# Changelog - Remediation "Full Audit Fix"

## [Unreleased] - 2024-12-07

### Security

- **chat-server**: Implemented JWT authentication middleware for the HTTP API.
  - Secured `/api/messages` (POST) and `/api/messages/{id}` (GET).
  - Enforced permission checks (`can_send_message`, `can_read_conversation`).
  - Patched the `sender_id` spoofing vulnerability by enforcing the user ID from the token claims.
- **backend**: Resolved the `veza_errors_total` metric collision that was preventing monitoring from initializing properly.

### Fixed

- **backend**: Fixed `JobWorker` starvation by replacing the blocking `time.Sleep` with a non-blocking scheduler.
- **stream-server**: Improved task safety by replacing the unsafe `abort()` with a graceful `join/await` for monitoring tasks.
- **chat-server**: Fixed a resource leak by implementing a 60s WebSocket inactivity/heartbeat timeout.
- **chat-server**: Implemented graceful shutdown handling for OS signals (SIGTERM/SIGINT).
- **backend-tests**: Fixed the `RoomHandler` unit tests.
  - Refactored `RoomHandler` to use `RoomServiceInterface` for dependency injection.
  - Updated the `CreateRoom` tests to match the actual service signatures.
  - Fixed `bitrate_handler_test.go` compilation errors.
  - Resolved global metric registration panics during testing.

### Removed

- **backend**: Deleted legacy maintenance code (`migrations_legacy/` and `src/cmd/main.go.legacy`).

### Known Issues

- **backend**: Some unit tests (`metrics_test.go`, `profile_handler_test.go`, `system_metrics_test.go`) are disabled due to bitrot/missing dependencies.
- **stream-server**: Compilation requires an active database connection (sqlx compile-time verification) or `sqlx-data.json`.
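The Security entries above record two related changes to the chat-server HTTP API: a JWT middleware in front of `/api/messages`, and the `sender_id` fix, where the user ID is taken from the token claims rather than from whatever the client sent. The block below is an added example written for this changelog, not the chat-server's own code (the changelog does not even state the chat-server's language; Go is used here because the backend is Go). It shows the shape of that fix: the middleware verifies an HS256 token and places the subject in the request context, and the `POST /api/messages` handler overwrites any `sender_id` the body carried with that subject. `Claims.Sub` as the user-ID claim, the names `JWTMiddleware`, `PostMessage` and `Message`, the `canSend` callback standing in for `can_send_message`, and the HS256 key are all assumptions; `signHS256` exists only so the example can be exercised offline.

```go
package main

import (
	"context"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"strings"
)

// ctxKey is unexported so no other package can read or overwrite the user ID.
type ctxKey struct{}

// Claims is the subset of JWT claims used here; "sub" carrying the user ID is
// an assumption, not the project's documented schema.
type Claims struct {
	Sub string `json:"sub"`
}

// verifyHS256 checks an HS256 JWT signature and returns its claims. Kept small
// on purpose: HS256 only, no exp/nbf handling.
func verifyHS256(token string, key []byte) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	raw := make([][]byte, 3)
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return nil, errors.New("malformed base64 segment")
		}
		raw[i] = b
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if json.Unmarshal(raw[0], &hdr) != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unsupported header") // also rejects alg=none
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(raw[2], mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if json.Unmarshal(raw[1], &c) != nil || c.Sub == "" {
		return nil, errors.New("malformed claims")
	}
	return &c, nil
}

// signHS256 mints a token so the example can be exercised offline; it is a
// constructed helper, not an issuer the project ships.
func signHS256(sub string, key []byte) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	pl, _ := json.Marshal(Claims{Sub: sub})
	signingInput := hdr + "." + base64.RawURLEncoding.EncodeToString(pl)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// JWTMiddleware rejects requests without a valid bearer token and stores the
// authenticated user ID in the request context for the handlers behind it.
func JWTMiddleware(key []byte, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		tok := strings.TrimPrefix(auth, "Bearer ")
		c, err := verifyHS256(tok, key)
		if tok == auth || err != nil { // missing "Bearer " prefix or bad token
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, c.Sub)))
	})
}

// Message is the POST /api/messages body. Clients may still send sender_id,
// but the handler never trusts it.
type Message struct {
	SenderID string `json:"sender_id"`
	Text     string `json:"text"`
}

// PostMessage applies the can_send_message check to the authenticated user and
// overwrites sender_id with the token subject, which is the spoofing fix.
func PostMessage(canSend func(userID string) bool, store func(Message)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		uid, _ := r.Context().Value(ctxKey{}).(string)
		if uid == "" || !canSend(uid) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		var m Message
		if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 1<<16)).Decode(&m); err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		m.SenderID = uid // claim wins over body
		store(m)
		w.WriteHeader(http.StatusCreated)
	})
}
```

The important line is `m.SenderID = uid`: the handler does not compare the body's `sender_id` against the claim and reject on mismatch, it simply never reads it, so there is no code path in which a client-supplied ID reaches storage. The permission callback receives the authenticated ID for the same reason. The `alg` check in `verifyHS256` is what stops an unsigned (`alg=none`) token from passing the middleware.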
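The Fixed entry on `JobWorker` starvation says a blocking `time.Sleep` was replaced with a non-blocking scheduler. The block below is an added example, written for this changelog and not the backend's own `JobWorker`, that puts the two loop shapes side by side: `RunBlocking` polls the queue and sleeps when it is empty, so a job that arrives just after the sleep begins waits out the whole interval and a cancelled context is not noticed until the sleep ends; `RunScheduled` blocks in a `select` on the queue, the context and a ticker, so whichever event arrives first wakes it. The type, method and parameter names, the buffer size and the tick interval are all assumptions.

```go
package main

import (
	"context"
	"fmt"
	"sync/atomic"
	"time"
)

// Job is a unit of work the worker runs.
type Job func()

// JobWorker drains a queue of jobs. Both run loops below are constructed for
// this example; neither is the project's actual JobWorker code.
type JobWorker struct {
	jobs      chan Job
	processed atomic.Int64
}

func NewJobWorker(buffer int) *JobWorker {
	return &JobWorker{jobs: make(chan Job, buffer)}
}

// Submit enqueues a job; it blocks if the buffer is full.
func (w *JobWorker) Submit(j Job) { w.jobs <- j }

// Processed reports how many jobs have completed.
func (w *JobWorker) Processed() int64 { return w.processed.Load() }

// RunBlocking is the pre-fix shape: when the queue is empty it sleeps for
// pollInterval. During that sleep new jobs sit unserved and cancellation is
// not observed, which is the starvation the changelog describes.
func (w *JobWorker) RunBlocking(ctx context.Context, pollInterval time.Duration) {
	for ctx.Err() == nil {
		select {
		case j := <-w.jobs:
			j()
			w.processed.Add(1)
		default:
			time.Sleep(pollInterval) // blocks the goroutine outright
		}
	}
}

// RunScheduled is the fixed shape: block in select on the queue, the context
// and a housekeeping tick, so whichever event arrives first wakes the worker.
func (w *JobWorker) RunScheduled(ctx context.Context, tick time.Duration, housekeeping func()) {
	t := time.NewTicker(tick)
	defer t.Stop()
	for {
		select {
		case <-ctx.Done():
			return
		case j := <-w.jobs:
			j()
			w.processed.Add(1)
		case <-t.C:
			if housekeeping != nil {
				housekeeping()
			}
		}
	}
}

func main() {
	w := NewJobWorker(4)
	ctx, cancel := context.WithTimeout(context.Background(), 200*time.Millisecond)
	defer cancel()
	w.Submit(func() { fmt.Println("job ran") })
	w.RunScheduled(ctx, 50*time.Millisecond, func() { fmt.Println("housekeeping tick") })
	fmt.Println("processed:", w.Processed())
}
```

The `select`-based loop is also what makes the graceful shutdown entry above work for workers: a SIGTERM handler only has to cancel the context, and every worker blocked in `select` returns immediately rather than after its next sleep.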