- Add FrontendURL to config (FRONTEND_URL or VITE_FRONTEND_URL)
- OAuth handlers use config instead of os.Getenv
- Update TODOS_AUDIT: mark UUID migration items as resolved
- Add ISSUES_P2_BACKLOG.md for GitHub issues
- Add ROUTES_ORPHANES.md for routes without UI
- Document FRONTEND_URL in .env.example
- Add TrackDownloadLicenseChecker to verify paid track download rights
- Check marketplace license when track is sold as product and user is not owner
- Return 403 with 'purchase required' message when license missing
Replace NODE_ENV/APP_ENV bypass with DISABLE_RATE_LIMIT_FOR_TESTS=true.
Only test runners should set this. Prevents rate limiting bypass when
APP_ENV=development is mistakenly used in production.
Phase 1 audit - P1.6
Conditionally register pprof routes only when APP_ENV is not production.
Prevents leaking sensitive runtime information via profiling endpoints.
Phase 1 audit - P1.5
Add validation in ValidateForEnvironment() to fail startup when
CLAMAV_REQUIRED=false in production. Virus scanning is mandatory
for all file uploads in production.
Phase 1 audit - P1.4
- 1.8: Implement GetUserByOAuthID in database.go via federated_identities join
- 1.8: Use OAuth ID lookup first in oauth_service getOrCreateUser
- 1.9: Add cargo audit step to chat-ci.yml and stream-ci.yml
Refs: AUDIT_TECHNIQUE_INTEGRAL_2026_02_15.md items 1.8, 1.9
- 1.6: Replace hardcoded JWT secrets in chat server tests with runtime-generated
values (env TEST_JWT_SECRET or uuid-based fallback)
- 1.7: Add validateNoBypassFlagsInProduction() in config; fail startup if
BYPASS_CONTENT_CREATOR_ROLE or CSRF_DISABLED is set in production
Refs: AUDIT_TECHNIQUE_INTEGRAL_2026_02_15.md items 1.6, 1.7
- Add early validation in Setup() returning error if Redis nil in production
- Remove panic/Fatal from routes_core.go and router.go applyCSRFProtection
- Handle Setup() error in cmd/api/main.go and cmd/modern-server/main.go
- Mark audit item 1.4 as done
- Add DATABASE_READ_URL config and InitReadReplica in database package
- Add ForRead() helper for read-only handler routing
- Update TrackService and TrackSearchService to use read replica for reads
- Document setup in DEPLOYMENT_GUIDE.md and .env.template
- Add turbo devDependency and packageManager to root
- Create turbo.json with build, test, lint pipeline
- Add package.json to veza-backend-api, veza-chat-server, veza-stream-server
- Extend workspaces to include Go and Rust services
- Migrate CI to use turbo run for build, test, lint
- Add Group and GroupMember models with CRUD service methods
- Implement social group endpoints: create, list, get, join, leave
- Add WishlistItem model with get/add/remove service methods
- Add CartItem model with get/add/remove/checkout service methods
- Create handlers for marketplace wishlist and cart operations
- Register playlist export (JSON/CSV) and duplicate routes
- Enable PLAYLIST_SHARE and NOTIFICATIONS feature flags
Co-authored-by: Cursor <cursoragent@cursor.com>
- Add IsURLSafe() function to webhook service blocking private IPs,
localhost, and cloud metadata endpoints (SSRF protection)
- Implement real validate_track_access() in stream server querying DB
for track visibility, ownership, and purchase status
- Remove dangerous JWT fallback user in chat server that allowed
deleted users to maintain access with forged credentials
- Add upper limit (100) on pagination in profile, track, and room handlers
- Fix Dockerfile.production healthcheck path to /api/v1/health
Co-authored-by: Cursor <cursoragent@cursor.com>
- Add allowedTestTables map containing all known database tables
- Add validateTableName() function that panics if table name is not
in the whitelist
- Call validateTableName() before all fmt.Sprintf("DELETE FROM %s")
and fmt.Sprintf("TRUNCATE TABLE %s CASCADE") statements
- Prevents potential SQL injection via table name interpolation,
even though the risk is low (test-only code, table names come from
hardcoded lists or DB introspection)
Addresses audit finding: A03 (Injection) — minor risk in test utilities.
Co-authored-by: Cursor <cursoragent@cursor.com>
