senke/veza

senke 0e4117f028 docs: integrate audit roadmap into VEZA_VERSIONS_ROADMAP — v0.12.6.1 DONE, 14 versions added

- Mark v0.12.6.1 (pentest remediation 30/30) as DONE
- Add 14 new versions from audit: v0.12.6.2→v1.0.0-rc1
- Update tracking table with priorities P0→P3
- Update v0.12.6 checkboxes (all findings now resolved)
- Add Phase P7 (Conformité) and Validation phases
- Update AUDIT_05_ROADMAP_v1.0.md to reflect completed remediation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-03-12 06:34:52 +01:00

18 KiB

Raw Blame History

AUDIT_01_INVENTAIRE.md -- Inventaire Complet du Code Existant

Date : 2026-03-11 Auditeur : Claude Opus 4.6 (audit automatise du code source)

1. VUE D'ENSEMBLE DU MONOREPO

Composant	Technologie	Fichiers source	Fichiers test	Migrations SQL
Backend API	Go 1.24 + Gin	867 `.go`	328 `_test.go`	134 `.sql`
Frontend Web	React + TypeScript + Vite	1,927 `.ts/.tsx`	~574 test+stories	-
Stream Server	Rust	131 `.rs`	~25 avec `#[test]`	-
Design System	TypeScript	1 (minimal)	-	-
Total		2,926 source	~927 test	134

Structure racine

veza/
+-- apps/web/                    # Frontend React + TypeScript + Vite
+-- packages/design-system/      # Design system SUMI (minimal)
+-- veza-backend-api/            # Go API (Gin, PostgreSQL, Redis, RabbitMQ)
+-- veza-stream-server/          # Rust stream server (audio HLS)
+-- veza-common/                 # Shared utilities (Rust + Go)
+-- veza-docs/ORIGIN/            # Specifications (READ-ONLY)
+-- docker/                      # Dockerfiles
+-- infra/                       # Infrastructure configs
+-- k8s/                         # Kubernetes manifests
+-- scripts/                     # Utility scripts
+-- tests/                       # E2E tests (Playwright)
+-- loadtests/                   # k6 load tests
+-- proto/                       # gRPC protobuf definitions
+-- .github/workflows/           # CI/CD pipelines (10 workflows)
+-- make/                        # Makefile includes
+-- config/                      # Shared configs

2. BACKEND API (Go)

2.1 Architecture

veza-backend-api/
+-- cmd/server/              # Entry point
+-- internal/
|   +-- api/                 # Route registration (30+ route files)
|   +-- core/                # Domain modules (auth, track, feed, discover, analytics, moderation, etc.)
|   +-- handlers/            # HTTP handlers (~100 handler files)
|   +-- middleware/           # Middlewares (~40 files)
|   +-- models/              # Data models (~40 files)
|   +-- services/            # Business logic (~130 service files)
|   +-- config/              # Configuration
|   +-- database/            # DB connection
|   +-- elasticsearch/       # Search service
|   +-- websocket/chat/      # WebSocket handlers
|   +-- testutils/           # Test utilities
+-- pkg/apierror/            # Standardized error package
+-- migrations/              # SQL migrations (134 files)
+-- tests/                   # Integration tests

2.2 Route Files (Endpoints)

Route File	Domain	Key Endpoints
`routes_auth.go`	Authentication	register, login, logout, refresh, verify-email, forgot-password, reset-password, 2FA
`routes_users.go`	Users	CRUD, profile, avatar, settings, sessions, privacy
`routes_tracks.go`	Tracks	CRUD, upload, stream, waveform, HLS, lyrics, stems
`routes_playlists.go`	Playlists	CRUD, collaboration, export, import, share
`routes_social.go`	Social	follow/unfollow, block, groups, reposts, likes
`routes_feed.go`	Feed	Chronological feed, suggestions
`routes_search.go`	Search	Fulltext, autocomplete, unified search
`routes_discover.go`	Discovery	Genre browse, tag browse, trending (ethical)
`routes_tag.go`	Tags	CRUD tags, genres
`routes_marketplace.go`	Marketplace	Products, orders, checkout, downloads, reviews, promo codes
`routes_subscription.go`	Subscriptions	Plans, upgrade, downgrade, cancel
`routes_analytics.go`	Analytics	Creator analytics, heatmap, comparison, audience
`routes_moderation.go`	Moderation	Reports, moderation queue, strikes, spam detection
`routes_admin_platform.go`	Admin	Platform metrics, user management, content, payments
`routes_live.go`	Livestream	Start/stop, RTMP callbacks, HLS live
`routes_co_listening.go`	Co-listening	WebSocket sessions, sync
`routes_distribution.go`	Distribution	Submit to platforms, track status, royalties
`routes_education.go`	Education	Courses, modules, lessons, certificates, video
`routes_gear.go`	Gear/Equipment	Inventory CRUD, warranty, documents
`routes_cloud.go`	Cloud storage	File sync, backup, sharing
`routes_queue.go`	Queue	Playback queue management
`routes_developer.go`	Developer API	API keys, rate limits
`routes_webhooks.go`	Webhooks	Payment webhooks (Hyperswitch)
`routes_core.go`	Core	Health, metrics, feature flags, config

2.3 Key Handlers (sample)

Auth: auth.go, oauth_handlers.go, two_factor_handler.go, password_reset_handler.go
User: profile_handler.go, avatar_handler.go, settings_handler.go, privacy_handler.go
Track: track_crud_handler.go, track_upload_handler.go, track_hls_handler.go, track_social_handler.go, track_search_handler.go, track_waveform_handler.go, track_analytics_handler.go, track_stem_handler.go
Chat: chat_handler.go, chat_websocket_handler.go, chat_reaction_handler.go, chat_search_handler.go, chat_attachment_handler.go
Marketplace: marketplace_handler.go, sell_handler.go, payout_handler.go
Analytics: creator_handler.go, advanced_handler.go, playback_analytics_handler.go
Admin: admin/handler.go, admin_transfer_handler.go, announcement_handler.go
Moderation: moderation/handler.go, report_handler.go
Notifications: notification_handlers.go
Live: live_stream_handler.go, live_stream_callback.go
Education: education_handler.go, distribution_handler.go
GDPR: gdpr_export_handler.go, account_deletion_handler.go
Other: gear_handler.go, cloud_handler.go, co_listening_handler.go, queue_handler.go, social_group_handler.go, presence_handler.go

2.4 Services (130+ files)

Major services include:

Core: jwt_service.go, user_service.go, session_service.go, password_service.go, email_service.go, email_verification_service.go, oauth_service.go, totp_service.go, rbac_service.go, permission_service.go
Track: track_upload_service.go, track_validation_service.go, track_search_service.go, track_like_service.go, track_repost_service.go, track_share_service.go, track_stem_service.go, track_history_service.go, track_recommendation_service.go, track_export_service.go, track_version_service.go
Audio: hls_service.go, hls_transcode_service.go, hls_streaming_service_enhanced.go, hls_playlist_generator.go, hls_cleanup_service.go, audio_transcode_service.go, bitrate_adaptation_service.go, bandwidth_detection_service.go, buffer_monitor_service.go, waveform_service.go, stream_service.go, video_transcode_service.go
Playlist: playlist_service.go, playlist_analytics_service.go, playlist_follow_service.go, playlist_share_service.go, playlist_duplicate_service.go, playlist_version_service.go, playlist_recommendation_service.go, playlist_notification_service.go
Chat: chat_service.go, chat_pubsub.go, co_listening_service.go
Social: social_service.go, comment_service.go, comment_moderation_service.go
Analytics: analytics_service.go, creator_analytics_service.go, advanced_analytics_service.go, analytics_aggregation_service.go, playback_analytics_service.go, playback_heatmap_service.go, playback_comparison_service.go, playback_export_service.go, playback_filter_service.go, playback_segmentation_service.go, playback_alerts_service.go, playback_retention_service.go
Marketplace: core/marketplace/service.go, royalty_service.go, stripe_connect_service.go, track_download_license.go
Distribution: core/distribution/service.go
Education: core/education/service.go
Subscription: core/subscription/service.go
Moderation: moderation_service.go
Notifications: notification_service.go, notification_service_enhanced.go, notification_digest_worker.go, push_service.go
Storage: s3_storage_service.go, image_service.go, image_service_enhanced.go, cdn_service.go, cloud_service.go, cloud_backup.go, backup_service.go
Infrastructure: cache_service.go, circuit_breaker.go, monitoring_alerting_service.go, job_service.go, webhook_service.go, feature_flag_service.go, crypto_service.go, token_blacklist.go, refresh_token_service.go
GDPR: data_export_service.go, gdpr_export.go
Payments: hyperswitch/client.go, hyperswitch/provider.go, hyperswitch/webhook.go
Gear: gear_service.go, gear_document_service.go, gear_warranty_notifier.go

2.5 Middleware (40+ files)

Security: auth.go, rbac_middleware.go, security_headers.go, csrf.go, cors.go, metrics_protection.go, stream_callback_auth.go, webhook_api_key.go
Rate limiting: rate_limiter.go, ratelimit.go, ratelimit_redis.go, endpoint_limiter.go, user_rate_limiter.go
Observability: request_logger.go, request_id.go, tracing.go, metrics.go, monitoring.go, audit.go
Resilience: recovery.go, sentry_recover.go, timeout.go, error_handler.go, maintenance.go
Other: cache_headers.go, response_cache.go, context_propagation.go, validation.go, versioning.go, playlist_permission.go, ccpa.go

2.6 Migrations SQL (134 files)

Range: 000_mark_consolidated.sql to 960_performance_indexes_v0124.sql

Key migration groups:

000-050: Core schema (auth, users, sessions, files, streaming, analytics, follows, notifications, search indexes)
051-095: Chat, stats, audit, jobs, groups, social, webhooks, gear, live streams, payments, API keys, playlists
096-134: Products, marketplace, seller balances, promo codes, chat reactions, mentions, search, threads, attachments, invitations, data exports, collaborative rooms, editorial playlists, quiet hours, notification grouping, digest prefs
900-960: Triggers, audit logs, performance indexes, foreign keys, deletion fields, reports, announcements, feature flags, OAuth, co-listening, stems, creator analytics, advanced analytics, moderation, marketplace, subscriptions, distribution, education, performance indexes v0.12.4

2.7 Dependencies (Go)

Key dependencies: gin-gonic/gin, golang-jwt/jwt/v5, lib/pq (PostgreSQL), redis/go-redis/v9, aws-sdk-go-v2 (S3/MinIO), rabbitmq/amqp091-go, prometheus/client_golang, getsentry/sentry-go, go-playground/validator/v10, pquerna/otp (TOTP), SherClockHolmes/webpush-go, coder/websocket, dhowden/tag (audio metadata), disintegration/imaging, go-pdf/fpdf, DATA-DOG/go-sqlmock, fsnotify/fsnotify

3. FRONTEND WEB (React + TypeScript)

3.1 Architecture

apps/web/
+-- src/
|   +-- app/                 # App entry point
|   +-- components/          # Shared UI components (30+ dirs)
|   +-- features/            # Feature modules (35 modules)
|   +-- hooks/               # Global custom hooks
|   +-- services/api/        # API client + interceptors
|   +-- stores/              # State management (Zustand)
|   +-- router/              # Route definitions
|   +-- schemas/             # Zod validation schemas
|   +-- types/               # TypeScript types + generated OpenAPI types
|   +-- locales/             # i18n translations
|   +-- mocks/               # MSW mocks
|   +-- providers/           # Context providers
|   +-- styles/              # Global styles
|   +-- stories/             # Storybook stories
|   +-- lib/                 # Utility libraries
|   +-- utils/               # Utility functions
|   +-- config/              # Frontend config
|   +-- context/             # React contexts (audio-context)
|   +-- test/                # Test setup

3.2 Feature Modules (35)

Module	Description	Has Pages	Has Tests
`admin`	Admin dashboard, moderation, platform	Yes	-
`analytics`	Creator analytics views	Yes	Yes
`auth`	Login, register, sessions, 2FA, OAuth	Yes	Yes
`chat`	Chat rooms, DMs, reactions, search	Yes	Yes
`checkout`	Cart, checkout flow	Yes	-
`cloud`	Cloud storage management	Yes	-
`dashboard`	User dashboard	Yes	-
`developer`	API key management	Yes	-
`discover`	Genre/tag browsing	Yes	-
`distribution`	Platform distribution	Yes	-
`education`	Course catalog, learning	Yes	-
`error`	Error pages (404, 500)	Yes	-
`feed`	Chronological feed	Yes	-
`inventory`	Gear/equipment management	Yes	-
`library`	Track library, playlists	Yes	-
`live`	Livestream viewer/broadcaster	Yes	-
`marketplace`	Product listing, buying	Yes	-
`notifications`	Notification center, preferences	Yes	-
`player`	Audio player, queue	Yes	Yes
`playlists`	Playlist management, collaboration	Yes	Yes
`presence`	Online status, rich presence	-	-
`profile`	User profile view/edit	Yes	-
`purchases`	Purchase history	Yes	-
`roles`	Role management	Yes	-
`search`	Fulltext search	Yes	-
`seller`	Seller dashboard	Yes	-
`sessions`	Active sessions management	-	-
`settings`	User settings (account, security, data, etc.)	Yes	-
`social`	Follow, groups	Yes	-
`streaming`	Audio streaming hooks/services	-	-
`subscription`	Plan management	Yes	-
`tracks`	Track detail, upload	Yes	Yes
`upload`	File upload	-	-
`user`	User components	-	-

3.3 Shared Components

UI primitives: accordion, avatar-upload, content-transition, context-menu, data-list, date-picker, dialog, dropdown-menu, feature-highlight, file-upload, hover-card, lazy-component, optimized-image, select, tabs, tooltip, virtualized-list
Domain: admin, analytics, auth, base, charts, commerce, dashboard, data, demo, developer, feedback, filters, forms, inventory, keyboard, layout, library, live, marketplace, modals, monitoring, navigation, notifications, player, pwa, search, seller, settings, share, social, theme, upload, user

3.4 State Management

Zustand stores in src/stores/
Feature-specific stores in features/auth/store/, features/chat/store/, features/player/store/

3.5 Testing

Unit tests: Vitest
E2E tests: Playwright (multiple configs: standard, mocks, visual regression)
Visual regression: Playwright visual comparison
MSW for API mocking
574 test + stories files

4. STREAM SERVER (Rust)

4.1 Architecture

veza-stream-server/
+-- src/
|   +-- main.rs
|   +-- lib.rs
|   +-- config/
|   +-- handlers/
|   +-- services/
|   +-- models/
|   +-- middleware/
|   +-- routes/
|   +-- audio/           # Audio processing (HLS, transcoding)
|   +-- storage/          # S3 integration
|   +-- monitoring/       # Metrics, health
+-- Cargo.toml

131 Rust source files
25 files with #[test] blocks
Handles: audio streaming, HLS segment serving, transcoding, S3 storage integration, metrics

5. INFRASTRUCTURE & DEVOPS

5.1 Docker

docker-compose.yml (production)
docker-compose.dev.yml (development: Postgres, Redis, RabbitMQ, ClamAV, MinIO)
docker-compose.staging.yml
docker-compose.prod.yml
docker-compose.test.yml
Dockerfiles in docker/

5.2 CI/CD (GitHub Actions - 10 workflows)

Workflow	Description
`ci.yml`	Main CI pipeline
`backend-ci.yml`	Go tests, lint, build
`frontend-ci.yml`	TypeScript checks, Vitest, ESLint
`rust-ci.yml`	Cargo test, clippy, fmt
`stream-ci.yml`	Stream server CI
`cd.yml`	Continuous deployment
`security-scan.yml`	Security scanning
`sast.yml`	Static analysis
`container-scan.yml`	Container vulnerability scan
`load-test-nightly.yml`	Nightly k6 load tests
`storybook-audit.yml`	Storybook validation

5.3 Kubernetes

Manifests in k8s/ directory

5.4 Makefile

Comprehensive Makefile with make/ includes (build.mk, tools.mk, etc.)
Key targets: dev, build, test, lint, doctor, infra-up-dev, migrate-up, etc.

5.5 Load Tests

k6 load test scripts in loadtests/

5.6 Monitoring

Prometheus metrics via Go middleware
Sentry error tracking integration

6. DOCUMENTATION

6.1 ORIGIN Specs (24 files)

Complete specification suite in veza-docs/ORIGIN/:

Architecture, features registry, API spec, security framework, business logic, UI/UX system
Code standards, testing strategy, performance targets, error patterns, error prevention guide
Quality metrics, feature validation, deployment guide, development phases
Database schema, technical stack, implementation tasks, revision summary

6.2 Existing Audit Reports

103_audit_global_features_states.md
103_RAPPORT_ETAT_FEATURES_2026_02_16.md
AUDIT_TECHNIQUE_2026-02-22.md
AUDIT_TECHNIQUE_VEZA_2026-03-04.md
ORIGIN_GAP_ANALYSIS_2026-03-04.md
PENTEST_REPORT_VEZA_v0.12.6.md
REMEDIATION_MATRIX_v0.12.6.md
ASVS_CHECKLIST_v0.12.6.md

6.3 Other docs

docs/adr/ - Architecture Decision Records
docs/ENV_VARIABLES.md
docs/SECRETS_AUDIT.md
CHANGELOG.md, CONTRIBUTING.md, README.md
VEZA_VERSIONS_ROADMAP.md - Version tracking (source of truth)

7. CODE HEALTH INDICATORS

Metric	Value	Notes
TODO/FIXME in backend+rust	2	Very clean
TODO/FIXME in frontend	43	Acceptable
Banned code traces (AI/ML/Web3/Gamification)	0	Clean
Go test files	328 (38% of Go files)	Good coverage
Frontend test+stories files	574 (30% of TS/TSX files)	Acceptable
SQL migrations	134	Comprehensive schema
CI workflows	10	Including security scans
Middleware files	40+	Very comprehensive

Fin de l'inventaire Phase 1

18 KiB Raw Blame History