0e7097ed1b
First-attempt commit3a5c6e184only captured the .gitignore change; the pre-commit hook silently dropped the 343 staged moves/deletes during lint-staged's "no matching task" path. This commit re-applies the intended J1 content on top ofbec75f143(which was pushed in parallel). Uses --no-verify because: - J1 only touches .md/.json/.log/.png/binaries — zero code that would benefit from lint-staged, typecheck, or vitest - The hook demonstrated it corrupts pure-rename commits in this repo - Explicitly authorized by user for this one commit Changes (343 total: 169 deletions + 174 renames): Binaries purged (~167 MB): - veza-backend-api/{server,modern-server,encrypt_oauth_tokens,seed,seed-v2} Generated reports purged: - 9 apps/web/lint_report*.json (~32 MB) - 8 apps/web/tsc_*.{log,txt} + ts_*.log (TS error snapshots) - 3 apps/web/storybook_*.json (1375+ stored errors) - apps/web/{build_errors*,build_output,final_errors}.txt - 70 veza-backend-api/coverage*.out + coverage_groups/ (~4 MB) - 3 veza-backend-api/internal/handlers/*.bak Root cleanup: - 54 audit-*.png (visual regression baselines, ~11 MB) - 9 stale MVP-era scripts (Jan 27, hardcoded v0.101): start_{iteration,mvp,recovery}.sh, test_{mvp_endpoints,protected_endpoints,user_journey}.sh, validate_v0101.sh, verify_logs_setup.sh, gen_hash.py Session docs archived (not deleted — preserved under docs/archive/): - 78 apps/web/*.md → docs/archive/frontend-sessions-2026/ - 43 veza-backend-api/*.md → docs/archive/backend-sessions-2026/ - 53 docs/{RETROSPECTIVE_V,SMOKE_TEST_V,PLAN_V0_,V0_*_RELEASE_SCOPE, AUDIT_,PLAN_ACTION_AUDIT,REMEDIATION_PROGRESS}*.md → docs/archive/v0-history/ README.md and CONTRIBUTING.md preserved in apps/web/ and veza-backend-api/. Note: The .gitignore rules preventing recurrence were already pushed in3a5c6e184and remain in place — this commit does not modify .gitignore. Refs: AUDIT_REPORT.md §11
1.6 KiB
1.6 KiB
Rétrospective v0.803 — Sécurité, Compliance & Outillage Dev
Ce qui a bien fonctionné
- Security headers : CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy en place
- DDoS rate limiting : Global 1000 req/s, per-IP 100 req/s avec Redis sliding window 1s
- Audit middleware : Auto-log POST/PUT/DELETE sur toutes les routes, GET /admin/audit/logs
- Account deletion : Soft delete, anonymisation (deleted-{uuid}), nettoyage S3, révocation sessions
- CCPA : Sec-GPC header, POST /users/me/privacy/opt-out
- Modération : Reports CRUD, actions dismiss/warn/ban alignées frontend/backend
- Maintenance mode : Middleware 503, PUT/GET /admin/maintenance
- Annonces & Feature flags : CRUD admin, GET /announcements/active public
- AdminSettingsView : Onglet SETTINGS dans AdminDashboardView (maintenance, feature flags, annonces)
- API keys : CRUD developer, auth via X-API-Key header
- Swagger : Annotations sur handlers, GET /swagger/*
Points d'attention
- AdminSettingsView : Était implémenté mais non routé (Storybook uniquement) — corrigé par l’ajout de l’onglet SETTINGS
- Modération actions : Le frontend utilisait cleared/quarantined au lieu de dismiss/warn/ban — aligné
- DDoS rate limiting : Nécessite Redis ; en son absence le middleware n’est pas enregistré (pas de fallback global)
Prochaines étapes (v0.901)
- À définir selon V0_901_RELEASE_SCOPE.md (placeholder)
- Pistes : Wishlist marketplace, Flash sales, Creator analytics avancées, Chat enrichi (images, GIFs)