senke/veza
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
2177 commits 37 branches 94 tags 1.5 GiB
Commit graph

13 commits

Author SHA1 Message Date
dependabot[bot]
a51f14409e chore(deps): bump docker/setup-buildx-action from 3 to 4
Some checks failed
Backend API CI / test-unit (push) Failing after 0s
Details
Backend API CI / test-integration (push) Failing after 0s
Details
Frontend CI / test (push) Failing after 0s
Details
Storybook Audit / Build & audit Storybook (push) Failing after 0s
Details 
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3 to 4.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](https://github.com/docker/setup-buildx-action/compare/v3...v4)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2026-03-18 10:39:08 +00:00
senke
9cd0da0046 fix(v0.12.6): apply all pentest remediations — 36 findings across 36 files 
CRITICAL fixes:
- Race condition (TOCTOU) in payout/refund with SELECT FOR UPDATE (CRITICAL-001/002)
- IDOR on analytics endpoint — ownership check enforced (CRITICAL-003)
- CSWSH on all WebSocket endpoints — origin whitelist (CRITICAL-004)
- Mass assignment on user self-update — strip privileged fields (CRITICAL-005)

HIGH fixes:
- Path traversal in marketplace upload — UUID filenames (HIGH-001)
- IP spoofing — use Gin trusted proxy c.ClientIP() (HIGH-002)
- Popularity metrics (followers, likes) set to json:"-" (HIGH-003)
- bcrypt cost hardened to 12 everywhere (HIGH-004)
- Refresh token lock made mandatory (HIGH-005)
- Stream token replay prevention with access_count (HIGH-006)
- Subscription trial race condition fixed (HIGH-007)
- License download expiration check (HIGH-008)
- Webhook amount validation (HIGH-009)
- pprof endpoint removed from production (HIGH-010)

MEDIUM fixes:
- WebSocket message size limit 64KB (MEDIUM-010)
- HSTS header in nginx production (MEDIUM-001)
- CORS origin restricted in nginx-rtmp (MEDIUM-002)
- Docker alpine pinned to 3.21 (MEDIUM-003/004)
- Redis authentication enforced (MEDIUM-005)
- GDPR account deletion expanded (MEDIUM-006)
- .gitignore hardened (MEDIUM-007)

LOW/INFO fixes:
- GitHub Actions SHA pinning on all workflows (LOW-001)
- .env.example security documentation (INFO-001)
- Production CORS set to HTTPS (LOW-002)

All tests pass. Go and Rust compile clean.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-14 00:44:46 +01:00
senke
c0e2fe2e12 fix(v0.12.6.1): remediate remaining 15 MEDIUM + LOW pentest findings 
MEDIUM-002: Remove manual X-Forwarded-For parsing in metrics_protection.go,
  use c.ClientIP() only (respects SetTrustedProxies)
MEDIUM-003: Pin ClamAV Docker image to 1.4 across all compose files
MEDIUM-004: Add clampLimit(100) to 15+ handlers that parsed limit directly
MEDIUM-006: Remove unsafe-eval from CSP script-src on Swagger routes
MEDIUM-007: Pin all GitHub Actions to SHA in 11 workflow files
MEDIUM-008: Replace rabbitmq:3-management-alpine with rabbitmq:3-alpine in prod
MEDIUM-009: Add trial-already-used check in subscription service
MEDIUM-010: Add 60s periodic token re-validation to WebSocket connections
MEDIUM-011: Mask email in auth handler logs with maskEmail() helper
MEDIUM-012: Add k-anonymity threshold (k=5) to playback analytics stats
LOW-001: Align frontend password policy to 12 chars (matching backend)
LOW-003: Replace deprecated dotenv with dotenvy crate in Rust stream server
LOW-004: Enable xpack.security in Elasticsearch dev/local compose files
LOW-005: Accept context.Context in CleanupExpiredSessions instead of Background()
LOW-002: Noted — Hyperswitch version update deferred (requires payment integration tests)

29/30 findings remediated. 1 noted (LOW-002).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-12 06:13:38 +01:00
senke
279a10d317 chore(cleanup): remove veza-chat-server directory and all operational references 
Chat functionality is now fully handled by the Go backend (since v0.502).
Remove the deprecated Rust chat server and all its references from:
- CI/CD workflows (ci.yml, cd.yml, rust-ci.yml, chat-ci.yml)
- Monitoring & proxy config (prometheus, caddy, haproxy)
- Incus deployment scripts and documentation
- Monorepo config (package.json, dependabot, GH templates)
 2026-02-22 21:13:00 +01:00
senke
eb82e02c83 fix(ci): repair CD pipeline -- use vars.* instead of secrets.* in if conditions, target Dockerfile.production 2026-02-22 17:23:43 +01:00
senke
b103a09a25 chore: consolidate CI, E2E, backend and frontend updates 
- CI: workflows updates (cd, ci), remove playwright.yml
- E2E: global-setup, auth/playlists/profile specs
- Remove playwright-report and test-results artifacts from tracking
- Backend: auth, handlers, services, workers, migrations
- Frontend: components, features, vite config
- Add e2e-results.json to gitignore
- Docs: REMEDIATION_PROGRESS, audit archive
- Rust: chat-server, stream-server updates
 2026-02-17 16:43:21 +01:00
senke
c2296ac1c6 test(e2e): add post-deploy smoke tests 
- Add smoke-post-deploy.spec.ts for health checks
- Add playwright.config.smoke.ts (no webServer)
- Add smoke-post-deploy job to cd.yml (runs when STAGING_URL set)
- Document procedure in e2e/README.md
 2026-02-14 22:45:10 +01:00
senke
c681b97e1f feat(cd): add cosign image signing and SBOM generation 2026-02-14 18:22:46 +01:00
senke
ae586f6134 Phase 2 stabilisation: code mort, Modal→Dialog, feature flags, tests, router split, Rust legacy 
Bloc A - Code mort:
- Suppression Studio (components, views, features)
- Suppression gamification + services mock (projectService, storageService, gamificationService)
- Mise à jour Sidebar, Navbar, locales

Bloc B - Frontend:
- Suppression modal.tsx deprecated, Modal.stories (doublon Dialog)
- Feature flags: PLAYLIST_SEARCH, PLAYLIST_RECOMMENDATIONS, ROLE_MANAGEMENT = true
- Suppression 19 tests orphelins, retrait exclusions vitest.config

Bloc C - Backend:
- Extraction routes_auth.go depuis router.go

Bloc D - Rust:
- Suppression security_legacy.rs (code mort, patterns déjà dans security/)
 2026-02-14 17:23:32 +01:00
senke
8f1ccd8a56 fix(ci): correct Rust service paths and reactivate CD pipeline 
- Fix chat-ci.yml and stream-ci.yml to reference veza-chat-server/
  and veza-stream-server/ instead of non-existent apps/ paths
- Add veza-common/ to CI triggers so shared library changes are tested
- Reactivate CD pipeline with Docker registry push and Kubernetes
  deployment steps (gated on secrets availability)
- Standardize Redis dependency to v0.32 across both Rust services

Co-authored-by: Cursor <cursoragent@cursor.com>
 2026-02-12 22:44:56 +01:00
senke
a7b5cdc55f fix(ci): remove remaining || true and || echo in secondary workflows 
- cd.yml: remove || echo soft failures on Docker builds for chat-server
  and stream-server. Build must fail if Dockerfile is missing in CD.
- vulnerability-scan.yml: remove || true from govulncheck command.
  The step-level continue-on-error: true already handles failure
  gracefully for the report-only govulncheck step.

Addresses audit findings D3, A08: 3 residual || true / || echo patterns.

Co-authored-by: Cursor <cursoragent@cursor.com>
 2026-02-11 23:14:21 +01:00
senke
49bc0c1443 ci: upgrade remaining GitHub Actions and remove || true patterns 
- backend-ci.yml: remove || true from govulncheck
- frontend-ci.yml: remove || true from npm audit
- cd.yml: upgrade checkout@v3 -> v4, buildx-action@v2 -> v3
- chat-ci.yml: replace actions-rs/toolchain@v1 with dtolnay/rust-toolchain@stable
- stream-ci.yml: replace actions-rs/toolchain@v1 with dtolnay/rust-toolchain@stable

Zero remaining `|| true` patterns across all 11 workflow files.
Zero remaining deprecated action references.

Completes CI hardening started in C1.

Co-authored-by: Cursor <cursoragent@cursor.com>
 2026-02-11 22:54:35 +01:00
senke
36c54f1500 [INFRA-001] infra: Set up CI/CD pipeline 2025-12-25 21:30:57 +01:00