, fingerprint match on Forgejo CA cert.
Annexe: diff table expanded v1 ↔ v2 ↔ v3.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-23 14:20:28 +02:00
senke
7fa35edc5c
chore(cleanup): untrack docker/haproxy/certs/veza.crt + regen dev keys
...
Follow-up to d12b901d
2026-04-20 10:00:45 +02:00
senke
d12b901de5
chore(cleanup): untrack debris pre-BFG — audio, PEM, screenshots, reports
...
Phase 0 (J2 cleanup) of chore/v1.0.7-cleanup branch. Pure index removals
before BFG history rewrite. No working-tree changes, no code touched.
Removed from git index (still on disk):
- 44× veza-backend-api/uploads/*.mp3 (audio fixtures, ~200MB)
- 23× root PNG screenshots (design-system, forgot-password,
register, reset-password, settings,
storybook — various prefixes)
- 1× docker/haproxy/certs/veza.pem (self-signed dev cert, regen via
scripts/generate-ssl-cert.sh)
- 1× generate_page_fix_prompts.sh (one-off generated tooling)
- 4× apps/web/*.json (AUDIT_ISSUES, audit_remediation,
lint_comprehensive, storybook-roadmap)
.gitignore enriched (post-audit J2 block) to prevent recommits:
- veza-backend-api/uploads/ (audio fixtures → git-lfs or external)
- config/ssl/*.{pem,key,crt}
- .playwright-mcp/ (MCP session debris)
- CLAUDE_CONTEXT.txt, UI_CONTEXT_SUMMARY.md, *.context.txt (AI session artefacts)
- Root PNG prefixes beyond existing rules
- apps/web/{AUDIT_ISSUES,audit_remediation,lint_comprehensive,storybook-*}.json
- /generate_page_fix_prompts.sh, /build-archive.log
Next: BFG for history rewrite to compact .git (currently 2.3 GB).
Refs: AUDIT_REPORT.md §9.1, FUNCTIONAL_AUDIT.md
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-20 09:56:47 +02:00
senke
3a5c6e1840
chore(cleanup): J1 — purge 220MB of debris, archive session docs
...
Remove accidentally-committed artifacts from v1.0.3 → v1.0.4 cleanup sprint:
Binaries (5, ~167 MB):
- veza-backend-api/{server,modern-server,encrypt_oauth_tokens,seed,seed-v2}
Reports & logs (frontend):
- 9 lint_report*.json (~32 MB)
- tsc_*.{log,txt}, ts_*.log (TypeScript error snapshots)
- storybook_*.json (1375+ stored errors)
- build_errors*.txt, final_errors.txt, build_output.txt
Reports & logs (backend):
- coverage*.out + coverage_groups/ (70 files, ~4 MB)
- 3 internal/handlers/*.go.bak files
Root audit screenshots:
- 54 audit-*.png (~11 MB visual regression baselines)
Session docs archived (not deleted):
- 78 apps/web/*.md → docs/archive/frontend-sessions-2026/
- 43 veza-backend-api/*.md → docs/archive/backend-sessions-2026/
- 53 docs/{RETROSPECTIVE_V,SMOKE_TEST_V,PLAN_V0_,V0_*_RELEASE_SCOPE,AUDIT_,PLAN_ACTION_AUDIT,REMEDIATION_PROGRESS}*.md → docs/archive/v0-history/
Stale scripts removed (Jan 2026 MVP-era, hardcoded v0.101):
- start_{iteration,mvp,recovery}.sh
- test_{mvp_endpoints,protected_endpoints,user_journey}.sh
- validate_v0101.sh, verify_logs_setup.sh, gen_hash.py
.gitignore updated to prevent recurrence.
README.md and CONTRIBUTING.md preserved in both apps/web/ and veza-backend-api/.
Total: 169 deletions, 174 renames, 1 .gitignore modification.
Refs: AUDIT_REPORT.md §11
2026-04-14 17:01:27 +02:00
senke
441cb02233
fix(a11y): fix heading hierarchy h1→h3 gaps on 8 pages
...
Changed h3 section titles to h2 on pages where they directly follow the page h1:
- Library: empty state heading
- Queue: "Now Playing" + "Up Next"
- Search: discovery sections + results sections
- Profile: "About" + "Links"
- Sessions: card title
- Notifications: date group headers
Also: add 'api' binary to .gitignore
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 10:14:18 +01:00
senke
f1f3bfe5de
chore: update gitignore — exclude local files and test audio
...
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 15:44:17 +01:00
senke
ba04bd45a0
chore: update .gitignore — exclude binary, debug screenshots, MCP config
...
- Add veza-backend-api/veza-api (99MB ELF binary) to gitignore
- Add root-level debug/test screenshot patterns
- Add .mcp.json (local MCP config)
- Remove veza-api binary from tracking
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-17 17:43:04 +01:00
senke
9cd0da0046
fix(v0.12.6): apply all pentest remediations — 36 findings across 36 files
...
CRITICAL fixes:
- Race condition (TOCTOU) in payout/refund with SELECT FOR UPDATE (CRITICAL-001/002)
- IDOR on analytics endpoint — ownership check enforced (CRITICAL-003)
- CSWSH on all WebSocket endpoints — origin whitelist (CRITICAL-004)
- Mass assignment on user self-update — strip privileged fields (CRITICAL-005)
HIGH fixes:
- Path traversal in marketplace upload — UUID filenames (HIGH-001)
- IP spoofing — use Gin trusted proxy c.ClientIP() (HIGH-002)
- Popularity metrics (followers, likes) set to json:"-" (HIGH-003)
- bcrypt cost hardened to 12 everywhere (HIGH-004)
- Refresh token lock made mandatory (HIGH-005)
- Stream token replay prevention with access_count (HIGH-006)
- Subscription trial race condition fixed (HIGH-007)
- License download expiration check (HIGH-008)
- Webhook amount validation (HIGH-009)
- pprof endpoint removed from production (HIGH-010)
MEDIUM fixes:
- WebSocket message size limit 64KB (MEDIUM-010)
- HSTS header in nginx production (MEDIUM-001)
- CORS origin restricted in nginx-rtmp (MEDIUM-002)
- Docker alpine pinned to 3.21 (MEDIUM-003/004)
- Redis authentication enforced (MEDIUM-005)
- GDPR account deletion expanded (MEDIUM-006)
- .gitignore hardened (MEDIUM-007)
LOW/INFO fixes:
- GitHub Actions SHA pinning on all workflows (LOW-001)
- .env.example security documentation (INFO-001)
- Production CORS set to HTTPS (LOW-002)
All tests pass. Go and Rust compile clean.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-14 00:44:46 +01:00
senke
2df921abd5
v0.9.1
2026-03-05 19:22:31 +01:00
senke
4464f98194
chore(release): v0.981 — Beta (staging deploy, bug bash, smoke test)
Stream Server CI / test (push) Failing after 0s
2026-03-02 19:33:42 +01:00
senke
7e015f8e73
chore(release): v0.941 — Cleanup (dead code, migrations dedup, deprecated routes)
Backend API CI / test-unit (push) Failing after 0s
Backend API CI / test-integration (push) Failing after 0s
Stream Server CI / test (push) Failing after 0s
2026-03-02 19:04:30 +01:00
senke
b103a09a25
chore: consolidate CI, E2E, backend and frontend updates
...
- CI: workflows updates (cd, ci), remove playwright.yml
- E2E: global-setup, auth/playlists/profile specs
- Remove playwright-report and test-results artifacts from tracking
- Backend: auth, handlers, services, workers, migrations
- Frontend: components, features, vite config
- Add e2e-results.json to gitignore
- Docs: REMEDIATION_PROGRESS, audit archive
- Rust: chat-server, stream-server updates
2026-02-17 16:43:21 +01:00
senke
e27b74130f
chore(e2e): Playwright webServer env for CI, gitignore e2e auth
...
- Pass VITE_DOMAIN, VITE_BACKEND_PORT to webServer in CI
- Add apps/web/e2e/.auth/ to gitignore
2026-02-17 16:42:48 +01:00
senke
35511ce9ca
chore: clean root directory, move design system files, update .gitignore
2026-02-15 16:05:54 +01:00
senke
67271c7b34
chore: audit 2.8 et 2.9 — gitignore et Tokio
...
2.8: Mise à jour .gitignore
- .turbo/ (cache Turborepo)
- *.out (Go coverage, artefacts)
- test-results/ et playwright-report/ (patterns globaux)
2.9: Alignement Tokio 1.0 → 1.35
- veza-common: dependencies + dev-dependencies
- veza-stream-server/tools
2026-02-15 14:47:31 +01:00
senke
92f432fb9e
chore: consolidate pending changes (Hyperswitch, PostCard, dashboard, stream server, etc.)
2026-02-14 21:45:15 +01:00
senke
ae586f6134
Phase 2 stabilisation: code mort, Modal→Dialog, feature flags, tests, router split, Rust legacy
...
Bloc A - Code mort:
- Suppression Studio (components, views, features)
- Suppression gamification + services mock (projectService, storageService, gamificationService)
- Mise à jour Sidebar, Navbar, locales
Bloc B - Frontend:
- Suppression modal.tsx deprecated, Modal.stories (doublon Dialog)
- Feature flags: PLAYLIST_SEARCH, PLAYLIST_RECOMMENDATIONS, ROLE_MANAGEMENT = true
- Suppression 19 tests orphelins, retrait exclusions vitest.config
Bloc C - Backend:
- Extraction routes_auth.go depuis router.go
Bloc D - Rust:
- Suppression security_legacy.rs (code mort, patterns déjà dans security/)
2026-02-14 17:23:32 +01:00
senke
8e03d524cf
chore: add .cursor/ to .gitignore
...
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-11 22:20:44 +01:00
senke
d7bb127920
fix(security): stop tracking veza-stream-server/.env and config/incus env files
...
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-11 19:48:51 +01:00
senke
ad60247f33
feat: global update including storybook setup and backend fixes
...
- Web: Setup Storybook, added addons, configured Tailwind, added stories for UI components.
- Backend: Updated API router, database, workers, and auth in common.
- Stream Server: Removed SQLx queries and updated auth.
- Docs & Scripts: Updated documentation and recovery scripts.
2026-02-02 19:34:14 +01:00
senke
8efbb97e6f
stabilisation commit A
2026-01-07 19:39:21 +01:00
senke
3d72d5ac3c
stabilizing apps/web: FIRST BATCH
2025-12-17 08:07:35 -05:00
okinrev
87c6461900
report generation and future tasks selection
2025-12-08 19:57:54 +01:00
okinrev
b7955a680c
P0: stabilisation backend/chat/stream + nouvelle base migrations v1
...
Backend Go:
- Remplacement complet des anciennes migrations par la base V1 alignée sur ORIGIN.
- Durcissement global du parsing JSON (BindAndValidateJSON + RespondWithAppError).
- Sécurisation de config.go, CORS, statuts de santé et monitoring.
- Implémentation des transactions P0 (RBAC, duplication de playlists, social toggles).
- Ajout d’un job worker structuré (emails, analytics, thumbnails) + tests associés.
- Nouvelle doc backend : AUDIT_CONFIG, BACKEND_CONFIG, AUTH_PASSWORD_RESET, JOB_WORKER_*.
Chat server (Rust):
- Refonte du pipeline JWT + sécurité, audit et rate limiting avancé.
- Implémentation complète du cycle de message (read receipts, delivered, edit/delete, typing).
- Nettoyage des panics, gestion d’erreurs robuste, logs structurés.
- Migrations chat alignées sur le schéma UUID et nouvelles features.
Stream server (Rust):
- Refonte du moteur de streaming (encoding pipeline + HLS) et des modules core.
- Transactions P0 pour les jobs et segments, garanties d’atomicité.
- Documentation détaillée de la pipeline (AUDIT_STREAM_*, DESIGN_STREAM_PIPELINE, TRANSACTIONS_P0_IMPLEMENTATION).
Documentation & audits:
- TRIAGE.md et AUDIT_STABILITY.md à jour avec l’état réel des 3 services.
- Cartographie complète des migrations et des transactions (DB_MIGRATIONS_*, DB_TRANSACTION_PLAN, AUDIT_DB_TRANSACTIONS, TRANSACTION_TESTS_PHASE3).
- Scripts de reset et de cleanup pour la lab DB et la V1.
Ce commit fige l’ensemble du travail de stabilisation P0 (UUID, backend, chat et stream) avant les phases suivantes (Coherence Guardian, WS hardening, etc.).
2025-12-06 11:14:38 +01:00
okinrev
6e2e16fbb5
initial: initial repo set up (README, LICENSE, CONTRIBUTORS, etc...)
2025-12-03 13:54:23 +01:00
okinrev
d6a9eef4d6
Initial commit
2025-12-03 10:02:55 +01:00
