senke/veza
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
1728 commits 37 branches 94 tags 1.5 GiB
Commit graph

1728 commits

This branch
This branch
All branches
Author SHA1 Message Date
senke
b103a09a25 chore: consolidate CI, E2E, backend and frontend updates 
- CI: workflows updates (cd, ci), remove playwright.yml
- E2E: global-setup, auth/playlists/profile specs
- Remove playwright-report and test-results artifacts from tracking
- Backend: auth, handlers, services, workers, migrations
- Frontend: components, features, vite config
- Add e2e-results.json to gitignore
- Docs: REMEDIATION_PROGRESS, audit archive
- Rust: chat-server, stream-server updates
 2026-02-17 16:43:21 +01:00
senke
e27b74130f chore(e2e): Playwright webServer env for CI, gitignore e2e auth 
- Pass VITE_DOMAIN, VITE_BACKEND_PORT to webServer in CI
- Add apps/web/e2e/.auth/ to gitignore
 2026-02-17 16:42:48 +01:00
senke
8d40db47cd feat(chat): delivered status display 
- Add status and delivered_at to ChatMessage
- Handle MessageDelivered WebSocket event
- Send Delivered when receiving NewMessage or loading history
- Display ✓ (sent) / ✓✓ (delivered) in ChatMessageComponent
 2026-02-17 16:42:36 +01:00
senke
06d56dd298 feat(backend): OAuth FRONTEND_URL from config, docs update 
- Add FrontendURL to config (FRONTEND_URL or VITE_FRONTEND_URL)
- OAuth handlers use config instead of os.Getenv
- Update TODOS_AUDIT: mark UUID migration items as resolved
- Add ISSUES_P2_BACKLOG.md for GitHub issues
- Add ROUTES_ORPHANES.md for routes without UI
- Document FRONTEND_URL in .env.example
 2026-02-17 16:42:23 +01:00
senke
7846bbab28 fix(backend): remediation plan — tests, playback_analytics, job queue, gamification 
Phase 1 - Backend tests:
- Add PlaybackAnalytics to AutoMigrate in setupTestTrackHandler
- Create migration 081_create_playback_analytics.sql for production
- PlaybackAnalyticsService: return ErrTrackNotFound for missing track
- RecordPlay handler: return 404 when track not found
- CreateShare: use RespondSuccess, fix services.ErrTrackNotFound/ErrForbidden
- GetTrackLikes, UnlikeTrack: use RespondSuccess for consistent response
- GetUserLikedTracks test: fix route /users/:id/likes and params
- GetSharedTrack_InvalidToken: set share service in test

Phase 4 - Job queue transcoding:
- Add EnqueueTranscodingJob to JobEnqueuer interface
- Add TypeTranscoding and processTranscodingJob (stub) in JobWorker
- MockJobEnqueuer: implement EnqueueTranscodingJob

Phase 5 - Gamification cleanup:
- Move api_manager.go to internal/api/archive/
- Add archive/README.md documenting archived modules
- Update TODOS_AUDIT.md and FEATURE_STATUS.md
 2026-02-17 16:01:45 +01:00
senke
b3ab89acd2 docs: align FEATURE_STATUS and validation scripts with v0.101 state 
- docs/FEATURE_STATUS.md: 19 operational features (Gear, Live, Analytics, Roles)
- apps/web/docs/FEATURE_STATUS.md: reference 103 report, 19 features summary
- scripts/validate-full.sh: add full validation (validate-light + go test + npm test)
 2026-02-17 15:35:58 +01:00
senke
c298307f39 fix(backend): remove obsolete UUID migration comment in track handler 
- trackUploadService and GetUploadProgress already use uuid.UUID
- Migration complete, no code changes needed
 2026-02-17 15:35:25 +01:00
senke
59e1f3514e fix(ci): add E2E test user seed and fix smoke/auth specs 
- Add create_test_user step in CI e2e job (e2e@test.com)
- Add TEST_EMAIL and TEST_PASSWORD to Playwright env for consistency
- Add form visibility waits in smoke.spec.ts (align with auth.spec.ts)
- Ensures login form is visible before fillField to avoid flaky failures
 2026-02-17 15:05:10 +01:00
senke
0f1e416679 refactor(backend): split config into domain modules (P2) 2026-02-16 11:12:21 +01:00
senke
348ff092ef fix(stream): replace expect in production signature (stability) 2026-02-16 11:08:11 +01:00
senke
fd51839d34 chore(docs): reorganize markdown files, add docs/README (P2) 2026-02-16 11:04:24 +01:00
senke
9c0c065383 chore: remove dead code (Education, Studio, Gamification) (P2) 2026-02-16 11:03:27 +01:00
senke
ba8a5de491 refactor(frontend): unify pages pattern, remove legacy views (P2) 2026-02-16 11:02:29 +01:00
senke
ab85dd793f docs: update REMEDIATION_PROGRESS with Phase 2 completion 2026-02-16 10:53:29 +01:00
senke
0118172b40 fix(e2e): set VITE_API_URL for E2E to use Vite proxy in CI 2026-02-16 10:52:56 +01:00
senke
28f6885492 chore: align Go version in CI with go.mod (1.24) 2026-02-16 10:23:47 +01:00
senke
3cf1d14f46 fix(security): verify track access before download (A04) 
- Add TrackDownloadLicenseChecker to verify paid track download rights
- Check marketplace license when track is sold as product and user is not owner
- Return 403 with 'purchase required' message when license missing
 2026-02-16 10:23:41 +01:00
senke
7c981c1ec8 docs(security): document Lot 9 (2FA) and Lot 10 (OAuth) verification (A07) 
Both flows verified correct - no code changes required.
 2026-02-16 10:23:33 +01:00
senke
fae4588d70 fix(security): update or remove vulnerable npm devDependencies (A06) 
- Remove @lhci/cli, newman, pa11y-ci (used only by obsolete Makefile.old)
- Redirect qa:postman, qa:lh, qa:a11y scripts to explanatory message
- npm audit fix for remaining lodash vulnerability
- Document Lot 6 (bypass flags verified) and Lot 8 in REMEDIATION_PROGRESS
 2026-02-16 10:20:10 +01:00
senke
b05d7a04e3 fix(security): remove or protect education routes (A01) 
Education packages internal/api/education and internal/core/education were
empty directories with no routes registered. Removed empty dirs and
documented in REMEDIATION_PROGRESS.md.
 2026-02-16 10:18:43 +01:00
senke
66032b6e3d fix(security): isolate test secrets in chat server config (A02) 2026-02-16 10:18:06 +01:00
senke
f87923a7bc fix(security): add rate limiting to POST /validate (A01) 2026-02-16 10:17:28 +01:00
senke
4475eaf1af fix(security): graceful CSRF handling when Redis unavailable (A05) 2026-02-16 10:16:50 +01:00
senke
eea88d80bf fix(security): reject DISABLE_RATE_LIMIT_FOR_TESTS in production (A04) 2026-02-16 10:16:35 +01:00
senke
f6fd3a131b fix(security): protect /v1/stream/hls/* endpoints with JWT auth (A01) 2026-02-16 10:16:08 +01:00
senke
ad78a23ac1 feat(analytics): complete backend analytics, remove frontend mocks 2026-02-15 16:21:20 +01:00
senke
1159874adf refactor(backend): unify architecture - migrate analytics handler to core (ADR-001) 2026-02-15 16:18:13 +01:00
senke
36c03e1cba docs: add developer onboarding guide 2026-02-15 16:13:20 +01:00
senke
45008a4c21 fix(backend): implement track stats/history endpoints 2026-02-15 16:10:33 +01:00
senke
37e6e426f0 feat(payments): document Hyperswitch activation and validate checkout flow 2026-02-15 16:08:49 +01:00
senke
65ea4c4b2e fix(e2e): fix auth flow tests for httpOnly cookie auth 2026-02-15 16:08:23 +01:00
senke
35511ce9ca chore: clean root directory, move design system files, update .gitignore 2026-02-15 16:05:54 +01:00
senke
1b25013c6f refactor(frontend): simplify TokenStorage usage for httpOnly cookie auth 2026-02-15 16:04:42 +01:00
senke
1b2079dcdd chore(frontend): remove or simplify ghost features (Developer Dashboard, Education/Gamification/Studio) 2026-02-15 16:03:43 +01:00
senke
7962c8f1b9 fix(frontend): connect social feed to backend with proper actor mapping 2026-02-15 16:02:49 +01:00
senke
f4c2acdd02 refactor(frontend): document chat store as single source of truth 2026-02-15 16:02:14 +01:00
senke
b657776892 fix(infra): HAProxy HTTPS and stats security 
P1.1 - Enable HTTPS in HAProxy for production:
- HTTP to HTTPS redirect (301)
- HTTPS frontend on port 443 with veza.pem
- config/ssl/ structure with README and generate-ssl-cert.sh
- docker-compose.prod.yml volume for certs

P1.3 - Restrict HAProxy stats to internal network:
- ACL from_internal (127.0.0.1, 172.20.0.0/16)
- stats admin if from_internal

Also: remove errorfile directives (use HAProxy built-in defaults)
 2026-02-15 15:58:51 +01:00
senke
66ba082788 fix(backend): use explicit DISABLE_RATE_LIMIT_FOR_TESTS flag instead of env-based bypass 
Replace NODE_ENV/APP_ENV bypass with DISABLE_RATE_LIMIT_FOR_TESTS=true.
Only test runners should set this. Prevents rate limiting bypass when
APP_ENV=development is mistakenly used in production.
Phase 1 audit - P1.6
 2026-02-15 15:56:53 +01:00
senke
35370330b5 fix(backend): disable pprof endpoints in production 
Conditionally register pprof routes only when APP_ENV is not production.
Prevents leaking sensitive runtime information via profiling endpoints.
Phase 1 audit - P1.5
 2026-02-15 15:55:18 +01:00
senke
62f4ae2c82 fix(backend): require ClamAV in production environment 
Add validation in ValidateForEnvironment() to fail startup when
CLAMAV_REQUIRED=false in production. Virus scanning is mandatory
for all file uploads in production.
Phase 1 audit - P1.4
 2026-02-15 15:54:58 +01:00
senke
cc2c5123bc fix(rust): ensure chat-server and stream-server compile in release mode 
Add scripts/verify-rust-build.sh to verify all Rust crates (veza-common,
veza-chat-server, veza-stream-server) compile in release mode.
Phase 1 audit - P1.2
 2026-02-15 15:54:03 +01:00
senke
fef7e7fc7c feat(loadtests): audit 3.2 — tests de charge k6 complets 
- loadtests: centraliser scripts (backend, stream, chat)
- backend: health, auth, tracks, uploads, playlists, marketplace
- stream: http health, healthz, readyz
- chat: WebSocket load (register -> login -> chat token -> WS)
- ci: workflow nightly load-test-nightly.yml
- docs: README loadtests
- make: load-test-smoke, load-test-backend, load-test-all
- fix: veza-backend-api Makefile load-test (scripts/load_test_uploads.js -> loadtests)
 2026-02-15 15:22:48 +01:00
senke
b9875c5e92 test(e2e): audit 2.10 — flows critiques Auth, Upload, Purchase, Chat 
- purchase.spec.ts: add to cart, checkout, success
- chat.spec.ts: load UI, send message (when WebSocket available)
- README: document critical flows and prerequisites
 2026-02-15 14:51:29 +01:00
senke
67271c7b34 chore: audit 2.8 et 2.9 — gitignore et Tokio 
2.8: Mise à jour .gitignore
- .turbo/ (cache Turborepo)
- *.out (Go coverage, artefacts)
- test-results/ et playwright-report/ (patterns globaux)

2.9: Alignement Tokio 1.0 → 1.35
- veza-common: dependencies + dev-dependencies
- veza-stream-server/tools
 2026-02-15 14:47:31 +01:00
senke
bbd8ed54de refactor(config): découper config.go par domaine (audit 2.7) 
- env_helpers.go: getEnv*, parseLogAggregationLabels
- db_init.go: initDatabaseWithRetry
- redis_init.go: initRedis, filteredRedisLogger
- rabbitmq.go: getRabbitMQURL
- cors.go: CORS, cookies
- rate_limit.go: rate limit defaults
- services_init.go: initServices
- middlewares_init.go: initMiddlewares, SetupMiddleware
- config.go réduit de ~1487 à ~550 LOC
 2026-02-15 14:44:33 +01:00
senke
22e5e21757 chore(audit 2.4, 2.5): supprimer code mort Education et cmd/modern-server 
- Supprimer routes/handlers/core Education (backend)
- Supprimer handler MSW education, refs Sidebar/locales
- Basculer Makefile, make/dev.mk, scripts vers cmd/api/main.go
- Supprimer veza-backend-api/cmd/modern-server/
 2026-02-15 14:39:40 +01:00
senke
43af35fd93 chore(audit 2.2, 2.3): nettoyer .md et .json à la racine 
- Archiver 131 .md dans docs/archive/root-md/
- Archiver 22 .json dans docs/archive/root-json/
- Conserver 7 .md utiles (README, CONTRIBUTING, CHANGELOG, etc.)
- Conserver package.json, package-lock.json, turbo.json
- Ajouter README d'index dans chaque archive
 2026-02-15 14:35:08 +01:00
senke
8b1644640d refactor(audit-2.1,2.6): unify views and pages to features/*/pages pattern 
- Migrate LiveView, GearView, PurchasesView, SocialView, AnalyticsView into features
- Create features: admin, developer, seller; add QueuePage, WishlistPage
- Migrate pages/marketplace to features/marketplace
- Remove components/views/ and pages/ legacy directories
- Update lazyExports, docs (ARCHITECTURE)
- Mark audit 2.1, 2.6 as done

Refs: AUDIT_TECHNIQUE_INTEGRAL_2026_02_15.md items 2.1, 2.6
 2026-02-15 14:30:40 +01:00
senke
03f626c9e8 fix(audit-1.8,1.9): implement OAuth user lookup, add cargo audit to CI 
- 1.8: Implement GetUserByOAuthID in database.go via federated_identities join
- 1.8: Use OAuth ID lookup first in oauth_service getOrCreateUser
- 1.9: Add cargo audit step to chat-ci.yml and stream-ci.yml

Refs: AUDIT_TECHNIQUE_INTEGRAL_2026_02_15.md items 1.8, 1.9
 2026-02-15 14:22:27 +01:00
senke
2e04d45a14 fix(audit-1.6,1.7): remove hardcoded test secrets, block bypass flags in prod 
- 1.6: Replace hardcoded JWT secrets in chat server tests with runtime-generated
  values (env TEST_JWT_SECRET or uuid-based fallback)
- 1.7: Add validateNoBypassFlagsInProduction() in config; fail startup if
  BYPASS_CONTENT_CREATOR_ROLE or CSRF_DISABLED is set in production

Refs: AUDIT_TECHNIQUE_INTEGRAL_2026_02_15.md items 1.6, 1.7
 2026-02-15 14:18:23 +01:00