Fourth batch. Closes the user/profile surface consumed by the
frontend users service. 6 handlers annotated across
internal/handlers/profile_handler.go (now 12/15 annotated).
Handlers annotated:
- SearchUsers — GET /users/search
- FollowUser — POST /users/{id}/follow
- GetFollowSuggestions — GET /users/suggestions
- UnfollowUser — DELETE /users/{id}/follow
- BlockUser — POST /users/{id}/block
- UnblockUser — DELETE /users/{id}/block
Added a blank `_ "veza-backend-api/internal/models"` import so swaggo
can resolve models.User in doc comments without forcing runtime use
(same pattern as track_hls_handler.go / track_waveform_handler.go).
Spec coverage: /users/* paths now 12 (all frontend-consumed endpoints).
make openapi: ✅ · go build ./...: ✅.
Completes the B-2 backend annotation scope for auth / users / tracks /
playlists — the four services that will migrate to orval in the next
commit. Remaining unannotated handlers (admin, moderation, analytics,
education, cloud, gear, social_group, etc.) are outside the v1.0.8
frontend migration and deferred to v1.0.9.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Third batch. Fills the playlist_handler.go gap (was 8/24 annotated,
now 20/24). Covers the functionality consumed by the frontend
playlists service: import, favoris, share tokens, collaborators,
analytics, search, recommendations, duplication.
Handlers annotated:
- ImportPlaylist — POST /playlists/import
- GetFavorisPlaylist — GET /playlists/favoris
- GetPlaylistByShareToken — GET /playlists/shared/{token}
- SearchPlaylists — GET /playlists/search
- GetRecommendations — GET /playlists/recommendations
- GetPlaylistStats — GET /playlists/{id}/analytics
- AddCollaborator — POST /playlists/{id}/collaborators
- GetCollaborators — GET /playlists/{id}/collaborators
- UpdateCollaboratorPermission — PUT /playlists/{id}/collaborators/{userId}
- RemoveCollaborator — DELETE /playlists/{id}/collaborators/{userId}
- CreateShareLink — POST /playlists/{id}/share
- DuplicatePlaylist — POST /playlists/{id}/duplicate
Not annotated (unrouted, survey false positives): FollowPlaylist,
UnfollowPlaylist — no route references in internal/api/routes_*.go.
Left unannotated to avoid polluting the spec with dead handlers.
Marketplace gap originally planned for this batch is deferred to
v1.0.9: the 13 remaining handlers (UploadProductPreview, reviews,
licenses, sell stats, refund, invoice) don't block the B-2 frontend
migration (auth/users/tracks/playlists only), so they will be done
after v1.0.8 ships. Task #48 updated to reflect.
Spec coverage:
/playlists/* paths: 5 → 15
make openapi: ✅ valid
go build ./...: ✅
Next: profile_handler.go + auth/handler.go to finish the B-2 spec
surface (users endpoints), then regen orval and migrate 4 services.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
First batch of the backend OpenAPI annotation campaign. Adds full
swaggo annotations to the 8 handlers in internal/core/track/track_crud_handler.go
so the resulting openapi.yaml exposes the track CRUD surface to
orval-generated frontend clients.
Handlers annotated (all under @Tags Track):
- ListTracks — GET /tracks
- GetTrack — GET /tracks/{id}
- UpdateTrack — PUT /tracks/{id} (Auth, ownership)
- GetLyrics — GET /tracks/{id}/lyrics
- UpdateLyrics — PUT /tracks/{id}/lyrics (Auth, ownership)
- DeleteTrack — DELETE /tracks/{id} (Auth, ownership)
- BatchDeleteTracks — POST /tracks/batch/delete (Auth)
- BatchUpdateTracks — POST /tracks/batch/update (Auth)
Each block follows the established pattern (auth.go + marketplace.go):
Summary / Description / Tags / Accept / Produce / Security when auth-required /
Param (path/query/body) with concrete types / Success envelope typed via
response.APIResponse{data=...} / Failure 400/401/403/404/500 / Router.
make openapi: ✅ valid (Swagger 2.0)
go build ./...: ✅
openapi.yaml: +490 LOC, 8 new paths exposed under /tracks.
Part of the Option B campaign tracked in
/home/senke/.claude/plans/audit-fonctionnel-wild-hickey.md.
~364 handlers total remain unannotated across 16 files in /internal/core/
and ~55 files in /internal/handlers/. Subsequent commits will annotate
one handler file at a time so each regenerated spec stays bisectable.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- ORDER BY dynamiques : whitelist explicite, fallback created_at DESC
- Login/register soumis au rate limiter global
- VERSION sync + check CI
- Nettoyage références veza-chat-server
- Go 1.24 partout (Dockerfile, workflows)
- TODO/FIXME/HACK convertis en issues ou résolus
- Add FrontendURL to config (FRONTEND_URL or VITE_FRONTEND_URL)
- OAuth handlers use config instead of os.Getenv
- Update TODOS_AUDIT: mark UUID migration items as resolved
- Add ISSUES_P2_BACKLOG.md for GitHub issues
- Add ROUTES_ORPHANES.md for routes without UI
- Document FRONTEND_URL in .env.example
Add validation in ValidateForEnvironment() to fail startup when
CLAMAV_REQUIRED=false in production. Virus scanning is mandatory
for all file uploads in production.
Phase 1 audit - P1.4
- Add DATABASE_READ_URL config and InitReadReplica in database package
- Add ForRead() helper for read-only handler routing
- Update TrackService and TrackSearchService to use read replica for reads
- Document setup in DEPLOYMENT_GUIDE.md and .env.template
- Completed Action 1.3.2.4: Audited all response helper functions
- Created RESPONSE_HELPERS_AUDIT.md documenting all helpers
- Verified all helpers use wrapped format: Success(), Created(), Error(), RespondWithAppError(), RespondSuccess()
- Found two implementation approaches (gin.H vs APIResponse struct) - both produce wrapped format
- No changes needed - backend already compliant with wrapped format requirement
- Completed Action 1.3.1.2: Tested 36 endpoints for response format consistency
- Fixed test script to handle subshell issues with RESULTS array
- Created ENDPOINT_FORMAT_AUDIT.md documenting findings
- Found 2 endpoints using wrapped format, 0 direct format
- Most endpoints require auth (22) or have errors (12)
- Limited coverage due to authentication requirements and path parameters
Backend Go:
- Remplacement complet des anciennes migrations par la base V1 alignée sur ORIGIN.
- Durcissement global du parsing JSON (BindAndValidateJSON + RespondWithAppError).
- Sécurisation de config.go, CORS, statuts de santé et monitoring.
- Implémentation des transactions P0 (RBAC, duplication de playlists, social toggles).
- Ajout d’un job worker structuré (emails, analytics, thumbnails) + tests associés.
- Nouvelle doc backend : AUDIT_CONFIG, BACKEND_CONFIG, AUTH_PASSWORD_RESET, JOB_WORKER_*.
Chat server (Rust):
- Refonte du pipeline JWT + sécurité, audit et rate limiting avancé.
- Implémentation complète du cycle de message (read receipts, delivered, edit/delete, typing).
- Nettoyage des panics, gestion d’erreurs robuste, logs structurés.
- Migrations chat alignées sur le schéma UUID et nouvelles features.
Stream server (Rust):
- Refonte du moteur de streaming (encoding pipeline + HLS) et des modules core.
- Transactions P0 pour les jobs et segments, garanties d’atomicité.
- Documentation détaillée de la pipeline (AUDIT_STREAM_*, DESIGN_STREAM_PIPELINE, TRANSACTIONS_P0_IMPLEMENTATION).
Documentation & audits:
- TRIAGE.md et AUDIT_STABILITY.md à jour avec l’état réel des 3 services.
- Cartographie complète des migrations et des transactions (DB_MIGRATIONS_*, DB_TRANSACTION_PLAN, AUDIT_DB_TRANSACTIONS, TRANSACTION_TESTS_PHASE3).
- Scripts de reset et de cleanup pour la lab DB et la V1.
Ce commit fige l’ensemble du travail de stabilisation P0 (UUID, backend, chat et stream) avant les phases suivantes (Coherence Guardian, WS hardening, etc.).
