Replace NODE_ENV/APP_ENV bypass with DISABLE_RATE_LIMIT_FOR_TESTS=true.
Only test runners should set this. Prevents rate limiting bypass when
APP_ENV=development is mistakenly used in production.
Phase 1 audit - P1.6
Conditionally register pprof routes only when APP_ENV is not production.
Prevents leaking sensitive runtime information via profiling endpoints.
Phase 1 audit - P1.5
Add validation in ValidateForEnvironment() to fail startup when
CLAMAV_REQUIRED=false in production. Virus scanning is mandatory
for all file uploads in production.
Phase 1 audit - P1.4
- 1.8: Implement GetUserByOAuthID in database.go via federated_identities join
- 1.8: Use OAuth ID lookup first in oauth_service getOrCreateUser
- 1.9: Add cargo audit step to chat-ci.yml and stream-ci.yml
Refs: AUDIT_TECHNIQUE_INTEGRAL_2026_02_15.md items 1.8, 1.9
- 1.6: Replace hardcoded JWT secrets in chat server tests with runtime-generated
values (env TEST_JWT_SECRET or uuid-based fallback)
- 1.7: Add validateNoBypassFlagsInProduction() in config; fail startup if
BYPASS_CONTENT_CREATOR_ROLE or CSRF_DISABLED is set in production
Refs: AUDIT_TECHNIQUE_INTEGRAL_2026_02_15.md items 1.6, 1.7
- Add early validation in Setup() returning error if Redis nil in production
- Remove panic/Fatal from routes_core.go and router.go applyCSRFProtection
- Handle Setup() error in cmd/api/main.go and cmd/modern-server/main.go
- Mark audit item 1.4 as done
- Add hls_auth_middleware in stream server (Bearer + ?token=)
- Apply auth to /hls/:track_id/* routes
- Update frontend hlsService to use stream server URL + pass JWT via xhrSetup
- Add getHLSXhrSetup() and getHLSURLWithToken() for hls.js integration
- Add VITE_HLS_BASE_URL config (derived from VITE_STREAM_URL when unset)
- Add unit tests for token extraction and HLS helpers
- Mark audit item 1.3 as done
- Fix misleading comment in TwoFactorVerify (authApi.verify2FA is for setup, not login)
- Add MSW handler for POST /auth/login/2fa
- Improve error display in AuthViewContent when 2FA verification fails
- Add integration test for 2FA login flow
- Update AUDIT_TECHNIQUE_INTEGRAL
Refs: AUDIT_TECHNIQUE_INTEGRAL_2026_02_15.md item 1.2 (P0)
- Add DATABASE_READ_URL config and InitReadReplica in database package
- Add ForRead() helper for read-only handler routing
- Update TrackService and TrackSearchService to use read replica for reads
- Document setup in DEPLOYMENT_GUIDE.md and .env.template
- Add smoke-post-deploy.spec.ts for health checks
- Add playwright.config.smoke.ts (no webServer)
- Add smoke-post-deploy job to cd.yml (runs when STAGING_URL set)
- Document procedure in e2e/README.md
- Add VITE_CDN_URL, VITE_CDN_ENABLED to .env.example
- Create getAssetURL, getAudioURL in utils/cdn.ts
- Use getAudioURL in hlsService for HLS stream URLs
- Document migration approach in ZUSTAND_MIGRATION_STRATEGY.md
- Add persistWithMigration utility for future stores
- Add version and migrate to authStore, library, ui, cartStore, playerStore
- Add useAbortSignal hook for component lifecycle cancellation
- Pass signal to apiClient in useLibraryItems, useUser, useDashboard,
useMyTracks, useNotificationMenu
- Prevents memory leaks when navigating away during fetch
- Add turbo devDependency and packageManager to root
- Create turbo.json with build, test, lint pipeline
- Add package.json to veza-backend-api, veza-chat-server, veza-stream-server
- Extend workspaces to include Go and Rust services
- Migrate CI to use turbo run for build, test, lint
