Third batch. Fills the playlist_handler.go gap (was 8/24 annotated,
now 20/24). Covers the functionality consumed by the frontend
playlists service: import, favoris, share tokens, collaborators,
analytics, search, recommendations, duplication.
Handlers annotated:
- ImportPlaylist — POST /playlists/import
- GetFavorisPlaylist — GET /playlists/favoris
- GetPlaylistByShareToken — GET /playlists/shared/{token}
- SearchPlaylists — GET /playlists/search
- GetRecommendations — GET /playlists/recommendations
- GetPlaylistStats — GET /playlists/{id}/analytics
- AddCollaborator — POST /playlists/{id}/collaborators
- GetCollaborators — GET /playlists/{id}/collaborators
- UpdateCollaboratorPermission — PUT /playlists/{id}/collaborators/{userId}
- RemoveCollaborator — DELETE /playlists/{id}/collaborators/{userId}
- CreateShareLink — POST /playlists/{id}/share
- DuplicatePlaylist — POST /playlists/{id}/duplicate
Not annotated (unrouted, survey false positives): FollowPlaylist,
UnfollowPlaylist — no route references in internal/api/routes_*.go.
Left unannotated to avoid polluting the spec with dead handlers.
Marketplace gap originally planned for this batch is deferred to
v1.0.9: the 13 remaining handlers (UploadProductPreview, reviews,
licenses, sell stats, refund, invoice) don't block the B-2 frontend
migration (auth/users/tracks/playlists only), so they will be done
after v1.0.8 ships. Task #48 updated to reflect.
Spec coverage:
/playlists/* paths: 5 → 15
make openapi: ✅ valid
go build ./...: ✅
Next: profile_handler.go + auth/handler.go to finish the B-2 spec
surface (users endpoints), then regen orval and migrate 4 services.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
CLN-03: router.go, track/service.go, upload_validator.go, cors.go,
playlist_handler.go, and mfa.go now use zap.L() or local logger
for structured logging instead of fmt.Printf.
- Tests complets pour frontend_log_handler.go (12 tests)
- Tests couvrent NewFrontendLogHandler et ReceiveLog
- Tests pour tous les niveaux de log (DEBUG, INFO, WARN, ERROR)
- Tests pour gestion des erreurs et validation JSON
- Couverture actuelle: 30.6% (objectif: 80%)
Files: veza-backend-api/internal/handlers/frontend_log_handler_test.go
VEZA_ROADMAP.json
Hours: 16 estimated, 23 actual
- Created comprehensive sanitization utility functions
- SanitizeInput, SanitizeText, SanitizeHTML, SanitizeURL, SanitizeEmail, SanitizeUsername
- Applied sanitization to profile handler (username, bio, names, search)
- Applied sanitization to social posts content
- Applied sanitization to comment content
- Applied sanitization to playlist titles and descriptions
- All functions prevent XSS via HTML escaping and remove dangerous URL schemes
- Removes control characters and limits input length to prevent DoS
- Added POST /playlists/:id/share route in router.go
- Initialized PlaylistShareService and set it in PlaylistService
- Handler CreateShareLink already existed and was fully implemented
- Standardized API response to return shareLink directly
- Route requires ownership or admin permission via middleware
Phase: PHASE-2
Priority: P1
Progress: 14/267 (5.2%)
- Added routes in router.go: POST, GET, PUT, DELETE /playlists/:id/collaborators
- Applied RequireOwnershipOrAdmin middleware to POST, PUT, DELETE routes
- GET route accessible to collaborators (service layer checks permissions)
- Fixed UpdateCollaboratorPermission handler to use RespondWithAppError
- All handlers already existed in playlist_handler.go
- All endpoints properly authenticated and ownership checks enforced
Phase: PHASE-1
Priority: P0
Progress: 5/267 (1.9%)
Backend Go:
- Remplacement complet des anciennes migrations par la base V1 alignée sur ORIGIN.
- Durcissement global du parsing JSON (BindAndValidateJSON + RespondWithAppError).
- Sécurisation de config.go, CORS, statuts de santé et monitoring.
- Implémentation des transactions P0 (RBAC, duplication de playlists, social toggles).
- Ajout d’un job worker structuré (emails, analytics, thumbnails) + tests associés.
- Nouvelle doc backend : AUDIT_CONFIG, BACKEND_CONFIG, AUTH_PASSWORD_RESET, JOB_WORKER_*.
Chat server (Rust):
- Refonte du pipeline JWT + sécurité, audit et rate limiting avancé.
- Implémentation complète du cycle de message (read receipts, delivered, edit/delete, typing).
- Nettoyage des panics, gestion d’erreurs robuste, logs structurés.
- Migrations chat alignées sur le schéma UUID et nouvelles features.
Stream server (Rust):
- Refonte du moteur de streaming (encoding pipeline + HLS) et des modules core.
- Transactions P0 pour les jobs et segments, garanties d’atomicité.
- Documentation détaillée de la pipeline (AUDIT_STREAM_*, DESIGN_STREAM_PIPELINE, TRANSACTIONS_P0_IMPLEMENTATION).
Documentation & audits:
- TRIAGE.md et AUDIT_STABILITY.md à jour avec l’état réel des 3 services.
- Cartographie complète des migrations et des transactions (DB_MIGRATIONS_*, DB_TRANSACTION_PLAN, AUDIT_DB_TRANSACTIONS, TRANSACTION_TESTS_PHASE3).
- Scripts de reset et de cleanup pour la lab DB et la V1.
Ce commit fige l’ensemble du travail de stabilisation P0 (UUID, backend, chat et stream) avant les phases suivantes (Coherence Guardian, WS hardening, etc.).
