CHANGELOG v1.0.6.2 block now documents the distribution-handler
propagate fix as part of the release (applied in commit 3cee007d8
before re-tagging). v1.0.7 item G acceptance gains a recovery
endpoint requirement so the "complete payment" error message has a
real target rather than leaving users stuck.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Closes a bypass surfaced by the 2026-04 audit probe (axis-1 Q2): any
authenticated user could POST /api/v1/subscriptions/subscribe on a paid
plan and receive 201 active without the payment provider ever being
invoked. The resulting row satisfied `checkEligibility()` in the
distribution service via `can_sell_on_marketplace=true` on the Creator
plan — effectively free access to /api/v1/distribution/submit, which
dispatches to external partners.
Fix is centralised in `GetUserSubscription` so there is no code path
that can grant subscription-gated access without routing through the
payment check. Effective-payment = free plan OR unexpired trial OR
invoice with non-empty hyperswitch_payment_id. Migration 980 sweeps
pre-existing fantôme rows into `expired`, preserving the tuple in a
dated audit table for support outreach.
Subscribe and subscribeToFreePlan treat the new ErrSubscriptionNoPayment
as equivalent to ErrNoActiveSubscription so re-subscription works
cleanly post-cleanup. GET /me/subscription surfaces needs_payment=true
with a support-contact message rather than a misleading "you're on
free" or an opaque 500. TODO(v1.0.7-item-G) annotation marks where the
`if s.paymentProvider != nil` short-circuit needs to become a mandatory
pending_payment state.
Probe script `scripts/probes/subscription-unpaid-activation.sh` kept as
a versioned regression test — dry-run by default, --destructive logs in
and attempts the exploit against a live backend with automatic cleanup.
8-case unit test matrix covers the full hasEffectivePayment predicate.
Smoke validated end-to-end against local v1.0.6.2: POST /subscribe
returns 201 (by design — item G closes the creation path), but
GET /me/subscription returns subscription=null + needs_payment=true,
distribution eligibility returns false.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Hotfix surfaced by the v1.0.6 refund smoke test. Migration 978's plain
UNIQUE constraint on hyperswitch_refund_id collided on empty strings
— two refunds in the same post-Phase-1 / pre-Phase-2 state (or a
previous Phase-2 failure leaving '') would violate the constraint at
INSERT time on the second attempt, even though the refunds were for
different orders.
* Migration 979_refunds_unique_partial.sql replaces the plain
UNIQUE with a partial index excluding empty and NULL values.
Idempotency for successful refunds is preserved — duplicate
Hyperswitch webhooks land on the same row because the PSP-
assigned refund_id is non-empty.
* No Go code change. The bug was purely in the DB constraint shape.
Smoke test that caught it — 5/5 scenarios re-verified end-to-end:
happy path, idempotent replay (succeeded_at + balance strictly
invariant), PSP error rollback, webhook refund.failed, double-submit.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Follow-up to the v1.0.5 hardening sprint. That release validated the
`register → verify → play` critical path end-to-end; this one addresses
the next layer — the UX friction and operational blindspots that a
first-day public user (or a first-day on-call) would hit. Six targeted
commits, each with its own tests:
* Fix 1 — Self-service creator role (c32278dc1)
* Fix 2 — Upload size limits from a single source (5848c2e40)
* Fix 3 — Unified SMTP env schema on canonical SMTP_* names (066144352)
* Fix 4 — Refund reverse-charge with idempotent webhook (959031667)
* Fix 5 — RTMP ingest health banner on Go Live (64fa0c9ac)
* Fix 6 — RabbitMQ publish failures no longer silent (bf688af35)
Breaking changes:
* marketplace.MarketplaceService.RefundOrder now returns
(*Refund, error) — callers must accept the pending refund row.
* Internal refundProvider interface changed from
Refund(...) error to CreateRefund(...) (refundID, status, err).
* Order status machine gains `refund_pending` as an intermediate
state. Clients reading orders.status should not treat it as
refunded yet.
Parked for v1.0.7:
* Partial refunds (UX decision + call-site wiring)
* Stripe Connect Transfers:reversal (internal accounting is
already corrected; this is the external money-movement call)
* CloudUploadModal.tsx unifying on /upload/limits
* Manual smoke test of refund flow against Hyperswitch sandbox
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
A fresh clone + `cp veza-backend-api/.env.template .env` + `make dev-full`
booted the backend with `SMTP_HOST=""` — `EmailService.sendEmail` short-
circuits to log-only when the host is empty, so `register` + `password
reset` produced users stuck with no way to verify (or recover) in dev,
and the smoke test caught MailHog empty despite the service being up.
- `.env.template` now ships MailHog-ready defaults (`localhost:1025`,
UI on `:8025`, `FROM_EMAIL=no-reply@veza.local`) so a bare clone +
copy gives a working register flow. Comment rewritten to point at
both the dev path and the prod override.
- Also exports duplicate variable names (`SMTP_USERNAME`, `SMTP_FROM`,
`SMTP_FROM_NAME`) read by `internal/email/sender.go`. The two email
services in-tree disagree on env schema (`SMTP_USER` vs
`SMTP_USERNAME`, `FROM_EMAIL` vs `SMTP_FROM`, `FROM_NAME` vs
`SMTP_FROM_NAME`); until v1.0.6 reconciles them, both sets are
populated so whichever path fires finds its names.
Pure config hotfix. No code change, no migration.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Seven targeted fixes to the register → verify → play critical path before
public opening. Each landed in its own commit with dedicated tests; this
commit just rolls VERSION forward and captures the rationale in the
changelog.
Summary of what's in this release:
* Fix 1 — Player muet: /stream endpoint + HLS default alignment
* Fix 2 — Email verify bidon: real SMTP + MailHog + fail-loud in prod
* Fix 3 — Marketplace gratuit: HYPERSWITCH_ENABLED=true required in prod
* Fix 4 — Redis obligatoire: REDIS_URL required in prod + ERROR log
on in-memory PubSub fallback
* Fix 5 — Maintenance mode DB-backed via platform_settings
* Fix 6 — Hourly cleanup of orphan tracks stuck in processing
* Fix 7 — Response cache bypass for range-aware media endpoints
(surfaced by the browser smoke test; prevents Range/Accept-Ranges
strip and JSON-round-trip byte corruption on /stream, /download,
/hls/ and any request with a Range header)
Parked for v1.0.6 (🟠/🟡 audit items + smoke-test ergonomics):
Hyperswitch refund→PSP propagation, livestream UI feedback when
nginx-rtmp is down, upload size mismatch (front 500MB vs back 100MB),
RabbitMQ silent drop on enqueue failure, SMTP_HOST ergonomics for
`make dev` host mode, creator-role self-service onboarding for upload.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
7-day cleanup sprint (J1–J7) done. The codebase is unchanged
functionally but the working tree, docs, k8s runbooks, CI, and
Go dependency graph are all realigned with reality for the first
time since the v1.0.0 release.
VERSION 1.0.2 → 1.0.4 (skips v1.0.3 — that tag already
exists upstream, unused on this branch)
CHANGELOG.md full v1.0.4 entry with per-day (J1–J7) breakdown
and the govulncheck + CI fix trail
docs/PROJECT_STATE.md header month + version table refreshed,
pointer to AUDIT_REPORT.md added
docs/FEATURE_STATUS.md header updated — no feature matrix
changes (no feature work in this sprint)
Key deliverables of the sprint:
J1 7c9eece09 purge 220 MB of debris (binaries, reports,
session docs, stale MVP scripts)
J2 172ff497b rewrite CLAUDE.md, fix README, purge chat-server
refs from k8s runbooks and env examples
J3 784961b7e remove 3 deprecated unused handlers
J3+ dbda03f45 2FA handler duplicate removal (bundled by parallel
ci-cache commit)
J4 ebb28c77a GDPR-compliant hard delete with Redis SCAN cursor
and ES DeleteByQuery — closes TODO(HIGH-007)
J5 edc851af6 defer GeoIP, rename v2-v3-types.ts to domain.ts,
document Storybook kill
J5+ a9394a4a0 fix lint-staged eslint rule (was linting the
whole project — root cause of earlier --no-verify)
J6 091583b3d mark 3 dormant docker-compose files deprecated
fix 9e817aa6b bump x/image, quic-go, testcontainers-go — drops
containerd + docker/docker from dep graph,
resolving 5 govulncheck findings without allowlist
fix 51ed89cda bump go.work to 1.25 to match veza-backend-api
fix 51416ce37 bump x/net v0.51.0 for GO-2026-4559
fix 8f15bb136 retire legacy backend-ci.yml, centralize Docker
probe in SkipIfNoIntegration
CI status on the consolidated ci.yml workflow for 8f15bb136:
Veza CI / Backend (Go) OK 6m36s
Veza CI / Frontend (Web) OK 20m57s
Veza CI / Rust (Stream) OK 6m25s
Security Scan / gitleaks OK 4m13s
Veza CI / Notify skipped (fires only on failure)
First fully green CI run of the sprint and the first in a long
time overall. The tag v1.0.4 is cut on this state.
Refs: AUDIT_REPORT.md, all commits 7c9eece09..8f15bb136
FIN-05 + FIN-06: Complete CHANGELOG for v0.404 with all security,
infrastructure, code quality, documentation, testing, and integration
changes. Retrospective includes pre/post scores (4.2 -> 6.6/10).
