senke/veza
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 3
veza/docs/PROJECT_STATE.md
senke 2ea5a60dea
Some checks failed
Veza CI / Rust (Stream Server) (push) Successful in 20m54s
Details
E2E Playwright / e2e (full) (push) Failing after 21m0s
Details
Security Scan / Secret Scanning (gitleaks) (push) Successful in 56s
Details
Veza CI / Backend (Go) (push) Failing after 24m45s
Details
Veza CI / Frontend (Web) (push) Successful in 34m57s
Details
Veza CI / Notify on failure (push) Successful in 5s
Details
docs: update PROJECT_STATE + FEATURE_STATUS post-v1.0.8 
Both files were dated v1.0.4 (2026-04-15) — three releases out of
date. Surgical updates rather than a rewrite, since the underlying
feature inventory is mostly unchanged.

PROJECT_STATE.md
- §1 "Version actuelle" : tag v1.0.4 → v1.0.8 (2026-04-26). Phase
  description + next-version hint refreshed (v1.0.9 with item G +
  WebRTC TURN as cibles).
- §2 "Ce qui est livré" : prepended v1.0.8, v1.0.7, v1.0.5–v1.0.6.2
  consolidated entries (with batch labels A/B/B9/C and the
  money-movement plan items A–F). The v0.x sections kept verbatim
  for archive — they document phases that pre-date the launch.
- §3 "Prochaines étapes" : replaced the v0.701 retry/dashboard plan
  (long since shipped) with the v1.0.9 candidate list, ordered by
  effort × impact. Item G subscription pending_payment + WebRTC TURN
  are the two cibles. C6 flake stab + wrappers consolidation +
  multipart S3 + register UX + email tokens header migration listed
  alongside.

FEATURE_STATUS.md
- Header date refreshed to 2026-04-26 / v1.0.8 with the chantier
  summary.
- "Upload de tracks" row : added the v1.0.8 MinIO/S3 wiring detail
  (TRACK_STORAGE_BACKEND flag, chunked upload assembly, signed-URL
  redirect 302).
- "HLS Streaming" feature-flag row : flipped default from `true`
  (v0.101 era) to `false` (v1.0.7 default) — referencing the
  fallback /tracks/:id/stream Range cache bypass landed in
  v1.0.7-rc1 commit `b875efcff`.
- "Appels WebRTC" limitation row : note refreshed — signaling OK,
  NAT traversal still HS without STUN/TURN per FUNCTIONAL_AUDIT 🟡 #1,
  cible bumped from v1.1 to v1.0.9 (matches the v1.0.9 plan above).

The v0.x section in PROJECT_STATE.md (Phases 1–5) intentionally left
as-is — it serves as historical record of what shipped before
launch. Future agents reading the file should focus on §1, §2 v1.0.x,
and §3 for current state.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-26 01:56:44 +02:00

21 KiB
Raw Permalink Blame History

État du projet Veza — Avril 2026

Document opérationnel : Où en sommes-nous, quelles sont les prochaines étapes.

1. Version actuelle

Élément Valeur
Dernier tag v1.0.8 (2026-04-26)
Branche courante main
Phase Phase 9+ — v1.0 Launch — Stabilisation continue
Prochaine version v1.0.9 (Item G subscription + WebRTC TURN/STUN cibles)

v1.0.8 (2026-04-26) — Quatre chantiers parallèles :

  • Batch A : MinIO/S3 wired bout-en-bout (upload + read + transcode), ferme le 🟡 stockage local de FUNCTIONAL_AUDIT.
  • Batch B : migration OpenAPI orval — 4 services migrés (dashboard / profile / playlist / track) + authService 9/9 (incluant register / refresh / password / verify migrés post-tag dans une session dédiée d'annotation queue + auth password).
  • Batch B9 : suppression de @openapitools/openapi-generator-cli — orval = source unique. 198 fichiers / 23k LOC legacy.
  • Batch C : workflow Playwright E2E sur Forgejo Actions (@critical PR / full push+nightly), --ci seed flag (~5s vs ~60s), runbook docs/CI_E2E.md.

v1.0.7 (2026-04-23) — Release post-BFG : .git 2.3 GB → 66 MB, transactions marketplace b5281bec, UserRateLimiter wired ebf3276d, certs/clés rotatées hors git.

v1.0.4 (2026-04-15) — Release cleanup post-audit AUDIT_REPORT v1 (~220 MB débris retirés, docs alignées sur la réalité, RGPD HIGH-007 fermé, CI consolidée).

Détail commit-par-commit : CHANGELOG.md. Audits source : AUDIT_REPORT.md v3 + FUNCTIONAL_AUDIT.md v2 à la racine.

2. Ce qui est livré

v1.0.8 (2026-04-26 — Storage / OpenAPI / E2E CI)

  • Batch A — MinIO/S3 : tracks.storage_backend column, S3StorageService.UploadStream + GetSignedURL, TrackService.UploadTrack wired S3, chunked upload assembly to S3, signed URL redirect 302 stream/download, transcoder lit signed HTTPS URL, cmd/migrate_storage CLI bulk local→S3.
  • Batch B — OpenAPI orval migration : install orval@^7 + Axios mutator, swaggo annotations sur 50+ endpoints (track / playlist / user / queue / password). 5 services migrés : dashboardService, profileService, playlistService, trackService, authService (9/9 fonctions, dont les renames wire-shape password_confirmpassword_confirmation, refreshTokenrefresh_token, verifyEmail GET→POST). services/api/queue.ts migré.
  • Batch B9 : suppression @openapitools/openapi-generator-cli + apps/web/src/types/generated/ (198 fichiers / 23k LOC). orval = source unique. Pre-commit drift guard simplifié.
  • Batch C — E2E Playwright CI : .github/workflows/e2e.yml (@critical PR / full push+nightly), --ci seed flag (cmd/tools/seed --ci, ~5s vs ~60s), playwright.config.ts reuseExistingServer: !CI, runbook docs/CI_E2E.md.
  • Cleanup : fast-check install (déblo­que pre-commit hermétique), CLAUDE.md stack table à jour, frontend-ci.yml fold dans ci.yml.

v1.0.7 (2026-04-23 — BFG history rewrite + hardening)

  • BFG pass : .git 2.3 GB → 66 MB (97%). Stripped : binaires Go, kubectl vendoré (60 MB), audio uploads, 48 PNG racine, .playwright-mcp/, .env*, certs TLS, builds Incus.
  • Hardening backend : core/marketplace/service.go UpdateProductImages + SetProductLicenses wrappés en transaction GORM (commit b5281bec). UserRateLimiter wired dans AuthMiddleware.RequireAuth() (commit ebf3276d).
  • docs/ENV_VARIABLES.md : réécriture complète (172 → ~600 lignes), ~180 env vars surveyées du code.
  • Orphelins : internal/api/handlers/{chat,rbac,rbac_test}.go, internal/repository/user_repository.go, proto/chat/chat.proto, veza-common/src/types/{chat,websocket}.rs. 19 workflows .disabled archivés.
  • MinIO + mc pinned aux tags datés (RELEASE.2025-09-07*).

v1.0.5 / v1.0.6 / v1.0.6.1 / v1.0.6.2 (mars-avril 2026)

Money-movement hardening — items A à F du plan v1.0.7 livrés en cascade (idempotency keys Hyperswitch, persist stripe_transfer_id, async Stripe Connect reversal worker, reconciliation sweep, webhook raw audit log, ledger-health Prometheus gauges + 3 alertes Alertmanager). Détail dans CHANGELOG.md. Item G (subscription pending_payment) deferred v1.0.9.

v0.103 (Phase 1 Fondation)

  • Auth : OAuth Spotify (A1), Sessions enrichies (A4)
  • Profils : Bannière (B1), Liens sociaux (B2), Profil privé (B3)
  • ⏸️ 2FA SMS, Passkeys → reportés v0.104

v0.201 (Phase 2 Contenu — Lot E)

  • Lot E — Métadonnées : BPM, musical_key, lyrics, tags (E1E4)
  • Migrations : 084 track_lyrics, 085 tracks.tags

v0.202 (Phase 2 Contenu — Lots G, H, F, C, D)

  • Lot G : Recherche avancée (musical_key, tri pertinence, autocomplete, facettes type, historique)
  • Lot H : Analytics créateur (stats, graphiques, taux complétion, export CSV/JSON)
  • Lot F : Seller dashboard (GET /sell/stats, liste produits marketplace)
  • Lot C : Player (crossfade, gapless preload, PiP)
  • Lot D : Autoplay (GET /tracks/recommendations, section « À écouter ensuite »)

v0.203 (Phase 2 Contenu — Lots L, K, D1)

  • Lot L : Social Trending (GET /social/trending, cache Redis, SocialViewTrending connecté)
  • Lot K : Recherche enrichie (pg_trgm fuzzy, AND/OR/NOT/"phrase exacte", tooltip aide)
  • Lot D1 : Queue collaborative (sessions partagées, bouton Partager, polling sync)

v0.301 (Phase 3 Social — Lots P0, C1, P1, S1)

  • Lot P0 : Chat Server typing protocol, auth WebSocket doc
  • Lot C1 : Typing indicators, read receipts, delivered status
  • Lot P1 : Présence (migration 088, GET /users/:id/presence, PresenceBadge)
  • Lot S1 : Social enrichi (feed API, actor/track enrichi, pagination, explore, filtres)

v0.302 (Phase 3 Social — Lots S2, N1, P2)

  • Lot S2 : Groupes avancés (request join, invite, rôles, feed groupes, mes groupes)
  • Lot N1 : Notifications push Web (subscription, envoi sur événement, préférences, badge)
  • Lot P2 : Présence enrichie (rich presence track, mode invisible, PUT /users/me/presence)

v0.303 (Phase 3 Social — Lot C2)

  • Lot C2 : Chat appels WebRTC 1-to-1 (signalisation, CallButton, IncomingCallModal, ActiveCallBar)

v0.401 (Phase 4 Commerce — Lots M1, M2, M3)

  • Lot M1 : Produits & Catalogue (BPM, musical_key, category, previews, images, filtres, rich text)
  • Lot M2 : Licences & Droits (product_licenses, GET /licenses/mine, LicenceCard, LicensesView)
  • Lot M3 : Seller dashboard enrichi (evolution chart, top products, real sales)

v0.402 (Phase 4 Commerce — Lots P1, P2)

  • Lot P1 : Checkout Hyperswitch production-ready (return URL order_id, CheckoutSuccessView/ErrorView, webhook cancelled, CheckoutPaymentForm)
  • Lot P2 : Codes promo (promo_codes, ValidatePromoCode, GET /commerce/promo/:code, PromoCodeModal connecté, OrderSummary dans Cart)

v0.404 (Phase 4bis Stabilisation — post-audit)

  • Sécurité : JWT stream token endpoint, SSRF protection webhooks (HTTPS-only), IDOR fix GetUploadStatus, Hyperswitch webhook secret requis en prod, password reset tokens hashés (SHA-256), docker-compose.hybrid supprimé, secrets CI → GitHub Secrets
  • Infra : Rate limiting Redis, alerting Prometheus, PostgreSQL 16 aligné, compose staging complet, CodeQL SAST, Rust CI avec clippy
  • Qualité : 40 fmt.Printf → zap, ~45 any éliminés frontend, TypeScript 5.9.3 unifié, code mort supprimé (~1600 LOC), gorilla/websocket → coder/websocket

v0.501 (Phase 5 Streaming & Cloud — Lots S1, C1, G1)

  • Lot S1 — HLS production : transcoding adaptatif 3 tiers (128k, 256k, 320k), ABR hls.js, cache segments CDN, monitoring Prometheus (4 compteurs), waveform generation (FFmpeg + audiowaveform), WaveformDisplay SVG interactif, useHLSPlayer hook
  • Lot C1 — Cloud Storage MVP : gestion dossiers/fichiers, upload drag-and-drop avec quota 5GB, prévisualisation audio inline, publication cloud → track
  • Lot G1 — Gear avancé : profils publics (is_public toggle, GearShowcase), galerie images multi-photo avec carousel, recherche ILIKE avec SearchBar
  • Infra : MinIO S3-compatible (dev, staging, prod), 6 migrations (103108)
  • Sécurité : Trivy container scanning CI

v0.803 (Phase 8 — Sécurité, Compliance & Outillage Dev)

  • Security headers (CSP, HSTS, X-Frame-Options, etc.)
  • DDoS rate limiting: global 1000 req/s, per-IP 100 req/s
  • Audit middleware HTTP (POST/PUT/DELETE auto-log), GET /admin/audit/logs
  • CCPA Sec-GPC, opt-out endpoint
  • Account deletion hardening (anonymisation, S3, sessions)
  • Moderation queue (reports CRUD, actions dismiss/warn/ban)
  • Maintenance mode, announcements, feature flags
  • AdminSettingsView (onglet SETTINGS) : maintenance, feature flags, annonces
  • Maintenance mode (503, admin toggle)
  • Announcements CRUD, GET /announcements/active
  • Feature flags DB persistence
  • AdminSettingsView, AdminModerationView, AnnouncementBanner connectés

v0.802 (Phase 8 — Cloud avancé, Gear, Tags)

  • Cloud : versioning, sharing, GDPR export, backup cron
  • Gear : documents CRUD, repairs CRUD, warranty notifier
  • Tags : GET /tags/suggest, audio/aiff
  • Frontend : CloudFileVersions, CloudShareModal, GearDocumentsTab, GearRepairsTab

v0.702 (Phase 7 — Reviews, Factures, Remboursements & Product Detail)

  • Route /marketplace/products/:id avec ProductDetailPage (lazy)
  • MSW handlers : reviews (GET/POST), invoice download
  • Tests unitaires : reviews (6), invoices (4), refunds (6)
  • API_REFERENCE.md : sections Reviews, Invoices, Refunds

v0.801 (Phase 8 — UX/UI Polish, Accessibilité & PWA)

  • User preferences: migration 118, PUT /users/me/preferences (contrast, density, accentHue, fontSize)
  • Thèmes avancés: high contrast, compact/comfortable density, accent color, font size 1420px
  • Accessibilité: ARIA labels, aria-haspopup menu, focus-visible ring, useReducedMotion
  • PWA: service worker re-enabled (safe caching), Install App in Settings
  • Background playback: useWakeLock for mobile

v0.703 (Phase 7 — Go Live & Streaming Complet)

  • Go Live : page /live/go-live, stream key, OBS instructions
  • Endpoints : GET/POST /live/streams/me/key, GET /live/streams/me, PUT /live/streams/:id
  • Live Chat WebSocket : LiveViewChat connecté, stream_id comme room
  • Viewer count temps réel : polling dans LiveViewPlayer
  • Media Session : seekbackward/seekforward (10s)

v0.701 (Phase 7 — Retry, Admin Dashboard, Deep Health)

  • Transfer Retry Worker : retry automatique des transferts failed (backoff exponentiel, max 3)
  • Migration 116 : retry_count, next_retry_at sur seller_transfers
  • GET /admin/transfers, POST /admin/transfers/:id/retry
  • AdminTransfersView : tableau admin avec filtres, pagination, bouton Retry
  • GET /health/deep : DB, Redis, S3, disk, config summary
  • docs/API_REFERENCE.md

v0.603 (Phase 6+ Transfer automatique, Commission & Stabilisation)

  • T1 : Transfer automatique Stripe Connect après paiement réussi (webhook Hyperswitch)
  • Commission plateforme configurable (PLATFORM_FEE_RATE, défaut 10 %)
  • Migration 115 seller_transfers, modèle SellerTransfer, GET /sell/transfers
  • Carte Transfer History dans SellerDashboard
  • Tests unitaires : transfer success, multi-seller, transfer-fails
  • Archivage docs pre-v0.501

v0.602 (Phase 6+ Payout, Dette Technique & Tests E2E)

  • CLN2 : Split interceptors auth.ts, error.ts, facade < 30 LOC
  • P3 : Stripe Connect payout (onboarding, balance, seller_stripe_accounts)
  • INF2 : Grafana dashboards enrichis (p50, top endpoints, 4xx, WS connections, messages/s, orders, refunds, payout)
  • QA2 : E2E commerce backend (product -> order -> review -> invoice), SMOKE_TEST_V0602.md

v0.601 (Phase 6 — Production Readiness & Commerce)

  • INF1 : Blue-green HAProxy, Grafana dashboards (API, Chat, Commerce), Alertmanager, Hyperswitch LIVE_MODE
  • AUTH1 : OAuth Discord, OAuth Spotify opérationnels
  • CLN1 : handler.go split en 4 sous-handlers, interceptors.ts en modules (utils, request, response)
  • QA1 : Tests OAuth, MIGRATIONS.md, audit console.log

v0.503 (Phase 5 — HLS E2E + Chat Hardening + Cleanup)

  • SS1 : HLS Streaming E2E (backend serving routes, frontend ABR player)
  • CH1 : Redis rate limiter (sliding window + in-memory fallback), présence persistante Redis (2min TTL), PostgreSQL full-text search (tsvector + GIN index)
  • CL1 : veza-chat-server directory supprimé, références CI/CD/config/scripts nettoyées
  • QA1 : 23 Go tests passing, documentation

v0.502 (Phase 5 Communication — Chat Server Rewrite)

  • Chat Server Rust → Go : WebSocket intégré dans veza-backend-api (/api/v1/ws)
  • Hub/Client avec goroutines readPump/writePump, 30s ping keepalive
  • 18 types messages entrants, 20 types sortants (protocole identique au Rust)
  • Handlers : SendMessage, EditMessage, DeleteMessage, JoinConversation, LeaveConversation, FetchHistory, SearchMessages, SyncMessages, Typing, MarkAsRead, Delivered, AddReaction, RemoveReaction, WebRTC signaling (5 types)
  • PermissionService (room_members), RateLimiter (per-user per-action)
  • ChatPubSubService (Redis PubSub + fallback in-memory)
  • 4 nouvelles migrations (109112), 3 modèles GORM, 4 repositories enrichis
  • Docker : suppression chat-server Rust de docker-compose.yml, staging.yml, prod.yml
  • Frontend : dérivation WS_URL depuis API_URL, types TS mis à jour, MSW mis à jour
  • 15 tests unitaires Go, E2E tests intégration, CHAT_FEATURE_PARITY.md (25/25 OK)

3. Prochaines étapes

Cible v1.0.9

Triés par effort × impact :

  • Item G subscription pending_payment (M, 3j) — docs/audit-2026-04/v107-plan.md §G. State machine + recovery endpoint + tests + E2E @critical. Le hotfix v1.0.6.2 compense via filter ; G replace le creation path. TODO marqué dans subscription/service.go.
  • WebRTC STUN/TURN (M, 1-2j) — FUNCTIONAL_AUDIT 🟡 #1. Coturn (Incus container ?), env vars, UI fallback si NAT échoue. Le seul 🟡 fonctionnel encore ouvert.
  • Email tokens query→header (S, 0.5j) — FUNCTIONAL_AUDIT §4 #7. Sécu (anti-leak Referer/logs). Coupler avec migration verifyEmail POST déjà landée v1.0.8.
  • Register UX (S, 0.5j) — FUNCTIONAL_AUDIT §4 #8. JWT émis avant l'email send → 403 immédiat tant que non-vérifié. Friction UX.
  • Multipart S3 chunked upload natif (M, 1-2j) — plan v1.0.8 D4 deferred. Aujourd'hui : assemble local puis single-shot stream 500 MB. Risque OOM en pic de concurrence.
  • Consolider services/api/*.ts wrappers (M, 1j) — auth/users/tracks/playlists/search/social. Parallèles aux feature services ; rewire ~30 importers vers feature-direct.
  • C6 E2E flake stab (S, 0.5j) — après le 1er run E2E vert, identifier les vrais flakes en CI vs ceux observés en dev.

Plus tard (deferred v1.1+)

  • Consolidation dual-trigger transcode gRPC + RabbitMQ (FUNCTIONAL §2 parcours 2 #5).
  • Études OOM stockage si scale x10.
  • Backfill seller_transfers.stripe_transfer_id pour les rows pré-v1.0.7 (CHANGELOG ops task #38).
  • Sandbox Hyperswitch → prod réel (mode live).

4. Sécurité

Métrique Avant v0.404 Après v0.404
Score sécurité 5/10 7/10

Améliorations v0.404 :

  • JWT stream token endpoint (POST /auth/stream-token) pour auth HLS/WebSocket
  • SSRF protection sur webhooks (HTTPS-only, whitelist schéma)
  • IDOR corrigé dans GetUploadStatus (ownership check)
  • Hyperswitch webhook secret requis en production (HMAC)
  • Password reset tokens hashés (SHA-256)
  • Docker hybrid compose supprimé
  • Credentials CI migrés vers GitHub Secrets

5. Infrastructure

Élément État v0.404
Rate limiting Redis Disponible
Alerting Prometheus Règles ajoutées
PostgreSQL Aligné v16
Compose staging Complet (chat, stream, reverse proxy)
CodeQL SAST Ajouté
Rust CI (clippy) Ajouté

6. Qualité du code

Métrique v0.404
fmt.Printf → zap 40 remplacements
any TypeScript éliminés ~45
TypeScript unifié 5.9.3
Code mort supprimé ~1600 LOC
gorilla/websocket Remplacé par coder/websocket

7. Références rapides

Document Usage
PLAN_V0_301_FINALISATION.md Plan de finalisation v0.301
V0_401_RELEASE_SCOPE.md Scope v0.401 (Phase 4 Commerce)
V0_402_RELEASE_SCOPE.md Scope v0.402 (checkout & codes promo)
V0_303_RELEASE_SCOPE.md Scope v0.303 (Chat appels WebRTC 1-to-1)
PLAN_V0_401_IMPLEMENTATION.md Plan d'implémentation v0.401
PLAN_V0_402_IMPLEMENTATION.md Plan d'implémentation v0.402
V0_404_RELEASE_SCOPE.md Scope v0.404 (stabilisation post-audit)
V0_501_RELEASE_SCOPE.md Scope v0.501 (Streaming & Cloud, archivé)
V0_502_RELEASE_SCOPE.md Scope v0.502 (Chat Server Rewrite, archivé)
V0_503_RELEASE_SCOPE.md Scope v0.503 (archivé)
V0_601_RELEASE_SCOPE.md Scope v0.601 (archivé)
V0_602_RELEASE_SCOPE.md Scope v0.602 (archivé)
PLAN_V0_601_IMPLEMENTATION.md Plan d'implémentation v0.601
PLAN_V0_602_IMPLEMENTATION.md Plan d'implémentation v0.602
V0_603_RELEASE_SCOPE.md Scope v0.603 (Transfer auto, Commission, Stabilisation)
PLAN_V0_603_IMPLEMENTATION.md Plan d'implémentation v0.603
CHAT_FEATURE_PARITY.md Feature parity Rust vs Go (25/25 OK)
V0_301_RELEASE_SCOPE.md Scope détaillé v0.301 (Phase 3 Social)
V0_203_RELEASE_SCOPE.md Scope v0.203 (archivé)
SCOPE_CONTROL.md Anti-scope-creep, workflow
FEATURE_STATUS.md Statut des features par domaine
CHANGELOG.md Historique des versions

8. Stack technique

Composant État
Backend Go Opérationnel
Frontend React (Vite) Opérationnel
Chat Go (intégré backend) Opérationnel (v0.502)
Stream Server Rust Compile — HLS en intégration (v0.503)
PostgreSQL
Redis

9. Indicateurs

Métrique Valeur
Features livrées (cumul) ~353 / 600
Features E2E fonctionnelles 22
Score maturité produit 5/10
Module Streaming 55%
Module Cloud 30%
Module Gear 60%