# AUDIT_01_INVENTAIRE.md -- Complete Inventory of the Existing Code

**Date**: 2026-03-11

**Auditor**: Claude Opus 4.6 (automated source code audit)

---

## 1. MONOREPO OVERVIEW

| Component | Technology | Source files | Test files | SQL migrations |
|-----------|------------|--------------|------------|----------------|
| **Backend API** | Go 1.24 + Gin | 867 `.go` | 328 `_test.go` | 134 `.sql` |
| **Frontend Web** | React + TypeScript + Vite | 1,927 `.ts/.tsx` | ~574 test+stories | - |
| **Stream Server** | Rust | 131 `.rs` | ~25 with `#[test]` | - |
| **Design System** | TypeScript | 1 (minimal) | - | - |
| **Total** | | **2,926** source | **~927** test | **134** |

### Root structure

```
veza/
+-- apps/web/                 # Frontend React + TypeScript + Vite
+-- packages/design-system/   # Design system SUMI (minimal)
+-- veza-backend-api/         # Go API (Gin, PostgreSQL, Redis, RabbitMQ)
+-- veza-stream-server/       # Rust stream server (audio HLS)
+-- veza-common/              # Shared utilities (Rust + Go)
+-- veza-docs/ORIGIN/         # Specifications (READ-ONLY)
+-- docker/                   # Dockerfiles
+-- infra/                    # Infrastructure configs
+-- k8s/                      # Kubernetes manifests
+-- scripts/                  # Utility scripts
+-- tests/                    # E2E tests (Playwright)
+-- loadtests/                # k6 load tests
+-- proto/                    # gRPC protobuf definitions
+-- .github/workflows/        # CI/CD pipelines (10 workflows)
+-- make/                     # Makefile includes
+-- config/                   # Shared configs
```

---

## 2. BACKEND API (Go)

### 2.1 Architecture

```
veza-backend-api/
+-- cmd/server/           # Entry point
+-- internal/
|   +-- api/              # Route registration (30+ route files)
|   +-- core/             # Domain modules (auth, track, feed, discover, analytics, moderation, etc.)
|   +-- handlers/         # HTTP handlers (~100 handler files)
|   +-- middleware/       # Middlewares (~40 files)
|   +-- models/           # Data models (~40 files)
|   +-- services/         # Business logic (~130 service files)
|   +-- config/           # Configuration
|   +-- database/         # DB connection
|   +-- elasticsearch/    # Search service
|   +-- websocket/chat/   # WebSocket handlers
|   +-- testutils/        # Test utilities
+-- pkg/apierror/         # Standardized error package
+-- migrations/           # SQL migrations (134 files)
+-- tests/                # Integration tests
```

### 2.2 Route Files (Endpoints)

| Route File | Domain | Key Endpoints |
|------------|--------|---------------|
| `routes_auth.go` | Authentication | register, login, logout, refresh, verify-email, forgot-password, reset-password, 2FA |
| `routes_users.go` | Users | CRUD, profile, avatar, settings, sessions, privacy |
| `routes_tracks.go` | Tracks | CRUD, upload, stream, waveform, HLS, lyrics, stems |
| `routes_playlists.go` | Playlists | CRUD, collaboration, export, import, share |
| `routes_social.go` | Social | follow/unfollow, block, groups, reposts, likes |
| `routes_feed.go` | Feed | Chronological feed, suggestions |
| `routes_search.go` | Search | Fulltext, autocomplete, unified search |
| `routes_discover.go` | Discovery | Genre browse, tag browse, trending (ethical) |
| `routes_tag.go` | Tags | CRUD tags, genres |
| `routes_marketplace.go` | Marketplace | Products, orders, checkout, downloads, reviews, promo codes |
| `routes_subscription.go` | Subscriptions | Plans, upgrade, downgrade, cancel |
| `routes_analytics.go` | Analytics | Creator analytics, heatmap, comparison, audience |
| `routes_moderation.go` | Moderation | Reports, moderation queue, strikes, spam detection |
| `routes_admin_platform.go` | Admin | Platform metrics, user management, content, payments |
| `routes_live.go` | Livestream | Start/stop, RTMP callbacks, HLS live |
| `routes_co_listening.go` | Co-listening | WebSocket sessions, sync |
| `routes_distribution.go` | Distribution | Submit to platforms, track status, royalties |
| `routes_education.go` | Education | Courses, modules, lessons, certificates, video |
| `routes_gear.go` | Gear/Equipment | Inventory CRUD, warranty, documents |
| `routes_cloud.go` | Cloud storage | File sync, backup, sharing |
| `routes_queue.go` | Queue | Playback queue management |
| `routes_developer.go` | Developer API | API keys, rate limits |
| `routes_webhooks.go` | Webhooks | Payment webhooks (Hyperswitch) |
| `routes_core.go` | Core | Health, metrics, feature flags, config |

### 2.3 Key Handlers (sample)

- **Auth**: `auth.go`, `oauth_handlers.go`, `two_factor_handler.go`, `password_reset_handler.go`
- **User**: `profile_handler.go`, `avatar_handler.go`, `settings_handler.go`, `privacy_handler.go`
- **Track**: `track_crud_handler.go`, `track_upload_handler.go`, `track_hls_handler.go`, `track_social_handler.go`, `track_search_handler.go`, `track_waveform_handler.go`, `track_analytics_handler.go`, `track_stem_handler.go`
- **Chat**: `chat_handler.go`, `chat_websocket_handler.go`, `chat_reaction_handler.go`, `chat_search_handler.go`, `chat_attachment_handler.go`
- **Marketplace**: `marketplace_handler.go`, `sell_handler.go`, `payout_handler.go`
- **Analytics**: `creator_handler.go`, `advanced_handler.go`, `playback_analytics_handler.go`
- **Admin**: `admin/handler.go`, `admin_transfer_handler.go`, `announcement_handler.go`
- **Moderation**: `moderation/handler.go`, `report_handler.go`
- **Notifications**: `notification_handlers.go`
- **Live**: `live_stream_handler.go`, `live_stream_callback.go`
- **Education**: `education_handler.go`, `distribution_handler.go`
- **GDPR**: `gdpr_export_handler.go`, `account_deletion_handler.go`
- **Other**: `gear_handler.go`, `cloud_handler.go`, `co_listening_handler.go`, `queue_handler.go`, `social_group_handler.go`, `presence_handler.go`

### 2.4 Services (130+ files)

Major services include:

- **Core**: `jwt_service.go`, `user_service.go`, `session_service.go`, `password_service.go`, `email_service.go`, `email_verification_service.go`, `oauth_service.go`, `totp_service.go`, `rbac_service.go`, `permission_service.go`
- **Track**: `track_upload_service.go`, `track_validation_service.go`, `track_search_service.go`, `track_like_service.go`, `track_repost_service.go`, `track_share_service.go`, `track_stem_service.go`, `track_history_service.go`, `track_recommendation_service.go`, `track_export_service.go`, `track_version_service.go`
- **Audio**: `hls_service.go`, `hls_transcode_service.go`, `hls_streaming_service_enhanced.go`, `hls_playlist_generator.go`, `hls_cleanup_service.go`, `audio_transcode_service.go`, `bitrate_adaptation_service.go`, `bandwidth_detection_service.go`, `buffer_monitor_service.go`, `waveform_service.go`, `stream_service.go`, `video_transcode_service.go`
- **Playlist**: `playlist_service.go`, `playlist_analytics_service.go`, `playlist_follow_service.go`, `playlist_share_service.go`, `playlist_duplicate_service.go`, `playlist_version_service.go`, `playlist_recommendation_service.go`, `playlist_notification_service.go`
- **Chat**: `chat_service.go`, `chat_pubsub.go`, `co_listening_service.go`
- **Social**: `social_service.go`, `comment_service.go`, `comment_moderation_service.go`
- **Analytics**: `analytics_service.go`, `creator_analytics_service.go`, `advanced_analytics_service.go`, `analytics_aggregation_service.go`, `playback_analytics_service.go`, `playback_heatmap_service.go`, `playback_comparison_service.go`, `playback_export_service.go`, `playback_filter_service.go`, `playback_segmentation_service.go`, `playback_alerts_service.go`, `playback_retention_service.go`
- **Marketplace**: `core/marketplace/service.go`, `royalty_service.go`, `stripe_connect_service.go`, `track_download_license.go`
- **Distribution**: `core/distribution/service.go`
- **Education**: `core/education/service.go`
- **Subscription**: `core/subscription/service.go`
- **Moderation**: `moderation_service.go`
- **Notifications**: `notification_service.go`, `notification_service_enhanced.go`, `notification_digest_worker.go`, `push_service.go`
- **Storage**: `s3_storage_service.go`, `image_service.go`, `image_service_enhanced.go`, `cdn_service.go`, `cloud_service.go`, `cloud_backup.go`, `backup_service.go`
- **Infrastructure**: `cache_service.go`, `circuit_breaker.go`, `monitoring_alerting_service.go`, `job_service.go`, `webhook_service.go`, `feature_flag_service.go`, `crypto_service.go`, `token_blacklist.go`, `refresh_token_service.go`
- **GDPR**: `data_export_service.go`, `gdpr_export.go`
- **Payments**: `hyperswitch/client.go`, `hyperswitch/provider.go`, `hyperswitch/webhook.go`
- **Gear**: `gear_service.go`, `gear_document_service.go`, `gear_warranty_notifier.go`

### 2.5 Middleware (40+ files)

- **Security**: `auth.go`, `rbac_middleware.go`, `security_headers.go`, `csrf.go`, `cors.go`, `metrics_protection.go`, `stream_callback_auth.go`, `webhook_api_key.go`
- **Rate limiting**: `rate_limiter.go`, `ratelimit.go`, `ratelimit_redis.go`, `endpoint_limiter.go`, `user_rate_limiter.go`
- **Observability**: `request_logger.go`, `request_id.go`, `tracing.go`, `metrics.go`, `monitoring.go`, `audit.go`
- **Resilience**: `recovery.go`, `sentry_recover.go`, `timeout.go`, `error_handler.go`, `maintenance.go`
- **Other**: `cache_headers.go`, `response_cache.go`, `context_propagation.go`, `validation.go`, `versioning.go`, `playlist_permission.go`, `ccpa.go`

### 2.6 SQL Migrations (134 files)

Range: `000_mark_consolidated.sql` to `960_performance_indexes_v0124.sql`

Key migration groups:

- **000-050**: Core schema (auth, users, sessions, files, streaming, analytics, follows, notifications, search indexes)
- **051-095**: Chat, stats, audit, jobs, groups, social, webhooks, gear, live streams, payments, API keys, playlists
- **096-134**: Products, marketplace, seller balances, promo codes, chat reactions, mentions, search, threads, attachments, invitations, data exports, collaborative rooms, editorial playlists, quiet hours, notification grouping, digest prefs
- **900-960**: Triggers, audit logs, performance indexes, foreign keys, deletion fields, reports, announcements, feature flags, OAuth, co-listening, stems, creator analytics, advanced analytics, moderation, marketplace, subscriptions, distribution, education, performance indexes v0.12.4

### 2.7 Dependencies (Go)

Key dependencies: `gin-gonic/gin`, `golang-jwt/jwt/v5`, `lib/pq` (PostgreSQL), `redis/go-redis/v9`, `aws-sdk-go-v2` (S3/MinIO), `rabbitmq/amqp091-go`, `prometheus/client_golang`, `getsentry/sentry-go`, `go-playground/validator/v10`, `pquerna/otp` (TOTP), `SherClockHolmes/webpush-go`, `coder/websocket`, `dhowden/tag` (audio metadata), `disintegration/imaging`, `go-pdf/fpdf`, `DATA-DOG/go-sqlmock`, `fsnotify/fsnotify`

---

## 3. FRONTEND WEB (React + TypeScript)

### 3.1 Architecture

```
apps/web/
+-- src/
|   +-- app/            # App entry point
|   +-- components/     # Shared UI components (30+ dirs)
|   +-- features/       # Feature modules (35 modules)
|   +-- hooks/          # Global custom hooks
|   +-- services/api/   # API client + interceptors
|   +-- stores/         # State management (Zustand)
|   +-- router/         # Route definitions
|   +-- schemas/        # Zod validation schemas
|   +-- types/          # TypeScript types + generated OpenAPI types
|   +-- locales/        # i18n translations
|   +-- mocks/          # MSW mocks
|   +-- providers/      # Context providers
|   +-- styles/         # Global styles
|   +-- stories/        # Storybook stories
|   +-- lib/            # Utility libraries
|   +-- utils/          # Utility functions
|   +-- config/         # Frontend config
|   +-- context/        # React contexts (audio-context)
|   +-- test/           # Test setup
```

### 3.2 Feature Modules (35)

| Module | Description | Has Pages | Has Tests |
|--------|-------------|-----------|-----------|
| `admin` | Admin dashboard, moderation, platform | Yes | - |
| `analytics` | Creator analytics views | Yes | Yes |
| `auth` | Login, register, sessions, 2FA, OAuth | Yes | Yes |
| `chat` | Chat rooms, DMs, reactions, search | Yes | Yes |
| `checkout` | Cart, checkout flow | Yes | - |
| `cloud` | Cloud storage management | Yes | - |
| `dashboard` | User dashboard | Yes | - |
| `developer` | API key management | Yes | - |
| `discover` | Genre/tag browsing | Yes | - |
| `distribution` | Platform distribution | Yes | - |
| `education` | Course catalog, learning | Yes | - |
| `error` | Error pages (404, 500) | Yes | - |
| `feed` | Chronological feed | Yes | - |
| `inventory` | Gear/equipment management | Yes | - |
| `library` | Track library, playlists | Yes | - |
| `live` | Livestream viewer/broadcaster | Yes | - |
| `marketplace` | Product listing, buying | Yes | - |
| `notifications` | Notification center, preferences | Yes | - |
| `player` | Audio player, queue | Yes | Yes |
| `playlists` | Playlist management, collaboration | Yes | Yes |
| `presence` | Online status, rich presence | - | - |
| `profile` | User profile view/edit | Yes | - |
| `purchases` | Purchase history | Yes | - |
| `roles` | Role management | Yes | - |
| `search` | Fulltext search | Yes | - |
| `seller` | Seller dashboard | Yes | - |
| `sessions` | Active sessions management | - | - |
| `settings` | User settings (account, security, data, etc.) | Yes | - |
| `social` | Follow, groups | Yes | - |
| `streaming` | Audio streaming hooks/services | - | - |
| `subscription` | Plan management | Yes | - |
| `tracks` | Track detail, upload | Yes | Yes |
| `upload` | File upload | - | - |
| `user` | User components | - | - |

### 3.3 Shared Components

- **UI primitives**: accordion, avatar-upload, content-transition, context-menu, data-list, date-picker, dialog, dropdown-menu, feature-highlight, file-upload, hover-card, lazy-component, optimized-image, select, tabs, tooltip, virtualized-list
- **Domain**: admin, analytics, auth, base, charts, commerce, dashboard, data, demo, developer, feedback, filters, forms, inventory, keyboard, layout, library, live, marketplace, modals, monitoring, navigation, notifications, player, pwa, search, seller, settings, share, social, theme, upload, user

### 3.4 State Management

- Zustand stores in `src/stores/`
- Feature-specific stores in `features/auth/store/`, `features/chat/store/`, `features/player/store/`

### 3.5 Testing

- Unit tests: Vitest
- E2E tests: Playwright (multiple configs: standard, mocks, visual regression)
- Visual regression: Playwright visual comparison
- MSW for API mocking
- 574 test + stories files

---

## 4. STREAM SERVER (Rust)

### 4.1 Architecture

```
veza-stream-server/
+-- src/
|   +-- main.rs
|   +-- lib.rs
|   +-- config/
|   +-- handlers/
|   +-- services/
|   +-- models/
|   +-- middleware/
|   +-- routes/
|   +-- audio/        # Audio processing (HLS, transcoding)
|   +-- storage/      # S3 integration
|   +-- monitoring/   # Metrics, health
+-- Cargo.toml
```

- 131 Rust source files
- 25 files with `#[test]` blocks
- Handles: audio streaming, HLS segment serving, transcoding, S3 storage integration, metrics

---

## 5. INFRASTRUCTURE & DEVOPS

### 5.1 Docker

- `docker-compose.yml` (production)
- `docker-compose.dev.yml` (development: Postgres, Redis, RabbitMQ, ClamAV, MinIO)
- `docker-compose.staging.yml`
- `docker-compose.prod.yml`
- `docker-compose.test.yml`
- Dockerfiles in `docker/`

### 5.2 CI/CD (GitHub Actions - 10 workflows)

| Workflow | Description |
|----------|-------------|
| `ci.yml` | Main CI pipeline |
| `backend-ci.yml` | Go tests, lint, build |
| `frontend-ci.yml` | TypeScript checks, Vitest, ESLint |
| `rust-ci.yml` | Cargo test, clippy, fmt |
| `stream-ci.yml` | Stream server CI |
| `cd.yml` | Continuous deployment |
| `security-scan.yml` | Security scanning |
| `sast.yml` | Static analysis |
| `container-scan.yml` | Container vulnerability scan |
| `load-test-nightly.yml` | Nightly k6 load tests |
| `storybook-audit.yml` | Storybook validation |

### 5.3 Kubernetes

- Manifests in `k8s/` directory

### 5.4 Makefile

- Comprehensive Makefile with `make/` includes (build.mk, tools.mk, etc.)
- Key targets: `dev`, `build`, `test`, `lint`, `doctor`, `infra-up-dev`, `migrate-up`, etc.

### 5.5 Load Tests

- k6 load test scripts in `loadtests/`

### 5.6 Monitoring

- Prometheus metrics via Go middleware
- Sentry error tracking integration

---

## 6. DOCUMENTATION

### 6.1 ORIGIN Specs (24 files)

Complete specification suite in `veza-docs/ORIGIN/`:

- Architecture, features registry, API spec, security framework, business logic, UI/UX system
- Code standards, testing strategy, performance targets, error patterns, error prevention guide
- Quality metrics, feature validation, deployment guide, development phases
- Database schema, technical stack, implementation tasks, revision summary

### 6.2 Existing Audit Reports

- `103_audit_global_features_states.md`
- `103_RAPPORT_ETAT_FEATURES_2026_02_16.md`
- `AUDIT_TECHNIQUE_2026-02-22.md`
- `AUDIT_TECHNIQUE_VEZA_2026-03-04.md`
- `ORIGIN_GAP_ANALYSIS_2026-03-04.md`
- `PENTEST_REPORT_VEZA_v0.12.6.md`
- `REMEDIATION_MATRIX_v0.12.6.md`
- `ASVS_CHECKLIST_v0.12.6.md`

### 6.3 Other docs

- `docs/adr/` - Architecture Decision Records
- `docs/ENV_VARIABLES.md`
- `docs/SECRETS_AUDIT.md`
- `CHANGELOG.md`, `CONTRIBUTING.md`, `README.md`
- `VEZA_VERSIONS_ROADMAP.md` - Version tracking (source of truth)

---

## 7. CODE HEALTH INDICATORS

| Metric | Value | Notes |
|--------|-------|-------|
| TODO/FIXME in backend+rust | 2 | Very clean |
| TODO/FIXME in frontend | 43 | Acceptable |
| Banned code traces (AI/ML/Web3/Gamification) | **0** | Clean |
| Go test files | 328 (38% of Go files) | Good coverage |
| Frontend test+stories files | 574 (30% of TS/TSX files) | Acceptable |
| SQL migrations | 134 | Comprehensive schema |
| CI workflows | 10 | Including security scans |
| Middleware files | 40+ | Very comprehensive |

---

*End of the Phase 1 inventory*