156 commits

Author	SHA1	Message	Date
senke	a0a611525c	fix(v0.12.6.1): remediate remaining 15 MEDIUM + LOW pentest findings ... MEDIUM-002: Remove manual X-Forwarded-For parsing in metrics_protection.go, use c.ClientIP() only (respects SetTrustedProxies) MEDIUM-003: Pin ClamAV Docker image to 1.4 across all compose files MEDIUM-004: Add clampLimit(100) to 15+ handlers that parsed limit directly MEDIUM-006: Remove unsafe-eval from CSP script-src on Swagger routes MEDIUM-007: Pin all GitHub Actions to SHA in 11 workflow files MEDIUM-008: Replace rabbitmq:3-management-alpine with rabbitmq:3-alpine in prod MEDIUM-009: Add trial-already-used check in subscription service MEDIUM-010: Add 60s periodic token re-validation to WebSocket connections MEDIUM-011: Mask email in auth handler logs with maskEmail() helper MEDIUM-012: Add k-anonymity threshold (k=5) to playback analytics stats LOW-001: Align frontend password policy to 12 chars (matching backend) LOW-003: Replace deprecated dotenv with dotenvy crate in Rust stream server LOW-004: Enable xpack.security in Elasticsearch dev/local compose files LOW-005: Accept context.Context in CleanupExpiredSessions instead of Background() LOW-002: Noted — Hyperswitch version update deferred (requires payment integration tests) 29/30 findings remediated. 1 noted (LOW-002). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-12 06:13:38 +01:00
senke	71c15c2590	fix(v0.12.6.1): remediate 2 CRITICAL + 10 HIGH + 1 MEDIUM pentest findings ... Security fixes implemented: CRITICAL: - CRIT-001: IDOR on chat rooms — added IsRoomMember check before returning room data or message history (returns 404, not 403) - CRIT-002: play_count/like_count exposed publicly — changed JSON tags to "-" so they are never serialized in API responses HIGH: - HIGH-001: TOCTOU race on marketplace downloads — transaction + SELECT FOR UPDATE on GetDownloadURL - HIGH-002: HS256 in production docker-compose — replaced JWT_SECRET with JWT_PRIVATE_KEY_PATH / JWT_PUBLIC_KEY_PATH (RS256) - HIGH-003: context.Background() bypass in user repository — full context propagation from handlers → services → repository (29 files) - HIGH-004: Race condition on promo codes — SELECT FOR UPDATE - HIGH-005: Race condition on exclusive licenses — SELECT FOR UPDATE - HIGH-006: Rate limiter IP spoofing — SetTrustedProxies(nil) default - HIGH-007: RGPD hard delete incomplete — added cleanup for sessions, settings, follows, notifications, audit_logs anonymization - HIGH-008: RTMP callback auth weak — fail-closed when unconfigured, header-only (no query param), constant-time compare - HIGH-009: Co-listening host hijack — UpdateHostState now takes *Conn and verifies IsHost before processing - HIGH-010: Moderator self-strike — added issuedBy != userID check MEDIUM: - MEDIUM-001: Recovery codes used math/rand — replaced with crypto/rand - MEDIUM-005: Stream token forgeable — resolved by HIGH-002 (RS256) Updated REMEDIATION_MATRIX: 14 findings marked ✅ CORRIGÉ. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-12 05:40:53 +01:00
senke	46362581ba	feat(v0.12.3): F276-F305 video upload, HLS transcoding, education tests ... - Add video upload endpoint POST /courses/:id/lessons/:lesson_id/video - Add VideoTranscodeService for multi-bitrate HLS (720p/480p/360p) - Add VideoTranscodeWorker for async lesson video processing - Add SetLessonVideoPath and UpdateLessonTranscoding to education service - Add uploadLessonVideo to frontend educationService with progress - Add comprehensive handler tests (video upload, auth, validation) - Add service-level tests (models, slugs, clamping, errors, UUIDs) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-11 19:20:48 +01:00
senke	0a055db479	feat(v0.11.3): F421-F424 admin platform service with metrics, user mgmt, content, payments ... Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-10 18:16:27 +01:00
senke	5d71454088	feat(v0.11.2): F411-F420 moderation service with queue, spam, fingerprints, strikes ... Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-10 17:45:34 +01:00
senke	29586b59da	feat(v0.11.1): F396-F399 advanced analytics service, handler and routes ... - F396: Track listening heatmap (segment-level aggregated data) - F397: Period comparison (week/month/quarter with % changes) - F398: Marketplace analytics (product views, conversion rates, revenue) - F399: Metric alerts (opt-in thresholds, preferences, CRUD) - Unit tests for service (percent change calculations) and handler (auth, validation) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-10 17:12:26 +01:00
senke	e8fc494184	feat(v0.11.0): F381-F385 creator analytics service ... Implement CreatorAnalyticsService with: - GetCreatorDashboard: aggregated plays, listeners, revenue (F381) - GetPlayEvolution: temporal data by day/week/month (F382) - GetSalesSummary: revenue and sales history (F383) - GetDiscoverySources: how listeners find tracks (F381) - GetGeographicBreakdown: anonymized geographic data (F381) - GetAudienceProfile: aggregated audience demographics, min 10 users (F384) - GetLiveStreamMetrics: real-time viewer count (F385) - GetPerTrackStats: per-track analytics with pagination All data is private to the creator, never exposed publicly. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-10 16:25:30 +01:00
senke	f2881ad865	feat(gdpr): v0.10.8 portabilité données - export ZIP async, suppression compte, hard delete cron ... - Export: table data_exports, POST /me/export (202), GET /me/exports, messages+playback_history - Notification email quand ZIP prêt, rate limit 3/jour - Suppression: keep_public_tracks, anonymisation PII complète (users, user_profiles) - HardDeleteWorker: final anonymization après 30 jours - Frontend: POST export, checkbox keep_public_tracks - MSW handlers pour Storybook	2026-03-10 13:57:04 +01:00
senke	2292ecd56b	feat(v0.10.7): Collaboration Temps Réel F481-F483 ... - F481: Co-listening sessions (WebSocket sync, ListenTogether page) - F482: Stem sharing (upload/list/download wav,aiff,flac) - F483: Collaborative rooms (type collaborative, max 10, invite-only) - Roadmap: v0.10.7 → DONE	2026-03-10 13:34:16 +01:00
senke	3c01fa742f	feat(v0.10.6): Livestreaming basique F471-F476 ... - Backend: callbacks on_publish/on_publish_done, UpdateStreamURL, GetByStreamKey - Nginx-RTMP: config infra, docker-compose service (profil live) - Frontend: stream_url dans LiveStream, HLS.js dans LiveViewPlayer, état Stream terminé - Chat: rate limit send_live_message 1 msg/3s pour rooms live_streams - Env: RTMP_CALLBACK_SECRET, STREAM_HLS_BASE_URL, NGINX_RTMP_HOST - Roadmap v0.10.6 marquée DONE	2026-03-10 10:21:57 +01:00
senke	9de06bbf48	feat(v0.10.5): Notifications Complètes (F551-F555) ... - Phase 1: Default prefs — push_message & push_follow only; migration 941 - Phase 2: Digest = new tracks from followed artists (ORIGIN §8.1), not unread notifications - Phase 3: Toggle 'désactiver marketing' + button 'Tout désactiver sauf messages et follows' - Phase 4: PushPreferencesSection first in NotificationSettings (source of truth) - Roadmap: v0.10.5 → DONE	2026-03-10 10:09:32 +01:00
senke	c2b3a68fd5	feat(v0.10.5): Notifications complètes — F551-F555 ... F555: Backend pagination/filter GetNotifications (type, page, limit) + frontend pagination F551: WebSocket real-time — backend inject chat hub, send on CreateNotification; frontend useChat invalidates F553: Quiet hours — migration 132, CreateNotification skips push/WS, UI in PushPreferencesSection F554: Notification grouping — migration 133, group_key/actor_count for like/comment, UI format F552: Weekly digest — migration 134, NotificationDigestWorker, email template, prefs UI Acceptance: no gamification notif; defaults unchanged; individual toggles for marketing	2026-03-10 10:02:21 +01:00
senke	16a338da62	stabilisation commit: while implementing v0.10.5	2026-03-09 19:36:33 +01:00
senke	7259526d43	feat(v0.10.4): Playlists collaboratives - F136, F140, F141, F143, F145 ... Backend: - F141: GET /discover/playlists/editorial for editorial playlists - F143: GET /playlists/shared/:token (public, no auth) - F145: POST /playlists/import (JSON), GET /playlists/:id/export/m3u - F136: GET /playlists/favoris (creates Favoris playlist if needed) - Repo: GetFavorisByUserID, service GetOrCreateFavorisPlaylist Frontend: - SharedPlaylistPage at /playlists/shared/:token (public route) - Editorial playlists section in DiscoverPage - Export M3U in ExportPlaylistButton dropdown - Import JSON via ImportPlaylistButton (PlaylistListPage) - Favoris sidebar link, FavorisRedirectPage, AddToFavorisButton on tracks Roadmap: v0.10.4 marked DONE	2026-03-09 16:49:05 +01:00
senke	ef1ca1a908	feat(v0.10.3): Commentaires & Interactions Sociales - F201-F215 ... - F201: Commentaires avec timestamp cliquable, modération mots-clés - F202: Likes privés (compteur visible créateur uniquement) - F203: Reposts de tracks sur le profil, bouton Repost, onglet Reposts - F204: Notifications (commentaire, repost), pas de gamification Backend: migrations 127/128, comment_moderation_service, track_repost_service, GetTrackLikes/GetTrack masquent like_count pour non-créateurs Frontend: LikeButton isCreator, RepostButton, Reposts tab profil, timestamp seek	2026-03-09 10:30:47 +01:00
senke	9721e36289	v0.9.8	2026-03-06 19:13:16 +01:00
senke	7df866cd3f	v0.9.7 beta	2026-03-06 18:58:37 +01:00
senke	99136948cb	v0.9.7	2026-03-06 18:52:08 +01:00
senke	05446064ea	v0.9.6	2026-03-06 10:29:30 +01:00
senke	cd974172cb	v0.9.4	2026-03-05 23:03:43 +01:00
senke	2956b12645	v0.9.2	2026-03-05 19:27:34 +01:00
senke	9a93068a9b	v0.9.1	2026-03-05 19:22:31 +01:00
senke	a007f4c7e4	fix(release): v1.0.2 — Conformité complète V1_SIGNOFF (21 critères) ... - Couverture Go: script coverage_report.sh, 39% mesuré - Vitest thresholds frontend 50% - Load test WebSocket: CHAT_ORIGIN→backend, WS_URL=/api/v1/ws - Tests: chat_service (WSUrl), password_service (hash/expired) - V1_SIGNOFF: 14 PASS, 7 N/A documentés - PERFORMANCE_BASELINE, RGPD, PWA tables v1.0.2 - Runbooks, Grafana, Secrets validés	2026-03-03 21:18:53 +01:00
senke	3c5bb018cb	chore(release): v0.931 — Cursor (cursor-based pagination, performance baseline)	2026-03-02 12:35:49 +01:00
senke	4f47cec05d	feat(v0.923): API contract tests, OpenAPI generation, CI type sync check	2026-02-27 20:23:10 +01:00
senke	c96be67cbc	feat(auth): v0.911 Keystone - OAuth and auth integration tests ... - Add access token blacklist on logout (VEZA-SEC-006) - Extend OAuthService for mock provider injection in tests - Add oauth_google_test.go: full OAuth Google flow with mocked provider - Add oauth_github_test.go: OAuth GitHub flow with PKCE verification - Add token_refresh_test.go: E2E refresh via httpOnly cookies - Add logout_blacklist_test.go: E2E logout + token blacklist - Fix testutils import path in resume_upload_test, track_quota_test - Fix CreatorID -> UserID in track_quota_test - Add test:integration script to package.json Release: v0.911 Keystone	2026-02-27 09:58:53 +01:00
senke	515494007f	release(v0.903): Vault - ORDER BY whitelist, rate limiter, VERSION sync, chat-server cleanup, Go 1.24 ... - ORDER BY dynamiques : whitelist explicite, fallback created_at DESC - Login/register soumis au rate limiter global - VERSION sync + check CI - Nettoyage références veza-chat-server - Go 1.24 partout (Dockerfile, workflows) - TODO/FIXME/HACK convertis en issues ou résolus	2026-02-27 09:43:25 +01:00
senke	4c0be12465	release(v0.902): Sentinel - PKCE OAuth, token encryption, redirect validation, CHAT_JWT_SECRET ... - PKCE (S256) in OAuth flow: code_verifier in oauth_states, code_challenge in auth URL - CryptoService: AES-256-GCM encryption for OAuth provider tokens at rest - OAuth redirect URL validated against OAUTH_ALLOWED_REDIRECT_DOMAINS - CHAT_JWT_SECRET must differ from JWT_SECRET in production - Migration script: cmd/tools/encrypt_oauth_tokens for existing tokens - Fixes: VEZA-SEC-003, VEZA-SEC-004, VEZA-SEC-009, VEZA-SEC-010	2026-02-26 19:49:15 +01:00
senke	6e204cc98a	feat(security): v0.901 Ironclad - fix 5 critical/high vulnerabilities ... - OAuth: use JWTService+SessionService, httpOnly cookies (VEZA-SEC-001) - Remove PasswordService.GenerateJWT (VEZA-SEC-002) - Hyperswitch webhook: mandatory verification, 500 if secret empty (VEZA-SEC-005) - Auth middleware: TokenBlacklist.IsBlacklisted check (VEZA-SEC-006) - Waveform: ValidateExecPath before exec (VEZA-SEC-007)	2026-02-26 19:34:45 +01:00
senke	3edb10b567	feat(admin): feature flags CRUD with DB persistence	2026-02-25 19:56:24 +01:00
senke	d684c69439	feat(admin): global announcements CRUD and public banner endpoint	2026-02-25 19:55:21 +01:00
senke	0d092466f1	feat(admin): moderation queue with reports CRUD	2026-02-25 19:53:04 +01:00
senke	a3624ce4b3	feat(v0.802): frontend Cloud/Gear, MSW, docs, scope v0.803, archive ... - Cloud: CloudFileVersions, CloudShareModal, versions/share in CloudView - Gear: GearDocumentsTab, GearRepairsTab, warranty badge, initialTab - MSW: cloud versions/share, gear documents/repairs, tags suggest - Stories: CloudFileVersions, CloudShareModal, GearDetailModal variants - gearService: listDocuments, uploadDocument, deleteDocument, listRepairs, createRepair, deleteRepair - cloudService: listVersions, restoreVersion, shareFile, getSharedFile - gear_warranty_notifier: 24h ticker, notifications for expiring warranty - tag_handler_test: unit tests - docs: API_REFERENCE, CHANGELOG, PROJECT_STATE, FEATURE_STATUS v0.802 - SCOPE_CONTROL, .cursorrules: scope v0.803 - archive: V0_802_RELEASE_SCOPE, RETROSPECTIVE_V0802	2026-02-25 14:00:58 +01:00
senke	b885392304	feat(upload): tags auto-suggest endpoint and additional audio formats	2026-02-25 13:39:59 +01:00
senke	e303e33dfc	feat(cloud): GDPR data export and automatic backup cron	2026-02-25 13:35:16 +01:00
senke	301db440e5	feat(cloud): file versioning, restore, and sharing	2026-02-25 13:33:08 +01:00
senke	93666a3390	feat(v0.703): Go Live & Streaming Complet ... - Backend: room creation for live streams, permissions CanJoin/CanSend/CanRead for stream rooms - LiveViewChat: useLiveStreamChat hook, WebSocket connection, stream_id as room - LiveViewPlayer: real-time viewer count via polling (5s) - Media Session: seekbackward/seekforward handlers (10s step) - GoLiveView.stories.tsx: Default, Loading, Error, StreamKeyVisible - Docs: API_REFERENCE, CHANGELOG, PROJECT_STATE, FEATURE_STATUS, RETROSPECTIVE_V0703 - SCOPE_CONTROL, .cursorrules: update to v0.801 - Archive V0_703_RELEASE_SCOPE.md	2026-02-25 09:35:22 +01:00
senke	feed95fccd	test(live): add live stream service unit tests ... Use serializer:json for LiveStream.Tags to support SQLite in-memory tests.	2026-02-24 09:56:08 +01:00
senke	d386a98810	feat(live): stream key generation, ListByUser, RegenerateStreamKey	2026-02-24 09:52:04 +01:00
senke	b319b60396	chore(release): v0.602 — Payout, Dette Technique & Tests E2E ... - Stripe Connect: onboarding, balance, SellerDashboardView - Interceptors: auth.ts, error.ts extracted, facade - Grafana: dashboards enriched (p50, top endpoints, 4xx, WS, commerce) - E2E commerce: product->order->review->invoice - SMOKE_TEST_V0602, RETROSPECTIVE_V0602, PAYOUT_MANUAL - Archive V0_602 scope, V0_603 placeholder, SCOPE_CONTROL v0.603 - Fix sanitizer regex (Go no backreferences) - Marketplace test schema: product_licenses, product_images, orders, licenses	2026-02-23 22:32:01 +01:00
senke	8f6a6b0b13	feat(streaming): wire HLS pipeline end-to-end with serving routes ... - Add HLSEnabled and HLSStorageDir to backend config (HLS_STREAMING env) - Register HLS serving routes (master.m3u8, quality playlist, segments) behind HLSEnabled feature flag on existing track routes - Add GetHLSStatus and TriggerHLSTranscode methods to StreamService for stream server communication - Update docker-compose (dev, staging, prod) with HLS env vars and shared hls-data volume between backend and stream-server - Stream callback already correctly updates stream_manifest_url	2026-02-22 21:20:35 +01:00
senke	3baeef30dd	feat(chat): Sprint 2 -- WebSocket hub, client, message types, route ... - Create Hub with register/unregister/broadcast, room/user index - Create Client with readPump/writePump goroutines, 30s ping keepalive - Define all 18 incoming + 18 outgoing message types matching Rust protocol - Add ValidateChatToken to ChatService for JWT validation - Update WSUrl from /ws to /api/v1/ws - Register GET /api/v1/ws endpoint in router - Create ChatWebSocketHandler for WebSocket upgrade and auth	2026-02-22 20:41:39 +01:00
senke	2ee63b9b11	feat(chat): Sprint 1 -- migrations, models, repositories for chat rewrite ... - Add migrations 109-112: read_receipts, delivered_status, message_reactions, messages extra columns - Create ReadReceipt, DeliveredStatus, MessageReaction GORM models - Update Message model with EditedAt, Status, IsPinned, Metadata fields - Enrich ChatMessageRepository with cursor pagination, search, soft delete - Create ReadReceiptRepository, DeliveredStatusRepository, ReactionRepository - Create ChatPubSubService with Redis PubSub and in-memory fallback	2026-02-22 20:38:20 +01:00
senke	bcc885327b	feat(v0.501): Sprint 4 -- Cloud frontend + Gear advanced ... - C1-09: Create CloudPage with folder tree, file list, and /cloud route - C1-10: Create CloudUploadModal with drag-and-drop and progress - C1-11: Create CloudFilePreview mini player inline - C1-12: Add Cloud stories (loading, empty, populated, quota full) - G1-01: Add is_public toggle, public gear endpoint, GearShowcase - G1-02: Add gear image upload endpoints, GearImageGallery component - G1-03: Add gear search with ILIKE + SearchBar in toolbar - G1-04: Add stories for GearShowcase and GearImageGallery	2026-02-22 18:30:49 +01:00
senke	86a0978c28	feat(v0.501): Sprint 3 -- Cloud Storage MVP backend ... - C1-01: Create CloudService with CRUD folders/files, quota, ownership - C1-02: Create CloudHandler with 11 REST endpoints - C1-03: Register cloud routes in Go router - C1-04: Implement file streaming with HTTP Range support - C1-05: Add publish cloud file as track endpoint - C1-06: Add MSW mock handlers for cloud API - C1-07: Auto-init 5GB storage quota on user registration - C1-08: Add 12 unit tests for CloudService	2026-02-22 18:23:58 +01:00
senke	465aa9e008	feat(v0.501): Sprint 2 -- HLS production-ready ... - S1-01: Add multi-bitrate streaming profiles (128k, 256k, 320k) - S1-02: Update master.m3u8 endpoint with 3-tier quality system - S1-03: Integrate hls.js with ABR + useHLSPlayer hook - S1-04: Add Cache-Control headers on HLS segments and manifests - S1-05: Create WaveformService with async generation (FFmpeg + audiowaveform) - S1-06: Add GET /tracks/:id/waveform endpoint with Redis cache - S1-07: Create WaveformDisplay component with story - S1-08: Add 4 Prometheus metrics for streaming monitoring	2026-02-22 18:16:37 +01:00
senke	43536ea3f3	fix(tests): fix 2 skipped tests, add clear skip reasons to 11 others ... INT-04: Fixed nil UserID panic in AuditService (re-enabled 2 tests). Added INT-04 comments explaining skip reasons for tests requiring PostgreSQL, real file headers, or external services.	2026-02-22 17:53:00 +01:00
senke	0e095d9a54	refactor(backend): replace 40 fmt.Printf calls with zap structured logging ... CLN-03: router.go, track/service.go, upload_validator.go, cors.go, playlist_handler.go, and mfa.go now use zap.L() or local logger for structured logging instead of fmt.Printf.	2026-02-22 17:44:38 +01:00
senke	9752a90dfb	fix(security): hash password reset tokens before database storage ... INF-10: Reset tokens are now SHA-256 hashed before INSERT. Validation hashes the received token and compares against stored hash. Plain tokens never persisted.	2026-02-22 17:36:10 +01:00
senke	72d15f60b5	fix(security): add ownership check to GetUploadStatus handler (IDOR fix) ... SEC-06: GetUploadStatus now verifies that the authenticated user owns the upload before returning status. Returns 404 for non-owners to prevent information disclosure.	2026-02-22 17:30:30 +01:00