TASK-AUDIO-001: Enhanced gapless playback with 10s pre-buffering
TASK-AUDIO-002: Crossfade UI in expanded player (0-12s configurable slider)
TASK-AUDIO-003: Audio normalization via Web Audio API GainNode (EBU R128)
TASK-AUDIO-004: Complete player features (playback speed, preload, fade)
- AudioPlayerService: added normalization gain node, connectAudioGraph(),
setNormalizationGain(), setNormalizationEnabled() with dB-to-linear conversion
- useAudioAnalyser: integrated with gain node for correct audio graph routing
- useAudioNormalization: new hook syncing normalization state with track changes
- PlayerStore: added normalizationEnabled setting (persisted)
- AudioSettingsPanel: new component with crossfade slider + normalization toggle
- PlayerExpanded: added audio settings panel with Settings2 icon toggle
- GlobalPlayer: integrated useAudioNormalization hook
- usePlayer: extended pre-buffer window from 5s to 10s for gapless playback
- 97 tests passing (56 service + 41 store)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- API key rate limiting middleware (1000 reads/h, 200 writes/h par clé)
— tracking séparé read/write, par API key ID (pas par IP)
— headers X-RateLimit-Limit/Remaining/Reset sur chaque réponse
- API key scope enforcement middleware (read → GET, write → POST/PUT/DELETE)
— admin scope permet tout, CSRF skip pour API key auth
- OpenAPI spec: ajout securityDefinition ApiKeyAuth (X-API-Key header)
- Swagger annotations: ajout ApiKeyAuth dans cmd/api/main.go
- Wiring dans router.go: middlewares appliqués sur tout le groupe /api/v1
- Tests: 10 tests (5 rate limiter + 5 scope enforcement), tous PASS
Backend existant déjà en place (pré-v0.12.8):
- Swagger UI (gin-swagger + frontend SwaggerUIDoc component)
- API key CRUD (create/list/delete + X-API-Key auth dans AuthMiddleware)
- Developer Dashboard frontend (API keys, webhooks, playground)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Ajout traductions espagnol (es.json, 532 clés)
- Extension type Language à 'en' | 'fr' | 'es' dans tous les stores/hooks/types
- Formatage dates/nombres/monnaies selon la locale courante (Intl API)
- Utilitaires formatNumber() et formatCurrency() ajoutés
- Temps relatifs localisés (en/fr/es) dans date.ts
- PreferenceSettings utilise i18n pour les labels (plus de hardcoded French)
- Synchronisation i18n immédiate au changement de langue (sans rechargement)
- Tests: 50 tests passent (useTranslation + date utilities, 3 locales)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
TASK-ETH-001: 4 discovery bias tests (genre/tag browse, emerging artist visibility,
metrics not exposed in JSON). Verifies chronological ordering regardless of play count.
TASK-ETH-002: 4 search fairness tests (artist 0 plays discoverable, zero-play tracks
not filtered, default sort is chronological, no popularity bias in default ranking).
TASK-ETH-003: veza-docs/DISCOVERY_ALGORITHM.md — documents all 6 discovery mechanisms,
ethical constraints, and forbidden patterns per ORIGIN specs.
TASK-COV-001: CI coverage gates — Go >= 70% (backend-ci.yml), Rust >= 50% (rust-ci.yml
with cargo-tarpaulin). Extended Go test scope to core/ and middleware/.
TASK-COV-002: Coverage badge JSON artifact on main push (shields.io compatible).
All 8 ethical tests PASS. Build clean.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Updated Hyperswitch payment router from 2025.01.21.0-standalone to
2026.03.11.0-standalone in both docker-compose.yml and docker-compose.prod.yml.
All 30/30 pentest findings now remediated.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
MEDIUM-002: Remove manual X-Forwarded-For parsing in metrics_protection.go,
use c.ClientIP() only (respects SetTrustedProxies)
MEDIUM-003: Pin ClamAV Docker image to 1.4 across all compose files
MEDIUM-004: Add clampLimit(100) to 15+ handlers that parsed limit directly
MEDIUM-006: Remove unsafe-eval from CSP script-src on Swagger routes
MEDIUM-007: Pin all GitHub Actions to SHA in 11 workflow files
MEDIUM-008: Replace rabbitmq:3-management-alpine with rabbitmq:3-alpine in prod
MEDIUM-009: Add trial-already-used check in subscription service
MEDIUM-010: Add 60s periodic token re-validation to WebSocket connections
MEDIUM-011: Mask email in auth handler logs with maskEmail() helper
MEDIUM-012: Add k-anonymity threshold (k=5) to playback analytics stats
LOW-001: Align frontend password policy to 12 chars (matching backend)
LOW-003: Replace deprecated dotenv with dotenvy crate in Rust stream server
LOW-004: Enable xpack.security in Elasticsearch dev/local compose files
LOW-005: Accept context.Context in CleanupExpiredSessions instead of Background()
LOW-002: Noted — Hyperswitch version update deferred (requires payment integration tests)
29/30 findings remediated. 1 noted (LOW-002).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Aligns the in-memory implementation with the updated services.UserRepository
interface for consistency (HIGH-003 context propagation).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Deep audit with 6 parallel analysis passes reveals additional findings:
CRITICAL:
- CRIT-001: IDOR on chat rooms — any user can read private conversations
- CRIT-002: play_count/like_count publicly exposed (violates VEZA ethics)
NEW HIGH:
- HIGH-004/005: Race conditions on promo codes and exclusive licenses
- HIGH-006: Rate limiter bypass via X-Forwarded-For (no TrustedProxies)
- HIGH-007: GDPR hard delete incomplete (Redis, ES, audit_logs)
- HIGH-008: RTMP callback auth fallback to stream_key as secret
- HIGH-009: Co-listening host hijack by non-host participants
- HIGH-010: Moderator can issue strikes without conflict-of-interest check
Total: 2 CRITICAL, 10 HIGH, 12 MEDIUM, 6 LOW, 5 INFO
Estimated remediation: ~39h30
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- ResponseCache: Redis-backed HTTP response caching for public GET endpoints
with configurable TTLs per endpoint prefix (tracks 15m, search 5m, etc.)
- CacheHeaders: CDN-optimized Cache-Control headers per asset type
(static 1yr immutable, audio 7d, HLS 60s, images 30d, API no-cache)
- Integrated both middlewares into the router middleware stack
- Unit tests for cache key generation, header rules, and config
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- EducationPage with 3 tabs: Catalog, My Courses, Certificates
- HLS.js video player integration for course lessons
- Course enrollment, progress tracking, and certificate display
- TypeScript types matching backend models
- API service layer for all education endpoints
- Lazy loading route configuration
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Course CRUD with slug generation, publish/archive lifecycle
- Lesson management with ordering and transcoding status
- Enrollment system with duplicate prevention
- Progress tracking with auto-completion at 90%
- Certificate issuance requiring full course completion
- Course reviews with rating aggregation
- Unit tests for service and handler layers
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Tables: courses, lessons, course_enrollments, lesson_progress,
certificates, course_reviews with proper indexes and constraints.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Distribution types, API service, and page component
- Distributions list with platform-specific status badges
- External streaming revenue table with summary cards
- Platform icons and status colors for Spotify/Apple Music/Deezer
- ARIA labels for accessibility
- Lazy-loaded route at /distribution
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Distribution module: submit tracks to Spotify, Apple Music, Deezer
- Subscription eligibility check (Creator/Premium only)
- Distribution status tracking with platform-specific statuses
- Status history audit trail
- External streaming royalties import and aggregation
- Distributor provider interface for DistroKid/TuneCore integration
- Handler and service unit tests
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
