22 commits

Author	SHA1	Message	Date
senke	441cb02233	fix(a11y): fix heading hierarchy h1→h3 gaps on 8 pages ... Changed h3 section titles to h2 on pages where they directly follow the page h1: - Library: empty state heading - Queue: "Now Playing" + "Up Next" - Search: discovery sections + results sections - Profile: "About" + "Links" - Sessions: card title - Notifications: date group headers Also: add 'api' binary to .gitignore Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-25 10:14:18 +01:00
senke	f1f3bfe5de	chore: update gitignore — exclude local files and test audio ... Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-23 15:44:17 +01:00
senke	ba04bd45a0	chore: update .gitignore — exclude binary, debug screenshots, MCP config ... - Add veza-backend-api/veza-api (99MB ELF binary) to gitignore - Add root-level debug/test screenshot patterns - Add .mcp.json (local MCP config) - Remove veza-api binary from tracking Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-17 17:43:04 +01:00
senke	9cd0da0046	fix(v0.12.6): apply all pentest remediations — 36 findings across 36 files ... CRITICAL fixes: - Race condition (TOCTOU) in payout/refund with SELECT FOR UPDATE (CRITICAL-001/002) - IDOR on analytics endpoint — ownership check enforced (CRITICAL-003) - CSWSH on all WebSocket endpoints — origin whitelist (CRITICAL-004) - Mass assignment on user self-update — strip privileged fields (CRITICAL-005) HIGH fixes: - Path traversal in marketplace upload — UUID filenames (HIGH-001) - IP spoofing — use Gin trusted proxy c.ClientIP() (HIGH-002) - Popularity metrics (followers, likes) set to json:"-" (HIGH-003) - bcrypt cost hardened to 12 everywhere (HIGH-004) - Refresh token lock made mandatory (HIGH-005) - Stream token replay prevention with access_count (HIGH-006) - Subscription trial race condition fixed (HIGH-007) - License download expiration check (HIGH-008) - Webhook amount validation (HIGH-009) - pprof endpoint removed from production (HIGH-010) MEDIUM fixes: - WebSocket message size limit 64KB (MEDIUM-010) - HSTS header in nginx production (MEDIUM-001) - CORS origin restricted in nginx-rtmp (MEDIUM-002) - Docker alpine pinned to 3.21 (MEDIUM-003/004) - Redis authentication enforced (MEDIUM-005) - GDPR account deletion expanded (MEDIUM-006) - .gitignore hardened (MEDIUM-007) LOW/INFO fixes: - GitHub Actions SHA pinning on all workflows (LOW-001) - .env.example security documentation (INFO-001) - Production CORS set to HTTPS (LOW-002) All tests pass. Go and Rust compile clean. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-14 00:44:46 +01:00
senke	2df921abd5	v0.9.1	2026-03-05 19:22:31 +01:00
senke	4464f98194	chore(release): v0.981 — Beta (staging deploy, bug bash, smoke test)	2026-03-02 19:33:42 +01:00
senke	7e015f8e73	chore(release): v0.941 — Cleanup (dead code, migrations dedup, deprecated routes)	2026-03-02 19:04:30 +01:00
senke	b103a09a25	chore: consolidate CI, E2E, backend and frontend updates ... - CI: workflows updates (cd, ci), remove playwright.yml - E2E: global-setup, auth/playlists/profile specs - Remove playwright-report and test-results artifacts from tracking - Backend: auth, handlers, services, workers, migrations - Frontend: components, features, vite config - Add e2e-results.json to gitignore - Docs: REMEDIATION_PROGRESS, audit archive - Rust: chat-server, stream-server updates	2026-02-17 16:43:21 +01:00
senke	e27b74130f	chore(e2e): Playwright webServer env for CI, gitignore e2e auth ... - Pass VITE_DOMAIN, VITE_BACKEND_PORT to webServer in CI - Add apps/web/e2e/.auth/ to gitignore	2026-02-17 16:42:48 +01:00
senke	35511ce9ca	chore: clean root directory, move design system files, update .gitignore	2026-02-15 16:05:54 +01:00
senke	67271c7b34	chore: audit 2.8 et 2.9 — gitignore et Tokio ... 2.8: Mise à jour .gitignore - .turbo/ (cache Turborepo) - *.out (Go coverage, artefacts) - test-results/ et playwright-report/ (patterns globaux) 2.9: Alignement Tokio 1.0 → 1.35 - veza-common: dependencies + dev-dependencies - veza-stream-server/tools	2026-02-15 14:47:31 +01:00
senke	92f432fb9e	chore: consolidate pending changes (Hyperswitch, PostCard, dashboard, stream server, etc.)	2026-02-14 21:45:15 +01:00
senke	ae586f6134	Phase 2 stabilisation: code mort, Modal→Dialog, feature flags, tests, router split, Rust legacy ... Bloc A - Code mort: - Suppression Studio (components, views, features) - Suppression gamification + services mock (projectService, storageService, gamificationService) - Mise à jour Sidebar, Navbar, locales Bloc B - Frontend: - Suppression modal.tsx deprecated, Modal.stories (doublon Dialog) - Feature flags: PLAYLIST_SEARCH, PLAYLIST_RECOMMENDATIONS, ROLE_MANAGEMENT = true - Suppression 19 tests orphelins, retrait exclusions vitest.config Bloc C - Backend: - Extraction routes_auth.go depuis router.go Bloc D - Rust: - Suppression security_legacy.rs (code mort, patterns déjà dans security/)	2026-02-14 17:23:32 +01:00
senke	8e03d524cf	chore: add .cursor/ to .gitignore ... Co-authored-by: Cursor <cursoragent@cursor.com>	2026-02-11 22:20:44 +01:00
senke	d7bb127920	fix(security): stop tracking veza-stream-server/.env and config/incus env files ... Co-authored-by: Cursor <cursoragent@cursor.com>	2026-02-11 19:48:51 +01:00
senke	ad60247f33	feat: global update including storybook setup and backend fixes ... - Web: Setup Storybook, added addons, configured Tailwind, added stories for UI components. - Backend: Updated API router, database, workers, and auth in common. - Stream Server: Removed SQLx queries and updated auth. - Docs & Scripts: Updated documentation and recovery scripts.	2026-02-02 19:34:14 +01:00
senke	8efbb97e6f	stabilisation commit A	2026-01-07 19:39:21 +01:00
senke	3d72d5ac3c	stabilizing apps/web: FIRST BATCH	2025-12-17 08:07:35 -05:00
okinrev	87c6461900	report generation and future tasks selection	2025-12-08 19:57:54 +01:00
okinrev	b7955a680c	P0: stabilisation backend/chat/stream + nouvelle base migrations v1 ... Backend Go: - Remplacement complet des anciennes migrations par la base V1 alignée sur ORIGIN. - Durcissement global du parsing JSON (BindAndValidateJSON + RespondWithAppError). - Sécurisation de config.go, CORS, statuts de santé et monitoring. - Implémentation des transactions P0 (RBAC, duplication de playlists, social toggles). - Ajout d’un job worker structuré (emails, analytics, thumbnails) + tests associés. - Nouvelle doc backend : AUDIT_CONFIG, BACKEND_CONFIG, AUTH_PASSWORD_RESET, JOB_WORKER_*. Chat server (Rust): - Refonte du pipeline JWT + sécurité, audit et rate limiting avancé. - Implémentation complète du cycle de message (read receipts, delivered, edit/delete, typing). - Nettoyage des panics, gestion d’erreurs robuste, logs structurés. - Migrations chat alignées sur le schéma UUID et nouvelles features. Stream server (Rust): - Refonte du moteur de streaming (encoding pipeline + HLS) et des modules core. - Transactions P0 pour les jobs et segments, garanties d’atomicité. - Documentation détaillée de la pipeline (AUDIT_STREAM_*, DESIGN_STREAM_PIPELINE, TRANSACTIONS_P0_IMPLEMENTATION). Documentation & audits: - TRIAGE.md et AUDIT_STABILITY.md à jour avec l’état réel des 3 services. - Cartographie complète des migrations et des transactions (DB_MIGRATIONS_*, DB_TRANSACTION_PLAN, AUDIT_DB_TRANSACTIONS, TRANSACTION_TESTS_PHASE3). - Scripts de reset et de cleanup pour la lab DB et la V1. Ce commit fige l’ensemble du travail de stabilisation P0 (UUID, backend, chat et stream) avant les phases suivantes (Coherence Guardian, WS hardening, etc.).	2025-12-06 11:14:38 +01:00
okinrev	6e2e16fbb5	initial: initial repo set up (README, LICENSE, CONTRIBUTORS, etc...)	2025-12-03 13:54:23 +01:00
okinrev	d6a9eef4d6	Initial commit	2025-12-03 10:02:55 +01:00