senke/veza
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
veza/veza-docs/audit/AUDIT_01_INVENTAIRE.md
senke 0e4117f028 docs: integrate audit roadmap into VEZA_VERSIONS_ROADMAP — v0.12.6.1 DONE, 14 versions added 
- Mark v0.12.6.1 (pentest remediation 30/30) as DONE
- Add 14 new versions from audit: v0.12.6.2→v1.0.0-rc1
- Update tracking table with priorities P0→P3
- Update v0.12.6 checkboxes (all findings now resolved)
- Add Phase P7 (Conformité) and Validation phases
- Update AUDIT_05_ROADMAP_v1.0.md to reflect completed remediation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-12 06:34:52 +01:00

18 KiB
Raw Permalink Blame History

AUDIT_01_INVENTAIRE.md -- Inventaire Complet du Code Existant

Date : 2026-03-11 Auditeur : Claude Opus 4.6 (audit automatise du code source)

1. VUE D'ENSEMBLE DU MONOREPO

Composant Technologie Fichiers source Fichiers test Migrations SQL
Backend API Go 1.24 + Gin 867 .go 328 _test.go 134 .sql
Frontend Web React + TypeScript + Vite 1,927 .ts/.tsx ~574 test+stories -
Stream Server Rust 131 .rs ~25 avec #[test] -
Design System TypeScript 1 (minimal) - -
Total 2,926 source ~927 test 134

Structure racine

veza/
+-- apps/web/                    # Frontend React + TypeScript + Vite
+-- packages/design-system/      # Design system SUMI (minimal)
+-- veza-backend-api/            # Go API (Gin, PostgreSQL, Redis, RabbitMQ)
+-- veza-stream-server/          # Rust stream server (audio HLS)
+-- veza-common/                 # Shared utilities (Rust + Go)
+-- veza-docs/ORIGIN/            # Specifications (READ-ONLY)
+-- docker/                      # Dockerfiles
+-- infra/                       # Infrastructure configs
+-- k8s/                         # Kubernetes manifests
+-- scripts/                     # Utility scripts
+-- tests/                       # E2E tests (Playwright)
+-- loadtests/                   # k6 load tests
+-- proto/                       # gRPC protobuf definitions
+-- .github/workflows/           # CI/CD pipelines (10 workflows)
+-- make/                        # Makefile includes
+-- config/                      # Shared configs

2. BACKEND API (Go)

2.1 Architecture

veza-backend-api/
+-- cmd/server/              # Entry point
+-- internal/
|   +-- api/                 # Route registration (30+ route files)
|   +-- core/                # Domain modules (auth, track, feed, discover, analytics, moderation, etc.)
|   +-- handlers/            # HTTP handlers (~100 handler files)
|   +-- middleware/           # Middlewares (~40 files)
|   +-- models/              # Data models (~40 files)
|   +-- services/            # Business logic (~130 service files)
|   +-- config/              # Configuration
|   +-- database/            # DB connection
|   +-- elasticsearch/       # Search service
|   +-- websocket/chat/      # WebSocket handlers
|   +-- testutils/           # Test utilities
+-- pkg/apierror/            # Standardized error package
+-- migrations/              # SQL migrations (134 files)
+-- tests/                   # Integration tests

2.2 Route Files (Endpoints)

Route File Domain Key Endpoints
routes_auth.go Authentication register, login, logout, refresh, verify-email, forgot-password, reset-password, 2FA
routes_users.go Users CRUD, profile, avatar, settings, sessions, privacy
routes_tracks.go Tracks CRUD, upload, stream, waveform, HLS, lyrics, stems
routes_playlists.go Playlists CRUD, collaboration, export, import, share
routes_social.go Social follow/unfollow, block, groups, reposts, likes
routes_feed.go Feed Chronological feed, suggestions
routes_search.go Search Fulltext, autocomplete, unified search
routes_discover.go Discovery Genre browse, tag browse, trending (ethical)
routes_tag.go Tags CRUD tags, genres
routes_marketplace.go Marketplace Products, orders, checkout, downloads, reviews, promo codes
routes_subscription.go Subscriptions Plans, upgrade, downgrade, cancel
routes_analytics.go Analytics Creator analytics, heatmap, comparison, audience
routes_moderation.go Moderation Reports, moderation queue, strikes, spam detection
routes_admin_platform.go Admin Platform metrics, user management, content, payments
routes_live.go Livestream Start/stop, RTMP callbacks, HLS live
routes_co_listening.go Co-listening WebSocket sessions, sync
routes_distribution.go Distribution Submit to platforms, track status, royalties
routes_education.go Education Courses, modules, lessons, certificates, video
routes_gear.go Gear/Equipment Inventory CRUD, warranty, documents
routes_cloud.go Cloud storage File sync, backup, sharing
routes_queue.go Queue Playback queue management
routes_developer.go Developer API API keys, rate limits
routes_webhooks.go Webhooks Payment webhooks (Hyperswitch)
routes_core.go Core Health, metrics, feature flags, config

2.3 Key Handlers (sample)

  • Auth: auth.go, oauth_handlers.go, two_factor_handler.go, password_reset_handler.go
  • User: profile_handler.go, avatar_handler.go, settings_handler.go, privacy_handler.go
  • Track: track_crud_handler.go, track_upload_handler.go, track_hls_handler.go, track_social_handler.go, track_search_handler.go, track_waveform_handler.go, track_analytics_handler.go, track_stem_handler.go
  • Chat: chat_handler.go, chat_websocket_handler.go, chat_reaction_handler.go, chat_search_handler.go, chat_attachment_handler.go
  • Marketplace: marketplace_handler.go, sell_handler.go, payout_handler.go
  • Analytics: creator_handler.go, advanced_handler.go, playback_analytics_handler.go
  • Admin: admin/handler.go, admin_transfer_handler.go, announcement_handler.go
  • Moderation: moderation/handler.go, report_handler.go
  • Notifications: notification_handlers.go
  • Live: live_stream_handler.go, live_stream_callback.go
  • Education: education_handler.go, distribution_handler.go
  • GDPR: gdpr_export_handler.go, account_deletion_handler.go
  • Other: gear_handler.go, cloud_handler.go, co_listening_handler.go, queue_handler.go, social_group_handler.go, presence_handler.go

2.4 Services (130+ files)

Major services include:

  • Core: jwt_service.go, user_service.go, session_service.go, password_service.go, email_service.go, email_verification_service.go, oauth_service.go, totp_service.go, rbac_service.go, permission_service.go
  • Track: track_upload_service.go, track_validation_service.go, track_search_service.go, track_like_service.go, track_repost_service.go, track_share_service.go, track_stem_service.go, track_history_service.go, track_recommendation_service.go, track_export_service.go, track_version_service.go
  • Audio: hls_service.go, hls_transcode_service.go, hls_streaming_service_enhanced.go, hls_playlist_generator.go, hls_cleanup_service.go, audio_transcode_service.go, bitrate_adaptation_service.go, bandwidth_detection_service.go, buffer_monitor_service.go, waveform_service.go, stream_service.go, video_transcode_service.go
  • Playlist: playlist_service.go, playlist_analytics_service.go, playlist_follow_service.go, playlist_share_service.go, playlist_duplicate_service.go, playlist_version_service.go, playlist_recommendation_service.go, playlist_notification_service.go
  • Chat: chat_service.go, chat_pubsub.go, co_listening_service.go
  • Social: social_service.go, comment_service.go, comment_moderation_service.go
  • Analytics: analytics_service.go, creator_analytics_service.go, advanced_analytics_service.go, analytics_aggregation_service.go, playback_analytics_service.go, playback_heatmap_service.go, playback_comparison_service.go, playback_export_service.go, playback_filter_service.go, playback_segmentation_service.go, playback_alerts_service.go, playback_retention_service.go
  • Marketplace: core/marketplace/service.go, royalty_service.go, stripe_connect_service.go, track_download_license.go
  • Distribution: core/distribution/service.go
  • Education: core/education/service.go
  • Subscription: core/subscription/service.go
  • Moderation: moderation_service.go
  • Notifications: notification_service.go, notification_service_enhanced.go, notification_digest_worker.go, push_service.go
  • Storage: s3_storage_service.go, image_service.go, image_service_enhanced.go, cdn_service.go, cloud_service.go, cloud_backup.go, backup_service.go
  • Infrastructure: cache_service.go, circuit_breaker.go, monitoring_alerting_service.go, job_service.go, webhook_service.go, feature_flag_service.go, crypto_service.go, token_blacklist.go, refresh_token_service.go
  • GDPR: data_export_service.go, gdpr_export.go
  • Payments: hyperswitch/client.go, hyperswitch/provider.go, hyperswitch/webhook.go
  • Gear: gear_service.go, gear_document_service.go, gear_warranty_notifier.go

2.5 Middleware (40+ files)

  • Security: auth.go, rbac_middleware.go, security_headers.go, csrf.go, cors.go, metrics_protection.go, stream_callback_auth.go, webhook_api_key.go
  • Rate limiting: rate_limiter.go, ratelimit.go, ratelimit_redis.go, endpoint_limiter.go, user_rate_limiter.go
  • Observability: request_logger.go, request_id.go, tracing.go, metrics.go, monitoring.go, audit.go
  • Resilience: recovery.go, sentry_recover.go, timeout.go, error_handler.go, maintenance.go
  • Other: cache_headers.go, response_cache.go, context_propagation.go, validation.go, versioning.go, playlist_permission.go, ccpa.go

2.6 Migrations SQL (134 files)

Range: 000_mark_consolidated.sql to 960_performance_indexes_v0124.sql

Key migration groups:

  • 000-050: Core schema (auth, users, sessions, files, streaming, analytics, follows, notifications, search indexes)
  • 051-095: Chat, stats, audit, jobs, groups, social, webhooks, gear, live streams, payments, API keys, playlists
  • 096-134: Products, marketplace, seller balances, promo codes, chat reactions, mentions, search, threads, attachments, invitations, data exports, collaborative rooms, editorial playlists, quiet hours, notification grouping, digest prefs
  • 900-960: Triggers, audit logs, performance indexes, foreign keys, deletion fields, reports, announcements, feature flags, OAuth, co-listening, stems, creator analytics, advanced analytics, moderation, marketplace, subscriptions, distribution, education, performance indexes v0.12.4

2.7 Dependencies (Go)

Key dependencies: gin-gonic/gin, golang-jwt/jwt/v5, lib/pq (PostgreSQL), redis/go-redis/v9, aws-sdk-go-v2 (S3/MinIO), rabbitmq/amqp091-go, prometheus/client_golang, getsentry/sentry-go, go-playground/validator/v10, pquerna/otp (TOTP), SherClockHolmes/webpush-go, coder/websocket, dhowden/tag (audio metadata), disintegration/imaging, go-pdf/fpdf, DATA-DOG/go-sqlmock, fsnotify/fsnotify

3. FRONTEND WEB (React + TypeScript)

3.1 Architecture

apps/web/
+-- src/
|   +-- app/                 # App entry point
|   +-- components/          # Shared UI components (30+ dirs)
|   +-- features/            # Feature modules (35 modules)
|   +-- hooks/               # Global custom hooks
|   +-- services/api/        # API client + interceptors
|   +-- stores/              # State management (Zustand)
|   +-- router/              # Route definitions
|   +-- schemas/             # Zod validation schemas
|   +-- types/               # TypeScript types + generated OpenAPI types
|   +-- locales/             # i18n translations
|   +-- mocks/               # MSW mocks
|   +-- providers/           # Context providers
|   +-- styles/              # Global styles
|   +-- stories/             # Storybook stories
|   +-- lib/                 # Utility libraries
|   +-- utils/               # Utility functions
|   +-- config/              # Frontend config
|   +-- context/             # React contexts (audio-context)
|   +-- test/                # Test setup

3.2 Feature Modules (35)

Module Description Has Pages Has Tests
admin Admin dashboard, moderation, platform Yes -
analytics Creator analytics views Yes Yes
auth Login, register, sessions, 2FA, OAuth Yes Yes
chat Chat rooms, DMs, reactions, search Yes Yes
checkout Cart, checkout flow Yes -
cloud Cloud storage management Yes -
dashboard User dashboard Yes -
developer API key management Yes -
discover Genre/tag browsing Yes -
distribution Platform distribution Yes -
education Course catalog, learning Yes -
error Error pages (404, 500) Yes -
feed Chronological feed Yes -
inventory Gear/equipment management Yes -
library Track library, playlists Yes -
live Livestream viewer/broadcaster Yes -
marketplace Product listing, buying Yes -
notifications Notification center, preferences Yes -
player Audio player, queue Yes Yes
playlists Playlist management, collaboration Yes Yes
presence Online status, rich presence - -
profile User profile view/edit Yes -
purchases Purchase history Yes -
roles Role management Yes -
search Fulltext search Yes -
seller Seller dashboard Yes -
sessions Active sessions management - -
settings User settings (account, security, data, etc.) Yes -
social Follow, groups Yes -
streaming Audio streaming hooks/services - -
subscription Plan management Yes -
tracks Track detail, upload Yes Yes
upload File upload - -
user User components - -

3.3 Shared Components

  • UI primitives: accordion, avatar-upload, content-transition, context-menu, data-list, date-picker, dialog, dropdown-menu, feature-highlight, file-upload, hover-card, lazy-component, optimized-image, select, tabs, tooltip, virtualized-list
  • Domain: admin, analytics, auth, base, charts, commerce, dashboard, data, demo, developer, feedback, filters, forms, inventory, keyboard, layout, library, live, marketplace, modals, monitoring, navigation, notifications, player, pwa, search, seller, settings, share, social, theme, upload, user

3.4 State Management

  • Zustand stores in src/stores/
  • Feature-specific stores in features/auth/store/, features/chat/store/, features/player/store/

3.5 Testing

  • Unit tests: Vitest
  • E2E tests: Playwright (multiple configs: standard, mocks, visual regression)
  • Visual regression: Playwright visual comparison
  • MSW for API mocking
  • 574 test + stories files

4. STREAM SERVER (Rust)

4.1 Architecture

veza-stream-server/
+-- src/
|   +-- main.rs
|   +-- lib.rs
|   +-- config/
|   +-- handlers/
|   +-- services/
|   +-- models/
|   +-- middleware/
|   +-- routes/
|   +-- audio/           # Audio processing (HLS, transcoding)
|   +-- storage/          # S3 integration
|   +-- monitoring/       # Metrics, health
+-- Cargo.toml
  • 131 Rust source files
  • 25 files with #[test] blocks
  • Handles: audio streaming, HLS segment serving, transcoding, S3 storage integration, metrics

5. INFRASTRUCTURE & DEVOPS

5.1 Docker

  • docker-compose.yml (production)
  • docker-compose.dev.yml (development: Postgres, Redis, RabbitMQ, ClamAV, MinIO)
  • docker-compose.staging.yml
  • docker-compose.prod.yml
  • docker-compose.test.yml
  • Dockerfiles in docker/

5.2 CI/CD (GitHub Actions - 10 workflows)

Workflow Description
ci.yml Main CI pipeline
backend-ci.yml Go tests, lint, build
frontend-ci.yml TypeScript checks, Vitest, ESLint
rust-ci.yml Cargo test, clippy, fmt
stream-ci.yml Stream server CI
cd.yml Continuous deployment
security-scan.yml Security scanning
sast.yml Static analysis
container-scan.yml Container vulnerability scan
load-test-nightly.yml Nightly k6 load tests
storybook-audit.yml Storybook validation

5.3 Kubernetes

  • Manifests in k8s/ directory

5.4 Makefile

  • Comprehensive Makefile with make/ includes (build.mk, tools.mk, etc.)
  • Key targets: dev, build, test, lint, doctor, infra-up-dev, migrate-up, etc.

5.5 Load Tests

  • k6 load test scripts in loadtests/

5.6 Monitoring

  • Prometheus metrics via Go middleware
  • Sentry error tracking integration

6. DOCUMENTATION

6.1 ORIGIN Specs (24 files)

Complete specification suite in veza-docs/ORIGIN/:

  • Architecture, features registry, API spec, security framework, business logic, UI/UX system
  • Code standards, testing strategy, performance targets, error patterns, error prevention guide
  • Quality metrics, feature validation, deployment guide, development phases
  • Database schema, technical stack, implementation tasks, revision summary

6.2 Existing Audit Reports

  • 103_audit_global_features_states.md
  • 103_RAPPORT_ETAT_FEATURES_2026_02_16.md
  • AUDIT_TECHNIQUE_2026-02-22.md
  • AUDIT_TECHNIQUE_VEZA_2026-03-04.md
  • ORIGIN_GAP_ANALYSIS_2026-03-04.md
  • PENTEST_REPORT_VEZA_v0.12.6.md
  • REMEDIATION_MATRIX_v0.12.6.md
  • ASVS_CHECKLIST_v0.12.6.md

6.3 Other docs

  • docs/adr/ - Architecture Decision Records
  • docs/ENV_VARIABLES.md
  • docs/SECRETS_AUDIT.md
  • CHANGELOG.md, CONTRIBUTING.md, README.md
  • VEZA_VERSIONS_ROADMAP.md - Version tracking (source of truth)

7. CODE HEALTH INDICATORS

Metric Value Notes
TODO/FIXME in backend+rust 2 Very clean
TODO/FIXME in frontend 43 Acceptable
Banned code traces (AI/ML/Web3/Gamification) 0 Clean
Go test files 328 (38% of Go files) Good coverage
Frontend test+stories files 574 (30% of TS/TSX files) Acceptable
SQL migrations 134 Comprehensive schema
CI workflows 10 Including security scans
Middleware files 40+ Very comprehensive

Fin de l'inventaire Phase 1