# AUDIT_02_SPECIFICATIONS.md -- Synthesis of ORIGIN Requirements

**Date**: 2026-03-11
**Auditor**: Claude Opus 4.6

---

## 1. FEATURES REGISTRY (ORIGIN_FEATURES_REGISTRY.md)

### 1.1 Overview

- **Total features specified**: ~560 (the F001-F600 range minus the 40 ethically excluded features)
- **Features removed**: F456-F470 (AI/ML), F491-F500 (Blockchain/Web3), F536-F550 (Gamification)
- **IDs not reassigned**: the removed numbers stay vacant, so the gaps in the table below are intentional

### 1.2 Modules and features per module

| Module | Range | Features | Priority |
|--------|-------|----------|----------|
| 1. Auth & Security | F001-F030 | 30 | P0-P1 |
| 2. Profiles & Users | F031-F065 | 35 | P0-P2 |
| 3. File Management | F066-F105 | 40 | P0-P2 |
| 4. Audio Streaming | F106-F150 | 45 | P0-P2 |
| 5. Chat & Messaging | F151-F185 | 35 | P1-P2 |
| 6. Social & Community | F186-F225 | 40 | P1-P2 |
| 7. Marketplace | F226-F275 | 50 | P1-P2 |
| 8. Training & Education | F276-F305 | 30 | P2-P3 |
| 9. Equipment Management | F306-F330 | 25 | P3 |
| 10. Cloud & Storage | F331-F350 | 20 | P2-P3 |
| 11. Search & Discovery | F351-F380 | 30 | P1-P2 |
| 12. Analytics & Statistics | F381-F410 | 30 | P1-P2 |
| 13. Administration | F411-F435 | 25 | P1-P2 |
| 14. UI/UX | F436-F455 | 20 | P2 |
| ~~15. AI & Advanced Features~~ | ~~F456-F470~~ | ~~15~~ | **REMOVED** |
| 16. Livestreaming | F471-F480 | 10 | P2 |
| 17. Real-Time Collaboration | F481-F490 | 10 | P2-P3 |
| ~~18. Blockchain & Web3~~ | ~~F491-F500~~ | ~~10~~ | **REMOVED** |
| 19. External Integrations | F501-F520 | 20 | P2-P3 |
| 20. Native Apps (-> PWA) | F521-F535 | 15 | P2 |
| ~~21. Gamification~~ | ~~F536-F550~~ | ~~15~~ | **REMOVED** |
| 22. Notifications | F551-F570 | 20 | P1-P2 |
| 23. Advanced Security | F571-F585 | 15 | P0-P1 |
| 24. Developers & API | F586-F600 | 15 | P2-P3 |
---

## 2. API SPECIFICATION (ORIGIN_API_SPECIFICATION.md)

### 2.1 Mandatory principles

- URLs: `/api/v{version}/{resource}` (plural nouns, snake_case fields)
- Responses: JSON, ISO 8601 dates, UUID v4 identifiers
- Pagination: cursor-based by default, offset-based only for fixed pages
- Rate limiting: `X-RateLimit-*` headers mandatory on every response, `Retry-After` on 429
- Errors: standardized envelope `{"error": {"code": 1000-9999, "message": ..., "details": [...]}}`
- Auth: JWT Bearer, OAuth 2.0 (Google, GitHub, Discord, Spotify)
- RBAC roles: user, creator, premium, moderator, admin

### 2.2 Specified endpoints (extract from sections 7.x)

| Group | Endpoints | Examples |
|-------|-----------|----------|
| Auth | 8 | register, login, logout, refresh, forgot-password, reset-password, verify-email, me |
| Users | 6+ | GET/PATCH /{id}, GET /{id}/tracks, followers, following, follow/unfollow |
| Tracks | 10+ | CRUD, upload, stream, waveform, likes, comments, tags |
| Playlists | 8+ | CRUD, tracks, collaborate, share, export |
| Chat | 6+ | rooms, messages, reactions, mentions, search, attachments |
| Marketplace | 10+ | products, orders, checkout, downloads, reviews, promo codes |
| Search | 3+ | unified, suggestions, autocomplete |
| Feed | 2+ | feed, suggestions |
| Discover | 3+ | genre, tag, trending |
| Analytics | 5+ | dashboard, heatmap, comparison, export, audience |
| Admin | 5+ | metrics, users, content, payments, announcements |
| Notifications | 3+ | list, preferences, mark-read |
| Live | 4+ | start, stop, callbacks, list |
| Subscriptions | 4+ | plans, subscribe, cancel, invoices |
| GDPR | 3+ | export, delete account, anonymize |

### 2.3 Specified rate limits

| Type | Limit | Window |
|------|-------|--------|
| Authentication | 10 req | 1 min |
| Read (GET) | 1,000 req | 1 h |
| Write (POST/PUT/PATCH) | 100 req | 1 h |
| Upload | 10 req | 1 h |
| Search | 500 req | 1 h |
| Streaming | 10,000 plays | 1 day |
| Export | 3 req | 1 day |
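The rate-limiting rule in 2.1 and the limits in 2.3 meet in one middleware. The Go below is an added example written for this synthesis, not code from the ORIGIN documents or the project: a fixed-window limiter keyed by caller that sets the `X-RateLimit-*` headers on every response and answers an exhausted window with 429, `Retry-After` and the standard error envelope. The concrete header names `X-RateLimit-Limit`/`-Remaining`/`-Reset`, the error code 4290, the client address and the fake clock are assumptions; the spec only names the `X-RateLimit-*` family.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"sync"
	"time"
)

// APIError is the standardized error envelope from section 2.1.
type APIError struct {
	Error struct {
		Code    int      `json:"code"`
		Message string   `json:"message"`
		Details []string `json:"details"`
	} `json:"error"`
}

// CodeRateLimited is an assumed value in the spec's 1000-9999 range; the code registry itself is not on the page.
const CodeRateLimited = 4290

// WriteError emits the envelope with the given HTTP status; details is always a JSON array, never null.
func WriteError(w http.ResponseWriter, status, code int, msg string, details ...string) {
	var e APIError
	e.Error.Code, e.Error.Message, e.Error.Details = code, msg, append([]string{}, details...)
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(status)
	_ = json.NewEncoder(w).Encode(e)
}

// Limiter is a fixed-window counter keyed by caller (user ID, or client IP on unauthenticated
// routes such as login). The clock is injectable so behaviour at the window edge is testable.
type Limiter struct {
	mu      sync.Mutex
	limit   int
	window  time.Duration
	now     func() time.Time
	buckets map[string]*bucket
}
type bucket struct {
	count int
	reset time.Time
}

func NewLimiter(limit int, window time.Duration, now func() time.Time) *Limiter {
	return &Limiter{limit: limit, window: window, now: now, buckets: map[string]*bucket{}}
}

// Allow consumes one request for key and reports what remains and when the window resets.
func (l *Limiter) Allow(key string) (ok bool, remaining int, reset time.Time) {
	l.mu.Lock()
	defer l.mu.Unlock()
	t := l.now()
	b := l.buckets[key]
	if b == nil || !t.Before(b.reset) { // first request, or the previous window has elapsed
		b = &bucket{reset: t.Add(l.window)}
		l.buckets[key] = b
	}
	if b.count >= l.limit {
		return false, 0, b.reset
	}
	b.count++
	return true, l.limit - b.count, b.reset
}

// Middleware sets X-RateLimit-* on every response and answers an exhausted window with
// 429, Retry-After and the standard envelope.
func (l *Limiter) Middleware(keyOf func(*http.Request) string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ok, remaining, reset := l.Allow(keyOf(r))
		h := w.Header()
		h.Set("X-RateLimit-Limit", strconv.Itoa(l.limit))
		h.Set("X-RateLimit-Remaining", strconv.Itoa(remaining))
		h.Set("X-RateLimit-Reset", strconv.FormatInt(reset.Unix(), 10))
		if !ok {
			secs := (reset.Sub(l.now()) + time.Second - 1) / time.Second // round up: never tell the client "0"
			h.Set("Retry-After", strconv.FormatInt(int64(secs), 10))
			WriteError(w, http.StatusTooManyRequests, CodeRateLimited, "rate limit exceeded")
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	clock := time.Unix(1_700_000_000, 0) // fake clock; advance it by hand to cross the window
	login := NewLimiter(10, time.Minute, func() time.Time { return clock }).Middleware(
		func(r *http.Request) string { return r.RemoteAddr }, // not authenticated yet: key by client IP
		http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }))
	for i := 1; i <= 11; i++ { // the 11th attempt inside the minute is refused
		rec := httptest.NewRecorder()
		req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/login", nil)
		req.RemoteAddr = "203.0.113.7:51000" // constructed client address
		login.ServeHTTP(rec, req)
		fmt.Println(i, rec.Code, "remaining="+rec.Header().Get("X-RateLimit-Remaining"), "retry-after="+rec.Header().Get("Retry-After"))
	}
}
```

Driven against the authentication limit (10 requests per minute) from one address, the eleventh attempt inside the minute gets 429 with `Retry-After: 60` and `X-RateLimit-Remaining: 0`, and the same client is admitted again once the window has elapsed. A fixed window is the simplest scheme that satisfies the spec; a sliding window or token bucket smooths the burst at window boundaries and fits behind the same `Allow` signature. The key function matters as much as the counter: unauthenticated routes must be keyed by client IP (taken from the trusted proxy header rather than `RemoteAddr` once behind a load balancer), authenticated ones by user ID, otherwise one tenant's burst throttles everyone.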
---

## 3. SECURITY FRAMEWORK (ORIGIN_SECURITY_FRAMEWORK.md)

### 3.1 Critical requirements

| Requirement | Ref | Criticality |
|-------------|-----|-------------|
| Passwords hashed with Argon2id or bcrypt (cost >= 12) | Rule 1 | P0 |
| TLS 1.3 minimum on all communications | Rule 2 | P0 |
| Sensitive data encrypted at rest (AES-256) | Rule 3 | P0 |
| JWT access token: 15 min, refresh token: 7 days | Rule 4 | P0 |
| MFA mandatory for admin and moderator | Rule 5 | P0 |
| Rate limiting on all public endpoints | Rule 6 | P0 |
| Server-side input validation mandatory | Rule 7 | P0 |
| Immutable audit logs for sensitive actions | Rule 8 | P0 |
| Mandatory security headers (CSP, HSTS, X-Frame-Options) | Rule 9 | P0 |
| Secrets NEVER in code | Rule 10 | P0 |

### 3.2 Audit findings (VEZA-SEC-001/002)

- **VEZA-SEC-001**: hard-coded default JWT secret in config_rust.rs (P0, a Rule 10 violation) -> fixed in v0.9.1
- **VEZA-SEC-002**: JWT issuer/audience mismatch between the Go and Rust services (P0) -> fixed in v0.9.1

### 3.3 Pentest v0.12.6 findings

- 2 CRITICAL, 10 HIGH, 12 MEDIUM, 6 LOW, 5 INFO (35 findings)
- Status: both CRITICALs fixed, **3 HIGHs still open**; they block the v1.0 Go/No-Go criterion of zero open critical or high findings (section 11)
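Rule 4 (15-minute access and 7-day refresh tokens), Rule 10 (no secrets in code) and both VEZA-SEC findings concern the same piece of code: the JWT issuer and verifier. The Go below is an added example for this synthesis, not the project's implementation: RS256 with the standard library only, the algorithm pinned before any signature check, and issuer, audience and expiry validated in a fixed order. The issuer/audience strings, the 2048-bit key and the single-string `aud` are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Lifetimes from Rule 4. Issuer and Audience are assumed values; the Go and Rust services
// must read them from one shared configuration (VEZA-SEC-002 was the two disagreeing).
const (
	AccessTTL  = 15 * time.Minute
	RefreshTTL = 7 * 24 * time.Hour
	Issuer     = "veza-auth"
	Audience   = "veza-api"
)

// Claims is the registered-claim subset this example checks (aud modelled as one string).
type Claims struct {
	Sub string `json:"sub"`
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

var (
	ErrMalformed = errors.New("jwt: malformed token")
	ErrAlgorithm = errors.New("jwt: algorithm not allowed")
	ErrSignature = errors.New("jwt: bad signature")
	ErrIssuer    = errors.New("jwt: issuer mismatch")
	ErrAudience  = errors.New("jwt: audience mismatch")
	ErrExpired   = errors.New("jwt: token expired")
	b64          = base64.RawURLEncoding
)

// GenerateKey makes a fresh RS256 key pair. In production the private key comes from a
// secrets store, never from the repository or a config default (Rule 10, VEZA-SEC-001).
func GenerateKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Sign produces header.payload.signature with RS256 (PKCS#1 v1.5 over SHA-256). The header
// is a parameter only so that a caller can show what a forged "alg" does at verification.
func Sign(priv *rsa.PrivateKey, headerJSON string, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString([]byte(headerJSON)) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// Issue mints a token for sub; pass AccessTTL or RefreshTTL as ttl.
func Issue(priv *rsa.PrivateKey, sub string, ttl time.Duration, now time.Time) (string, error) {
	c := Claims{Sub: sub, Iss: Issuer, Aud: Audience, Iat: now.Unix(), Exp: now.Add(ttl).Unix()}
	return Sign(priv, `{"alg":"RS256","typ":"JWT"}`, c)
}

// Verify checks, in order: structure, pinned algorithm, signature, then the claims.
// The payload is not even parsed until the signature has passed.
func Verify(pub *rsa.PublicKey, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrMalformed
	}
	hdrJSON, e1 := b64.DecodeString(parts[0])
	payload, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	var hdr struct{ Alg string `json:"alg"` }
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hdrJSON, &hdr) != nil {
		return nil, ErrMalformed
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	var c Claims
	switch {
	case hdr.Alg != "RS256": // refuses alg=none and HS256 key-confusion tokens before any crypto runs
		return nil, ErrAlgorithm
	case rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil:
		return nil, ErrSignature
	case json.Unmarshal(payload, &c) != nil:
		return nil, ErrMalformed
	case c.Iss != Issuer:
		return nil, ErrIssuer
	case c.Aud != Audience:
		return nil, ErrAudience
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, ErrExpired
	}
	return &c, nil
}

func main() {
	priv, _ := GenerateKey()
	tok, _ := Issue(priv, "user-123", AccessTTL, time.Now())
	fmt.Println(Verify(&priv.PublicKey, tok, time.Now().Add(16*time.Minute)))
}
```

`Verify` fails closed on every branch and returns a distinct sentinel per cause, which is what an audit log (Rule 8) needs in order to tell an expired token from a forged one. The VEZA-SEC-002 class of bug shows up here as `ErrAudience`: a token correctly signed by one service but carrying the audience string the other service expected is rejected instead of silently accepted. RS256 is also what the v1.0 Go/No-Go list requires in production; with asymmetric keys the Rust service only ever holds the public key, so a repeated VEZA-SEC-001 on that side could not leak signing capability.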
---

## 4. BUSINESS LOGIC (ORIGIN_BUSINESS_LOGIC.md)

### 4.1 Financial rules

| Rule | Value |
|------|-------|
| Creator commission | 15% |
| Premium commission | 10% |
| Automatic payout | >= $50 (weekly) |
| Manual payout | >= $100 |
| Refund | 30 days max (14 days standard) |
| Prices in cents | Mandatory (integer minor units) |

### 4.2 Subscription plans

| Plan | Price | Storage | Upload | Commission |
|------|-------|---------|--------|------------|
| Free | $0/month | 1 GB | 5 tracks/month | N/A |
| Creator | $9.99/month | 50 GB | Unlimited | 15% |
| Premium | $19.99/month | 200 GB | Unlimited | 10% |

### 4.3 Moderation rules

- 3 strikes = automatic suspension
- Final decision is always human
- Categories: spam, offensive content, rights violation, fake, other
- Deterministic detection only (no ML)

### 4.4 Ethical notifications

- Push disabled by default (except DMs and follows)
- No "X likes" or gamification in notifications
- Configurable quiet hours
- One-click marketing opt-out

---

## 5. PERFORMANCE TARGETS (ORIGIN_PERFORMANCE_TARGETS.md)

### 5.1 SLOs

| Metric | Target | Stretch |
|--------|--------|---------|
| API p95 | < 100ms | < 50ms |
| API p99 | < 200ms | < 100ms |
| DB query p95 | < 10ms | < 5ms |
| FCP | < 1.5s | < 1s |
| TTI | < 3.5s | < 2s |
| Audio stream start | < 500ms | < 300ms |
| Search results | < 500ms | < 200ms |
| Uptime | 99.9% | 99.99% |

### 5.2 Lighthouse scores

| Category | Target |
|----------|--------|
| Performance | >= 90 |
| Accessibility | >= 95 |
| Best Practices | >= 90 |
| SEO | >= 90 |

### 5.3 Budgets

| Metric | Limit |
|--------|-------|
| Initial JS bundle | < 200 KB gzipped |
| N+1 queries | Forbidden |
| Memory leaks | Zero tolerance |
| Audio rebuffering | < 0.5% |
| Concurrent users | 100K (production target) |
| Throughput | 10K req/s |
---

## 6. TESTING STRATEGY (ORIGIN_TESTING_STRATEGY.md)

### 6.1 Coverage targets

| Type | Coverage | Max duration |
|------|----------|--------------|
| Unit tests | >= 80% of lines | < 2 min |
| Integration tests | >= 70% of endpoints | < 5 min |
| E2E tests | >= 50% of critical flows | < 10 min |
| Performance tests | 100% of critical endpoints | < 15 min |
| Security tests | 100% of OWASP Top 10 | < 20 min |
| Load tests | 100% of production scenarios | 30-60 min |

### 6.2 Coverage per stack (trajectory)

| Stack | Current (est.) | Phase 3.5 | Phase 4R | Phase 5R |
|-------|----------------|-----------|----------|----------|
| Frontend | ~50% | 70% | 75% | 80% |
| Backend Go | Not measured | 70% | 80% | 80% |
| Backend Rust | Not measured | 60% | 70% | 75% |

---

## 7. UI/UX SYSTEM (ORIGIN_UI_UX_SYSTEM.md)

### 7.1 SUMI design system

- 200+ specified components
- Design tokens (colors, typography, spacing, shadows, radius)
- Dark mode mandatory
- Mobile-first design
- 4px base spacing grid

### 7.2 Anti-dark-patterns (S13)

Forbidden: FOMO, manipulative push notifications, unsubscribe friction, public popularity metrics, streaks/XP/leaderboards, confirmshaming, bait-and-switch, roach motels, trick questions, disguised ads, hidden costs

### 7.3 Accessibility

- WCAG AA minimum across the whole platform
- WCAG AAA for critical functions (navigation, audio playback, upload, sign-up)
- Full keyboard navigation
- Screen reader support (ARIA labels)
- Contrast >= 4.5:1 (normal text), >= 3:1 (large text)
---

## 8. CODE STANDARDS (ORIGIN_CODE_STANDARDS.md)

### 8.1 Mandatory conventions

| Convention | Description |
|-----------|-------------|
| Mandatory formatters | gofmt, rustfmt, Prettier |
| Mandatory linters | golangci-lint, clippy, ESLint |
| Mandatory tests | Coverage >= 80% on new code |
| Context propagation | Every I/O function takes ctx as its first parameter |
| API error format | `{"error": {"code": ..., "message": ..., "context": ...}}` (the API spec in section 2.1 names the third field `details`; the two documents need reconciling) |
| Pagination | `{"data": [...], "pagination": {...}}` |
| JSON logging | `level`, `time`, `msg`, `request_id`, `user_id` |
| Goroutines | Termination mechanism mandatory |
| Functions | Max 50 lines, cyclomatic complexity < 10 |
| Dead code | Delete immediately (the source wording literally says immediate deletion is "forbidden", which contradicts the rule's evident intent) |
| Magic numbers | Forbidden (use constants) |

---

## 9. QUALITY METRICS (ORIGIN_QUALITY_METRICS.md)

### 9.1 Identified technical debts (DT-001 to DT-017)

| ID | Description | Priority |
|----|-------------|----------|
| DT-007 | Missing `.nvmrc` | Fixed |
| DT-008 | Missing `rust-toolchain.toml` | Fixed |
| DT-013 | TypeScript strict mode | Fixed |
| DT-001 to DT-017 | See detail in ORIGIN | Variable |

---

## 10. ERROR PATTERNS (ORIGIN_ERROR_PATTERNS.md)

### 10.1 Identified patterns (31 total)

| Category | Patterns | Priority |
|----------|----------|----------|
| Backend Go | 10 | P0-P1 |
| Frontend TypeScript | 8 | P0-P2 |
| Tests | 6 | P1-P2 |
| Configuration | 3 | P0-P1 |
| Lint/Format | 4 | P2 |

Key patterns:

- **PAT-001**: Import cycles (circular dependencies)
- **PAT-002**: Type mismatches (string vs *string)
- **PAT-024**: JWT mismatch between Go and Rust (the VEZA-SEC-002 finding of section 3.2)
- **PAT-025**: Missing context propagation
- **PAT-026**: Goroutine leaks
- **PAT-027**: Inconsistent pagination
- **PAT-028**: Non-standard error handling
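Three of the conventions in 8.1 (ctx as first parameter, a termination mechanism for every goroutine, the five mandatory JSON log fields) and two of the key patterns in 10.1 (PAT-025 missing context propagation, PAT-026 goroutine leaks) fit in one Go file. This is an added example for this synthesis, not code from the ORIGIN documents: a leaky fan-out worker next to its compliant form, plus a log-line builder that pulls `request_id` and `user_id` from the context. The context keys, the sample items and the identifiers `req-7f3a` / `user-123` are constructed for the example.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"runtime"
	"strings"
	"time"
)

// LogEntry carries the five fields section 8.1 makes mandatory for JSON logs.
type LogEntry struct {
	Level     string `json:"level"`
	Time      string `json:"time"`
	Msg       string `json:"msg"`
	RequestID string `json:"request_id"`
	UserID    string `json:"user_id"`
}

type ctxKey string // unexported key type so no other package can collide with ours

const keyRequestID, keyUserID ctxKey = "request_id", "user_id"

// WithRequest attaches both identifiers at the edge (an HTTP middleware in practice), so
// any function that receives ctx can log them without threading extra parameters.
func WithRequest(ctx context.Context, requestID, userID string) context.Context {
	ctx = context.WithValue(ctx, keyRequestID, requestID)
	return context.WithValue(ctx, keyUserID, userID)
}

// LogLine renders one JSON log line for ctx. It returns the line rather than printing it
// so callers can inspect it; a real logger would write it to stdout.
func LogLine(ctx context.Context, level, msg string, now time.Time) (string, error) {
	rid, _ := ctx.Value(keyRequestID).(string)
	uid, _ := ctx.Value(keyUserID).(string)
	b, err := json.Marshal(LogEntry{Level: level, Time: now.UTC().Format(time.RFC3339), Msg: msg, RequestID: rid, UserID: uid})
	return string(b), err
}

func process(item string) string { return strings.ToUpper(item) } // stand-in for real work

// LeakyFanOut is the PAT-026 anti-pattern: no ctx, and an unbuffered send with no other
// exit path. A consumer that stops reading strands this goroutine for the process lifetime.
func LeakyFanOut(items []string) <-chan string {
	out := make(chan string)
	go func() {
		defer close(out)
		for _, it := range items {
			out <- process(it)
		}
	}()
	return out
}

// FanOut follows section 8.1: ctx first, every blocking send also selects on ctx.Done(),
// and the done channel lets the caller observe that the goroutine really finished.
func FanOut(ctx context.Context, items []string) (results <-chan string, done <-chan struct{}) {
	out, fin := make(chan string), make(chan struct{})
	go func() {
		defer close(fin) // deferred first, so it runs last: the final signal
		defer close(out)
		for _, it := range items {
			select {
			case out <- process(it):
			case <-ctx.Done():
				return
			}
		}
	}()
	return out, fin
}

// ConsumeSome reads n results, cancels, and reports whether the worker exited within a second.
func ConsumeSome(ctx context.Context, items []string, n int) (got []string, exited bool) {
	ctx, cancel := context.WithCancel(ctx)
	defer cancel()
	out, done := FanOut(ctx, items)
	for i := 0; i < n; i++ {
		got = append(got, <-out)
	}
	cancel()
	select {
	case <-done:
		return got, true
	case <-time.After(time.Second):
		return got, false
	}
}

// LeakDemo abandons a LeakyFanOut after one result and returns how many goroutines that
// left behind: at least one, the producer blocked forever on its second send.
func LeakDemo() int {
	time.Sleep(20 * time.Millisecond) // let goroutines from earlier work finish exiting
	before := runtime.NumGoroutine()
	<-LeakyFanOut([]string{"a", "b", "c"})
	time.Sleep(50 * time.Millisecond) // let the producer reach its blocked send
	return runtime.NumGoroutine() - before
}

func main() {
	ctx := WithRequest(context.Background(), "req-7f3a", "user-123") // constructed identifiers
	got, exited := ConsumeSome(ctx, []string{"a", "b", "c", "d"}, 2)
	line, _ := LogLine(ctx, "info", fmt.Sprintf("fan-out cancelled: got=%v exited=%v", got, exited), time.Now())
	fmt.Println(line)
	fmt.Println("goroutines leaked by LeakyFanOut:", LeakDemo())
}
```

`LeakDemo` makes the leak measurable: after the consumer walks away, the producer in `LeakyFanOut` is parked on a send forever and `runtime.NumGoroutine` stays one higher, which is exactly what the "zero tolerance" memory-leak budget in 5.3 is about. The compliant `FanOut` exits within microseconds of `cancel()`, and the `done` channel is what a test asserts on; that is how the "termination mechanism" rule becomes something the >= 80% coverage requirement can verify rather than a review-time opinion.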
---

## 11. GO/NO-GO v1.0 CRITERIA

### Security

- [ ] JWT RS256 in production
- [ ] No secret in the git repository
- [ ] Pentest validated (0 open critical/high findings; 3 highs are still open per section 3.3)
- [ ] GDPR: export and deletion functional

### Stability

- [ ] Uptime >= 99.9% (last 30 days)
- [ ] 5xx error rate < 0.1%
- [ ] No unresolved P0 incident

### Performance

- [ ] API p95 < 100ms
- [ ] Lighthouse Performance >= 85 (section 5.2 targets >= 90)
- [ ] Lighthouse Accessibility >= 90 (section 5.2 targets >= 95)
- [ ] Lighthouse PWA >= 90 (Lighthouse dropped its PWA category in version 12, so this criterion needs a replacement measure)

### Quality

- [ ] Test coverage >= 70% (Go + Rust)
- [ ] 0 linting errors
- [ ] CI/CD green for 2 weeks

### Ethics

- [ ] Anti-dark-pattern UX audit validated
- [ ] No behavioral data resold
- [ ] Discovery algorithm documented and auditable
- [ ] Privacy policy GDPR-compliant

### Business

- [ ] Payment flow E2E-tested in production
- [ ] Creator payout flow tested
- [ ] Support reachable

---

*End of the Phase 2 specifications synthesis*